#1  2021-04-30 09:48
File: cutscroll.png (MD5 f5c29728fe1f4226a8dc603d788a0a6f)
Tags: PE File, OS Processor Check, PE32, Dridex, TrickBot, Malware, suspicious privilege, Malicious Traffic, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, Kovter, ComputerName, DNS, crashed
URLs (1): https://103.54.41.193/lib90/TEST22-PC_W617601.8F3740811540BBD5131268335F0573AB/5/kps/
IPs (2), flagged malicious: 103.54.41.193; not flagged: 178.134.47.166
ET signature hits (3): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O); ET INFO TLS Handshake Failure
Score: 4.6 | ZeroCERT

#2  2021-07-27 18:01
File: downloaddocument.do (MD5 8dd7c961c9cdbd69e9a5d86d7809fc50)
Tags: Emotet, Malicious Packer, UPX, Malicious Library, PE32, OS Processor Check, DLL, PE File, Dridex, TrickBot, VirusTotal, Malware, Report, PDB, suspicious privilege, MachineGuid, Malicious Traffic, Checks debugger, buffers extracted, ICMP traffic, RWX flags setting, unpack itself, Check virtual network interfaces, suspicious process, Kovter, ComputerName, DNS, crashed
URLs (4):
  https://138.34.28.219/cookiechecker?uri=/rob112/TEST22-PC_W617601.BBA6BBFC307B02B331A6BB3F9DB5CC1F/5/file/ - rule_id: 2675
  https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674
  https://60.51.47.65/rob112/TEST22-PC_W617601.BBA6BBFC307B02B331A6BB3F9DB5CC1F/5/file/
  https://138.34.28.219/index.html - rule_id: 2677
IPs (14), flagged malicious: 185.56.76.28, 38.110.103.18, 38.110.100.142, 204.138.26.60, 68.69.26.182, 217.115.240.248, 38.110.103.124, 38.110.103.136, 60.51.47.65, 97.83.40.67, 38.110.100.104, 185.56.76.94, 138.34.28.219, 24.162.214.166
ET signature hits (5): ET CNC Feodo Tracker Reported CnC Server group 25; ET CNC Feodo Tracker Reported CnC Server group 17; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O); ET CNC Feodo Tracker Reported CnC Server group 16
Rule-matched URLs (3): https://138.34.28.219/cookiechecker; https://138.34.28.219/login.cgi; https://138.34.28.219/index.html
Score: 9.6 | M | 13 | ZeroCERT

#3  2021-07-28 09:45
File: porto.pdf.exe (MD5 8dd7c961c9cdbd69e9a5d86d7809fc50)
Tags: Emotet, Malicious Packer, UPX, Malicious Library, PE32, OS Processor Check, DLL, PE File, Dridex, TrickBot, VirusTotal, Malware, Report, PDB, suspicious privilege, Malicious Traffic, Checks debugger, buffers extracted, RWX flags setting, unpack itself, Check virtual network interfaces, suspicious process, Kovter, ComputerName, DNS, crashed
URLs (4):
  https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674
  https://38.110.100.104/rob112/TEST22-PC_W617601.FFDA4B5123BB5AAFD6D6B3F691D7C683/5/file/
  https://138.34.28.219/index.html - rule_id: 2677
  https://138.34.28.219/cookiechecker?uri=/rob112/TEST22-PC_W617601.FFDA4B5123BB5AAFD6D6B3F691D7C683/5/file/ - rule_id: 2675
IPs (12), flagged malicious: 185.56.76.28, 60.51.47.65, 204.138.26.60, 74.85.157.139, 38.110.103.124, 38.110.103.136, 185.56.76.108, 38.110.100.104, 185.56.76.94, 138.34.28.219, 24.162.214.166; not flagged: 185.56.76.72
ET signature hits (5): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET CNC Feodo Tracker Reported CnC Server group 17; ET CNC Feodo Tracker Reported CnC Server group 22; ET CNC Feodo Tracker Reported CnC Server group 16; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Rule-matched URLs (3): https://138.34.28.219/login.cgi; https://138.34.28.219/index.html; https://138.34.28.219/cookiechecker
Score: 8.8 | M | 21 | guest

#4  2021-08-01 09:30
File: downloaddocument.do (MD5 c0e07efbb0dd361490426661fe992f6f)
Tags: Emotet, Malicious Packer, UPX, Malicious Library, DLL, PE32, PE File, Dridex, TrickBot, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Checks debugger, buffers extracted, RWX flags setting, unpack itself, Check virtual network interfaces, suspicious process, Kovter, ComputerName, DNS
URLs (4):
  https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674
  https://38.110.103.113/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
  https://138.34.28.219/cookiechecker?uri=/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/ - rule_id: 2675
  https://138.34.28.219/index.html - rule_id: 2677
IPs (3), flagged malicious: 38.110.103.113, 138.34.28.219, 80.15.2.105
ET signature hits (2): ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
Rule-matched URLs (3): https://138.34.28.219/login.cgi; https://138.34.28.219/cookiechecker; https://138.34.28.219/index.html
Score: 5.8 | M | 14 | ZeroCERT

#5  2022-01-19 14:00
File: hBDR (MD5 cbca79a4616d16f43d38d6da4e424e81)
Tags: Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, VirusTotal, Malware, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, sandbox evasion, ComputerName, DNS
IPs (13), flagged malicious: 54.38.242.185, 191.252.103.16, 51.210.242.234, 66.42.57.149, 185.148.168.220, 62.171.178.147, 69.16.218.101, 104.131.62.48, 168.197.250.14, 217.182.143.207, 37.44.244.177, 142.4.219.173, 45.138.98.34
Score: 6.4 | M | 12 | ZeroCERT

#6  2022-01-19 17:31
File: AxVZTvof0xPasb9nP (MD5 a3bb2614f2dd81a4420b80f88ffc0dc8)
Tags: Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, VirusTotal, Malware, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, sandbox evasion, ComputerName, DNS
IPs (13), flagged malicious: 54.38.242.185, 191.252.103.16, 51.210.242.234, 66.42.57.149, 185.148.168.220, 62.171.178.147, 69.16.218.101, 104.131.62.48, 168.197.250.14, 217.182.143.207, 37.44.244.177, 142.4.219.173, 45.138.98.34
Score: 6.6 | 21 | ZeroCERT

#7  2022-01-19 17:35
File: 28DnnQ (MD5 8c845dc825ff1726c17890c0295bfd72)
Tags: Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, VirusTotal, Malware, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, sandbox evasion, ComputerName, DNS
IPs (13), flagged malicious: 54.38.242.185, 191.252.103.16, 51.210.242.234, 66.42.57.149, 185.148.168.220, 62.171.178.147, 69.16.218.101, 104.131.62.48, 168.197.250.14, 217.182.143.207, 37.44.244.177, 142.4.219.173, 45.138.98.34
Score: 6.4 | M | 19 | ZeroCERT

#8  2022-01-20 07:54
File: AxVZTvof0xPasb9nP (MD5 81e77ccebc0c638812cd75368710b856)
Tags: Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, VirusTotal, Malware, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, sandbox evasion, ComputerName, DNS
IPs (13), flagged malicious: 54.38.242.185, 191.252.103.16, 51.210.242.234, 66.42.57.149, 185.148.168.220, 62.171.178.147, 69.16.218.101, 104.131.62.48, 168.197.250.14, 217.182.143.207, 37.44.244.177, 142.4.219.173, 45.138.98.34
Score: 6.6 | 21 | ZeroCERT

#9  2022-01-20 09:51
File: invoice.doc (MD5 4925a10905e4df9d65e87afed2d77c45)
Tags: Emotet, Malicious Packer, Malicious Library, UPX, PE64, PE File, DLL, VirusTotal, Malware, Check memory, ICMP traffic, RWX flags setting, unpack itself, Windows utilities, WriteConsoleW, Windows, Remote Code Execution
Score: 3.8 | 2 | ZeroCERT

#10  2022-01-20 10:07
File: image.png (MD5 4925a10905e4df9d65e87afed2d77c45)
Tags: Emotet, Malicious Packer, Malicious Library, UPX, PE64, PE File, DLL, VirusTotal, Malware, Check memory, ICMP traffic, RWX flags setting, unpack itself, Windows utilities, WriteConsoleW, Windows, Remote Code Execution
Score: 3.8 | M | 2 | ZeroCERT

#11  2022-01-21 10:14
File: HyMifM (MD5 5e0566f6d637adbd87305470aa05d9db)
Tags: emotet, Emotet, Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, VirusTotal, Malware, Malicious Traffic, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, ComputerName, Remote Code Execution, DNS
URLs (1): https://216.158.226.206/tGZKQVEPhVnxwfhuDvlpZfGAcjHlERyUyRAYZHoGiHfcxwJmqgiICeJrWs - rule_id: 9429
IPs (30), flagged malicious: 51.38.71.0, 81.0.236.90, 178.63.25.185, 45.118.115.99, 58.227.42.236, 104.251.214.46, 103.75.201.2, 79.172.212.216, 176.104.106.96, 203.114.109.124, 45.118.135.203, 45.176.232.124, 207.38.84.195, 158.69.222.101, 51.68.175.8, 178.79.147.66, 103.8.26.103, 103.8.26.102, 217.182.143.207, 45.142.114.231, 216.158.226.206, 209.59.138.75, 131.100.24.231, 192.254.71.210, 212.237.56.116, 212.237.17.99, 173.212.193.249, 50.116.54.215, 46.55.222.11, 104.168.155.129
Rule-matched URLs: 1
Score: 6.8 | M | 6 | ZeroCERT

#12  2022-01-24 09:32
File: pZMP (MD5 855b6c7b8fd6d8d6ea5e6526b60c5e6f)
Tags: emotet, Emotet, Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, Dridex, TrickBot, VirusTotal, Malware, Report, Malicious Traffic, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, Kovter, ComputerName, Remote Code Execution, DNS
URLs (1): https://216.158.226.206/wIOKnuxdenvY - rule_id: 9429
IPs (30), flagged malicious: 51.38.71.0, 81.0.236.90, 178.63.25.185, 45.118.115.99, 58.227.42.236, 104.251.214.46, 103.75.201.2, 79.172.212.216, 176.104.106.96, 203.114.109.124, 45.118.135.203, 45.176.232.124, 207.38.84.195, 158.69.222.101, 51.68.175.8, 178.79.147.66, 103.8.26.103, 103.8.26.102, 217.182.143.207, 45.142.114.231, 216.158.226.206, 209.59.138.75, 131.100.24.231, 192.254.71.210, 212.237.56.116, 212.237.17.99, 173.212.193.249, 50.116.54.215, 46.55.222.11, 104.168.155.129
ET signature hits (8): ET CNC Feodo Tracker Reported CnC Server group 5; ET CNC Feodo Tracker Reported CnC Server group 14; ET CNC Feodo Tracker Reported CnC Server group 3; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET INFO TLS Handshake Failure; ET CNC Feodo Tracker Reported CnC Server group 19; ET CNC Feodo Tracker Reported CnC Server group 9; ET CNC Feodo Tracker Reported CnC Server group 15
Rule-matched URLs: 1
Score: 7.4 | M | 32 | ZeroCERT

#13  2022-01-24 09:47
File: 0XCIyatvv2fEO60 (MD5 af2501aafd182ef4e0d631a9d7c7e9a6)
Tags: emotet, Emotet, Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, Dridex, TrickBot, VirusTotal, Malware, Report, Malicious Traffic, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, Kovter, ComputerName, Remote Code Execution, DNS
URLs (1): https://216.158.226.206/TbinMujbCpADYUHbogPMyZxrbzXKucqRDwhPKUnoFassdiHzIHppBEcqAkTYhQu - rule_id: 9429
IPs (30), flagged malicious: 51.38.71.0, 81.0.236.90, 178.63.25.185, 45.118.115.99, 58.227.42.236, 104.251.214.46, 103.75.201.2, 79.172.212.216, 176.104.106.96, 203.114.109.124, 45.118.135.203, 45.176.232.124, 207.38.84.195, 158.69.222.101, 51.68.175.8, 178.79.147.66, 103.8.26.103, 103.8.26.102, 217.182.143.207, 45.142.114.231, 216.158.226.206, 209.59.138.75, 131.100.24.231, 192.254.71.210, 212.237.56.116, 212.237.17.99, 173.212.193.249, 50.116.54.215, 46.55.222.11, 104.168.155.129
ET signature hits (8): ET CNC Feodo Tracker Reported CnC Server group 5; ET CNC Feodo Tracker Reported CnC Server group 3; ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET CNC Feodo Tracker Reported CnC Server group 14; ET CNC Feodo Tracker Reported CnC Server group 19; ET CNC Feodo Tracker Reported CnC Server group 9; ET CNC Feodo Tracker Reported CnC Server group 15
Rule-matched URLs: 1
Score: 7.0 | M | 19 | ZeroCERT

#14  2022-01-28 08:04
File: 1taimP6 (MD5 70f2b77936c892f51dbc79e8057f8d70)
Tags: emotet, Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, Dridex, TrickBot, VirusTotal, Malware, Report, Malicious Traffic, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, Kovter, ComputerName, Remote Code Execution, DNS
URLs (1): https://216.158.226.206/zlJRrHbKItyUliCUcWkSYAXbwMYxSDsssiRMqrOGuFclE - rule_id: 9429
IPs (30), flagged malicious: 216.158.226.206, 81.0.236.90, 162.243.175.63, 195.154.133.20, 45.118.115.99, 104.251.214.46, 138.185.72.26, 103.75.201.2, 203.114.109.124, 45.118.135.203, 212.237.5.209, 79.172.212.216, 192.254.71.210, 209.59.138.75, 188.40.137.206, 164.68.99.3, 58.227.42.236, 185.157.82.211, 45.176.232.124, 212.237.17.99, 178.63.25.185, 50.116.54.215, 46.55.222.11; not flagged: 212.24.98.99, 51.15.4.22, 185.157.82.209, 129.232.188.93, 200.17.134.35, 159.8.59.82, 173.214.173.220
ET signature hits (6): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET INFO TLS Handshake Failure; ET CNC Feodo Tracker Reported CnC Server group 17; ET CNC Feodo Tracker Reported CnC Server group 6; ET CNC Feodo Tracker Reported CnC Server group 7; ET CNC Feodo Tracker Reported CnC Server group 13
Rule-matched URLs: 1
Score: 7.0 | M | 19 | ZeroCERT

#15  2022-01-28 11:01
File: c0s13I (MD5 3c1362345e40253964c6c05363812cb3)
Tags: emotet, Malicious Packer, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, Dridex, TrickBot, VirusTotal, Malware, Report, Malicious Traffic, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, Kovter, ComputerName, Remote Code Execution, DNS
URLs (1): https://216.158.226.206/zlJRrHbKItyUliCUcWkSYAXbwMYxSDsssiRMqrOGuFclE - rule_id: 9429
IPs (26), flagged malicious: 81.0.236.90, 162.243.175.63, 195.154.133.20, 45.118.115.99, 212.237.5.209, 104.251.214.46, 138.185.72.26, 103.75.201.2, 45.118.135.203, 45.176.232.124, 79.172.212.216, 192.254.71.210, 209.59.138.75, 188.40.137.206, 216.158.226.206, 58.227.42.236, 185.157.82.211, 178.63.25.185, 46.55.222.11; not flagged: 212.24.98.99, 51.15.4.22, 185.157.82.209, 129.232.188.93, 200.17.134.35, 159.8.59.82, 173.214.173.220
ET signature hits (5): ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET CNC Feodo Tracker Reported CnC Server group 6; ET CNC Feodo Tracker Reported CnC Server group 17; ET CNC Feodo Tracker Reported CnC Server group 13
Rule-matched URLs: 1
Score: 7.0 | M | 18 | ZeroCERT
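Added example, not code from the listing site: a parser for the flattened record format above that turns the URL, IP and ET-alert columns into cross-report IOCs (which flagged IPs recur across reports, which hosts matched which rule_id, and the distinct check-in paths once the per-run path segment is masked). The three input records are constructed from entries #2, #3 and #4 of the listing and kept in the page's own flattened form, including its "mailcious" spelling. Treating the 32-hex path segment as a per-run identifier is an assumption; the only support on the page is that entries #2 and #3 share an MD5 but carry different segments.

```python
"""Parse flattened sandbox listing records into cross-report IOCs (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed input: three records transcribed from the listing (entries #2, #3, #4),
# one dict per report, columns kept in the page's flattened form.
SAMPLE_RECORDS = [
    {
        "md5": "8dd7c961c9cdbd69e9a5d86d7809fc50",
        "urls": "https://138.34.28.219/cookiechecker?uri=/rob112/TEST22-PC_W617601."
                "BBA6BBFC307B02B331A6BB3F9DB5CC1F/5/file/ - rule_id: 2675 "
                "https://60.51.47.65/rob112/TEST22-PC_W617601.BBA6BBFC307B02B331A6BB3F9DB5CC1F/5/file/ "
                "https://138.34.28.219/index.html - rule_id: 2677",
        "ips": "185.56.76.28 - mailcious 60.51.47.65 - mailcious 138.34.28.219 - mailcious",
        "alerts": "ET CNC Feodo Tracker Reported CnC Server group 25 "
                  "ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex "
                  "ET INFO TLS Handshake Failure",
    },
    {   # same MD5 resubmitted under another file name; the path segment changed
        "md5": "8dd7c961c9cdbd69e9a5d86d7809fc50",
        "urls": "https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674 "
                "https://138.34.28.219/cookiechecker?uri=/rob112/TEST22-PC_W617601."
                "FFDA4B5123BB5AAFD6D6B3F691D7C683/5/file/ - rule_id: 2675",
        "ips": "185.56.76.28 - mailcious 185.56.76.72 138.34.28.219 - mailcious",
        "alerts": "ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex "
                  "ET CNC Feodo Tracker Reported CnC Server group 17",
    },
    {
        "md5": "c0e07efbb0dd361490426661fe992f6f",
        "urls": "https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674 "
                "https://38.110.103.113/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/",
        "ips": "38.110.103.113 - mailcious 138.34.28.219 - mailcious 80.15.2.105 - mailcious",
        "alerts": "ET INFO TLS Handshake Failure "
                  "ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex",
    },
]

# The site's flag is spelled "mailcious"; accept the correct spelling too.
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(\s*-\s*ma(?:il|li)cious)?")
URL_RE = re.compile(r"(https?://\S+)(?:\s*-\s*rule_id:\s*(\d+))?")
# Every alert name starts with "ET <CATEGORY> "; split on that boundary.
ALERT_RE = re.compile(r"ET [A-Z0-9]+ .+?(?= ET [A-Z0-9]+ |\Z)")
# Assumption: the 32-hex segment after a host-like token is a per-run identifier.
RUN_ID_RE = re.compile(r"/([^/]+?)\.[0-9A-Fa-f]{32}/")


def parse_ips(column):
    """'a - mailcious b' -> [('a', True), ('b', False)]; True = site flagged it."""
    return [(ip, bool(flag)) for ip, flag in IP_RE.findall(column)]


def parse_urls(column):
    """Return (url, rule_id) pairs; rule_id is None when no rule matched the URL."""
    return [(url, int(rid) if rid else None) for url, rid in URL_RE.findall(column)]


def parse_alerts(column):
    """Split a run of ET signature names into a list."""
    return [a.strip() for a in ALERT_RE.findall(column)]


def normalize_url(url):
    """Mask the per-run ID so the same check-in path compares equal across runs."""
    return RUN_ID_RE.sub(r"/\1.<ID>/", url)


def extract_iocs(records):
    """Aggregate across reports: reports per flagged IP, rule IDs per host,
    normalized URL paths and the distinct alert names."""
    ip_reports = Counter()
    rule_hosts = {}
    paths, alerts = set(), set()
    for rec in records:
        # Count an IP once per report, not once per mention.
        ip_reports.update({ip for ip, flagged in parse_ips(rec["ips"]) if flagged})
        for url, rid in parse_urls(rec["urls"]):
            paths.add(normalize_url(url))
            if rid is not None:
                rule_hosts.setdefault(urlparse(url).hostname, set()).add(rid)
        alerts.update(parse_alerts(rec["alerts"]))
    return {"ip_reports": ip_reports, "rule_hosts": rule_hosts,
            "paths": sorted(paths), "alerts": sorted(alerts)}


def recurring_ips(records, min_reports=2):
    """Flagged IPs seen in at least min_reports reports: block these first."""
    counts = extract_iocs(records)["ip_reports"]
    return sorted(ip for ip, n in counts.items() if n >= min_reports)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_RECORDS)
    for ip in recurring_ips(SAMPLE_RECORDS):
        print(f"{ip}\tflagged in {iocs['ip_reports'][ip]} reports")
    for host, rids in iocs["rule_hosts"].items():
        print(f"{host}\trules {sorted(rids)}")
    print("\n".join(iocs["paths"]))
```

Counting an IP once per report rather than once per mention matters when the same sample is submitted several times (entries #2 and #3, #6 and #8, #9 and #10 above share MD5s), otherwise duplicate submissions inflate the count. The `- mailcious` flag is the listing's own verdict; the ET "Feodo Tracker" hits are the independent signal that the IP was on a C2 list at analysis time.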