9286 | 2024-01-26 09:13
rost.exe 03135ee6d7c5c029982e63d36d368267 Themida Packer Malicious Packer UPX PE32 PE File Malware download VirusTotal Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (2):
  http://www.maxmind.com/geoip/v2.1/city/me
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (7):
  ipinfo.io(34.117.186.192)
  db-ip.com(104.26.5.15)
  www.maxmind.com(104.18.145.235)
  172.67.75.166
  34.117.186.192
  104.18.145.235
  193.233.132.62 - mailcious
Signatures (4):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 38 | ZeroCERT

9287 | 2024-01-26 09:28
somzx.exe e899fbf28973beed105f99e209e11be5 AgentTesla Malicious Library .NET framework(MSIL) UPX PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Discord Browser Email ComputerName DNS Software crashed keylogger
URLs (1):
  https://discordapp.com/api/webhooks/1197254961164202145/ptzKDsgHtj6pY49BfLZoBFgkUGXIM695d512QfX0eWtZsuDouCKEGxBU0TiPSCQb8iSK
Hosts (4):
  discordapp.com(162.159.134.233) - mailcious
  api.ipify.org(64.185.227.156)
  162.159.133.233 - malware
  64.185.227.156
Signatures (6):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
14.0 | M | 40 | ZeroCERT

9288 | 2024-01-26 12:11
vnextofficeupdationwaitingfort... 869dc88123916a7193c56809db6b5e97 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed
URLs (1):
  http://192.3.176.145/310/conhost.exe
Hosts (3):
  api.ipify.org(64.185.227.156)
  192.3.176.145 - malware
  104.237.62.211
Signatures (9):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 32 | ZeroCERT

9289 | 2024-01-26 12:11
currentupdationoftheexplertsay... bfc3ef7d2fa438d76b535b0410fe1296 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (3):
  http://paste.ee/d/Kiio7
  http://172.245.208.3/440/ibmSever.vbs
  https://paste.ee/d/Kiio7
Hosts (3):
  paste.ee(172.67.187.200) - mailcious
  172.245.208.3 - mailcious
  172.67.187.200 - mailcious
Signatures (3):
  ET INFO Dotted Quad Host VBS Request
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 31 | ZeroCERT

9290 | 2024-01-26 12:13
ibmSever.vbs bb9a31982bd53b29cc81e3027709727b VirusTotal Malware wscript.exe payload download Tofsee
URLs (2):
  http://paste.ee/d/Kiio7
  https://paste.ee/d/Kiio7
Hosts (2):
  paste.ee(104.21.84.67) - mailcious
  104.21.84.67 - malware
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | M | 3 | ZeroCERT

9291 | 2024-01-27 15:59
ISIcentos.vbs 860f242d1a6e895bbd7c2c204c466511 VirusTotal Malware wscript.exe payload download Tofsee
URLs (2):
  http://paste.ee/d/wVH5z
  https://paste.ee/d/wVH5z
Hosts (2):
  paste.ee(104.21.84.67) - mailcious
  172.67.187.200 - mailcious
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | M | 4 | ZeroCERT

9292 | 2024-01-27 16:00
hotels.exe 77709112275d51ebd4d9491673c93a62 .NET framework(MSIL) UPX Malicious Library Socket ScreenShot Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File .NET EXE DLL OS Processor Check PNG Format ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (1):
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
  ipinfo.io(34.117.186.192)
  db-ip.com(104.26.5.15)
  5.75.172.21
  172.67.75.166
  34.117.186.192
Signatures (7):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
19.0 | | 25 | ZeroCERT

9293 | 2024-01-27 16:10
amers.exe a2694e00b509f5192ab406b4c4dbd5d4 Amadey RedLine Infostealer RedlineStealer RedLine stealer UltraVNC Generic Malware NSIS UPX Malicious Library Antivirus Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File PNG Format OS Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner
URLs (24):
  http://109.107.182.3/cost/niks.exe
  http://109.107.182.3/lego/alex.exe - rule_id: 39110
  http://109.107.182.3/lego/moto.exe - rule_id: 39111
  http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
  http://185.215.113.68/mine/stan.exe - rule_id: 39114
  http://109.107.182.3/lego/crypted.exe - rule_id: 39115
  http://109.107.182.3/cost/ko.exe
  http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
  http://109.107.182.3/cost/vinu.exe
  http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
  http://185.172.128.109/syncUpd.exe - rule_id: 39052
  http://185.172.128.19/latestrocki.exe - rule_id: 39054
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://109.107.182.3/lego/2024.exe - rule_id: 39120
  http://185.215.113.68/theme/index.php - rule_id: 38935
  https://www.google.com/favicon.ico
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0ZvGCz0fk8hqCTekN1L6IFObRSt0FnIziWyOpr8xOZhORjutgVOlbm595iNSmRYmohWq9E&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1191012356%3A1706338947208913
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0LeW44r7VVR74bP_-DTZ1tUx2XPR-89LBFra8MZNpjPX0WU1E7ZoU1WTHj5ozbI1pULjHf
  https://accounts.google.com/generate_204?oMaQNA
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
Hosts (26):
  db-ip.com(172.67.75.166)
  www.google.com(142.250.76.132)
  ssl.gstatic.com(142.250.76.131)
  ipinfo.io(34.117.186.192)
  i.alie3ksgaa.com(154.92.15.189) - mailcious
  pastebin.com(104.20.67.143) - mailcious
  zeph-eu2.nanopool.org(51.195.138.197) - mailcious
  accounts.google.com(64.233.188.84)
  94.156.67.230
  193.233.132.62 - mailcious
  172.67.75.166
  195.20.16.103 - mailcious
  185.215.113.68 - malware
  5.42.64.33 - mailcious
  172.217.25.4 - suspicious
  185.172.128.90 - mailcious
  108.177.97.84
  34.117.186.192
  104.20.68.143 - mailcious
  185.172.128.19 - mailcious
  154.92.15.189 - mailcious
  51.15.61.114
  114.108.166.96
  185.172.128.109 - malware
  109.107.182.3 - mailcious
  142.250.204.99
Signatures (25):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
  ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
  ET HUNTING Download Request Containing Suspicious Filename - Crypted
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Family Activity (Response)
Rule-matched URLs (11):
  http://109.107.182.3/lego/alex.exe
  http://109.107.182.3/lego/moto.exe
  http://185.215.113.68/theme/Plugins/cred64.dll
  http://185.215.113.68/mine/stan.exe
  http://109.107.182.3/lego/crypted.exe
  http://185.172.128.90/cpa/ping.php
  http://185.215.113.68/theme/Plugins/clip64.dll
  http://185.172.128.109/syncUpd.exe
  http://185.172.128.19/latestrocki.exe
  http://109.107.182.3/lego/2024.exe
  http://185.215.113.68/theme/index.php
25.6 | M | | ZeroCERT

9294 | 2024-01-28 10:00
ko.exe f7942f50665070dee333d0df2bebc4c6 Generic Malware Malicious Library UPX Code injection AntiDebug AntiVM PE32 PE File OS Processor Check MSOffice File Browser Info Stealer VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities malicious URLs installed browsers check Tofsee Ransomware Windows Exploit Browser DNS crashed
URLs (8):
  https://www.google.com/favicon.ico
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp2nVIT-_JIwIi3-MDUsz3bxxTyczYU2E_0mxE6Z7OGpr1sV2Sb-w7rPHn7z745xx-jF96pazw
  https://accounts.google.com/generate_204?gYg_LA
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp3cH1IHBBxj7z9KBB591Z5_GSdD_Lq-mVf0ijv_RhuU12_w1wh_c3NPmMNlOMTEqt9p65VQ1A&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-587006607%3A1706403341784438
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
Hosts (6):
  ssl.gstatic.com(142.250.76.131)
  accounts.google.com(64.233.188.84)
  www.google.com(142.250.207.100)
  172.217.27.36
  172.217.31.3
  64.233.188.84
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | | 16 | ZeroCERT

9295 | 2024-01-28 10:01
ORDEN_EMBARGO.js 7874b7e03b57bb11f63f6a0904f51296 Generic Malware Antivirus ActiveXObject VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://cdn.discordapp.com/attachments/1196835353152200777/1197210017439428608/remcossiiii.txt
  https://wallpapercave.com/uwp/uwp4234125.png
Hosts (2):
  wallpapercave.com(104.22.53.71) - malware
  104.22.53.71 - mailcious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.0 | | 9 | ZeroCERT

9296 | 2024-01-28 10:02
neweraroc.exe 796f63c42ca69a07ce61a45fcbed1c8d Generic Malware NSIS Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE32 PE File .NET EXE PNG Format OS Processor Check PE64 ZIP Format MZP Format JPEG Format BMP Format ftp CHM Format DLL icon CAB MSOffice Fi VirusTotal Cryptocurrency Miner Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Ransomware Windows ComputerName DNS CoinMiner
URLs (2):
  http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
  http://185.172.128.109/syncUpd.exe - rule_id: 39052
Hosts (7):
  zeph-eu2.nanopool.org(51.195.43.17) - mailcious
  pastebin.com(172.67.34.170) - mailcious
  5.42.64.33 - mailcious
  51.68.137.186 - mailcious
  185.172.128.90 - mailcious
  185.172.128.109 - malware
  104.20.67.143 - mailcious
Signatures (7):
  ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
  ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (2):
  http://185.172.128.90/cpa/ping.php
  http://185.172.128.109/syncUpd.exe
11.6 | M | 51 | ZeroCERT

9297 | 2024-01-28 10:05
360TS_Setup_Mini_WW.Ginmobi.CP... 3016285c9eb979ba1703d25012457567 HermeticWiper PhysicalDrive Generic Malware Malicious Library Malicious Packer Downloader UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges PWS Internet API AntiDebug AntiVM PE32 PE File CAB OS Processor Check DLL DllRegiste VirusTotal Malware PDB Check memory Creates executable files ICMP traffic unpack itself AppData folder malicious URLs AntiVM_Disk China anti-virtualization VM Disk Size Check Tofsee Windows Remote Code Execution DNS keylogger
URLs (8):
  http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=5AB68050645C22B305C3DDFD067536BA&p2p=1&t_id=360TS_Setup.exe&tads=16865916&tdl=101195496&tds=17031830&terr=0&tes=Status|1,ErrorCode|0,DnCount|23,HttpNum|18,DnFailCount|22,FStatus|1,P2SS|101195496,P2PS|0,PDMode|3&tfl=101195496&tp=t&tst=1&ttdl=101195496&ttm=6063&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS
  http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.Ginmobi.CPI202401&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=9
  http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1073.exe
  http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
  http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=655&tdl=655&tds=655&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,DnFailCount|6,FStatus|1,P2SS|655,P2PS|0,PDMode|2&tfl=655&tp=t&tst=1&ttdl=655&ttm=1000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS
  http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.Ginmobi.CPI202401&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=153
  http://sd.p.360safe.com/6F79A56EEE9CC4E090829186AED7661C24328656.trt
  https://orion.ts.360.com/installapp?c=&ch=WW.Ginmobi.CPI202401&sch=0&ver=11.0.0.1073&lan=en&os=6.1-x64&mid=fa7bb520099706f4d9615c3663eacc55&time=1706411816&checksum=6FC809A9E95941BB8F2BC53F
Hosts (22):
  sd.p.360safe.com(54.230.169.15)
  tr.p.360safe.com(54.76.174.118)
  int.down.360safe.com(99.86.207.61)
  orion.ts.360.com(82.145.215.156)
  iup.360safe.com(54.230.61.39)
  st.p.360safe.com(54.77.42.29)
  s.360safe.com(54.255.136.181)
  54.230.61.65
  54.255.136.181
  99.86.207.15
  54.254.196.234
  99.86.207.68
  54.230.169.15
  54.77.42.29
  82.145.215.152
  54.76.174.118
  54.230.61.95
  54.230.61.39
  54.230.61.34
  99.86.207.16
  99.86.207.61
  125.253.92.50
Signatures (5):
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
  ET POLICY PE EXE or DLL Windows file download HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.6 | | 3 | ZeroCERT

9298 | 2024-01-29 08:00
vinu.exe b999d160106e9c1cc130e81cb65cb6c1 Malicious Packer Anti_VM PE32 PE File Malware download Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (2):
  http://www.maxmind.com/geoip/v2.1/city/me
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (12):
  ipinfo.io(34.117.186.192)
  db-ip.com(172.67.75.166)
  www.maxmind.com(104.18.145.235)
  172.67.75.166
  104.18.146.235
  185.172.128.19 - mailcious
  34.117.186.192
  185.215.113.68 - malware
  193.233.132.62 - mailcious
  154.92.15.189 - mailcious
  109.107.182.3 - mailcious
  125.253.92.50
Signatures (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
5.6 | M | | ZeroCERT

9299 | 2024-01-29 08:02
btcgood.exe 52457d397f4d5abc4d9de5dc74fd42c5 Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check Browser Info Stealer Malware download Email Client Info Stealer Malware Check memory buffers extracted Creates shortcut unpack itself Collect installed applications IP Check installed browsers check Tofsee Browser Email ComputerName Trojan Banking DNS
Hosts (3):
  api.ipify.org(104.237.62.211)
  64.185.227.156
  89.208.103.177
Signatures (6):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
  SURICATA Applayer Protocol detection skipped
9.8 | M | | ZeroCERT

9300 | 2024-01-29 08:02
plata.exe 7c36240fbc9b608d4847cbaedf7f031a Malicious Packer UPX PE32 PE File Malware download Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (2):
  http://www.maxmind.com/geoip/v2.1/city/me
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (7):
  ipinfo.io(34.117.186.192)
  db-ip.com(104.26.5.15)
  www.maxmind.com(104.18.145.235)
  34.117.186.192
  104.18.146.235
  104.26.4.15
  193.233.132.62 - mailcious
Signatures (4):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.2 | | | ZeroCERT