ZeroCERT sandbox report listing, 2021-06-08. Each record reads: ID | analysis time | sample name | MD5 | score | M | VT | ZeroCERT, followed by the sample's behaviour tags, the URLs it contacted, the hosts it resolved or connected to, the Suricata alerts raised and, where present, the URLs that matched a listing rule_id. Column names are reconstructed from the layout: "VT" is taken to be the VirusTotal detection count, since it is blank only on the one entry that lacks the VirusTotal tag (8710), and the page does not say what the constant "M" column means. Host reputation tags (mailcious [sic], suspicious, malware) are reproduced as the listing prints them.

8701 | 2021-06-08 16:08 | BLI_057702308.exe | 6f86775cd014c339e3c8b25563fd51d9 | 9.6 | M | 36 | ZeroCERT
  Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
  URLs (2):
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  Hosts (4):
    freegeoip.app(104.21.19.200)
    checkip.dyndns.org(131.186.113.70)
    162.88.193.70
    104.21.19.200
  Alerts (4):
    ET POLICY External IP Lookup - checkip.dyndns.org
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY DynDNS CheckIp External IP Address Server Response
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain

8702 | 2021-06-08 16:06 | BLI_0610_36_31.exe | a8ad861ef6877f243bdfbb00ddf2f37b | 10.2 | M | 38 | ZeroCERT
  Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
  URLs (2):
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  Hosts (4):
    freegeoip.app(104.21.19.200)
    checkip.dyndns.org(131.186.113.70)
    131.186.161.70
    104.21.19.200
  Alerts (4):
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    ET POLICY External IP Lookup - checkip.dyndns.org
    ET POLICY DynDNS CheckIp External IP Address Server Response
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8703 | 2021-06-08 16:04 | IMG_0001_205_60_37.exe | c222dad25c8ba8ab2af48692ad261bcf | 10.2 | M | 36 | ZeroCERT
  Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
  URLs (2):
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  Hosts (4):
    freegeoip.app(104.21.19.200)
    checkip.dyndns.org(131.186.113.70)
    162.88.193.70
    172.67.188.154
  Alerts (4):
    ET POLICY External IP Lookup - checkip.dyndns.org
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    ET POLICY DynDNS CheckIp External IP Address Server Response

8704 | 2021-06-08 16:03 | RFL_0731_60_127.exe | 52757942734a95026f4499e2747f8007 | 9.6 | M | 38 | ZeroCERT
  Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
  URLs (2):
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  Hosts (4):
    freegeoip.app(104.21.19.200)
    checkip.dyndns.org(131.186.113.70)
    162.88.193.70
    172.67.188.154
  Alerts (4):
    ET POLICY External IP Lookup - checkip.dyndns.org
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    ET POLICY DynDNS CheckIp External IP Address Server Response
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8705 | 2021-06-08 13:36 | file31.exe | 76c0ff15fb4bc456ed615f6227549ef1 | 18.8 | M | 44 | ZeroCERT
  Tags: PWS Loki[b] Loki[m] AgentTesla .NET framework Gen1 browser info stealer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software crashed Password
  URLs (9):
    http://159.69.20.131/mozglue.dll
    http://159.69.20.131/softokn3.dll
    http://159.69.20.131/vcruntime140.dll
    http://159.69.20.131/
    http://159.69.20.131/898
    http://159.69.20.131/freebl3.dll
    http://159.69.20.131/msvcp140.dll
    http://159.69.20.131/nss3.dll
    https://dimashub.tumblr.com/
  Hosts (3):
    dimashub.tumblr.com(74.114.154.22)
    159.69.20.131
    74.114.154.18 - mailcious
  Alerts (6):
    ET INFO Dotted Quad Host DLL Request
    ET POLICY PE EXE or DLL Windows file download HTTP
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET MALWARE Vidar/Arkei Stealer Client Data Upload
    ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
    ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

8706 | 2021-06-08 13:29 | file31.exe | 76c0ff15fb4bc456ed615f6227549ef1 | 18.6 | M | 44 | ZeroCERT
  Tags: PWS Loki[b] Loki[m] AgentTesla .NET framework Gen1 browser info stealer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software Password
  URLs (9):
    http://159.69.20.131/mozglue.dll
    http://159.69.20.131/softokn3.dll
    http://159.69.20.131/vcruntime140.dll
    http://159.69.20.131/
    http://159.69.20.131/898
    http://159.69.20.131/freebl3.dll
    http://159.69.20.131/msvcp140.dll
    http://159.69.20.131/nss3.dll
    https://dimashub.tumblr.com/
  Hosts (3):
    dimashub.tumblr.com(74.114.154.18)
    159.69.20.131
    74.114.154.18 - mailcious
  Alerts (6):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO Dotted Quad Host DLL Request
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Vidar/Arkei Stealer Client Data Upload
    ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
    ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

8707 | 2021-06-08 13:15 | Pb3Setp.exe | ef4cd87768670dbe24f609336ebed7f7 | 15.0 | M | 23 | ZeroCERT
  Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Ransomware Windows ComputerName DNS Cryptographic key crashed
  URLs (8):
    https://iplogger.org/1jE3z7
    https://iplogger.org/1vjFz7
    https://topnewsdesign.xyz/?user=pb3_1 - rule_id: 1776
    https://topnewsdesign.xyz/?user=pb3_2 - rule_id: 1776
    https://topnewsdesign.xyz/?user=pb3_3 - rule_id: 1776
    https://topnewsdesign.xyz/?user=pb3_4 - rule_id: 1776
    https://topnewsdesign.xyz/?user=pb3_5 - rule_id: 1776
    https://topnewsdesign.xyz/?user=pb3_6 - rule_id: 1776
  Hosts (6):
    topnewsdesign.xyz(104.21.69.75) - mailcious
    iplogger.org(88.99.66.31) - mailcious
    brershrowal.xyz(45.93.6.203)
    88.99.66.31 - mailcious
    172.67.206.72
    45.93.6.203
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Rule-matched URLs (6):
    https://topnewsdesign.xyz/ (listed six times, one per rule-matched URL above)

8708 | 2021-06-08 12:31 | Setup2.exe | 623c88cc55a2df1115600910bbe14457 | 11.4 | M | 48 | ZeroCERT
  Tags: Gen2 Emotet AsyncRAT backdoor Generic Malware VMProtect PE File PE32 DLL .NET DLL OS Processor Check GIF Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check Tofsee Browser ComputerName crashed
  URLs (8):
    http://ol.gamegame.info/report7.4.php - rule_id: 1518
    http://iw.gamegame.info/report7.4.php - rule_id: 1517
    http://ip-api.com/json/
    http://uyg5wye.2ihsfa.com/api/?sid=244033&key=14a21546c007e98b00ef413b26924f80 - rule_id: 1396
    http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
    http://ip-api.com/json/?fields=8198
    https://iplogger.org/18hh57
    https://www.facebook.com/
  Hosts (13):
    iw.gamegame.info(104.21.21.221) - mailcious
    email.yg9.me(198.13.62.186) - suspicious
    uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
    ol.gamegame.info(172.67.200.215) - mailcious
    iplogger.org(88.99.66.31) - mailcious
    ip-api.com(208.95.112.1)
    www.facebook.com(157.240.215.35)
    88.99.66.31 - mailcious
    172.67.200.215
    88.218.92.148 - malware
    208.95.112.1
    157.240.215.35
    198.13.62.186 - suspicious
  Alerts (2):
    ET POLICY External IP Lookup ip-api.com
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Rule-matched URLs (4):
    http://ol.gamegame.info/report7.4.php
    http://iw.gamegame.info/report7.4.php
    http://uyg5wye.2ihsfa.com/api/ (listed twice, one per rule-matched URL above)

8709 | 2021-06-08 12:29 | file6.exe | f3ffc2d2687032af9b489438f51cc484 | 4.2 | M | 16 | ZeroCERT
  Tags: PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS Cryptographic key
  URLs (3):
    http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1623120979&mv=m&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com
    http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2?cup2key=10:1005733331&cup2hreq=dda0a59bb688026faa03c7d250922336e588e1e06e6f8a90db4d467a71650afd
  Hosts (6):
    r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
    172.217.163.227
    211.114.66.77
    142.250.204.110
    142.250.66.67
    34.104.35.123
  Alerts (3):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO EXE - Served Attached HTTP

8710 | 2021-06-08 12:29 | app.exe | f0e0670ed51fa999a58e0efeb03a8b54 | 3.8 | M | | ZeroCERT
  Tags: Generic Malware Malicious Packer PE File OS Processor Check PE32 Malware PDB Malicious Traffic unpack itself Tofsee Windows Remote Code Execution DNS crashed
  URLs (3):
    http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2?cup2key=10:3869903145&cup2hreq=b5bb740be31ccef7629e0c1b45c31948a4619778d00020170d1deed9c66f5b6c
    https://update.googleapis.com/service/update2
  Hosts (5):
    edgedl.me.gvt1.com(34.104.35.123)
    142.250.207.67
    34.104.35.123
    172.217.174.195
    142.250.199.67
  Alerts (4):
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO EXE - Served Attached HTTP
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

8711 | 2021-06-08 12:25 | file8.exe | e8a064a89592dd0838137155a048a5a3 | 4.2 | M | 49 | ZeroCERT
  Tags: AsyncRAT backdoor PE File .NET EXE OS Processor Check PE32 PE64 VirusTotal Malware Malicious Traffic Tofsee Windows DNS crashed
  URLs (2):
    http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2?cup2key=10:3189767490&cup2hreq=57f661d37afb22c56bf47ced629abfdebff1d4d9a92840700f3ad3b5f2072610
  Hosts (2):
    edgedl.me.gvt1.com(34.104.35.123)
    34.104.35.123
  Alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

8712 | 2021-06-08 12:24 | file7.exe | d62aad019ac19432a4e859684dea793e | 11.2 | M | 38 | ZeroCERT
  Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName Cryptographic key crashed
  URLs (3):
    http://cengonic.xyz/ - rule_id: 1774
    https://m3.hiterima.ru/SystemServiceModelXmlUtil37231
    https://api.ip.sb/geoip
  Hosts (6):
    cengonic.xyz(45.138.72.148) - mailcious
    m3.hiterima.ru(217.107.34.191)
    api.ip.sb(104.26.13.31)
    45.138.72.148 - mailcious
    104.26.13.31
    217.107.34.191 - mailcious
  Alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
  Rule-matched URLs (1):

8713 | 2021-06-08 12:22 | setup.exe | 3150a1bf870aa243738b71875a62c51b | 7.2 | M | 41 | ZeroCERT
  Tags: Process Kill PE File OS Processor Check PE32 Device_File_Check Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory buffers extracted ICMP traffic Windows utilities suspicious process AppData folder anti-virtualization Tofsee Windows Browser DNS
  URLs (4):
    http://www.waaer435fc.com/index.php/api/a
    http://www.waaer435fc.com/index.php/api/fb
    http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2?cup2key=10:1929671218&cup2hreq=c069310cfc1ab8df9c466b265e40c1b95d7f7ef5967930c7bce8b28276cd14bd
  Hosts (4):
    edgedl.me.gvt1.com(34.104.35.123)
    www.waaer435fc.com(45.77.178.25)
    45.77.178.25
    34.104.35.123
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8714 | 2021-06-08 12:22 | BTQbrowser.exe | b12fbbf68290508b870ea4f9d38a25b4 | 10.0 | M | 28 | ZeroCERT
  Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows Cryptographic key
  URLs (1):
    https://h.kowashitekata.ru/SystemServiceModelDescriptionMetadataExchangeClientEncodingHelper13102 - rule_id: 1876
  Hosts (4):
    h.kowashitekata.ru(217.107.34.191) - mailcious
    rododondast.xyz(185.141.27.166) - mailcious
    185.141.27.166 - mailcious
    217.107.34.191 - mailcious
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Rule-matched URLs (1):
    https://h.kowashitekata.ru/SystemServiceModelDescriptionMetadataExchangeClientEncodingHelper13102

8715 | 2021-06-08 10:50 | jooyu.exe | aed57d50123897b0012c35ef5dec4184 | 7.8 | M | 57 | ZeroCERT
  Tags: Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files ICMP traffic Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution DNS
  URLs (6):
    http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf - rule_id: 1396
    http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
    http://ip-api.com/json/
    https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150
    https://iplogger.org/18hh57
    https://www.facebook.com/
  Hosts (10):
    script.google.com(172.217.25.238)
    iplogger.org(88.99.66.31) - mailcious
    uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
    www.facebook.com(157.240.215.35)
    ip-api.com(208.95.112.1)
    88.99.66.31 - mailcious
    208.95.112.1
    88.218.92.148 - malware
    157.240.215.35
    216.58.220.206 - suspicious
  Alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY External IP Lookup ip-api.com
  Rule-matched URLs (2):
    http://uyg5wye.2ihsfa.com/api/ (listed twice, one per rule-matched URL above)
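Two things about this listing matter before anyone copies indicators out of it. First, the sandbox runs each record's URLs, hosts and alert names together with single spaces, so alert names (which themselves contain spaces) can only be split at the start of the next rule family, and hosts have to be read as name(ip) tokens with an optional reputation tag. Second, the SSLBL "Tofsee" JA3 alert appears on all fifteen records, including 8709 to 8711, whose only network activity is a GoogleUpdateSetup.exe download from gvt1.com and a check-in to update.googleapis.com; within this page it therefore separates nothing from nothing, and 175.208.134.150, which shows up in the freegeoip.app lookups, the gvt1.com mip= parameter and the script.google.com ip= parameter alike, is the analysis host's own egress address, not an indicator. The Python below is an added example, not ZeroCERT's or the sandbox's code: it parses records in the listing's layout, pulls out MD5s, tagged hosts, IPs, URL hosts and rule_ids, defangs them for a ticket, and reports which alerts fire on every record. SAMPLE_RECORDS is constructed from fields visible in records 8701, 8707 and 8710 above; the function and variable names are this example's own, and the host tag is kept as the listing spells it ("mailcious").

```python
"""IOC extraction over sandbox listing records laid out as on this page.

Added example, not ZeroCERT's or the sandbox's own code.  SAMPLE_RECORDS is
constructed from fields visible in records 8701, 8707 and 8710 above; the
other samples on the page use the same layout and parse the same way.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: the raw text of the columns the listing joins with single
# spaces, so alert names, hosts and URLs have to be split on structure.
SAMPLE_RECORDS = [
    {
        "id": 8701,
        "sample": "BLI_057702308.exe 6f86775cd014c339e3c8b25563fd51d9 SMTP KeyLogger AntiDebug AntiVM",
        "urls": "http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150",
        "hosts": "freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.113.70) 162.88.193.70 104.21.19.200",
        "alerts": "ET POLICY External IP Lookup - checkip.dyndns.org "
                  "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
                  "ET POLICY DynDNS CheckIp External IP Address Server Response "
                  "ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
    },
    {
        "id": 8707,
        "sample": "Pb3Setp.exe ef4cd87768670dbe24f609336ebed7f7 AsyncRAT backdoor PWS",
        "urls": "https://iplogger.org/1jE3z7 https://topnewsdesign.xyz/?user=pb3_1 - rule_id: 1776",
        "hosts": "topnewsdesign.xyz(104.21.69.75) - mailcious iplogger.org(88.99.66.31) - mailcious "
                 "brershrowal.xyz(45.93.6.203) 88.99.66.31 - mailcious 172.67.206.72 45.93.6.203",
        "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    },
    {
        "id": 8710,
        "sample": "app.exe f0e0670ed51fa999a58e0efeb03a8b54 Generic Malware Malicious Packer",
        "urls": "http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe",
        "hosts": "edgedl.me.gvt1.com(34.104.35.123) 142.250.207.67 34.104.35.123",
        "alerts": "ET POLICY PE EXE or DLL Windows file download HTTP "
                  "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
                  "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
    },
]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# One host token: a name or IP, optional "(resolved ip)", optional " - tag".
# The tag is copied as the listing spells it ("mailcious", "suspicious", "malware").
HOST_RE = re.compile(r"(?P<name>[A-Za-z0-9.\-]+)(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"
                     r"(?:\s+-\s+(?P<tag>[a-z]+))?")
# A URL, optionally followed by the sandbox's " - rule_id: NNNN" suffix.
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
# Alert names contain spaces and are joined by spaces, so the only safe cut
# is just before the next rule family: "ET <CATEGORY> " or "SSLBL: ".
ALERT_SPLIT_RE = re.compile(r"(?=\bET [A-Z_]+ |SSLBL: )")


def parse_alerts(text):
    return [a.strip() for a in ALERT_SPLIT_RE.split(text) if a.strip()]


def parse_hosts(text):
    hosts = []
    for m in HOST_RE.finditer(text):
        name = m.group("name")
        ip = m.group("ip") or (name if IPV4_RE.match(name) else None)
        hosts.append({"name": name, "ip": ip, "tag": m.group("tag")})
    return hosts


def parse_urls(text):
    return [{"url": m.group("url"), "rule_id": m.group("rule")} for m in URL_RE.finditer(text)]


def defang(indicator):
    """Make a URL or host safe to paste into a ticket: hxxp:// and [.]"""
    return indicator.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_iocs(record):
    hosts = parse_hosts(record["hosts"])
    urls = parse_urls(record["urls"])
    md5 = MD5_RE.search(record["sample"])
    return {
        "id": record["id"],
        "md5": md5.group(0) if md5 else None,
        # Names and IPs the sandbox itself flagged: the strongest indicators here.
        "tagged": sorted(h["name"] for h in hosts if h["tag"]),
        "ips": sorted({h["ip"] for h in hosts if h["ip"]}),
        "url_hosts": sorted({urlsplit(u["url"]).hostname for u in urls}),
        "rule_ids": sorted({u["rule_id"] for u in urls if u["rule_id"]}),
    }


def ubiquitous_alerts(records):
    """Alerts that fire on every record cannot separate one sample from another."""
    hits = Counter(a for r in records for a in set(parse_alerts(r["alerts"])))
    return {a for a, n in hits.items() if n == len(records)}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        iocs = extract_iocs(rec)
        print(rec["id"], iocs["md5"], [defang(h) for h in iocs["tagged"]])
    print("fires on every record:", ubiquitous_alerts(SAMPLE_RECORDS))
```

Run stand-alone it prints one line per record plus the set of alerts common to all three, which for this input is only the SSLBL Tofsee JA3 signature. To apply it to the whole page, paste each record's four lists into a dict of the same shape; the untagged hosts that remain after filtering (ip-api.com, api.ip.sb, checkip.dyndns.org, freegeoip.app, gvt1.com, googleapis.com, facebook.com) are lookup and update infrastructure rather than attacker infrastructure and should be kept out of block lists.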