9196 | 2023-11-01 09:37 | jli.txt.exe | 4a0d3c937e2ecb5ddc198d431901efef | Generic Malware Malicious Library UPX Malicious Packer Antivirus PE File DLL PE32 MZP Format OS Processor Check VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed | 5.0 | | 19 | ZeroCERT
9197 | 2023-11-01 07:48 | build.exe | 908ffa6f05e09995c1d3d51b08ccaa89 | Malicious Library UPX PE File PE32 OS Processor Check unpack itself | 0.8 | M | | ZeroCERT
9198 | 2023-11-01 07:47 | 700.exe | 450783b6304d896d217b0a816a3f4853 | Hide_EXE Suspicious_Script_Bin Malicious Library UPX Socket Http API ScreenShot Escalate priviledges Steal credential HTTP DNS Code injection Internet API KeyLogger AntiDebug AntiVM PE File PE32 MZP Format OS Processor Check Lnk Format GIF Format ZIP Form Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software | 20.2 | M | | ZeroCERT
    URLs (1): https://db-ip.com/demo/home.php?s=175.208.134.152
    Hosts (6): ipinfo.io(34.117.59.81) db-ip.com(104.26.5.15) KXKQBfogIOh.KXKQBfogIOh() 172.67.75.166 91.103.253.146 34.117.59.81
    Signatures (6): ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
9199 | 2023-10-31 20:43 | index.ps1 | d41d8cd98f00b204e9800998ecf8427e | Generic Malware Antivirus unpack itself | 0.4 | | | guest
9200 | 2023-10-31 18:06 | droidlokiiiiiiiiiiiibase64.txt... | 58c5addb4156542d91c8ba18d4acc5d9 | Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory suspicious TLD installed browsers check Browser Email ComputerName DNS Software | 6.2 | | | ZeroCERT
    URLs (1): http://sweetwhore.dolphinair.top/_errorpages/sweetwhore/five/fre.php
    Hosts (2): sweetwhore.dolphinair.top(172.67.135.120) 172.67.135.120
    Signatures (9): ET DNS Query to a *.top domain - Likely Hostile ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP Request to a *.top domain ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
9201 | 2023-10-31 18:01 | JDS.vbs | 16c6922f713e35f485266c858eeeb038 | wscript.exe payload download Tofsee | 2.2 | M | | ZeroCERT
    URLs (1):
    Hosts (2): paste.ee(172.67.187.200) - mailcious 172.67.187.200 - mailcious
    Signatures (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9202 | 2023-10-31 17:59 | HTMLbrowserHistoryCleanerhta.d... | a5e653641362ac4e0fae2c211a6fd38d | MS_RTF_Obfuscation_Objects RTF File doc RWX flags setting exploit crash Tofsee Exploit crashed | 1.8 | M | | ZeroCERT
    Hosts (2): toss.is(45.33.42.226) - mailcious 45.33.42.226 - mailcious
    Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA Applayer Wrong direction first Data
9203 | 2023-10-31 17:57 | MSS.vbs | 95ef971ad0bbdace8a049b8b59ddd0e8 | wscript.exe payload download Tofsee | 2.2 | M | | ZeroCERT
    URLs (1):
    Hosts (2): paste.ee(104.21.84.67) - mailcious 172.67.187.200 - mailcious
    Signatures (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9204 | 2023-10-31 17:53 | skx0IG9.exe | 622018aa5fdba418e8aac635cc49a57e | .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself | 2.0 | M | 28 | ZeroCERT
9205 | 2023-10-31 17:51 | HRE.vbs | dd68aaf78901710759406c19281e1d6b | VirusTotal Malware wscript.exe payload download Tofsee | 2.6 | M | 7 | ZeroCERT
    URLs (1):
    Hosts (2): paste.ee(172.67.187.200) - mailcious 172.67.187.200 - mailcious
    Signatures (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9206 | 2023-10-31 17:49 | clip.exe | b19c968d8ef12e145edacf8578f3440b | Themida Packer Generic Malware Malicious Library PE File PE64 VirusTotal Malware unpack itself Windows crashed | 2.6 | M | 28 | ZeroCERT
9207 | 2023-10-31 17:47 | lowkeeeeeFile.hta | 393385547048586dc9eac0ba496b5c6a | Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key | 11.6 | M | 15 | ZeroCERT
    URLs (2): https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg http://185.254.37.174/droidlokiiiiiiiiiiiibase64.txt
    Hosts (3): imageupload.io(104.21.83.102) - malware 185.196.8.176 - malware 104.21.83.102 - malware
    Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9208 | 2023-10-31 17:47 | pablozx.exe | d1a01eb4380c0b5afecf2a8e2dc8902f | Formbook AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities AppData folder Windows | 11.2 | M | 20 | ZeroCERT
    URLs (2): http://www.alkemymedia.com/o6g2/?T6hH=TcJYskQeIEqvLoDqB2cxRl9kId57yTXFVFAzbVPo9SRnnSNvkE6PeNWURLP+oM0+OEqqsFHA&wPT=mf5T http://www.maurice-paetzold.com/o6g2/?T6hH=MnMOobRyqH3XeIZSi0NOa/chdJyQ39ZlT6TVPdZ+J13HVMjUNzv4ngmdbhRoHvqCPt2c+K/j&wPT=mf5T
    Hosts (5): www.alkemymedia.com(3.33.152.147) www.maurice-paetzold.com(81.169.145.151) www.joannamulderlcpc.online() 81.169.145.151 - mailcious 3.33.152.147 - mailcious
    Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
9209 | 2023-10-31 17:46 | XLARFQ77802578790.pdf.hta | 9f5447784eb960df0833273eded3324c | Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed | 11.8 | M | 17 | ZeroCERT
    URLs (2): https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg http://185.254.37.174/cuzinebase64bxjhgvhsj.txt
    Hosts (2): imageupload.io(104.21.83.102) - malware 104.21.83.102 - malware
    Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
9210 | 2023-10-31 17:45 | abd.exe | b6d627dcf04d04889b1f01a14ec12405 | Amadey Browser Login Data Stealer Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 JPEG Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Windows Browser ComputerName DNS Software | 12.4 | M | 52 | ZeroCERT
    URLs (4): http://185.196.8.176/7jshasdS/Plugins/clip64.dll - rule_id: 37685 http://185.196.8.176/7jshasdS/Plugins/cred64.dll - rule_id: 37684 http://185.196.8.176/7jshasdS/index.php?scr=1 - rule_id: 37683 http://185.196.8.176/7jshasdS/index.php - rule_id: 37683
    Hosts (1):
    Signatures (4): ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Amadey Bot Activity (POST) M1
    URLs, second list (4): http://185.196.8.176/7jshasdS/Plugins/clip64.dll http://185.196.8.176/7jshasdS/Plugins/cred64.dll http://185.196.8.176/7jshasdS/index.php http://185.196.8.176/7jshasdS/index.php