1 | 2021-09-24 09:23
File: Product_Specifications_Details...
MD5: 5627f70136a7169cabb92e648311b855
Tags: KeyBase RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  https://cdn.discordapp.com/attachments/888490061170110496/890371414232801301/Qapvbbflsprygnfy.dll
Hosts (2):
  cdn.discordapp.com(162.159.134.233) - malware
  162.159.135.233 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 23 | ZeroCERT

2 | 2021-09-24 09:19
File: Product_Specifications_Details...
MD5: bbe72c8d0a9c597fb116a040f06255af
Tags: KeyBase RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  https://cdn.discordapp.com/attachments/888490061170110496/890370492152836126/Zupdzrq.dll
Hosts (2):
  cdn.discordapp.com(162.159.129.233) - malware
  162.159.135.233 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 21 | ZeroCERT

3 | 2021-09-24 09:07
File: BRL_2451020032016.exe
MD5: 4660dca1c3905ea903c4cb3bd9f73733
Tags: KeyBase RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  https://cdn.discordapp.com/attachments/888490061170110496/890375742800674867/Jaaawwddhyyacoivresx.dll
Hosts (2):
  cdn.discordapp.com(162.159.133.233) - malware
  162.159.129.233 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 24 | ZeroCERT

4 | 2021-09-24 09:05
File: 706012088801.exe
MD5: ff77d7b1fa1099ec7bb3215ad2be0871
Tags: KeyBase RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  https://cdn.discordapp.com/attachments/888490061170110496/890530283374403594/Xtwlmzor.dll
Hosts (2):
  cdn.discordapp.com(162.159.129.233) - malware
  162.159.133.233 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 | | 19 | ZeroCERT

5 | 2021-04-29 10:03
File: FLP_5012_306_171.exe
MD5: a746c90dae245470777071a6c41dea07
Tags: KeyBase AgentTesla Gen1 AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName Password
URLs (9):
  http://5azc.xyz/3.jpg
  http://5azc.xyz/1.jpg
  http://5azc.xyz/
  http://5azc.xyz/7.jpg
  http://5azc.xyz/main.php
  http://5azc.xyz/6.jpg
  http://5azc.xyz/4.jpg
  http://5azc.xyz/2.jpg
  http://5azc.xyz/5.jpg
Hosts (2):
  5azc.xyz(45.144.225.201)
  45.144.225.201 - mailcious
Signatures (6):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
11.4 | M | 22 | r0d

6 | 2021-04-29 09:04
File: FLP_5012_306_171.exe
MD5: a746c90dae245470777071a6c41dea07
Tags: KeyBase AgentTesla Gen1 AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName Password
URLs (9):
  http://5azc.xyz/3.jpg
  http://5azc.xyz/1.jpg
  http://5azc.xyz/
  http://5azc.xyz/7.jpg
  http://5azc.xyz/main.php
  http://5azc.xyz/6.jpg
  http://5azc.xyz/4.jpg
  http://5azc.xyz/2.jpg
  http://5azc.xyz/5.jpg
Hosts (2):
  5azc.xyz(45.144.225.201)
  45.144.225.201 - mailcious
Signatures (6):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
12.0 | | 22 | ZeroCERT

7 | 2021-04-26 18:27
File: IMG_106_680_74_80.pdf
MD5: e05e738dcb98a9f8c125138b492f82e5
Tags: AgentTesla KeyBase Keylogger Gen1 Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (9):
  http://osiq.icu/main.php
  http://osiq.icu/2.jpg
  http://osiq.icu/1.jpg
  http://osiq.icu/
  http://osiq.icu/3.jpg
  http://osiq.icu/5.jpg
  http://osiq.icu/7.jpg
  http://osiq.icu/4.jpg
  http://osiq.icu/6.jpg
Hosts (2):
  osiq.icu(45.15.143.157)
  45.15.143.157
Signatures (7):
  ET INFO DNS Query for Suspicious .icu Domain
  ET POLICY Data POST to an image file (jpg)
  ET INFO HTTP POST Request to Suspicious *.icu domain
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
17.0 | M | 13 | ZeroCERT

8 | 2021-04-26 18:27
File: IMG_5023075401.pdf
MD5: 427e21ef958ea63e6a12ce4d8d5a3e55
Tags: AgentTesla KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (5):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(216.146.43.70)
  131.186.113.70
  162.88.193.70
  172.67.188.154
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | M | 16 | ZeroCERT

9 | 2021-04-26 18:23
File: FLP_1037850047.pdf
MD5: d32bc982566fbb8d81d3012779d3c320
Tags: AgentTesla KeyBase Keylogger Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser ComputerName DNS Cryptographic key crashed
URLs: none
Hosts (1): (none listed)
Signatures: none
9.0 | M | 11 | ZeroCERT

10 | 2021-04-26 18:12
File: IMG_608943011.pdf
MD5: 5f0e74e8c039c771ec8c2fa77981c7dd
Tags: AgentTesla KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.113.70)
  216.146.43.71
  172.67.188.154
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | | 14 | ZeroCERT

11 | 2021-04-26 18:11
File: DFI_0451_587_032.pdf
MD5: 2e85f22e8e3436b38af2299a04f0cad8
Tags: AgentTesla KeyBase Keylogger malicious URLs ComputerName
URLs: none
Hosts (2):
  vtqt.xyz(45.85.90.14) - mailcious
  45.85.90.14
Signatures: none
2.4 | M | | ZeroCERT

12 | 2021-04-23 18:18
File: FSL_456021054.pdf
MD5: c0555665c606123b68c3c746f238743c
Tags: AgentTesla KeyBase Keylogger AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.161.70)
  131.186.161.70
  104.21.19.200
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | | 13 | ZeroCERT

13 | 2021-04-22 18:25
File: IMG_10540078520047.pdf.exe
MD5: 0584b79b0075099a377c30ffa0bfee28
Tags: KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(131.186.161.70)
  131.186.161.70
  104.21.19.200
Signatures (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | M | 17 | r0d

14 | 2021-04-22 18:22
File: IMG_045_00_37_3210.pdf.exe
MD5: 99e0c2ac9236cfedc7dbeffdde956fe2
Tags: KeyBase Keylogger VirusTotal Malware malicious URLs ComputerName
URLs: none
Hosts (2):
  zvv.asia(45.133.1.27)
  45.133.1.27 - mailcious
Signatures: none
3.2 | M | 28 | r0d

15 | 2021-04-22 17:18
File: IMG_045_00_37_3210.pdf.exe
MD5: 99e0c2ac9236cfedc7dbeffdde956fe2
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS crashed
URLs: none
Hosts (2):
  zvv.asia(45.133.1.27)
  45.133.1.27 - mailcious
Signatures: none
9.6 | M | 28 | ZeroCERT