1 | 2021-04-20 09:48
File: Zzsvkpq.pdf
MD5: 542f3ea693d61187bd10db0376a6b3e7
Tags: Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password
URLs (10):
  http://osiq.club/main.php
  http://osiq.club/3.jpg
  http://osiq.club/1.jpg
  http://osiq.club/2.jpg
  http://osiq.club/6.jpg
  http://osiq.club/4.jpg
  http://osiq.club/
  http://osiq.club/7.jpg
  http://osiq.club/5.jpg
  https://yoursite.com/
Hosts (5):
  www.yoursite.com(104.21.14.15)
  osiq.club(45.133.1.27)
  yoursite.com(172.67.133.191)
  172.67.133.191
  45.133.1.27
Signatures (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
18.0 |  | 22 | ZeroCERT

2 | 2021-04-20 09:46
File: Zeqenylvg.pdf
MD5: d20d0d39b52c812da0ae519d68aa889b
Tags: Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password
URLs (10):
  http://45.144.225.201/5.jpg
  http://45.144.225.201/7.jpg
  http://45.144.225.201/main.php
  http://45.144.225.201/1.jpg
  http://45.144.225.201/
  http://45.144.225.201/3.jpg
  http://45.144.225.201/2.jpg
  http://45.144.225.201/4.jpg
  http://45.144.225.201/6.jpg
  https://yoursite.com/
Hosts (5):
  www.yoursite.com(172.67.133.191)
  yoursite.com(104.21.14.15)
  104.21.14.15
  172.67.133.191
  45.144.225.201 - mailcious
Signatures (7):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
18.2 |  | 16 | ZeroCERT

3 | 2021-04-20 09:44
File: Zyxtp.pdf
MD5: 2e2eba416b6ec3efaace0621e8e229d2
Tags: FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs DNS crashed
URLs (2):
  http://www.modernhub.info/mjl/?a6A=uph66JHsrNVGNCUaXy0CRaDonNXmoVh5zRt9w73BPeoSWHKtSCbsdH+sd/A90mvTrlKFb7J4&D8S=_FNl6X
  http://www.stepsaudio.com/mjl/?a6A=5wA6ZAfOhSAkV9Q9C20cfTWDZDzzvC3eb7hTznAwP1bSJTbPDs7MPorxTKzxE4iNuImjDaAD&D8S=_FNl6X
Hosts (4):
  www.stepsaudio.com(45.93.101.93)
  www.modernhub.info(34.102.136.180)
  45.93.101.93
  34.102.136.180 - mailcious
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
10.2 |  | 15 | ZeroCERT

4 | 2021-04-20 09:40
File: Mwjhem.pdf
MD5: e3fb74ce4008f4d48cefbb730b6885a8
Tags: FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS crashed
URLs (8):
  http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
  http://www.chuhuu.com/spj6/?lhrLe=Sxo0xBu&EzrxB8oP=HjZyYsEZkwTC3D6yfhbMvXvrICKZ6yzTSz6vbOxKOKI1sAKeMZ8KkrJERMC6cBIgeMpULGI+
  http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
  http://www.my-watch-strap.com/spj6/?lhrLe=Sxo0xBu&EzrxB8oP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX - rule_id: 1041
  http://www.arsenismiaris.com/spj6/
  http://www.my-watch-strap.com/spj6/ - rule_id: 1041
  http://www.arsenismiaris.com/spj6/?EzrxB8oP=W+TzzxrzpAEFDFY3LS6IakzfITsHQ7mmEWozbE2zKffof0ZTrW2ibB75GbdT4oJXstOPeBkx&lhrLe=Sxo0xBu
  http://www.chuhuu.com/spj6/
Hosts (8):
  www.arsenismiaris.com(185.138.42.109)
  www.chuhuu.com(23.227.38.74)
  www.my-watch-strap.com(192.0.78.25)
  www.cougarjack.net(161.77.93.90)
  161.77.93.90
  185.138.42.109
  192.0.78.24 - mailcious
  23.227.38.74 - mailcious
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Additional URLs (2):
  http://www.my-watch-strap.com/spj6/
  http://www.my-watch-strap.com/spj6/
11.2 | M | 9 | ZeroCERT

5 | 2021-04-20 09:40
File: Wvlvhrl.pdf
MD5: 149b0568e10ba3994c5c88440221fb2e
Tags: Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName crashed Password
URLs (12):
  http://vtqt.xyz/5.jpg
  http://vtqt.xyz/7.jpg
  http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
  http://vtqt.xyz/1.jpg
  http://vtqt.xyz/
  http://vtqt.xyz/3.jpg
  http://vtqt.xyz/2.jpg
  http://vtqt.xyz/4.jpg
  http://vtqt.xyz/6.jpg
  http://vtqt.xyz/main.php
  http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
  https://yoursite.com/
Hosts (6):
  www.yoursite.com(172.67.133.191)
  vtqt.xyz(45.133.1.27)
  yoursite.com(104.21.14.15)
  104.21.14.15
  172.67.133.191
  45.133.1.27
Signatures (7):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
17.6 |  | 18 | ZeroCERT

6 | 2021-04-20 09:37
File: Dmdckvjtg.pdf
MD5: 46ddcd557521e886e2548e72097e01d6
Tags: Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password
URLs (10):
  http://orisinlog.com/main.php
  http://orisinlog.com/5.jpg
  http://orisinlog.com/7.jpg
  http://orisinlog.com/1.jpg
  http://orisinlog.com/3.jpg
  http://orisinlog.com/2.jpg
  http://orisinlog.com/ - rule_id: 108
  http://orisinlog.com/4.jpg
  http://orisinlog.com/6.jpg
  https://yoursite.com/
Hosts (6):
  orisinlog.com(45.144.225.201) - mailcious
  www.yoursite.com(172.67.133.191)
  yoursite.com(104.21.14.15)
  104.21.14.15
  172.67.188.154
  45.144.225.201 - mailcious
Signatures (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Additional URLs (1):
18.0 | M | 21 | ZeroCERT

7 | 2021-04-20 09:35
File: Uekonhzz.pdf
MD5: d4d8ef44275700e1b44a4c82fa18a7e7
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
  https://yoursite.com/
Hosts (8):
  www.yoursite.com(172.67.133.191)
  freegeoip.app(172.67.188.154)
  yoursite.com(104.21.14.15)
  checkip.dyndns.org(131.186.161.70)
  172.67.133.191
  216.146.43.70 - suspicious
  104.21.14.15
  104.21.19.200
Signatures (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
14.0 |  | 30 | ZeroCERT

8 | 2021-04-20 09:34
File: Dtiqyjksq.pdf
MD5: f800c3f06fc079a0b96c979a887c4000
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
  https://yoursite.com/
Hosts (7):
  www.yoursite.com(104.21.14.15)
  freegeoip.app(104.21.19.200)
  yoursite.com(172.67.133.191)
  checkip.dyndns.org(216.146.43.70)
  131.186.113.70
  172.67.188.154
  172.67.133.191
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
13.2 |  | 20 | ZeroCERT

9 | 2021-04-20 09:31
File: Hyjgyn.pdf
MD5: 1ceae4d45ed09a9ed4d5c392a7654fa9
Tags: AsyncRAT backdoor VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName crashed
URLs (1):
Hosts (3):
  www.yoursite.com(104.21.14.15)
  yoursite.com(172.67.133.191)
  172.67.133.191
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.6 |  | 20 | ZeroCERT

10 | 2021-04-20 09:29
File: Famtf.pdf
MD5: a4326b69873c799207e4c9d30c2ed3ac
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
  https://yoursite.com/
Hosts (7):
  www.yoursite.com(104.21.14.15)
  freegeoip.app(172.67.188.154)
  yoursite.com(172.67.133.191)
  checkip.dyndns.org(216.146.43.71)
  104.21.14.15
  172.67.188.154
  131.186.161.70
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
14.0 |  | 19 | ZeroCERT

11 | 2021-04-20 07:49
File: Pvcjjru.exe
MD5: 6581f25476a8e4009877ba7498489ef6
Tags: Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName crashed Password
URLs (9):
  http://novget.com/3.jpg
  http://novget.com/ - rule_id: 986
  http://novget.com/main.php
  http://novget.com/7.jpg
  http://novget.com/5.jpg
  http://novget.com/6.jpg
  http://novget.com/4.jpg
  http://novget.com/2.jpg
  https://yoursite.com/
Hosts (5):
  www.yoursite.com(104.21.14.15)
  novget.com(45.144.225.201) - mailcious
  yoursite.com(104.21.14.15)
  45.144.225.201
  172.67.133.191
Signatures (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Additional URLs (1):
19.4 | M | 23 | ZeroCERT

12 | 2021-04-20 07:41
File: Ddsfrkgc.pdf
MD5: 764abd8daf6dddba262e3bbae25fdbf5
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
  https://yoursite.com/
Hosts (8):
  www.yoursite.com(104.21.14.15)
  freegeoip.app(172.67.188.154)
  yoursite.com(172.67.133.191)
  checkip.dyndns.org(131.186.161.70)
  172.67.133.191
  131.186.161.70
  104.21.14.15
  104.21.19.200
Signatures (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
14.2 |  | 22 | ZeroCERT

13 | 2021-04-20 07:41
File: Fsbey.exe
MD5: 8ab4c430e65defdd7b9975db28d3c92d
Tags: FormBook Malware download Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows crashed
URLs (14):
  http://www.my-watch-strap.com/spj6/?LZhP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX&U4kp=Ntx4ZhIXOh7XQrX
  http://www.89xs.xyz/spj6/
  http://www.shopjrock.com/spj6/?LZhP=qhnezQWTxjg/HbuTmF+cfz/AJC4nUSxVCtyRe9tzOWPiX7YfE01VM4G2EIPySa5O/Ai5gOof&U4kp=Ntx4ZhIXOh7XQrX
  http://www.89xs.xyz/spj6/?LZhP=ChhDJUZ34acyioRDxU0I1eGwFTExh6t3ojTWkZgGpRLxdY0skGw1NzhaR82eRSGOOqXjwiEQ&U4kp=Ntx4ZhIXOh7XQrX
  http://www.preciousvessel.com/spj6/?LZhP=AF++6DW1ZB7b6v+G1k1B+DYsQETFO/sfcexAS4/+ytZ88TDwDfNbFwA03zmQ8kbNf+vM1WkW&U4kp=Ntx4ZhIXOh7XQrX
  http://www.shopjrock.com/spj6/
  http://www.beautybar.sucks/spj6/
  http://www.ourforms.net/spj6/
  http://www.3thaiph.com/spj6/?LZhP=WELcilCtPEVEBOtiTM/sV79+dBkJlHKpkw1Y165Vpka6sd6WRde01ttFnmDHNGdBy+pSbyUZ&U4kp=Ntx4ZhIXOh7XQrX
  http://www.beautybar.sucks/spj6/?LZhP=/RvMM/n/jqwCaC65EoynYgHRCQVKYKWSUzaDLW3VbuGWvlmwwixnAdJlTChBxsV8Vf/7elXq&U4kp=Ntx4ZhIXOh7XQrX
  http://www.3thaiph.com/spj6/
  http://www.my-watch-strap.com/spj6/
  http://www.ourforms.net/spj6/?LZhP=b6QgBSz9IsgTBrSxM1TpvmYRkuJztgbn0YznHbeB8Xc6Pticprr/H1NbfIFannWFjAB+Rs5D&U4kp=Ntx4ZhIXOh7XQrX
  http://www.preciousvessel.com/spj6/
Hosts (13):
  www.3thaiph.com(104.161.87.55)
  www.89xs.xyz(107.149.249.12)
  www.shopjrock.com(34.102.136.180)
  www.my-watch-strap.com(192.0.78.24)
  www.preciousvessel.com(34.102.136.180)
  www.beautybar.sucks(54.147.194.143)
  www.ourforms.net(184.168.139.151)
  184.168.139.151
  107.149.249.12
  54.147.194.143
  34.102.136.180 - mailcious
  104.161.87.55
  192.0.78.25 - mailcious
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
8.8 |  |  | ZeroCERT
