12001 |
2023-06-23 10:49
|
File_pass1234.7z 517df90c3607b04503a88799117744de Redline PWS Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Trojan DNS |
29
|
53
|
24
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO Dotted Quad Host ZIP Request
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO EXE - Served Attached HTTP
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
|
17
|
7.0 |
M |
|
ZeroCERT
12002 |
2023-06-23 10:34
|
File_pass1234.7z e2ac211f43a2b29f42900b1fba935a42 Redline PWS Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey VirusTotal Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Trojan DNS Downloader |
30
|
54
|
27
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO EXE - Served Attached HTTP
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET INFO TLS Handshake Failure
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
15
|
7.4 |
M |
9 |
ZeroCERT
12003 |
2023-06-23 10:11
|
sdesdesdesdsesdfsdfefsfsdssdse... eecdb787bdf7328b2ebcdc0ab2751e7b MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash Windows Exploit DNS crashed |
1
http://192.3.109.146/256/cleanmgrse.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.0 |
M |
28 |
ZeroCERT
12004 |
2023-06-23 09:19
|
lim.php 6a956b7342f7fbf9f65a969462e85772 Malicious Library DLL PE64 PE File Checks debugger crashed |
|
|
|
|
0.8 |
M |
|
ZeroCERT
12005 |
2023-06-23 09:19
|
sqlite3.dll e53d7ba028f3df8918c7447db0e05df8 UPX Malicious Library ASPack OS Processor Check DLL PE File PE32 VirusTotal Malware Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
13 |
ZeroCERT
12006 |
2023-06-23 09:17
|
vodka.dat 48765724de7c28a9e74eebf2d8feb11f UPX DLL PE File PE32 Check memory Checks debugger unpack itself crashed |
|
|
|
|
1.4 |
|
|
ZeroCERT
12007 |
2023-06-23 09:17
|
vodka.dat ede982f454787f5b0a24bb370dfbf296 UPX DLL PE File PE32 Check memory Checks debugger unpack itself crashed |
|
|
|
|
1.4 |
|
|
ZeroCERT
12008 |
2023-06-23 07:36
|
203decdty8ubl2.exe eef19a1ded4b055516ed0979afa0ad98 UPX Malicious Library ScreenShot AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted WMI RWX flags setting unpack itself WriteConsoleW ComputerName DNS crashed |
|
1
|
|
|
9.8 |
|
31 |
ZeroCERT
12009 |
2023-06-23 07:34
|
kard.exe 86113f7629e68d99871c23161184a003 UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 VirusTotal Malware Telegram MachineGuid Malicious Traffic Check memory Tofsee ComputerName DNS |
3
http://128.140.94.214/74ffb434777462ab45643a4fb8c24501
https://steamcommunity.com/profiles/76561199508624021 - rule_id: 33702
https://t.me/looking_glassbot
|
5
t.me(149.154.167.99) - malicious
steamcommunity.com(104.76.78.101) - malicious
149.154.167.99 - malicious
128.140.94.214
104.76.78.101 - malicious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199508624021
|
4.4 |
M |
57 |
ZeroCERT
12010 |
2023-06-23 07:32
|
pirat.exe d55dd4e79ced52edcbcf5603db6f91af UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 VirusTotal Malware Telegram MachineGuid Malicious Traffic Check memory Tofsee ComputerName DNS |
3
http://128.140.94.214/5e26c4d62e9e0d4d9ffbb86b50401977
https://steamcommunity.com/profiles/76561199508624021 - rule_id: 33702
https://t.me/looking_glassbot
|
5
t.me(149.154.167.99) - malicious
steamcommunity.com(104.76.78.101) - malicious
149.154.167.99 - malicious
128.140.94.214
104.76.78.101 - malicious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199508624021
|
4.4 |
M |
55 |
ZeroCERT
12011 |
2023-06-23 07:31
|
IqXYLXKzl6.exe 076569d51c616ec2446a2e6b85205764 PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.6 |
|
28 |
ZeroCERT
12012 |
2023-06-22 19:36
|
https://www.itsapi.top 9ea57b22677bef51eadaafdc317cbc00 PWS Downloader Create Service DGA Socket DNS Steal credential Hijack Network Code injection HTTP Sniff Audio Http API Internet API ScreenShot Escalate privileges P2P persistence FTP KeyLogger AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs suspicious TLD Tofsee Windows Exploit DNS crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
www.itsapi.top(172.67.191.51)
172.67.191.51
23.50.121.153
|
3
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
guest
12013 |
2023-06-22 17:45
|
soft.exe fb374beeac9dbd0ce642063538e54cc6 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ipify.org(104.237.62.211)
91.235.128.141 - malicious
104.237.62.211
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
M |
39 |
ZeroCERT
12014 |
2023-06-22 17:43
|
chamberszx.exe 64928914be4ab456e1121004c886e8ba PWS .NET framework(MSIL) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
2
cp5ua.hyperhost.ua(91.235.128.141) - malicious
91.235.128.141 - malicious
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
M |
27 |
ZeroCERT
12015 |
2023-06-22 17:41
|
.NetFramework.exe b8bee86a938a8b2245aa9343077958a6 Formbook UltraVNC UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed |
8
|
11
|
3
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE FormBook CnC Checkin (POST) M2
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
9.6 |
M |
29 |
ZeroCERT