| 44866 |
2024-06-05 09:14
|
lionandtigerbothareequalinthej... 652858a50ce6a2279d414b2d7ae4d0fe
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://172.234.221.211/909090/lionskingrestentirejungleimages.bmp
https://paste.ee/d/Joh1S
|
3
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
172.234.221.211 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44867 |
2024-06-05 09:17
|
lionsarecomparingtigerwiththey... 5e41130a09c6215e9e22e89afe0f3168
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://172.234.221.211/200901/Lionsarekingofjungletigerlandimages.bmp
https://paste.ee/d/Chu9y
|
3
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
172.234.221.211 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44868 |
2024-06-05 09:18
|
 Archvisitor.cur e55f25384365d8cb1cc6ffb71600ff50
Suspicious_Script_Bin VirusTotal Malware |
|
|
|
|
0.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44869 |
2024-06-05 09:18
|
 Quote.hta cd5915bac2ea167ddb7bcc2ae9ceab78
Formbook Generic Malware Antivirus Malicious Library PowerShell PE File DLL PE32 FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
16
http://198.23.201.89/warm/quote.exe
http://www.goldenjade-travel.com/fo8o/?oRtj25=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&lR=TJtS0SjWYL-G11_ - rule_id: 39854
http://www.antonio-vivaldi.mobi/fo8o/?oRtj25=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&lR=TJtS0SjWYL-G11_ - rule_id: 39855
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://www.rssnewscast.com/fo8o/ - rule_id: 39857
http://www.techchains.info/fo8o/ - rule_id: 39858
http://www.magmadokum.com/fo8o/?oRtj25=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&lR=TJtS0SjWYL-G11_ - rule_id: 39856
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.kasegitai.tokyo/fo8o/ - rule_id: 39853
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.rssnewscast.com/fo8o/?oRtj25=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&lR=TJtS0SjWYL-G11_ - rule_id: 39857
http://www.antonio-vivaldi.mobi/fo8o/ - rule_id: 39855
http://www.techchains.info/fo8o/?oRtj25=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&lR=TJtS0SjWYL-G11_ - rule_id: 39858
http://www.3xfootball.com/fo8o/?oRtj25=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&lR=TJtS0SjWYL-G11_ - rule_id: 39852
http://www.kasegitai.tokyo/fo8o/?oRtj25=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&lR=TJtS0SjWYL-G11_ - rule_id: 39853
|
17
www.liangyuen528.com() - mailcious
www.magmadokum.com(85.159.66.93) - mailcious
www.techchains.info(66.29.149.46) - mailcious
www.kasegitai.tokyo(202.172.28.202) - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi(46.30.213.191) - mailcious
www.rssnewscast.com(91.195.240.94) - mailcious
202.172.28.202 - mailcious
85.159.66.93 - mailcious
116.50.37.244 - mailcious
46.30.213.191 - mailcious
66.29.149.46 - mailcious
198.23.201.89 - malware
45.33.6.223
91.195.240.94 - phishing
154.215.72.110 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET) M5
|
14
http://www.goldenjade-travel.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.techchains.info/fo8o/
http://www.magmadokum.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.techchains.info/fo8o/
http://www.3xfootball.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
|
13.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44870 |
2024-06-05 09:19
|
 obiz.scr 3a050f5830ff95d1858e94f231f7ea4b
AgentTesla Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
|
2
api.ipify.org(104.26.13.205)
104.26.13.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44871 |
2024-06-05 09:20
|
lionsarekingofthejunglewhorule... c5858e4c690557b5240597db6e4d88c9
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://198.23.227.213/20040/igcc.exe
|
2
45.33.6.223
198.23.227.213 - malware
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44872 |
2024-06-05 09:23
|
lionsarekingofthejunglewhichcr... 96094535fe4ae7ea46eb3df5e0b45231
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://185.222.58.78/300333/lionsgetgorestkingenitreworldimage.bmp
https://paste.ee/d/uRpyT - rule_id: 40036
|
3
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
185.222.58.78 - mailcious
|
3
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
1
|
4.2 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44873 |
2024-06-05 09:26
|
 dion.hta 24be5183dd56c3d08bae8625fba83aaa
Formbook Gen1 Generic Malware Suspicious_Script_Bin Process Kill Antivirus Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PowerShell PE File DLL PE32 Device_File_Check OS Processor Check FormBook Browser Info Stealer Malware download Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key crashed |
4
http://198.23.201.89/warm/Auto%20R.exe
http://www.3xfootball.com/fo8o/?9LnGaVx=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&9KJ=FLmtL7Haabh3IASW - rule_id: 39852
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
http://www.3xfootball.com/fo8o/ - rule_id: 39852
|
4
www.3xfootball.com(154.215.72.110) - mailcious
45.33.6.223
198.23.201.89 - malware
154.215.72.110 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET) M5
|
2
http://www.3xfootball.com/fo8o/
http://www.3xfootball.com/fo8o/
|
13.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44874 |
2024-06-05 09:27
|
 Auto%20R.exe 351650a422e427140d74d8c68185fa24
Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume Cry FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS |
19
http://www.techchains.info/fo8o/?Kp=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&VOyp=e8WDb - rule_id: 39858
http://www.magmadokum.com/fo8o/?Kp=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&VOyp=e8WDb - rule_id: 39856
http://www.elettrosistemista.zip/fo8o/?Kp=bO1UBvtoHFNUmlWB73HniX/lRhcpQxU1qF418M7UHpKKa2cgLZsmK6mwaSCrivds7LXL3uoK+MTOMGhYNdwtdjBMQu6yx1bfgOYvdpbzJPd/eSD2kHjCkD+QxgbYBRdZBXmxn1k=&VOyp=e8WDb - rule_id: 39860
http://www.rssnewscast.com/fo8o/?Kp=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&VOyp=e8WDb - rule_id: 39857
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://www.donnavariedades.com/fo8o/ - rule_id: 39861
http://www.kasegitai.tokyo/fo8o/ - rule_id: 39853
http://www.3xfootball.com/fo8o/?Kp=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&VOyp=e8WDb - rule_id: 39852
http://www.rssnewscast.com/fo8o/ - rule_id: 39857
http://www.techchains.info/fo8o/ - rule_id: 39858
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://www.donnavariedades.com/fo8o/?Kp=l+301ZvITCxaX9AA7VU8BaNl0giE4t3JgzctOQx29qSsrxX8kw490hU6vymbZWA2w8GmYCogcgx/MI4pNd8ITQiOXzox9fl9oCNBaJd4bIe7oyUKC5LhLVNYvjLZULJxgsfERiI=&VOyp=e8WDb - rule_id: 39861
http://www.elettrosistemista.zip/fo8o/ - rule_id: 39860
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.antonio-vivaldi.mobi/fo8o/?Kp=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&VOyp=e8WDb - rule_id: 39855
http://www.goldenjade-travel.com/fo8o/?Kp=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&VOyp=e8WDb - rule_id: 39854
http://www.antonio-vivaldi.mobi/fo8o/ - rule_id: 39855
http://www.kasegitai.tokyo/fo8o/?Kp=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&VOyp=e8WDb - rule_id: 39853
|
20
www.elettrosistemista.zip(195.110.124.133) - mailcious
www.liangyuen528.com() - mailcious
www.magmadokum.com(85.159.66.93) - mailcious
www.techchains.info(66.29.149.46) - mailcious
www.donnavariedades.com(23.227.38.74) - mailcious
www.kasegitai.tokyo(202.172.28.202) - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi(46.30.213.191) - mailcious
www.rssnewscast.com(91.195.240.94) - mailcious
202.172.28.202 - mailcious
85.159.66.93 - mailcious
116.50.37.244 - mailcious
195.110.124.133 - mailcious
46.30.213.191 - mailcious
66.29.149.46 - mailcious
45.33.6.223
23.227.38.74 - mailcious
91.195.240.94 - phishing
154.215.72.110 - mailcious
|
3
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO Observed DNS Query to .zip TLD
ET INFO HTTP Request to a *.zip Domain
|
18
http://www.techchains.info/fo8o/
http://www.magmadokum.com/fo8o/
http://www.elettrosistemista.zip/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.donnavariedades.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
http://www.3xfootball.com/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.techchains.info/fo8o/
http://www.magmadokum.com/fo8o/
http://www.donnavariedades.com/fo8o/
http://www.elettrosistemista.zip/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.kasegitai.tokyo/fo8o/
|
6.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44875 |
2024-06-05 23:26
|
 ICARUS.Setup.exe 225fcf1e03e30b492bd0aef35969329b
Emotet Gen1 NSIS Generic Malware Malicious Library UPX Malicious Packer Anti_VM Javascript_Blob PE File PE32 DLL PE64 OS Processor Check DllRegisterServer dll BMP Format Lnk Format GIF Format icon VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Auto service Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Tofsee Ransomware GameoverP2P Interception Zeus Windows ComputerName Trojan Banking |
3
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3c775e75-aff8-4af1-aede-7a5c0349aa0b?P1=1718201907&P2=404&P3=2&P4=WiuGZ5IY9kx3eECOliePn%2bZR2Oa2T%2fIA6AoadHbz1e2TomQPzt6zla8iSDn3KibvVKZ7rCsNDdx37Vncvson%2bw%3d%3d
https://msedge.api.cdp.microsoft.com/api/v1.1/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/latest?action=select
https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/125.0.2535.85/files?action=GenerateDownloadInfo&foregroundPriority=true
|
9
msedge.f.tlu.dl.delivery.mp.microsoft.com(199.232.214.172)
msedge.api.cdp.microsoft.com(20.114.58.89)
self.events.data.microsoft.com(20.189.173.3)
config.edge.skype.com(52.123.254.33)
23.56.109.165
13.107.42.16
13.89.179.9
13.95.26.4
51.104.15.252
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
13.0 |
|
1 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44876 |
2024-06-06 14:27
|
 SetupTools.exe 5ec12277c0679d4761d265dd821f674f
Generic Malware Malicious Library UPX Antivirus PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell Telegram AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS Cryptographic key |
|
2
api.telegram.org(149.154.167.220)
149.154.167.220
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
|
56 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44877 |
2024-06-06 14:51
|
 com.wag.walker_2.74.1.apk 54be4e2a316b871562c40088db968778
ZIP Format ftp Word 2007 file format(docx) OS Processor Check |
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44878 |
2024-06-07 09:29
|
 xxun.exe 3311b8c3707f75831aa443db406c71e0
AntiDebug AntiVM PE File PE32 VirusTotal Malware AutoRuns Code Injection Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder Windows DNS |
|
1
|
|
|
6.8 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44879 |
2024-06-07 09:33
|
 lenin.exe fb2f90584265d465b4046c9a4e7c9bfa
UPX PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
104.26.5.15
34.117.186.192
147.45.47.126 - mailcious
|
9
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
|
|
16.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44880 |
2024-06-07 09:33
|
john.doc da2543ed3a6567896c950bfeb597814b
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed |
25
https://universalmovies.top/john.scr
http://www.6666111p.vip/y3do/?Ugn9C=LOchJJI7j7x4RSIZOmRKrvMdEDW/MUxucIo24swAQXAkKIo03dsxd6yGfyoydnm7SmxXMXwHD0q4GFP2LgOY7CsTmAi6O8Bpro54P9T4NSt7/iYty+/boiJQGB1N3z+f5OnconY=&Pk=WONpQ
http://www.6666111p.vip/y3do/
http://www.sjzsls.com/9s2m/?Ugn9C=/AdC9GegXDS/vzNv1Epb/BfZDITsTVSRF0qSIgfFe+x3a1YrqDLlvj5NbVdHoQQDF7Kc5dLcM8fpOgktz/3sEUGAQfvn12WDGpve1l9b9ctB4wuylPXfAChK8iXjKhCfF0ELu94=&Pk=WONpQ
http://www.kvatromusic.online/yjik/
http://www.yetung.com/7ru5/?Ugn9C=ISPW+m88VBQNqH+k3JW84YG5Fk7QLrErwcAnWTSXodWIF9bOo25oIut7GSly+JY6T9/fHFYUtdHtiF5inQf0UQqeKTQ7bI9uaPa6a3iFF9Uz86xGPiVez/GDzFjvFDmTYUOptkY=&Pk=WONpQ
http://www.silverbrit.info/kj8f/?Ugn9C=4t9Vdj82cePVf5tb2btNPfj+cF91LcmybOtR99dnAhd1RJtV43KyF44o/jxPyXILLT2c7dvr4ObZNHuTbQFO2r18ofp9GNB90rnp1Ohw/CJp1ZbSd7nYHKYFKR9pZcLJ+FI+J6g=&Pk=WONpQ
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.beescy.xyz/pdwc/
http://www.stellardaysigning.com/xb5p/
http://www.kvatromusic.online/yjik/?Ugn9C=gdGtnhc9ASA4qX4b34OgRoYxE/bD+nb59vJiz4FtHHCSzpBYLiuXgNVcIgjaJpSMIjXnBANqWDNRr5Ocy1GAv43NZgQpgrLVhi6C63ziyaNAbXqEiKgPKznZLTw5BnTXjQFFRAg=&Pk=WONpQ
http://www.double2nllc.com/lphk/?Ugn9C=QQ9AzHzvXAdOb0MPNLfjUpWPUVpZplRrayXzypMYhteyq/MKivL68z82kZS9u6bhgeBbY+QYkFf+kg9uvjJAnI3fPdAT94WYiFSy6W9ZWxao1mFD7NGeSFfqjgfGWtv75CStAYk=&Pk=WONpQ
http://www.yetung.com/7ru5/
http://www.fullmoonbird.com/c8sr/
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.hsck520.com/0tno/?Ugn9C=0cMGHWchhwDqjfnLTJDBZveg9su8HvUeph8XCipGvt+qmCtRZPbLeKFNzMXXlvLfrfTQKCJHTw1MhSXlslZDoNUiVnTSVKsqzzLfuZrJDhCegOsSgpp1goso0jrOzq9yXpycRq0=&Pk=WONpQ
http://www.jx2493.com/pozw/?Ugn9C=JIthcwf9sV4p+C20h/op7zy5aemm7SHr7Am9g1UXd9f/iLUD4eooIAhG548dbPLUr+vOyGwxDijlULi7DZZIjWvc3k9KEblL0qsgRpAZgA0owE5+Y5cgNDkhDspksm+EjunSeOk=&Pk=WONpQ
http://www.stellardaysigning.com/xb5p/?Ugn9C=j+BD0p8WhtBdy7Wd/KfVtBKjF7uQGjkUu2IQ9c2WN0jGyCZp1k8Rj1+VKsyVC4FAIa7rNa0t7jcnj4LfrYK/jtIwEqPY6NFmTaOReXQoO8B2hiELl0EMSu8ktx1OCucJ4jnvo9M=&Pk=WONpQ
http://www.silverbrit.info/kj8f/
http://www.hsck520.com/0tno/
http://www.fullmoonbird.com/c8sr/?Ugn9C=zxCFcO6tuZe6Dlje2mnTfb6r7hCrJw1WRvLQy3p8EhQbFOxorE0QYFIsUppT5UxA2U7/AhBO7aGzpI5DsnNWO/n9u3OyDwlwLJozLrszN4iVUZEIkN4QT6y8EX8/9tm01YM9dRM=&Pk=WONpQ
http://www.sjzsls.com/9s2m/
http://www.jx2493.com/pozw/
http://www.double2nllc.com/lphk/
http://www.beescy.xyz/pdwc/?Ugn9C=YGoy3hUgePQdZVGVI2JgguyNtFd/fyj/zkAvTLDf/KtKm9LDDFlO5Xfik+cH5iVSfdOqayVG+ARiT1VFNZO4tzOVhNMvL1fpmyaeyhkJTFsxeS49wBXCfHO+yKB+0kMKDU35Y5s=&Pk=WONpQ
|
25
www.sjzsls.com(154.212.44.122)
www.double2nllc.com(84.32.84.32)
www.kvatromusic.online(37.140.192.90)
www.yetung.com(121.37.199.72)
www.jx2493.com(103.195.51.41)
www.6666111p.vip(35.186.221.100)
www.fullmoonbird.com(172.67.176.31)
www.beescy.xyz(162.0.213.72)
universalmovies.top(104.21.74.191) - malware
www.hsck520.com(35.190.52.58)
www.stellardaysigning.com(13.248.213.45)
www.silverbrit.info(217.160.230.215)
121.37.199.72
104.21.48.23
35.190.52.58
13.248.213.45
37.140.192.90
84.32.84.32 - mailcious
35.186.221.100
162.0.213.72
103.195.51.41
154.212.44.122
45.33.6.223
217.160.230.215
104.21.74.191 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
|
|
4.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|