10171 | 2024-07-01 16:46 | Update.js | 365d4f4e6ffed01288e0fae6e352e8a5 | 10.0 | | | guest
  Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
  URLs (1): https://czvqr.fans.smalladventureguide.com/orderReview
  Hosts (2): czvqr.fans.smalladventureguide.com(162.252.175.117) | 162.252.175.117
  Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure

10172 | 2024-07-02 07:45 | snukingorig2.5.exe | 7d50650cd2ba63482d4caf875ae65a8e | 8.8 | M | 33 | ZeroCERT
  Tags: Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
  URLs (1):
  Hosts (2): api.ipify.org(104.26.12.205) | 104.26.13.205
  Alerts (3): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10173 | 2024-07-02 07:54 | buildcr.exe | 88932ab33c38072946abc06b426d33b8 | 12.2 | M | 55 | ZeroCERT
  Tags: [m] Generic Malware Generic Malware Suspicious_Script_Bin task schedule Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Dridex VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted Creates executable files unpack itself Windows utilities AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS
  URLs (3):
    http://defgyma.com/dl/build2.exe - rule_id: 40622
    http://cajgtus.com/files/1/build3.exe - rule_id: 40623
    https://api.2ip.ua/geo.json
  Hosts (6):
    defgyma.com(181.204.98.226) - malware
    api.2ip.ua(104.21.65.24)
    cajgtus.com(178.134.214.182) - malware
    104.21.65.24
    186.233.231.45
    190.13.174.94
  Alerts (9):
    ET POLICY External IP Address Lookup DNS Query (2ip .ua)
    ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
    ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
    ET MALWARE Win32/Vodkagats Loader Requesting Payload
    ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
    ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
    ET POLICY PE EXE or DLL Windows file download HTTP
  (2): http://defgyma.com/dl/build2.exe | http://cajgtus.com/files/1/build3.exe

10174 | 2024-07-02 09:45 | package_full.pdf.lnk | 87e1217cd4517d2c3ea39b1b970a5550 | 7.0 | | 24 | ZeroCERT
  Tags: Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote suspicious process Tofsee Interception Windows ComputerName Cryptographic key
  URLs (1): https://scratchedcards.com/can/cantruck
  Hosts (2): scratchedcards.com(5.188.88.146) - malware | 5.188.88.146 - malware
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10175 | 2024-07-02 13:49 | Update.js | a17403e9e32d19f46d7796f574136b61 | 10.0 | | | guest
  Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
  URLs (1): https://vlms.fans.smalladventureguide.com/orderReview
  Hosts (2): vlms.fans.smalladventureguide.com(162.252.175.117) | 162.252.175.117 - mailcious
  Alerts (2): ET INFO TLS Handshake Failure | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10176 | 2024-07-02 14:10 | Update.js | 365d4f4e6ffed01288e0fae6e352e8a5 | 10.0 | | | guest
  Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
  URLs (1): https://czvqr.fans.smalladventureguide.com/orderReview
  Hosts (2): czvqr.fans.smalladventureguide.com(162.252.175.117) - mailcious | 162.252.175.117 - mailcious
  Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure

10177 | 2024-07-02 15:45 | Content_497179.exe | 52070a9adf4787ece9b80af208603030 | 6.6 | | | ZeroCERT
  Tags: Generic Malware NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL BMP Format Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion anti-virtualization Tofsee
  URLs (1):
  Hosts (2): codeonicinc.com(104.26.8.6) | 104.26.9.6
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10178 | 2024-07-02 15:58 | Content_497179.exe | 52070a9adf4787ece9b80af208603030 | 9.2 | | | ZeroCERT
  Tags: Gen1 Generic Malware NSIS Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE File PE32 OS Processor Check DLL icon BMP Format DllRegisterServer dll Lnk Format GIF Format ftp Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser ComputerName
  URLs (1):
  Hosts (2): codeonicinc.com(104.26.8.6) | 172.67.69.54
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10179 | 2024-07-03 08:05 | wp.exe | 140e8ca7a6a6df97fe913af1adad9cbe | 12.4 | M | | ZeroCERT
  Tags: AgentTesla Malicious Library PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Email Client Info Stealer Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Gmail Browser Email ComputerName Cryptographic key crashed keylogger
  Hosts (2): smtp.gmail.com(74.125.23.108) | 173.194.174.109
  Alerts (2): SURICATA Applayer Detect protocol only one direction | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10180 | 2024-07-03 08:07 | pilnmAc2.6.exe | 9929a1a4d2ec5d72c028435c6b71054f | 7.4 | M | | ZeroCERT
  Tags: Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
  URLs (1):
  Hosts (2): api.ipify.org(172.67.74.152) | 172.67.74.152
  Alerts (3): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10181 | 2024-07-03 08:09 | don701.exe | 6a1ff8c93c4d4ba50c8145a354b5c586 | 13.6 | M | 56 | ZeroCERT
  Tags: AgentTesla Malicious Library PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Gmail Browser Email ComputerName Cryptographic key crashed keylogger
  Hosts (2): smtp.gmail.com(74.125.23.109) | 173.194.174.109
  Alerts (2): SURICATA Applayer Detect protocol only one direction | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10182 | 2024-07-03 08:13 | Build.exe | 2f6f4f9674c6721b5ea8319ed90a8f20 | 12.2 | M | 69 | ZeroCERT
  Tags: Emotet Gen1 Generic Malware PhysicalDrive NSIS NMap Malicious Library Downloader UPX Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus .NET framework(MSIL) ASPack Anti_VM Javascript_Blob PE File PE32 MZP Format OS Processor Check DllRegisterSer Browser Info Stealer VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself suspicious process AppData folder installed browsers check Tofsee Windows Browser Advertising Google ComputerName Trojan DNS DDNS crashed keylogger
  URLs (7):
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll
  Hosts (10):
    drive.usercontent.google.com(142.250.207.97) - mailcious
    docs.google.com(172.217.25.174) - mailcious
    xred.mooo.com() - mailcious
    freedns.afraid.org(69.42.215.252)
    www.dropbox.com(162.125.84.18) - mailcious
    142.251.220.78
    45.141.26.232 - mailcious
    142.251.220.1
    69.42.215.252
    162.125.84.18 - mailcious
  Alerts (2): ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10183 | 2024-07-03 08:17 | F.exe | e501c275814bfcb58fe845c38227d5c5 | 10.8 | M | 68 | ZeroCERT
  Tags: Emotet Gen1 Generic Malware PhysicalDrive NSIS NMap Malicious Library Antivirus UPX Malicious Packer Admin Tool (Sysinternals etc ...) Downloader .NET framework(MSIL) ASPack Anti_VM Javascript_Blob PE File PE32 MZP Format OS Processor Check DllRegisterSer Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Windows Browser Advertising Google ComputerName DNS Cryptographic key DDNS crashed keylogger
  URLs (7):
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll
  Hosts (11):
    drive.usercontent.google.com(142.250.206.193) - mailcious
    docs.google.com(172.217.25.174) - mailcious
    xred.mooo.com() - mailcious
    freedns.afraid.org(69.42.215.252)
    www.dropbox.com(162.125.84.18) - mailcious
    142.251.220.78
    69.42.215.252
    142.250.66.142
    142.251.220.1
    142.251.220.33
    162.125.84.18 - mailcious
  Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com

10184 | 2024-07-03 09:29 | outbyte-driver-updater.exe | 19e7819eb886414b6bcab23db00541ec | 6.8 | | 4 | ZeroCERT
  Tags: Gen1 Generic Malware PhysicalDrive Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE File PE32 MZP Format OS Processor Check DLL DllRegisterServer dll ftp PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Checks Bios AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee
  URLs (1): https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8RMmcg
  Hosts (4): outbyte.com(45.33.97.245) | www.google-analytics.com(142.250.207.110) | 142.251.130.14 | 45.33.97.245
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

10185 | 2024-07-03 09:37 | Fortect.exe | 745dfc19a7a8ce32812211f17b792fa6 | 8.6 | | 1 | ZeroCERT
  Tags: Gen1 RedLine stealer Emotet NSIS Generic Malware Suspicious_Script_Bin Downloader Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM Javascript_Blob PE File PE32 OS Processor Check DLL PNG Format JPEG Format Lnk For VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut RWX flags setting unpack itself Auto service AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Ransomware Windows ComputerName DNS Software
  URLs (11):
    https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=PKAOK&param=ServiceRunning<*>
    https://app.fortect.com/events/version.php?data=json&sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&installed=
    https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=INSVR&param=6.5.0.2<*>
    https://app.fortect.com/ev-install-start/ev-install-start.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502
    https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=INSST&param=Downloader%20Started<*>
    https://app.fortect.com/ev-install-end/ev-install-end.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502
    https://cloud.fortect.com/app/installation/engine/6502/FortectSetup64.7z
    https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=LANG&param=1042<*>ko<*>
    https://app.fortect.com/events/evt_scan.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=AUINS&param=service%20installed<*>0<*>6.5.0.2<*>
    https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=INSRN&param=6.5.0.2<*>
    https://cloud.fortect.com/app/installation/service/6502/FortectProtection64.7z
  Hosts (6):
    service.fortect.com(104.26.3.16)
    app.fortect.com(104.26.2.16)
    cloud.fortect.com(172.67.75.40)
    104.26.3.16 - mailcious
    172.67.75.40 - mailcious
    104.26.2.16 - mailcious
  Alerts (3): ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI) | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com)