9256 | 2024-01-19 08:04
room.exe | b716baea0866421f013912e77e5db815
Tags: EnigmaProtector Malicious Library UPX Malicious Packer Code injection Socket ScreenShot Steal credential DNS AntiDebug AntiVM PE32 PE File .NET EXE MSOffice File OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
URLs (13):
http://185.215.113.68/mine/amer.exe - rule_id: 39024
http://109.107.182.3/cost/go.exe - rule_id: 39025
http://109.107.182.3/cost/nika.exe
http://109.107.182.3/cost/vimu.exe
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MrYoqgbP9QAW3euB1trnjW3nzVsSX4zXyxia8fKwg7xPv0o6RkXvohF4lTm5X6bsfBNbeyg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-939002500%3A1705618756630130
https://db-ip.com/demo/home.php?s=175.208.134.152
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp1e75G1gW0DiCO0dOvUf1sNyw_eYkTsegr2M0TGYOboAyXMt2zZ3wpHZodY7fybxG3b4LbZ2w
https://accounts.google.com/
https://accounts.google.com/_/bscframe
https://accounts.google.com/generate_204?biSL3A
https://www.google.com/favicon.ico
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
Hosts (14):
ipinfo.io(34.117.186.192)
ssl.gstatic.com(142.250.76.131)
db-ip.com(104.26.5.15)
accounts.google.com(64.233.187.84)
www.google.com(142.250.76.132)
193.233.132.62 - malicious
104.26.4.15
185.215.113.68 - malware
142.251.222.3
34.117.186.192
142.250.199.100
142.251.8.84
154.92.15.189 - malicious
109.107.182.3 - malicious
Alerts (12):
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
URLs matching rules (2):
http://185.215.113.68/mine/amer.exe
http://109.107.182.3/cost/go.exe
23.8 | M | | ZeroCERT

9257 | 2024-01-19 08:05
conhost.exe | 9c477f0a3dc97e81cd2a76e339b38c7c
Tags: AgentTesla UPX PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
Hosts (2):
api.ipify.org(104.237.62.211)
64.185.227.156
Alerts (4):
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | M | | ZeroCERT

9258 | 2024-01-19 08:07
conhost.exe | db2097a73708c43f88d3fd6d7a017b13
Tags: Generic Malware .NET framework(MSIL) Antivirus PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts (3):
api.ipify.org(173.231.16.75)
64.185.227.156
121.254.136.27
Alerts (4):
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.8 | M | | ZeroCERT

9259 | 2024-01-19 15:00
Adobe_acrobat_installer.exe | e2cb17fc7f799e6c39fdbe4aa2c8c06e
Tags: AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (4):
api.ipify.org(64.185.227.156)
api.telegram.org(149.154.167.220)
64.185.227.156
149.154.167.220
Alerts (6):
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
14.2 | | 32 | guest

9260 | 2024-01-19 18:19
vimu.exe | 520050ab79ad5b13e6de5d3d7941d4d2
Tags: Malicious Packer UPX Anti_VM PE32 PE File Malware download Malware AutoRuns MachineGuid buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (1):
https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
ipinfo.io(34.117.186.192)
db-ip.com(172.67.75.166)
172.67.75.166
34.117.186.192
193.233.132.62 - malicious
Alerts (5):
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
7.0 | | | ZeroCERT

9261 | 2024-01-20 18:19
zonak.exe | d1d8db81157f989532108d62c64cbc33
Tags: Amadey Malicious Packer UPX Malicious Library Anti_VM AntiDebug AntiVM PE32 PE File .NET EXE MSOffice File OS Processor Check DLL ZIP Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
URLs (21):
http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
http://109.107.182.3/cost/vimu.exe - rule_id: 39038
http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
http://109.107.182.3/cost/nika.exe - rule_id: 39037
http://185.215.113.68/mine/livak.exe
http://www.maxmind.com/geoip/v2.1/city/me
http://109.107.182.3/cost/go.exe - rule_id: 39025
http://185.215.113.68/mine/amer.exe - rule_id: 39024
http://185.215.113.68/theme/index.php - rule_id: 38935
https://www.google.com/favicon.ico
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://db-ip.com/demo/home.php?s=175.208.134.152
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MB1Kt9JRng3yyk_pct8ZP3zuC3fBqZFRXuexVmEhTR_dTxy42kBpfUijZBBTyoL_snfrEWg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S487216895%3A1705742046920610
https://accounts.google.com/generate_204?vBMMBg
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3-cnxAB265cMjA870JRwXCWmEackG0gZBWgg8enHGTomo63RZ5p2GNDc8fgTCQ6vFgzSFjkw
https://lizotel.pt/temp/322321.exe
https://lizotel.pt/temp/crypted.exe
https://lizotel.pt/temp/legnew.exe
Hosts (17):
db-ip.com(172.67.75.166)
lizotel.pt(185.240.248.84)
www.google.com(142.250.76.132)
ssl.gstatic.com(142.250.76.131)
ipinfo.io(34.117.186.192)
accounts.google.com(64.233.188.84)
www.maxmind.com(104.18.145.235)
108.177.125.84
142.250.207.67
104.18.146.235
104.26.4.15
185.215.113.68 - malware
172.217.25.4 - suspicious
34.117.186.192
185.240.248.84
193.233.132.62 - malicious
109.107.182.3 - malicious
Alerts (18):
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Packed Executable Download
ET INFO TLS Handshake Failure
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET MALWARE Amadey Bot Activity (POST)
URLs matching rules (7):
http://185.215.113.68/theme/Plugins/clip64.dll
http://109.107.182.3/cost/vimu.exe
http://185.215.113.68/theme/Plugins/cred64.dll
http://109.107.182.3/cost/nika.exe
http://109.107.182.3/cost/go.exe
http://185.215.113.68/mine/amer.exe
http://185.215.113.68/theme/index.php
19.6 | M | | ZeroCERT

9262 | 2024-01-22 12:32
rty45.exe | c5431ed88227d6f2e201da982db63f38
Tags: Malicious Packer UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution
URLs (1):
http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3):
i.alie3ksgaa.com(154.92.15.189) - malicious
154.92.15.189 - malicious
23.67.53.17
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | | 46 | ZeroCERT

9263 | 2024-01-22 12:35
rty27.exe | 90ab18d69c8c28f797acf90b61d656df
Tags: Malicious Packer UPX PE File PE64 PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution
URLs (1):
http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3):
i.alie3ksgaa.com(154.92.15.189) - malicious
154.92.15.189 - malicious
121.254.136.27
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.8 | | | ZeroCERT

9264 | 2024-01-22 12:39
build.exe | 57935225dcb95b6ed9894d5d5e8b46a8
Tags: RedlineStealer RedLine Infostealer RedLine stealer .NET framework(MSIL) UPX Malicious Library Malicious Packer Antivirus PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
http://93.123.39.68:1334/
http://93.123.39.68/client.exe
https://api.ip.sb/geoip
Hosts (3):
api.ip.sb(104.26.12.31)
93.123.39.68
104.26.13.31
Alerts (9):
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
9.2 | | 62 | ZeroCERT

9265 | 2024-01-22 12:45
RisePro_1.4_oCtFry7ogY0hng063r... | 1c8918482b9cd613ba75ab7a16463e18
Tags: Generic Malware Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format PNG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1):
https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
104.26.5.15
91.208.127.168
34.117.186.192
Alerts (7):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
13.2 | M | 14 | ZeroCERT

9266 | 2024-01-23 08:04
face.exe | b367a4da8177d0be7638599aad1caa9b
Tags: Amadey Generic Malware NSIS Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE32 PE File PNG Format OS Processor Check DLL .NET EXE ZIP Format MZP Format JPEG Format BMP Format CHM Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
URLs (19):
http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
http://109.107.182.3/cost/vimu.exe - rule_id: 39038
http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
http://109.107.182.3/cost/nika.exe - rule_id: 39037
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
http://109.107.182.3/cost/go.exe - rule_id: 39025
http://185.215.113.68/mine/amer.exe - rule_id: 39024
http://185.215.113.68/theme/index.php - rule_id: 38935
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp19ppAsRv2o6lyozUloXtl2vtHTQ_Z5hQtp6-dWz_Yb_d5Sog8ygYecStquNLy1xgWdXfMz&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-955853393%3A1705964159222861
https://www.google.com/favicon.ico
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://db-ip.com/demo/home.php?s=175.208.134.152
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/generate_204?dNjB8g
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0prvDtaojbUs_fFiN9b9CD7hkEJ1nHDhTfd9vIUqM3YxyI4uMpGixUZhaFGRKzHsJvSPCU
https://i.alie3ksgaa.com/sta/imagd.jpg
Hosts (23):
db-ip.com(104.26.4.15)
www.google.com(142.250.76.132)
ssl.gstatic.com(142.250.207.99)
www.fleefight.it(94.177.48.37) - malware
ipinfo.io(34.117.186.192)
i.alie3ksgaa.com(154.92.15.189) - malicious
accounts.google.com(64.233.188.84)
193.233.132.62 - malicious
216.58.200.227
94.177.48.37 - malware
87.251.77.166 - malicious
104.26.4.15
173.194.174.84
185.215.113.68 - malware
185.172.128.19 - malicious
185.172.128.90 - malicious
34.117.186.192
142.251.220.68
61.111.58.35 - malware
185.172.128.53 - malware
154.92.15.189 - malicious
185.172.128.109 - malware
109.107.182.3 - malicious
Alerts (19):
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Packed Executable Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Amadey Bot Activity (POST)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
URLs matching rules (8):
http://185.215.113.68/theme/Plugins/clip64.dll
http://109.107.182.3/cost/vimu.exe
http://185.215.113.68/theme/Plugins/cred64.dll
http://109.107.182.3/cost/nika.exe
http://185.172.128.90/cpa/ping.php
http://109.107.182.3/cost/go.exe
http://185.215.113.68/mine/amer.exe
http://185.215.113.68/theme/index.php
25.8 | M | | ZeroCERT

9267 | 2024-01-23 14:15
PrivateCheat.exe | 92d5541274a80650bf7fc9d40f2be865
Tags: Generic Malware Downloader Malicious Library UPX MPRESS Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE32 PE File OS Processor Check VirusTotal Malware PDB Code Injection Creates executable files AppData folder suspicious TLD Tofsee ComputerName Remote Code Execution crashed
Hosts (2):
ca94025.tw1.ru(188.225.40.162)
188.225.40.162
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | 28 | ZeroCERT

9268 | 2024-01-23 14:19
IEbrowserUpdates.vbs | b188e3740962ca8e83f9a86ab3889c9f
Tags: VirusTotal Malware wscript.exe payload download Tofsee
URLs (2):
http://paste.ee/d/ywRmc
https://paste.ee/d/ywRmc
Hosts (2):
paste.ee(104.21.84.67) - malicious
104.21.84.67 - malware
Alerts (2):
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | M | 3 | ZeroCERT

9269 | 2024-01-23 14:50
http://www.amazon.ca | f0d918f20a6893435e7ed9012fffbce2
Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM icon MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (4):
http://www.amazon.ca/
https://www.amazon.ca/favicon.ico
https://fls-na.amazon.ca/1/oc-csi/1/OP/requestId=99J3W16RWYF8QCRB2H31&js=1
https://www.amazon.ca/
Hosts (6):
www.amazon.ca(52.85.228.45)
fls-na.amazon.ca(3.213.183.151)
images-na.ssl-images-amazon.com(18.64.6.158) - malicious
18.164.155.27
121.254.136.25
34.206.21.244
Alerts (2):
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | | guest

9270 | 2024-01-24 07:58
dd.exe | cce53392d805e6fbfdbccf4527d53c26
Tags: AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (2):
api.ipify.org(64.185.227.156)
173.231.16.75
Alerts (4):
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.6 | | 38 | ZeroCERT

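The index above is a flattened table, and the questions an analyst actually has about it (which hosts recur across samples, which alerts discriminate between them) need the records in a structured form. The parser below is an added example, not code from this page or from the ZeroCERT sandbox. It assumes the raw export layout seen here: cells separated by "|", the sample cell holding filename, MD5 and tags, and each URL/host/alert list preceded by its element count, which the parser uses as an integrity check. The column names are my reading of the records on this page; in particular the numeric column that appears only on records carrying the VirusTotal tag (32, 46, 62 above) is assumed to be the VirusTotal detection count, and the "mailcious" reputation tag is accepted as the export spells it. The embedded input is records 9262 and 9263 copied from above, with trailing empty cells dropped.

```python
import re
from collections import Counter, defaultdict

# Constructed input: records 9262 and 9263 copied from the index above in the
# raw export layout (cells separated by "|", each list preceded by its element
# count); trailing empty cells were dropped to keep the sample short.
RAW = """\
9262 |
2024-01-22 12:32
|
rty45.exe c5431ed88227d6f2e201da982db63f38 Malicious Packer UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious 23.67.53.17
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
46 |
ZeroCERT
9263 |
2024-01-22 12:35
|
rty27.exe 90ab18d69c8c28f797acf90b61d656df Malicious Packer UPX PE File PE64 PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious 121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.8 |
|
|
ZeroCERT
"""
COLUMNS = ("id", "date", "sample", "urls", "hosts", "alerts",   # my reading of
           "matched_urls", "score", "flag", "vt_hits", "reporter")  # the export
RECORD_START = re.compile(r"(?m)^(?=\d+ \|\n\d{4}-\d\d-\d\d )")
SAMPLE_RE = re.compile(r"^(\S+)\s+([0-9a-f]{32})\s*(.*)$", re.S)
URL_RE = re.compile(r"(https?://\S+?)(?:\s+-\s+rule_id:\s*(\d+))?(?=\s|$)")
# domain(ip) or bare ip, then the index's reputation tag ("mailcious" as spelled there)
HOST_RE = re.compile(r"(?:([\w.-]+)\(([\d.]+)\)|(\d{1,3}(?:\.\d{1,3}){3}))"
                     r"(?:\s+-\s+(malware|mailcious|malicious|suspicious))?")
ALERT_SPLIT = re.compile(r"\s+(?=ET |SSLBL:|SURICATA )")

def _items(cell, parse):
    """Parse a 'count<newline>items' cell and verify the declared count."""
    count, _, body = cell.partition("\n")
    items = parse(body.strip()) if body.strip() else []
    if len(items) != int(count or 0):
        raise ValueError(f"declared {count} items, parsed {len(items)}")
    return items

def _urls(body):  # -> [(url, rule_id or None)]
    return [(u, int(r) if r else None) for u, r in URL_RE.findall(body)]

def _hosts(body):  # -> [(domain or ip, ip, reputation tag or None)]
    return [(d or i2, i1 or i2, t or None) for d, i1, i2, t in HOST_RE.findall(body)]

def parse_records(raw):
    """One dict per sample: export columns plus typed url/host/alert lists."""
    records = []
    for chunk in RECORD_START.split(raw):
        cells = [c.strip() for c in chunk.split("|")]
        if len(cells) < len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, cells))
        name, md5, tags = SAMPLE_RE.match(rec["sample"]).groups()
        rec.update(name=name, md5=md5, tags=tags.split(), score=float(rec["score"]),
                   vt_hits=int(rec["vt_hits"]) if rec["vt_hits"] else None,
                   urls=_items(rec["urls"], _urls), hosts=_items(rec["hosts"], _hosts),
                   alerts=_items(rec["alerts"], ALERT_SPLIT.split),
                   matched_urls=_items(rec["matched_urls"], _urls))
        records.append(rec)
    return records

def shared_hosts(records, min_samples=2):
    """Domains/IPs contacted by >= min_samples samples: shared infrastructure."""
    seen = defaultdict(set)
    for rec in records:
        for domain, ip, _ in rec["hosts"]:
            seen[ip].add(rec["id"])
            seen[domain].add(rec["id"])
    return {h: sorted(ids) for h, ids in seen.items() if len(ids) >= min_samples}

def alert_prevalence(records):
    """Fraction of samples each alert fired on; 1.0 on a mixed corpus is no signal."""
    hits = Counter(a for rec in records for a in set(rec["alerts"]))
    return {a: n / len(records) for a, n in hits.items()}
```

shared_hosts() surfaces the infrastructure worth acting on first: over the full page, 185.215.113.68, 109.107.182.3, 193.233.132.62 and 154.92.15.189 recur across the RisePro and Amadey samples, whereas the ipinfo.io, db-ip.com and api.ipify.org lookups are shared with traffic that carries no malware alert at all. alert_prevalence() is where the caveat in this listing shows up: "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)" fires on every record here, including the plain visit to http://www.amazon.ca in 9269, so on its own it identifies a TLS client configuration that benign software on the analysis host also produces, not a malware family. Base a verdict on the family-specific ET MALWARE alerts (RisePro, Amadey, RedLine) and the rule_id-tagged URLs instead.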