10096 |
2024-06-11 14:45
|
DocuSign.vbs 73999f3f3808981c1470956082ebc738 VirusTotal Malware wscript.exe payload download Tofsee |
|
2
www.python.org(151.101.228.223) 146.75.48.223
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
7 |
ZeroCERT
10097 |
2024-06-11 14:47
|
DocuSign.url 1bb21d7cfa769080240279276bf0da2e AntiDebug AntiVM URL Format MSOffice File Malware Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
2
http://45.61.132.126/
http://45.61.132.126/Downloads\DocuSign.vbs
|
1
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
ZeroCERT
10098 |
2024-06-12 07:38
|
kenzo.exe fe7e4a096f69688dc594ef1fe7a776fd Malicious Packer PE32 PE File ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192) db-ip.com(104.26.4.15) 172.67.75.166 147.45.47.126 - mailcious 34.117.186.192
|
9
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (External IP) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound)
|
|
12.2 |
|
|
ZeroCERT
10099 |
2024-06-12 10:09
|
entirethingscleantogetlionsisa... 1ea13f7866b6cdb3407f6c7e72857b99 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://192.210.150.29/xampp/ebm/flowersandlionsbothgreatattitudeimage.bmp https://paste.ee/d/CJwKy
|
3
paste.ee(172.67.187.200) - mailcious 172.67.187.200 - mailcious 192.210.150.29 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
33 |
ZeroCERT
10100 |
2024-06-12 10:11
|
sevendaytounderstamndhowmuchsw... c272b9af2086b381b4e4fc7328897cf4 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://192.3.243.156/sparetuesdayparttss.png https://paste.ee/d/PFErN
|
3
paste.ee(104.21.84.67) - mailcious 104.21.84.67 - malware 192.3.243.156 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
37 |
ZeroCERT
10101 |
2024-06-12 13:25
|
bas.bat c3d227e82f84533c2918a6239b99ff2d Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName Cloudflare DNS Cryptographic key crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://stocks-army-malta-false.trycloudflare.com/qfv0ao.zip
|
4
stocks-army-malta-false.trycloudflare.com(104.16.231.132) 61.111.58.34 - malware
61.111.58.16 - suspicious
104.16.230.132 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
|
|
7.0 |
|
|
ZeroCERT
10102 |
2024-06-12 15:17
|
fb34_gate2.rar a229ecb9458451d9691f269857aec75d Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro DNS CoinMiner |
8
http://5.42.66.10/download/th/space.php - rule_id: 39944 http://5.42.99.177/api/crazyfish.php - rule_id: 40006 http://apps.identrust.com/roots/dstrootcax3.p7c http://5.42.99.177/api/twofish.php - rule_id: 40008 http://88.218.93.76/d/385135 http://5.42.66.10/download/123p.exe - rule_id: 39935 https://db-ip.com/demo/home.php?s= https://steamcommunity.com/profiles/76561199698764354
|
36
|
24
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI ET INFO TLS Handshake Failure SURICATA Applayer Mismatch protocol both directions ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO Executable Download from dotted-quad Host ET HUNTING Redirect to Discord Attachment Download ET INFO Packed Executable Download ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) SURICATA Applayer Wrong direction first Data
|
4
http://5.42.66.10/download/th/space.php http://5.42.99.177/api/crazyfish.php http://5.42.99.177/api/twofish.php http://5.42.66.10/download/123p.exe
|
4.2 |
M |
|
ZeroCERT
10103 |
2024-06-13 11:38
|
DIP.exe 3f02a2516380a49f81ae8e15e7f548cc Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Device_File_Check PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
|
2
api.ipify.org(104.26.13.205) 104.26.13.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
|
38 |
ZeroCERT
10104 |
2024-06-14 07:47
|
qgtplfgy2.exe 3d033b03106e5b46abde0df781c164d5 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Device_File_Check PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed |
|
2
cp8nl.hyperhost.ua(185.174.175.187) 185.174.175.187
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
M |
|
ZeroCERT
10105 |
2024-06-14 09:20
|
bin2.doc 118072abaca518e6ece93908a9fee1f4 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash suspicious TLD Tofsee Exploit DNS crashed |
17
|
16
|
3
ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO HTTP Request to a *.top domain
|
|
4.4 |
M |
33 |
ZeroCERT
10106 |
2024-06-14 09:22
|
bin1.doc ab6398c625d0ae23c0582ad07d044581 MS_RTF_Obfuscation_Objects RTF File doc Cobalt Strike Cobalt VirusTotal Malware c&c RWX flags setting exploit crash Tofsee Exploit DNS crashed |
|
19
|
4
ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP Request abnormal Content-Encoding header ET Threatview.io High Confidence Cobalt Strike C2 IP group 3
|
|
3.2 |
M |
32 |
ZeroCERT
10107 |
2024-06-14 09:24
|
sharo.doc 8b049d5e850fc75c1cef5edb8fc68feb Formbook MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed |
|
21
|
7
ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1 ET INFO HTTP Request to a *.top domain ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP Request abnormal Content-Encoding header ET HUNTING Possible COVID-19 Domain in SSL Certificate M2
|
12
|
3.6 |
M |
33 |
ZeroCERT
10108 |
2024-06-14 10:46
|
file.rar c6479683dc4b3a056b853c2f66e20998 Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro DNS CoinMiner |
10
|
36
|
25
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) SURICATA Applayer Mismatch protocol both directions ET INFO TLS Handshake Failure ET INFO Executable Download from dotted-quad Host ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Packed Executable Download ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Redirect to Discord Attachment Download ET INFO EXE - Served Attached HTTP ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) SURICATA Applayer Wrong direction first Data
|
7
http://5.42.66.10/download/th/space.php http://77.91.77.80/rome/kenzo.exe http://5.42.99.177/api/crazyfish.php http://5.42.99.177/api/twofish.php http://88.218.93.76/d/385135 http://5.42.66.10/download/123p.exe https://lop.foxesjoy.com/ssl/crt.exe
|
4.2 |
M |
|
ZeroCERT
10109 |
2024-06-14 18:39
|
licc.doc af079d569c6115b1f3998c7cce495168 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/pjkOs
http://216.9.224.18/2999/pillowgoodandcleanimg.png
|
3
paste.ee(104.21.84.67) - mailcious 172.67.187.200 - mailcious
216.9.224.18 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
29 |
ZeroCERT
10110 |
2024-06-14 18:40
|
rothc.doc 40d18ab9b48c16d917ab69e101fa45eb Formbook MS_RTF_Obfuscation_Objects RTF File doc Cobalt Strike Cobalt VirusTotal Malware c&c exploit crash unpack itself Tofsee Exploit DNS crashed |
|
23
|
7
ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Possible COVID-19 Domain in SSL Certificate M2 ET Threatview.io High Confidence Cobalt Strike C2 IP group 3 SURICATA HTTP Request abnormal Content-Encoding header
|
14
|
3.2 |
M |
32 |
ZeroCERT