10186 |
2024-07-03 09:40
|
outbyte-driver-updater.exe 19e7819eb886414b6bcab23db00541ec Gen1 HermeticWiper Generic Malware PhysicalDrive Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE File PE32 MZP Format OS Processor Check Lnk Format GIF Format DLL PE64 MSOffice File DllRegisterServer dll ftp Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Checks Bios AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee GameoverP2P Zeus Windows Browser ComputerName Trojan Banking crashed |
1
https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8RMmcg
|
9
ssl.outbyte.com(45.33.97.245)
api.outbyte.com(192.155.86.205)
outbyte.com(45.33.97.245)
du.outbyte.com(51.81.185.149)
www.google-analytics.com(142.250.206.206)
142.250.207.78
51.81.185.149
45.33.97.245
192.155.86.205
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
11.6 |
|
4 |
ZeroCERT
10187 |
2024-07-03 10:42
|
archive.rar 9d10f6f08ae1cc016c10b09007063417 Vidar Escalate privileges PWS KeyLogger AntiDebug AntiVM VirusTotal Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord DNS CoinMiner |
10
http://5.42.99.177/api/crazyfish.php - rule_id: 40006
http://apps.identrust.com/roots/dstrootcax3.p7c
http://80.78.242.100/d/525403
http://5.42.99.177/api/twofish.php - rule_id: 40008
http://x1.i.lencr.org/
https://steamcommunity.com/profiles/76561199707802586 - rule_id: 40674
https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188
https://db-ip.com/demo/home.php?s=
http://77.105.133.27/download/th/space.php
http://77.105.133.27/download/123p.exe
|
35
db-ip.com(172.67.75.166)
monoblocked.com(45.130.41.108) - malware
api64.ipify.org(173.231.16.77)
api.myip.com(172.67.75.163)
steamcommunity.com(104.100.64.90) - malicious
lop.foxesjoy.com(104.21.66.124) - malware
t.me(149.154.167.99) - malicious
ipinfo.io(34.117.186.192)
x1.i.lencr.org(23.35.220.247)
bitbucket.org(104.192.141.1) - malware
cdn.discordapp.com(162.159.133.233) - malware
vk.com(87.240.132.67) - malicious
iplogger.org(104.21.4.208) - malicious
pool.hashvault.pro(142.202.242.45) - malicious
104.71.154.102
104.26.5.15
149.154.167.99 - malicious
23.201.35.155
34.117.186.192
125.253.92.50
104.26.8.59
162.159.130.233 - malware
104.21.66.124 - malware
45.130.41.108 - malware
104.237.62.213
77.91.77.80 - malware
104.192.141.1 - malicious
121.254.136.9
80.78.242.100 - malicious
37.27.31.150
5.42.99.177 - malicious
23.41.113.9
77.105.133.27 - malicious
87.240.132.72 - malicious
172.67.132.113
|
17
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
SURICATA Applayer Mismatch protocol both directions
ET INFO Executable Download from dotted-quad Host
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET HUNTING Redirect to Discord Attachment Download
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
4
http://5.42.99.177/api/crazyfish.php
http://5.42.99.177/api/twofish.php
https://steamcommunity.com/profiles/76561199707802586
https://lop.foxesjoy.com/ssl/crt.exe
|
6.0 |
M |
1 |
ZeroCERT
10188 |
2024-07-03 10:46
|
Update.js cbca476a716c76cf629b3428ee9c3f43 VBScript wscript.exe payload download Tofsee crashed Dropper |
1
https://yeo.fans.smalladventureguide.com/orderReview
|
2
yeo.fans.smalladventureguide.com(162.252.175.117)
162.252.175.117 - malicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.0 |
|
|
r0d
10189 |
2024-07-03 11:27
|
Video HD (1080p).lnk e694422f9ae9a4bf93258f6376db4292 Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format PowerShell ZIP Format VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Interception Windows ComputerName Cryptographic key |
4
https://matodown.b-cdn.net/K2.zip
https://mato2.b-cdn.net/matodown - rule_id: 40855
https://mato2.b-cdn.net/matodown
https://matodown.b-cdn.net/K1.zip
|
4
matodown.b-cdn.net(143.244.49.183)
mato2.b-cdn.net(143.244.50.214)
169.150.225.43
212.102.50.49
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://mato2.b-cdn.net/matodown
|
11.6 |
|
19 |
ZeroCERT
10190 |
2024-07-03 18:47
|
uho.uouo.uououo.doc 9904916ce3549610216e99d83e7e2135 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit Java DNS crashed |
3
http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt
http://23.95.235.16/33011/greatideaforfollowers.gif
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 - rule_id: 40876
|
4
uploaddeimagens.com.br(104.21.45.138) - malware
23.95.235.16 - malicious
91.92.254.29
172.67.215.45 - malware
|
4
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
ET MALWARE Malicious Base64 Encoded Payload In Image
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET WEB_CLIENT Obfuscated Javascript // ptth
|
1
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg
|
5.0 |
M |
33 |
ZeroCERT
10191 |
2024-07-03 19:02
|
file_ahstznsa.ob0.txt.ps1 478b1ac88592f59f8a1d4cb790120c38 Generic Malware Antivirus VirusTotal Malware powershell Malicious Traffic unpack itself Check virtual network interfaces Tofsee ComputerName |
2
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 - rule_id: 40876
http://23.95.235.16/33011/WDF.txt
|
2
uploaddeimagens.com.br(172.67.215.45) - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg
|
3.6 |
M |
9 |
ZeroCERT
10192 |
2024-07-03 19:10
|
file_xgep41gp.dyp.txt.ps1 b75a49ff9b2f445e17519d2e743fe1b4 Generic Malware Antivirus Malware powershell Malicious Traffic unpack itself Check virtual network interfaces Tofsee ComputerName |
2
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 - rule_id: 40876
http://23.95.235.16/33011/WDF.txt
|
2
uploaddeimagens.com.br(172.67.215.45) - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg
|
3.2 |
M |
|
ZeroCERT
10193 |
2024-07-04 02:39
|
http://py.pl/I7mIC 6cb7e9e8e7161d8a30c49a4228aafaaf Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
|
2
py.pl(151.101.66.133)
151.101.194.133 - phishing
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.6 |
|
|
guest
10194 |
2024-07-04 09:39
|
systemd.exe da4b6f39fc024d2383d4bfe7f67f1ee1 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Tofsee crashed |
1
https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
|
2
bitbucket.org(43.202.69.9) - malware
104.192.141.1 - malicious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
44 |
ZeroCERT
10195 |
2024-07-04 09:41
|
Bitwarden-Installer-2024.6.3.e... 06e9439beabd1813ff13295adbba48ff Generic Malware Malicious Library Malicious Packer UPX AntiDebug AntiVM PE File ftp PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution DNS Software |
2
https://steamcommunity.com/profiles/76561199730044335
https://t.me/bu77un
|
5
t.me(149.154.167.99) - malicious
steamcommunity.com(104.75.41.21) - malicious
104.87.193.17
149.154.167.99 - malicious
95.217.241.48
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.8 |
|
10 |
ZeroCERT
10196 |
2024-07-04 09:45
|
MOVE.vbs 17a1424e8ac08659157d2d0f0d143de9 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS Cryptographic key Dropper |
3
http://91.92.254.29/Users_API/HURRICANE/file_2n4kbwex.dbr.txt
http://airstreamsa.in.net/ajai/wave.txt
https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg
|
3
ia803405.us.archive.org(207.241.232.195) - malicious
91.92.254.29 - malicious
207.241.232.195 - malicious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
7 |
ZeroCERT
10197 |
2024-07-04 10:17
|
file_20dp34d4.orr.txt.ps1 d95ef9e08e9db08a9722d77fb91c39df Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://uploaddeimagens.com.br/images/004/807/737/original/new-image_j.jpg?1720020397 - rule_id: 40914
http://192.3.64.135/okeydookietrational.txt
|
2
uploaddeimagens.com.br(172.67.215.45) - malware
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/807/737/original/new-image_j.jpg
|
4.2 |
M |
|
ZeroCERT
10198 |
2024-07-04 11:31
|
Update.js 616eae241a26b57cf9d5efc97ff8491f VBScript wscript.exe payload download Tofsee crashed Dropper |
1
https://shryr.fans.smalladventureguide.com/orderReview
|
2
shryr.fans.smalladventureguide.com(162.252.175.117)
162.252.175.117 - malicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.0 |
|
|
guest
10199 |
2024-07-04 17:02
|
uh.uh.uhuhuh.uu.uh.doc 2065f134f20986527b4023d59e12081c MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit Java DNS crashed |
4
http://198.46.178.139/33144/creatingfollowerswithflowereseverytime.gif
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 - rule_id: 40876
http://91.92.254.29/Users_API/syscore/file_ygeik543.xh0.txt
http://198.46.178.139/33144/ORES.txt
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
91.92.254.29 - malicious
198.46.178.139 - malware
172.67.215.45 - malware
|
4
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
ET MALWARE Malicious Base64 Encoded Payload In Image
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET WEB_CLIENT Obfuscated Javascript // ptth
|
1
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg
|
5.0 |
M |
34 |
ZeroCERT
10200 |
2024-07-04 17:08
|
Explore.vbs 9b5731dd0f4fe8d82ce62e1ef83ebc8c Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
|
1
89.197.154.116 - malicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
9.0 |
|
30 |
ZeroCERT
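The records above, as an added example that is not part of the listing: a Python parser that turns this flattened column layout into structured records and a de-duplicated IOC set. The column order (ID, submitted, file/MD5/tags, URLs, hosts, Suricata alerts, rule-matched URLs, score, the bare "M" column, a count, submitter) is inferred from the records themselves and is an assumption of this example, as is treating the `- malware` / `- malicious` / `- phishing` suffixes as reputation tags. The sample record is copied from entry 10197 with its tag list shortened.

```python
"""IOC extraction for the flattened sandbox-listing records on this page.

Column order, inferred from the records (an assumption of this example):
ID | submitted | "<file> <md5> <tags...>" | URLs | hosts | Suricata alerts |
matched URLs | score | flag | count | submitter.  Counted columns start with
their item count on its own line; that count is checked against what the
regexes extracted so a missed item is reported instead of silently dropped.
"""
import re
from dataclasses import dataclass, field

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
HOST_RE = re.compile(r"([A-Za-z0-9.-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)(?:\s+-\s+(\w+))?")
BARE_IP_RE = re.compile(r"(?<![\w.(])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.)])(?:\s+-\s+(\w+))?")
ALERT_SPLIT_RE = re.compile(r"\s+(?=(?:ET|SURICATA|SSLBL)\b)")  # alerts may run together on one line
RECORD_START_RE = re.compile(r"^\d+ \|\n(?=\d{4}-\d{2}-\d{2} )", re.M)  # ID line, then timestamp line


@dataclass
class Record:
    rid: str
    submitted: str
    filename: str
    md5: str
    tags: list
    urls: list            # (url, rule_id or None)
    hosts: list           # (domain or None, ip, reputation tag or None)
    alerts: list
    matched_urls: list
    score: float
    submitter: str
    count_mismatches: dict = field(default_factory=dict)  # column -> (declared, parsed)


def _counted(column):
    """Split a counted column into (declared count, item text joined by spaces)."""
    lines = [ln.strip() for ln in column.splitlines() if ln.strip()]
    if lines and lines[0].isdigit():
        return int(lines[0]), " ".join(lines[1:])
    return 0, " ".join(lines)


def parse_record(text):
    cols = [c.strip() for c in text.split("|")]
    m = MD5_RE.search(cols[2]) if len(cols) >= 11 else None
    if not m:
        raise ValueError(f"record {cols[0]!r}: unexpected column layout")
    n_url, url_text = _counted(cols[3])
    urls = [(u, int(r) if r else None) for u, r in URL_RE.findall(url_text)]
    n_host, host_text = _counted(cols[4])
    hosts = [(d, ip, t or None) for d, ip, t in HOST_RE.findall(host_text)]
    hosts += [(None, ip, t or None) for ip, t in BARE_IP_RE.findall(host_text)]
    n_alert, alert_text = _counted(cols[5])
    alerts = [a for a in ALERT_SPLIT_RE.split(alert_text) if a]
    rec = Record(cols[0], cols[1], cols[2][:m.start()].strip(), m.group(0),
                 cols[2][m.end():].split(), urls, hosts, alerts,
                 [u for u, _ in URL_RE.findall(_counted(cols[6])[1])],
                 float(cols[7]) if cols[7] else 0.0, cols[10])
    for name, declared, parsed in (("urls", n_url, len(urls)), ("hosts", n_host, len(hosts)),
                                   ("alerts", n_alert, len(alerts))):
        if declared != parsed:
            rec.count_mismatches[name] = (declared, parsed)
    return rec


def parse_listing(text):
    starts = [m.start() for m in RECORD_START_RE.finditer(text)]
    return [parse_record(text[a:b]) for a, b in zip(starts, starts[1:] + [len(text)])]


def flagged_iocs(records):
    """Every MD5, every URL that hit a rule, and every host the listing tags."""
    out = {"md5": set(), "url": set(), "domain": set(), "ip": set()}
    for r in records:
        out["md5"].add(r.md5)
        out["url"].update([u for u, rule in r.urls if rule] + r.matched_urls)
        for dom, ip, tag in r.hosts:
            if tag:
                (out["domain"] if dom else out["ip"]).add(dom or ip)
    return out


# Constructed sample: record 10197 from the page with its tag list shortened.
SAMPLE = """\
10197 |
2024-07-04 10:17
|
file_20dp34d4.orr.txt.ps1 d95ef9e08e9db08a9722d77fb91c39df Generic Malware powershell Tofsee |
2
https://uploaddeimagens.com.br/images/004/807/737/original/new-image_j.jpg?1720020397 - rule_id: 40914
http://192.3.64.135/okeydookietrational.txt
|
2
uploaddeimagens.com.br(172.67.215.45) - malware 104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/807/737/original/new-image_j.jpg
|
4.2 |
M |
|
ZeroCERT
"""
```

The count check is the part worth keeping: alert names are only separable by their `ET` / `SURICATA` / `SSLBL` prefix, so a rule family the splitter does not know is merged into its neighbour and surfaces as a declared/parsed mismatch instead of a silently shorter list. Only hosts the listing itself tags go into the IOC set; untagged infrastructure in these records (the ipify and ipinfo lookup services, the Let's Encrypt `x1.i.lencr.org` endpoint) is noise a blocklist should not carry.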