10111 | 2024-06-14 18:42
Sample: hecto.doc (MD5 dd2d12d4f427963b4334a6f1061a252b)
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1): https://covid19help.top/hecto.scr
Hosts (3): covid19help.top(104.21.83.128) - mailcious; 45.33.6.223; 104.21.83.128 - mailcious
Alerts (5): ET DNS Query to a *.top domain - Likely Hostile; ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1; ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Possible COVID-19 Domain in SSL Certificate M2
4.0 | M | 27 | ZeroCERT

10112 | 2024-06-15 08:12
Sample: Appendix.jpg.lnk (MD5 b8be125e6f496b0d5856fd4c2b59d778)
Tags: Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Interception
URLs (3): http://x1.i.lencr.org/; https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=2 - rule_id: 40280; https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=2
Hosts (4): mailnepalarmymil.mods.email(91.223.208.175); x1.i.lencr.org(23.52.33.11); 91.223.208.175; 23.41.113.9
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1): https://mailnepalarmymil.mods.email/dispachofapc-46703841
4.6 | ZeroCERT

10113 | 2024-06-15 08:12
Sample: Bio Data Form.jpg.lnk (MD5 e10c8df203a7a195a44ee629fcf0c756)
Tags: Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Interception
URLs (3): http://x1.i.lencr.org/; https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=1 - rule_id: 40280; https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=1
Hosts (4): mailnepalarmymil.mods.email(91.223.208.175); x1.i.lencr.org(23.52.33.11); 91.223.208.175; 23.41.113.9
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1): https://mailnepalarmymil.mods.email/dispachofapc-46703841
5.2 | ZeroCERT

10114 | 2024-06-15 08:13
Sample: Dispatch of the APC HMLTV tech... (MD5 73a0170ea882989f6ffc3b4726a3ee56)
Tags: Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting Check virtual network interfaces suspicious process Tofsee Interception
URLs (3): http://x1.i.lencr.org/; https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0 - rule_id: 40280; https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0
Hosts (4): mailnepalarmymil.mods.email(91.223.208.175); x1.i.lencr.org(23.52.33.11); 91.223.208.175; 23.41.113.9
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1): https://mailnepalarmymil.mods.email/dispachofapc-46703841
4.8 | ZeroCERT

10115 | 2024-06-15 08:30
Sample: amadka.exe (MD5 5a12fd39ea2482c5ef29e1ca1fe5c083)
Tags: Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Themida Packer Malicious Library UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Http API PWS Code injection Anti_VM AntiDebug AntiVM PE File PE32 P Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Cryptocurrency Miner Malware powershell Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW VMware anti-virtualization IP Check human activity check installed browsers check Tofsee Stealer Windows Exploit Browser RisePro ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner
URLs (12): http://185.172.128.19/b2c2c1.exe; http://185.172.128.19/NewKindR.exe; http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300; http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037; http://147.45.47.155/ku4Nor9/index.php; http://185.172.128.19/FirstZ.exe - rule_id: 39930; http://apps.identrust.com/roots/dstrootcax3.p7c; http://77.91.77.81/lend/setup222.exe; http://x1.i.lencr.org/; http://77.91.77.81/lend/servoces64.exe; https://d1i94yju6i4l9g.cloudfront.net/setup.exe; https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (24): xmr-eu1.nanopool.org(146.59.154.106) - mailcious; db-ip.com(104.26.4.15); kmsandallapp.ru(31.31.198.35) - mailcious; d1i94yju6i4l9g.cloudfront.net(18.244.65.58); ipinfo.io(34.117.186.192); x1.i.lencr.org(23.52.33.11); pastebin.com(104.20.3.235) - mailcious; boredombusters.online(104.21.44.95); zeph-eu2.nanopool.org(163.172.171.111) - mailcious; 182.162.106.33 - malware; 51.15.89.13; 147.45.47.126 - mailcious; 163.172.154.142 - mailcious; 18.244.65.161; 185.172.128.19 - mailcious; 23.41.113.9; 172.67.198.131; 34.117.186.192; 147.45.47.155 - malware; 77.91.77.81 - mailcious; 31.31.198.35 - mailcious; 104.26.5.15; 172.67.19.24 - mailcious; 185.215.113.67 - mailcious
Alerts (22): ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET MALWARE [ANY.RUN] RisePro TCP (Activity); ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Redline Stealer/MetaStealer Family Activity (Response); ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET MALWARE [ANY.RUN] RisePro TCP (External IP); ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
Rule-matched URLs (3): http://185.172.128.19/ghsdh39s/index.php; http://77.91.77.81/Kiru9gu/index.php; http://185.172.128.19/FirstZ.exe
28.4 | M | ZeroCERT

10116 | 2024-06-16 10:04
Sample: ey.exe (MD5 ceb1b42233ced601bf691ffa63a305a9)
Tags: Generic Malware Malicious Packer Malicious Library UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger
URLs (3): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Hosts (9): drive.usercontent.google.com(142.250.206.193) - mailcious; docs.google.com(172.217.161.238) - mailcious; xred.mooo.com() - mailcious; freedns.afraid.org(69.42.215.252); www.dropbox.com(162.125.84.18) - mailcious; 69.42.215.252; 172.217.27.14; 142.251.130.1; 162.125.84.18 - mailcious
Alerts (2): ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | M | 67 | ZeroCERT

10117 | 2024-06-16 10:09
Sample: lenin.exe (MD5 93896624af562420c457d547b73dd197)
Tags: Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1): https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5): ipinfo.io(34.117.186.192); db-ip.com(172.67.75.166); 147.45.47.126 - mailcious; 104.26.4.15; 34.117.186.192
Alerts (9): ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE [ANY.RUN] RisePro TCP (External IP); ET MALWARE [ANY.RUN] RisePro TCP (Activity); ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration); ET MALWARE RisePro CnC Activity (Inbound)
13.8 | M | 41 | ZeroCERT

10118 | 2024-06-16 10:18
Sample: random.exe (MD5 0f2c5d3966f262c04af7eb8cbe26c78a)
Tags: Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Chec Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner
URLs (10): http://185.172.128.116/Mb3GvQs8/index.php; http://185.172.128.116/NewLatest.exe; http://185.172.128.116/Mb3GvQs8/index.php?scr=1; http://185.172.128.116/b2c2c1.exe; http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037; http://77.91.77.81/lend/monster.exe; http://185.172.128.19/FirstZ.exe - rule_id: 39930; http://apps.identrust.com/roots/dstrootcax3.p7c; http://77.91.77.81/lend/setup222.exe; http://x1.i.lencr.org/
Hosts (17): xmr-eu1.nanopool.org(51.15.58.224) - mailcious; kmsandallapp.ru(31.31.198.35) - mailcious; x1.i.lencr.org(23.40.44.214); pastebin.com(104.20.4.235) - mailcious; boredombusters.online(104.21.44.95); zeph-eu2.nanopool.org(51.68.137.186) - mailcious; 104.20.3.235 - malware; 185.172.128.19 - mailcious; 23.41.113.9; 172.67.198.131; 51.15.193.130; 77.91.77.81 - mailcious; 185.172.128.116; 51.68.137.186 - mailcious; 31.31.198.35 - mailcious; 121.254.136.9; 185.215.113.67 - mailcious
Alerts (17): ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Redline Stealer/MetaStealer Family Activity (Response); ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner); ET MALWARE Amadey Bot Activity (POST) M1
Rule-matched URLs (2): http://77.91.77.81/Kiru9gu/index.php; http://185.172.128.19/FirstZ.exe
20.0 | M | 41 | ZeroCERT

10119 | 2024-06-16 10:23
Sample: WB.exe (MD5 2ca46e1c431bc4a3e5a01921e1e13a50)
Tags: Emotet Generic Malware Downloader ASPack UPX Malicious Packer Malicious Library Anti_VM AntiDebug AntiVM PE File PE32 DllRegisterServer dll OS Processor Check JPEG Format DLL MZP Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser Advertising Google ComputerName Remote Code Execution DNS DDNS crashed keylogger
URLs (3): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Hosts (13): www.dropbox.com(162.125.84.18) - mailcious; drive.usercontent.google.com(142.250.206.193) - mailcious; freedns.afraid.org(69.42.215.252); docs.google.com(172.217.25.174) - mailcious; xred.mooo.com() - mailcious; ddos.dnsnb8.net(44.221.84.105) - mailcious; 142.250.66.129; 44.221.84.105; 51.15.193.130; 216.58.203.78; 38.147.172.248; 69.42.215.252; 162.125.84.18 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
17.0 | M | 32 | ZeroCERT

10120 | 2024-06-16 10:27
Sample: 3-1.exe (MD5 0c52be0ed6803e36100228e2b0671b4a)
Tags: Generic Malware Malicious Library ASPack UPX Malicious Packer AntiDebug AntiVM DllRegisterServer dll PE File PE32 OS Processor Check JPEG Format DLL MZP Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities AppData folder sandbox evasion Tofsee Windows Browser Advertising Google ComputerName Remote Code Execution DNS DDNS crashed keylogger
URLs (3): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Hosts (12): www.dropbox.com(162.125.84.18) - mailcious; drive.usercontent.google.com(142.250.207.97) - mailcious; freedns.afraid.org(69.42.215.252); docs.google.com(172.217.25.174) - mailcious; xred.mooo.com() - mailcious; smtp.163.com(103.129.252.45); 103.129.252.45; 142.250.66.129; 142.251.222.206; 38.147.172.248; 69.42.215.252; 162.125.84.18 - mailcious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA Applayer Detect protocol only one direction; ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
15.8 | M | 63 | ZeroCERT

10121 | 2024-06-16 10:36
Sample: 1234.exe (MD5 4d85d7bdb9b2d6163ebc289af01f023d)
Tags: HermeticWiper Generic Malware PhysicalDrive Malicious Packer Malicious Library Downloader UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges PWS Internet API AntiDebug AntiVM PE File PE32 CAB OS Processor Check DllRegisterSer PDB Check memory Creates executable files ICMP traffic unpack itself AppData folder malicious URLs AntiVM_Disk China anti-virtualization VM Disk Size Check Tofsee Windows Remote Code Execution
URLs (8): http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=653&tdl=653&tds=653&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,DnFailCount|6,FStatus|1,P2SS|653,P2PS|0,PDMode|2&tfl=653&tp=t&tst=1&ttdl=653&ttm=1000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS; http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab; http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.Sam.CPI202405&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=153; http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.Sam.CPI202405&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=9; http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=2C4D1463A89D6C425729E1EBD92D9A08&p2p=1&t_id=360TS_Setup.exe&tads=17298256&tdl=103789536&tds=17316439&terr=0&tes=Status|1,ErrorCode|0,DnCount|23,HttpNum|18,DnFailCount|22,FStatus|1,P2SS|103789536,P2PS|0,PDMode|3&tfl=103789536&tp=t&tst=1&ttdl=103789536&ttm=6062&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS; http://sd.p.360safe.com/8F105DD2B73CEC44783794041478D929FC616836.trt; http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1105.exe; https://orion.ts.360.com/installapp?c=&ch=WW.Sam.CPI202405&sch=0&ver=11.0.0.1105&lan=en&os=6.1-x64&mid=fa7bb520099706f4d9615c3663eacc55&time=1718502664&checksum=10FC50695A77DD5E36A7B75A
Hosts (20): sd.p.360safe.com(54.230.169.32); tr.p.360safe.com(54.76.174.118); int.down.360safe.com(54.230.176.104); orion.ts.360.com(82.145.215.156); iup.360safe.com(54.230.61.95); st.p.360safe.com(54.77.42.29); s.360safe.com(54.255.136.181); 54.230.61.65; 54.255.136.181; 54.230.176.36; 54.76.174.118; 54.77.42.29; 54.230.176.22; 54.230.169.19; 54.230.61.95; 82.145.215.156; 54.230.176.105; 54.230.176.104; 54.230.61.39; 54.230.61.34
Alerts (5): ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false); ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 | M | ZeroCERT

10122 | 2024-06-17 10:24
Sample: Taskbar.exe (MD5 0ee9a0317342d545c2bfd9e3fbd627f9)
Tags: Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Remote Code Execution Cryptographic key
Hosts (2): i.ibb.co(172.96.160.168) - mailcious; 172.96.160.183
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | M | 50 | ZeroCERT

10123 | 2024-06-17 13:29
Sample: setup222.exe (MD5 8677376c509f0c66d1f02c6b66d7ef90)
Tags: Downloader PE64 PE File VirusTotal Malware MachineGuid Creates executable files Check virtual network interfaces Tofsee
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3): boredombusters.online(104.21.44.95) - mailcious; 172.67.198.131; 121.254.136.18
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 32 | ZeroCERT

10124 | 2024-06-17 13:33
Sample: NewLatest.exe (MD5 07101cac5b9477ba636cd8ca7b9932cb)
Tags: Amadey Generic Malware Malicious Packer Malicious Library UPX PE File PE32 OS Processor Check PE64 Malware download Amadey VirusTotal Cryptocurrency Miner Malware AutoRuns Malicious Traffic Creates executable files unpack itself AppData folder Windows DNS CoinMiner
URLs (3): http://185.172.128.19/FirstZ.exe - rule_id: 39930; http://185.172.128.116/Mb3GvQs8/index.php - rule_id: 40304; http://185.172.128.116/b2c2c1.exe - rule_id: 40314
Hosts (8): xmr-eu1.nanopool.org(162.19.224.121) - mailcious; zeph-eu2.nanopool.org(51.15.61.114) - mailcious; pastebin.com(172.67.19.24) - mailcious; 51.15.58.224; 104.20.3.235 - malware; 163.172.171.111 - mailcious; 185.172.128.19 - mailcious; 185.172.128.116 - mailcious
Alerts (8): ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner); ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
Rule-matched URLs (3): http://185.172.128.19/FirstZ.exe; http://185.172.128.116/Mb3GvQs8/index.php; http://185.172.128.116/b2c2c1.exe
6.4 | M | 38 | ZeroCERT

10125 | 2024-06-17 13:43
Sample: __x64___setup___x32__.zip (MD5 7e05adc41fe0d6484c3cc75893991a2f)
Tags: ZIP Format Malware Malicious Traffic Tofsee
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c; https://gay-domain.com/licenseUser.php
Hosts (3): gay-domain.com(172.67.154.227); 172.67.154.227; 182.162.106.144
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.2 | ZeroCERT