| 10156 |
2024-06-27 10:16
|
a.p.l.n.doc 6e11c40fcc227fab4b32f8c3b275b57c
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
https://paste.ee/d/i2CFj
http://91.92.244.199/xampp/apln/bringbeautifulflowerimages.gif
|
3
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
91.92.244.199 - mailcious
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10157 |
2024-06-27 10:27
|
 hv.exe 6a1db4f73db4ed058c8cd7e04dfa7cc3
Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Buffer PE PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
https://pastebin.com/raw/A54sKxhY - rule_id: 38719
|
3
pastebin.com(172.67.19.24) - mailcious
104.20.3.235 - malware
194.26.29.153
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://pastebin.com/raw/A54sKxhY
|
12.6 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10158 |
2024-06-27 17:12
|
 build2.exe 335a64e110185d35bcfbc3ef86a382e9
Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199695752269
https://t.me/ta904ek
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
65.21.109.161
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10159 |
2024-06-28 12:45
|
 123.exe cd581d68ed550455444ee6e099c44266
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check PNG Format MSOffice File JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://x1.i.lencr.org/
https://moreapp4you.online/George.exe - rule_id: 40536
|
10
x1.i.lencr.org(23.52.33.11)
moreapp4you.online(31.31.196.208) - malware
iplogger.co(104.21.82.93)
77.91.77.81 - mailcious
23.41.113.9
31.31.196.208 - mailcious
121.254.136.74
104.21.82.93
121.254.136.9
185.215.113.67 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://moreapp4you.online/George.exe
|
12.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10160 |
2024-06-28 12:47
|
 intalls555.exe 7e30a1a92f86e8e0a25154b1521d0588
Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram suspicious privilege MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS keylogger |
|
2
api.telegram.org(149.154.167.220)
149.154.167.220
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10161 |
2024-06-28 12:53
|
sw.w.w.w.www.doc 80e1ba7b421fd01f5319de00cf5420f7
MS_RTF_Obfuscation_Objects RTF File doc Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
3
http://198.46.178.144/wednesdayfile.jpeg
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498
https://paste.ee/d/RgwiL
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
172.67.187.200 - mailcious
198.46.178.144 - mailcious
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10162 |
2024-06-28 12:56
|
bh.h.h.h.hhhhh.doC 71ee0c2a6053262bfceb4cd2b0aa4117
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://172.232.175.155/88122/flowersarebautifulforeveryonegraden.gif
https://paste.ee/d/oB1cd
|
3
paste.ee(104.21.84.67) - mailcious
172.232.175.155 - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10163 |
2024-06-29 15:16
|
se.e.e.e.eee.doc 6c502f63642761f32b454d1eedee5ee3
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS DDNS crashed |
3
http://managermagnetcccccmango.duckdns.org/thursdayfile.gif
http://41.216.183.208/Users_API/negrocock/file_rxahvjvk.4g3.txt
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652
|
5
managermagnetcccccmango.duckdns.org(198.46.178.144) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
198.46.178.144 - mailcious
41.216.183.208
172.67.215.45 - malware
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Malicious Base64 Encoded Payload In Image
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
|
1
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
|
5.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10164 |
2024-06-29 15:23
|
 go.exe a8a5bb77ad9c654a552178b562d8f860
Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
8
https://www.google.com/favicon.ico
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AS5LTARyH5Kd-rVBKeWnqUj906AGGHofujSb8AgwWKsTypD2yBBYr3WBtOnUhGtxSOgxIU3lQHJc9Q
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AS5LTARz2rTindXOxtKWlV36tkFtVGW8sAyWc6Y640azCnTxNjcf0x1986tGgMcPtexJF55x92Pocw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023256178%3A1719641978822264
https://accounts.google.com/generate_204?e342lA
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
6
ssl.gstatic.com(142.250.206.195)
accounts.google.com(74.125.23.84)
www.google.com(142.250.206.196)
142.250.71.163
216.58.203.68
74.125.203.84
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10165 |
2024-06-29 15:25
|
ot.o.o.ooo.doc b0d399c7eee1ee84aa8e55b81a4ac56f
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://51.81.235.253/44155/amazingflowerspcitureshere.gif
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652
https://paste.ee/d/I1BAU
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
104.21.84.67 - malware
51.81.235.253 - mailcious
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10166 |
2024-06-30 20:07
|
 space.php 67cef2b94174d0883a8e8b9ad9c217c7
Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library Malicious Packer .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199707802586
https://t.me/g067n
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
65.109.243.105
23.1.179.144 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
16.4 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10167 |
2024-06-30 23:34
|
https://t.co/WRGTyuOptG 5d97f0c23481feb8b29ced43e5391035
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
t.co(117.18.232.195) - phishing
117.18.232.195 - phishing
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10168 |
2024-06-30 23:34
|
https://t.co/XCgLbVc0am b88f184324bab0b6c8aa74de052a7b34
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
t.co(117.18.232.195) - phishing
117.18.232.195 - phishing
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10169 |
2024-07-01 15:06
|
 ENC.zip 34dd73380e19295eef9c195a9f35c9b3
ZIP Format VirusTotal Malware Malicious Traffic Tofsee |
8
https://kaylen.xyz//mozglue.dll
https://kaylen.xyz//freebl3.dll
https://kaylen.xyz//softokn3.dll
https://kaylen.xyz//nss3.dll
https://kaylen.xyz//msvcp140.dll
https://kaylen.xyz//sql.dll
https://kaylen.xyz/
https://kaylen.xyz//vcruntime140.dll
|
2
kaylen.xyz(172.67.220.235)
104.21.94.78
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10170 |
2024-07-01 15:24
|
 outbyte-pc-repair.exe 044b5657529471e023ee2da2dad94cfa
Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE32 MZP Format OS Processor Check DLL DllRegisterServer dll ftp PE64 Browser Info Stealer VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Checks Bios AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser ComputerName crashed |
1
https://www.google-analytics.com/mp/collect?measurement_id=G-924XWBQ2KM&api_secret=MEBZff_HSwaYXMkgDlV-YQ
|
4
outbyte.com(45.33.97.245)
www.google-analytics.com(216.239.34.178)
172.217.24.78
45.33.97.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|