ID | Date | Sample | MD5 | Tags | URL count | URLs | Host count | Hosts | Alert count | IDS alerts | Score | Flag | Count | Submitter
48616 | 2024-10-05 09:08 | https://support.google.com/acc... | 1537d8074e29fe130494edd6e4c547f5 | Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File icon OS Processor Ch Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | 10 | https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff; https://www.googletagmanager.com/gtag/js?id=G-H30R9PNQFN; https://support.google.com/favicon.ico; https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff; https://ssl.gstatic.com/gb/images/bar/al-icon.png; https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc-.woff; https://lh3.googleusercontent.com/9Y5oRPNXHvhG3TpmG0PTQ8lEEAJyuDiyMLujhC4R042jzmk6NUUE-IoF7XF2F5qLhDA=w895; https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff; https://www.google-analytics.com/analytics.js; https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff | 12 | www.googletagmanager.com(142.250.206.232); lh3.googleusercontent.com(172.217.161.225); ssl.gstatic.com(142.250.206.227); support.google.com(142.250.206.206) - mailcious; www.google-analytics.com(142.250.76.142); fonts.gstatic.com(142.250.207.99); 142.250.197.131; 142.250.197.136; 142.250.198.174; 216.239.34.178; 142.250.196.227; 142.250.197.97 | 2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | 4.6 | | | guest
48617 | 2024-10-05 09:09 | https://support.google.com/acc... | 9ef80065043aca7e2c81eba48e06c851 | Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format icon OS Processor Ch Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | 10 | https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff; https://www.googletagmanager.com/gtag/js?id=G-H30R9PNQFN; https://support.google.com/favicon.ico; https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff; https://ssl.gstatic.com/gb/images/bar/al-icon.png; https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc-.woff; https://lh3.googleusercontent.com/9Y5oRPNXHvhG3TpmG0PTQ8lEEAJyuDiyMLujhC4R042jzmk6NUUE-IoF7XF2F5qLhDA=w895; https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff; https://www.google-analytics.com/analytics.js; https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff | 12 | www.googletagmanager.com(142.250.206.232); lh3.googleusercontent.com(172.217.161.225); ssl.gstatic.com(142.250.206.227); support.google.com(142.250.206.206) - mailcious; www.google-analytics.com(142.250.76.142); fonts.gstatic.com(142.250.207.99); 142.250.197.46; 142.250.198.195; 142.250.197.200; 142.250.76.227; 142.250.71.193; 142.250.71.174 | 2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | 5.2 | | | guest
48618 | 2024-10-05 09:11 | TarNJ.txt.exe | 08ca7124c1476f37f8f3b233cd5ac053 | njRAT backdoor PE File .NET EXE PE32 Malware download njRAT VirusTotal Malware ICMP traffic DNS DDNS | | | 2 | 02oct.duckdns.org(); 167.0.201.5 | 3 | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 3.0 | | 54 | ZeroCERT
48619 | 2024-10-05 09:14 | seethedifferentwithgreatdayofi... | 93f8cd6440e951545875706461d25854 | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed | 1 | http://51.83.251.113/650/picturewithgetmebackgreatdayfor.tIF | 3 | raw.githubusercontent.com(185.199.110.133) - malware; 51.83.251.113; 185.199.111.133 - mailcious | 1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 4.6 | | 38 | ZeroCERT
48620 | 2024-10-05 09:14 | seethemagicalthingstobeonlinew... | 85bb9c92d8128e3c8cf070a813b9ba82 | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed | 1 | http://192.3.220.20/100/newprojectwithnewthingstobecome.tIF | 3 | raw.githubusercontent.com(185.199.108.133) - malware; 185.199.108.133 - mailcious; 192.3.220.20 | 1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 4.6 | | 38 | ZeroCERT
48621 | 2024-10-05 09:16 | nicepciturewithnicewomenwholik... | 26595ba1951c5b5b9b8a328be0d93f1c | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed | 1 | http://107.172.130.147/240/nicepciturewithggreatethingstobe.tIF | 3 | raw.githubusercontent.com(185.199.108.133) - malware; 185.199.109.133 - mailcious; 107.172.130.147 - mailcious | 1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 4.6 | | 35 | ZeroCERT
48622 | 2024-10-05 09:18 | XClient.exe | 490ceab952abd5b62925e15f4b7aa533 | Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName | | | | | | | 3.8 | | 59 | ZeroCERT
48623 | 2024-10-05 09:18 | 04a4f32fae41.exe#d16 | beb37e304261bf24e18ec89f912c2039 | Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Malware download Vidar Malware c&c MachineGuid Code Injection Malicious Traffic Check memory buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName crashed plugin | 8 | http://proxy.johnmccrea.com//msvcp140.dll; http://proxy.johnmccrea.com//softokn3.dll; http://proxy.johnmccrea.com//vcruntime140.dll; http://proxy.johnmccrea.com//nss3.dll; http://proxy.johnmccrea.com//freebl3.dll; http://proxy.johnmccrea.com//mozglue.dll; http://proxy.johnmccrea.com//sql.dll; http://proxy.johnmccrea.com/ | 2 | proxy.johnmccrea.com(141.98.233.156); 141.98.233.156 | 9 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity | 12.2 | | | ZeroCERT
48624 | 2024-10-05 09:20 | ped.exe | 101a98643dbcbf0c0c02d45b8126a590 | XWorm RedLine Infostealer UltraVNC Generic Malware WebCam Malicious Library UPX Antivirus AntiDebug AntiVM PE File PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key crashed | | | | | | | 11.6 | M | 47 | ZeroCERT
48625 | 2024-10-05 09:21 | 9dd06d870941.exe#d15 | 3c8ffa367ffc96a9fdad36fbe086f5b8 | Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Malware download Vidar Malware c&c MachineGuid Code Injection Malicious Traffic Check memory buffers extracted WMI unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName crashed plugin | 2 | http://proxy.johnmccrea.com//sql.dll; http://proxy.johnmccrea.com/ | 2 | proxy.johnmccrea.com(141.98.233.156); 141.98.233.156 | 4 | ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 11.4 | M | | ZeroCERT
48626 | 2024-10-05 09:22 | file.exe | 7300cad585fefa6a6f67c78ac264b128 | Emotet Gen1 Malicious Library UPX AntiDebug AntiVM PE File PE64 CAB VirusTotal Malware AutoRuns PDB MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself suspicious process Windows ComputerName Remote Code Execution | | | | | | | 5.6 | M | 18 | ZeroCERT
48627 | 2024-10-05 09:23 | 31agosto.vbs | b9dbaa8493f8539ec491076723a57f6d | Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 1 | https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | 2 | raw.githubusercontent.com(185.199.108.133) - malware; 185.199.109.133 - mailcious | 1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 7.6 | M | 6 | ZeroCERT
48628 | 2024-10-05 09:24 | yvDk2VZluODBu6S.exe | ce9466bd702a1dfc74c79be5fcd8f5f8 | Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself | | | | | | | 2.6 | M | 43 | ZeroCERT
48629 | 2024-10-05 09:26 | segura.vbs | 52917612f2ba8deed79d211c0bd5746f | Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 1 | https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | 2 | raw.githubusercontent.com(185.199.108.133) - malware; 185.199.109.133 - mailcious | 1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 7.6 | M | 4 | ZeroCERT
48630 | 2024-10-05 09:30 | fedf8679e8d2.exe#d12 | 04c5017127f914464f5f0906071752ae | Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Malware download Vidar Malware c&c MachineGuid Code Injection Malicious Traffic Check memory buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName crashed plugin | 8 | http://proxy.johnmccrea.com//msvcp140.dll; http://proxy.johnmccrea.com//softokn3.dll; http://proxy.johnmccrea.com//vcruntime140.dll; http://proxy.johnmccrea.com//nss3.dll; http://proxy.johnmccrea.com//freebl3.dll; http://proxy.johnmccrea.com//mozglue.dll; http://proxy.johnmccrea.com//sql.dll; http://proxy.johnmccrea.com/ | 2 | proxy.johnmccrea.com(141.98.233.156); 141.98.233.156 | 9 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity | 12.2 | M | | ZeroCERT