| 10066 |
2021-05-05 20:18
|
 XHG.exe 56626bf21f8de8d051d744973cb2566c
.NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.4 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10067 |
2021-05-05 20:18
|
 WSH.exe 2c853d07d7708161ce87c0f32fd338d4
DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed |
|
3
wazzy131.ddns.net(105.112.150.127)
194.5.98.16
105.112.150.127
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
15.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10068 |
2021-05-05 20:17
|
 MLY.exe 322acea28d5d3b6a4172d4ff76350629
DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName Cryptographic key crashed |
|
2
ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu(172.94.16.27) - mailcious
172.94.16.27
|
|
|
12.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10069 |
2021-05-05 10:26
|
 so.exe 5551346aa9f251895021b95a2a7cc390
AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows DNS Cryptographic key crashed |
4
http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1620177616&mv=m&mvi=2&pl=18&shardbypass=yes
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:2334453020&cup2hreq=0bff70b51a7bc59bc98bac3f6279a8763181015d48a5d097a178008b647ae880
|
3
r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
142.250.66.99
211.114.66.77
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
10.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10070 |
2021-05-05 10:21
|
 vbc.exe 40b7776a47fc1062ec85c3e31c91eb81
AsyncRAT backdoor PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
3.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10071 |
2021-05-05 10:19
|
 mad.exe d96f52fc8733d2f4a127bdc44d4ceb25
Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
|
|
|
16.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10072 |
2021-05-05 10:16
|
 Ll2LxWOagynlSgJ.exe 9dfaa6afc47f0bf01155b7f8253f719b
AsyncRAT backdoor PWS .NET framework Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
12.4 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10073 |
2021-05-05 10:14
|
 krerb.exe 1c74d51a1d7177bf9b23f6a567adc047
PE64 OS Processor Check PE File VirusTotal Malware unpack itself ComputerName |
|
|
|
|
2.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10074 |
2021-05-05 10:14
|
 teret.exe 43de3367faeffa04f28ad1e3e1f154eb
PE64 PE File VirusTotal Malware unpack itself DNS crashed |
|
|
|
|
1.8 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10075 |
2021-05-05 10:10
|
 ashleyx.exe 34d4452c1b344685e3f5fd7d0e9640a1
PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
|
|
|
|
8.8 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10076 |
2021-05-04 18:27
|
 Sample.exe ee7c05c530262450d2c5ace98ebbf8bc
PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
8.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10077 |
2021-05-04 18:22
|
 arinzex.exe b61fa321f22d56553ab37916d973cf4e
Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
13.4 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10078 |
2021-05-04 14:13
|
 p.exe ee0a1ec859b753abc30847157d81f37c
Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic ICMP traffic Disables Windows Security Check virtual network interfaces Firewall state off Kovter Windows Tor DNS Cryptographic key |
4
http://api.wipmania.com/
http://94.16.114.105:8080/tor/status-vote/current/consensus.z
http://185.215.113.93/cc11 - rule_id: 1276
http://199.58.81.140/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z
|
11
api.wipmania.com(212.83.168.196)
212.83.168.196
144.217.207.3
95.217.42.50
213.32.71.116
199.58.81.140
51.15.42.19
195.176.3.20
185.215.113.93 - malware
154.35.175.225 - mailcious
94.16.114.105
|
11
ET POLICY External IP Lookup Attempt To Wipmania
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185
SURICATA HTTP gzip decompression failed
ET P2P Tor Get Server Request
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 332
ET POLICY TOR Consensus Data Requested
ET TOR Known Tor Exit Node Traffic group 52
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52
|
1
http://185.215.113.93/cc11
|
10.8 |
M |
45 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10079 |
2021-05-04 13:50
|
 46.exe 0a6569e45a3a38f7168f4c4aa0594627
tor Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic Creates executable files ICMP traffic Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS |
5
http://api.wipmania.com/
http://185.215.113.93/pepwn.exe - rule_id: 1282
http://185.215.113.93/cc11 - rule_id: 1276
http://86.59.21.38/tor/status-vote/current/consensus.z - rule_id: 1278
http://131.188.40.189:443/tor/server/fp/00dcaeae3e54c32809e7f7cc4bf2a6fc68fc552f+022a5535f42b1a9f9aa755c4eab5f36fef9781d8+023ebbc57beb7f45473b3dc2aa811fb3aaba4466+037bcd0ebdf7db9f3d562da27d463f0f78f1494b+03910f285a33f365838ec66ef2c2ef754d046760+03c3069e814e296eb18776eb61b1ecb754ed89fe+0512fe6be9cca0ed133152e64010b2fba141eb10+0516085d6cac40ed4cdcefdfc5ccf6b00de61ded+07623013c3361fe566b71c8cfcc6483d7587a827+0a2366980a2842d770ef8e136a7da14876360447+0ac4c4d8bca8da7bae6be3fea87442e724353cbf+0b19bbfdc498ccea23027b1d7bd8e20121b95e60+0b37ec8be844f5c20e5b84a885608de0c7dbea47+0c93559d6d7e95b41561424345b0b176fbe66f00+0cf8f3e6590f45d50b70f2f7da6605eca6cd408f+0d5bf9c0b7b3605a610eee2c43aeae366576cbc5.z - rule_id: 1280
|
12
api.wipmania.com(212.83.168.196)
212.83.168.196
95.217.42.50
45.66.156.176
51.195.253.209
141.255.162.34
83.212.103.129
185.215.113.93 - malware
131.188.40.189 - mailcious
86.59.21.38 - mailcious
5.196.71.24
149.56.45.200 - mailcious
|
18
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET POLICY External IP Lookup Attempt To Wipmania
ET INFO Executable Download from dotted-quad Host
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
ET P2P TOR 1.0 Server Key Retrieval
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578
ET POLICY PE EXE or DLL Windows file download HTTP
SURICATA HTTP gzip decompression failed
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET P2P Tor Get Server Request
ET POLICY TOR Consensus Data Requested
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140
|
4
http://185.215.113.93/pepwn.exe
http://185.215.113.93/cc11
http://86.59.21.38/
http://131.188.40.189:443/
|
12.4 |
M |
38 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10080 |
2021-05-04 11:21
|
 46.exe 0a6569e45a3a38f7168f4c4aa0594627
tor PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Buffer PE AutoRuns PDB Malicious Traffic buffers extracted Creates executable files Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS Cryptographic key |
5
http://193.11.164.243:9030/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z
http://23.129.64.201/tor/status-vote/current/consensus.z - rule_id: 1277
http://api.wipmania.com/
http://185.215.113.93/cc22
http://185.215.113.93/cc11 - rule_id: 1276
|
11
api.wipmania.com(212.83.168.196)
23.129.64.201 - mailcious
130.185.250.214
173.75.39.61
212.83.168.196
46.105.121.228
141.255.162.34
193.11.164.243
185.215.113.93 - malware
131.188.40.189 - mailcious
149.56.45.200 - mailcious
|
19
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET POLICY External IP Lookup Attempt To Wipmania
ET TOR Known Tor Exit Node Traffic group 74
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75
ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
ET INFO Executable Download from dotted-quad Host
SURICATA HTTP gzip decompression failed
ET POLICY TOR Consensus Data Requested
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET P2P TOR 1.0 Server Key Retrieval
ET P2P Tor Get Server Request
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225
|
2
http://23.129.64.201/
http://185.215.113.93/cc11
|
12.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|