1636 |
2025-03-21 10:08
|
update.exe 369fb99dbae23164166f27bf37e6fef2 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware PDB |
|
1.4 |
|
43 |
ZeroCERT
1637 |
2025-03-21 09:30
|
casos.exe 7e45d87c02e2f5736fb0bf91f0b5b71f Formbook Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser |
|
21
www.temecula.deals(15.197.148.33) - www.anartisthuman.info(208.91.197.27) - www.minimalbtc.xyz(76.223.54.146) - www.multo.xyz(13.248.169.48) - www.vaishnavi.xyz(92.204.40.98) - www.jplttj.info(47.83.1.90) - www.needethereum.xyz(13.248.169.48) - www.statusq.studio(13.248.243.5) - www.agistaking.xyz(13.248.169.48) - www.zeniow.xyz(209.74.77.230) - www.pond-magic.shop(15.197.148.33) - 15.197.148.33 - 92.204.40.98 - 76.223.54.146 - 209.74.77.230 - 13.248.243.5 - 208.91.197.27 - 3.33.130.190 - 13.248.169.48 - 45.33.6.223 - 47.83.1.90 -
|
1
SURICATA HTTP Request abnormal Content-Encoding header
|
20
http://www.anartisthuman.info/q5nb/ http://www.jplttj.info/qk2k/ http://www.pond-magic.shop/vhzb/ http://www.agistaking.xyz/c8u0/ http://www.temecula.deals/xwqx/ http://www.multo.xyz/dlol/ http://www.needethereum.xyz/7t1k/ http://www.vaishnavi.xyz/fepe/ http://www.zeniow.xyz/ia4f/ http://www.agistaking.xyz/c8u0/ http://www.pond-magic.shop/vhzb/ http://www.needethereum.xyz/7t1k/ http://www.vaishnavi.xyz/fepe/ http://www.statusq.studio/tjfr/ http://www.temecula.deals/xwqx/ http://www.anartisthuman.info/q5nb/ http://www.multo.xyz/dlol/ http://www.statusq.studio/tjfr/ http://www.jplttj.info/qk2k/ http://www.zeniow.xyz/ia4f/
|
6.4 |
|
54 |
ZeroCERT
1638 |
2025-03-21 09:24
|
sweetbabaygirlwithmybestthinki... 7c7b35dec47671230514dc3f691dd96d Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware VBScript Code Injection Check memory wscript.exe payload download Creates executable files unpack itself suspicious process Tofsee DNS Dropper |
|
2
paste.ee(23.186.113.60) - 23.186.113.60 -
|
4
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
|
10.0 |
|
20 |
ZeroCERT
1639 |
2025-03-21 09:22
|
nicegirlwithbeautifulsmileande... 67d981098720f9d22af464722e7c58bc MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://213.165.70.23/315/nicegirlwithbeautifulsmileandeyesfor.hta
|
4
paste.ee(23.186.113.60) - 23.186.113.60 - 45.33.6.223 - 213.165.70.23 -
|
8
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible HTA Application Download ET INFO Dotted Quad Host HTA Request ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) ET INFO TLS Handshake Failure ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
|
5.0 |
|
37 |
ZeroCERT
1640 |
2025-03-21 09:21
|
hemybestgirlformybestkisseseve... 4ca83cd1d5efcde0793d1d5ea51d0c62 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware VBScript Code Injection Check memory wscript.exe payload download Creates executable files suspicious process malicious URLs Tofsee DNS Dropper |
|
2
paste.ee(23.186.113.60) - 23.186.113.60 -
|
4
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
10.0 |
|
19 |
ZeroCERT
1641 |
2025-03-21 09:21
|
vsse.exe cd00eab486d24844b6ae7933c4514271 Formbook Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Process Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser |
31
http://www.zeniow.xyz/ia4f/?y_3TV=PWKr0tq9ggEA6355c9UyNF2pd7P8mK2dL3BBPgf/WfBkZg8pHvux8cwM5cbL82+ryc47uajX6FH7VUY9gkG/3EWTphbi/Pfl4NQpMu/zjtwuhefdlRmz0+cWQnJKIaegbhRgrPA=&NReKM=nmUcOK - rule_id: 44081 http://www.zeniow.xyz/ia4f/?y_3TV=PWKr0tq9ggEA6355c9UyNF2pd7P8mK2dL3BBPgf/WfBkZg8pHvux8cwM5cbL82+ryc47uajX6FH7VUY9gkG/3EWTphbi/Pfl4NQpMu/zjtwuhefdlRmz0+cWQnJKIaegbhRgrPA=&NReKM=nmUcOK http://www.anartisthuman.info/q5nb/?y_3TV=cbGNT1GwMlz4ZJSziaGZ417O1lPEEGr/otaQaC2lDUNXgkD5XcZBfcFh4bos8p6nBAeLwaWY70PtJ84F2cqIefn38VmVolqA9OM00NydnH4eimiA5ovgMJtFZSZXN9c5ALcOmvE=&NReKM=nmUcOK - rule_id: 44080 http://www.anartisthuman.info/q5nb/?y_3TV=cbGNT1GwMlz4ZJSziaGZ417O1lPEEGr/otaQaC2lDUNXgkD5XcZBfcFh4bos8p6nBAeLwaWY70PtJ84F2cqIefn38VmVolqA9OM00NydnH4eimiA5ovgMJtFZSZXN9c5ALcOmvE=&NReKM=nmUcOK http://www.vaishnavi.xyz/fepe/ - rule_id: 44085 http://www.vaishnavi.xyz/fepe/ http://www.agistaking.xyz/c8u0/?y_3TV=FMJVgFO6r2fqsFEl6TwcqloBaxOFxcVuwnCszuFGPNY4Pf96ze7CheFJaWHnvvI5HUXX1ffPrMdMHGblvRY36kwJ6Z5LjOSq3+UxRnzl3DcT41eA43jrjNZY+mEu3ZZesfo5R+c=&NReKM=nmUcOK - rule_id: 44077 http://www.agistaking.xyz/c8u0/?y_3TV=FMJVgFO6r2fqsFEl6TwcqloBaxOFxcVuwnCszuFGPNY4Pf96ze7CheFJaWHnvvI5HUXX1ffPrMdMHGblvRY36kwJ6Z5LjOSq3+UxRnzl3DcT41eA43jrjNZY+mEu3ZZesfo5R+c=&NReKM=nmUcOK http://www.pond-magic.shop/vhzb/?y_3TV=utPv65Al4AswLtqgXBb6Y4fTxryMVttJesMXOpbeQKe44HKKs52WpuXeGiT/ACGN6+bMff3De6fwTiZsaGhnqx8sLpUZ6NMur+BKLZ/qQcXmCUHZhzver/1jMPQf6ei06+vySQk=&NReKM=nmUcOK - rule_id: 44079 http://www.pond-magic.shop/vhzb/?y_3TV=utPv65Al4AswLtqgXBb6Y4fTxryMVttJesMXOpbeQKe44HKKs52WpuXeGiT/ACGN6+bMff3De6fwTiZsaGhnqx8sLpUZ6NMur+BKLZ/qQcXmCUHZhzver/1jMPQf6ei06+vySQk=&NReKM=nmUcOK http://www.needethereum.xyz/7t1k/?y_3TV=FU89ini0gnpj8wdpORJLv3Vt4RH2UdonDWusiqXcZKGzkaK/1F4v6ebYfxiMRK0Sp+KhdTnnXUlQw/F9hhoAQLNA+2u62uYZ6Z5FgcXKgYvRqi64dxV4oyAUMmVAbniMH2jLJf0=&NReKM=nmUcOK - rule_id: 44150 
http://www.needethereum.xyz/7t1k/?y_3TV=FU89ini0gnpj8wdpORJLv3Vt4RH2UdonDWusiqXcZKGzkaK/1F4v6ebYfxiMRK0Sp+KhdTnnXUlQw/F9hhoAQLNA+2u62uYZ6Z5FgcXKgYvRqi64dxV4oyAUMmVAbniMH2jLJf0=&NReKM=nmUcOK http://www.temecula.deals/xwqx/?y_3TV=otmcxnJvFIgVfYDZKBmMxfZ/2Rsfmh5K0YH/99vZ/T7EZjaL7WFZ4hVKC4Doi6q8u50oMvgcqXDIzwm5VvCgIECKPmoYjETr5j8UxgstLIDPhmq1nsbeJqpfQc3YQdHA6Li+eys=&NReKM=nmUcOK - rule_id: 44082 http://www.temecula.deals/xwqx/?y_3TV=otmcxnJvFIgVfYDZKBmMxfZ/2Rsfmh5K0YH/99vZ/T7EZjaL7WFZ4hVKC4Doi6q8u50oMvgcqXDIzwm5VvCgIECKPmoYjETr5j8UxgstLIDPhmq1nsbeJqpfQc3YQdHA6Li+eys=&NReKM=nmUcOK http://www.pond-magic.shop/vhzb/ - rule_id: 44079 http://www.pond-magic.shop/vhzb/ http://www.anartisthuman.info/q5nb/ - rule_id: 44080 http://www.anartisthuman.info/q5nb/ http://www.agistaking.xyz/c8u0/ - rule_id: 44077 http://www.agistaking.xyz/c8u0/ http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip http://www.temecula.deals/xwqx/ - rule_id: 44082 http://www.temecula.deals/xwqx/ http://www.multo.xyz/dlol/ - rule_id: 44084 http://www.multo.xyz/dlol/ http://www.needethereum.xyz/7t1k/ - rule_id: 44150 http://www.needethereum.xyz/7t1k/ http://www.multo.xyz/dlol/?y_3TV=Vdu1QfmsuFO68GL+Z4x3EHJHVjGIjNF/HVgaJhop4EyQK8uQubyUDtwdOyyNKnabI4xwGbdZuUIxD/VQQoafkwH5Ac9mLu9zmIIuvlxOoy49VxHnP5G+j0sNpXUeFDu2oIGBsSQ=&NReKM=nmUcOK - rule_id: 44084 http://www.multo.xyz/dlol/?y_3TV=Vdu1QfmsuFO68GL+Z4x3EHJHVjGIjNF/HVgaJhop4EyQK8uQubyUDtwdOyyNKnabI4xwGbdZuUIxD/VQQoafkwH5Ac9mLu9zmIIuvlxOoy49VxHnP5G+j0sNpXUeFDu2oIGBsSQ=&NReKM=nmUcOK http://www.zeniow.xyz/ia4f/ - rule_id: 44081 http://www.zeniow.xyz/ia4f/
|
16
www.anartisthuman.info(208.91.197.27) - www.multo.xyz(76.223.54.146) - www.vaishnavi.xyz(92.204.40.98) - www.temecula.deals(3.33.130.190) - www.needethereum.xyz(13.248.169.48) - www.agistaking.xyz(13.248.169.48) - www.zeniow.xyz(209.74.77.230) - www.pond-magic.shop(3.33.130.190) - 15.197.148.33 - 92.204.40.98 - 76.223.54.146 - 209.74.77.230 - 208.91.197.27 - 3.33.130.190 - 13.248.169.48 - 45.33.6.223 -
|
15
http://www.zeniow.xyz/ia4f/ http://www.anartisthuman.info/q5nb/ http://www.vaishnavi.xyz/fepe/ http://www.agistaking.xyz/c8u0/ http://www.pond-magic.shop/vhzb/ http://www.needethereum.xyz/7t1k/ http://www.temecula.deals/xwqx/ http://www.pond-magic.shop/vhzb/ http://www.anartisthuman.info/q5nb/ http://www.agistaking.xyz/c8u0/ http://www.temecula.deals/xwqx/ http://www.multo.xyz/dlol/ http://www.needethereum.xyz/7t1k/ http://www.multo.xyz/dlol/ http://www.zeniow.xyz/ia4f/
|
7.2 |
|
51 |
ZeroCERT
1642 |
2025-03-21 09:21
|
ssnicegirlwecomebackwithnicepe... deb8539ff8039481417fb7b6c81d821f Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware VBScript Code Injection Check memory wscript.exe payload download Creates executable files suspicious process Tofsee DNS Dropper |
|
3
paste.ee(23.186.113.60) - 23.186.113.60 - 45.33.6.223 -
|
4
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) ET INFO TLS Handshake Failure ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
10.0 |
|
20 |
ZeroCERT
1643 |
2025-03-21 09:20
|
vfc.exe 907d825de589180257b3cdd1515c7002 Formbook Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser |
|
20
www.anartisthuman.info(208.91.197.27) - www.zeniow.xyz(209.74.77.230) - www.multo.xyz(76.223.54.146) - www.vaishnavi.xyz(92.204.40.98) - www.temecula.deals(15.197.148.33) - www.needethereum.xyz(13.248.169.48) - www.statusq.studio(13.248.243.5) - www.agistaking.xyz(13.248.169.48) - www.jplttj.info(47.83.1.90) - www.pond-magic.shop(15.197.148.33) - 15.197.148.33 - 92.204.40.98 - 76.223.54.146 - 209.74.77.230 - 13.248.243.5 - 208.91.197.27 - 3.33.130.190 - 13.248.169.48 - 45.33.6.223 - 47.83.1.90 -
|
1
SURICATA HTTP Request abnormal Content-Encoding header
|
20
http://www.anartisthuman.info/q5nb/ http://www.zeniow.xyz/ia4f/ http://www.vaishnavi.xyz/fepe/ http://www.jplttj.info/qk2k/ http://www.temecula.deals/xwqx/ http://www.jplttj.info/qk2k/ http://www.vaishnavi.xyz/fepe/ http://www.pond-magic.shop/vhzb/ http://www.anartisthuman.info/q5nb/ http://www.statusq.studio/tjfr/ http://www.temecula.deals/xwqx/ http://www.multo.xyz/dlol/ http://www.statusq.studio/tjfr/ http://www.needethereum.xyz/7t1k/ http://www.agistaking.xyz/c8u0/ http://www.multo.xyz/dlol/ http://www.needethereum.xyz/7t1k/ http://www.zeniow.xyz/ia4f/ http://www.agistaking.xyz/c8u0/ http://www.pond-magic.shop/vhzb/
|
6.4 |
|
44 |
ZeroCERT
1644 |
2025-03-21 09:20
|
konlother2.1.exe f704529fe56523850e01f960da08248d Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger unpack itself DNS |
3
http://www.lil.lat/h3wr/?KthPv=GTzuYoepN3O6hjOYQAUDt3jnZyS6JoSeJaNXYeK5/jK533K+rzaU3XKg/JUiTyx4lDVM/0Cc&t8o=FrFd9Xa http://www.circling.sbs/h3wr/?KthPv=nGV1DkLXLMRlN4WXoCYP6KrwOE0RmVfHUrQ9bDRDTRl76bL8ZGHt7kctFC5IIewZ8vdNDrJV&t8o=FrFd9Xa http://www.mybucketwish.net/h3wr/?KthPv=FnrwQ/2PL1klTrDsikS8ad6IJW8/Pi0J6fr3HwPBGc/nCDEFF9hmcYqRRQtt7vjbvrWAJ/Zw&t8o=FrFd9Xa
|
9
www.circling.sbs(172.67.201.46) - www.lil.lat(15.235.167.22) - www.mybucketwish.net(13.248.243.5) - www.aifriendship.store() - www.nesuns.asia(104.21.53.233) - 15.235.167.22 - 13.248.243.5 - 172.67.201.46 - 45.33.6.223 -
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
5.0 |
|
43 |
ZeroCERT
1645 |
2025-03-21 09:18
|
cosses.exe c338c9cdccb21a6f023987865b4a6269 Formbook Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser |
|
18
www.temecula.deals(15.197.148.33) - www.anartisthuman.info(208.91.197.27) - www.multo.xyz(76.223.54.146) - www.vaishnavi.xyz(92.204.40.98) - www.jplttj.info(47.83.1.90) - www.needethereum.xyz(13.248.169.48) - www.statusq.studio(13.248.243.5) - www.agistaking.xyz(76.223.54.146) - www.zeniow.xyz(209.74.77.230) - www.pond-magic.shop(15.197.148.33) - 92.204.40.98 - 209.74.77.230 - 13.248.243.5 - 208.91.197.27 - 3.33.130.190 - 13.248.169.48 - 45.33.6.223 - 47.83.1.90 -
|
1
SURICATA HTTP Request abnormal Content-Encoding header
|
20
http://www.temecula.deals/xwqx/ http://www.vaishnavi.xyz/fepe/ http://www.jplttj.info/qk2k/ http://www.agistaking.xyz/c8u0/ http://www.needethereum.xyz/7t1k/ http://www.jplttj.info/qk2k/ http://www.multo.xyz/dlol/ http://www.pond-magic.shop/vhzb/ http://www.statusq.studio/tjfr/ http://www.anartisthuman.info/q5nb/ http://www.temecula.deals/xwqx/ http://www.agistaking.xyz/c8u0/ http://www.multo.xyz/dlol/ http://www.statusq.studio/tjfr/ http://www.vaishnavi.xyz/fepe/ http://www.pond-magic.shop/vhzb/ http://www.zeniow.xyz/ia4f/ http://www.needethereum.xyz/7t1k/ http://www.zeniow.xyz/ia4f/ http://www.anartisthuman.info/q5nb/
|
5.8 |
|
53 |
ZeroCERT
1646 |
2025-03-21 09:17
|
iaminthebestdutyservicewithgre... f416bdb17daf4b30b55b760b1d4884db Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware VBScript Code Injection Check memory wscript.exe payload download Creates executable files suspicious process Tofsee DNS Dropper |
|
2
paste.ee(23.186.113.60) - 23.186.113.60 -
|
4
ET INFO TLS Handshake Failure ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
10.0 |
|
14 |
ZeroCERT
1647 |
2025-03-21 09:11
|
nicepeoplesgoodpeoplesgreatski... 7ac028158d3b52f5a3de282ac70e7367 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://213.165.70.23/312/updates.js
|
3
www2.0zz0.com(104.21.48.1) - 104.21.112.1 - 213.165.70.23 -
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
4.6 |
|
36 |
ZeroCERT
1648 |
2025-03-21 09:11
|
oybestgirlformybestkisseseverm... 3c78915b2301c96a7384d3d03c00da3b MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://69.48.201.40/255/hemybestgirlformybestkissesever.hta
|
3
paste.ee(23.186.113.60) - 23.186.113.60 - 69.48.201.40 -
|
8
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY Possible HTA Application Download ET INFO Dotted Quad Host HTA Request ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
|
5.0 |
|
38 |
ZeroCERT
1649 |
2025-03-21 09:09
|
cvvs.exe 17ffd8a0d8bf24a59671db67e0910e80 Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows |
|
9.0 |
|
49 |
ZeroCERT
1650 |
2025-03-21 09:09
|
aminthebestdutyservicewithgrea... 52978b3c6c5147d528ad875cb55075ae MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://217.154.16.81/233/iaminthebestdutyservicewithgreatnessgiven.hta?&addition=slimy&caravan
|
3
paste.ee(23.186.113.60) - 23.186.113.60 - 217.154.16.81 -
|
6
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) ET INFO TLS Handshake Failure ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
|
5.0 |
|
37 |
ZeroCERT