10066 |
2021-05-05 20:18
XHG.exe 56626bf21f8de8d051d744973cb2566c .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
1.4 |
15 |
ZeroCERT

10067 |
2021-05-05 20:18
WSH.exe 2c853d07d7708161ce87c0f32fd338d4 DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed |
3
wazzy131.ddns.net(105.112.150.127) 194.5.98.16 105.112.150.127
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.0 |
M |
23 |
ZeroCERT

10068 |
2021-05-05 20:17
MLY.exe 322acea28d5d3b6a4172d4ff76350629 DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName Cryptographic key crashed |
2
ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu(172.94.16.27) - mailcious 172.94.16.27
12.8 |
M |
20 |
ZeroCERT

10069 |
2021-05-05 10:26
so.exe 5551346aa9f251895021b95a2a7cc390 AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows DNS Cryptographic key crashed |
4
http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1620177616&mv=m&mvi=2&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=10:2334453020&cup2hreq=0bff70b51a7bc59bc98bac3f6279a8763181015d48a5d097a178008b647ae880
3
r2---sn-3u-bh2z7.gvt1.com(211.114.66.77) 142.250.66.99 211.114.66.77
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
10.0 |
M |
24 |
ZeroCERT

10070 |
2021-05-05 10:21
vbc.exe 40b7776a47fc1062ec85c3e31c91eb81 AsyncRAT backdoor PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
3.2 |
M |
20 |
ZeroCERT

10071 |
2021-05-05 10:19
mad.exe d96f52fc8733d2f4a127bdc44d4ceb25 Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
16.4 |
M |
29 |
ZeroCERT

10072 |
2021-05-05 10:16
Ll2LxWOagynlSgJ.exe 9dfaa6afc47f0bf01155b7f8253f719b AsyncRAT backdoor PWS .NET framework Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
12.4 |
M |
25 |
ZeroCERT

10073 |
2021-05-05 10:14
krerb.exe 1c74d51a1d7177bf9b23f6a567adc047 PE64 OS Processor Check PE File VirusTotal Malware unpack itself ComputerName |
2.0 |
7 |
ZeroCERT

10074 |
2021-05-05 10:14
teret.exe 43de3367faeffa04f28ad1e3e1f154eb PE64 PE File VirusTotal Malware unpack itself DNS crashed |
1.8 |
8 |
ZeroCERT

10075 |
2021-05-05 10:10
ashleyx.exe 34d4452c1b344685e3f5fd7d0e9640a1 PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
8.8 |
M |
21 |
ZeroCERT

10076 |
2021-05-04 18:27
Sample.exe ee7c05c530262450d2c5ace98ebbf8bc PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
8.0 |
M |
22 |
ZeroCERT

10077 |
2021-05-04 18:22
arinzex.exe b61fa321f22d56553ab37916d973cf4e Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
13.4 |
M |
18 |
ZeroCERT

10078 |
2021-05-04 14:13
p.exe ee0a1ec859b753abc30847157d81f37c Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic ICMP traffic Disables Windows Security Check virtual network interfaces Firewall state off Kovter Windows Tor DNS Cryptographic key |
4
http://api.wipmania.com/ http://94.16.114.105:8080/tor/status-vote/current/consensus.z http://185.215.113.93/cc11 - rule_id: 1276 http://199.58.81.140/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z
11
api.wipmania.com(212.83.168.196) 212.83.168.196 144.217.207.3 95.217.42.50 213.32.71.116 199.58.81.140 51.15.42.19 195.176.3.20 185.215.113.93 - malware 154.35.175.225 - mailcious 94.16.114.105
11
ET POLICY External IP Lookup Attempt To Wipmania ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185 SURICATA HTTP gzip decompression failed ET P2P Tor Get Server Request ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 332 ET POLICY TOR Consensus Data Requested ET TOR Known Tor Exit Node Traffic group 52 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52
1
http://185.215.113.93/cc11
10.8 |
M |
45 |
r0d

10079 |
2021-05-04 13:50
46.exe 0a6569e45a3a38f7168f4c4aa0594627 tor Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic Creates executable files ICMP traffic Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS |
5
http://api.wipmania.com/ http://185.215.113.93/pepwn.exe - rule_id: 1282 http://185.215.113.93/cc11 - rule_id: 1276 http://86.59.21.38/tor/status-vote/current/consensus.z - rule_id: 1278 http://131.188.40.189:443/tor/server/fp/00dcaeae3e54c32809e7f7cc4bf2a6fc68fc552f+022a5535f42b1a9f9aa755c4eab5f36fef9781d8+023ebbc57beb7f45473b3dc2aa811fb3aaba4466+037bcd0ebdf7db9f3d562da27d463f0f78f1494b+03910f285a33f365838ec66ef2c2ef754d046760+03c3069e814e296eb18776eb61b1ecb754ed89fe+0512fe6be9cca0ed133152e64010b2fba141eb10+0516085d6cac40ed4cdcefdfc5ccf6b00de61ded+07623013c3361fe566b71c8cfcc6483d7587a827+0a2366980a2842d770ef8e136a7da14876360447+0ac4c4d8bca8da7bae6be3fea87442e724353cbf+0b19bbfdc498ccea23027b1d7bd8e20121b95e60+0b37ec8be844f5c20e5b84a885608de0c7dbea47+0c93559d6d7e95b41561424345b0b176fbe66f00+0cf8f3e6590f45d50b70f2f7da6605eca6cd408f+0d5bf9c0b7b3605a610eee2c43aeae366576cbc5.z - rule_id: 1280
12
api.wipmania.com(212.83.168.196) 212.83.168.196 95.217.42.50 45.66.156.176 51.195.253.209 141.255.162.34 83.212.103.129 185.215.113.93 - malware 131.188.40.189 - mailcious 86.59.21.38 - mailcious 5.196.71.24 149.56.45.200 - mailcious
18
ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET POLICY External IP Lookup Attempt To Wipmania ET INFO Executable Download from dotted-quad Host ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 ET P2P TOR 1.0 Server Key Retrieval ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578 ET POLICY PE EXE or DLL Windows file download HTTP SURICATA HTTP gzip decompression failed ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET P2P Tor Get Server Request ET POLICY TOR Consensus Data Requested ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723 ET POLICY TLS possible TOR SSL traffic ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140
4
http://185.215.113.93/pepwn.exe http://185.215.113.93/cc11 http://86.59.21.38/ http://131.188.40.189:443/
12.4 |
M |
38 |
r0d

10080 |
2021-05-04 11:21
46.exe 0a6569e45a3a38f7168f4c4aa0594627 tor PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Buffer PE AutoRuns PDB Malicious Traffic buffers extracted Creates executable files Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS Cryptographic key |
5
http://193.11.164.243:9030/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z http://23.129.64.201/tor/status-vote/current/consensus.z - rule_id: 1277 http://api.wipmania.com/ http://185.215.113.93/cc22 http://185.215.113.93/cc11 - rule_id: 1276
11
api.wipmania.com(212.83.168.196) 23.129.64.201 - mailcious 130.185.250.214 173.75.39.61 212.83.168.196 46.105.121.228 141.255.162.34 193.11.164.243 185.215.113.93 - malware 131.188.40.189 - mailcious 149.56.45.200 - mailcious
19
ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET POLICY External IP Lookup Attempt To Wipmania ET TOR Known Tor Exit Node Traffic group 74 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 ET COMPROMISED Known Compromised or Hostile Host Traffic group 109 ET INFO Executable Download from dotted-quad Host SURICATA HTTP gzip decompression failed ET POLICY TOR Consensus Data Requested ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET P2P TOR 1.0 Server Key Retrieval ET P2P Tor Get Server Request ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY TLS possible TOR SSL traffic ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225
2
http://23.129.64.201/ http://185.215.113.93/cc11
12.6 |
M |
38 |
ZeroCERT