44356 | 2024-05-17 09:16
Sample: sharzx.scr
MD5: 4eabadc99a3505b71e02e73c43bcddab
Tags: LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://193.238.153.15/evie1/five/fre.php
Hosts (1): (none listed)
15.8 | M | 29 | ZeroCERT
44357 | 2024-05-17 09:17
Sample: loudd.scr
MD5: aab1d3c0633ee5a766395a51c4b4cf66
Tags: LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (1):
  http://rocheholding.top/evie3/five/fre.php
Hosts (2):
  rocheholding.top(104.21.65.180) - malware
  104.21.65.180
Signatures (8):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP Request to a *.top domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
15.8 | M | 26 | ZeroCERT
44358 | 2024-05-17 09:17
Sample: beautifulthingshappeningonbeau...
MD5: a75f66170a17551071949b1188489af1
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  https://paste.ee/d/Rpug4
  http://107.173.4.20/todaywegobeautifulgirl.vbs
Hosts (4):
  paste.ee(104.21.84.67) - mailcious
  104.21.84.67 - malware
  107.173.4.20 - malware
  45.33.6.223
Signatures (3):
  ET INFO Dotted Quad Host VBS Request
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 35 | ZeroCERT
44359 | 2024-05-17 09:17
Sample: 815abba63691f5311f254f757bad8b...
MD5: e83ada5bc4a70e0802b8f35186758c81
Tags: Malicious Library Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself ComputerName
URLs: (none listed)
Hosts: (none listed)
Signatures: (none listed)
2.6 | | 33 | ZeroCERT
44360 | 2024-05-17 09:18
Sample: becauseofflowerwecantgivesucha...
MD5: e050b72bd8f7f3c5a79af85cb1a1bd73
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed
URLs (2):
  https://api.ipify.org/
  http://107.172.130.130/grace.exe
Hosts (3):
  api.ipify.org(104.26.13.205)
  104.26.13.205
  107.172.130.130 - malware
Signatures (8):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 38 | ZeroCERT
44361 | 2024-05-17 09:19
Sample: todaywegobeautifulgirl.vbs
MD5: 8ebbcf9f93c0c88b68945c48415f6d98
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1): (none listed)
Hosts (2):
  paste.ee(172.67.187.200) - mailcious
  172.67.187.200 - mailcious
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 13 | ZeroCERT
44362 | 2024-05-17 09:20
Sample: evengwalkreallynicetodoforheal...
MD5: 8c2e6ab3fa1fe129f426869952a3a1d8
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted ICMP traffic RWX flags setting exploit crash Tofsee Exploit DNS DDNS crashed
URLs (2):
  http://equalizerrr.duckdns.org/eveningdatingforeveryone.js
  https://paste.ee/d/6gQs6
Hosts (4):
  equalizerrr.duckdns.org(107.173.4.20) - malware
  paste.ee(172.67.187.200) - mailcious
  104.21.84.67 - malware
  107.173.4.20 - malware
Signatures (5):
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | M | 38 | ZeroCERT
44363 | 2024-05-17 09:22
Sample: pappayaicecreamisreallysweeett...
MD5: 82a5c6f30b627b675e1443db29fc4401
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (2):
  https://paste.ee/d/9Z62y
  http://45.33.50.155/70001/creamicecreamHDpicture.bmp
Hosts (3):
  paste.ee(104.21.84.67) - mailcious
  172.67.187.200 - mailcious
  45.33.50.155 - malware
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 32 | ZeroCERT
44364 | 2024-05-17 09:23
Sample: droidbase64controlfire.txt.exe
MD5: 62407e6f5de13fbf40c50cfb124be93d
Tags: AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Browser Email ComputerName crashed
URLs (1):
  http://ip-api.com/line/?fields=hosting
Hosts (2):
  ip-api.com(208.95.112.1)
  208.95.112.1
Signatures (1):
  ET POLICY External IP Lookup ip-api.com
6.0 | | 54 | ZeroCERT
44365 | 2024-05-17 09:26
Sample: build.exe
MD5: c616f203d102449f4f786727edd6db3f
Tags: Gen1 Generic Malware Malicious Library UPX Antivirus Malicious Packer Anti_VM PE64 PE File DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself DNS
URLs: (none listed)
Hosts (1): (none listed)
Signatures: (none listed)
3.6 | M | 31 | ZeroCERT
44366 | 2024-05-17 09:27
Sample: adminstor.exe
MD5: 7578696faca7162febce592ab3c4c67b
Tags: Generic Malware Malicious Library Malicious Packer UPX Anti_VM PE File PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS crashed
URLs: (none listed)
Hosts (1): (none listed)
Signatures: (none listed)
4.8 | M | 56 | ZeroCERT
44367 | 2024-05-17 09:30
Sample: vpn-1002.exe
MD5: 7282845f442c81d8f609bcc1a2853308
Tags: NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 PowerS VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (7):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
  https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1002
  https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1002
  https://cdn-edge-node.com/online_security_mkl.exe
  https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=458&c=1002
  https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1002
Hosts (12):
  cdn-edge-node.com(172.67.165.254)
  240429000936002.mjt.kqri92.top(94.156.35.76)
  d2iv78ooxaijb6.cloudfront.net(54.192.60.53)
  adblock2024.shop(172.67.176.247)
  d295fdouc92v9n.cloudfront.net(13.225.129.184)
  172.67.165.254
  54.192.60.39
  104.21.43.83
  13.225.129.128
  101.42.35.39 - mailcious
  179.43.158.2
  121.254.136.9
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
12.4 | M | 43 | ZeroCERT
44368 | 2024-05-17 09:31
Sample: sheismybeautifulwifewholovedal...
MD5: 9f23ffeb82b74830c9c26f7dd0a4f231
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed
URLs (1):
  http://5.206.227.248/23009/smss.exe
Hosts (1):
  5.206.227.248 - mailcious
Signatures (2):
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING Suspicious smss.exe in URI
4.2 | M | 36 | ZeroCERT
44369 | 2024-05-17 09:33
Sample: morning_wednesdaydatingmango.v...
MD5: 67173407dd0195a835a2e0b7f76df411
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1):
  https://paste.ee/d/ougGo - rule_id: 39671
Hosts (2):
  paste.ee(104.21.84.67) - mailcious
  104.21.84.67 - malware
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1 | 10.0 | M | 7 | ZeroCERT
44370 | 2024-05-17 09:38
Sample: ms.exe
MD5: da982330a3e82337e9a2aacae9b285ba
Tags: PE64 PE File VirusTotal Malware unpack itself DNS crashed
URLs: (none listed)
Hosts (1): (none listed)
Signatures: (none listed)
4.0 | | 46 | ZeroCERT