1 |
2025-04-10 01:45
|
CarZ.exe 33a2df57afcf0e90607ab3a604ab6939 Emotet Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware RWX flags setting |
1.4 |
|
7 |
guest
2 |
2025-04-09 20:47
|
Win11_24H2_English_x64.iso.3af... 96beac72b4b58aecf6ea792711e263fc AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
3.4 |
guest
3 |
2025-04-09 16:50
|
2.wsf 70e7a78686df6013aa8fabe63d2827b8 Generic Malware Antivirus AntiDebug AntiVM PNG Format MSOffice File JPEG Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Cloudflare DNS Cryptographic key |
5
https://toolkit-nokia-network-alert.trycloudflare.com/error_log.txt https://toolkit-nokia-network-alert.trycloudflare.com/AutoRun.inf https://toolkit-nokia-network-alert.trycloudflare.com/deci.zip https://toolkit-nokia-network-alert.trycloudflare.com/ https://toolkit-nokia-network-alert.trycloudflare.com/b.txt - rule_id: 44968
|
6
www.healyconsultants.com(162.159.134.42) numbers-queensland-rec-thumbs.trycloudflare.com(104.16.231.132) - mailcious toolkit-nokia-network-alert.trycloudflare.com(104.16.230.132) - malware 162.159.134.42 - mailcious 104.16.231.132 - malware 104.16.230.132 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) ET HUNTING TryCloudFlare Domain in TLS SNI ET INFO Observed trycloudflare .com Domain in TLS SNI
|
1
https://toolkit-nokia-network-alert.trycloudflare.com/b.txt
|
8.4 |
M |
4 |
ZeroCERT
4 |
2025-04-09 13:46
|
gs.exe 899e8f69a4b5e13049ab33b475ca98fa Generic Malware UPX PE File PE32 OS Processor Check VirusTotal Malware |
1.6 |
M |
48 |
ZeroCERT
5 |
2025-04-09 13:43
|
gutschein20.pdf 287484957ea3b13e976d983365a7eee3 PDF |
ZeroCERT
6 |
2025-04-09 11:14
|
weneedbestthingswithgreatnewse... 69a8457d73f1171b37da05e4c9869b05 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM VBScript Code Injection Check memory wscript.exe payload download Creates executable files suspicious process malicious URLs Tofsee DNS Dropper |
1
https://paste.ee/d/gckekFMQ/0
|
2
paste.ee(23.186.113.60) - mailcious 23.186.113.60 - mailcious
|
4
ET INFO TLS Handshake Failure ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
10.0 |
ZeroCERT
7 |
2025-04-09 11:10
|
new_image.jpg.dll 8e7ded0089b6adfdd951b5d8175078f7 North Korea Generic Malware Malicious Library Malicious Packer UPX PE File DLL PE32 OS Processor Check .NET DLL VirusTotal Malware |
1.2 |
|
47 |
ZeroCERT
8 |
2025-04-09 10:42
|
greatnicegirlbackontheearthwit... efb65d67dc764eb12f65fc12dd8eb542 Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware VBScript powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger heapspray wscript.exe payload download Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
http://192.3.23.235/xampp/javn/newthingsonhereforgetrockgain.gif
https://paste.ee/d/pjDmf0Pi
|
3
paste.ee(23.186.113.60) - mailcious 192.3.23.235
23.186.113.60 - mailcious
|
4
ET INFO TLS Handshake Failure ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
10.0 |
|
13 |
ZeroCERT
9 |
2025-04-09 10:32
|
new_image.jpg.dll 8e7ded0089b6adfdd951b5d8175078f7 North Korea Generic Malware Malicious Library Malicious Packer UPX PE File DLL PE32 OS Processor Check .NET DLL VirusTotal Malware |
1.2 |
|
47 |
ZeroCERT
10 |
2025-04-09 10:29
|
eneedbestthingswithgreatnewsev... 30cece81aea584416692dd3eeec38453 MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://74.208.132.59/112/weneedbestthingswithgreatnewsevengivenbestforentiretime.hta
|
3
paste.ee(23.186.113.60) - mailcious 23.186.113.60 - mailcious 74.208.132.59 - mailcious
|
8
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) ET INFO TLS Handshake Failure ET POLICY Possible HTA Application Download ET INFO Dotted Quad Host HTA Request ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
5.0 |
M |
36 |
ZeroCERT
11 |
2025-04-09 10:27
|
tfqHNUJxJdFp8T0.exe 00d9a8bdd9e0f92deddb0732da1714fc Loki LokiBot Malicious Library Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://94.156.177.41/alpha/five/fre.php - rule_id: 44633
|
1
94.156.177.41 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 13 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://94.156.177.41/alpha/five/fre.php
|
13.0 |
M |
29 |
ZeroCERT
12 |
2025-04-09 10:26
|
Microsoft-Order.pdf.lnk 8b68173e0f5484fc965d50770f71a08d Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
5.0 |
|
31 |
ZeroCERT
13 |
2025-04-09 10:25
|
ori.js 01e995c96291c13d4ec3a08ebcdca4f6 AgentTesla Hide_EXE Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Processor Check OS Name Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Gmail Browser Email ComputerName crashed keylogger |
|
2
smtp.gmail.com(142.251.8.108) 108.177.125.108
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 |
M |
30 |
ZeroCERT
14 |
2025-04-09 10:23
|
mgh.js 455952e05525f25fbe0c893828d2a29f Suspicious_Script_Bin Hide_EXE PE File PE32 Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName Dropper |
1
http://lee44.kozow.com:6892/is-ready
|
2
lee44.kozow.com(104.168.7.12) 104.168.7.12
|
4
ET INFO DYNAMIC_DNS Query to a *.kozow .com Domain ET MALWARE WSHRAT CnC Checkin ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 ET INFO DYNAMIC_DNS HTTP Request to a *.kozow .com Domain
10.0 |
|
22 |
ZeroCERT
15 |
2025-04-09 10:02
|
Artikel-4.png.lnk 91a93c5a882ec9d46934f5f00bedd453 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM Lnk Format GIF Format PNG Format MSOffice File VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Cloudflare DNS Cryptographic key |
6
https://toolkit-nokia-network-alert.trycloudflare.com/error_log.txt
https://toolkit-nokia-network-alert.trycloudflare.com/
https://toolkit-nokia-network-alert.trycloudflare.com/b.txt
https://numbers-queensland-rec-thumbs.trycloudflare.com/lo.bat
https://numbers-queensland-rec-thumbs.trycloudflare.com/new.wsh
https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf
|
5
www.healyconsultants.com(162.159.134.42)
numbers-queensland-rec-thumbs.trycloudflare.com(104.16.230.132) - mailcious
toolkit-nokia-network-alert.trycloudflare.com(104.16.231.132) - malware 162.159.134.42 - mailcious
104.16.230.132 - mailcious
|
4
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING TryCloudFlare Domain in TLS SNI ET INFO Observed trycloudflare .com Domain in TLS SNI
9.4 |
|
2 |
ZeroCERT