8866 | 2023-09-06 16:55
gusan.exe | 2bd43c0d8154511c0e587f32867b64e2
Tags: Malicious Library UPX AntiDebug AntiVM OS Processor Check PE File PE32 DLL VirusTotal Malware PDB Code Injection RWX flags setting unpack itself suspicious process AppData folder Remote Code Execution
4.4 | - | 54 | ZeroCERT

8867 | 2023-09-06 16:05
2cfa8e8aaadb6372a5cad4814785bb... | a51fb67b5c13bb54aeb6126c2cadc61b
Tags: Generic Malware Malicious Library UPX Malicious Packer PE File PE32 VirusTotal Malware AutoRuns Creates executable files Windows Remote Code Execution DNS
Hosts (2):
  147.222.227.93
  122.117.253.66
4.4 | - | 65 | guest

8868 | 2023-09-06 14:14
WWW14_n.exe | e8e7a7c1a9b0aba35338c2de4d4bd0af
Tags: PrivateLoader Amadey RedLine Infostealer RedLine stealer Generic Malware Malicious Library UPX VMProtect .NET framework(MSIL) Confuser .NET Malicious Packer PWS SMTP AntiDebug AntiVM PE File PE64 OS Processor Check PE32 .NET EXE DLL wget Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization IP Check installed browsers check PrivateLoader Tofsee Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (24):
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://45.9.74.80/super.exe - rule_id: 36063
  http://230809204625331.nes.dtf99.top/f/fikim0809331.exe - rule_id: 36062
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://45.9.74.80/ummaa.exe - rule_id: 36186
  http://red.mk/netTime.exe - rule_id: 36187
  http://45.15.156.229/api/firegate.php - rule_id: 36052
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://193.42.32.118/api/tracemap.php - rule_id: 36180
  http://www.maxmind.com/geoip/v2.1/city/me
  http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
  http://45.9.74.80/toolspub2.exe - rule_id: 36066
  https://preconcert.pw/setup294.exe - rule_id: 36162
  https://sun6-23.userapi.com/c909618/u44017378/docs/d58/7bf5e3bbbea6/Synapse.bmp?extra=mzMMk3WSUR9nXjlWZ6cDWS8uZXnpeH5HFoj4k-neSMlSwedoZanNxQoG3h1Fl180ZYqPy_dIeBEOfQRiGTKUc2qv1mDlwQ6hq_BjfKmI04Adw-GHSVg0utmIeVwn4vFkEZ55FEGR_EeCU6su
  https://psv4.userapi.com/c235131/u44017378/docs/d5/fdcd3504e8e2/red.bmp?extra=jTIQRXaPDO1NXMmXQzzFrL0w8M0Aux3xQ53jP9K5Av5remAWM4J7b2bi3isiBFlCsp9FQNBSHuz3j5e9qdLEiiiGgHwS2dsPjt2cu0sirG6iWFSzreqm7rUEnldpiXUhrfN3QUEmNd-PGjtX
  https://api.myip.com/
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://sun6-20.userapi.com/c909618/u44017378/docs/d36/4045d7e5e2af/PL_Client.bmp?extra=41RYXiYdonWnWPYwQIzl_E40YzLt9e-a585sYDB48TJ1guOgXM82khcH113VcyDUy1qRwuEub4FUsSEnl5OfhF82khtCO4eGvfgR1-OEX6MePbBwAaiux-eLDXjut3NIRQnlEpVeZ_pbxMeI
  https://psv4.userapi.com/c909328/u44017378/docs/d1/0a7c8509d5a4/setup.bmp?extra=P2d8Fo57PDhjSbNAarsgzs7s47HfESup6nA9QPs2Jx9jlMkoKc6DXgshHhytmelgvUOzcd0WK42AeucPRw8quv3aFraVcKsYb_UHW5Cd0JUYBJDa80M3IYxPpdUAHDMFCB4T3ofEtFx6cwIp
  https://sun6-21.userapi.com/c235131/u44017378/docs/d58/b5d7bd164765/tmvwr.bmp?extra=MOoJ_YAgLF-1um3Me5WawUQVtSpNdXdk4O4HjEHIoEJYoGofA_i-K7joq0CWxFxZ_12PJ_jQLkx1WwKPGJ02adtFNG4_nnXRhcuoM-7EcVqjywc84Edq559VzCTblgn2fgdwqBZ5N-BoxmH6
  https://sun6-21.userapi.com/c909628/u44017378/docs/d11/1a3013098cbf/WWW1.bmp?extra=xgcuwlyssMW5fhehD936AqhRSGL9n6WAhvJJzjwcFZ3WMiE8xWxO3qKhr9_8jnDUTj1l3e5eKgd9DPl2hGHNRQsMstXoksgW-4kZoEzSOKif1Txq8vuSgC4s2KKLAdrZ_tDy6XI04Nl-lgHm
  https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36188
  https://psv4.userapi.com/c909328/u44017378/docs/d20/504a645fbcf0/3c8fttmg7n06dp.bmp?extra=nwBZ3AcWEYYSVAyNH3mk248SL5RSBNJDVe69N37eANsig_2_ecdHjz4OT6WcpyvVgAKIctZPELhQbJdVOBqe4OR66kMAtIyuFDxX2XlhP2KRT5d0TVgW8q7aU98EF1IW99b0I6cDT-cHsiy9
Hosts (42):
  preconcert.pw(172.67.197.101) - malware
  230809204625331.nes.dtf99.top(94.156.35.76) - malware
  db-ip.com(104.26.5.15)
  psv4.userapi.com(87.240.190.76)
  api.db-ip.com(172.67.75.166)
  api.myip.com(104.26.8.59)
  www.maxmind.com(104.18.146.235)
  iplis.ru(148.251.234.93) - malicious
  ironhost.io(172.67.193.129)
  ipinfo.io(34.117.59.81)
  sergejbukotko.com(104.21.59.53) - malware
  sun6-23.userapi.com(95.142.206.3)
  sun6-20.userapi.com(95.142.206.0) - malicious
  vk.com(93.186.225.194) - malicious
  sun6-21.userapi.com(95.142.206.1) - malicious
  red.mk(141.95.126.89) - malware
  148.251.234.93 - malicious
  95.142.206.0 - malicious
  104.18.145.235
  172.67.197.101
  104.26.5.15
  179.43.158.2
  208.67.104.60 - malicious
  87.240.190.76
  176.123.9.85 - malicious
  193.42.32.118 - malicious
  172.67.75.166
  172.67.193.129
  172.67.75.163
  34.117.59.81
  172.67.214.144 - malware
  141.95.126.89 - malware
  45.9.74.80 - malware
  94.142.138.131 - malicious
  185.225.73.32 - malicious
  45.15.156.229 - malicious
  95.142.206.3
  95.142.206.1 - malicious
  23.67.53.17
  87.240.132.78 - malicious
  185.225.74.51 - malicious
  87.240.132.72 - malicious
Signatures (27):
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET DNS Query to a *.pw domain - Likely Hostile
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  ET INFO TLS Handshake Failure
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
  ET DNS Query to a *.top domain - Likely Hostile
  ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
  ET INFO HTTP Request to a *.top domain
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
URLs matching a rule (13):
  http://94.142.138.131/api/firegate.php
  http://45.9.74.80/super.exe
  http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
  http://45.15.156.229/api/tracemap.php
  http://45.9.74.80/ummaa.exe
  http://red.mk/netTime.exe
  http://45.15.156.229/api/firegate.php
  http://94.142.138.131/api/tracemap.php
  http://193.42.32.118/api/tracemap.php
  http://45.9.74.80/0bjdn2Z/index.php
  http://45.9.74.80/toolspub2.exe
  https://preconcert.pw/setup294.exe
  https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe
24.4 | M | 44 | ZeroCERT

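As an added example that is not part of this listing and not the sandbox's own tooling, the Python below turns the host and URL columns of record 8868 into a blocklist and runs it over a few constructed proxy/DNS log lines. The host and URL entries are copied from the record above (a subset, to keep the block short); the log lines, their "timestamp client verb target status" format, and the tag precedence (malware over malicious over suspicious over merely observed) are assumptions made for the example.

```python
"""Added example: build a blocklist from a sandbox listing's host and URL
columns and match it against proxy/DNS log lines. Not the sandbox's own code."""
import re
from urllib.parse import urlsplit

# Host entries copied from record 8868's host column. Page format:
# "domain(resolved_ip) - tag" or "ip - tag"; entries with no tag were only
# observed (IP-lookup services the stealer uses for geolocation).
HOSTS_8868 = """
preconcert.pw(172.67.197.101) - malware
230809204625331.nes.dtf99.top(94.156.35.76) - malware
db-ip.com(104.26.5.15)
api.myip.com(104.26.8.59)
red.mk(141.95.126.89) - malware
45.9.74.80 - malware
94.142.138.131 - malicious
45.15.156.229 - malicious
"""

# URL entries copied from the same record; "- rule_id: N" marks URLs that
# matched a signature in the sandbox.
URLS_8868 = """
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.9.74.80/super.exe - rule_id: 36063
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
https://preconcert.pw/setup294.exe - rule_id: 36162
"""

# Constructed log lines (assumed format: "<ts> <client> <verb> <target> <status>").
LOG_LINES = """
2023-09-06T14:14:01 10.0.0.5 DNS preconcert.pw -
2023-09-06T14:14:02 10.0.0.5 GET https://preconcert.pw/setup294.exe 200
2023-09-06T14:14:03 10.0.0.5 GET http://45.9.74.80/super.exe 200
2023-09-06T14:14:04 10.0.0.5 GET http://apps.identrust.com/roots/dstrootcax3.p7c 200
2023-09-06T14:14:05 10.0.0.5 DNS api.myip.com -
2023-09-06T14:14:06 10.0.0.7 GET https://www.example.com/index.html 200
2023-09-06T14:14:07 10.0.0.7 CONNECT 94.142.138.131:443 -
"""

HOST_RE = re.compile(r"^(?P<name>[^\s(]+)(?:\((?P<ip>[\d.]+)\))?(?:\s*-\s*(?P<tag>\w+))?$")
URL_RE = re.compile(r"^(?P<url>\S+)(?:\s*-\s*rule_id:\s*(?P<rule>\d+))?$")

# Assumed precedence when the same indicator carries different tags.
SEVERITY = {"observed": 0, "suspicious": 1, "malicious": 2, "malware": 3}


def parse_hosts(text):
    """Map each domain and each resolved IP to its tag ('observed' if none)."""
    tags = {}
    for line in text.strip().splitlines():
        m = HOST_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed host entry: {line!r}")
        tag = m["tag"] or "observed"
        for key in (m["name"].lower(), m["ip"]):
            if key and SEVERITY.get(tag, 1) >= SEVERITY.get(tags.get(key, "observed"), 0):
                tags[key] = tag
    return tags


def parse_urls(text):
    """Map each URL to its rule id, or None when the sandbox flagged no rule."""
    rules = {}
    for line in text.strip().splitlines():
        m = URL_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed URL entry: {line!r}")
        rules[m["url"]] = int(m["rule"]) if m["rule"] else None
    return rules


def host_of(target):
    """Reduce a URL, host:port or bare host to its host part (IPv4 only)."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def scan_log(lines, host_tags, url_rules):
    """Return (timestamp, client, host, verdict) for each line that hits.

    A verbatim URL match with a rule id is the strongest verdict; otherwise the
    host or IP tag decides. 'observed'-only hosts (IP-lookup services) are
    skipped: they are legitimate services the malware merely uses.
    """
    hits = []
    for line in lines.strip().splitlines():
        ts, client, _verb, target, _status = line.split()
        rule = url_rules.get(target)
        if rule is not None:
            verdict = f"url rule_id:{rule}"
        else:
            tag = host_tags.get(host_of(target), "observed")
            if tag == "observed":
                continue
            verdict = f"host {tag}"
        hits.append((ts, client, host_of(target), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES, parse_hosts(HOSTS_8868), parse_urls(URLS_8868)):
        print(*hit)
```

The Let's Encrypt / IdenTrust root fetch and the api.myip.com lookup are deliberately not reported: both appear in the listing because the sample touched them, but blocking them would produce false positives on any host that validates certificates or checks its public IP. Feed the full host and URL columns of a record into the two constants to get the complete blocklist.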
8869 | 2023-09-06 14:03
setup_pass.7z | 1860765426cb420e321b2511a3c2652d
Tags: PrivateLoader Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows Discord RisePro Trojan DNS Downloader
URLs (35):
  http://45.15.156.229/api/firegate.php - rule_id: 36052
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://94.142.138.131/api/firecom.php - rule_id: 36179
  http://45.9.74.80/ummaa.exe - rule_id: 36186
  http://94.142.138.113/api/firegate.php - rule_id: 36152
  http://77.91.68.238/info/fotos894.exe - rule_id: 36160
  http://87.121.221.58/g.exe - rule_id: 35764
  http://94.156.253.187/download/WWW14_n.exe - rule_id: 36185
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://193.42.32.118/api/tracemap.php - rule_id: 36180
  http://www.maxmind.com/geoip/v2.1/city/me
  http://230809204625331.nes.dtf99.top/f/fikim0809331.exe - rule_id: 36062
  http://45.9.74.80/super.exe - rule_id: 36063
  http://myfilebest.com/order/set17.exe - rule_id: 36161
  http://94.142.138.113/api/tracemap.php - rule_id: 28877
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://vk.com/doc44017378_668916923?hash=sOYzznQFdvahBVyVjkbZnzPi3TCGlZg6RM6IHhJTZtL&dl=WPCbPohX0oULQzTqTTGTJNQWxrKyDARUvPHJcYJtGbP&api=1&no_preview=1#qq
  https://sun6-21.userapi.com/c909628/u44017378/docs/d11/1a3013098cbf/WWW1.bmp?extra=xgcuwlyssMW5fhehD936AqhRSGL9n6WAhvJJzjwcFZ3WMiE8xWxO3qKhr9_8jnDUTj1l3e5eKgd9DPl2hGHNRQsMstXoksgW-4kZoEzSOKif1Txq8PmSgC4s2KKLAdrZ-IWl7XcwtYoplwO1
  https://vk.com/doc44017378_668903345?hash=Zaetqx11oeFBdkWDjedCOItoPTbkAjFxDdmH7zuyJRo&dl=y4MBsDhjAnxnZdtJN2fzh9BSudm5oc4mHzNl4ImM7J0&api=1&no_preview=1#1
  https://preconcert.pw/setup294.exe - rule_id: 36162
  https://vk.com/doc44017378_668916984?hash=z1dD7zDOKf4ZPQJxQGiBgAjggkhOTKzwGcbzPqETlMz&dl=qmY4pwWN7rzbugtcn7O1yC8XQAj2CqQOYWt2YS9MT9s&api=1&no_preview=1#9f
  https://sun6-20.userapi.com/c909228/u44017378/docs/d21/7ad101a96b02/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=XXZOHqfnMq17vouPpzTFs3JuQrmoHXmTSMlflvAzh2GLImsRHfMz9eBd4CuMjz8ELbdw9smSs0DnbidzeGfroV0r-b9IgDwMl_TlfFZuryV19PDmHTTp_h0wGXPgYU4pHWQ3GNoEpMFPQLfl
  https://sun6-23.userapi.com/c240331/u44017378/docs/d40/efd676633f21/test2.bmp?extra=7Tl2Y-CX-JxiRCYulouwERP3ItXHBJDXxyoPj0iVEHSIa9hZ7xvFnG2fGentCZSFBhCQxO-UxYGoZHq-WfhVsGNzMCnfmCbfx4QRc17JBaevHEahprxnIt83DzE8XokOPOHZg2UjY8lhxjkL
  https://db-ip.com/
  https://sun6-23.userapi.com/c909218/u44017378/docs/d31/28287d82e701/3.bmp?extra=Eia0Z52O_QfMzxBphvQv2mAhSnbUD5gztBKz2S-85eW2DofIDB-aCKBuZ393oBZW0tDYKH9h7atpaV_aJBQybspAkUHNC-pEe72vNCg8Kk1iD_XA5Um1USzPPozdvJvAOg3vHT-D_AIed8L2
  https://dzen.ru/?yredirect=true
  https://sun6-20.userapi.com/c909618/u44017378/docs/d36/4045d7e5e2af/PL_Client.bmp?extra=41RYXiYdonWnWPYwQIzl_E40YzLt9e-a585sYDB48TJ1guOgXM82khcH113VcyDUy1qRwuEub4FUsSEnl5OfhF82khtCO4eGvfgR1-OEX6MePbBwA6qux-eLDXjut3NIGwniEJcDMP8LnpSO
  https://sun6-21.userapi.com/c235131/u44017378/docs/d58/b5d7bd164765/tmvwr.bmp?extra=MOoJ_YAgLF-1um3Me5WawUQVtSpNdXdk4O4HjEHIoEJYoGofA_i-K7joq0CWxFxZ_12PJ_jQLkx1WwKPGJ02adtFNG4_nnXRhcuoM-7EcVqjywc84kVq559VzCTblgn2fgMn9BIrYrs9lDH_
  https://sso.passport.yandex.ru/push?uuid=1c2cbbd3-3e8d-405c-9ea3-cfda8d7fc41e&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
  https://sun6-23.userapi.com/c909618/u44017378/docs/d58/7bf5e3bbbea6/Synapse.bmp?extra=mzMMk3WSUR9nXjlWZ6cDWS8uZXnpeH5HFoj4k-neSMlSwedoZanNxQoG3h1Fl180ZYqPy_dIeBEOfQRiGTKUc2qv1mDlwQ6hq_BjfKmI04Adw-GHS1o0utmIeVwn4vFkEZ17GUfHoBCOUPhw
  https://sun6-22.userapi.com/c240331/u44017378/docs/d38/3cdd8ad7ce1f/crypted.bmp?extra=oWgEqzAKAoeJqXlNWcq1L2Twro57C2oqwpXLM14hc75rg4Axr9nzDq7o6meuTh0Y7BWbfc7d9cnupYGV36dyCqvgfEdnTEO8YF_-s6Jw3JzLfmxX6fhV9rtqGT0yzb_52y_5s8JLbtSZ8cII
  https://sun6-23.userapi.com/c240331/u44017378/docs/d3/12830610f737/ResortedMetaphrase.bmp?extra=sJUz3R5N8E8T2U3-Oy6z6Gn4gPEMsBChQOzEqvJr5tl3sIwCWpIO_HTic5PfalDQbPCyxepzGd0O1Iq1W9y2aLpy91N7vAjZoAHfJCxaGS8jPoJgoJhoYvMfs3Q9JUjLDkS7cpeHQl7ZgZOs
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
Hosts (68):
  db-ip.com(104.26.5.15)
  sun6-23.userapi.com(95.142.206.3)
  ipinfo.io(34.117.59.81)
  agsnv.com(181.214.31.34) - malware
  dzen.ru(62.217.160.2)
  preconcert.pw(104.21.84.222) - malware
  iplogger.org(148.251.234.83) - malicious
  telegram.org(149.154.167.99)
  twitter.com(104.244.42.129)
  myfilebest.com(104.21.56.98) - malware
  cdn.discordapp.com(162.159.133.233) - malware
  sun6-20.userapi.com(95.142.206.0) - malicious
  api.db-ip.com(104.26.5.15)
  sun6-21.userapi.com(95.142.206.1) - malicious
  sso.passport.yandex.ru(213.180.204.24)
  bitbucket.org(104.192.141.1) - malware
  ralphkors.top(89.223.65.127) - malware
  230809204625331.nes.dtf99.top(94.156.35.76) - malware
  yandex.ru(77.88.55.88)
  api.myip.com(172.67.75.163)
  hugersi.com(91.215.85.147) - malware
  ironhost.io(104.21.57.237)
  sun6-22.userapi.com(95.142.206.2)
  www.maxmind.com(104.18.145.235)
  vk.com(87.240.137.164) - malicious
  iplis.ru(148.251.234.93) - malicious
  51.89.253.22
  148.251.234.93 - malicious
  194.169.175.128 - malicious
  104.18.145.235
  181.214.31.34 - malware
  104.192.141.1 - malicious
  91.215.85.147 - malware
  77.91.68.238 - malware
  89.223.65.127 - malware
  62.217.160.2
  104.26.5.15
  179.43.158.2
  5.255.255.77
  149.154.167.99 - malicious
  193.42.32.118 - malicious
  172.67.75.166
  172.67.193.129
  104.21.56.98
  121.254.136.18
  87.240.132.67 - malicious
  34.117.59.81
  94.156.253.187 - malware
  148.251.234.83
  213.180.204.24
  104.21.84.222 - malware
  45.9.74.80 - malware
  194.169.175.232 - malware
  176.123.9.142 - malicious
  94.142.138.113 - malicious
  185.225.73.32 - malicious
  87.240.132.78 - malicious
  162.159.129.233 - malware
  45.15.156.229 - malicious
  172.67.75.163
  104.26.4.15
  95.142.206.3
  95.142.206.2
  95.142.206.1 - malicious
  95.142.206.0 - malicious
  104.244.42.193 - suspicious
  87.121.221.58 - malware
  94.142.138.131 - malicious
Signatures (34):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SURICATA Applayer Mismatch protocol both directions
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DNS Query to a *.pw domain - Likely Hostile
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
  ET INFO HTTP Request to a *.top domain
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET INFO EXE - Served Attached HTTP
  ET INFO TLS Handshake Failure
  ET HUNTING Suspicious services.exe in URI
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
URLs matching a rule (16):
  http://45.15.156.229/api/firegate.php
  http://hugersi.com/dl/6523.exe
  http://45.15.156.229/api/tracemap.php
  http://94.142.138.131/api/firecom.php
  http://45.9.74.80/ummaa.exe
  http://94.142.138.113/api/firegate.php
  http://77.91.68.238/info/fotos894.exe
  http://87.121.221.58/g.exe
  http://94.156.253.187/download/WWW14_n.exe
  http://94.142.138.131/api/tracemap.php
  http://193.42.32.118/api/tracemap.php
  http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
  http://45.9.74.80/super.exe
  http://myfilebest.com/order/set17.exe
  http://94.142.138.113/api/tracemap.php
  https://preconcert.pw/setup294.exe
5.0 | M | - | ZeroCERT

8870 | 2023-09-06 09:54
http://bag.itunes.apple.com
Tags: Downloader Create Service Socket P2P DGA Steal credential Http API Escalate privileges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1):
  http://bag.itunes.apple.com/
Hosts (2):
  bag.itunes.apple.com(104.76.96.30)
  104.76.96.30
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA HTTP unable to match response to request
4.8 | - | - | guest

8871 | 2023-09-06 09:52
.ACTIVATED.txt.ps1 | a11d9710bf81fe62ed4ff6c69636c5ad
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://www.kbproducciones.com/.TEAK/.N1.jpg
  https://www.kbproducciones.com/.TEAK/.M1.jpg
Hosts (2):
  www.kbproducciones.com(50.63.15.171) - malicious
  50.63.15.171 - malicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.4 | M | 16 | ZeroCERT

8872 | 2023-09-06 09:51
drumbod.vbs | 74a00f5a6e6e6bcc963663701807acdc
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
  http://94.156.253.116/idunknow.txt
Hosts (3):
  uploaddeimagens.com.br(104.21.45.138) - malware
  121.254.136.9
  172.67.215.45 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 3 | ZeroCERT

8873 | 2023-09-06 09:50
.ACTIVATED.txt.ps1 | 52c1304716cc38ab39a67edd91fe67b5
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://exploraretail.com/.TEAK/.M1.jpg
  https://exploraretail.com/.TEAK/.N1.jpg
Hosts (2):
  exploraretail.com(166.62.39.46) - malicious
  166.62.39.46 - malicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 11 | ZeroCERT

8874 | 2023-09-06 09:49
odumodu.vbs | 5094e3280f7ed666d18eb0147d7eb956
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
  http://94.156.253.247/abachauba.txt
Hosts (3):
  uploaddeimagens.com.br(104.21.45.138) - malware
  121.254.136.9
  104.21.45.138 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 8 | ZeroCERT

8875 | 2023-09-06 09:48
four.vbs | 6a5cd526ba942ae59c401d41fec11d86
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
  https://mail.isellemails.com/MediaLight/uploads/9e730e472a31e6458.txt
Hosts (3):
  uploaddeimagens.com.br(104.21.45.138) - malware
  121.254.136.18
  104.21.45.138 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | - | 3 | ZeroCERT

8876 | 2023-09-06 09:47
ofertaprezi.pdf | 736f8c7459170ca6818e5ca06c440711
Tags: PDF
- | - | - | ZeroCERT

8877 | 2023-09-06 09:47
sicilyzx.exe | a2937fddd1379478133891a580f8fb53
Tags: .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName DNS Software crashed
Hosts (2):
  api.telegram.org(149.154.167.220)
  149.154.167.220
Signatures (4):
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Telegram API Domain in DNS Lookup
9.6 | - | 13 | ZeroCERT

8878 | 2023-09-06 09:45
.ACTIVATED.txt.ps1 | 63e6f6e9b68f39153e5651094fabb3b0
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://christianyouthforum.org/.TEAK/.M1.jpg
  https://christianyouthforum.org/.TEAK/.N1.jpg
Hosts (2):
  christianyouthforum.org(159.69.57.8)
  159.69.57.8
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | - | 15 | ZeroCERT

8879 | 2023-09-06 07:51
calc2.exe | 3b17576498da3c209ab711888ef5c66a
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB DNS
Hosts (1): (not listed)
2.4 | M | 41 | ZeroCERT

8880 | 2023-09-06 07:49
calc2.exe | b83c9bd78a155d87c4322ce35cbc24ba
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB DNS
Hosts (2):
  87.240.129.133 - malicious
  104.26.9.59
3.2 | M | 32 | ZeroCERT