| 8446 |
2023-09-21 09:35
|
 Abzyvhxf.exe 7044e350d5ce87c637beb058755884c2
UPX PE File PE32 .NET EXE OS Processor Check Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8447 |
2023-09-21 09:33
|
okwugwwoooooFile.vbs b3cccc4edd38f55ec657d671fa6eb95a
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://193.42.33.63/jdbfjhgkfhkfhkjgfkzokwugwoloki.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.18
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8448 |
2023-09-21 09:33
|
 TiWorker.exe 043e70250aeeec512af0393baf488866
LokiBot .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs suspicious TLD installed browsers check Browser Email ComputerName DNS Software |
1
http://zang2.areen.top/_errorpages/zang2/five/fre.php
|
2
zang2.areen.top(172.67.194.123)
104.21.20.215 - mailcious
|
9
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.8 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8449 |
2023-09-21 09:30
|
 BestSoftware.exe 1c9cb19f72b337353fab5826b145b2f3
.NET framework(MSIL) PWS SMTP AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
11.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8450 |
2023-09-21 09:30
|
 portfolio.url ab427bde003e2f9b64972710d82c99c3
AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.145.113/Scarica/foto.zip/portfolio.exe
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8451 |
2023-09-21 09:30
|
 TiWorker.exe e10fec549c39c3274dcda749ec3a7119
.NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser |
5
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip
http://www.xclshiye.com/ekss/?IsCSSlG=kHdraKEfjB12B9p7l0zuiFs0jFsPsK2ty+h3/NWt5GpHSXbsL17DJmxeUix/PqfBxVIu6n00WNchBCHR2+SzfbFa6JaE1snn4Qg/Xqk=&90PB=YunUmQDZezap
http://www.xclshiye.com/ekss/
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
|
5
www.xnkm.monster(206.238.21.88)
www.xclshiye.com(154.204.197.87)
154.204.197.87
206.238.21.88
45.33.6.223
|
|
|
10.6 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8452 |
2023-09-21 09:21
|
 name.exe 4de0852d1496c803b17e3990f0411c54
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
1.6 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8453 |
2023-09-21 09:20
|
pass_setup1234.7z c0a9b3aec9fea6881332adfe384232c3
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader |
44
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe - rule_id: 36358
http://45.9.74.80/super.exe - rule_id: 36063
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://apps.identrust.com/roots/dstrootcax3.p7c
http://fc.ftimedica.com/netTime.exe
http://5.42.92.211/loghub/master - rule_id: 36282
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://77.91.68.238/love/no230.exe - rule_id: 36359
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://193.42.32.118/api/firecom.php
http://www.maxmind.com/geoip/v2.1/city/me
http://94.142.138.221/file/name.exe
https://vk.com/doc52355237_665938507?hash=m6OB9an6EOeD8heKew1wDxncbYrgO4cjTs8IHxSGOMH&dl=uy9JCFMd880sjLNRgNT9fjPRywC1WLtHDR3fT9z2QTX&api=1&no_preview=1#test2
https://vk.com/doc52355237_665872078?hash=Kz3PaU1L3NGuBFJAoGXACEafD960Cp8NVVxAzQR8U3H&dl=TGSEkTjAuxGOcQ0N10qRiCJlxoGRDvtzjKPataFdHhc&api=1&no_preview=1
https://mememania.net/test/gametools.exe
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc18596347_668003295?hash=XreQfq4NrtoZDNELVIDLcr1yWsXW1dqZDR7duHAGA7P&dl=pCTGBpgzC0ESbYP6jKlQReXTFcupII5gHdo5zk9YOZk&api=1&no_preview=1#delux
https://preconcert.pw/setup294.exe - rule_id: 36162
https://vk.com/doc52355237_665880768?hash=ubcUBEaLWzipHTOeg3jEhyfSeC0h7DJrmPTohND0B6D&dl=sqZTWs3nWU6WRCWJjrqnLtWUJOv5NeFbk7N6Ssv2Ifs&api=1&no_preview=1#redcl
https://sun6-20.userapi.com/c909218/u52355237/docs/d42/99a08ca55dfc/x11.bmp?extra=8lCSeefRbUfQ1dl7gbWZP9rbdidKpDTSF8OZ6II3c5dVhNYEE3JOfRSQ9QN0OKnu8ye-0PUn-xX1m3ghX-e-NPxQZdN986ED3XRYwWoTFI71f8ecdJ6L8zo5eALFHBYEKUxJUCo8jIKU5H66
https://vk.com/doc52355237_665938565?hash=XvxTzvFmz7lm4FmiX255WzfNZAIoEEiVPkRx4ZmjMgL&dl=9f0mriSzvdjZFQuHfBCX9y95tahovgb47vQqAJV8jo0&api=1&no_preview=1#rise
https://api.myip.com/
https://vk.com/doc17799268_667394499?hash=8O4zNnF9tP9wsaxLkeHeWDXqO2rxWYjyDP69QeOzwaz&dl=ozGE2ISNCA8zD35yB4dk4cB4VAjrpT4UYePmL4tZmmc&api=1&no_preview=1#utube
https://sun6-23.userapi.com/c909518/u52355237/docs/d47/c32a87b017af/328dj2afg.bmp?extra=AdLbRDTDwp25OjVl_rkgkBABFCOyonhlWW7CDMe9GL_9z2F3Rbp-qONbZweHREJZNxFW-9yWDZAfklcQE_aPRkRblSP8r_Qm4CI4CGb3xrvmHpyXHIpTKonFX0MBDXtzMzTcl6DXiw4DpN3M
https://sun6-23.userapi.com/c909628/u52355237/docs/d40/84a7e7bb4a92/RisePro.bmp?extra=xI9rQt-tAmVWJ4Cboh5rKsshtX-SsNrjxNURKcxJPprTTGiUnFY-yItehO5J0QNqNUV4-jVAUa2eSJ7Ltoa9bv0phLUk8UAOg_kVU668de0ePCpYqzcEkR-3L-C2_JaH40oJrXTO14MuCs0A
https://sun6-21.userapi.com/c909328/u52355237/docs/d26/2a08637c5a56/Bot_Clien.bmp?extra=y_zFyxma88H6dv--oDcF3mjcRiUllKPEI1NfWSYTjOkoS4VxUDz4pTNRjGBbIu1ESvSIn2GnyukrEBeSjITObbHP114lfjEtthAnLx_4lJ5308bG5Wa4IYJq9fmBBBcSF9HXYjPrSPBzB4yu
https://dzen.ru/?yredirect=true
https://vk.com/doc18596347_668016285?hash=PonWwXIKRFukGezNmW2MnNeYu7LcagbIrZ1mIj3kZ1T&dl=hMKz4JErXb8SqgVrul6D4r1N9nijVikLYJlJ2MlrC4H&api=1&no_preview=1#orig
https://sso.passport.yandex.ru/push?uuid=4af81aa5-42ac-465c-8b53-50abc5b79641&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://vk.com/doc52355237_665906704?hash=twL5pVXU2zOTXLlVLVZr95EUqG9FWXoizRXa1VGWXa8&dl=DxECaHRbKbeWIf9PdqniyvNDb3PMMB293ucxAh6qla0&api=1&no_preview=1#qq
https://sun6-22.userapi.com/c909218/u52355237/docs/d17/f321660640ac/red.bmp?extra=krZWcq-zAkNaBNmsoERJsOJa3Cg1I6UjdOZU3L-GI9vyoD55Ev3Tbh_x-0cUyZ3Ri_FPWScrzLHj5EmKYU7OCZJBRziStKqu-UtjaWLFwrGE0KbWwLZDxyl3ong78toNCakJfLlTzw8ZTK-Q
https://vk.com/doc52355237_665940325?hash=vG1T2xzTiDOe4TmInLX7s7wjd83C3zXZYQEX1fBro3P&dl=zuGVKYwUQZwfzizd3ZYojpiw2upFzPGsk9fJVUbOtuz&api=1&no_preview=1#1
https://vk.com/doc52355237_665861662?hash=ImDE8wJKeKsidLNmyeypwBZxNsPon1YnZ9AJMNJmzVs&dl=759gQwYNSpwSgt6vmZb21ZfK2G3kzxLbJOWuWICosow&api=1&no_preview=1
https://neuralshit.net/32558400f22545916bbc3a5405a39f3c/7725eaa6592c80f8124e769b4e8a07f7.exe
https://sun6-21.userapi.com/c909518/u52355237/docs/d51/e8935b71753f/test22009.bmp?extra=E81y1PchGDLCccZqFap9XwnBZHb2tZOG_bLcYjV_6NiSBnzF-773e5vRBRDwsPpOBT7SVgT4BaH9tbQpDwEvlZSB_REPpHhM6B1x-Eiy6LTA3fAyvPWimR80u_LweADlyYBq41G2bV7421tC
https://sun6-23.userapi.com/c909328/u52355237/docs/d15/e12aaa6cce9f/crypted.bmp?extra=40Y6DawDYM7b7WOQZLfptmDCQJV-iehBJ1NFMFcRrAbaetx_gWbv82DdxhRfhyDLOz6AvRBmvSFPMuHCj46yy3X54agnQRB-o41VexMxCXISGOX7pQjHrn-yblo4XH_tpuTsNCucFrWANCsv
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-23.userapi.com/c240331/u52355237/docs/d18/72647bd8c4c5/PL_Client.bmp?extra=wsnjoysZ-SfrRC-OO0LHysFRBWUhnNxWfKD6shBocvO0v5l5WBSXSRm9ylFlqqauG93DOhHDgQVUjLlwGBQOhEs9hM_b4yR2OzbAmPIkdzxIBh_hVV5VLzxD9ZjvpvW19VcIZBClXSVXiI5U
https://vk.com/doc52355237_665916972?hash=PGtJZU2lyBun4kcjAuDW4sr3qZoaazswmzm43vqfrD8&dl=fmNbRucq2G5KCRA22nIJETEH1oOZZHD8AqBpxxaUybz&api=1&no_preview=1
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
79
neuralshit.net(172.67.134.35)
db-ip.com(104.26.5.15)
sun6-23.userapi.com(95.142.206.3)
ipinfo.io(34.117.59.81)
yandex.ru(77.88.55.88)
wahaaudit.ps(213.6.54.58) - malware
dzen.ru(62.217.160.2)
preconcert.pw(172.67.197.101) - malware
iplogger.org(148.251.234.83) - mailcious
z.nnnaajjjgc.com(156.236.72.121) - malware
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
christopherantonio.top(46.173.215.72) - malware
api.db-ip.com(104.26.5.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
sun6-20.userapi.com(95.142.206.0) - mailcious
ji.alie3ksgbb.com(104.21.90.117) - mailcious
iplogger.com(148.251.234.93) - mailcious
230907161118223.nmr.xrm42.top(94.156.35.76) - malware
octocrabs.com(104.21.21.189)
api.myip.com(104.26.8.59)
hugersi.com(91.215.85.147) - malware
sun6-22.userapi.com(95.142.206.2)
www.maxmind.com(104.18.146.235)
vk.com(93.186.225.194) - mailcious
mememania.net(172.67.171.201)
iplis.ru(148.251.234.93) - mailcious
fc.ftimedica.com(45.130.231.6)
94.156.35.76 - malware
148.251.234.93 - mailcious
194.169.175.128 - mailcious
104.18.145.235
51.38.95.107
172.67.197.101
45.130.231.6
94.142.138.221
91.215.85.147 - malware
77.91.68.238 - malware
62.217.160.2
172.67.171.201 - phishing
172.67.200.102
5.42.92.211 - mailcious
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.166
172.67.75.163
45.9.74.80 - malware
23.43.165.105
46.173.215.72 - mailcious
171.22.28.208 - malware
34.117.59.81
172.67.200.10
31.41.244.27 - mailcious
182.162.106.32
148.251.234.83
104.26.8.59
172.67.134.35
213.180.204.24
104.21.84.222 - malware
121.254.136.9
45.15.156.229 - mailcious
77.88.55.88
176.123.9.142 - mailcious
94.142.138.113 - mailcious
185.225.73.32 - mailcious
156.236.72.121 - mailcious
213.6.54.58 - malware
104.26.9.59
87.240.137.164 - mailcious
95.142.206.3
95.142.206.2
95.142.206.1 - mailcious
95.142.206.0 - mailcious
104.244.42.193 - suspicious
87.121.221.58 - malware
185.225.74.51 - mailcious
87.240.132.72 - mailcious
69.46.15.167 - mailcious
|
40
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] PovertyStealer Check-In via TCP
ET HUNTING ZIP file exfiltration over raw TCP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
|
12
http://hugersi.com/dl/6523.exe
http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe
http://45.9.74.80/super.exe
http://45.15.156.229/api/tracemap.php
http://5.42.92.211/loghub/master
http://45.15.156.229/api/firegate.php
http://94.142.138.113/api/tracemap.php
http://193.42.32.118/api/firegate.php
http://77.91.68.238/love/no230.exe
http://193.42.32.118/api/tracemap.php
http://94.142.138.113/api/firegate.php
https://preconcert.pw/setup294.exe
|
5.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8454 |
2023-09-21 09:18
|
 ienwscx.exe 710be6c7edbd56231c80ea627e7614c9
NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
4.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8455 |
2023-09-21 09:17
|
 AnyDesk.exe 6e48a107a315a287e1e37592177cffec
Gen1 SmokeLoader RedLine stealer NSIS Generic Malware Suspicious_Script Downloader Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Obsidium protector ASPack Anti_VM Javascript_Blob PE File ftp PE32 DLL OS Processor Check VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder Ransomware |
|
|
|
|
4.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8456 |
2023-09-21 09:16
|
 TiWorker.hta 708ae6bdeacfb88deca920e606bff2fd
Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
1
http://103.183.115.28/T199W/wininit.exe
|
|
|
|
7.0 |
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8457 |
2023-09-21 09:13
|
 TiWorker.exe accd49056a71495f54d8d83ac2a3e901
NSIS Malicious Library UPX Admin Tool (Sysinternals etc ...) PE File PE32 OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder crashed |
|
|
|
|
3.8 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8458 |
2023-09-21 05:10
|
http://edge-026.defra2.ce.appl...
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://edge-026.defra2.ce.apple-dns.net/
|
2
edge-026.defra2.ce.apple-dns.net(17.248.145.109)
17.248.145.109
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8459 |
2023-09-20 18:12
|
 omego.exe 72e4c036b96efd053d4233076fc4d426
Admin Tool (Sysinternals etc ...) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(104.237.62.212)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8460 |
2023-09-20 18:09
|
 smss.exe ec1b1e9118b85599e702620abf7e9301
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
1
http://mous.midlandpaper.icu/_errorpages/mous/five/fre.php
|
|
|
|
1.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|