9241 |
2024-01-16 10:23
|
browserforfindvideoswhichmakey... cac7fbeb22725d491739d21ce51d7cf2 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/DPx5S
http://23.94.239.93/5060/browserclear.vbs
|
5
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(104.22.53.71) - malware 23.94.239.93 - mailcious
104.22.53.71
104.21.84.67 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
4.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9242 |
2024-01-17 08:10
|
rty45.exe 02550318e655f52fa990158a1c709cef Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution DNS |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
4
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious
173.44.176.41
23.32.56.80
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9243 |
2024-01-17 08:14
|
latestrocki.exe 51a977874c9b190837bc2658396d4dfe Generic Malware NSIS Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE32 PE File .NET EXE PNG Format OS Processor Check PE64 ZIP Format MZP Format JPEG Format BMP Format CHM Format DLL icon CAB MSOffice File W VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS crashed |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
https://i.alie3ksgaa.com/sta/imagd.jpg
|
5
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious
23.67.53.17
185.172.128.90 - mailcious
185.172.128.53 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
2
http://185.172.128.53/syncUpd.exe http://185.172.128.90/cpa/ping.php
|
13.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9244 |
2024-01-17 08:14
|
rty27.exe 34a7dbf9c978714dd0679079c5445a10 Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious
23.67.53.17
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9245 |
2024-01-17 08:16
|
conhost.exe be3c89dc0d88fddd3289ac9e6e72360a AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.75) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9246 |
2024-01-17 08:23
|
conhost.exe 431b955c96a65b12587361ef1e961c2b AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.75) 173.231.16.75
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9247 |
2024-01-17 08:24
|
liva.exe fb987f700ecaba1d1bced04a45c572e8 Generic Malware EnigmaProtector Malicious Library Malicious Packer UPX Code injection AntiDebug AntiVM PE32 PE File OS Processor Check MSOffice File PNG Format ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader |
20
http://109.107.182.3/cost/go.exe http://185.215.113.68/mine/amer.exe https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz https://www.facebook.com/favicon.ico https://connect.facebook.net/security/hsts-pixel.gif https://www.facebook.com/login https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://db-ip.com/demo/home.php?s=175.208.134.152 https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png https://fbsbx.com/security/hsts-pixel.gif?c=5 https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
16
db-ip.com(104.26.5.15) fbsbx.com(157.240.215.35) www.facebook.com(157.240.215.35) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) ipinfo.io(34.117.186.192) connect.facebook.net(157.240.215.14) facebook.com(157.240.215.35) 172.67.75.166 157.240.215.14 185.215.113.68 - malware 193.233.132.62 - mailcious 34.117.186.192 23.67.53.17 157.240.215.35 109.107.182.3 - mailcious
|
12
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
19.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9248 |
2024-01-17 14:21
|
msworldwidenamespreadingaround... 34ac6f63ff7a32a51e98db3c21fd7b1c MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.28/3636/conhost.exe
|
3
api.ipify.org(64.185.227.156) 172.245.208.28 - mailcious
64.185.227.156
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9249 |
2024-01-17 14:25
|
beautifulhjcreversehissettings... c0b8ac37280a20cd4a86808102cc3eb2 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.28/1313/conhost.exe
|
3
api.ipify.org(104.237.62.211) 172.245.208.28 - mailcious
104.237.62.211
|
9
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9250 |
2024-01-17 15:19
|
go.exe 5d01c27e7807d0c5d9d0076d6a803b55 RedLine stealer Generic Malware Malicious Library UPX Code injection Anti_VM AntiDebug AntiVM PE32 PE File OS Processor Check PNG Format MSOffice File Browser Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName DNS crashed |
17
https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz https://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=105.0.1&buildid=20220922151854 https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz https://www.facebook.com/favicon.ico https://connect.facebook.net/security/hsts-pixel.gif https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz https://fbsbx.com/security/hsts-pixel.gif?c=5 https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg https://static.xx.fbcdn.net/rsrc.php/v3/yb/r/S-jgxi6wsFP.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
10
www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) facebook.com(157.240.215.35) connect.facebook.net(157.240.215.14) crash-reports.mozilla.com(50.112.239.245) 157.240.215.35 52.13.80.180 157.240.215.14
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9251 |
2024-01-18 07:57
|
conhost.exe 7547a8f171604d74d6436f7983c7a91d AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.211) 104.237.62.211
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9252 |
2024-01-18 18:52
|
JAN-17-2024-765FYDX.url 0a5062edfd1d56c273a2fa19c695a6a8 AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
3
http://5.181.159.46/ http://5.181.159.46/Downloads http://5.181.159.46/Downloads/26.url
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.6 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9253 |
2024-01-18 18:54
|
microbiolagicalthingshappenein... 6a0bc469af442ab4df602ad5af219b02 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
1
http://107.175.243.133/1522/conhost.exe
|
3
api.ipify.org(104.237.62.211) 107.175.243.133 - malware
173.231.16.75
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9254 |
2024-01-18 18:56
|
microbiolagicalthingshappenein... adf6b4115caf260b8f57c1fd9bb618ec MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://107.175.243.133/1521/conhost.exe
|
3
api.ipify.org(64.185.227.156) 107.175.243.133 - malware 104.237.62.211
|
9
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9255 |
2024-01-19 07:59
|
rty45.exe bfa0a2b457d28d8805a0658b7498c639 Malicious Library UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious
121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|