| 1 |
2021-04-30 09:48
|
 cutscroll.png f5c29728fe1f4226a8dc603d788a0a6f
PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://103.54.41.193/lib90/TEST22-PC_W617601.8F3740811540BBD5131268335F0573AB/5/kps/
|
2
103.54.41.193 - mailcious
178.134.47.166
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2021-07-27 18:01
|
 downloaddocument.do 8dd7c961c9cdbd69e9a5d86d7809fc50
Emotet Malicious Packer UPX Malicious Library PE32 OS Processor Check DLL PE File Dridex TrickBot VirusTotal Malware Report PDB suspicious privilege MachineGuid Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
4
https://138.34.28.219/cookiechecker?uri=/rob112/TEST22-PC_W617601.BBA6BBFC307B02B331A6BB3F9DB5CC1F/5/file/ - rule_id: 2675
https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674
https://60.51.47.65/rob112/TEST22-PC_W617601.BBA6BBFC307B02B331A6BB3F9DB5CC1F/5/file/
https://138.34.28.219/index.html - rule_id: 2677
|
14
185.56.76.28 - mailcious
38.110.103.18 - mailcious
38.110.100.142 - mailcious
204.138.26.60 - mailcious
68.69.26.182 - mailcious
217.115.240.248 - mailcious
38.110.103.124 - mailcious
38.110.103.136 - mailcious
60.51.47.65 - mailcious
97.83.40.67 - mailcious
38.110.100.104 - mailcious
185.56.76.94 - mailcious
138.34.28.219 - mailcious
24.162.214.166 - mailcious
|
5
ET CNC Feodo Tracker Reported CnC Server group 25
ET CNC Feodo Tracker Reported CnC Server group 17
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 16
|
3
https://138.34.28.219/cookiechecker
https://138.34.28.219/login.cgi
https://138.34.28.219/index.html
|
9.6 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2021-07-28 09:45
|
 porto.pdf.exe 8dd7c961c9cdbd69e9a5d86d7809fc50
Emotet Malicious Packer UPX Malicious Library PE32 OS Processor Check DLL PE File Dridex TrickBot VirusTotal Malware Report PDB suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
4
https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674
https://38.110.100.104/rob112/TEST22-PC_W617601.FFDA4B5123BB5AAFD6D6B3F691D7C683/5/file/
https://138.34.28.219/index.html - rule_id: 2677
https://138.34.28.219/cookiechecker?uri=/rob112/TEST22-PC_W617601.FFDA4B5123BB5AAFD6D6B3F691D7C683/5/file/ - rule_id: 2675
|
12
185.56.76.28 - mailcious
60.51.47.65 - mailcious
204.138.26.60 - mailcious
74.85.157.139 - mailcious
38.110.103.124 - mailcious
38.110.103.136 - mailcious
185.56.76.108 - mailcious
185.56.76.72
38.110.100.104 - mailcious
185.56.76.94 - mailcious
138.34.28.219 - mailcious
24.162.214.166 - mailcious
|
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 22
ET CNC Feodo Tracker Reported CnC Server group 16
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
3
https://138.34.28.219/login.cgi
https://138.34.28.219/index.html
https://138.34.28.219/cookiechecker
|
8.8 |
M |
21 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2021-08-01 09:30
|
 downloaddocument.do c0e07efbb0dd361490426661fe992f6f
Emotet Malicious Packer UPX Malicious Library DLL PE32 PE File Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS |
4
https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674
https://38.110.103.113/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
https://138.34.28.219/cookiechecker?uri=/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/ - rule_id: 2675
https://138.34.28.219/index.html - rule_id: 2677
|
3
38.110.103.113 - mailcious
138.34.28.219 - mailcious
80.15.2.105 - mailcious
|
2
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
|
3
https://138.34.28.219/login.cgi
https://138.34.28.219/cookiechecker
https://138.34.28.219/index.html
|
5.8 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2022-01-19 14:00
|
 hBDR cbca79a4616d16f43d38d6da4e424e81
Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion ComputerName DNS |
|
13
54.38.242.185 - mailcious
191.252.103.16 - mailcious
51.210.242.234 - mailcious
66.42.57.149 - mailcious
185.148.168.220 - mailcious
62.171.178.147 - mailcious
69.16.218.101 - mailcious
104.131.62.48 - mailcious
168.197.250.14 - mailcious
217.182.143.207 - mailcious
37.44.244.177 - mailcious
142.4.219.173 - mailcious
45.138.98.34 - mailcious
|
|
|
6.4 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2022-01-19 17:31
|
 AxVZTvof0xPasb9nP a3bb2614f2dd81a4420b80f88ffc0dc8
Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion ComputerName DNS |
|
13
54.38.242.185 - mailcious
191.252.103.16 - mailcious
51.210.242.234 - mailcious
66.42.57.149 - mailcious
185.148.168.220 - mailcious
62.171.178.147 - mailcious
69.16.218.101 - mailcious
104.131.62.48 - mailcious
168.197.250.14 - mailcious
217.182.143.207 - mailcious
37.44.244.177 - mailcious
142.4.219.173 - mailcious
45.138.98.34 - mailcious
|
|
|
6.6 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2022-01-19 17:35
|
 28DnnQ 8c845dc825ff1726c17890c0295bfd72
Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion ComputerName DNS |
|
13
54.38.242.185 - mailcious
191.252.103.16 - mailcious
51.210.242.234 - mailcious
66.42.57.149 - mailcious
185.148.168.220 - mailcious
62.171.178.147 - mailcious
69.16.218.101 - mailcious
104.131.62.48 - mailcious
168.197.250.14 - mailcious
217.182.143.207 - mailcious
37.44.244.177 - mailcious
142.4.219.173 - mailcious
45.138.98.34 - mailcious
|
|
|
6.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2022-01-20 07:54
|
 AxVZTvof0xPasb9nP 81e77ccebc0c638812cd75368710b856
Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion ComputerName DNS |
|
13
54.38.242.185 - mailcious
191.252.103.16 - mailcious
51.210.242.234 - mailcious
66.42.57.149 - mailcious
185.148.168.220 - mailcious
62.171.178.147 - mailcious
69.16.218.101 - mailcious
104.131.62.48 - mailcious
168.197.250.14 - mailcious
217.182.143.207 - mailcious
37.44.244.177 - mailcious
142.4.219.173 - mailcious
45.138.98.34 - mailcious
|
|
|
6.6 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2022-01-20 09:51
|
 invoice.doc 4925a10905e4df9d65e87afed2d77c45
Emotet Malicious Packer Malicious Library UPX PE64 PE File DLL VirusTotal Malware Check memory ICMP traffic RWX flags setting unpack itself Windows utilities WriteConsoleW Windows Remote Code Execution |
|
|
|
|
3.8 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2022-01-20 10:07
|
 image.png 4925a10905e4df9d65e87afed2d77c45
Emotet Malicious Packer Malicious Library UPX PE64 PE File DLL VirusTotal Malware Check memory ICMP traffic RWX flags setting unpack itself Windows utilities WriteConsoleW Windows Remote Code Execution |
|
|
|
|
3.8 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2022-01-21 10:14
|
 HyMifM 5e0566f6d637adbd87305470aa05d9db
emotet Emotet Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Malicious Traffic Checks debugger ICMP traffic RWX flags setting unpack itself ComputerName Remote Code Execution DNS |
1
https://216.158.226.206/tGZKQVEPhVnxwfhuDvlpZfGAcjHlERyUyRAYZHoGiHfcxwJmqgiICeJrWs - rule_id: 9429
|
30
51.38.71.0 - mailcious
81.0.236.90 - mailcious
178.63.25.185 - mailcious
45.118.115.99 - mailcious
58.227.42.236 - mailcious
104.251.214.46 - mailcious
103.75.201.2 - mailcious
79.172.212.216 - mailcious
176.104.106.96 - mailcious
203.114.109.124 - mailcious
45.118.135.203 - mailcious
45.176.232.124 - mailcious
207.38.84.195 - mailcious
158.69.222.101 - mailcious
51.68.175.8 - mailcious
178.79.147.66 - mailcious
103.8.26.103 - mailcious
103.8.26.102 - mailcious
217.182.143.207 - mailcious
45.142.114.231 - mailcious
216.158.226.206 - mailcious
209.59.138.75 - mailcious
131.100.24.231 - mailcious
192.254.71.210 - mailcious
212.237.56.116 - mailcious
212.237.17.99 - mailcious
173.212.193.249 - mailcious
50.116.54.215 - mailcious
46.55.222.11 - mailcious
104.168.155.129 - mailcious
|
|
1
|
6.8 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2022-01-24 09:32
|
 pZMP 855b6c7b8fd6d8d6ea5e6526b60c5e6f
emotet Emotet Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Malicious Traffic Checks debugger ICMP traffic RWX flags setting unpack itself Kovter ComputerName Remote Code Execution DNS |
1
https://216.158.226.206/wIOKnuxdenvY - rule_id: 9429
|
30
51.38.71.0 - mailcious
81.0.236.90 - mailcious
178.63.25.185 - mailcious
45.118.115.99 - mailcious
58.227.42.236 - mailcious
104.251.214.46 - mailcious
103.75.201.2 - mailcious
79.172.212.216 - mailcious
176.104.106.96 - mailcious
203.114.109.124 - mailcious
45.118.135.203 - mailcious
45.176.232.124 - mailcious
207.38.84.195 - mailcious
158.69.222.101 - mailcious
51.68.175.8 - mailcious
178.79.147.66 - mailcious
103.8.26.103 - mailcious
103.8.26.102 - mailcious
217.182.143.207 - mailcious
45.142.114.231 - mailcious
216.158.226.206 - mailcious
209.59.138.75 - mailcious
131.100.24.231 - mailcious
192.254.71.210 - mailcious
212.237.56.116 - mailcious
212.237.17.99 - mailcious
173.212.193.249 - mailcious
50.116.54.215 - mailcious
46.55.222.11 - mailcious
104.168.155.129 - mailcious
|
8
ET CNC Feodo Tracker Reported CnC Server group 5
ET CNC Feodo Tracker Reported CnC Server group 14
ET CNC Feodo Tracker Reported CnC Server group 3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 19
ET CNC Feodo Tracker Reported CnC Server group 9
ET CNC Feodo Tracker Reported CnC Server group 15
|
1
|
7.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2022-01-24 09:47
|
 0XCIyatvv2fEO60 af2501aafd182ef4e0d631a9d7c7e9a6
emotet Emotet Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Malicious Traffic Checks debugger ICMP traffic RWX flags setting unpack itself Kovter ComputerName Remote Code Execution DNS |
1
https://216.158.226.206/TbinMujbCpADYUHbogPMyZxrbzXKucqRDwhPKUnoFassdiHzIHppBEcqAkTYhQu - rule_id: 9429
|
30
51.38.71.0 - mailcious
81.0.236.90 - mailcious
178.63.25.185 - mailcious
45.118.115.99 - mailcious
58.227.42.236 - mailcious
104.251.214.46 - mailcious
103.75.201.2 - mailcious
79.172.212.216 - mailcious
176.104.106.96 - mailcious
203.114.109.124 - mailcious
45.118.135.203 - mailcious
45.176.232.124 - mailcious
207.38.84.195 - mailcious
158.69.222.101 - mailcious
51.68.175.8 - mailcious
178.79.147.66 - mailcious
103.8.26.103 - mailcious
103.8.26.102 - mailcious
217.182.143.207 - mailcious
45.142.114.231 - mailcious
216.158.226.206 - mailcious
209.59.138.75 - mailcious
131.100.24.231 - mailcious
192.254.71.210 - mailcious
212.237.56.116 - mailcious
212.237.17.99 - mailcious
173.212.193.249 - mailcious
50.116.54.215 - mailcious
46.55.222.11 - mailcious
104.168.155.129 - mailcious
|
8
ET CNC Feodo Tracker Reported CnC Server group 5
ET CNC Feodo Tracker Reported CnC Server group 3
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 14
ET CNC Feodo Tracker Reported CnC Server group 19
ET CNC Feodo Tracker Reported CnC Server group 9
ET CNC Feodo Tracker Reported CnC Server group 15
|
1
|
7.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2022-01-28 08:04
|
 1taimP6 70f2b77936c892f51dbc79e8057f8d70
emotet Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Malicious Traffic Checks debugger ICMP traffic RWX flags setting unpack itself Kovter ComputerName Remote Code Execution DNS |
1
https://216.158.226.206/zlJRrHbKItyUliCUcWkSYAXbwMYxSDsssiRMqrOGuFclE - rule_id: 9429
|
30
216.158.226.206 - mailcious
81.0.236.90 - mailcious
162.243.175.63 - mailcious
195.154.133.20 - mailcious
45.118.115.99 - mailcious
212.24.98.99
104.251.214.46 - mailcious
138.185.72.26 - mailcious
51.15.4.22
103.75.201.2 - mailcious
185.157.82.209
203.114.109.124 - mailcious
45.118.135.203 - mailcious
212.237.5.209 - mailcious
79.172.212.216 - mailcious
192.254.71.210 - mailcious
129.232.188.93
209.59.138.75 - mailcious
188.40.137.206 - mailcious
164.68.99.3 - mailcious
200.17.134.35
159.8.59.82
58.227.42.236 - mailcious
185.157.82.211 - mailcious
45.176.232.124 - mailcious
212.237.17.99 - mailcious
178.63.25.185 - mailcious
50.116.54.215 - mailcious
46.55.222.11 - mailcious
173.214.173.220
|
6
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 6
ET CNC Feodo Tracker Reported CnC Server group 7
ET CNC Feodo Tracker Reported CnC Server group 13
|
1
|
7.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2022-01-28 11:01
|
 c0s13I 3c1362345e40253964c6c05363812cb3
emotet Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Malicious Traffic Checks debugger ICMP traffic RWX flags setting unpack itself Kovter ComputerName Remote Code Execution DNS |
1
https://216.158.226.206/zlJRrHbKItyUliCUcWkSYAXbwMYxSDsssiRMqrOGuFclE - rule_id: 9429
|
26
81.0.236.90 - mailcious
162.243.175.63 - mailcious
195.154.133.20 - mailcious
45.118.115.99 - mailcious
212.24.98.99
212.237.5.209 - mailcious
104.251.214.46 - mailcious
138.185.72.26 - mailcious
51.15.4.22
103.75.201.2 - mailcious
185.157.82.209
45.118.135.203 - mailcious
45.176.232.124 - mailcious
79.172.212.216 - mailcious
192.254.71.210 - mailcious
129.232.188.93
209.59.138.75 - mailcious
188.40.137.206 - mailcious
200.17.134.35
216.158.226.206 - mailcious
159.8.59.82
58.227.42.236 - mailcious
185.157.82.211 - mailcious
178.63.25.185 - mailcious
46.55.222.11 - mailcious
173.214.173.220
|
5
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 6
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 13
|
1
|
7.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|