13276 | 2023-05-15 10:38
.rels 77bf61733a633ea617a4db76ef769a4d | AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs: none
Hosts: none
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
3.8 | | | guest

13277 | 2023-05-15 10:38
.rels 77bf61733a633ea617a4db76ef769a4d | Downloader Create Service DGA Socket DNS Hijack Network Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs: none
Hosts: none
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
4.8 | | | guest

13278 | 2023-05-15 10:38
[Content_Types].xml d392bb3733b38ef8a29301ec15c1b348 | Downloader Create Service DGA Socket DNS Hijack Network Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs: none
Hosts: none
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | | guest

13279 | 2023-05-15 10:36
[Content_Types].xml d392bb3733b38ef8a29301ec15c1b348 | AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed
URLs: none
Hosts: none
Signatures: none
3.8 | | | guest

13280 | 2023-05-15 08:55
bild6.exe 21eab81729333b160786a2de1b1e621d | RedLine stealer[m] PWS .NET framework RAT Generic Malware Downloader UPX Malicious Library Antivirus Confuser .NET Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP Key Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Telegram AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key crashed
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://ip-api.com/line?fields=query
Hosts (8):
  archive.torproject.org(159.69.63.226)
  api.telegram.org(149.154.167.220)
  ip-api.com(208.95.112.1)
  221.161.198.16
  149.154.167.220
  159.69.63.226
  208.95.112.1
  94.142.138.219
Signatures (5):
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  ET POLICY External IP Lookup ip-api.com
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Telegram API Domain in DNS Lookup
14.8 | M | 52 | ZeroCERT

13281 | 2023-05-15 08:53
baz_uniq.exe 6330864da59c02a1f1b1f115b2ef8f03 | Gen1 MPRESS UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName Firmware DNS Software crashed
URLs (5):
  http://195.201.47.75/3e1b82ea4c6209e2a251c89beae0984f
  http://195.201.47.75/
  http://195.201.47.75/recent.zip
  https://steamcommunity.com/profiles/76561198272578552
  https://t.me/libpcre
Hosts (6):
  t.me(149.154.167.99) - mailcious
  steamcommunity.com(104.75.41.21) - mailcious
  149.154.167.99 - mailcious
  195.201.47.75
  79.137.195.205 - mailcious
  104.76.78.101 - mailcious
Signatures (4):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host ZIP Request
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
14.4 | | 26 | ZeroCERT

13282 | 2023-05-15 08:47
Widgets.exe f0016739c32ff1b375e9bf3008a56991 | Gen2 Gen1 RAT Generic Malware UPX Malicious Library Malicious Packer Antivirus HTTP PWS[m] Http API Internet API AntiDebug AntiVM OS Processor Check CAB .NET EXE PE File PE32 Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process Windows ComputerName DNS Cryptographic key crashed
URLs (2):
  http://79.137.195.205/bot/regex
  http://79.137.195.205/bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
Hosts (1):
  79.137.195.205 - mailcious
Signatures (1):
  ET MALWARE Laplas Clipper - SetOnline CnC Checkin
11.0 | M | 22 | ZeroCERT

13283 | 2023-05-14 17:48
windows.exe c159fc653a86ef3eab80e5d06b9cfa2c | Formbook Gen1 Gen2 email stealer Generic Malware UPX Malicious Library Antivirus ASPack Malicious Packer PWS[m] Steal credential ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 PowerShell OS Processor Check DLL ZIP Format BMP Format icon Browser Info Stealer Malware download Wshrat NetWireRC VirusTotal Email Client Info Stealer Malware VBScript AutoRuns suspicious privilege Check memory Checks debugger WMI wscript.exe payload download Creates shortcut Creates executable files unpack itself Windows utilities malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check human activity check Tofsee Ransomware Interception Windows Houdini Browser Email ComputerName DNS Cryptographic key DDNS Dropper
URLs (13):
  http://142.202.242.176:6677/update-status%7CSDK+Installed
  http://142.202.242.176:6677/give-me-chpv
  http://142.202.242.176:6677/moz-sdk
  http://ip-api.com/json/
  http://142.202.242.176:6677/maili
  http://142.202.242.176:6677/give-me-ffpv
  http://wshsoft.company/python27.zip
  http://142.202.242.176:6677/chrome
  http://142.202.242.176:6677/is-ready
  http://142.202.242.176:6677/update-status%7CInstalling+SDK
  http://142.202.242.176:6677/ie
  http://pastebin.com/raw/WVFt9GbZ
  https://pastebin.com/raw/WVFt9GbZ
Hosts (9):
  wshsoft.company(194.59.164.67) - malware
  pastebin.com(104.20.68.143) - mailcious
  vj5566.duckdns.org(142.202.242.176)
  ip-api.com(208.95.112.1)
  142.202.242.176
  194.59.164.67 - malware
  104.20.68.143 - mailcious
  208.95.112.1
  104.20.67.143 - mailcious
Signatures (8):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET POLICY External IP Lookup ip-api.com
  ET MALWARE WSHRAT CnC Checkin
  ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
  ET CHAT IRC USER command
10.0 | M | 39 | ZeroCERT

13284 | 2023-05-14 17:47
vbc.exe 433b617e1991fb112c8aabfc41eb0b8d | PWS .NET framework Formbook Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs: none
Hosts (1):
Signatures: none
13.0 | M | 46 | ZeroCERT

13285 | 2023-05-14 17:46
vbc.exe 72f99c537d61d38a113e121348cce0dd | NSIS UPX Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder ComputerName
URLs (10):
  http://www.treeremovalkingwood.com/dyeb/
  http://www.treeremovalkingwood.com/dyeb/?kGdjNU=ot2zVt7gYiYVRQ9vvNmBHR7+ThDbtsc5ek8bGz74xX5U1doydBpcmiSkVy8u8MuUFpWdZPDPZrAoOHnwm5gEHBkymeZFezCBl1qs2nQ=&UO4=DKa-jcyBqnIB
  http://www.sk676.com/dyeb/?kGdjNU=eRDn4OYLwGAFOe+oMCQszUCYwMg+uVi8ZbKWpPBz42pRqgBZU372Jy+dcILn2QiWfPdOhu0Hdz7kmVVrr+zaLBc9OSgj6EJ8eLn4AGY=&UO4=DKa-jcyBqnIB
  http://www.gullsteam.com/dyeb/?kGdjNU=gpFiMZyRZMV876gQ5pKC/N1h/E4k1JTYqvKRrfnY4KgDM3MAJOrei7MZxy1PV3eRL73jRv6RgLSF36g9rJ5AMkJq2HAD/moUEr4eCPA=&UO4=DKa-jcyBqnIB
  http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
  http://www.gullsteam.com/dyeb/
  http://www.sk676.com/dyeb/
  http://www.treeremovalkingwood.com/dyeb/?sG=ot2zVt7gYiYVRQ9vvNmBHR7+ThDbtsc5ek8bGz74xX5U1doydBpcmiSkVy8u8MuUFpWdZPDPZrAoOHnwm5gEHBkymeZFezCBl1qs2nQ=&yf=cr4dtDAlLT6_
  http://www.sk676.com/dyeb/?sG=eRDn4OYLwGAFOe+oMCQszUCYwMg+uVi8ZbKWpPBz42pRqgBZU372Jy+dcILn2QiWfPdOhu0Hdz7kmVVrr+zaLBc9OSgj6EJ8eLn4AGY=&yf=cr4dtDAlLT6_
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
Hosts (7):
  www.sk676.com(154.212.104.55)
  www.treeremovalkingwood.com(104.21.11.173)
  www.gullsteam.com(85.159.66.93)
  104.21.11.173
  85.159.66.93 - mailcious
  154.212.104.55
  45.33.6.223
Signatures (2):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
5.2 | M | 49 | ZeroCERT

13286 | 2023-05-14 17:43
ProtonVPN_3.0.5.exe c5e15dbab0811bd42a6e4d62132ff459 | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
URLs: none
Hosts: none
Signatures: none
2.4 | M | 55 | ZeroCERT

13287 | 2023-05-14 17:40
ppls25.exe a14d01d96ea78f39f7e118582dad3cb9 | Gen2 Gen1 UPX Malicious Library PE64 PE File VirusTotal Malware PDB Remote Code Execution DNS
URLs: none
Hosts (1):
Signatures: none
2.0 | M | 32 | ZeroCERT

13288 | 2023-05-14 17:36
adminfunction.ps1 116867a52a3e60cc2eb90e5888a70cdd | Generic Malware Antivirus powershell Check memory unpack itself powershell.exe wrote WriteConsoleW Windows Cryptographic key
URLs (1):
  https://www.joshbystrom.com/wp-admin/images/bubble_bg22.SVG
Hosts: none
Signatures: none
2.2 | | | ZeroCERT

13289 | 2023-05-14 17:36
loc.ps1 d7bd6a17466dbe1e448956b0018ad94d | Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs: none
Hosts: none
Signatures: none
4.8 | | 2 | ZeroCERT

13290 | 2023-05-14 17:34
builds 7d55ec6eb0d0d539f72efdeb800ad5bd | PWS .NET framework RAT Generic Malware UPX Malicious Packer OS Processor Check .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege MachineGuid Check memory Checks debugger unpack itself
URLs: none
Hosts: none
Signatures: none
2.8 | M | 46 | ZeroCERT