1 | 2021-05-04 11:24
File: Upafbvbme.exe
MD5: 386e843ddabe44f203acc35788b5c749
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Tor Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (5): freegeoip.app(172.67.188.154); checkip.dyndns.org(131.186.113.70); 173.75.39.61; 216.146.43.71; 104.21.19.200
Alerts (5): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 38 | ZeroCERT
2 | 2021-05-04 11:18
File: LFI_874_103_116.exe
MD5: 090148a4d527120eaaa7d5d2f0aa5bf1
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla Gen1 AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password
URLs (9): http://205.185.120.57/3.jpg; http://205.185.120.57/1.jpg; http://205.185.120.57/2.jpg; http://205.185.120.57/6.jpg; http://205.185.120.57/4.jpg; http://205.185.120.57/7.jpg; http://205.185.120.57/main.php - rule_id: 1232; http://205.185.120.57/5.jpg; http://205.185.120.57/ - rule_id: 1233
Hosts (1): 205.185.120.57 - malicious
Alerts (6): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Rule-matched URLs (2): http://205.185.120.57/main.php; http://205.185.120.57/
12.6 | M | 44 | ZeroCERT
3 | 2021-05-04 11:13
File: 700223.exe
MD5: 0f1616761218cc9712dcd268f4bb2d3f
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware malicious URLs Browser ComputerName crashed
Hosts (1):
2.8 | M | 44 | ZeroCERT
4 | 2021-05-01 09:40
File: Oijhsqdo.exe
MD5: 5e947ca9bbb479131f613b845c742afb
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware malicious URLs ComputerName DNS
Hosts (1): 203.159.80.206 - malicious
3.4 | M | 22 | ZeroCERT
5 | 2021-04-30 18:12
File: IMG_0540001825.exe
MD5: fd0e7153869bad651ae4ae4f1dbef3da
Tags: AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware malicious URLs Browser ComputerName crashed
Hosts (1):
3.0 | M | 35 | ZeroCERT
6 | 2021-04-30 18:10
File: Szakur.exe
MD5: 6293b2f51ac52c926cfc5f87775a21fa
Tags: PWS Loki AsyncRAT backdoor .NET framework AgentTesla DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://209.141.50.70/PV/300/pin.php
Hosts (1):
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
8.0 | M | 32 | ZeroCERT
7 | 2021-04-29 22:34
File: IMG_8401_302_1076.exe
MD5: ef8bf0e0c08418ed74b33120185fd044
Tags: AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (12): http://205.185.120.57/3.jpg; http://205.185.120.57/1.jpg; http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe; http://205.185.120.57/2.jpg; http://205.185.120.57/6.jpg; http://205.185.120.57/4.jpg; http://205.185.120.57/7.jpg; http://205.185.120.57/main.php; http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1619702178&mv=m&mvi=2&pl=18&shardbypass=yes; http://205.185.120.57/5.jpg; http://205.185.120.57/; https://update.googleapis.com/service/update2?cup2key=10:14166197&cup2hreq=20c1416b2a2f82aac11ca40fe5c42a5b84b2cf5a3833cc39ca852275cd0d3e53
Hosts (4): r2---sn-3u-bh2z7.gvt1.com(211.114.66.77); 205.185.120.57; 211.114.66.77; 142.250.199.67
Alerts (6): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
17.6 | M | 29 | ZeroCERT
8 | 2021-04-29 22:26
File: Cjedeld.exe
MD5: 0c2525c34d612a6e6592c019032850e1
Tags: PWS .NET framework AgentTesla AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200); checkip.dyndns.org(216.146.43.71); 216.146.43.70 - suspicious; 104.21.19.200
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response
7.4 |  |  | ZeroCERT
9 | 2021-04-29 10:52
File: Pkstfvgdp.exe
MD5: 13a8ca17d4b77f65052f928f39ef46b8
Tags: AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Discord Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (11): http://5llion.com/5.jpg; http://5llion.com/main.php; http://5llion.com/7.jpg; http://cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe; http://5llion.com/1.jpg; http://5llion.com/3.jpg; http://5llion.com/2.jpg; http://5llion.com/; http://5llion.com/6.jpg; http://5llion.com/4.jpg; https://cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
Hosts (4): 5llion.com(31.210.20.99); cdn.discordapp.com(162.159.135.233) - malware; 31.210.20.99; 162.159.129.233 - malware
Alerts (6): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET POLICY EXE File Downloaded from Discord; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
17.2 | M | 12 | ZeroCERT
10 | 2021-04-29 10:49
File: IMG_650_617_250.exe
MD5: b08a05459460a65935839eedb7f36569
Tags: AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (9): http://203.159.80.206/4.jpg; http://203.159.80.206/6.jpg; http://203.159.80.206/2.jpg; http://203.159.80.206/1.jpg; http://203.159.80.206/3.jpg; http://203.159.80.206/main.php; http://203.159.80.206/5.jpg; http://203.159.80.206/7.jpg; http://203.159.80.206/
Hosts (1):
Alerts (5): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
16.6 | M | 26 | ZeroCERT
11 | 2021-04-29 10:46
File: IMG_001263082.exe
MD5: 6e18d889d1ecbd6bc5e1adf9d92ad8c4
Tags: AgentTesla AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(131.186.113.70); 131.186.161.70; 104.21.19.200
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response
14.6 | M | 20 | ZeroCERT
12 | 2021-04-29 10:38
File: IMG_850_007_630.exe
MD5: 378c246b3278f0343eb02a5f6dd63263
Tags: AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (9): http://vpsthree.xyz/; http://vpsthree.xyz/6.jpg; http://vpsthree.xyz/4.jpg; http://vpsthree.xyz/2.jpg; http://vpsthree.xyz/3.jpg; http://vpsthree.xyz/1.jpg; http://vpsthree.xyz/main.php; http://vpsthree.xyz/7.jpg; http://vpsthree.xyz/5.jpg
Hosts (2): vpsthree.xyz(95.181.164.213); 95.181.164.213
Alerts (5): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt); ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
17.0 | M | 18 | ZeroCERT
13 | 2021-04-29 10:33
File: IMG_0501_765_013.exe
MD5: 716e89179126809cc5a4b476a03dda11
Tags: AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (9): http://31.210.21.154/4.jpg; http://31.210.21.154/6.jpg; http://31.210.21.154/2.jpg; http://31.210.21.154/1.jpg; http://31.210.21.154/3.jpg; http://31.210.21.154/main.php; http://31.210.21.154/5.jpg; http://31.210.21.154/7.jpg; http://31.210.21.154/
Hosts (1):
Alerts (5): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
17.4 | M | 19 | ZeroCERT
14 | 2021-04-29 10:29
File: FPI_0485010214.exe
MD5: 00bc3f04139ef508d1b9908f5664ded3
Tags: AgentTesla AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200); checkip.dyndns.org(216.146.43.70); 131.186.113.70; 172.67.188.154
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.8 | M | 33 | ZeroCERT