12151 |
2023-06-18 12:16
|
Pagamento (1).doc 8c390292fb5916ec70e5c64016675687 PWS VBA_macro Generic Malware task schedule Downloader Antivirus DNS Code injection Sniff Audio ScreenShot KeyLogger AntiDebug AntiVM MSOffice File PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName Cryptographic key crashed |
1
https://firebasestorage.googleapis.com/v0/b/fir-8c14f.appspot.com/o/jod.jpg?alt=media&token=3735f1cc-35d0-4cea-8a29-811cec71fe1b
|
2
firebasestorage.googleapis.com(172.217.25.170) - phishing 172.217.31.10
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
37 |
ZeroCERT
12152 |
2023-06-18 12:15
|
Grey.exe 5d38aede0d5846ef5637db30b43eca60 PWS .NET framework(MSIL) UPX Confuser .NET OS Processor Check .NET EXE PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172) 104.211.55.2 172.67.75.172 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE RedLine Stealer TCP CnC net.tcp Init
|
|
7.4 |
|
55 |
ZeroCERT
12153 |
2023-06-18 12:15
|
game.exe 888983f654ddc26dbba28df2ccef74c0 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Disables Windows Security Windows Update |
|
|
|
|
4.6 |
|
24 |
ZeroCERT
12154 |
2023-06-18 09:29
|
secret_conversations.html e57fdf1dad4fabac8ad020453f07cdbb AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
https://scontent-lga3-2.xx.fbcdn.net/v/t1.6435-1/cp0/p24x24/240958031_2948688838792595_1661814721335136491_n.jpg?_nc_cat=108&ccb=1-5&_nc_sid=84712d&_nc_ohc=5Cm8iRXW8fkAX_M594l&_nc_ad=z-m&_nc_cid=1087&_nc_ht=scontent-lga3-2.xx&oh=4edcbd681cd75e62941efe15a0a2f60a&oe=6182CCBC
|
2
scontent-lga3-2.xx.fbcdn.net(157.240.241.1) 157.240.241.1
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
|
guest
12155 |
2023-06-17 18:20
|
cleanmgr.exe 1680103ba897689ec92f5940e043afb4 NSIS UPX Malicious Library PE32 PE File OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.155) 173.231.16.76
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
M |
40 |
ZeroCERT
12156 |
2023-06-17 18:17
|
djlw_zip.exe 90c4d8c8f396f66d9b556ab05344a8cd Gen1 Emotet PWS .NET framework(MSIL) Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName Remote Code Execution |
|
|
|
|
4.6 |
M |
40 |
ZeroCERT
12157 |
2023-06-17 18:15
|
maps.exe 02f7c729e7344aad545091d1bc408658 NSIS UPX Malicious Library PE32 PE File OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.155) 173.231.16.76
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
M |
44 |
ZeroCERT
12158 |
2023-06-17 18:13
|
steamrepairnet.exe 77d6c227485a414fd6676dc5a006a9cf UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File DLL PE32 VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates executable files Tofsee |
2
https://new-service.biliapi.net/picture/chatres/update/version.txt https://cdn.wmpvp.com/steamWeb/F24DCA1346594DF3B954684015A7C50F-1686833838173.pdf
|
4
cdn.wmpvp.com(14.0.113.205) new-service.biliapi.net(122.189.171.106) 14.0.113.205 - malware 113.207.69.188
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
4 |
ZeroCERT
12159 |
2023-06-17 18:12
|
chcike.exe 8ad0291a1dfaf355e5cfea617a747f40 PWS .NET framework(MSIL) UPX Confuser .NET OS Processor Check .NET EXE PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
3
ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response
|
|
6.2 |
M |
53 |
ZeroCERT
12160 |
2023-06-17 18:11
|
cleanmgr.exe 0556da46f62c3da93a0de233dc1d76a9 NSIS UPX Malicious Library PE32 PE File OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.76) 104.237.62.211
|
|
|
8.2 |
M |
43 |
ZeroCERT
12161 |
2023-06-17 18:10
|
maps.exe 622db6be2018e48a527cd178ae2f94b5 NSIS UPX Malicious Library Admin Tool (Sysinternals etc ...) PE32 PE File OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1
|
2
api.ipify.org(64.185.227.155) 64.185.227.155
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
M |
44 |
ZeroCERT
12162 |
2023-06-17 18:09
|
gate.exe 4be5a605c895baa84294466875582764 Generic Malware UPX Malicious Library OS Processor Check PE64 PE File Browser Info Stealer Malware download VirusTotal Malware MachineGuid Malicious Traffic Creates executable files unpack itself Disables Windows Security sandbox evasion IP Check PrivateLoader Tofsee Windows Browser DNS |
3
http://85.208.136.10/api/firegate.php - rule_id: 32663 http://85.208.136.10/api/tracemap.php - rule_id: 32662 https://api.myip.com/
|
7
ipinfo.io(34.117.59.81) vk.com(87.240.132.72) - mailcious api.myip.com(104.26.9.59) 93.186.225.194 - mailcious 85.208.136.10 - mailcious 172.67.75.163 34.117.59.81
|
5
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA Applayer Mismatch protocol both directions
|
2
http://85.208.136.10/api/firegate.php http://85.208.136.10/api/tracemap.php
|
8.6 |
M |
46 |
ZeroCERT
12163 |
2023-06-17 18:08
|
%E5%A4%9A%E5%8A%9F%E8%83%BD.dl... cffa65118e7675001f5b61e0def9c1cc DLL PE32 PE File VirusTotal Malware |
|
|
|
|
1.4 |
|
24 |
ZeroCERT
12164 |
2023-06-17 18:07
|
build.exe dc3352babcf165a455d86f015a26b742 Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
44 |
ZeroCERT
12165 |
2023-06-16 19:56
|
73687129598.pdf 3fe2c8d84c835b57baf80b2392da473f PDF Suspicious Link PDF ZIP Format VirusTotal Malware Windows utilities Windows |
5
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip
|
|
|
|
2.2 |
|
29 |
ZeroCERT