| 136 |
2021-05-18 09:19
|
 file4.exe 3795c43b2e06e15edb01a8a237243b08
AgentTesla PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework BitCoin browser info stealer Google Chrome User Data DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal cr VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows ComputerName DNS crashed |
16
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAUwi3asLhWylyD7Q5X2Xzg%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836
http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0YTM4MzN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ - rule_id: 836
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA%2BoSQYV1wCgviF2%2FcXsbb0%3D
https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe
https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe
|
9
ocsp.digicert.com(117.18.237.29)
api.faceit.com(104.17.63.50)
ipinfo.io(34.117.59.81)
cdn.discordapp.com(162.159.129.233) - malware
117.18.237.29
162.159.129.233 - malware
82.146.59.236 - mailcious
104.17.62.50
34.117.59.81
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
3
http://82.146.59.236/processorDefault.php
http://82.146.59.236/processorDefault.php
http://82.146.59.236/processorDefault.php
|
12.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 137 |
2021-05-18 09:27
|
 customer2.exe 6d7603e4fd4d633cae7eaee0f1029a17
Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution |
4
http://uyg5wye.2ihsfa.com/api/fbtime
http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc
http://ip-api.com/json/
https://www.facebook.com/
|
6
uyg5wye.2ihsfa.com(88.218.92.148)
www.facebook.com(157.240.215.35)
ip-api.com(208.95.112.1)
157.240.215.35
208.95.112.1
88.218.92.148 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
|
|
6.4 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 138 |
2021-05-18 09:38
|
 Optimize.facebook.ads.exe a5292f2ae50ae5ca63dd1ae659548c28
PE File OS Processor Check PE32 VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
2.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 139 |
2021-05-18 09:38
|
 Trinity-Miner_1.exe 3db9825a26cbb1f4bffd62194c5c52cc
AsyncRAT backdoor .NET EXE PE File OS Processor Check PE32 PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Auto service Check virtual network interfaces Windows ComputerName Firmware DNS |
|
2
pool.supportxmr.com(94.23.23.52) - mailcious
37.187.95.110
|
|
|
6.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 140 |
2021-05-18 09:56
|
 27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16
PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder sandbox evasion IP Check DNS |
3
http://ol.gamegame.info/report7.4.php
http://ip-api.com/json/?fields=8198
http://iw.gamegame.info/report7.4.php
|
7
email.yg9.me(198.13.62.186)
iw.gamegame.info(172.67.200.215)
ol.gamegame.info(104.21.21.221)
ip-api.com(208.95.112.1)
198.13.62.186
208.95.112.1
172.67.200.215
|
2
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
ET POLICY External IP Lookup ip-api.com
|
|
8.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 141 |
2021-05-18 09:57
|
 CBCbrowser.exe 5cdf8ce1bcc26bf8473f09447cfa0c47
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 MSOffice File Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed |
5
http://87.251.71.193//
https://iplogger.org/1uP9s7
https://42nn.hellomir.ru/SystemServiceModelChannelsHttpInput54082
https://iplogger.org/favicon.ico
https://api.ip.sb/geoip
|
8
api.ip.sb(172.67.75.172)
42nn.hellomir.ru(217.107.34.191)
iplogger.org(88.99.66.31) - mailcious
87.251.71.193
88.99.66.31 - mailcious
104.26.13.31
37.187.95.110
217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
12.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 142 |
2021-05-18 16:20
|
 27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16
Generic Malware PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check |
3
http://ol.gamegame.info/report7.4.php
http://ip-api.com/json/?fields=8198
http://iw.gamegame.info/report7.4.php
|
8
email.yg9.me(198.13.62.186)
iw.gamegame.info(172.67.200.215)
ol.gamegame.info(104.21.21.221)
ip-api.com(208.95.112.1)
198.13.62.186
208.95.112.1
104.21.21.221
172.67.200.215
|
1
ET POLICY External IP Lookup ip-api.com
|
|
8.4 |
M |
37 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 143 |
2021-05-18 17:37
|
 Optimize.facebook.ads.exe a5292f2ae50ae5ca63dd1ae659548c28
Generic Malware PE File OS Processor Check PE32 VirusTotal Malware unpack itself crashed |
|
|
|
|
2.2 |
M |
35 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 144 |
2021-05-19 13:26
|
 wpp.exe 055c79de6e3f255beade0b35a0a2cd17
PE64 PE File OS Processor Check VirusTotal Malware PDB RWX flags setting unpack itself crashed |
|
|
|
|
2.0 |
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 145 |
2021-05-19 13:30
|
 FT_F.exe b423749c0dbdc698c0af44114a76a36d
Gen1 Gen2 Anti_VM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Malicious Traffic Check memory Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare AppData folder sandbox evasion VMware anti-virtualization installed browsers check Ransomware Windows Browser Email ComputerName Firmware DNS DDNS Software crashed |
1
http://securityiccbba.ddns.net/PL341/index.php
|
2
securityiccbba.ddns.net(3.142.52.237) - malware
3.142.52.237 - malware
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET MALWARE AZORult v3.3 Server Response M3
|
|
14.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 146 |
2021-05-19 13:31
|
 paypal.exe c436b9b71dd9f9bd7872f288fd632fb8
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName crashed |
|
|
|
|
3.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 147 |
2021-05-19 13:45
|
 1.exe 296546fc0093734f42dfa96729643b86
Anti_VM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
http://3.22.172.216:64155//
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
104.26.12.31
3.22.172.216
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
10.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 148 |
2021-05-19 13:54
|
 GP_F.exe 024e33b8a7f7c5a5791d00422ed4a21a
PE File PE32 VirusTotal Malware unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware DNS crashed |
|
1
|
|
|
6.8 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 149 |
2021-05-20 09:28
|
 n8wwj8ZL6Q34VkW.exe c2eed737336b1194cd3297da7dee1128
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
3.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 150 |
2021-05-20 09:33
|
 FD1.exe 36f95f7e28e486ef9f48990e23a71ab0
Gen2 PE64 PE File OS Processor Check VirusTotal Malware PDB RWX flags setting unpack itself DNS crashed |
|
|
|
|
2.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|