| 10096 |
2024-06-11 14:45
|
 DocuSign.vbs 73999f3f3808981c1470956082ebc738
VirusTotal Malware wscript.exe payload download Tofsee |
|
2
www.python.org(151.101.228.223)
146.75.48.223
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10097 |
2024-06-11 14:47
|
 DocuSign.url 1bb21d7cfa769080240279276bf0da2e
AntiDebug AntiVM URL Format MSOffice File Malware Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
2
http://45.61.132.126/
http://45.61.132.126/Downloads\DocuSign.vbs
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10098 |
2024-06-12 07:38
|
 kenzo.exe fe7e4a096f69688dc594ef1fe7a776fd
Malicious Packer PE32 PE File ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
172.67.75.166
147.45.47.126 - mailcious
34.117.186.192
|
9
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
|
|
12.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10099 |
2024-06-12 10:09
|
entirethingscleantogetlionsisa... 1ea13f7866b6cdb3407f6c7e72857b99
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://192.210.150.29/xampp/ebm/flowersandlionsbothgreatattitudeimage.bmp
https://paste.ee/d/CJwKy
|
3
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
192.210.150.29 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10100 |
2024-06-12 10:11
|
sevendaytounderstamndhowmuchsw... c272b9af2086b381b4e4fc7328897cf4
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://192.3.243.156/sparetuesdayparttss.png
https://paste.ee/d/PFErN
|
3
paste.ee(104.21.84.67) - mailcious
104.21.84.67 - malware
192.3.243.156 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10101 |
2024-06-12 13:25
|
 bas.bat c3d227e82f84533c2918a6239b99ff2d
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName Cloudflare DNS Cryptographic key crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://stocks-army-malta-false.trycloudflare.com/qfv0ao.zip
|
4
stocks-army-malta-false.trycloudflare.com(104.16.231.132)
61.111.58.34 - malware
61.111.58.16 - suspicious
104.16.230.132 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
|
|
7.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10102 |
2024-06-12 15:17
|
fb34_gate2.rar a229ecb9458451d9691f269857aec75d
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro DNS CoinMiner |
8
http://5.42.66.10/download/th/space.php - rule_id: 39944
http://5.42.99.177/api/crazyfish.php - rule_id: 40006
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5.42.99.177/api/twofish.php - rule_id: 40008
http://88.218.93.76/d/385135
http://5.42.66.10/download/123p.exe - rule_id: 39935
https://db-ip.com/demo/home.php?s=
https://steamcommunity.com/profiles/76561199698764354
|
36
db-ip.com(104.26.4.15)
pool.hashvault.pro(125.253.92.50) - mailcious
cdn-download.avgbrowser.com(23.1.236.116)
api64.ipify.org(104.237.62.213)
bitbucket.org(104.192.141.1) - malware
api.myip.com(172.67.75.163)
steamcommunity.com(104.106.57.101) - mailcious
iplogger.org(104.21.4.208) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.186.192)
lop.foxesjoy.com(172.67.159.232) - malware
cdn.discordapp.com(162.159.135.233) - malware
vk.com(87.240.132.78) - mailcious
raw.githubusercontent.com(185.199.108.133) - malware
104.71.154.102
182.162.106.33 - malware
104.26.5.15
104.21.4.208
147.45.47.126 - mailcious
185.199.111.133 - mailcious
34.117.186.192
149.154.167.99 - mailcious
95.217.135.112
162.159.130.233 - malware
104.21.66.124 - malware
104.237.62.213
77.91.77.80 - malware
5.42.66.10 - malware
104.192.141.1 - mailcious
121.254.136.9
125.253.92.50
5.42.99.177 - mailcious
104.26.9.59
23.33.184.247
88.218.93.76
87.240.132.72 - mailcious
|
24
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO Executable Download from dotted-quad Host
ET HUNTING Redirect to Discord Attachment Download
ET INFO Packed Executable Download
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SURICATA Applayer Wrong direction first Data
|
4
http://5.42.66.10/download/th/space.php
http://5.42.99.177/api/crazyfish.php
http://5.42.99.177/api/twofish.php
http://5.42.66.10/download/123p.exe
|
4.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10103 |
2024-06-13 11:38
|
 DIP.exe 3f02a2516380a49f81ae8e15e7f548cc
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Device_File_Check PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
|
2
api.ipify.org(104.26.13.205)
104.26.13.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10104 |
2024-06-14 07:47
|
 qgtplfgy2.exe 3d033b03106e5b46abde0df781c164d5
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Device_File_Check PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed |
|
2
cp8nl.hyperhost.ua(185.174.175.187)
185.174.175.187
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10105 |
2024-06-14 09:20
|
bin2.doc 118072abaca518e6ece93908a9fee1f4
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash suspicious TLD Tofsee Exploit DNS crashed |
17
http://www.carolinappttery.com/q380/
http://www.ybw73.top/zfmd/?gSDpSqhg=Wy9Xy0arXTA/u2vvBYrKIOUBpzUpOEWJyNtxnnOaFAzOmZ+G/QUaP7IPedalQRfZTnOTlfhQhpBKLAk/X9K39OImH5VRArdmcUQpro/j/mKcwsNXkqPqNRMPQWcketlQaFqDwMQ=&zd=lHTo3CucwT
http://www.aritum.top/f2qc/?gSDpSqhg=+PlbwI8tNruUpga2nartzvIoOczIwOvbU1ANxXfMuvMQEzSRrWQM3cmspk1IFvcCMV40t1yig50Ax37YShWjrdIjOvIEgJJROzqkte3OBXYcjah0B7lnBY2SKVXOZr2cpq5/qwU=&zd=lHTo3CucwT
http://www.aritum.top/f2qc/
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip
http://www.ybw73.top/zfmd/
http://www.carolinappttery.com/q380/?gSDpSqhg=ehUrFCKl0QR4T29AJZh5dRT/ZDPm9qTvUW59H2BhLEsiO0kIW28uNcfa56DEKhzH0iD+lYFdD8RRxblUIft60LyxhWLZTQGF9CEZTcwXHMEEzcDS8bPwZbiqnYj5NbIEEA54k2w=&zd=lHTo3CucwT
http://www.sjzsls.com/9ypd/
http://www.winnscce.com/xk70/?gSDpSqhg=E9dNAQXSau8gxD7ycO4dLfQfH5YRjq6/aXbIhWqdNKhuK+zum8oLAEgkUh6j+ec/Dsz5NNoJPY83q7uKVhR+kQSzALNmdhL2cm95N3pKuY1dSsInVS8QGD1t6OErSJExWBCOe4E=&zd=lHTo3CucwT
http://www.w90dm.top/8ms4/
http://www.ay62m.top/orwn/
http://www.sjzsls.com/9ypd/?gSDpSqhg=Fp4YMLPzXpbUfY9ET0WH3a72p3fXf7YhU2uVF/1Su8SRdO97GHvogqvz+96x72oMEQq3eHyW0zw8RVfXjuFBE/DSpz5ZNszOE2hxgYcLkAt/YsxuqXlLrzOhs3BZhOu+6KXTzoA=&zd=lHTo3CucwT
http://www.ay62m.top/orwn/?gSDpSqhg=3cBNLJTm2SpTWV5+FkCnTYkROdg55TQjKQDEk1HDa97easJD35wZE2GMsxRselnzvm7j4PFdEanRmF1YrarFthUoWpYtpzXpGMx8vyWuQ49fEDOcUJzL6xCqo7J2o8DZINEYFF8=&zd=lHTo3CucwT
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.w90dm.top/8ms4/?gSDpSqhg=udGRhKSFzWywOShfg4LrArlkOSU57jdgfHHoAEODJUB2/fB/f7uvWahs0ChcgR3p3uHY1bC8mP+rUPbsneCLatPp1qyYsRzD0wOOKHTt4GdecEtntAcROmt09OnVjaXmhkctiwE=&zd=lHTo3CucwT
http://www.winnscce.com/xk70/
https://dukeenergyltd.top/bin2.scr
|
16
www.aritum.top(203.161.55.102)
dukeenergyltd.top(172.67.134.136) - malware
www.sjzsls.com(154.212.44.122) - mailcious
www.carolinappttery.com(123.58.214.101)
www.winnscce.com(123.58.214.101)
www.ay62m.top(38.47.207.132)
www.ybw73.top(38.47.232.233)
www.w90dm.top(38.47.232.178)
38.47.232.178
203.161.55.102
38.47.232.233
154.212.44.122 - mailcious
38.47.207.132
45.33.6.223
172.67.134.136 - malware
123.58.214.101
|
3
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to a *.top domain
|
|
4.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10106 |
2024-06-14 09:22
|
bin1.doc ab6398c625d0ae23c0582ad07d044581
MS_RTF_Obfuscation_Objects RTF File doc Cobalt Strike Cobalt VirusTotal Malware c&c RWX flags setting exploit crash Tofsee Exploit DNS crashed |
|
19
dukeenergyltd.top(104.21.25.202) - malware
www.ekvassf.store()
www.baldjourney.com(35.212.60.56)
www.themirrorproject.org()
www.planningexcellence.org(104.21.68.117)
www.heolty.xyz(162.0.238.43)
www.5597043.com(172.66.47.183)
www.mildhicky.com(149.88.71.203)
www.usebanq.com(198.54.117.242)
www.vt0lcffi5.sbs(47.239.13.172)
47.239.13.172
35.212.60.56
172.66.44.73
198.54.117.242 - mailcious
45.33.6.223
172.67.134.136 - malware
149.88.71.203
162.0.238.43
104.21.68.117
|
4
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP Request abnormal Content-Encoding header
ET Threatview.io High Confidence Cobalt Strike C2 IP group 3
|
|
3.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10107 |
2024-06-14 09:24
|
sharo.doc 8b049d5e850fc75c1cef5edb8fc68feb
Formbook MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed |
|
21
www.primeplay88.org(91.195.240.19) - mailcious
covid19help.top(172.67.175.222) - mailcious
www.kinkynerdspro.blog(94.23.162.163) - mailcious
www.touchclean.top(67.223.117.189)
www.99b6q.xyz() - mailcious
www.mrart.co.kr(183.111.183.31) - mailcious
www.besthomeincome24.com() - mailcious
www.ibistradingco.com(191.101.228.74)
www.terelprime.com(66.96.161.166) - mailcious
www.xn--matfrmn-jxa4m.se(194.9.94.86) - mailcious
www.aceautocorp.com(198.12.241.35) - mailcious
91.195.240.19 - mailcious
67.223.117.189
54.38.220.85 - mailcious
93.127.196.69
66.96.161.166 - mailcious
172.67.175.222 - mailcious
45.33.6.223
194.9.94.85 - mailcious
183.111.183.31 - mailcious
198.12.241.35 - mailcious
|
7
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1
ET INFO HTTP Request to a *.top domain
ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP Request abnormal Content-Encoding header
ET HUNTING Possible COVID-19 Domain in SSL Certificate M2
|
12
http://www.kinkynerdspro.blog/ufuh/
http://www.terelprime.com/ufuh/
http://www.aceautocorp.com/ufuh/
http://www.aceautocorp.com/ufuh/
http://www.xn--matfrmn-jxa4m.se/ufuh/
http://www.mrart.co.kr/ufuh/
http://www.primeplay88.org/ufuh/
http://www.terelprime.com/ufuh/
http://www.xn--matfrmn-jxa4m.se/ufuh/
http://www.primeplay88.org/ufuh/
http://www.mrart.co.kr/ufuh/
http://www.kinkynerdspro.blog/ufuh/
|
3.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10108 |
2024-06-14 10:46
|
file.rar c6479683dc4b3a056b853c2f66e20998
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro DNS CoinMiner |
10
http://5.42.66.10/download/th/space.php - rule_id: 39944
http://77.91.77.80/rome/kenzo.exe - rule_id: 40187
http://5.42.99.177/api/crazyfish.php - rule_id: 40006
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5.42.99.177/api/twofish.php - rule_id: 40008
http://88.218.93.76/d/385135 - rule_id: 40184
http://5.42.66.10/download/123p.exe - rule_id: 39935
https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188
https://steamcommunity.com/profiles/76561199699680841
https://db-ip.com/demo/home.php?s=
|
36
db-ip.com(172.67.75.166)
pool.hashvault.pro(131.153.76.130) - mailcious
cdn-download.avgbrowser.com(104.100.168.115)
api64.ipify.org(173.231.16.77)
api.myip.com(104.26.9.59)
steamcommunity.com(23.66.133.162) - mailcious
lop.foxesjoy.com(104.21.66.124) - malware
t.me(149.154.167.99) - mailcious
iplogger.org(104.21.4.208) - mailcious
ipinfo.io(34.117.186.192)
bitbucket.org(104.192.141.1) - malware
cdn.discordapp.com(162.159.133.233) - malware
vk.com(93.186.225.194) - mailcious
raw.githubusercontent.com(185.199.111.133) - malware
185.199.109.133 - mailcious
87.240.129.133 - mailcious
104.26.5.15
104.21.4.208
147.45.47.126 - mailcious
23.1.179.144 - mailcious
34.117.186.192
121.254.136.18
23.43.165.105
149.154.167.99 - mailcious
104.21.66.124 - malware
65.109.240.138
104.237.62.213
5.42.99.177 - mailcious
5.42.66.10 - malware
104.192.141.1 - mailcious
23.52.128.153
125.253.92.50
162.159.134.233 - malware
104.26.9.59
77.91.77.80 - malware
88.218.93.76 - mailcious
|
25
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SURICATA Applayer Mismatch protocol both directions
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Packed Executable Download
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Redirect to Discord Attachment Download
ET INFO EXE - Served Attached HTTP
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
SURICATA Applayer Wrong direction first Data
|
7
http://5.42.66.10/download/th/space.php
http://77.91.77.80/rome/kenzo.exe
http://5.42.99.177/api/crazyfish.php
http://5.42.99.177/api/twofish.php
http://88.218.93.76/d/385135
http://5.42.66.10/download/123p.exe
https://lop.foxesjoy.com/ssl/crt.exe
|
4.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10109 |
2024-06-14 18:39
|
licc.doc af079d569c6115b1f3998c7cce495168
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/pjkOs
http://216.9.224.18/2999/pillowgoodandcleanimg.png
|
3
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
216.9.224.18 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10110 |
2024-06-14 18:40
|
rothc.doc 40d18ab9b48c16d917ab69e101fa45eb
Formbook MS_RTF_Obfuscation_Objects RTF File doc Cobalt Strike Cobalt VirusTotal Malware c&c exploit crash unpack itself Tofsee Exploit DNS crashed |
|
23
www.themirrorproject.org() - mailcious
www.tpsideanchor.com(154.38.187.252)
www.5597043.com(172.66.47.183) - mailcious
covid19help.top(172.67.175.222) - mailcious
www.baldjourney.com(35.212.60.56) - mailcious
www.ekvassf.store() - mailcious
www.planningexcellence.org(172.67.195.9) - mailcious
www.heolty.xyz(162.0.238.43) - mailcious
www.usebanq.com(198.54.117.242) - mailcious
www.mildhicky.com(149.88.71.203) - mailcious
www.ar-robotics.com(34.149.87.45)
www.vt0lcffi5.sbs(47.239.13.172) - mailcious
47.239.13.172 - mailcious
35.212.60.56 - mailcious
172.66.44.73
34.149.87.45 - phishing
172.67.195.9
154.38.187.252
198.54.117.242 - mailcious
104.21.83.128 - mailcious
45.33.6.223
149.88.71.203 - mailcious
162.0.238.43 - mailcious
|
7
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1
ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Possible COVID-19 Domain in SSL Certificate M2
ET Threatview.io High Confidence Cobalt Strike C2 IP group 3
SURICATA HTTP Request abnormal Content-Encoding header
|
14
http://www.usebanq.com/8lx9/
http://www.mildhicky.com/i5j9/
http://www.baldjourney.com/bgvg/
http://www.mildhicky.com/i5j9/
http://www.5597043.com/twtt/
http://www.5597043.com/twtt/
http://www.heolty.xyz/fo0a/
http://www.vt0lcffi5.sbs/l7g9/
http://www.baldjourney.com/bgvg/
http://www.planningexcellence.org/uid7/
http://www.planningexcellence.org/uid7/
http://www.vt0lcffi5.sbs/l7g9/
http://www.usebanq.com/8lx9/
http://www.heolty.xyz/fo0a/
|
3.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|