46261 | 2024-07-24 09:14
simpleweightcreatednicething.g... bc2278089ce81da106bd59335fa9e998 | Generic Malware Antivirus PowerShell Malware download VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper
2 | http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176; https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
3 | pastecode.dev(172.66.40.229) - mailcious; 172.66.40.229 - mailcious; 198.46.176.133 - mailcious
5 | ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev); ET MALWARE Base64 Encoded MZ In Image; ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Malicious Base64 Encoded Payload In Image
2 | http://198.46.176.133/Upload/vbs.jpeg; https://pastecode.dev/raw/6l7qjjrz/paste1.txt
10.0 | M | 7 | ZeroCERT

46262 | 2024-07-24 09:14
pw.ps1 2ffeb8859aa9c7142ed094588a5442b8 | Lnk Format GIF Format VirusTotal Malware powershell AutoRuns Malicious Traffic Check memory WMI Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
1 | http://94.131.117.72/ldht/index.php
3 | fsnat.shop(93.127.200.211); 94.131.117.72 - mailcious; 93.127.200.211
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 19 | ZeroCERT

46263 | 2024-07-24 09:15
wegivemebackwithentiresituatio... 45b6040d50bff71bd32e8d7a0bc56bd4 | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Telegram Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS DDNS crashed keylogger
3 | http://checkip.dyndns.org/; https://reallyfreegeoip.org/xml/175.208.134.152; http://198.46.178.229/42/winiti.exe
7 | api.telegram.org(149.154.167.220) - mailcious; reallyfreegeoip.org(104.21.67.152); checkip.dyndns.org(193.122.6.168); 198.46.178.229 - malware; 158.101.44.242; 104.21.67.152; 149.154.167.220 - mailcious
14 | ET HUNTING Telegram API Domain in DNS Lookup; ET INFO TLS Handshake Failure; ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); ET INFO Executable Download from dotted-quad Host; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
5.4 | M | 36 | ZeroCERT

46264 | 2024-07-24 09:17
thissystemchangingentireproces... 485c8b0bbaec4e72949307d766a4bfba | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
2 | https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177; http://107.175.229.144/mydatinglifeissoggod.vbs
6 | pastecode.dev(172.66.40.229) - mailcious; ia803405.us.archive.org(207.241.232.195) - mailcious; 172.66.43.27 - mailcious; 107.175.229.144 - mailcious; 158.101.44.242; 207.241.232.195 - mailcious
4 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI; ET INFO Dotted Quad Host VBS Request; ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
1 | https://pastecode.dev/raw/6l7qjjrz/paste1.txt
4.6 | M | 37 | ZeroCERT

46265 | 2024-07-24 09:20
Wasabi.msi 1cd72a4f59963a1fee86e0d98f47e17d | Generic Malware Malicious Library Antivirus UPX Malicious Packer MSOffice File OS Processor Check PE File DLL PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName
1 | http://downloadwasabi.is/Wasabi.msi
2 | downloadwasabi.is(179.43.170.230); 179.43.170.230 - malware
3.0 | M | 9 | ZeroCERT

46266 | 2024-07-24 09:24
DRWG-347RB1.pd.xls c433eae598bb293ae5c2f28ad9a61c3b | MSOffice File VirusTotal Malware unpack itself Tofsee DNS
3 | http://jx.ax/Ld3; https://jx.ax/Ld3; http://54.38.139.98/55255/hbv/wewillgetitbackwithnewthingstounderstandwhatkindofthingsyoupeoplesaredoingwtihmeiamgetinbacktowithme________sheisverybeautifulgirlalwaysiknowwelll.doc
3 | jx.ax(172.67.200.114); 54.38.139.98; 172.67.200.114
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 |  | 15 | ZeroCERT

46267 | 2024-07-24 15:30
scan0001.doc e96e2ed88e2f2fb80d02e7cd99a1420d | Doc XML Downloader Generic Malware Malicious Library UPX Word 2007 file format(docx) ZIP Format PE File DLL PE32 .NET DLL OS Processor Check RTF File doc VirusTotal Malware Microsoft buffers extracted Creates executable files unpack itself AppData folder Tofsee DNS
9 | http://office-updatecentral.com/armorer/opposing/stratifies/; http://office-updatecentral.com/armorer/opposing; http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/canto; http://office-updatecentral.com/armorer/opposing/; http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/; http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/exacerbating; http://office-updatecentral.com/armorer/opposing/stratifies/beachheads; http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls; http://office-updatecentral.com/armorer/opposing/stratifies
2 | office-updatecentral.com(94.141.120.137); 94.141.120.137
5 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET DROP Spamhaus DROP Listed Traffic Inbound group 15; ET INFO TLS Handshake Failure; ET USER_AGENTS Microsoft Office Existence Discovery User-Agent; ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
3.8 |  | 7 | ZeroCERT

46268 | 2024-07-24 15:38
Purchase _Order_0000089.exe 9ce741958a80db120217ebad36bd9652 | Malicious Library PE File PE64 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key crashed
2.8 |  | 38 | ZeroCERT

46269 | 2024-07-24 15:39
hersomethingnewhaveforwintoget... a819430cdd5da2c289f594ceac0f0035 | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed
1 | http://46.183.222.11/935/crosscheckupdationsonhere.gIF
1 | 46.183.222.11 - mailcious
4.6 | M | 36 | ZeroCERT

46270 | 2024-07-24 15:41
wethkingwearereallyamazingtoge... 54092cf8f48bd4f9f31bdb16b2f6ee65 | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
1 | http://198.46.174.139/66077/winiti.exe
1 |
5 | ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | M | 40 | ZeroCERT

46271 | 2024-07-24 15:43
megreatwithyourlovertothinkabo... 29b3fc11ab9d647ec19d3e02364355b2 | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed
1 | http://198.46.178.229/55433/winiti.exe
1 |
1 | ET INFO Executable Download from dotted-quad Host
4.8 | M | 40 | ZeroCERT

46272 | 2024-07-24 21:45
test.exe 0784da3d1a6ab997b2842fbf73b29688 | Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware Check memory
1.2 |  | 2 | guest

46273 | 2024-07-25 08:51
winiti.exe a7d6f198863dada7ed361290544efc77 | Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware Checks debugger unpack itself Tofsee Interception crashed
2 | onedrive.live.com(13.107.139.11) - mailcious; 13.107.139.11 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 |  | 45 | ZeroCERT

46274 | 2024-07-25 08:51
csrss.exe f6bf8ada032d17192526ffebb48aed79 | Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Google Chrome User Data Downloader Malicious Library Malicious Packer Antivirus UPX Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Internet API KeyLogger AntiDe Remcos VirusTotal Malware Code Injection Check memory buffers extracted Remote Code Execution
3 | bossnacarpet.com(173.255.204.62) - mailcious; vegetachcnc.com(173.255.204.62); 173.255.204.62
1 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7.2 |  | 50 | ZeroCERT

46275 | 2024-07-25 08:54
Authenticator.exe 24c76871e844d80ed4b9622853ba3492 | Malicious Library UPX PE File PE64 MZP Format OS Processor Check VirusTotal Malware unpack itself
1.8 | M | 26 | ZeroCERT