3991 | 2024-05-17 09:20
File: evengwalkreallynicetodoforheal...  Hash: 8c2e6ab3fa1fe129f426869952a3a1d8
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted ICMP traffic RWX flags setting exploit crash Tofsee Exploit DNS DDNS crashed
URLs (2):
  http://equalizerrr.duckdns.org/eveningdatingforeveryone.js
  https://paste.ee/d/6gQs6
Hosts (4):
  equalizerrr.duckdns.org(107.173.4.20) - malware
  paste.ee(172.67.187.200) - malicious
  104.21.84.67 - malware
  107.173.4.20 - malware
Signatures (5):
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | M | 38 | ZeroCERT

3992 | 2024-05-17 09:19
File: todaywegobeautifulgirl.vbs  Hash: 8ebbcf9f93c0c88b68945c48415f6d98
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1):
Hosts (2):
  paste.ee(172.67.187.200) - malicious
  172.67.187.200 - malicious
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 13 | ZeroCERT

3993 | 2024-05-17 09:18
File: becauseofflowerwecantgivesucha...  Hash: e050b72bd8f7f3c5a79af85cb1a1bd73
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed
URLs (2):
  https://api.ipify.org/
  http://107.172.130.130/grace.exe
Hosts (3):
  api.ipify.org(104.26.13.205)
  104.26.13.205
  107.172.130.130 - malware
Signatures (8):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 38 | ZeroCERT

3994 | 2024-05-17 09:17
File: 815abba63691f5311f254f757bad8b...  Hash: e83ada5bc4a70e0802b8f35186758c81
Tags: Malicious Library Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself ComputerName
2.6 |  | 33 | ZeroCERT

3995 | 2024-05-17 09:17
File: beautifulthingshappeningonbeau...  Hash: a75f66170a17551071949b1188489af1
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  https://paste.ee/d/Rpug4
  http://107.173.4.20/todaywegobeautifulgirl.vbs
Hosts (4):
  paste.ee(104.21.84.67) - malicious
  104.21.84.67 - malware
  107.173.4.20 - malware
  45.33.6.223
Signatures (3):
  ET INFO Dotted Quad Host VBS Request
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 35 | ZeroCERT

3996 | 2024-05-17 09:17
File: loudd.scr  Hash: aab1d3c0633ee5a766395a51c4b4cf66
Tags: LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (1):
  http://rocheholding.top/evie3/five/fre.php
Hosts (2):
  rocheholding.top(104.21.65.180) - malware
  104.21.65.180
Signatures (8):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP Request to a *.top domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
15.8 | M | 26 | ZeroCERT

3997 | 2024-05-17 09:16
File: sharzx.scr  Hash: 4eabadc99a3505b71e02e73c43bcddab
Tags: LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://193.238.153.15/evie1/five/fre.php
Hosts (1):
15.8 | M | 29 | ZeroCERT

3998 | 2024-05-17 09:13
File: dl.php  Hash: d20089770bdb6ace5be655ee209e4f24
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
2.4 | M | 31 | ZeroCERT

3999 | 2024-05-17 09:13
File: weneverneedtokissflowersbeause...  Hash: 4f3983c99751f41c7d1639fccbee0491
Tags: Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (13):
  http://www.crimsoncascade.xyz/a42m/
  http://www.gregoriusalvin.com/a42m/ - rule_id: 39605
  http://www.gregoriusalvin.com/a42m/?IWGZfq=6CH/YRMAK7aydmoeIYug/5bPLtmJ66q3593I/qH1Euv5gdtO1aVIO5sIkdD8Uy+PegRauaWIQNwg1s6QWSBfdi8lbfjBcXeXE7/rv5fmweeN04I7MmJWMdAH+Ho2e4yDZBqoJ1k=&6Za=ySE9k110 - rule_id: 39605
  http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
  http://www.xn--bb55rtp-9va2p.store/a42m/?IWGZfq=SpRmwiWWWie0LiCQik30fMumghQ1V43TuTRukl4i+K/mOSJ9++mg5ZeFxUAkG3Pdc43Qwg0V3CKoqh5jVerICFqxOreCo6UFThdoK0ITtUR0x3kt6DvHO7oYbUe5+lYToPjvUAg=&6Za=ySE9k110
  http://www.fidyart.com/a42m/?IWGZfq=TRa47sC0zg9DwlJH2ofZbpLPxb60FAnROaHr8XI2UWJs85O5KJ5v05dP6WLbumUjxgnYSz8VJIiFOj3/jDGGhDjJnNfIP19njrbmy90O84rAfsEKawWCksmZBQaaYfgJFBMVu+Q=&6Za=ySE9k110
  http://www.tintasmaiscor.com/a42m/?IWGZfq=BaBbynwG2FaMiw+hhIbbh28MgtbEHbpnPsDfKOVNrs70A5vduIAGjxN5gftBLQVIAtEactO1mhmKtuNjdeyvWaHsEukAqVbBiuakY2ayn/21WOCwyWJ4ZPsM5Fw7u2uLCIVlGog=&6Za=ySE9k110 - rule_id: 39606
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
  http://www.fidyart.com/a42m/
  http://www.crimsoncascade.xyz/a42m/?IWGZfq=OaCxij+az8CWZkVV/54ln7Tii7cuYBvJsZdPmSHU0RFVoK/pLfrBdHMvdCD9qCJrgyFEUHy2yFOAdhP54QELuvsZtM/ZdHBp7cl68dN6EF+6a9fy3QPRhNX/VA1OInBnCfWbr6U=&6Za=ySE9k110
  http://www.xn--bb55rtp-9va2p.store/a42m/
  http://www.tintasmaiscor.com/a42m/ - rule_id: 39606
  http://192.3.216.156/71120/smss.exe
Hosts (17):
  www.crimsoncascade.xyz(162.0.237.22)
  www.fidyart.com(63.250.43.146)
  www.italiangreyhounds.online() - malicious
  www.xn--bb55rtp-9va2p.store(84.32.84.32)
  www.gregoriusalvin.com(103.247.10.164) - malicious
  www.tintasmaiscor.com(162.240.81.18) - malicious
  www.designsbysruly.com() - malicious
  www.gcashservice247.com() - malicious
  www.weeveno.com() - malicious
  www.infomail.website() - malicious
  162.0.237.22
  84.32.84.32 - malicious
  45.33.6.223
  63.250.43.147
  162.240.81.18 - malicious
  103.247.10.164 - malicious
  192.3.216.156 - malware
Signatures (7):
  ET MALWARE FormBook CnC Checkin (GET) M5
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING Suspicious smss.exe in URI
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (4):
  http://www.gregoriusalvin.com/a42m/
  http://www.gregoriusalvin.com/a42m/
  http://www.tintasmaiscor.com/a42m/
  http://www.tintasmaiscor.com/a42m/
4.6 | M | 35 | ZeroCERT

4000 | 2024-05-17 09:11
File: dl.php  Hash: 9b811321fcab794c77c3f9a6b6622c37
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
2.4 | M | 32 | ZeroCERT

4001 | 2024-05-17 09:10
File: createdbeautifulimagesentirepl...  Hash: 118a6298bf966ad5979e15faca957cbd
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  http://172.245.123.8/80090/createdveryhdimagestoview.png
  https://paste.ee/d/OJmBL
Hosts (3):
  paste.ee(172.67.187.200) - malicious
  104.21.84.67 - malware
  172.245.123.8 - malicious
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 35 | ZeroCERT

4002 | 2024-05-17 09:10
File: mrngisagreatdayformebecausewew...  Hash: 8dc3b5e3a2c0fbc303f76905e8247926
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware ICMP traffic RWX flags setting exploit crash Tofsee Exploit DNS DDNS crashed
URLs (2):
  http://wednesdayyyymangeo.duckdns.org/morning_wednesdaydatingmango.vbs
  https://paste.ee/d/ougGo
Hosts (4):
  wednesdayyyymangeo.duckdns.org(107.173.4.20)
  paste.ee(172.67.187.200) - malicious
  107.173.4.20 - malware
  172.67.187.200 - malicious
Signatures (5):
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
4.4 |  | 33 | ZeroCERT

4003 | 2024-05-17 07:43
File: shell.exe  Hash: 346dae7e729ed4f192d213fcd2292d58
Tags: UPX MPRESS PE File PE32 DLL VirusTotal Malware AutoRuns Check memory Creates executable files AppData folder sandbox evasion Windows
4.6 |  | 54 | ZeroCERT

4004 | 2024-05-17 07:41
File: grace.exe  Hash: 6cb57b7bbac238426bb2f888fbfc3ed7
Tags: Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 52 | ZeroCERT

4005 | 2024-05-17 07:39
File: sb.exe  Hash: 04bcca3d8db9f3034c8814acd8735073
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Check memory Windows
2.2 |  | 55 | ZeroCERT
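The rows above repeat a small set of network-level tells that the listed Emerging Threats signatures fire on: dynamic-DNS staging hosts (*.duckdns.org), a paste service as second stage (paste.ee), external IP lookup (api.ipify.org), EXE or VBS fetched from a bare IP address, a *.top domain, the fre.php path both LokiBot rows beacon to, and the FormBook check-in shape in row 3999 (a short path like /a42m/ with one long encoded parameter and one short one). The script below is an added example, not the sandbox's or ZeroCERT's code: it parses the listing's URL and host columns and re-derives those tells as heuristic tags. The sample rows are copied from rows 3993, 3996 and 3999; the tag names, thresholds and regexes are my own approximations of the signature families, not the ET rule bodies.

```python
"""IOC triage over rows of the sandbox listing (added example, not ZeroCERT code)."""
import re
from urllib.parse import parse_qsl, urlparse

DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)      # ET INFO DYNAMIC_DNS *.duckdns.org
PASTE_SERVICES = {"paste.ee"}                 # ET POLICY Pastebin-style Service
IP_LOOKUP_DOMAINS = {"api.ipify.org"}         # ET INFO External IP Lookup Domain
HOSTILE_TLDS = (".top",)                      # ET DNS Query to a *.top domain
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Host column entries look like "name(ip) - label", "name()", "ip - label" or "ip".
HOST_ENTRY = re.compile(r"^([^\s(]+)(?:\(([^)]*)\))?(?:\s*-\s*(\w+))?$")

# Constructed sample rows: URL and host columns copied from the listing above.
ROW_3993_URLS = ["https://api.ipify.org/", "http://107.172.130.130/grace.exe"]
ROW_3993_HOSTS = ["api.ipify.org(104.26.13.205)", "104.26.13.205", "107.172.130.130 - malware"]
ROW_3996_URLS = ["http://rocheholding.top/evie3/five/fre.php"]
ROW_3996_HOSTS = ["rocheholding.top(104.21.65.180) - malware", "104.21.65.180"]
ROW_3999_URLS = [
    "http://www.gregoriusalvin.com/a42m/",
    "http://www.gregoriusalvin.com/a42m/?IWGZfq=6CH/YRMAK7aydmoeIYug/5bPLtmJ66q3593I/qH1Euv5gdtO1aVIO5sIkdD8Uy+PegRauaWIQNwg1s6QWSBfdi8lbfjBcXeXE7/rv5fmweeN04I7MmJWMdAH+Ho2e4yDZBqoJ1k=&6Za=ySE9k110",
    "http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip",
    "http://192.3.216.156/71120/smss.exe",
]
ROW_3999_HOSTS = [
    "www.gregoriusalvin.com(103.247.10.164) - malicious",
    "www.italiangreyhounds.online() - malicious",
    "45.33.6.223",
    "192.3.216.156 - malware",
]


def triage_url(url: str) -> set[str]:
    """Return the heuristic tags one URL trips (empty set = nothing suspicious by shape)."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    tags: set[str] = set()
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        tags.add("dynamic_dns")
    if host in PASTE_SERVICES:
        tags.add("paste_service")
    if host in IP_LOOKUP_DOMAINS:
        tags.add("external_ip_lookup")
    if host.endswith(HOSTILE_TLDS):
        tags.add("hostile_tld")
    if DOTTED_QUAD.match(host):               # download straight from a bare IP
        if path.endswith(".exe"):
            tags.add("dotted_quad_exe_download")
        if path.endswith(".vbs"):
            tags.add("dotted_quad_vbs_request")
        if path.endswith("/smss.exe"):        # system binary name in a URI
            tags.add("smss_exe_in_uri")
    if path.endswith("/fre.php"):             # panel path shared by rows 3996 and 3997
        tags.add("lokibot_panel_path")
    # FormBook check-in shape from row 3999: /<4 chars>/ plus exactly two query
    # parameters, the first carrying a long encoded blob (threshold is my choice).
    params = parse_qsl(u.query, keep_blank_values=True)
    if re.fullmatch(r"/[a-z0-9]{4}/", path) and len(params) == 2 and len(params[0][1]) >= 64:
        tags.add("formbook_checkin_pattern")
    return tags


def parse_host_entry(entry: str) -> dict:
    """Split a host column entry into name, resolved IP and the sandbox's label."""
    m = HOST_ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised host entry: {entry!r}")
    name, ip, label = m.groups()
    if ip is None and DOTTED_QUAD.match(name):  # bare IP entry, no hostname
        name, ip = None, name
    return {"name": name, "ip": ip or None, "label": label}


def triage_record(urls: list[str], hosts: list[str]) -> dict:
    """Tag every URL of one row and collect the IPs the sandbox already labelled."""
    url_tags = {url: triage_url(url) for url in urls}
    parsed = [parse_host_entry(h) for h in hosts]
    flagged_ips = {p["ip"] for p in parsed if p["label"] and p["ip"]}
    all_tags = set().union(*url_tags.values()) if url_tags else set()
    return {"url_tags": url_tags, "hosts": parsed, "flagged_ips": flagged_ips, "all_tags": all_tags}


if __name__ == "__main__":
    for row, urls, hosts in [("3993", ROW_3993_URLS, ROW_3993_HOSTS),
                             ("3996", ROW_3996_URLS, ROW_3996_HOSTS),
                             ("3999", ROW_3999_URLS, ROW_3999_HOSTS)]:
        result = triage_record(urls, hosts)
        print(row, sorted(result["all_tags"]), sorted(result["flagged_ips"]))
```

Note what the sqlite.org URLs in row 3999 do: they trip nothing, and that is correct. The document fetches a legitimate SQLite DLL from a legitimate site; the only thing wrong with it is the context (an RTF document downloading a database library), which URL-shape rules cannot see. Rows like that are why the host labels and the other tags in the same row have to be read together rather than scored one URL at a time.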