10141 | 2024-06-24 15:51
pumairld.txt.ps1 19a7f5e2e7fd8e14d8129dcdf6c8b992 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Discord ComputerName DNS Cryptographic key
2 | cdn.discordapp.com(162.159.134.233) - malware 162.159.134.233 - malware
3 | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | 17 | ZeroCERT
10142 | 2024-06-25 02:50
http://l.instagram.com/?235901... Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
3 | http://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava https://business.instagram.com/micro_site/url/?event_type=click https://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
3 | l.instagram.com(157.240.215.63) business.instagram.com(157.240.215.63) 157.240.215.63
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 | guest
10143 | 2024-06-25 05:28
https://l.instagram.com/?23590... AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2 | https://business.instagram.com/micro_site/url/?event_type=click https://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
3 | l.instagram.com(157.240.11.52) business.instagram.com(157.240.11.52) 157.240.215.63
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | guest
10144 | 2024-06-25 05:29
https://business.instagram.com... Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
1 | https://business.instagram.com/micro_site/url/?event_type=click
2 | business.instagram.com(157.240.11.52) 157.240.215.63
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.8 | guest
10145 | 2024-06-25 05:29
http://l.instagram.com/?235901... Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
3 | http://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava https://business.instagram.com/micro_site/url/?event_type=click https://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
3 | l.instagram.com(157.240.11.52) business.instagram.com(157.240.11.52) 157.240.215.63
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 | guest
10146 | 2024-06-25 07:44
ExtExport2.exe 901a623dbccaa22525373cd36195ee14 Suspicious_Script_Bin UPX PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces IP Check installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
2 | http://apps.identrust.com/roots/dstrootcax3.p7c http://185.38.142.10:7474/
8 | ipinfo.io(34.117.186.192) api.ipify.org(172.67.74.152) api.ip.sb(104.26.13.31) 172.67.75.172 - mailcious 34.117.186.192 104.26.12.205 185.38.142.10 114.108.166.82
8 | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE RedLine Stealer - CheckConnect Response ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) SURICATA HTTP unable to match response to request
9.4 | M | 40 | ZeroCERT
10147 | 2024-06-25 07:57
Main.exe 9ec7f08c85bfa1b267761f225b68ab0b Malicious Library Antivirus UPX PE File PE32 OS Processor Check VirusTotal Malware Telegram MachineGuid Malicious Traffic WMI Tofsee ComputerName DNS crashed
2 | https://steamcommunity.com/profiles/76561199677575543 https://t.me/snsb82
5 | t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.78.101) - mailcious 149.154.167.99 - mailcious 5.75.208.137 104.76.78.101 - mailcious
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI)
6.2 | M | 61 | ZeroCERT
10148 | 2024-06-25 09:12
notorious.doc 2d1b096a33d1b673fd06db9f3e861761 MS_RTF_Obfuscation_Objects RTF File doc RedLine Malware download VirusTotal Malware RWX flags setting exploit crash suspicious TLD IP Check Tofsee Stealer Exploit Browser DNS crashed
3 | http://apps.identrust.com/roots/dstrootcax3.p7c http://185.38.142.10:7474/ https://universalmovies.top/ExtExport2.exe
10 | api.ipify.org(172.67.74.152) universalmovies.top(104.21.74.191) - malware ipinfo.io(34.117.186.192) api.ip.sb(104.26.13.31) 34.117.186.192 104.26.12.31 172.67.74.152 182.162.106.144 185.38.142.10 172.67.162.95 - mailcious
9 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI ET MALWARE RedLine Stealer - CheckConnect Response ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA HTTP unable to match response to request
4.8 | M | 27 | ZeroCERT
10149 | 2024-06-26 10:13
nelb.doc 6b9167056af49bf702c833ae4f581ef1 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed
4 | http://www.home-repair-contractors-kfm.xyz/btrd/?FrJX9P9=eVMlJIJ59eHiVvLGCrdtG7xbZNorDbW6x7q4JZ9YU9WFmkuuB+jImPCwzZVcR1MIE594ENWI&Vnt4_=-Z1l70lHPdrDeba http://www.xmentorgroup.com/btrd/?FrJX9P9=UYDnSobXWpXBVkfD89bcJt5KVoSCT9YF2HTPLZC4vkf0xFVelZyjEGpv0zxgTtsO2BXFiI/y&Vnt4_=-Z1l70lHPdrDeba http://www.liposuctionclinics2.today/btrd/?FrJX9P9=g2Awi9gzMhKdCQNLs5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5sw9ZqEJh6Ao16UcXSiJC&Vnt4_=-Z1l70lHPdrDeba https://universalmovies.top/nelb.scr
9 | www.xmentorgroup.com(3.33.130.190) www.home-repair-contractors-kfm.xyz(199.59.243.226) www.h7wlvwr4afx.top() universalmovies.top(172.67.162.95) - malware www.liposuctionclinics2.today(104.21.89.233) 199.59.243.226 - phishing 3.33.130.190 - phishing 172.67.148.235 104.21.74.191 - malware
4 | ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
4.4 | M | 33 | ZeroCERT
10150 | 2024-06-26 10:16
build.exe 71b44c9a55f3b40681f6a5524ca9821d [m] Generic Malware Generic Malware Suspicious_Script_Bin task schedule Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Dridex VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS
3 | http://defgyma.com/dl/build2.exe http://cajgtus.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true https://api.2ip.ua/geo.json
6 | defgyma.com(190.159.138.51) - malware api.2ip.ua(172.67.139.220) cajgtus.com(189.195.132.134) - malware 104.21.65.24 93.118.137.82 201.191.99.134
9 | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET POLICY External IP Address Lookup DNS Query (2ip .ua)
13.2 | M | 47 | ZeroCERT
10151 | 2024-06-26 10:18
a.f.f.f.f.fff.doc 6476133e6fcd5bb5fad7d39d1d214a6a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
2 | http://93.123.12.248/xampp/Apln/yellowflowerisrareandbeautyfolwer.gif https://paste.ee/d/5ApcC
5 | paste.ee(172.67.187.200) - mailcious ia803405.us.archive.org(207.241.232.195) - mailcious 104.21.84.67 - malware 93.123.12.248 - mailcious 207.241.232.195 - mailcious
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
5.0 | M | 36 | ZeroCERT
10152 | 2024-06-26 10:36
av_downloader1.1.exe 759f5a6e3daa4972d43bd4a5edbdeb11 Generic Malware Malicious Library Malicious Packer UPX Antivirus AntiDebug AntiVM PE File PE32 MSOffice File PNG Format JPEG Format VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
2 | www.pornhub.com(66.254.114.41) - mailcious 66.254.114.41 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 | M | 57 | ZeroCERT
10153 | 2024-06-27 04:33
https://t.co/J5c3B3lHDS a447b2274aa6e2ebdb080e3def9263db Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
2 | t.co(117.18.232.195) - phishing 117.18.232.195 - phishing
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 | guest
10154 | 2024-06-27 10:05
b.j.c.c.cc.doc 809e5331e9ead88825e560d3077cb6da MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
2 | http://91.92.244.199/xampp/bpln/catwalkbeautyalwayshavegreat.gif https://paste.ee/d/5mZQI
5 | paste.ee(172.67.187.200) - mailcious ia803405.us.archive.org(207.241.232.195) - mailcious 172.67.187.200 - mailcious 91.92.244.199 - mailcious 207.241.232.195 - mailcious
3 | ET DROP Spamhaus DROP Listed Traffic Inbound group 13 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
5.0 | M | 32 | ZeroCERT
10155 | 2024-06-27 10:11
vi.exe baa9e1a92bab85279dca0aed641f1fa9 Malicious Library Antivirus UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic Tofsee crashed
1 | https://steamcommunity.com/profiles/76561199662282318
4 | ndearn.xyz(76.223.67.189) steamcommunity.com(104.76.78.101) - mailcious 76.223.67.189 - mailcious 104.76.78.101 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 | M | 52 | ZeroCERT