10201 |
2024-07-05 11:13
|
software.exe 1ed6f9d578e14edad0bf47edf1f6269f Vidar Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948
https://steamcommunity.com/profiles/76561199730044335
https://t.me/bu77un
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
95.217.241.48 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199730044335
|
16.4 |
|
32 |
ZeroCERT
10202 |
2024-07-05 14:54
|
sostener.vbs c45cccf34e0483bbb46f55d04ccb781b Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS Cryptographic key Dropper |
3
http://91.92.254.29/Users_API/ABBAS/file_odpxh4oq.2bf.txt
https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg
https://bitbucket.org/sdfsfew/abbas-ksdmspaod/downloads/R28JUNIOSOST.txt
|
3
ia803405.us.archive.org(207.241.232.195) - mailcious
91.92.254.29 - mailcious
207.241.232.195 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
7 |
ZeroCERT
10203 |
2024-07-05 15:01
|
Scandoc1114.exe 1028a0939cb0ce3475e93dcab08ebba8 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
|
4
smtp.bureaubetak.co(208.91.199.224)
api.ipify.org(172.67.74.152)
208.91.199.223 - mailcious
172.67.74.152
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil Via SMTP
|
|
9.4 |
M |
51 |
ZeroCERT
10204 |
2024-07-05 15:54
|
Report.ps1 054618073752ea5823c98130114a3241 Hide_EXE Generic Malware task schedule Antivirus KeyLogger AntiDebug AntiVM Malware download AsyncRAT NetWireRC VirusTotal Malware Code Injection Check memory buffers extracted unpack itself DDNS |
|
2
services-line2.freeddns.org(136.243.111.71)
136.243.111.71
|
3
ET INFO DYNAMIC_DNS Query to a *.freeddns .org Domain
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
7.2 |
|
10 |
ZeroCERT
10205 |
2024-07-06 18:20
|
mkl.js b0d0cfe2e3d3285272c07d5c32c96e44 AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Gmail Browser Email ComputerName crashed keylogger |
|
2
smtp.gmail.com(74.125.23.108)
142.251.8.108
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
|
14 |
ZeroCERT
10206 |
2024-07-06 18:35
|
build.exe 2dece3353cda5321fff7c92a697c37ee Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948
https://steamcommunity.com/profiles/76561199730044335
https://t.me/bu77un
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
104.87.193.17
149.154.167.99 - mailcious
95.217.241.48 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199730044335
|
11.0 |
M |
60 |
ZeroCERT
10207 |
2024-07-07 18:55
|
buildj.exe 7debc473f9ec83c3d000a57466eab9b2 Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948
https://steamcommunity.com/profiles/76561199730044335
https://t.me/bu77un
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
95.217.241.48 - mailcious
184.85.112.102
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199730044335
|
11.0 |
M |
58 |
ZeroCERT
10208 |
2024-07-07 19:11
|
go.exe d1a881d79ea584b074ae23f9279c5bd0 Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
6
ssl.gstatic.com(142.251.222.35)
accounts.google.com(74.125.203.84)
www.google.com(142.250.206.228)
142.251.8.84
142.251.220.100
142.250.66.99
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
44 |
ZeroCERT
10209 |
2024-07-08 07:52
|
PACKAGE_DEMO.exe e450ca946d4bf6173ebe3f00c3d08d81 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Check memory Creates shortcut Collect installed applications sandbox evasion IP Check installed browsers check Tofsee Ransomware MeduzaStealer Stealer Browser Email ComputerName Trojan Banking DNS |
|
3
api.ipify.org(104.26.12.205)
79.137.197.154
104.26.12.205
|
8
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2
ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
SURICATA Applayer Protocol detection skipped
|
|
11.8 |
M |
56 |
ZeroCERT
10210 |
2024-07-08 09:46
|
Installer.exe bed8cdced2d57be2bd750f0f59991ecd Malicious Library UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Cryptocurrency wallets Cryptocurrency Telegram AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS |
|
4
api.telegram.org(149.154.167.220)
101.35.228.105 - malware
45.33.6.223
149.154.167.220
|
4
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
|
|
9.8 |
M |
63 |
ZeroCERT
10211 |
2024-07-08 09:54
|
Client.exe 86108d3bcc19fe774cc81b71494d31f9 Generic Malware Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check PNG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Browser Email ComputerName DNS Software crashed |
1
|
4
freegeoip.app(172.67.160.84)
ipbase.com(104.21.85.189)
104.21.73.97
172.67.209.71
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
|
|
7.8 |
M |
61 |
ZeroCERT
10212 |
2024-07-08 10:04
|
Update.js affe7c07da3776a191c69b73e50d491a VBScript wscript.exe payload download Tofsee crashed Dropper |
1
https://pkjzv.fans.smalladventureguide.com/orderReview
|
2
pkjzv.fans.smalladventureguide.com(162.252.175.117)
162.252.175.117 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
|
guest
10213 |
2024-07-08 11:11
|
archive.rar 2074be740d489e298715968ed68fd122 Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord DNS |
|
|
18
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET HUNTING Redirect to Discord Attachment Download
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
|
7
http://176.111.174.109/psyzh
http://77.105.133.27/download/123p.exe
http://5.42.99.177/api/crazyfish.php
http://80.78.242.100/d/525403
http://5.42.99.177/api/twofish.php
http://77.105.133.27/download/th/space.php
https://lop.foxesjoy.com/ssl/crt.exe
|
5.2 |
M |
|
ZeroCERT
10214 |
2024-07-08 14:09
|
INVESTIGATION_OF_SEXUAL_HARASS... 9345d52abd5bab4320c1273eb2c90161 ZIP Format Word 2007 file format(docx) VirusTotal Malware unpack itself Tofsee |
2
http://x1.i.lencr.org/
https://investigation04.session-out.com/fbd901_harassment/doc.rtf
|
4
investigation04.session-out.com(89.150.40.43)
x1.i.lencr.org(23.52.33.11)
89.150.40.43
23.41.113.9
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
4 |
ZeroCERT
10215 |
2024-07-08 14:24
|
INVESTIGATION_OF_SEXUAL_HARASS... 9345d52abd5bab4320c1273eb2c90161 ZIP Format Word 2007 file format(docx) VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
2
http://x1.i.lencr.org/
https://investigation04.session-out.com/fbd901_harassment/doc.rtf - rule_id: 41091
|
4
investigation04.session-out.com(89.150.40.43) - mailcious
x1.i.lencr.org(23.52.33.11)
89.150.40.43 - mailcious
23.41.113.9
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://investigation04.session-out.com/fbd901_harassment/doc.rtf
|
2.6 |
M |
4 |
ZeroCERT