| 8431 |
2023-09-21 09:48
|
omob.vbs 51c03a309d16578fe5a97464df18cac9
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://79.110.48.52/omox.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
104.21.45.138 - malware
182.162.106.33 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8432 |
2023-09-21 09:47
|
eveningmmeddddFile.vbs 62154436f26a9ce3557b89b54e54fe16
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/613/515/original/rump_vbs_antivm.jpg?1695147255
http://193.42.33.63/mohammedfilebase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.43.165.66
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8433 |
2023-09-21 09:46
|
idex.vbs 3a386e7b334d9214f8d5fcf3f6876fd3
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://79.110.48.52/idesh.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8434 |
2023-09-21 09:45
|
aktivosssssssfileapamaFile.vbs cd664601408fb5dac516050fb44fe31c
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/614/536/original/rump_private.jpg?1695227110
http://193.42.33.63/mohammedfilebase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8435 |
2023-09-21 09:44
|
 irrkt.exe f2b5bfad4a3b0efd8aff6cd50c4f4e4b
PE File PE32 .NET EXE VirusTotal Malware Tofsee DNS |
1
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
|
5
cacerts.digicert.com(152.195.38.76)
onedrive.live.com(13.107.42.13) - mailcious
101.32.68.183 - mailcious
152.195.38.76
13.107.42.13 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8436 |
2023-09-21 09:44
|
jokiulob.vbs ddf4bc91c949a6dfe97246d424ce6a2e
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://185.225.75.151/okokukosib.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8437 |
2023-09-21 09:43
|
 wininit.exe d54ddeb1ceaa4b97d777db0335765e31
Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser DNS |
13
http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403
http://www.igrashka.net/hcn4/?knM=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&ye5Im=alq0Y2 - rule_id: 36402
http://www.jedidylan.com/hcn4/?knM=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&ye5Im=alq0Y2 - rule_id: 36404
http://www.ssongg12497.cfd/hcn4/ - rule_id: 36407
http://www.shakcham.top/hcn4/ - rule_id: 36405
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3130000.zip
http://www.igrashka.net/hcn4/ - rule_id: 36402
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.shakcham.top/hcn4/?knM=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&ye5Im=alq0Y2 - rule_id: 36405
http://www.jedidylan.com/hcn4/ - rule_id: 36404
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.edf23hravau.xyz/hcn4/?knM=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&ye5Im=alq0Y2 - rule_id: 36403
|
12
www.ekcc.xyz() - mailcious
www.ssongg12497.cfd(101.32.68.183) - mailcious
www.jedidylan.com(204.11.56.48) - mailcious
www.edf23hravau.xyz(20.247.39.217) - mailcious
www.shakcham.top(203.161.62.123) - mailcious
www.igrashka.net(91.206.200.88) - mailcious
203.161.62.123 - mailcious
101.32.68.183 - mailcious
204.11.56.48 - phishing
20.247.39.217 - mailcious
45.33.6.223
91.206.200.88 - mailcious
|
2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
9
http://www.edf23hravau.xyz/hcn4/
http://www.igrashka.net/hcn4/
http://www.jedidylan.com/hcn4/
http://www.ssongg12497.cfd/hcn4/
http://www.shakcham.top/hcn4/
http://www.igrashka.net/hcn4/
http://www.shakcham.top/hcn4/
http://www.jedidylan.com/hcn4/
http://www.edf23hravau.xyz/hcn4/
|
11.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8438 |
2023-09-21 09:43
|
mohammmeddddFile.vbs ac706ae911a9abbe20f39aede390f201
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070
http://193.42.33.63/mohammedfilebase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8439 |
2023-09-21 09:41
|
GWA.vbs e2782eab20480b1650cd78de803acd82
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/613/515/original/rump_vbs_antivm.jpg?1695147255
http://94.156.161.167/tl/gr3424.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
222.122.182.234
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8440 |
2023-09-21 09:40
|
HVD.vbs 4a59ccc0ed465bacc7d52dfb498ad113
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/614/895/original/rump_vbs.jpg?1695246171
http://94.156.161.167/tl/ht4534.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8441 |
2023-09-21 09:39
|
 1.exe 3e0fe762ff4de77422e0da2f8460431a
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
2.0 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8442 |
2023-09-21 09:37
|
 TiWorker.hta 328e0141e999dfe62d9429c5685aabd2
Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
1
http://107.175.113.216/pastor/retain.exe
|
|
|
|
7.0 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8443 |
2023-09-21 09:37
|
 kellyzx.exe c9073e82ea54dc807fb8c89d205ef7f5
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8444 |
2023-09-21 09:35
|
 maxlobbing2.1.exe 8d7eea4fa1b573b722cac003a8aa205f
NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212)
104.237.62.212
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
8.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8445 |
2023-09-21 09:35
|
 Bitter.exe 17fa8319d0f676b0a4e69d629e3b46a3
Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check VirusTotal Malware Remote Code Execution crashed |
|
|
|
|
1.8 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|