| 8866 |
2023-09-06 16:55
|
 gusan.exe 2bd43c0d8154511c0e587f32867b64e2
Malicious Library UPX AntiDebug AntiVM OS Processor Check PE File PE32 DLL VirusTotal Malware PDB Code Injection RWX flags setting unpack itself suspicious process AppData folder Remote Code Execution |
|
|
|
|
4.4 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8867 |
2023-09-06 16:05
|
 2cfa8e8aaadb6372a5cad4814785bb... a51fb67b5c13bb54aeb6126c2cadc61b
Generic Malware Malicious Library UPX Malicious Packer PE File PE32 VirusTotal Malware AutoRuns Creates executable files Windows Remote Code Execution DNS |
|
2
147.222.227.93
122.117.253.66
|
|
|
4.4 |
|
65 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8868 |
2023-09-06 14:14
|
 WWW14_n.exe e8e7a7c1a9b0aba35338c2de4d4bd0af
PrivateLoader Amadey RedLine Infostealer RedLine stealer Generic Malware Malicious Library UPX VMProtect .NET framework(MSIL) Confuser .NET Malicious Packer PWS SMTP AntiDebug AntiVM PE File PE64 OS Processor Check PE32 .NET EXE DLL wget Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization IP Check installed browsers check PrivateLoader Tofsee Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.9.74.80/super.exe - rule_id: 36063
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe - rule_id: 36062
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://45.9.74.80/ummaa.exe - rule_id: 36186
http://red.mk/netTime.exe - rule_id: 36187
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://www.maxmind.com/geoip/v2.1/city/me
http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
http://45.9.74.80/toolspub2.exe - rule_id: 36066
https://preconcert.pw/setup294.exe - rule_id: 36162
https://sun6-23.userapi.com/c909618/u44017378/docs/d58/7bf5e3bbbea6/Synapse.bmp?extra=mzMMk3WSUR9nXjlWZ6cDWS8uZXnpeH5HFoj4k-neSMlSwedoZanNxQoG3h1Fl180ZYqPy_dIeBEOfQRiGTKUc2qv1mDlwQ6hq_BjfKmI04Adw-GHSVg0utmIeVwn4vFkEZ55FEGR_EeCU6su
https://psv4.userapi.com/c235131/u44017378/docs/d5/fdcd3504e8e2/red.bmp?extra=jTIQRXaPDO1NXMmXQzzFrL0w8M0Aux3xQ53jP9K5Av5remAWM4J7b2bi3isiBFlCsp9FQNBSHuz3j5e9qdLEiiiGgHwS2dsPjt2cu0sirG6iWFSzreqm7rUEnldpiXUhrfN3QUEmNd-PGjtX
https://api.myip.com/
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-20.userapi.com/c909618/u44017378/docs/d36/4045d7e5e2af/PL_Client.bmp?extra=41RYXiYdonWnWPYwQIzl_E40YzLt9e-a585sYDB48TJ1guOgXM82khcH113VcyDUy1qRwuEub4FUsSEnl5OfhF82khtCO4eGvfgR1-OEX6MePbBwAaiux-eLDXjut3NIRQnlEpVeZ_pbxMeI
https://psv4.userapi.com/c909328/u44017378/docs/d1/0a7c8509d5a4/setup.bmp?extra=P2d8Fo57PDhjSbNAarsgzs7s47HfESup6nA9QPs2Jx9jlMkoKc6DXgshHhytmelgvUOzcd0WK42AeucPRw8quv3aFraVcKsYb_UHW5Cd0JUYBJDa80M3IYxPpdUAHDMFCB4T3ofEtFx6cwIp
https://sun6-21.userapi.com/c235131/u44017378/docs/d58/b5d7bd164765/tmvwr.bmp?extra=MOoJ_YAgLF-1um3Me5WawUQVtSpNdXdk4O4HjEHIoEJYoGofA_i-K7joq0CWxFxZ_12PJ_jQLkx1WwKPGJ02adtFNG4_nnXRhcuoM-7EcVqjywc84Edq559VzCTblgn2fgdwqBZ5N-BoxmH6
https://sun6-21.userapi.com/c909628/u44017378/docs/d11/1a3013098cbf/WWW1.bmp?extra=xgcuwlyssMW5fhehD936AqhRSGL9n6WAhvJJzjwcFZ3WMiE8xWxO3qKhr9_8jnDUTj1l3e5eKgd9DPl2hGHNRQsMstXoksgW-4kZoEzSOKif1Txq8vuSgC4s2KKLAdrZ_tDy6XI04Nl-lgHm
https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36188
https://psv4.userapi.com/c909328/u44017378/docs/d20/504a645fbcf0/3c8fttmg7n06dp.bmp?extra=nwBZ3AcWEYYSVAyNH3mk248SL5RSBNJDVe69N37eANsig_2_ecdHjz4OT6WcpyvVgAKIctZPELhQbJdVOBqe4OR66kMAtIyuFDxX2XlhP2KRT5d0TVgW8q7aU98EF1IW99b0I6cDT-cHsiy9
|
42
preconcert.pw(172.67.197.101) - malware
230809204625331.nes.dtf99.top(94.156.35.76) - malware
db-ip.com(104.26.5.15)
psv4.userapi.com(87.240.190.76)
api.db-ip.com(172.67.75.166)
api.myip.com(104.26.8.59)
www.maxmind.com(104.18.146.235)
iplis.ru(148.251.234.93) - mailcious
ironhost.io(172.67.193.129)
ipinfo.io(34.117.59.81)
sergejbukotko.com(104.21.59.53) - malware
sun6-23.userapi.com(95.142.206.3)
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(93.186.225.194) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
red.mk(141.95.126.89) - malware
148.251.234.93 - mailcious
95.142.206.0 - mailcious
104.18.145.235
172.67.197.101
104.26.5.15
179.43.158.2
208.67.104.60 - mailcious
87.240.190.76
176.123.9.85 - mailcious
193.42.32.118 - mailcious
172.67.75.166
172.67.193.129
172.67.75.163
34.117.59.81
172.67.214.144 - malware
141.95.126.89 - malware
45.9.74.80 - malware
94.142.138.131 - mailcious
185.225.73.32 - mailcious
45.15.156.229 - mailcious
95.142.206.3
95.142.206.1 - mailcious
23.67.53.17
87.240.132.78 - mailcious
185.225.74.51 - mailcious
87.240.132.72 - mailcious
|
27
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.pw domain - Likely Hostile
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO TLS Handshake Failure
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
|
13
http://94.142.138.131/api/firegate.php
http://45.9.74.80/super.exe
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
http://45.15.156.229/api/tracemap.php
http://45.9.74.80/ummaa.exe
http://red.mk/netTime.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/tracemap.php
http://193.42.32.118/api/tracemap.php
http://45.9.74.80/0bjdn2Z/index.php
http://45.9.74.80/toolspub2.exe
https://preconcert.pw/setup294.exe
https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
24.4 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8869 |
2023-09-06 14:03
|
setup_pass.7z 1860765426cb420e321b2511a3c2652d
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows Discord RisePro Trojan DNS Downloader |
35
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://45.9.74.80/ummaa.exe - rule_id: 36186
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://77.91.68.238/info/fotos894.exe - rule_id: 36160
http://87.121.221.58/g.exe - rule_id: 35764
http://94.156.253.187/download/WWW14_n.exe - rule_id: 36185
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://www.maxmind.com/geoip/v2.1/city/me
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe - rule_id: 36062
http://45.9.74.80/super.exe - rule_id: 36063
http://myfilebest.com/order/set17.exe - rule_id: 36161
http://94.142.138.113/api/tracemap.php - rule_id: 28877
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc44017378_668916923?hash=sOYzznQFdvahBVyVjkbZnzPi3TCGlZg6RM6IHhJTZtL&dl=WPCbPohX0oULQzTqTTGTJNQWxrKyDARUvPHJcYJtGbP&api=1&no_preview=1#qq
https://sun6-21.userapi.com/c909628/u44017378/docs/d11/1a3013098cbf/WWW1.bmp?extra=xgcuwlyssMW5fhehD936AqhRSGL9n6WAhvJJzjwcFZ3WMiE8xWxO3qKhr9_8jnDUTj1l3e5eKgd9DPl2hGHNRQsMstXoksgW-4kZoEzSOKif1Txq8PmSgC4s2KKLAdrZ-IWl7XcwtYoplwO1
https://vk.com/doc44017378_668903345?hash=Zaetqx11oeFBdkWDjedCOItoPTbkAjFxDdmH7zuyJRo&dl=y4MBsDhjAnxnZdtJN2fzh9BSudm5oc4mHzNl4ImM7J0&api=1&no_preview=1#1
https://preconcert.pw/setup294.exe - rule_id: 36162
https://vk.com/doc44017378_668916984?hash=z1dD7zDOKf4ZPQJxQGiBgAjggkhOTKzwGcbzPqETlMz&dl=qmY4pwWN7rzbugtcn7O1yC8XQAj2CqQOYWt2YS9MT9s&api=1&no_preview=1#9f
https://sun6-20.userapi.com/c909228/u44017378/docs/d21/7ad101a96b02/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=XXZOHqfnMq17vouPpzTFs3JuQrmoHXmTSMlflvAzh2GLImsRHfMz9eBd4CuMjz8ELbdw9smSs0DnbidzeGfroV0r-b9IgDwMl_TlfFZuryV19PDmHTTp_h0wGXPgYU4pHWQ3GNoEpMFPQLfl
https://sun6-23.userapi.com/c240331/u44017378/docs/d40/efd676633f21/test2.bmp?extra=7Tl2Y-CX-JxiRCYulouwERP3ItXHBJDXxyoPj0iVEHSIa9hZ7xvFnG2fGentCZSFBhCQxO-UxYGoZHq-WfhVsGNzMCnfmCbfx4QRc17JBaevHEahprxnIt83DzE8XokOPOHZg2UjY8lhxjkL
https://db-ip.com/
https://sun6-23.userapi.com/c909218/u44017378/docs/d31/28287d82e701/3.bmp?extra=Eia0Z52O_QfMzxBphvQv2mAhSnbUD5gztBKz2S-85eW2DofIDB-aCKBuZ393oBZW0tDYKH9h7atpaV_aJBQybspAkUHNC-pEe72vNCg8Kk1iD_XA5Um1USzPPozdvJvAOg3vHT-D_AIed8L2
https://dzen.ru/?yredirect=true
https://sun6-20.userapi.com/c909618/u44017378/docs/d36/4045d7e5e2af/PL_Client.bmp?extra=41RYXiYdonWnWPYwQIzl_E40YzLt9e-a585sYDB48TJ1guOgXM82khcH113VcyDUy1qRwuEub4FUsSEnl5OfhF82khtCO4eGvfgR1-OEX6MePbBwA6qux-eLDXjut3NIGwniEJcDMP8LnpSO
https://sun6-21.userapi.com/c235131/u44017378/docs/d58/b5d7bd164765/tmvwr.bmp?extra=MOoJ_YAgLF-1um3Me5WawUQVtSpNdXdk4O4HjEHIoEJYoGofA_i-K7joq0CWxFxZ_12PJ_jQLkx1WwKPGJ02adtFNG4_nnXRhcuoM-7EcVqjywc84kVq559VzCTblgn2fgMn9BIrYrs9lDH_
https://sso.passport.yandex.ru/push?uuid=1c2cbbd3-3e8d-405c-9ea3-cfda8d7fc41e&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-23.userapi.com/c909618/u44017378/docs/d58/7bf5e3bbbea6/Synapse.bmp?extra=mzMMk3WSUR9nXjlWZ6cDWS8uZXnpeH5HFoj4k-neSMlSwedoZanNxQoG3h1Fl180ZYqPy_dIeBEOfQRiGTKUc2qv1mDlwQ6hq_BjfKmI04Adw-GHS1o0utmIeVwn4vFkEZ17GUfHoBCOUPhw
https://sun6-22.userapi.com/c240331/u44017378/docs/d38/3cdd8ad7ce1f/crypted.bmp?extra=oWgEqzAKAoeJqXlNWcq1L2Twro57C2oqwpXLM14hc75rg4Axr9nzDq7o6meuTh0Y7BWbfc7d9cnupYGV36dyCqvgfEdnTEO8YF_-s6Jw3JzLfmxX6fhV9rtqGT0yzb_52y_5s8JLbtSZ8cII
https://sun6-23.userapi.com/c240331/u44017378/docs/d3/12830610f737/ResortedMetaphrase.bmp?extra=sJUz3R5N8E8T2U3-Oy6z6Gn4gPEMsBChQOzEqvJr5tl3sIwCWpIO_HTic5PfalDQbPCyxepzGd0O1Iq1W9y2aLpy91N7vAjZoAHfJCxaGS8jPoJgoJhoYvMfs3Q9JUjLDkS7cpeHQl7ZgZOs
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
|
68
db-ip.com(104.26.5.15)
sun6-23.userapi.com(95.142.206.3)
ipinfo.io(34.117.59.81)
agsnv.com(181.214.31.34) - malware
dzen.ru(62.217.160.2)
preconcert.pw(104.21.84.222) - malware
iplogger.org(148.251.234.83) - mailcious
telegram.org(149.154.167.99)
twitter.com(104.244.42.129)
myfilebest.com(104.21.56.98) - malware
cdn.discordapp.com(162.159.133.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
bitbucket.org(104.192.141.1) - malware
ralphkors.top(89.223.65.127) - malware
230809204625331.nes.dtf99.top(94.156.35.76) - malware
yandex.ru(77.88.55.88)
api.myip.com(172.67.75.163)
hugersi.com(91.215.85.147) - malware
ironhost.io(104.21.57.237)
sun6-22.userapi.com(95.142.206.2)
www.maxmind.com(104.18.145.235)
vk.com(87.240.137.164) - mailcious
iplis.ru(148.251.234.93) - mailcious
51.89.253.22
148.251.234.93 - mailcious
194.169.175.128 - mailcious
104.18.145.235
181.214.31.34 - malware
104.192.141.1 - mailcious
91.215.85.147 - malware
77.91.68.238 - malware
89.223.65.127 - malware
62.217.160.2
104.26.5.15
179.43.158.2
5.255.255.77
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.166
172.67.193.129
104.21.56.98
121.254.136.18
87.240.132.67 - mailcious
34.117.59.81
94.156.253.187 - malware
148.251.234.83
213.180.204.24
104.21.84.222 - malware
45.9.74.80 - malware
194.169.175.232 - malware
176.123.9.142 - mailcious
94.142.138.113 - mailcious
185.225.73.32 - mailcious
87.240.132.78 - mailcious
162.159.129.233 - malware
45.15.156.229 - mailcious
172.67.75.163
104.26.4.15
95.142.206.3
95.142.206.2
95.142.206.1 - mailcious
95.142.206.0 - mailcious
104.244.42.193 - suspicious
87.121.221.58 - malware
94.142.138.131 - mailcious
|
34
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.pw domain - Likely Hostile
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET HUNTING Suspicious services.exe in URI
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
16
http://45.15.156.229/api/firegate.php
http://hugersi.com/dl/6523.exe
http://45.15.156.229/api/tracemap.php
http://94.142.138.131/api/firecom.php
http://45.9.74.80/ummaa.exe
http://94.142.138.113/api/firegate.php
http://77.91.68.238/info/fotos894.exe
http://87.121.221.58/g.exe
http://94.156.253.187/download/WWW14_n.exe
http://94.142.138.131/api/tracemap.php
http://193.42.32.118/api/tracemap.php
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
http://45.9.74.80/super.exe
http://myfilebest.com/order/set17.exe
http://94.142.138.113/api/tracemap.php
https://preconcert.pw/setup294.exe
|
5.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8870 |
2023-09-06 09:54
|
http://bag.itunes.apple.com
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://bag.itunes.apple.com/
|
2
bag.itunes.apple.com(104.76.96.30)
104.76.96.30
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
|
|
4.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8871 |
2023-09-06 09:52
|
 .ACTIVATED.txt.ps1 a11d9710bf81fe62ed4ff6c69636c5ad
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://www.kbproducciones.com/.TEAK/.N1.jpg
https://www.kbproducciones.com/.TEAK/.M1.jpg
|
2
www.kbproducciones.com(50.63.15.171) - mailcious
50.63.15.171 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8872 |
2023-09-06 09:51
|
drumbod.vbs 74a00f5a6e6e6bcc963663701807acdc
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://94.156.253.116/idunknow.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8873 |
2023-09-06 09:50
|
 .ACTIVATED.txt.ps1 52c1304716cc38ab39a67edd91fe67b5
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://exploraretail.com/.TEAK/.M1.jpg
https://exploraretail.com/.TEAK/.N1.jpg
|
2
exploraretail.com(166.62.39.46) - mailcious
166.62.39.46 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8874 |
2023-09-06 09:49
|
odumodu.vbs 5094e3280f7ed666d18eb0147d7eb956
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://94.156.253.247/abachauba.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8875 |
2023-09-06 09:48
|
four.vbs 6a5cd526ba942ae59c401d41fec11d86
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
https://mail.isellemails.com/MediaLight/uploads/9e730e472a31e6458.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.18
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8876 |
2023-09-06 09:47
|
 ofertaprezi.pdf 736f8c7459170ca6818e5ca06c440711
PDF |
|
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8877 |
2023-09-06 09:47
|
 sicilyzx.exe a2937fddd1379478133891a580f8fb53
.NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.telegram.org(149.154.167.220)
149.154.167.220
|
4
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
|
|
9.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8878 |
2023-09-06 09:45
|
 .ACTIVATED.txt.ps1 63e6f6e9b68f39153e5651094fabb3b0
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://christianyouthforum.org/.TEAK/.M1.jpg
https://christianyouthforum.org/.TEAK/.N1.jpg
|
2
christianyouthforum.org(159.69.57.8)
159.69.57.8
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8879 |
2023-09-06 07:51
|
 calc2.exe 3b17576498da3c209ab711888ef5c66a
Malicious Library PE File PE32 VirusTotal Malware PDB DNS |
|
1
|
|
|
2.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8880 |
2023-09-06 07:49
|
 calc2.exe b83c9bd78a155d87c4322ce35cbc24ba
Malicious Library PE File PE32 VirusTotal Malware PDB DNS |
|
2
87.240.129.133 - mailcious
104.26.9.59
|
|
|
3.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|