13306 | 2023-05-14 17:03
  File: crypted%20%282%29.exe
  MD5: 7934a25163e1500d54aded65ce354308
  Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
  URLs (0):
  Hosts (4): camo.githubusercontent.com(185.199.111.133); fonts.googleapis.com(142.250.207.106); 185.199.109.133 - mailcious; 142.251.220.42
  IDS (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
  Rule-hit URLs (0):
  Score 4.8 | M | VT - | ZeroCERT
13307 | 2023-05-14 17:02
  File: ProtonVPN_v3.0.5.exe
  MD5: 8589fe09a6ad2bdc47a753125086f742
  Tags: Gen2 Generic Malware UPX Malicious Library Malicious Packer Antivirus OS Processor Check PE File PE32 CAB MSOffice File DLL VirusTotal Malware PDB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser ComputerName DNS
  URLs (0):
  Hosts (0):
  IDS (0):
  Rule-hit URLs (0):
  Score 4.8 | M | VT 23 | ZeroCERT
13308 | 2023-05-14 16:59
  File: testing.exe
  MD5: 1c74e42557c3d29c125070f17794ed65
  Tags: AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
  URLs (0):
  Hosts (4): camo.githubusercontent.com(185.199.108.133); fonts.googleapis.com(142.250.207.106); 142.250.66.138; 185.199.108.133 - mailcious
  IDS (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Rule-hit URLs (0):
  Score 6.0 | M | VT - | ZeroCERT
13309 | 2023-05-14 10:15
  File: testing.exe
  MD5: 0bde80954b5c14814f29064c6424d374
  Tags: RAT Emotet PWS .NET framework Loki_b UPX .NET EXE PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows ComputerName DNS Cryptographic key
  URLs (16):
    http://94.142.138.111/concerts/2.php - rule_id: 32678
    http://94.142.138.111/concerts/13.php - rule_id: 32689
    http://94.142.138.111/concerts/10.php - rule_id: 32686
    http://94.142.138.111/software/Build_2s.exe - rule_id: 32694
    http://ip-api.com/json/
    http://94.142.138.111/concerts/9.php - rule_id: 32685
    http://94.142.138.111/concerts/11.php - rule_id: 32687
    http://94.142.138.111/concerts/8.php - rule_id: 32684
    http://94.142.138.111/concerts/6.php - rule_id: 32682
    http://94.142.138.111/concerts/4.php - rule_id: 32680
    http://94.142.138.111/concerts/1.php - rule_id: 32677
    http://94.142.138.111/concerts/12.php - rule_id: 32688
    http://94.142.138.111/concerts/7.php - rule_id: 32683
    http://94.142.138.111/concerts/5.php - rule_id: 32681
    http://ipwhois.app/xml/
    http://94.142.138.111/concerts/3.php - rule_id: 32679
  Hosts (5): ipwhois.app(103.126.138.87); ip-api.com(208.95.112.1); 103.126.138.87; 94.142.138.111 - malware; 208.95.112.1
  IDS (5): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET POLICY External IP Lookup ip-api.com
  Rule-hit URLs (14):
    http://94.142.138.111/concerts/2.php
    http://94.142.138.111/concerts/13.php
    http://94.142.138.111/concerts/10.php
    http://94.142.138.111/software/Build_2s.exe
    http://94.142.138.111/concerts/9.php
    http://94.142.138.111/concerts/11.php
    http://94.142.138.111/concerts/8.php
    http://94.142.138.111/concerts/6.php
    http://94.142.138.111/concerts/4.php
    http://94.142.138.111/concerts/1.php
    http://94.142.138.111/concerts/12.php
    http://94.142.138.111/concerts/7.php
    http://94.142.138.111/concerts/5.php
    http://94.142.138.111/concerts/3.php
  Score 6.8 | M | VT 53 | guest
13310 | 2023-05-12 18:07
  File: Build_2s.exe
  MD5: 1c2b15ed1c8897bb466ec6f1a0f3e815
  Tags: Emotet PWS .NET framework Loki_b RAT UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Windows ComputerName DNS Cryptographic key
  URLs (15):
    http://94.142.138.111/concerts/2.php - rule_id: 32678
    http://94.142.138.111/concerts/13.php - rule_id: 32689
    http://94.142.138.111/concerts/10.php - rule_id: 32686
    http://ip-api.com/json/
    http://94.142.138.111/concerts/9.php - rule_id: 32685
    http://94.142.138.111/concerts/11.php - rule_id: 32687
    http://94.142.138.111/concerts/8.php - rule_id: 32684
    http://94.142.138.111/concerts/6.php - rule_id: 32682
    http://94.142.138.111/concerts/4.php - rule_id: 32680
    http://94.142.138.111/concerts/1.php - rule_id: 32677
    http://94.142.138.111/concerts/12.php - rule_id: 32688
    http://94.142.138.111/concerts/7.php - rule_id: 32683
    http://94.142.138.111/concerts/5.php - rule_id: 32681
    http://ipwhois.app/xml/
    http://94.142.138.111/concerts/3.php - rule_id: 32679
  Hosts (5): ipwhois.app(103.126.138.87); ip-api.com(208.95.112.1); 103.126.138.87; 94.142.138.111 - malware; 208.95.112.1
  IDS (1): ET POLICY External IP Lookup ip-api.com
  Rule-hit URLs (13):
    http://94.142.138.111/concerts/2.php
    http://94.142.138.111/concerts/13.php
    http://94.142.138.111/concerts/10.php
    http://94.142.138.111/concerts/9.php
    http://94.142.138.111/concerts/11.php
    http://94.142.138.111/concerts/8.php
    http://94.142.138.111/concerts/6.php
    http://94.142.138.111/concerts/4.php
    http://94.142.138.111/concerts/1.php
    http://94.142.138.111/concerts/12.php
    http://94.142.138.111/concerts/7.php
    http://94.142.138.111/concerts/5.php
    http://94.142.138.111/concerts/3.php
  Score 5.6 | M | VT 40 | ZeroCERT
13311 | 2023-05-12 18:04
  File: photo190.exe
  MD5: d874573195e89d1fdd72f31050cfcdc2
  Tags: RedLine stealer[m] Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer SMTP PWS[m] AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
  URLs (4):
    http://77.91.124.20/store/games/index.php - rule_id: 32547
    http://77.91.124.20/store/games/index.php
    http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
    http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
  Hosts (2): 185.161.248.75; 77.91.124.20 - malware
  IDS (6): ET MALWARE Amadey CnC Check-In; ET INFO Dotted Quad Host DLL Request; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  Rule-hit URLs (3):
    http://77.91.124.20/store/games/index.php
    http://77.91.124.20/store/games/Plugins/cred64.dll
    http://77.91.124.20/store/games/Plugins/clip64.dll
  Score 20.4 | M | VT 40 | ZeroCERT
13312 | 2023-05-12 18:03
  File: test2.exe
  MD5: 6d67904fdc38ee640fc49af5b9229d93
  Tags: PWS .NET framework RAT UPX Confuser .NET OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs (0):
  Hosts (1): (none listed)
  IDS (0):
  Rule-hit URLs (0):
  Score 6.2 | M | VT 54 | ZeroCERT
13313 | 2023-05-12 18:01
  File: QQQ%23%23%23%23%23%23%23%23%23...
  MD5: 96935f118fdeae482ef56256b22acf86
  Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
  URLs (2):
    http://171.22.30.164/mancho/five/fre.php - rule_id: 32573
    http://84.54.50.156/200/vbc.exe
  Hosts (2): 171.22.30.164 - mailcious; 84.54.50.156 - malware
  IDS (13): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO Executable Download from dotted-quad Host; ET MALWARE MSIL/GenKryptik.FQRH Download Request; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET INFO Packed Executable Download; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Rule-hit URLs (1):
    http://171.22.30.164/mancho/five/fre.php
  Score 5.2 | M | VT 29 | ZeroCERT
13314 | 2023-05-12 18:01
  File: QQQ%23%23%23%23%23%23%23%23%23...
  MD5: ee6851f7c64b5d019791616cc442f6e0
  Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (2):
    http://171.22.30.164/mancho/five/fre.php - rule_id: 32573
    http://84.54.50.156/210/vbc.exe
  Hosts (2): 171.22.30.164 - mailcious; 84.54.50.156 - malware
  IDS (13): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO Executable Download from dotted-quad Host; ET MALWARE MSIL/GenKryptik.FQRH Download Request; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response
  Rule-hit URLs (1):
    http://171.22.30.164/mancho/five/fre.php
  Score 5.2 | M | VT 29 | ZeroCERT
13315 | 2023-05-12 18:00
  File: testing.exe
  MD5: 0bde80954b5c14814f29064c6424d374
  Tags: RAT Emotet PWS .NET framework Loki_b UPX .NET EXE PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows ComputerName DNS Cryptographic key
  URLs (16):
    http://94.142.138.111/concerts/2.php - rule_id: 32678
    http://94.142.138.111/concerts/13.php - rule_id: 32689
    http://94.142.138.111/concerts/10.php - rule_id: 32686
    http://ip-api.com/json/
    http://94.142.138.111/concerts/9.php - rule_id: 32685
    http://94.142.138.111/concerts/11.php - rule_id: 32687
    http://94.142.138.111/concerts/8.php - rule_id: 32684
    http://94.142.138.111/concerts/6.php - rule_id: 32682
    http://94.142.138.111/concerts/4.php - rule_id: 32680
    http://94.142.138.111/concerts/1.php - rule_id: 32677
    http://94.142.138.111/concerts/12.php - rule_id: 32688
    http://94.142.138.111/concerts/7.php - rule_id: 32683
    http://94.142.138.111/concerts/5.php - rule_id: 32681
    http://ipwhois.app/xml/
    http://94.142.138.111/concerts/3.php - rule_id: 32679
    http://94.142.138.111/software/Build_2s.exe
  Hosts (5): ipwhois.app(103.126.138.87); ip-api.com(208.95.112.1); 103.126.138.87; 94.142.138.111 - malware; 208.95.112.1
  IDS (5): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET POLICY External IP Lookup ip-api.com
  Rule-hit URLs (13):
    http://94.142.138.111/concerts/2.php
    http://94.142.138.111/concerts/13.php
    http://94.142.138.111/concerts/10.php
    http://94.142.138.111/concerts/9.php
    http://94.142.138.111/concerts/11.php
    http://94.142.138.111/concerts/8.php
    http://94.142.138.111/concerts/6.php
    http://94.142.138.111/concerts/4.php
    http://94.142.138.111/concerts/1.php
    http://94.142.138.111/concerts/12.php
    http://94.142.138.111/concerts/7.php
    http://94.142.138.111/concerts/5.php
    http://94.142.138.111/concerts/3.php
  Score 6.8 | M | VT 40 | ZeroCERT
13316 | 2023-05-12 17:59
  File: vbc.exe
  MD5: 44bd0753b6efa39826e713e4c6bc9353
  Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself
  URLs (0):
  Hosts (0):
  IDS (0):
  Rule-hit URLs (0):
  Score 1.4 | M | VT 39 | ZeroCERT
13317 | 2023-05-12 10:15
  File: File_pass1234.7z
  MD5: 4ea64ab9cad02bd9b12703babb3aff3f
  Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself DNS
  URLs (0):
  Hosts (2): (none listed)
  IDS (0):
  Rule-hit URLs (0):
  Score 3.0 | M | VT 9 | ZeroCERT
13318 | 2023-05-12 10:09
  File: File_pass1234.7z
  MD5: ebffa14573bad49ce1597ebfdb1b4219
  Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check Tofsee Windows Trojan DNS
  URLs (17):
    http://94.142.138.131/api/firegate.php
    http://209.250.254.249:3002/
    http://94.142.138.131/api/tracemap.php - rule_id: 28311
    http://www.maxmind.com/geoip/v2.1/city/me
    http://208.67.104.60/api/tracemap.php - rule_id: 28876
    https://vk.com/doc797927207_660207612?hash=FSzZrKgaoQ4kHJpBkwwrcecQ1khON4e6uLnZZ4noFRc&dl=G44TOOJSG4ZDANY:1683818285:xjgWZ6U0zK8yMG56wSqaiurXm91s5Hva9jN75V78dpc&api=1&no_preview=1#L1
    https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
    https://sun6-20.userapi.com/c237331/u797927207/docs/d32/3b1562a610ff/AppLaunch.bmp?extra=JaJH0yubp6SiGMgQe6iQVtfr1GI70sFVas0bPqPOE1JgQPjQJeqc1JgcP7Vq06u_i8BJolccNfQmB4JVHlrkyw76zX1E9nDnBtN_Yc3_Z9h2uiwH-vXq0GCPy9mOftnGamUCUIwSIM6GaloEPQ
    https://vk.com/doc797927207_659790319?hash=Yh4Zq10yI5sCv0Hozhs9Au2WzOHbviNeMCJ7fr1FFhg&dl=G44TOOJSG4ZDANY:1683130808:PeAzMOcy5CuRuNl362YRUH2t3JWVdZZHlGFYTsqzuwo&api=1&no_preview=1
    https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
    https://db-ip.com/
    https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
    https://vk.com/doc797927207_660158521?hash=CHoeq50dJohH7piMcIhWPTP8SZy13EEVPQr7nouPkeP&dl=G44TOOJSG4ZDANY:1683737741:EB7omsUVCkf03zctqWFhwJvAFNZLeHtx8gkUGk2PVDg&api=1&no_preview=1
    https://sun6-21.userapi.com/c235131/u797927207/docs/d5/08764869d62d/asca1ex.bmp?extra=vqNkGdJUx9Ty6qIhbKHtHm-uvSM7pFAB70mGC-hwXtKeLLhMapHhAdWQp5Mhx3VaUG7ygp_A9SH2P8-3DGJUQZuEyrxPDUB1vgU0Ra1SDEQ6-E0IS8WQ7sWYLJoVk2tVh_Dy7Q72mppRd5Lw_A
    https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
    https://sun6-20.userapi.com/c237231/u797927207/docs/d22/96329d1f2388/OriginalBuild.bmp?extra=wOQ0KkKvahESe2lcf4Z08mPMWxbrBrypeJGVgVKu4T7N-NXXMnRZCHlfbPtzIoPsAhYWS42eeMFfkSuWfqJygSWjaYYlF8BLVc6w7A0kxdFKuCDAlMbnzV6x3QG-8rMtL9KskuuoxyI1CIXz-A
    https://vk.com/doc797927207_660166827?hash=S9d1LRpKkBqqaTTkzFYojvcJ3L3a8zzgjeJXmhRuRB8&dl=G44TOOJSG4ZDANY:1683746472:NUGgowD5mgwGUbp3JvSIkoB9wFYDzijcgoJB26mzagH&api=1&no_preview=1#orig5
  Hosts (28): db-ip.com(104.26.5.15); iplis.ru(148.251.234.93) - mailcious; hugersi.com(91.215.85.147) - malware; sun6-21.userapi.com(95.142.206.1); ipinfo.io(34.117.59.81); ji.uiasehgjj.com(172.67.135.176) - malware; www.maxmind.com(104.17.214.67); sun6-20.userapi.com(95.142.206.0); api.db-ip.com(104.26.5.15); vk.com(87.240.132.67); 109.206.243.208 - malware; 45.12.253.74 - malware; 104.26.4.15; 172.67.135.176 - malware; 163.123.143.4 - mailcious; 95.142.206.1; 95.142.206.0; 148.251.234.93 - mailcious; 104.17.215.67; 34.117.59.81; 87.240.132.67; 94.142.138.131 - mailcious; 176.113.115.239 - malware; 91.215.85.147 - malware; 104.26.5.15; 208.67.104.60 - mailcious; 104.17.214.67; 209.250.254.249
  IDS (10): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SURICATA Applayer Mismatch protocol both directions; ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI); ET INFO URL Shortening Service Domain in DNS Lookup (vk .com); ET INFO Executable Download from dotted-quad Host; ET MALWARE Single char EXE direct download likely trojan (multiple families); ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE - Served Attached HTTP
  Rule-hit URLs (2):
    http://94.142.138.131/api/tracemap.php
    http://208.67.104.60/api/tracemap.php
  Score 6.2 | M | VT - | ZeroCERT
13319 | 2023-05-12 10:06
  File: se1.exe
  MD5: 29531f95f2ffc356c67975a60effa857
  Tags: PWS .NET framework RAT UPX SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed
  URLs (0):
  Hosts (0):
  IDS (0):
  Rule-hit URLs (0):
  Score 10.6 | - | VT 28 | ZeroCERT
13320 | 2023-05-12 10:02
  File: File_pass1234.7z
  MD5: f12cefd0ab30a148d0d24f8b2db51554
  Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Trojan DNS
  URLs (17):
    http://85.208.136.10/api/firegate.php
    http://209.250.254.249:3002/
    http://5.181.80.133/api/tracemap.php
    http://www.maxmind.com/geoip/v2.1/city/me
    http://85.208.136.10/api/tracemap.php
    https://vk.com/doc797927207_660207612?hash=FSzZrKgaoQ4kHJpBkwwrcecQ1khON4e6uLnZZ4noFRc&dl=G44TOOJSG4ZDANY:1683818285:xjgWZ6U0zK8yMG56wSqaiurXm91s5Hva9jN75V78dpc&api=1&no_preview=1#L1
    https://sun6-20.userapi.com/c237331/u797927207/docs/d32/3b1562a610ff/AppLaunch.bmp?extra=JaJH0yubp6SiGMgQe6iQVtfr1GI70sFVas0bPqPOE1JgQPjQJeqc1JgcP7Vq06u_i8BJolccNfQmB4JVHlrkyw76zX1E9nDnBtN_Yc3_Z9h2uiwH-vfs0GCPy9mOftnGajBWUN9EdZ3VblhQOQ
    https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
    https://vk.com/doc797927207_659790319?hash=Yh4Zq10yI5sCv0Hozhs9Au2WzOHbviNeMCJ7fr1FFhg&dl=G44TOOJSG4ZDANY:1683130808:PeAzMOcy5CuRuNl362YRUH2t3JWVdZZHlGFYTsqzuwo&api=1&no_preview=1
    https://sun6-21.userapi.com/c235131/u797927207/docs/d5/08764869d62d/asca1ex.bmp?extra=vqNkGdJUx9Ty6qIhbKHtHm-uvSM7pFAB70mGC-hwXtKeLLhMapHhAdWQp5Mhx3VaUG7ygp_A9SH2P8-3DGJUQZuEyrxPDUB1vgU0Ra1SDEQ6-E0IS8eW7sWYLJoVk2tVh62ovw_1x8tWIpf3-Q
    https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
    https://db-ip.com/
    https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
    https://vk.com/doc797927207_660158521?hash=CHoeq50dJohH7piMcIhWPTP8SZy13EEVPQr7nouPkeP&dl=G44TOOJSG4ZDANY:1683737741:EB7omsUVCkf03zctqWFhwJvAFNZLeHtx8gkUGk2PVDg&api=1&no_preview=1
    https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
    https://sun6-20.userapi.com/c237231/u797927207/docs/d22/96329d1f2388/OriginalBuild.bmp?extra=wOQ0KkKvahESe2lcf4Z08mPMWxbrBrypeJGVgVKu4T7N-NXXMnRZCHlfbPtzIoPsAhYWS42eeMFfkSuWfqJygSWjaYYlF8BLVc6w7A0kxdFKuCDAlMThzV6x3QG-8rMtL4D6kL2rwHFhWIT1-Q
    https://vk.com/doc797927207_660166827?hash=S9d1LRpKkBqqaTTkzFYojvcJ3L3a8zzgjeJXmhRuRB8&dl=G44TOOJSG4ZDANY:1683746472:NUGgowD5mgwGUbp3JvSIkoB9wFYDzijcgoJB26mzagH&api=1&no_preview=1#orig5
  Hosts (27): db-ip.com(104.26.4.15); hugersi.com(91.215.85.147) - malware; sun6-21.userapi.com(95.142.206.1); ipinfo.io(34.117.59.81); ji.uiasehgjj.com(104.21.7.34) - malware; www.maxmind.com(104.17.214.67); sun6-20.userapi.com(95.142.206.0); api.db-ip.com(104.26.5.15); vk.com(87.240.129.133); 109.206.243.208 - malware; 45.12.253.74 - malware; 104.26.4.15; 95.142.206.0; 172.67.135.176 - malware; 163.123.143.4 - mailcious; 95.142.206.1; 87.240.132.78; 91.215.85.147 - malware; 5.181.80.133; 34.117.59.81; 85.208.136.10; 94.131.106.196 - mailcious; 176.113.115.239 - malware; 104.26.5.15; 94.142.138.113 - mailcious; 104.17.214.67; 209.250.254.249
  IDS (10): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET INFO URL Shortening Service Domain in DNS Lookup (vk .com); SURICATA Applayer Mismatch protocol both directions; ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI); ET INFO Executable Download from dotted-quad Host; ET MALWARE Single char EXE direct download likely trojan (multiple families); ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE - Served Attached HTTP
  Rule-hit URLs (0):
  Score 5.8 | M | VT - | ZeroCERT
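The records on this page are a sandbox export, and their value to a defender lies in the IOCs (hashes, URLs, flagged hosts, IDS signature hits) and in the infrastructure that several submissions share. The script below is an added example, not part of this listing or of the sandbox that produced it: it parses records written in a labelled one-field-per-line layout, collects deduplicated IOCs, and pivots on the hosts the sandbox flagged to find samples that contacted the same server. The layout, the field names and the SAMPLE text are constructed for the example; the values inside SAMPLE are transcribed from records 13309, 13310 and 13311 above. Only hosts carrying a " - malware" or " - mailcious" verdict are treated as infrastructure, because the unflagged hosts (ip-api.com, ipwhois.app and similar geolocation services) are benign lookups that would pollute a blocklist.

```python
"""Parse labelled sandbox records into IOC sets and pivot on shared flagged hosts."""
import re
from collections import defaultdict

# Constructed sample: three records transcribed from the listing, reduced to the
# fields read here. Hosts the sandbox flagged carry " - malware" / " - mailcious".
SAMPLE = """\
13309 | 2023-05-14 10:15
  File: testing.exe
  MD5: 0bde80954b5c14814f29064c6424d374
  URLs (3):
    http://94.142.138.111/concerts/2.php - rule_id: 32678
    http://94.142.138.111/software/Build_2s.exe - rule_id: 32694
    http://ip-api.com/json/
  Hosts (3): ip-api.com(208.95.112.1); 94.142.138.111 - malware; 208.95.112.1
  IDS (2): ET INFO Executable Download from dotted-quad Host; ET POLICY External IP Lookup ip-api.com
  Score 6.8 | M | VT 53 | guest

13310 | 2023-05-12 18:07
  File: Build_2s.exe
  MD5: 1c2b15ed1c8897bb466ec6f1a0f3e815
  URLs (1):
    http://94.142.138.111/concerts/2.php - rule_id: 32678
  Hosts (2): ipwhois.app(103.126.138.87); 94.142.138.111 - malware
  IDS (1): ET POLICY External IP Lookup ip-api.com
  Score 5.6 | M | VT 40 | ZeroCERT
13311 | 2023-05-12 18:04
  File: photo190.exe
  MD5: d874573195e89d1fdd72f31050cfcdc2
  URLs (1):
    http://77.91.124.20/store/games/index.php - rule_id: 32547
  Hosts (2): 185.161.248.75; 77.91.124.20 - malware
  IDS (1): ET MALWARE Amadey CnC Check-In
  Score 20.4 | M | VT 40 | ZeroCERT
"""

HEADER = re.compile(r"^(\d+) \| (\d{4}-\d{2}-\d{2} \d{2}:\d{2})$")
FIELD = re.compile(r"^\s+(File|MD5|Tags|URLs|Hosts|IDS)\b[^:]*:\s*(.*)$")
HOST = re.compile(r"^(?:(?P<domain>[\w.-]+)\((?P<ip>[\d.]+)\)|(?P<bare>[\d.]+))"
                  r"(?: - (?P<verdict>\w+))?$")


def parse_host(entry):
    """'domain(ip) - verdict', 'ip - verdict' or undecorated forms -> (domain, ip, verdict)."""
    m = HOST.match(entry)
    if not m:
        raise ValueError(f"unrecognised host entry: {entry!r}")
    return m.group("domain"), m.group("ip") or m.group("bare"), m.group("verdict")


def parse_records(text):
    records, cur, field = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            cur = {"id": m.group(1), "time": m.group(2), "urls": [], "hosts": [], "ids": []}
            records.append(cur)
            field = None
        elif line.startswith("  Score "):            # "Score 6.8 | M | VT 53 | guest"
            parts = [p.strip() for p in line.split("|")]
            cur["score"] = float(parts[0].split()[1])
            cur["malicious"] = parts[1] == "M"
        elif m := FIELD.match(line):
            field, value = m.group(1), m.group(2)
            if field in ("File", "MD5", "Tags"):
                cur[field.lower()] = value
            elif field in ("Hosts", "IDS"):          # ';'-separated lists on one line
                cur[field.lower()] = [v.strip() for v in value.split(";") if v.strip()]
        elif field == "URLs":                        # one URL per continuation line
            cur["urls"].append(line.strip().split(" - rule_id:")[0])
    return records


def defang(s):
    """Make a URL, domain or IP non-clickable for reports."""
    return s.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


def extract_iocs(records):
    """Dedup'd IOCs; only hosts the sandbox itself flagged count as infrastructure."""
    iocs = {"md5": set(), "urls": set(), "signatures": set(), "flagged_ips": set()}
    for r in records:
        iocs["md5"].add(r["md5"])
        iocs["urls"].update(r["urls"])
        iocs["signatures"].update(r["ids"])
        iocs["flagged_ips"].update(ip for _, ip, v in map(parse_host, r["hosts"]) if v)
    return iocs


def shared_infrastructure(records):
    """Flagged IP -> MD5s of every sample that contacted it, kept only when more than one did."""
    seen = defaultdict(set)
    for r in records:
        for _, ip, verdict in map(parse_host, r["hosts"]):
            if verdict:
                seen[ip].add(r["md5"])
    return {ip: md5s for ip, md5s in seen.items() if len(md5s) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(sorted(defang(u) for u in extract_iocs(recs)["urls"]))
    print({defang(ip): sorted(m) for ip, m in shared_infrastructure(recs).items()})
```

On the sample the pivot returns a single entry, 94.142.138.111 shared by the 13309 and 13310 hashes. That matches what the listing itself shows: 13309 downloaded /software/Build_2s.exe from that host, and 13310 is a submission of Build_2s.exe, so the two records are one chain rather than two unrelated detections. The photo190.exe record stays separate because its only flagged host, 77.91.124.20, appears in no other sample here.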