Sandbox submissions, 2024-07-31. Each entry gives: ID and submission time, the sample name with its MD5 and the sandbox's behaviour tags, then the URLs, hosts and Suricata alerts observed (with the count the listing reports for each section), any URLs that matched a sandbox URL rule (with the rule ID), the score, the listing's M flag, the VirusTotal detection count (present only for samples tagged VirusTotal), and the submitter. Host tags ("malware", "malicious") are the listing's own.

#46471  2024-07-31 10:19  submitter: ZeroCERT
Sample: memissedverynicesweetkissheren...  MD5 cf3ae921fc075c967cac5a5e384849bc
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware, Malicious Traffic, RWX flags setting, exploit crash, Tofsee, Exploit, DNS, crashed
URLs (1):
  http://192.3.176.174/75/wesimplykissyourlipsdeeply.gIF
Hosts (3):
  ia803104.us.archive.org (207.241.232.154) - malware
  192.3.176.174 - malicious
  207.241.232.154 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.6 | Flag: M | VT: -

#46472  2024-07-31 10:22  submitter: ZeroCERT
Sample: wearekingofthejunglewithentier...  MD5 070b1946c9ab7ef8801ece97cc27eb0c
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs (1):
  http://192.227.225.166/101/seemsgoodbutterflyherenow.gIF
Hosts (3):
  ia803104.us.archive.org (207.241.232.154) - malware
  192.227.225.166 - malware
  207.241.232.154 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.6 | Flag: M | VT: 39

#46473  2024-07-31 10:22  submitter: ZeroCERT
Sample: kjposter.exe  MD5 456509bf6306fe9f2f34cc8177cad73d
Tags: Confuser .NET, Malicious Library, Malicious Packer, .NET framework(MSIL), UPX, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Windows, ComputerName, Cryptographic key, crashed
Network: no URLs, hosts or alerts recorded
Score: 4.4 | Flag: M | VT: 34

#46474  2024-07-31 10:22  submitter: ZeroCERT
Sample: taxpreperationz.exe  MD5 20bbb7f851683930e080e888e1fd7c5f
Tags: Gen1, NSIS, Generic Malware, Malicious Library, UPX, Malicious Packer, Antivirus, Javascript_Blob, Anti_VM, PE File, PE32, DLL, OS Processor Check, PE64, ftp, icon, PNG Format, Malware, suspicious privilege, Check memory, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, Ransom Message, VM Disk Size Check, Ransomware
Network: no URLs, hosts or alerts recorded
Score: 5.8 | Flag: - | VT: -

#46475  2024-07-31 10:24  submitter: ZeroCERT
Sample: Archivejuudyyy.jpeg.vbs  MD5 7f2edeb8382cb0397d03bf2b3b32e528
Tags: ActiveXObject, VirusTotal, Malware, unpack itself, crashed
Network: no URLs, hosts or alerts recorded
Score: 1.0 | Flag: - | VT: 8

#46476  2024-07-31 10:24  submitter: ZeroCERT
Sample: mywifeisbeautifull.vbs  MD5 02b6b577cf925689c42545770b951ac6
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (2):
  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
  http://107.175.229.144/WHATISAMERICA.txt
Hosts (2):
  ia803104.us.archive.org (207.241.232.154) - malware
  207.241.232.154 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.2 | Flag: M | VT: 11

#46477  2024-07-31 10:24  submitter: ZeroCERT
Sample: Invoice-2024-07-29.url  MD5 123301099bd2b21b2b13bddb06c940dc
Tags: AntiDebug, AntiVM, URL Format, Code Injection, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
URLs (3):
  http://62.133.61.43:81/Downloads
  http://62.133.61.43:81/
  http://62.133.61.43:81/Downloads/UXSNUWNZ.exe
Hosts (1): count reported, no host entry shown
Alerts (8):
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING WebDAV Retrieving .exe
  ET HUNTING Successful PROPFIND Response for Application Media Type
  ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 3.4 | Flag: M | VT: -

#46478  2024-07-31 10:26  submitter: ZeroCERT
Sample: iamworkingonentirethingstobeba...  MD5 c1770981e03dda36b16f52acb050e99a
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, exploit crash, unpack itself, Exploit, DNS, crashed
URLs: none
Hosts (1):
  192.3.176.154 - malicious
Alerts: none
Score: 5.2 | Flag: M | VT: 36

#46479  2024-07-31 10:26  submitter: ZeroCERT
Sample: Archive.js  MD5 d24a4b4852a8485e74220ee5979f2884
Tags: Generic Malware, Antivirus, ActiveXObject, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (2):
  https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
  http://107.175.229.144/WHATISAMERICA.txt
Hosts (2):
  ia601606.us.archive.org (207.241.227.86)
  207.241.227.86
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.0 | Flag: - | VT: 4

#46480  2024-07-31 10:26  submitter: ZeroCERT
Sample: au.js  MD5 dbe4c84c471b795ec32210638cd177cd
Tags: Malicious Library, Malicious Packer, .NET framework(MSIL), UPX, PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Telegram, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed, keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (7):
  api.telegram.org (149.154.167.220) - malicious
  reallyfreegeoip.org (104.21.67.152)
  checkip.dyndns.org (193.122.130.0)
  193.122.6.168
  62.133.61.43 - malware
  172.67.177.134
  149.154.167.220 - malicious
Alerts (9):
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  ET HUNTING Telegram API Domain in DNS Lookup
Score: 11.6 | Flag: - | VT: 16

#46481  2024-07-31 10:34  submitter: ZeroCERT  (same sample as #46478, resubmitted)
Sample: iamworkingonentirethingstobeba...  MD5 c1770981e03dda36b16f52acb050e99a
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, exploit crash, Exploit, DNS, crashed
URLs (2):
  http://192.3.176.154/700/beautifulthingsherehappend.gIF
  http://192.3.176.154/700/BNHH.txt
Hosts (1):
  192.3.176.154 - malicious
Alerts: none
Score: 4.8 | Flag: M | VT: 36

#46482  2024-07-31 14:45  submitter: ZeroCERT
Sample: Ledger Backup Guide.pdf.lnk  MD5 2f7d198bd913d4694467e2ded0e55ead
Tags: Generic Malware, Antivirus, Admin Tool (Sysinternals etc ...), UPX, AntiDebug, AntiVM, Lnk Format, GIF Format, PowerShell, PE File, PE32, Malware download, AsyncRAT, NetWireRC, Vulnerability, VirusTotal, Malware, VBScript, Cryptocurrency wallets, Cryptocurrency, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, Tofsee, Ransomware, Interception, Windows, Exploit, ComputerName, Trojan, DNS, Cryptographic key
URLs (4):
  http://94.154.172.166/rwrv/3007f.hta
  http://poslisoubor.cz/gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txt
  http://94.154.172.166/rwrv/23.exe
  https://www.mediafire.com/file_premium/p3wr1k36iwfjl7y/Backup_Guide.pdf/file
Hosts (8):
  poslisoubor.cz (109.71.208.62)
  www.mediafire.com (104.16.114.74) - malicious
  download2268.mediafire.com (199.91.155.9) - malware
  41.216.183.3
  94.154.172.166
  109.71.208.62
  104.16.114.74 - malicious
  199.91.155.9 - malware
Alerts (19):
  ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  ET INFO Executable Download from dotted-quad Host
  ET DROP Spamhaus DROP Listed Traffic Inbound group 3
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SURICATA Applayer Detect protocol only one direction
  ET POLICY Possible HTA Application Download
  ET INFO Dotted Quad Host HTA Request
  ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
  ET MALWARE Generic AsyncRAT Style SSL Cert
  ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
  ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
  ET MALWARE VBS/TrojanDownloader.Agent.XAO Payload Inbound
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE JS/Nemucod.M.gen downloading EXE payload
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 19.4 | Flag: - | VT: 11

#46483  2024-07-31 14:53  submitter: ZeroCERT
Sample: 3007f.hta  MD5 d7690e8539ac10edbe4099d361fb7cb5
Tags: Generic Malware, Antivirus, Admin Tool (Sysinternals etc ...), UPX, AntiDebug, AntiVM, PowerShell, PE File, PE32, Malware download, Malware, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key
URLs (6 entries in the listing; 3 distinct, each shown once plain and once with its matching rule):
  http://poslisoubor.cz/gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txt  (rule_id 41656)
  http://94.154.172.166/rwrv/23.exe  (rule_id 41655)
  https://www.mediafire.com/file_premium/p3wr1k36iwfjl7y/Backup_Guide.pdf/file  (rule_id 41657)
Hosts (7):
  poslisoubor.cz (109.71.208.62)
  www.mediafire.com (104.16.114.74) - malicious
  download2268.mediafire.com (199.91.155.9) - malware
  109.71.208.62
  104.16.114.74 - malicious
  199.91.155.9 - malware
  94.154.172.166
Alerts (9):
  ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE JS/Nemucod.M.gen downloading EXE payload
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (3): the three URLs above
Score: 15.8 | Flag: - | VT: -

#46484  2024-07-31 14:55  submitter: ZeroCERT
Sample: 23.exe  MD5 367009ea6fe948f4c0773f4cd1274a5f
Tags: Admin Tool (Sysinternals etc ...), UPX, AntiDebug, AntiVM, PE File, PE32, Malware download, AsyncRAT, NetWireRC, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, RWX flags setting, unpack itself, Ransomware, Windows, ComputerName, DNS, Cryptographic key
URLs (2 entries in the listing; 1 distinct, shown once plain and once with its matching rule):
  http://poslisoubor.cz/gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txt  (rule_id 41656)
Hosts (3):
  poslisoubor.cz (109.71.208.62)
  109.71.208.62
  41.216.183.3 - malicious
Alerts (5):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 3
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE Generic AsyncRAT Style SSL Cert
Rule-matched URLs (1): the URL above
Score: 12.4 | Flag: M | VT: 30

#46485  2024-07-31 21:37  submitter: guest
Sample: dssdj.exe  MD5 b78013e1727d77333e2780e95d064b4b
Tags: Malicious Library, UPX, PE File, PE32, MZP Format, DLL, DllRegisterServer, dll, VirusTotal, Malware, Check memory, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, crashed
Network: no URLs, hosts or alerts recorded
Score: 3.0 | Flag: - | VT: 1
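The entries above are a flattened export of a sandbox table, and the raw form has traps for anyone scripting against it: hosts and alert names are run together on single lines, a URL appears twice when a URL rule matched (once plain, once with "rule_id: N"), and a section's declared count does not always match what is listed (entry 46477 reports one host and shows none). The following is an added example, my own code rather than anything from the listing or the sandbox, that parses one record into structured, defanged indicators and checks each section's declared count against what was actually parsed. The record layout and all function names are my assumptions; the embedded record is entry 46480 copied verbatim from this page.

```python
# Added example (mine, not the listing's code): parse one flattened submission
# record into structured, defanged IOCs and check the declared section counts.
# Assumed: the record layout inferred from the page; SAMPLE is entry 46480 copied
# verbatim; helper names are mine.
import re
from urllib.parse import urlsplit, urlunsplit

SAMPLE = """46480 |
2024-07-31 10:26
|
au.js dbe4c84c471b795ec32210638cd177cd Malicious Library Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
|
7
api.telegram.org(149.154.167.220) - mailcious reallyfreegeoip.org(104.21.67.152) checkip.dyndns.org(193.122.130.0) 193.122.6.168 62.133.61.43 - malware 172.67.177.134 149.154.167.220 - mailcious
|
9
ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET HUNTING Telegram API Domain in DNS Lookup
|
|
11.6 |
|
16 |
ZeroCERT
"""

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
HOST_RE = re.compile(r"([^()\s]+)(?:\(([0-9.]+)\))?")
# Alert names are run together on one line; each starts with "ET <CAT>", "SSLBL:" or "SURICATA".
ALERT_SPLIT = re.compile(r"(?=\b(?:ET [A-Z_]+|SSLBL:|SURICATA) )")


def parse_urls(body):
    # The listing prints a URL twice when a URL rule matched (plain + "rule_id: N"); collapse.
    seen = {}
    for url, rule in URL_RE.findall(" ".join(body)):
        seen[url] = seen.get(url) or (rule or None)
    return list(seen.items())


def parse_hosts(body):
    # Tokens are "name(ip)", a bare IP or a bare name, optionally followed by "- tag".
    hosts, toks, i = [], " ".join(body).split(), 0
    while i < len(toks):
        if toks[i] == "-" and hosts and i + 1 < len(toks):
            tag = toks[i + 1]
            hosts[-1]["tag"] = "malicious" if tag == "mailcious" else tag  # site's spelling
            i += 2
            continue
        name, ip = HOST_RE.fullmatch(toks[i]).groups()
        if ip is None and IPV4_RE.fullmatch(name):
            name, ip = None, name
        hosts.append({"name": name, "ip": ip, "tag": None})
        i += 1
    return hosts


def parse_alerts(body):
    return [a.strip() for a in ALERT_SPLIT.split(" ".join(body)) if a.strip()]


def read_section(lines, pos):
    # A section is a lone "|" (empty) or a count line, body lines, then a closing "|".
    if lines[pos] == "|":
        return 0, [], pos + 1
    count, body, pos = int(lines[pos]), [], pos + 1
    while lines[pos] != "|":
        body.append(lines[pos])
        pos += 1
    return count, body, pos + 1


def parse_record(text):
    lines = [l.strip() for l in text.strip().splitlines()]
    head = lines[3].rstrip(" |")
    m = MD5_RE.search(head)
    rec = {"id": int(lines[0].rstrip(" |")), "submitted": lines[1], "name": head[:m.start()].strip(),
           "md5": m.group(), "tags": head[m.end():].strip(), "warnings": []}
    pos = 4
    for key, parser in (("urls", parse_urls), ("hosts", parse_hosts),
                        ("alerts", parse_alerts), ("matched_urls", parse_urls)):
        count, body, pos = read_section(lines, pos)
        rec[key] = parser(body)
        if count != len(rec[key]):  # e.g. entry 46477 declares 1 host but lists none
            rec["warnings"].append(f"{key}: declared {count}, parsed {len(rec[key])}")
    rec["score"] = float(lines[pos].rstrip(" |"))
    rec["flag"] = lines[pos + 1].rstrip(" |") or None
    vt = lines[pos + 2].rstrip(" |")
    rec["vt_hits"] = int(vt) if vt else None
    rec["submitter"] = lines[pos + 3]
    return rec


def defang_url(url):
    p = urlsplit(url)
    return urlunsplit((p.scheme.replace("http", "hxxp"), p.netloc.replace(".", "[.]"),
                       p.path, p.query, p.fragment))


def iocs(rec):
    # IPs the sandbox tagged malware/malicious go in one bucket; untagged hosts
    # (CDN edges, IP-check services) in another, because they need analyst review.
    out = {"md5": rec["md5"], "urls": [defang_url(u) for u, _ in rec["urls"]],
           "flagged_ips": set(), "other_ips": set(), "domains": set()}
    for h in rec["hosts"]:
        if h["name"]:
            out["domains"].add(h["name"].replace(".", "[.]"))
        if h["ip"]:
            bucket = "flagged_ips" if h["tag"] in ("malware", "malicious") else "other_ips"
            out[bucket].add(h["ip"].replace(".", "[.]"))
    return out
```

Run `iocs(parse_record(SAMPLE))` to get the defanged set, and inspect `rec["warnings"]` before trusting any counts. Note that the sandbox's host tags mark shared infrastructure as malware or malicious (archive.org edges, the Telegram API, Cloudflare and DynDNS addresses in the entries above), so the flagged bucket is a starting point for review rather than a drop-in blocklist; the score, the M flag and the VirusTotal count are carried through unchanged.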