46816 |
2024-08-08 14:40
|
95.hta f85f36a24ed9678e95ba7e369261d581 Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key |
1
http://192.3.176.138/95/sahost.exe
|
1
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.4 |
M |
18 |
ZeroCERT
46817 |
2024-08-08 14:41
|
IEnetworks.hta 948f32b531ba5004430eacb7a1eaa9e3 Generic Malware Downloader Antivirus AntiDebug AntiVM PowerShell MSOffice File PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
http://69.166.230.221/113/sahost.exe
|
1
|
5
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.8 |
M |
25 |
ZeroCERT
46818 |
2024-08-08 14:42
|
66b1f63c9578f_doz.exe 07d615115d848b9b21d425e72116537e Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious 149.154.167.99 - mailcious
184.26.241.154 - mailcious
188.245.87.202 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199747278259
|
17.8 |
M |
49 |
ZeroCERT
46819 |
2024-08-08 14:42
|
66b274e0e1b95_shapr3D.exe a80b3beac20e2a5d805c51c36ba14a53 Generic Malware Malicious Library Malicious Packer UPX DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.4 |
M |
42 |
ZeroCERT
46820 |
2024-08-08 15:33
|
picturegreatforeveryonetokissh... ab5e63bdc212cfe4832dcfaa5bcd47dd Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS |
1
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
|
2
servidorwindows.ddns.com.br(189.15.73.202) - malware 189.15.73.202
|
|
|
7.6 |
M |
3 |
ZeroCERT
46821 |
2024-08-08 15:33
|
sweetdresswearwithgirlstyle.gI... 4d8093da8406aa5447403631e1383e8e Generic Malware Antivirus Hide_URL PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key |
1
https://archive.org/download/nativee/nativee.jpg
|
2
archive.org(207.241.224.2) - mailcious 207.241.224.2 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
M |
|
ZeroCERT
46822 |
2024-08-08 16:03
|
sahost.exe a50c4a5189f1223de3c44d7803972571 Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
|
4
reallyfreegeoip.org(104.21.67.152) checkip.dyndns.org(132.226.8.169) 172.67.177.134 132.226.247.73
|
6
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
|
22 |
ZeroCERT
46823 |
2024-08-08 16:07
|
Launcher_Setup.exe 6c1f3f90da84d774ee602dd603a5a22e Emotet Generic Malware Malicious Library Malicious Packer UPX Anti_VM DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.2 |
|
38 |
ZeroCERT
46824 |
2024-08-08 16:10
|
Targeted Advance Persistent Th... ccec3e4857cbb197ac79b0f3b01f5189 Word 2007 file format(docx) ZIP Format Vulnerability VirusTotal Malware unpack itself Tofsee |
2
http://x1.i.lencr.org/
https://mofa-gov-pk.dowmload.info/869469_APT/doc.rtf
|
4
x1.i.lencr.org(23.207.177.83)
mofa-gov-pk.dowmload.info(213.183.55.169) - mailcious 23.41.113.9
213.183.55.169 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
11 |
ZeroCERT
46825 |
2024-08-08 16:13
|
Launcher_Setup.exe 6c1f3f90da84d774ee602dd603a5a22e Emotet Generic Malware Malicious Library Malicious Packer UPX Anti_VM DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
1.0 |
|
38 |
ZeroCERT
46826 |
2024-08-08 16:51
|
카카오 엔터테인먼트의 지식재산권 침해 내용.PDF.ex... 6eaf878c7f1449d65f4b99d49aa9844a Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX PE File PE32 MZP Format OS Processor Check DLL PE64 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
7.2 |
|
18 |
ZeroCERT
46827 |
2024-08-09 07:48
|
sahost.exe 3470b26b4f683b2c79794d5a71b5d681 NSIS Suspicious_Script_Bin Malicious Library UPX PE File PE32 DLL Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
1.6 |
M |
|
ZeroCERT
46828 |
2024-08-09 07:49
|
Aatxl.exe 02b2f62e789410f8c256b0d63ac45a1a Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 Check memory Checks debugger buffers extracted unpack itself ComputerName crashed |
|
|
|
|
2.0 |
|
|
ZeroCERT
46829 |
2024-08-09 07:50
|
30072024.exe aedfb26f18fdd54279e8d1b82b84559a RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
185.215.113.67 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
|
4.2 |
M |
|
ZeroCERT
46830 |
2024-08-09 07:51
|
kitty.exe 0ec1f7cc17b6402cd2df150e0e5e92ca Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PE64 Malware download Email Client Info Stealer Malware AutoRuns Malicious Traffic WMI Creates executable files Windows utilities Checks Bios suspicious process WriteConsoleW anti-virtualization Tofsee Windows Email ComputerName DNS |
3
http://185.216.214.225/mingh.exe https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7 https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7&tsk=5F9BD4
|
3
fusionflow-meta.net(172.67.162.233) 185.216.214.225 104.21.74.211
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE ZharkBot User-Agent Observed ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
7.4 |
M |
|
ZeroCERT