10051 | 2024-06-05 09:19
obiz.scr 3a050f5830ff95d1858e94f231f7ea4b
AgentTesla Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
1 |
2 |
api.ipify.org(104.26.13.205)
104.26.13.205
3 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.4 | | 39 | ZeroCERT

10052 | 2024-06-05 09:23
lionsarekingofthejunglewhichcr... 96094535fe4ae7ea46eb3df5e0b45231
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
2 |
http://185.222.58.78/300333/lionsgetgorestkingenitreworldimage.bmp
https://paste.ee/d/uRpyT - rule_id: 40036
3 |
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
185.222.58.78 - mailcious
3 |
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
1 |
4.2 | M | 39 | ZeroCERT

10053 | 2024-06-05 23:26
ICARUS.Setup.exe 225fcf1e03e30b492bd0aef35969329b
Emotet Gen1 NSIS Generic Malware Malicious Library UPX Malicious Packer Anti_VM Javascript_Blob PE File PE32 DLL PE64 OS Processor Check DllRegisterServer dll BMP Format Lnk Format GIF Format icon VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Auto service Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Tofsee Ransomware GameoverP2P Interception Zeus Windows ComputerName Trojan Banking
3 |
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3c775e75-aff8-4af1-aede-7a5c0349aa0b?P1=1718201907&P2=404&P3=2&P4=WiuGZ5IY9kx3eECOliePn%2bZR2Oa2T%2fIA6AoadHbz1e2TomQPzt6zla8iSDn3KibvVKZ7rCsNDdx37Vncvson%2bw%3d%3d
https://msedge.api.cdp.microsoft.com/api/v1.1/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/latest?action=select
https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/125.0.2535.85/files?action=GenerateDownloadInfo&foregroundPriority=true
9 |
msedge.f.tlu.dl.delivery.mp.microsoft.com(199.232.214.172)
msedge.api.cdp.microsoft.com(20.114.58.89)
self.events.data.microsoft.com(20.189.173.3)
config.edge.skype.com(52.123.254.33)
23.56.109.165
13.107.42.16
13.89.179.9
13.95.26.4
51.104.15.252
2 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
13.0 | | 1 | guest

10054 | 2024-06-06 14:27
SetupTools.exe 5ec12277c0679d4761d265dd821f674f
Generic Malware Malicious Library UPX Antivirus PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell Telegram AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS Cryptographic key
2 |
api.telegram.org(149.154.167.220)
149.154.167.220
4 |
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | | 56 | guest

10055 | 2024-06-07 09:33
lenin.exe fb2f90584265d465b4046c9a4e7c9bfa
UPX PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
1 |
https://db-ip.com/demo/home.php?s=175.208.134.152
5 |
ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
104.26.5.15
34.117.186.192
147.45.47.126 - mailcious
9 |
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
16.0 | M | 38 | ZeroCERT

10056 | 2024-06-07 09:33
john.doc da2543ed3a6567896c950bfeb597814b
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed
25 |
https://universalmovies.top/john.scr
http://www.6666111p.vip/y3do/?Ugn9C=LOchJJI7j7x4RSIZOmRKrvMdEDW/MUxucIo24swAQXAkKIo03dsxd6yGfyoydnm7SmxXMXwHD0q4GFP2LgOY7CsTmAi6O8Bpro54P9T4NSt7/iYty+/boiJQGB1N3z+f5OnconY=&Pk=WONpQ
http://www.6666111p.vip/y3do/
http://www.sjzsls.com/9s2m/?Ugn9C=/AdC9GegXDS/vzNv1Epb/BfZDITsTVSRF0qSIgfFe+x3a1YrqDLlvj5NbVdHoQQDF7Kc5dLcM8fpOgktz/3sEUGAQfvn12WDGpve1l9b9ctB4wuylPXfAChK8iXjKhCfF0ELu94=&Pk=WONpQ
http://www.kvatromusic.online/yjik/
http://www.yetung.com/7ru5/?Ugn9C=ISPW+m88VBQNqH+k3JW84YG5Fk7QLrErwcAnWTSXodWIF9bOo25oIut7GSly+JY6T9/fHFYUtdHtiF5inQf0UQqeKTQ7bI9uaPa6a3iFF9Uz86xGPiVez/GDzFjvFDmTYUOptkY=&Pk=WONpQ
http://www.silverbrit.info/kj8f/?Ugn9C=4t9Vdj82cePVf5tb2btNPfj+cF91LcmybOtR99dnAhd1RJtV43KyF44o/jxPyXILLT2c7dvr4ObZNHuTbQFO2r18ofp9GNB90rnp1Ohw/CJp1ZbSd7nYHKYFKR9pZcLJ+FI+J6g=&Pk=WONpQ
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.beescy.xyz/pdwc/
http://www.stellardaysigning.com/xb5p/
http://www.kvatromusic.online/yjik/?Ugn9C=gdGtnhc9ASA4qX4b34OgRoYxE/bD+nb59vJiz4FtHHCSzpBYLiuXgNVcIgjaJpSMIjXnBANqWDNRr5Ocy1GAv43NZgQpgrLVhi6C63ziyaNAbXqEiKgPKznZLTw5BnTXjQFFRAg=&Pk=WONpQ
http://www.double2nllc.com/lphk/?Ugn9C=QQ9AzHzvXAdOb0MPNLfjUpWPUVpZplRrayXzypMYhteyq/MKivL68z82kZS9u6bhgeBbY+QYkFf+kg9uvjJAnI3fPdAT94WYiFSy6W9ZWxao1mFD7NGeSFfqjgfGWtv75CStAYk=&Pk=WONpQ
http://www.yetung.com/7ru5/
http://www.fullmoonbird.com/c8sr/
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.hsck520.com/0tno/?Ugn9C=0cMGHWchhwDqjfnLTJDBZveg9su8HvUeph8XCipGvt+qmCtRZPbLeKFNzMXXlvLfrfTQKCJHTw1MhSXlslZDoNUiVnTSVKsqzzLfuZrJDhCegOsSgpp1goso0jrOzq9yXpycRq0=&Pk=WONpQ
http://www.jx2493.com/pozw/?Ugn9C=JIthcwf9sV4p+C20h/op7zy5aemm7SHr7Am9g1UXd9f/iLUD4eooIAhG548dbPLUr+vOyGwxDijlULi7DZZIjWvc3k9KEblL0qsgRpAZgA0owE5+Y5cgNDkhDspksm+EjunSeOk=&Pk=WONpQ
http://www.stellardaysigning.com/xb5p/?Ugn9C=j+BD0p8WhtBdy7Wd/KfVtBKjF7uQGjkUu2IQ9c2WN0jGyCZp1k8Rj1+VKsyVC4FAIa7rNa0t7jcnj4LfrYK/jtIwEqPY6NFmTaOReXQoO8B2hiELl0EMSu8ktx1OCucJ4jnvo9M=&Pk=WONpQ
http://www.silverbrit.info/kj8f/
http://www.hsck520.com/0tno/
http://www.fullmoonbird.com/c8sr/?Ugn9C=zxCFcO6tuZe6Dlje2mnTfb6r7hCrJw1WRvLQy3p8EhQbFOxorE0QYFIsUppT5UxA2U7/AhBO7aGzpI5DsnNWO/n9u3OyDwlwLJozLrszN4iVUZEIkN4QT6y8EX8/9tm01YM9dRM=&Pk=WONpQ
http://www.sjzsls.com/9s2m/
http://www.jx2493.com/pozw/
http://www.double2nllc.com/lphk/
http://www.beescy.xyz/pdwc/?Ugn9C=YGoy3hUgePQdZVGVI2JgguyNtFd/fyj/zkAvTLDf/KtKm9LDDFlO5Xfik+cH5iVSfdOqayVG+ARiT1VFNZO4tzOVhNMvL1fpmyaeyhkJTFsxeS49wBXCfHO+yKB+0kMKDU35Y5s=&Pk=WONpQ
25 |
www.sjzsls.com(154.212.44.122)
www.double2nllc.com(84.32.84.32)
www.kvatromusic.online(37.140.192.90)
www.yetung.com(121.37.199.72)
www.jx2493.com(103.195.51.41)
www.6666111p.vip(35.186.221.100)
www.fullmoonbird.com(172.67.176.31)
www.beescy.xyz(162.0.213.72)
universalmovies.top(104.21.74.191) - malware
www.hsck520.com(35.190.52.58)
www.stellardaysigning.com(13.248.213.45)
www.silverbrit.info(217.160.230.215)
121.37.199.72
104.21.48.23
35.190.52.58
13.248.213.45
37.140.192.90
84.32.84.32 - mailcious
35.186.221.100
162.0.213.72
103.195.51.41
154.212.44.122
45.33.6.223
217.160.230.215
104.21.74.191 - malware
2 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
4.4 | M | 33 | ZeroCERT

10057 | 2024-06-07 09:36
lionsarekingofthejunglewhotrul... c5af2617421f885a9772a4b51b80cb2a
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
2 |
http://103.182.19.148/6060/pointingthejunglelionontheimagescool.bmp
https://paste.ee/d/SrD1H
3 |
paste.ee(172.67.187.200) - mailcious
103.182.19.148 - malware
104.21.84.67 - malware
2 |
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | 38 | ZeroCERT

10058 | 2024-06-07 09:39
IGCC.exe 29b2b081df5861fed9651766f37b7738
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
1 |
2 |
api.ipify.org(104.26.13.205)
172.67.74.152
3 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.6 | | 28 | ZeroCERT

10059 | 2024-06-07 09:41
DZP.exe 8cc057c58bd59166922b1a6fbf9a0ec7
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
1 |
2 |
api.ipify.org(104.26.13.205)
172.67.74.152
3 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.4 | | 23 | ZeroCERT

10060 | 2024-06-07 09:43
lsass.exe e0354350b177887076f4c89567e0af8d
PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key
2 |
www1.militarydefensenow.com(34.192.83.212)
34.192.83.212
3 |
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | 50 | ZeroCERT

10061 | 2024-06-07 09:43
lionsarekingandtheyalwaysliket... f6d2ec2d490d72ee7ba25907db5da25a
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
2 |
https://paste.ee/d/CjFLX
http://96.126.101.128/50809/lionsarekingofjungleimageswondering.bmp
3 |
paste.ee(172.67.187.200) - mailcious
104.21.84.67 - malware
96.126.101.128 - mailcious
2 |
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | M | 37 | ZeroCERT

10062 | 2024-06-07 09:47
interestedanglesayingsheismost... 2ae556f4c5d9590b352ad8d26fdee537
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed
2 |
https://api.ipify.org/
http://107.173.143.28/8080/IGCC.exe
3 |
api.ipify.org(172.67.74.152)
104.26.13.205
107.173.143.28 - malware
8 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 37 | ZeroCERT

10063 | 2024-06-07 09:47
lionsarekingandudfdidthekingof... 80190d1b737a846f31133525d9577514
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed
2 |
https://api.ipify.org/
http://107.173.143.28/90404/igcc.exe
3 |
api.ipify.org(104.26.12.205)
107.173.143.28 - malware
104.26.12.205
8 |
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4.6 | M | 37 | ZeroCERT

10064 | 2024-06-07 09:49
lionsarekingogthejunglewhorule... 56b4ddf6c247124f9bc633b06b169a84
MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed
1 |
http://67.207.166.175/T0406W/lsass.exe
3 |
www1.militarydefensenow.com(34.192.83.212)
67.207.166.175 - malware
34.192.83.212
9 |
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious lsass.exe in URI
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
3.2 | M | | ZeroCERT

10065 | 2024-06-07 09:51
liitletigersearchingforfoodwhi... 077e4cfa6534a69f9e8de8e5b83ba08c
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
2 |
https://paste.ee/d/eZNju
http://172.234.221.211/34009/lionsarebeautifulcomparewithothers.bmp
4 |
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
34.192.83.212
172.234.221.211 - malware
2 |
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 37 | ZeroCERT