136 |
2021-05-18 09:19
|
file4.exe 3795c43b2e06e15edb01a8a237243b08 AgentTesla PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework BitCoin browser info stealer Google Chrome User Data DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal cr VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows ComputerName DNS crashed |
16
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAUwi3asLhWylyD7Q5X2Xzg%3D http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836 http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0YTM4MzN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ - rule_id: 836 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836 
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA%2BoSQYV1wCgviF2%2FcXsbb0%3D https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe
|
9
ocsp.digicert.com(117.18.237.29) api.faceit.com(104.17.63.50) ipinfo.io(34.117.59.81) cdn.discordapp.com(162.159.129.233) - malware 117.18.237.29 162.159.129.233 - malware 82.146.59.236 - mailcious 104.17.62.50 34.117.59.81
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
3
http://82.146.59.236/processorDefault.php http://82.146.59.236/processorDefault.php http://82.146.59.236/processorDefault.php
|
12.6 |
M |
24 |
ZeroCERT
137 |
2021-05-18 09:27
|
customer2.exe 6d7603e4fd4d633cae7eaee0f1029a17 Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution |
4
http://uyg5wye.2ihsfa.com/api/fbtime http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc http://ip-api.com/json/ https://www.facebook.com/
|
6
uyg5wye.2ihsfa.com(88.218.92.148) www.facebook.com(157.240.215.35) ip-api.com(208.95.112.1) 157.240.215.35 208.95.112.1 88.218.92.148 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
|
|
6.4 |
M |
59 |
ZeroCERT
138 |
2021-05-18 09:38
|
Optimize.facebook.ads.exe a5292f2ae50ae5ca63dd1ae659548c28 PE File OS Processor Check PE32 VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
2.4 |
|
35 |
ZeroCERT
139 |
2021-05-18 09:38
|
Trinity-Miner_1.exe 3db9825a26cbb1f4bffd62194c5c52cc AsyncRAT backdoor .NET EXE PE File OS Processor Check PE32 PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Auto service Check virtual network interfaces Windows ComputerName Firmware DNS |
|
2
pool.supportxmr.com(94.23.23.52) - mailcious 37.187.95.110
|
|
|
6.6 |
M |
49 |
ZeroCERT
140 |
2021-05-18 09:56
|
27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16 PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder sandbox evasion IP Check DNS |
3
http://ol.gamegame.info/report7.4.php http://ip-api.com/json/?fields=8198 http://iw.gamegame.info/report7.4.php
|
7
email.yg9.me(198.13.62.186) iw.gamegame.info(172.67.200.215) ol.gamegame.info(104.21.21.221) ip-api.com(208.95.112.1) 198.13.62.186 208.95.112.1 172.67.200.215
|
2
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set ET POLICY External IP Lookup ip-api.com
|
|
8.4 |
M |
26 |
ZeroCERT
141 |
2021-05-18 09:57
|
CBCbrowser.exe 5cdf8ce1bcc26bf8473f09447cfa0c47 AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 MSOffice File Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed |
5
http://87.251.71.193// https://iplogger.org/1uP9s7 https://42nn.hellomir.ru/SystemServiceModelChannelsHttpInput54082 https://iplogger.org/favicon.ico https://api.ip.sb/geoip
|
8
api.ip.sb(172.67.75.172) 42nn.hellomir.ru(217.107.34.191) iplogger.org(88.99.66.31) - mailcious 87.251.71.193 88.99.66.31 - mailcious 104.26.13.31 37.187.95.110 217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
12.8 |
M |
|
ZeroCERT
142 |
2021-05-18 16:20
|
27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16 Generic Malware PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check |
3
http://ol.gamegame.info/report7.4.php http://ip-api.com/json/?fields=8198 http://iw.gamegame.info/report7.4.php
|
8
email.yg9.me(198.13.62.186) iw.gamegame.info(172.67.200.215) ol.gamegame.info(104.21.21.221) ip-api.com(208.95.112.1) 198.13.62.186 208.95.112.1 104.21.21.221 172.67.200.215
|
1
ET POLICY External IP Lookup ip-api.com
|
|
8.4 |
M |
37 |
r0d
143 |
2021-05-18 17:37
|
Optimize.facebook.ads.exe a5292f2ae50ae5ca63dd1ae659548c28 Generic Malware PE File OS Processor Check PE32 VirusTotal Malware unpack itself crashed |
|
|
|
|
2.2 |
M |
35 |
r0d
144 |
2021-05-19 13:26
|
wpp.exe 055c79de6e3f255beade0b35a0a2cd17 PE64 PE File OS Processor Check VirusTotal Malware PDB RWX flags setting unpack itself crashed |
|
|
|
|
2.0 |
|
9 |
ZeroCERT
145 |
2021-05-19 13:30
|
FT_F.exe b423749c0dbdc698c0af44114a76a36d Gen1 Gen2 Anti_VM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Malicious Traffic Check memory Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare AppData folder sandbox evasion VMware anti-virtualization installed browsers check Ransomware Windows Browser Email ComputerName Firmware DNS DDNS Software crashed |
1
http://securityiccbba.ddns.net/PL341/index.php
|
2
securityiccbba.ddns.net(3.142.52.237) - malware 3.142.52.237 - malware
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE AZORult v3.3 Server Response M3
|
|
14.4 |
M |
30 |
ZeroCERT
146 |
2021-05-19 13:31
|
paypal.exe c436b9b71dd9f9bd7872f288fd632fb8 AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName crashed |
|
|
|
|
3.2 |
M |
37 |
ZeroCERT
147 |
2021-05-19 13:45
|
1.exe 296546fc0093734f42dfa96729643b86 Anti_VM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
http://3.22.172.216:64155// https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172) 104.26.12.31 3.22.172.216
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
10.0 |
M |
28 |
ZeroCERT
148 |
2021-05-19 13:54
|
GP_F.exe 024e33b8a7f7c5a5791d00422ed4a21a PE File PE32 VirusTotal Malware unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware DNS crashed |
|
1
|
|
|
6.8 |
M |
32 |
ZeroCERT
149 |
2021-05-20 09:28
|
n8wwj8ZL6Q34VkW.exe c2eed737336b1194cd3297da7dee1128 PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
3.0 |
M |
32 |
ZeroCERT
150 |
2021-05-20 09:33
|
FD1.exe 36f95f7e28e486ef9f48990e23a71ab0 Gen2 PE64 PE File OS Processor Check VirusTotal Malware PDB RWX flags setting unpack itself DNS crashed |
|
|
|
|
2.8 |
|
5 |
ZeroCERT