46141 | 2024-07-20 20:06
File: butterburnverysweetgirleated.g...
MD5: 612b79418bc9dee5e9bf503df55a245c
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper
URLs (2):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
  https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg
Hosts (4):
  pastecode.dev(172.66.40.229) - malicious
  ia803405.us.archive.org(207.241.232.195) - malicious
  172.66.40.229 - malicious
  207.241.232.195 - malicious
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
  ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
Other URLs (1):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt
10.0 | M | 5 | ZeroCERT

46142 | 2024-07-20 20:08
File: hc.hc.hc.hc.hchchchch.doc
MD5: e677d8183d89a410a3ce59db5a2722d3
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
  http://103.161.133.121/95095/butterburnverysweetgirleated.gIF
Hosts (5):
  pastecode.dev(172.66.40.229) - malicious
  ia803405.us.archive.org(207.241.232.195) - malicious
  103.161.133.121 - malware
  172.66.40.229 - malicious
  207.241.232.195 - malicious
Alerts (3):
  ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
Other URLs (1):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt
4.8 | M | 41 | ZeroCERT

46143 | 2024-07-20 20:08
File: winiti.exe
MD5: 9a5faf2d13c1fb4ac9aa52154c3a6dc5
Tags: AgentTesla Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
URLs (2):
  http://ip-api.com/line/?fields=hosting
  https://api.ipify.org/
Hosts (4):
  api.ipify.org(172.67.74.152)
  ip-api.com(208.95.112.1)
  104.26.13.205
  208.95.112.1
Alerts (5):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
14.4 | M | 55 | ZeroCERT

46144 | 2024-07-20 20:08
File: ZHHR.txt.exe
MD5: fa702e456caa471e2b07df76d37de539
Tags: Browser Login Data Stealer Generic Malware Downloader Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Malware download Remcos VirusTotal Malware Malicious Traffic Check memory Windows keylogger
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  www.vandashproject.site(103.161.133.243)
  178.237.33.50
  103.161.133.243
Alerts (2):
  ET MALWARE Remcos 3.x Unencrypted Checkin
  ET MALWARE Remcos 3.x Unencrypted Server Response
3.4 |  | 58 | ZeroCERT

46145 | 2024-07-20 20:10
File: g245x.exe
MD5: 72cd0c2edee91a3d8e2b8a0b149ded12
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself WriteConsoleW crashed
2.4 | M | 49 | ZeroCERT

46146 | 2024-07-20 20:11
File: 34v3vz.exe
MD5: 61547b701d759958b78b75aeca77279c
Tags: Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE32 OS Processor Check PE64 Malware download VirusTotal Email Client Info Stealer Malware AutoRuns Malicious Traffic WMI Creates executable files Windows utilities Checks Bios suspicious process WriteConsoleW anti-virtualization Windows Email ComputerName DNS
URLs (3):
  http://185.196.10.57/ev643v4/api.php?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1898C939111C
  http://185.196.10.57/ev643v4/api.php?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1898C939111C&tsk=5D9A
  http://185.216.214.218/Population.exe
Hosts (2):
  185.196.10.57 - malware
  185.216.214.218 - malicious
Alerts (4):
  ET MALWARE ZharkBot User-Agent Observed
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
8.6 | M | 61 | ZeroCERT

46147 | 2024-07-20 20:11
File: uzopuzbkrpcziwca.txt.vbs
MD5: 8850ab6fc8518f854ee3d29da8640d0f
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
Hosts (1)
6.0 | M | 17 | ZeroCERT

46148 | 2024-07-20 20:12
File: Population.exe
MD5: 18bbc3fb86e902afb59c06811a5b01f4
Tags: Generic Malware Malicious Library Malicious Packer UPX Anti_VM PE File PE64 OS Processor Check VirusTotal Malware PDB DNS
Hosts (1)
2.6 | M | 41 | ZeroCERT

46149 | 2024-07-20 20:12
File: winiti.exe
MD5: deed9f1fa07445c4e7529c820d42800c
Tags: AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
URLs (1)
Hosts (2):
  api.ipify.org(104.26.12.205)
  104.26.12.205
Alerts (3):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.2 | M | 53 | ZeroCERT

46150 | 2024-07-20 20:14
File: mimilove.exe
MD5: c67f3497c310c01018f599b3eebae99e
Tags: Malicious Packer PE File PE32 VirusTotal Malware WriteConsoleW
1.4 | M | 60 | ZeroCERT

46151 | 2024-07-20 20:15
File: 2.exe
MD5: cd385c52e6ad2dd6a304839159534b7e
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
2.0 | M | 31 | ZeroCERT

46152 | 2024-07-20 20:16
File: 3.0.exe
MD5: eabbb27aa0d2776fc832a6cca0cef3e3
Tags: RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1)
Alerts (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
6.2 | M | 61 | ZeroCERT

46153 | 2024-07-20 20:16
File: winiti.exe
MD5: f077adcb2d6ea5208dc2b37f94d21fc8
Tags: AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
URLs (2):
  http://ip-api.com/line/?fields=hosting
  https://api.ipify.org/
Hosts (4):
  api.ipify.org(104.26.13.205)
  ip-api.com(208.95.112.1)
  104.26.13.205
  208.95.112.1
Alerts (5):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
13.6 | M | 54 | ZeroCERT

46154 | 2024-07-20 20:19
File: hn.gn.gn.gngn.gn.gn.gn.doc
MD5: 5dc44b9ca9e7ce8958b2b6f36cc06ebd
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed
URLs (3):
  http://ip-api.com/line/?fields=hosting
  https://api.ipify.org/
  http://107.172.4.179/656/winiti.exe
Hosts (5):
  api.ipify.org(104.26.13.205)
  ip-api.com(208.95.112.1)
  107.172.4.179 - malware
  104.26.12.205
  208.95.112.1
Alerts (10):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET POLICY External IP Lookup ip-api.com
5.0 | M | 33 | ZeroCERT

46155 | 2024-07-20 20:19
File: anony.exe
MD5: 350292ff12ebe29fc711a05b2b38dc4a
Tags: RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1)
Alerts (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
6.2 | M | 60 | ZeroCERT
