| 10081 |
2024-06-08 05:11
|
 index.html 0227cfd904e99656279202032b98d4a7
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM StartPage Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10082 |
2024-06-08 05:13
|
 audit_log.html cfc4dd7a77f4dd5fa271fc822560302e
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10083 |
2024-06-08 05:26
|
 audit_log.html cfc4dd7a77f4dd5fa271fc822560302e
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM Code Injection unpack itself Windows utilities malicious URLs Tofsee Windows DNS |
|
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10084 |
2024-06-08 05:27
|
 export_file.html ba18e54410f8138a68ae1e581c241032
AntiDebug AntiVM Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10085 |
2024-06-08 17:44
|
 dude.exe aaf735aafa732fc96d2091354795185a
Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check icon MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
8
https://www.google.com/favicon.ico
https://accounts.google.com/generate_204?h1fWvw
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AS5LTAStUYgHXYd6dyrzYlv0rlNXWsy8KDcmbk61i6z1oK1cpRecjGypwowFoNYDjJy4FzHyYiwZOg
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AS5LTATsj2mzmMe9etAFGZRbGaNTsG4tOqdZIHJNt3wqGpQ2QarlByCCBLR3Uvd1sZcv0LJcjpdIzA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-2096241754%3A1717836011855520
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
6
ssl.gstatic.com(142.250.206.195)
accounts.google.com(64.233.188.84)
www.google.com(142.250.206.228)
173.194.174.84
142.251.222.195
172.217.24.228
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10086 |
2024-06-08 17:44
|
 lsass.exe 6293f7a0a604be58b31b34460fd5a71b
PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows |
|
2
theloftibiza.com(193.141.3.75)
193.141.3.75
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10087 |
2024-06-08 17:47
|
 HER.exe 004d48284a26569ed3220fd1fd4b7c31
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
|
2
api.ipify.org(172.67.74.152)
172.67.74.152
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10088 |
2024-06-09 09:20
|
 sila.exe 3e9ba4168fb1c8e4a8a3a69c4968abb3
Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
6
ipinfo.io(34.117.186.192)
db-ip.com(172.67.75.166)
45.33.6.223
172.67.75.166
147.45.47.126 - mailcious
34.117.186.192
|
9
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
|
|
13.8 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10089 |
2024-06-10 10:06
|
 Ucxnbz.exe 9399f672f1d34d17a26a1a6336cfdf6a
.NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows |
|
2
panel.xxxx.uz(46.226.160.88)
46.226.160.88
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10090 |
2024-06-10 10:08
|
 Nngraprczwe.exe 9e57a1210d8f8c3be8e109e888eb1cc4
.NET framework(MSIL) PE File .NET EXE PE32 Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows |
|
2
panel.xxxx.uz(46.226.160.88)
46.226.160.88
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10091 |
2024-06-10 10:10
|
 loader-1001.exe 58ca6d5068fa4fed981cf5ef8a04e4d5
NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 Pow VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Tofsee Windows ComputerName Cryptographic key crashed |
5
http://apps.identrust.com/roots/dstrootcax3.p7c
https://cdn-edge-node.com/online_security_mkl.exe - rule_id: 39716
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001 - rule_id: 39690
https://d2lvl7wmj7b91p.cloudfront.net/load/load.php?c=1001
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1001 - rule_id: 39689
|
9
d2lvl7wmj7b91p.cloudfront.net(54.230.169.96)
d22hce23hy1ej9.cloudfront.net(13.225.110.70) - mailcious
adblock2024.shop(104.21.43.83) - mailcious
cdn-edge-node.com(104.21.11.117) - mailcious
54.230.169.11
172.67.165.254 - mailcious
121.254.136.18
13.225.110.102
172.67.176.247
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
3
https://cdn-edge-node.com/online_security_mkl.exe
https://d22hce23hy1ej9.cloudfront.net/load/th.php
https://d22hce23hy1ej9.cloudfront.net/load/dl.php
|
10.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10092 |
2024-06-10 10:37
|
 DUU.exe e26a8ce5b2f2b9730cc15713a4b1d4a1
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
|
2
api.ipify.org(104.26.13.205)
104.26.12.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10093 |
2024-06-11 07:39
|
 conhost.exe 8378455f7c8a30d74b355adaf576a10b
XMRig Miner Emotet Cryptocurrency Miner Suspicious_Script_Bin Generic Malware CoinHive Cryptocurrency task schedule Downloader Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate pri VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key |
4
http://147.45.47.81/xmrig.exe
http://147.45.47.81/WatchDog.exe
http://147.45.47.81/WinRing0x64.sys
https://pastebin.com/raw/2qX4CwaY
|
3
pastebin.com(172.67.19.24) - mailcious
147.45.47.81 - malware
172.67.19.24 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.2 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10094 |
2024-06-11 09:22
|
alpha.doc 4447ab2143a08d8b67f131c4cbd9c316
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash suspicious TLD Tofsee Exploit DNS crashed |
1
https://dukeenergyltd.top/alpha.scr
|
2
dukeenergyltd.top(104.21.25.202) - malware
104.21.25.202 - malware
|
2
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10095 |
2024-06-11 14:43
|
 sign_now.vbs 539544ea65b5ecdb757d49fd92cc335dVirusTotal Malware wscript.exe payload download Tofsee |
|
2
www.python.org(151.101.108.223)
146.75.48.223
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.8 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|