| 46111 |
2024-07-19 12:53
|
Archive.vbs 0579ce308b6dff7c66f18127103f1fd9
Generic Malware Antivirus PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
1
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
4
pastecode.dev(172.66.43.27) - mailcious
ia803405.us.archive.org(207.241.232.195) - mailcious
172.66.43.27 - mailcious
207.241.232.195 - mailcious
|
3
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
|
1
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46112 |
2024-07-19 12:55
|
Qwredfrf.vbs ee74f2659329f51927d8aa7462d6a334
Generic Malware Antivirus PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
1
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
4
pastecode.dev(172.66.43.27) - mailcious
ia803405.us.archive.org(207.241.232.195) - mailcious
172.66.43.27 - mailcious
207.241.232.195 - mailcious
|
3
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
|
1
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46113 |
2024-07-19 12:58
|
cno.cno.cno.cnocnocno.doc e5102c5df398cf5130a0367e6b2a37c3
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://103.161.133.121/80180/clearpicneedflowersnadimagesforhairwork.gIF
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
4
pastecode.dev(172.66.40.229) - mailcious
103.161.133.121 - malware
172.66.43.27 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Base64 Encoded MZ In Image
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
4.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46114 |
2024-07-19 12:59
|
clearpicneedflowersnadimagesfo... 0aa47a7b9d50ddc9c80c5ecbbc2f0f7b
Generic Malware Antivirus PowerShell Malware download VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
3
pastecode.dev(172.66.43.27) - mailcious
172.66.43.27 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Base64 Encoded MZ In Image
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46115 |
2024-07-19 12:59
|
crosscheckworldwideharitreatme... 44d287360e5facd26cb038c5ce2f2eb7
Generic Malware Antivirus PowerShell Malware download VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
3
pastecode.dev(172.66.40.229) - mailcious
172.66.40.229 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Base64 Encoded MZ In Image
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46116 |
2024-07-19 13:00
|
 new_clip.exe 7cfdc2aee2ad1a7ef6f7715178aa8f93
Generic Malware Malicious Packer UPX Antivirus PE File PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46117 |
2024-07-19 13:01
|
welovedatinGloVER.gif.vbs b2450a779394d5883f1259bf7eaab12b
Generic Malware Antivirus PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg
|
4
pastecode.dev(172.66.43.27) - mailcious
ia803405.us.archive.org(207.241.232.195) - mailcious
172.66.40.229 - mailcious
207.241.232.195 - mailcious
|
3
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
|
1
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46118 |
2024-07-19 13:01
|
 ebube.txt.exe 6945b84b9f31a66790fe9d25204e67cb
PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName |
1
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=02g1oaMK40Aq
|
2
whatismyipaddressnow.co(104.21.71.78)
172.67.143.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46119 |
2024-07-19 13:02
|
 warsong.exe 2b40a46d4856cb9f79ecdd2d19ad74e7
Malicious Library .NET framework(MSIL) UPX ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
8.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46120 |
2024-07-19 13:04
|
 dew.txt.exe fa105fc59f412384d0209ea62e257305
Browser Login Data Stealer Generic Malware Downloader Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Remcos VirusTotal Malware Malicious Traffic Check memory Windows keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
swre.remwavesw.com(141.98.10.11)
141.98.10.11 - malware
178.237.33.50
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
|
|
3.4 |
|
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46121 |
2024-07-19 13:04
|
 djsoftware.exe 7f81200d5a684a89dda672e85490ea30
Vidar Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199743486170 - rule_id: 41270
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(96.7.99.225) - mailcious
149.154.167.99 - mailcious
96.7.99.225
78.46.255.249 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199743486170
|
17.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46122 |
2024-07-19 13:04
|
safe_shell.shc.exe 0b6072d47b53fa8d3f9b28b449192dcc
Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware Malicious Traffic unpack itself suspicious process DNS crashed |
1
http://47.128.226.30/code.bin
|
1
|
2
ET HUNTING Generic .bin download from Dotted Quad
ET HUNTING curl User-Agent to Dotted Quad
|
|
5.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46123 |
2024-07-19 13:06
|
 do0ntworryx1.exe 177dba5455e57afe9da6cfa0dda3d61d
Anti_VM PE File PE64 VirusTotal Malware Checks debugger sandbox evasion Browser crashed |
|
|
|
|
2.2 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46124 |
2024-07-19 13:06
|
 1.exe 4b0e023d1ddfc2a8166c652300375b1a
Malicious Library PE File PE32 VirusTotal Malware Remote Code Execution |
|
|
|
|
2.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46125 |
2024-07-19 13:09
|
 6698c0ab59e68_aerosoft.exe#men... 0891d36dd26059e8a74ada84fd9885e5
Vidar Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199743486170 - rule_id: 41270
https://t.me/s41l0
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
78.46.255.249 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199743486170
|
15.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|