10126 | 2024-06-17 14:26
file.rar eb8589a8b967f7be1a94b8ae4cb0a15c
Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro Remote Code Execution DNS CoinMiner
11
http://176.111.174.109/psyzh
http://5.42.66.10/download/th/space.php - rule_id: 39944
http://5.42.99.177/api/crazyfish.php - rule_id: 40006
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.232.45.38/eee01/eee01.exe - rule_id: 39938
http://5.42.99.177/api/twofish.php - rule_id: 40008
http://80.78.242.100/d/385135
http://5.42.66.10/download/123p.exe - rule_id: 39935
https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188
https://steamcommunity.com/profiles/76561199699680841 - rule_id: 40206
https://db-ip.com/demo/home.php?s=
34
db-ip.com(172.67.75.166)
pool.hashvault.pro(142.202.242.45) - mailcious
cdn-download.avgbrowser.com(23.199.47.133)
api64.ipify.org(104.237.62.213)
api.myip.com(104.26.8.59)
steamcommunity.com(23.66.133.162) - mailcious
lop.foxesjoy.com(104.21.66.124) - malware
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.186.192)
cdn.discordapp.com(162.159.134.233) - malware
vk.com(87.240.132.67) - mailcious
iplogger.org(172.67.132.113) - mailcious
94.232.45.38 - malware
182.162.106.33 - malware
182.162.106.144
184.26.241.154 - mailcious
149.154.167.99 - mailcious
147.45.47.126 - mailcious
34.117.186.192
5.42.99.177 - mailcious
125.253.92.50
176.111.174.109 - malware
104.26.8.59
162.159.130.233 - malware
65.109.240.138 - mailcious
172.67.159.232
77.91.77.80 - malware
5.42.66.10 - malware
23.52.128.153
80.78.242.100
173.231.16.77
104.26.4.15
87.240.132.78 - mailcious
172.67.132.113
28
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET DROP Dshield Block Listed Source group 1
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO Executable Download from dotted-quad Host
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET HUNTING Redirect to Discord Attachment Download
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
SURICATA Applayer Wrong direction first Data
7
http://5.42.66.10/download/th/space.php
http://5.42.99.177/api/crazyfish.php
http://94.232.45.38/eee01/eee01.exe
http://5.42.99.177/api/twofish.php
http://5.42.66.10/download/123p.exe
https://lop.foxesjoy.com/ssl/crt.exe
https://steamcommunity.com/profiles/76561199699680841
4.2 | M | | ZeroCERT

10127 | 2024-06-17 16:58
am.exe 6cfddd5ce9ca4bb209bd5d8c2cd80025
Gen1 Generic Malware Malicious Library Antivirus Obsidium protector .NET framework(MSIL) UPX Anti_VM PE File PE32 OS Processor Check PNG Format Browser Info Stealer Malware download Amadey VirusTotal Malware powershell PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser ComputerName Remote Code Execution Cryptographic key
4
http://proresupdate.com/h9fmdW5/index.php
https://contur2fa.recipeupdates.rest/__hh/files/run_search
https://contur2fa.recipeupdates.rest/__hh/files/run
https://i.imgur.com/yximuB4.png
6
contur2fa.recipeupdates.rest(172.67.197.250)
i.imgur.com(199.232.192.193) - mailcious
proresupdate.com(45.152.112.146)
45.152.112.146
172.67.197.250
146.75.92.193 - mailcious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
10.4 | | 37 | ZeroCERT

10128 | 2024-06-18 07:37
IMG_812_06108.exe 9ea3d152c4e248841abf4f490a84b8c9
AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
2
http://78.111.67.189/ecg/Hiwpwthq.mp4
https://api.ipify.org/
3
api.ipify.org(172.67.74.152)
104.26.13.205
78.111.67.189 - malware
7
ET MALWARE PE EXE or DLL Windows file download disguised as ASCII
ET MALWARE PE EXE or DLL Windows file download Text M2
ET HUNTING [TW] Likely Hex Executable String
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET SHELLCODE Common 0a0a0a0a Heap Spray String
15.8 | M | | ZeroCERT

10129 | 2024-06-18 22:31
https://qrco.de/bfAK2I?onO=XTp... 12dec78d031d4e022b462bf6373a6d21
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File icon Code Injection Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
5
http://apps.identrust.com/roots/dstrootcax3.p7c
https://qrco.de/bfAK2I?onO=XTpHzVDAeO?WTh=1XXH9na1GN
https://qrco.de/favicon.ico
https://qrcg-registry.qr-code-generator.com/qrapp-legacy-webcomponents/qrcg.min.js
https://qrco.de/css/build/smartphone-preview.min.css
8
qrcg-registry.qr-code-generator.com(54.230.176.84)
cdnjs.cloudflare.com(104.17.25.14) - mailcious
qrco.de(13.225.131.84)
182.162.106.33 - malware
104.17.25.14
54.230.176.21
13.225.131.87
23.67.53.17
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO QR Code Generator Domain in DNS Lookup (qrco .de)
ET INFO TLS Handshake Failure
4.2 | | | guest

10130 | 2024-06-19 09:34
murka.exe 9e27ed6d9855b9bfae9234f0303a8bba
Malicious Packer UPX Anti_VM PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
1
https://db-ip.com/demo/home.php?s=175.208.134.152
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.5.15)
104.26.5.15
34.117.186.192
147.45.47.126 - mailcious
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE RisePro CnC Activity (Inbound)
13.4 | M | 45 | ZeroCERT

10131 | 2024-06-19 09:36
bbc.doc c37e66ac7c43e79fd1c771892d457314
MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
3
http://172.235.39.109/3090/InetCache.hta
https://uploaddeimagens.com.br/images/004/798/015/original/new_image.jpg?1718284216
https://paste.ee/d/95tJR
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
172.235.39.109 - mailcious
104.21.84.67 - malware
172.67.215.45 - malware
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible HTA Application Download
ET INFO Dotted Quad Host HTA Request
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
4.6 | M | 36 | ZeroCERT

10132 | 2024-06-19 17:15
voda.exe 61454bbf62a50d22bc3d52b44de73edd
Malicious Packer UPX PE File PE32 Malware download VirusTotal Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
1
https://db-ip.com/demo/home.php?s=175.208.134.152
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.5.15)
104.26.5.15
34.117.186.192
147.45.47.126 - mailcious
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
7.8 | | 45 | ZeroCERT

10133 | 2024-06-20 09:28
UHH.txt.exe 72ffddcd4adf890a663396aaf31affc4
AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
2
http://ip-api.com/line/?fields=hosting
https://api.ipify.org/
4
api.ipify.org(104.26.13.205)
ip-api.com(208.95.112.1)
104.26.13.205
208.95.112.1
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
7.0 | | | ZeroCERT

10134 | 2024-06-21 07:36
simon.exe b7e7f713ce1c717b6ae28904971e37e5
Themida Packer Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Firmware DNS Software crashed
1
https://db-ip.com/demo/home.php?s=175.208.134.152
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.5.15)
77.91.77.66
104.26.4.15
34.117.186.192
8
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
15.2 | | 41 | ZeroCERT

10135 | 2024-06-21 07:53
avg_secure_browser_setup.exe 13b3860a2827e505cb6de1418f640b16
HermeticWiper NSIS Generic Malware PhysicalDrive Malicious Library UPX Malicious Packer PE File PE32 DLL DllRegisterServer dll OS Processor Check MSOffice File CAB PE64 Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Auto service Check virtual network interfaces AppData folder sandbox evasion anti-virtualization installed browsers check Tofsee Ransomware Fortinet Windows Browser ComputerName Firmware crashed
4
http://browser-update.avg.com/browser-avg/win/x64/109.0.24252.121/AVGBrowserInstaller.exe
https://stats.securebrowser.com/?_=1718955853989&retry_tracking_count=0&last_request_error_code=0&last_request_error_message=&last_request_status=0&last_request_system_error=0&request_proxy=0
https://update.avgbrowser.com/service/update2
https://update.avgbrowser.com/service/update2?cup2key=9:2906594695&cup2hreq=1a77176c46ecf7b2954c2373054d5a3b455eb7a159f1b6ad23c4e5706d55a272
6
browser-update.avg.com(104.103.68.11)
stats.securebrowser.com(104.20.87.8)
update.avgbrowser.com(172.67.41.145)
104.22.62.125
23.195.119.80
104.20.86.8
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
19.8 | | 4 | ZeroCERT

10136 | 2024-06-24 07:44
ama.exe 5d860e52bfa60fec84b6a46661b45246
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check MSOffice File PNG Format JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Exploit Browser ComputerName DNS Cryptographic key Software crashed
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://x1.i.lencr.org/
https://moreapp4you.online/George.exe
9
x1.i.lencr.org(23.52.33.11)
iplogger.co(172.67.167.249)
moreapp4you.online(31.31.196.208)
182.162.106.33 - malware
23.67.53.17
23.35.220.247
31.31.196.208 - mailcious
104.21.82.93
185.215.113.67 - mailcious
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | | 58 | ZeroCERT

10137 | 2024-06-24 07:47
pic1.exe 1fecbc51b5620e578c48a12ebeb19bc2
Generic Malware Downloader Malicious Library UPX MPRESS Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE64 OS Processor C VirusTotal Malware PDB Code Injection Creates executable files unpack itself suspicious TLD Tofsee Remote Code Execution crashed
2
cv99160.tw1.ru(92.53.96.121)
92.53.96.121 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | | 44 | ZeroCERT

10138 | 2024-06-24 07:51
limba.exe 3e767dd673e06387e35d7362d89ddea1
Themida Packer Generic Malware Malicious Packer Anti_VM PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Firmware DNS Software crashed
1
https://db-ip.com/demo/home.php?s=175.208.134.152
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
77.91.77.66 - mailcious
104.26.4.15
34.117.186.192
8
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
14.8 | M | 28 | ZeroCERT

10139 | 2024-06-24 11:01
kissingisbestforcatwalkonthebe... b380556670eaff97d6dfb34144e8cbc5
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
2
https://pastebin.com/raw/RWYyTg4h
http://192.227.173.64/xampp/kobo/wecreatedimagestogetmepicture.gif
3
pastebin.com(172.67.19.24) - mailcious
104.20.3.235 - malware
192.227.173.64 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 38 | ZeroCERT

10140 | 2024-06-24 14:38
BST.msi fe821027dfc49e8017c2cc50974a00b4
Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AppData folder AntiVM_Disk suspicious TLD VM Disk Size Check Tofsee ComputerName DNS
3
kurvabbr.pw(103.35.191.31)
barsen.monster()
103.35.191.31
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO TLS Handshake Failure
3.2 | | 19 | ZeroCERT