1 | 2021-06-02 18:04
File: sg-3nlJH.exe
MD5: 41a5ea7052e4e49b5f159511f4f3a1ec
Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (216.146.43.71)
  216.146.43.70 - suspicious
  172.67.188.154
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
Score: 13.2 | M | 28 | ZeroCERT

2 | 2021-06-02 09:52
File: andre34.exe
MD5: 8e92a33277fce903f46b4551b9871f8d
Tags: AsyncRAT, backdoor, PE File, .NET EXE, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 2.2 | M | 31 | ZeroCERT

3 | 2021-06-02 09:31
File: ConsoleApp18.exe
MD5: 30467fd98253f96d877581e5af9c18f9
Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, DNS, crashed
URLs: none recorded
Hosts (1): count only, no host shown
Signatures: none recorded
Score: 9.4 | M | 23 | ZeroCERT

4 | 2021-06-02 09:20
File: po8703.exe
MD5: ec901f509871709b2038cfa53a72f577
Tags: AsyncRAT, backdoor, PE File, .NET EXE, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 2.2 | - | 39 | ZeroCERT

5 | 2021-05-31 18:14
File: ConsoleApp9.exe
MD5: 74e874bb14c48f4d33153798bb166edc
Tags: AsyncRAT, backdoor, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, DNS, crashed
URLs (2):
  http://www.shootingstarsilver.com/nke/?iJE=zuk3YapxJyeS5yDfl4TPA09nInGwECJBlDdHUcMZwWsxT52AulIJdvBxa6+BAMGrKnOC+lM0&wXO=OZNlib
  http://www.serenablackcreatives.com/nke/?iJE=EqsjWoDY/paPxbVQO8NthjbeDBl1OlPkKN2BHxM5LB9s4oLQ1ZRC2+hvSz2Y2gm/xFUb9BHt&wXO=OZNlib
Hosts (4):
  www.serenablackcreatives.com (154.0.175.80)
  www.shootingstarsilver.com (34.102.136.180)
  154.0.175.80 - malware
  34.102.136.180 - malicious
Signatures (3):
  ET MALWARE FormBook CnC Checkin (GET)
  SURICATA HTTP Unexpected Request body
  SURICATA HTTP unable to match response to request
Score: 8.8 | - | 23 | ZeroCERT

6 | 2021-05-31 18:05
File: asd80.exe
MD5: b7c53f778e82c1594d8a1a27ebb65af0
Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, VMware, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (172.67.188.154)
  checkip.dyndns.org (131.186.113.70)
  162.88.193.70
  172.67.188.154
Signatures (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.4 | - | 23 | ZeroCERT

7 | 2021-05-26 11:44
File: IMG_3615_763_8.exe
MD5: 87eb69c0cf08d284c76acc6666749a91
Tags: AsyncRAT, backdoor, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, unpack itself, DNS
URLs: none recorded
Hosts (1): count only, no host shown
Signatures: none recorded
Score: 2.8 | M | 13 | ZeroCERT

8 | 2021-05-26 09:40
File: IMG_3615_763_8.exe
MD5: 87eb69c0cf08d284c76acc6666749a91 (same sample as entry 7; this run produced network activity)
Tags: AsyncRAT, backdoor, AntiDebug, AntiVM, .NET EXE, PE File, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, DNS, crashed
URLs (2):
  http://www.blueridgeholisticdental.com/nke/?8pdPzj6X=beluo/A3x1wk0axcPPYLRI6VL5KZoBZCIza2nCls1jNtqOSK3OGdLiR1PhbzTLTJ4aTYYmbD&_FNHAt=tVBl4PYHXHBx (rule_id: 1527)
  http://www.3556a.com/nke/?_FNHAt=tVBl4PYHXHBx&8pdPzj6X=Bu2S3uDiR9mXo57lDy6P1wh5eo8lJZxkJjBrRWLCJOJBpLyy7hXoE5ZXA8FCgXkaMfNP2bVp
Hosts (4):
  www.blueridgeholisticdental.com (34.102.136.180) - malicious
  www.3556a.com (104.233.238.207)
  104.233.238.207 - malicious
  34.102.136.180 - malicious
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (1):
  http://www.blueridgeholisticdental.com/nke/
Score: 9.6 | M | 13 | ZeroCERT

9 | 2021-05-26 09:40
File: 0551038.exe
MD5: c43aa3df483f13d1690fa6d26b38c203
Tags: PWS, Loki[b], Loki[m], AsyncRAT, backdoor, Gen1, Gen2, DNS, Socket, HTTP, KeyLogger, Http API, Internet API, ScreenShot, AntiDebug, AntiVM, .NET EXE, PE File, PE32, DLL, OS Processor Check, Browser Info Stealer, Malware download, FTP Client Info Stealer, Azorult, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, Collect installed applications, AppData folder, malicious URLs, sandbox evasion, anti-virtualization, installed browsers check, Ransomware, Browser, Email, ComputerName, Software
URLs (1):
  http://ahsanulalam.buet.ac.bd/bvyukiu/index.php
Hosts (2):
  ahsanulalam.buet.ac.bd (103.94.135.216)
  103.94.135.216 - phishing
Signatures (1):
  ET MALWARE AZORult v3.3 Server Response M1
Score: 10.4 | M | 10 | ZeroCERT

10 | 2021-05-26 09:39
File: gg5f2.exe
MD5: 2bb5676bd130e5516733682dc75da8df
Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, DNS, crashed
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 9.4 | M | 28 | ZeroCERT

11 | 2021-05-26 09:37
File: tendsoleApp2.exe
MD5: c7619cc4826449419e212b8bef448e4e
Tags: AsyncRAT, backdoor, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, AppData folder, DNS, crashed
URLs: none recorded
Hosts (1): count only, no host shown
Signatures: none recorded
Score: 10.2 | M | 13 | ZeroCERT

12 | 2021-05-26 09:34
File: IMG_085_163_771.exe
MD5: 719fad1c99b366347fabab8b752a1826
Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, VMware, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (172.67.188.154)
  checkip.dyndns.org (216.146.43.71)
  162.88.193.70
  104.21.19.200
Signatures (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.2 | M | 15 | ZeroCERT

13 | 2021-05-26 09:34
File: ConsoleApp2.exe
MD5: 89c52df7d4bf97d0f9913dc89f6527b2
Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, DNS, crashed
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 10.4 | M | 24 | ZeroCERT

14 | 2021-05-26 09:27
File: IMG_010436088.exe
MD5: 5551d898c7b1d405bec3f8bb14d9c87b
Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, Windows, ComputerName, DNS, crashed
URLs: none recorded
Hosts (1): count only, no host shown
Signatures: none recorded
Score: 6.0 | M | 21 | ZeroCERT

15 | 2021-05-26 09:26
File: ConsoleApp1.exe
MD5: 17b32d5270a778baa555f13bb3c25b14
Tags: AsyncRAT, backdoor, Gen1, AntiDebug, AntiVM, .NET EXE, PE File, PE32, DLL, OS Processor Check, JPEG Format, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, Check virtual network interfaces, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, installed browsers check, Tofsee, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, Trojan, DNS, Downloader, Password
URLs (11):
  http://45.133.1.47/7.jpg
  http://45.133.1.47/5.jpg
  http://46.101.81.223/t.exe
  http://45.133.1.47/
  http://45.133.1.47/4.jpg
  http://45.133.1.47/6.jpg
  http://46.101.81.223/origin.exe
  http://45.133.1.47/2.jpg
  http://45.133.1.47/main.php
  http://45.133.1.47/3.jpg
  http://45.133.1.47/1.jpg
Hosts (4):
  ieaspk.com (67.220.184.98)
  46.101.81.223
  67.220.184.98 - malware
  45.133.1.47
Signatures (15):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO TLS Handshake Failure
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Score: 13.4 | M | 22 | ZeroCERT
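Two things about this listing trip up anyone who turns it straight into a block list. First, the AsyncRAT rows (1, 6, 12) only reach checkip.dyndns.org and freegeoip.app, which are public "what is my IP" services, and the bare IPs the sandbox marks "suspicious" in those rows are the same Cloudflare and DynDNS addresses those services resolve to in neighbouring rows; blocking them buys nothing and breaks legitimate software. Second, the listing files every row under its first tag, but the wire evidence often names a different family: rows 5 and 8 hit ET MALWARE FormBook CnC Checkin, row 9 hits AZORult, row 15 hits the Vidar/Oski exfil signature, and the Tofsee tag in rows 1, 6, 12 and 15 rests solely on an SSLBL JA3 client-fingerprint match, which identifies a TLS stack, not a family. The script below is an added example written for this page, not code from the sandbox site or from any of the samples; its ROWS are copied by hand from entries 1, 6, 8 and 9 (tags trimmed to the ones it uses), and the SHARED_SERVICES allowlist and FAMILIES list are assumptions. It parses the host cells as they appear on the page, pools the IPs resolved for the shared services across rows so a bare repeat of one elsewhere is not treated as C2, and flags rows where the ET MALWARE family disagrees with the headline tag.

```python
"""Normalise rows of the sandbox listing above into IOC records.

Added example for this page, not code from the sandbox site or from any
sample it lists.  ROWS is constructed by hand from entries 1, 6, 8 and 9
(tags trimmed to the ones used here).  SHARED_SERVICES and FAMILIES are
assumptions, not data from the page.
"""
import re
from urllib.parse import urlsplit

# Public "what is my IP" / geolocation services the AsyncRAT rows contact.
# Assumption: recon, not attacker infrastructure, so neither the names nor
# the IPs they resolve to belong on a block list.
SHARED_SERVICES = {"checkip.dyndns.org", "freegeoip.app"}

# Family names searched for in tags and signature titles (assumption).
FAMILIES = ["AsyncRAT", "FormBook", "AZORult", "Vidar", "Oski", "Loki", "Tofsee"]

# Host cell grammar on the page: "name(ip)" or bare "ip", optionally
# followed by " - verdict".
HOST_RE = re.compile(
    r"(?:(?P<name>[\w.-]+)\()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
    r"(?:\s*-\s*(?P<verdict>[a-z]+))?")

ROWS = [
    {"md5": "41a5ea7052e4e49b5f159511f4f3a1ec",
     "tags": ["AsyncRAT", "backdoor", "Tofsee", "DDNS"],
     "urls": ["http://checkip.dyndns.org/", "https://freegeoip.app/xml/175.208.134.150"],
     "hosts": "freegeoip.app(104.21.19.200) checkip.dyndns.org(216.146.43.71) "
              "216.146.43.70 - suspicious 172.67.188.154",
     "sigs": ["ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
              "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
              "ET POLICY External IP Lookup - checkip.dyndns.org"]},
    {"md5": "b7c53f778e82c1594d8a1a27ebb65af0",
     "tags": ["AsyncRAT", "backdoor", "Tofsee"],
     "urls": ["http://checkip.dyndns.org/", "https://freegeoip.app/xml/175.208.134.150"],
     "hosts": "freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) "
              "162.88.193.70 172.67.188.154",
     "sigs": ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
    {"md5": "87eb69c0cf08d284c76acc6666749a91",
     "tags": ["AsyncRAT", "backdoor", "FormBook"],
     "urls": ["http://www.blueridgeholisticdental.com/nke/?8pdPzj6X=beluo/A3x1wk0axcPPYLRI6VL5KZoBZCIza2nCls1jNtqOSK3OGdLiR1PhbzTLTJ4aTYYmbD&_FNHAt=tVBl4PYHXHBx",
              "http://www.3556a.com/nke/?_FNHAt=tVBl4PYHXHBx&8pdPzj6X=Bu2S3uDiR9mXo57lDy6P1wh5eo8lJZxkJjBrRWLCJOJBpLyy7hXoE5ZXA8FCgXkaMfNP2bVp"],
     "hosts": "www.blueridgeholisticdental.com(34.102.136.180) - malicious "
              "www.3556a.com(104.233.238.207) 104.233.238.207 - malicious "
              "34.102.136.180 - malicious",
     "sigs": ["ET MALWARE FormBook CnC Checkin (GET)"]},
    {"md5": "c43aa3df483f13d1690fa6d26b38c203",
     "tags": ["PWS", "Loki[b]", "Loki[m]", "AsyncRAT", "Azorult"],
     "urls": ["http://ahsanulalam.buet.ac.bd/bvyukiu/index.php"],
     "hosts": "ahsanulalam.buet.ac.bd(103.94.135.216) 103.94.135.216 - phishing",
     "sigs": ["ET MALWARE AZORult v3.3 Server Response M1"]},
]

def parse_hosts(cell):
    """(name, ip, verdict) per host; name is None for a bare IP."""
    return [(m["name"], m["ip"], m["verdict"]) for m in HOST_RE.finditer(cell)]

def families_in(text):
    low = text.lower()
    return {f for f in FAMILIES if f.lower() in low}

def shared_service_ips(rows):
    """IPs resolved for SHARED_SERVICES, pooled across rows, so a bare repeat
    of one of them in another row is not mistaken for C2."""
    return {ip for r in rows for name, ip, _ in parse_hosts(r["hosts"])
            if name in SHARED_SERVICES}

def triage(row, shared_ips):
    recon, block, unattributed = set(), set(), {}
    hosts = parse_hosts(row["hosts"])
    for name, ip, _ in hosts:                 # named hosts first
        if name in SHARED_SERVICES:
            recon.add(name)
        elif name:
            block.update({name, ip})
    for name, ip, verdict in hosts:           # then bare IPs
        if name is None and ip not in block and ip not in shared_ips:
            unattributed[ip] = verdict        # needs a human look before blocking
    for url in row["urls"]:
        host = urlsplit(url).hostname
        if host in SHARED_SERVICES:
            recon.add(host)
        else:
            block.add(url)
    net = set().union(*(families_in(s) for s in row["sigs"] if s.startswith("ET MALWARE")))
    ja3 = set().union(*(families_in(s) for s in row["sigs"] if s.startswith("SSLBL:")))
    return {
        "recon": recon, "block": block, "unattributed": unattributed,
        "tag_families": families_in(" ".join(row["tags"])),
        "net_families": net,   # from C2 check-in / exfil signatures: strong evidence
        "ja3_families": ja3,   # TLS client fingerprint only: weak evidence
        # The listing files each row under its first tag; flag rows where the
        # wire evidence names a different family.
        "mismatch": bool(net) and row["tags"][0].lower() not in {f.lower() for f in net},
    }

def triage_all(rows):
    ips = shared_service_ips(rows)
    return {r["md5"]: triage(r, ips) for r in rows}
```

Running triage_all(ROWS) leaves the block set of the two AsyncRAT rows empty and puts 216.146.43.70 and 162.88.193.70 under "unattributed" with whatever verdict the page gave them, while 172.67.188.154 drops out once another row shows it is freegeoip.app. The FormBook and AZORult rows come back with mismatch set, since their first tag is AsyncRAT and PWS respectively.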