| 46261 |
2024-07-24 09:14
|
simpleweightcreatednicething.g... bc2278089ce81da106bd59335fa9e998
Generic Malware Antivirus PowerShell Malware download VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
3
pastecode.dev(172.66.40.229) - mailcious
172.66.40.229 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET MALWARE Base64 Encoded MZ In Image
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46262 |
2024-07-24 09:14
|
 pw.ps1 2ffeb8859aa9c7142ed094588a5442b8
Lnk Format GIF Format VirusTotal Malware powershell AutoRuns Malicious Traffic Check memory WMI Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
http://94.131.117.72/ldht/index.php
|
3
fsnat.shop(93.127.200.211)
94.131.117.72 - mailcious
93.127.200.211
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46263 |
2024-07-24 09:15
|
wegivemebackwithentiresituatio... 45b6040d50bff71bd32e8d7a0bc56bd4
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Telegram Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS DDNS crashed keylogger |
3
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
http://198.46.178.229/42/winiti.exe
|
7
api.telegram.org(149.154.167.220) - mailcious
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(193.122.6.168)
198.46.178.229 - malware
158.101.44.242
104.21.67.152
149.154.167.220 - mailcious
|
14
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET INFO Executable Download from dotted-quad Host
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
|
|
5.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46264 |
2024-07-24 09:17
|
thissystemchangingentireproces... 485c8b0bbaec4e72949307d766a4bfba
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
http://107.175.229.144/mydatinglifeissoggod.vbs
|
6
pastecode.dev(172.66.40.229) - mailcious
ia803405.us.archive.org(207.241.232.195) - mailcious
172.66.43.27 - mailcious
107.175.229.144 - mailcious
158.101.44.242
207.241.232.195 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
ET INFO Dotted Quad Host VBS Request
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
|
1
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
4.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46265 |
2024-07-24 09:20
|
Wasabi.msi 1cd72a4f59963a1fee86e0d98f47e17d
Generic Malware Malicious Library Antivirus UPX Malicious Packer MSOffice File OS Processor Check PE File DLL PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName |
1
http://downloadwasabi.is/Wasabi.msi
|
2
downloadwasabi.is(179.43.170.230)
179.43.170.230 - malware
|
|
|
3.0 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46266 |
2024-07-24 09:24
|
 DRWG-347RB1.pd.xls c433eae598bb293ae5c2f28ad9a61c3b
MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
3
http://jx.ax/Ld3
https://jx.ax/Ld3
http://54.38.139.98/55255/hbv/wewillgetitbackwithnewthingstounderstandwhatkindofthingsyoupeoplesaredoingwtihmeiamgetinbacktowithme________sheisverybeautifulgirlalwaysiknowwelll.doc
|
3
jx.ax(172.67.200.114)
54.38.139.98
172.67.200.114
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46267 |
2024-07-24 15:30
|
 scan0001.doc e96e2ed88e2f2fb80d02e7cd99a1420d
Doc XML Downloader Generic Malware Malicious Library UPX Word 2007 file format(docx) ZIP Format PE File DLL PE32 .NET DLL OS Processor Check RTF File doc VirusTotal Malware Microsoft buffers extracted Creates executable files unpack itself AppData folder Tofsee DNS |
9
http://office-updatecentral.com/armorer/opposing/stratifies/
http://office-updatecentral.com/armorer/opposing
http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/canto
http://office-updatecentral.com/armorer/opposing/
http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/
http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/exacerbating
http://office-updatecentral.com/armorer/opposing/stratifies/beachheads
http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls
http://office-updatecentral.com/armorer/opposing/stratifies
|
2
office-updatecentral.com(94.141.120.137)
94.141.120.137
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 15
ET INFO TLS Handshake Failure
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
|
|
3.8 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46268 |
2024-07-24 15:38
|
 Purchase _Order_0000089.exe 9ce741958a80db120217ebad36bd9652
Malicious Library PE File PE64 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
2.8 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46269 |
2024-07-24 15:39
|
hersomethingnewhaveforwintoget... a819430cdd5da2c289f594ceac0f0035
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed |
1
http://46.183.222.11/935/crosscheckupdationsonhere.gIF
|
1
46.183.222.11 - mailcious
|
|
|
4.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46270 |
2024-07-24 15:41
|
wethkingwearereallyamazingtoge... 54092cf8f48bd4f9f31bdb16b2f6ee65
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
1
http://198.46.174.139/66077/winiti.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46271 |
2024-07-24 15:43
|
megreatwithyourlovertothinkabo... 29b3fc11ab9d647ec19d3e02364355b2
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed |
1
http://198.46.178.229/55433/winiti.exe
|
1
|
1
ET INFO Executable Download from dotted-quad Host
|
|
4.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46272 |
2024-07-24 21:45
|
 test.exe 0784da3d1a6ab997b2842fbf73b29688
Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware Check memory |
|
|
|
|
1.2 |
|
2 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46273 |
2024-07-25 08:51
|
 winiti.exe a7d6f198863dada7ed361290544efc77
Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware Checks debugger unpack itself Tofsee Interception crashed |
|
2
onedrive.live.com(13.107.139.11) - mailcious
13.107.139.11 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46274 |
2024-07-25 08:51
|
 csrss.exe f6bf8ada032d17192526ffebb48aed79
Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Google Chrome User Data Downloader Malicious Library Malicious Packer Antivirus UPX Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Internet API KeyLogger AntiDe Remcos VirusTotal Malware Code Injection Check memory buffers extracted Remote Code Execution |
|
3
bossnacarpet.com(173.255.204.62) - mailcious
vegetachcnc.com(173.255.204.62)
173.255.204.62
|
1
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
|
|
7.2 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46275 |
2024-07-25 08:54
|
 Authenticator.exe 24c76871e844d80ed4b9622853ba3492
Malicious Library UPX PE File PE64 MZP Format OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|