10156 |
2024-06-27 10:16
|
a.p.l.n.doc 6e11c40fcc227fab4b32f8c3b275b57c MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
https://paste.ee/d/i2CFj
http://91.92.244.199/xampp/apln/bringbeautifulflowerimages.gif
|
3
paste.ee(104.21.84.67) - mailcious 172.67.187.200 - mailcious
91.92.244.199 - mailcious
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 13 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
38 |
ZeroCERT
10157 |
2024-06-27 10:27
|
hv.exe 6a1db4f73db4ed058c8cd7e04dfa7cc3 Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Buffer PE PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
https://pastebin.com/raw/A54sKxhY - rule_id: 38719
|
3
pastebin.com(172.67.19.24) - mailcious 104.20.3.235 - malware 194.26.29.153
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://pastebin.com/raw/A54sKxhY
|
12.6 |
M |
54 |
ZeroCERT
10158 |
2024-06-27 17:12
|
build2.exe 335a64e110185d35bcfbc3ef86a382e9 Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199695752269
https://t.me/ta904ek
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious 149.154.167.99 - mailcious
184.26.241.154 - mailcious
65.21.109.161
|
3
ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.8 |
M |
59 |
ZeroCERT
10159 |
2024-06-28 12:45
|
123.exe cd581d68ed550455444ee6e099c44266 RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check PNG Format MSOffice File JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c http://x1.i.lencr.org/ https://moreapp4you.online/George.exe - rule_id: 40536
|
10
x1.i.lencr.org(23.52.33.11) moreapp4you.online(31.31.196.208) - malware iplogger.co(104.21.82.93) 77.91.77.81 - mailcious 23.41.113.9 31.31.196.208 - mailcious 121.254.136.74 104.21.82.93 121.254.136.9 185.215.113.67 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://moreapp4you.online/George.exe
|
12.4 |
M |
57 |
ZeroCERT
10160 |
2024-06-28 12:47
|
intalls555.exe 7e30a1a92f86e8e0a25154b1521d0588 Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram suspicious privilege MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS keylogger |
|
2
api.telegram.org(149.154.167.220) 149.154.167.220
|
4
ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
59 |
ZeroCERT
10161 |
2024-06-28 12:53
|
sw.w.w.w.www.doc 80e1ba7b421fd01f5319de00cf5420f7 MS_RTF_Obfuscation_Objects RTF File doc Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
3
http://198.46.178.144/wednesdayfile.jpeg https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 https://paste.ee/d/RgwiL
|
5
paste.ee(104.21.84.67) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware 172.67.187.200 - mailcious 198.46.178.144 - mailcious 104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
|
ZeroCERT
10162 |
2024-06-28 12:56
|
bh.h.h.h.hhhhh.doC 71ee0c2a6053262bfceb4cd2b0aa4117 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://172.232.175.155/88122/flowersarebautifulforeveryonegraden.gif https://paste.ee/d/oB1cd
|
3
paste.ee(104.21.84.67) - mailcious 172.232.175.155 - mailcious 172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
37 |
ZeroCERT
10163 |
2024-06-29 15:16
|
se.e.e.e.eee.doc 6c502f63642761f32b454d1eedee5ee3 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS DDNS crashed |
3
http://managermagnetcccccmango.duckdns.org/thursdayfile.gif http://41.216.183.208/Users_API/negrocock/file_rxahvjvk.4g3.txt https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652
|
5
managermagnetcccccmango.duckdns.org(198.46.178.144) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware 198.46.178.144 - mailcious 41.216.183.208 172.67.215.45 - malware
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 3 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET MALWARE Malicious Base64 Encoded Payload In Image SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
|
1
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
|
5.4 |
M |
36 |
ZeroCERT
10164 |
2024-06-29 15:23
|
go.exe a8a5bb77ad9c654a552178b562d8f860 Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
8
https://www.google.com/favicon.ico https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AS5LTARyH5Kd-rVBKeWnqUj906AGGHofujSb8AgwWKsTypD2yBBYr3WBtOnUhGtxSOgxIU3lQHJc9Q https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AS5LTARz2rTindXOxtKWlV36tkFtVGW8sAyWc6Y640azCnTxNjcf0x1986tGgMcPtexJF55x92Pocw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023256178%3A1719641978822264 https://accounts.google.com/generate_204?e342lA https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
6
ssl.gstatic.com(142.250.206.195) accounts.google.com(74.125.23.84) www.google.com(142.250.206.196) 142.250.71.163 216.58.203.68 74.125.203.84
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
|
24 |
ZeroCERT
10165 |
2024-06-29 15:25
|
ot.o.o.ooo.doc b0d399c7eee1ee84aa8e55b81a4ac56f MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://51.81.235.253/44155/amazingflowerspcitureshere.gif https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652 https://paste.ee/d/I1BAU
|
5
paste.ee(104.21.84.67) - mailcious uploaddeimagens.com.br(104.21.45.138) - malware 104.21.84.67 - malware 51.81.235.253 - mailcious 172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
|
5.0 |
M |
35 |
ZeroCERT
10166 |
2024-06-30 20:07
|
space.php 67cef2b94174d0883a8e8b9ad9c217c7 Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library Malicious Packer .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199707802586
https://t.me/g067n
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious 149.154.167.99 - mailcious
65.109.243.105
23.1.179.144 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
16.4 |
M |
11 |
ZeroCERT
10167 |
2024-06-30 23:34
|
https://t.co/WRGTyuOptG 5d97f0c23481feb8b29ced43e5391035 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
t.co(117.18.232.195) - phishing 117.18.232.195 - phishing
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
10168 |
2024-06-30 23:34
|
https://t.co/XCgLbVc0am b88f184324bab0b6c8aa74de052a7b34 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
t.co(117.18.232.195) - phishing 117.18.232.195 - phishing
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
|
guest
10169 |
2024-07-01 15:06
|
ENC.zip 34dd73380e19295eef9c195a9f35c9b3 ZIP Format VirusTotal Malware Malicious Traffic Tofsee |
8
https://kaylen.xyz//mozglue.dll https://kaylen.xyz//freebl3.dll https://kaylen.xyz//softokn3.dll https://kaylen.xyz//nss3.dll https://kaylen.xyz//msvcp140.dll https://kaylen.xyz//sql.dll https://kaylen.xyz/ https://kaylen.xyz//vcruntime140.dll
|
2
kaylen.xyz(172.67.220.235) 104.21.94.78
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
3 |
ZeroCERT
10170 |
2024-07-01 15:24
|
outbyte-pc-repair.exe 044b5657529471e023ee2da2dad94cfa Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE32 MZP Format OS Processor Check DLL DllRegisterServer dll ftp PE64 Browser Info Stealer VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Checks Bios AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser ComputerName crashed |
1
https://www.google-analytics.com/mp/collect?measurement_id=G-924XWBQ2KM&api_secret=MEBZff_HSwaYXMkgDlV-YQ
|
4
outbyte.com(45.33.97.245) www.google-analytics.com(216.239.34.178) 172.217.24.78 45.33.97.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
3 |
ZeroCERT