48406 | 2024-09-26 09:58 | niceworkingskillmadeeveryoneha... | 7a9a05109dd848058fd327bc38459a3d
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed
URLs (1): http://107.175.243.142/340/audiodg.exe
Hosts (3): maan2u.com(112.137.173.77) - mailcious; 107.175.243.142 - mailcious; 112.137.173.77 - mailcious
Alerts (8): SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | M | 40 | ZeroCERT

48407 | 2024-09-26 09:59 | dl | d9d92da97544f0c2116d7375f2665110
Tags: Malicious Library UPX PE File PE32 OS Processor Check unpack itself
0.8 | M | | ZeroCERT

48408 | 2024-09-26 10:00 | vnobizxc.exe | a4cd1ff60c7b69df5a061df3365e60c7
Tags: XWorm Generic Malware WebCam Malicious Library .NET framework(MSIL) Antivirus KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key keylogger
Hosts (4): api.telegram.org(149.154.167.220) - mailcious; 172.217.24.225; 142.250.197.238; 149.154.167.220 - mailcious
Alerts (4): ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Telegram API Domain in DNS Lookup
13.2 | M | 45 | ZeroCERT

48409 | 2024-09-26 10:00 | goodimageswithgoodfeatureshave... | 59e879eb2a3f5f54db609e47b0596813
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1): http://192.3.146.143/xampp/kbno/newthingswithnewpcituresgetin.tIF
Hosts (3): ia600100.us.archive.org(207.241.227.240) - mailcious; 207.241.227.240 - mailcious; 192.3.146.143 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 38 | ZeroCERT

48410 | 2024-09-26 10:02 | nVvfLpoRTEWzzG.exe | 48977f1b641a9a3d88329ac470152381
Tags: Generic Malware Malicious Library Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2): http://checkip.dyndns.org/; https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (8): api.telegram.org(149.154.167.220) - mailcious; reallyfreegeoip.org(172.67.177.134); checkip.dyndns.org(158.101.44.242); 104.21.67.152; 149.154.167.220 - mailcious; 142.250.196.225; 142.250.197.206; 158.101.44.242
Alerts (9): ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org); ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check; ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Telegram API Domain in DNS Lookup; ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
15.8 | M | 47 | ZeroCERT

48411 | 2024-09-26 10:05 | 66f4247962974_vfdsgasd12.exe | 8b0b12811b60a92a72b636a46fadb0ba
Tags: PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.8 | M | 37 | ZeroCERT

48412 | 2024-09-26 10:08 | 3333.exe | 0336bc6e2759bd7b5c400a447a55756e
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File DllRegisterServer dll PE32 MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger
URLs (3): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Hosts (9): drive.usercontent.google.com(142.250.206.193) - mailcious; docs.google.com(172.217.25.174) - mailcious; xred.mooo.com() - mailcious; freedns.afraid.org(69.42.215.252); www.dropbox.com(162.125.84.18) - mailcious; 69.42.215.252; 142.250.197.206; 142.250.196.225; 162.125.84.18 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
8.4 | M | 66 | ZeroCERT

48413 | 2024-09-26 10:10 | 1.exe | 814eede0c07f64e2ce4efbeede8928f4
Tags: Generic Malware Malicious Library Malicious Packer ASPack UPX PE File DllRegisterServer dll PE32 MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger
URLs (3): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Hosts (9): drive.usercontent.google.com(142.250.206.193) - mailcious; docs.google.com(172.217.25.174) - mailcious; xred.mooo.com() - mailcious; freedns.afraid.org(69.42.215.252); www.dropbox.com(162.125.84.18) - mailcious; 69.42.215.252; 172.217.24.225; 142.250.197.238; 162.125.84.18 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
8.8 | M | 65 | ZeroCERT

48414 | 2024-09-26 10:11 | win11.exe | 613d958a64df2e883b11d994f57b1c80
Tags: Gen1 Generic Malware Malicious Library UPX PE File PE32 MZP Format JPEG Format DLL VirusTotal Malware AutoRuns Check memory Creates executable files RWX flags setting unpack itself Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger
URLs (3): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download; https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Hosts (10): drive.usercontent.google.com(142.250.206.193) - mailcious; docs.google.com(172.217.25.174) - mailcious; xred.mooo.com() - mailcious; freedns.afraid.org(69.42.215.252); www.dropbox.com(162.125.84.18) - mailcious; 142.250.199.110 - mailcious; 38.147.172.248 - mailcious; 69.42.215.252; 142.250.197.97; 162.125.84.18 - mailcious
Alerts (2): ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | M | 66 | ZeroCERT

48415 | 2024-09-26 10:22 | Hkbsse.exe | e4f3ed3daf21363918afbc91db6f775b
Tags: Amadey Generic Malware Malicious Library Malicious Packer UPX Antivirus PE File PE32 OS Processor Check DLL PE64 JPEG Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder sandbox evasion installed browsers check Windows Browser ComputerName Cryptographic key Software
URLs (4): http://amoamosss.com/Dem7kTu/Plugins/cred64.dll; http://amoamosss.com/Dem7kTu/Plugins/clip64.dll; http://amoamosss.com/Dem7kTu/index.php; http://amoamosss.com/Dem7kTu/index.php?scr=1
Hosts (2): amoamosss.com(31.41.154.129); 31.41.154.129
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE Amadey Bot Activity (POST) M1
12.0 | | 51 | guest

48416 | 2024-09-26 10:27 | 66f4186b24569_sfx_123_500.exe | 9aca15a320ce8fe7eabb268f7116cbcc
Tags: Malicious Library UPX PE File PE32 VirusTotal Malware Check memory
1.0 | | 16 | ZeroCERT

48417 | 2024-09-26 10:28 | xBneIooWzQjjOOg.exe | 432644163e0aaa8a0269179e0e036eae
Tags: AgentTesla Formbook Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
11.4 | M | 40 | ZeroCERT

48418 | 2024-09-26 10:29 | 66f4247628ddf_vfdsgsfd15.exe | 38d89dee3e519cce0366a2ce70b7ec0d
Tags: PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.8 | M | 34 | ZeroCERT

48419 | 2024-09-26 10:29 | 66f424844286a_vfdhgsd16.exe | 77011ba24d1088a963898abc72c6e129
Tags: PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.6 | M | 28 | ZeroCERT

48420 | 2024-09-26 10:32 | VbcXXnmIwPPhh.exe | 70262b2a7d84c44a127705652cdb57dc
Tags: Formbook Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2): http://checkip.dyndns.org/; https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (6): api.telegram.org(149.154.167.220) - mailcious; reallyfreegeoip.org(172.67.177.134); checkip.dyndns.org(132.226.8.169); 172.67.177.134; 132.226.247.73; 149.154.167.220 - mailcious
Alerts (9): ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org); ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO 404/Snake/Matiex Keylogger Style External IP Check; ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI; ET HUNTING Telegram API Domain in DNS Lookup
16.8 | M | 24 | ZeroCERT