| 9316 |
2023-10-25 16:50
|
 up.ps1 21440931518ff0df59af9b94e52a7c84
Lnk Format GIF Format VirusTotal Malware powershell AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
4
www.dropbox.com(162.125.84.18) - mailcious
ambjulio.com(62.72.22.30) - mailcious
62.72.22.30 - mailcious
162.125.84.18 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9317 |
2023-10-25 16:42
|
 logsconversationtelegramgukiws... 12e353c522471d522f64e0c3541a1b7d
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM WriteConsoleW |
1
https://raw.githubusercontent.com/btse3/2410/main/about.md
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9318 |
2023-10-25 13:55
|
 xK9nHGYUpDXC.exe b5953f71d7caba8a79db276bc0d15b55
AsyncRAT task schedule Downloader Malicious Library UPX Malicious Packer .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDe VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
5.6 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9319 |
2023-10-25 13:52
|
qasx.vbs ff2a2bc8850b1ad61236bd460eb61e01
Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee EXPLOIT_KIT Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://193.42.33.51/myn.txt
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
|
3
imageupload.io(104.21.83.102) - malware
172.67.222.26 - malware
193.42.33.51 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
15.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9320 |
2023-10-25 13:52
|
 SAN.txt.exe 6bdb7a11d0eaa407e7a7f34d794fb567
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS crashed |
|
4
api.ipify.org(64.185.227.156)
api.telegram.org(149.154.167.220)
173.231.16.77
149.154.167.220
|
6
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
4.6 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9321 |
2023-10-25 13:33
|
 MAH.txt.exe 7ea06a0e6c1e5707a23364ae6984b4f3
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
4
api.ipify.org(104.237.62.212)
api.telegram.org(149.154.167.220)
64.185.227.156
149.154.167.220
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
5.2 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9322 |
2023-10-25 13:32
|
IGCC.vbs 42bc2a9470984d793673d9aae1a933b8
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://192.3.232.37/windows/HMT.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9323 |
2023-10-25 13:32
|
 KK.txt.ps1 671cd3920752aa4da1d0d0130fb79085
Generic Malware Antivirus VirusTotal Malware powershell Check memory unpack itself powershell.exe wrote WriteConsoleW Windows Cryptographic key |
1
http://194.180.48.14:222/.RTX/cod.pdf
|
|
|
|
2.8 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9324 |
2023-10-25 13:19
|
HTMLobject.vbs 74a3ea36669a5bdbeff3775545527a92
LokiBot Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
http://141.98.6.91/windows/HNB.txt
|
8
mail.egyptscientific.com(192.185.51.90) - mailcious
imageupload.io(172.67.222.26) - malware
api.ipify.org(64.185.227.156)
104.21.83.102
141.98.6.91 - mailcious
192.185.51.90 - mailcious
64.185.227.156
23.67.53.27
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
20.0 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9325 |
2023-10-25 13:18
|
HTMLbrowser.vbs 80c07cfd04a28aa0b03f1396fdf81b2d
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://141.98.6.91/2150/1/MHM.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9326 |
2023-10-25 13:18
|
 HNB.txt.exe 43ec3cc0836bd759260e8cf120b79a7b
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
mail.egyptscientific.com(192.185.51.90) - mailcious
api.ipify.org(64.185.227.156)
192.185.51.90 - mailcious
104.237.62.212
23.209.95.50
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
8.0 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9327 |
2023-10-25 12:19
|
Comprobante_transfer.pdf.js c8bb8a34766ec04c304597c76d179f4b
ActiveXObject VirusTotal Malware wscript.exe payload download Check virtual network interfaces Tofsee DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://pastebin.com/raw/NVAgzFRR - rule_id: 35284
https://wtools.io/code/dl/bOoA
|
5
wtools.io(104.21.6.247) - malware
pastebin.com(104.20.68.143) - mailcious
172.67.135.130 - malware
121.254.136.9
172.67.34.170 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
|
1
https://pastebin.com/raw/NVAgzFRR
|
3.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9328 |
2023-10-25 12:19
|
cod.pdf.vbs b5ef73339bacf531b3d122ebd9509468
Antivirus VirusTotal Malware unpack itself crashed |
|
|
|
|
1.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9329 |
2023-10-25 12:19
|
 bQRH.exe ac63955ca4261eab11b0b3142360d160
njRAT backdoor Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder DNS DDNS |
|
1
dominicananjv.duckdns.org()
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
3.6 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9330 |
2023-10-25 11:22
|
 FX_432661.exe 897af5616bfd6af5b687876924f39ee3
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB Code Injection Checks debugger wscript.exe payload download Creates executable files suspicious process Tofsee crashed |
|
2
m4gx.dns04.com(206.71.149.162)
206.71.149.162 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
|
|
5.4 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|