| 8701 |
2021-06-08 16:08
|
 BLI_057702308.exe 6f86775cd014c339e3c8b25563fd51d9
SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.113.70)
162.88.193.70
104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
9.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8702 |
2021-06-08 16:06
|
 BLI_0610_36_31.exe a8ad861ef6877f243bdfbb00ddf2f37b
SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.113.70)
131.186.161.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8703 |
2021-06-08 16:04
|
 IMG_0001_205_60_37.exe c222dad25c8ba8ab2af48692ad261bcf
SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.113.70)
162.88.193.70
172.67.188.154
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
10.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8704 |
2021-06-08 16:03
|
 RFL_0731_60_127.exe 52757942734a95026f4499e2747f8007
SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.113.70)
162.88.193.70
172.67.188.154
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8705 |
2021-06-08 13:36
|
 file31.exe 76c0ff15fb4bc456ed615f6227549ef1
PWS Loki[b] Loki[m] AgentTesla .NET framework Gen1 browser info stealer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software crashed Password |
9
http://159.69.20.131/mozglue.dll
http://159.69.20.131/softokn3.dll
http://159.69.20.131/vcruntime140.dll
http://159.69.20.131/
http://159.69.20.131/898
http://159.69.20.131/freebl3.dll
http://159.69.20.131/msvcp140.dll
http://159.69.20.131/nss3.dll
https://dimashub.tumblr.com/
|
3
dimashub.tumblr.com(74.114.154.22)
159.69.20.131
74.114.154.18 - mailcious
|
6
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.8 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8706 |
2021-06-08 13:29
|
 file31.exe 76c0ff15fb4bc456ed615f6227549ef1
PWS Loki[b] Loki[m] AgentTesla .NET framework Gen1 browser info stealer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software Password |
9
http://159.69.20.131/mozglue.dll
http://159.69.20.131/softokn3.dll
http://159.69.20.131/vcruntime140.dll
http://159.69.20.131/
http://159.69.20.131/898
http://159.69.20.131/freebl3.dll
http://159.69.20.131/msvcp140.dll
http://159.69.20.131/nss3.dll
https://dimashub.tumblr.com/
|
3
dimashub.tumblr.com(74.114.154.18)
159.69.20.131
74.114.154.18 - mailcious
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8707 |
2021-06-08 13:15
|
 Pb3Setp.exe ef4cd87768670dbe24f609336ebed7f7
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Ransomware Windows ComputerName DNS Cryptographic key crashed |
8
https://iplogger.org/1jE3z7
https://iplogger.org/1vjFz7
https://topnewsdesign.xyz/?user=pb3_1 - rule_id: 1776
https://topnewsdesign.xyz/?user=pb3_2 - rule_id: 1776
https://topnewsdesign.xyz/?user=pb3_3 - rule_id: 1776
https://topnewsdesign.xyz/?user=pb3_4 - rule_id: 1776
https://topnewsdesign.xyz/?user=pb3_5 - rule_id: 1776
https://topnewsdesign.xyz/?user=pb3_6 - rule_id: 1776
|
6
topnewsdesign.xyz(104.21.69.75) - mailcious
iplogger.org(88.99.66.31) - mailcious
brershrowal.xyz(45.93.6.203)
88.99.66.31 - mailcious
172.67.206.72
45.93.6.203
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
6
https://topnewsdesign.xyz/
https://topnewsdesign.xyz/
https://topnewsdesign.xyz/
https://topnewsdesign.xyz/
https://topnewsdesign.xyz/
https://topnewsdesign.xyz/
|
15.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8708 |
2021-06-08 12:31
|
 Setup2.exe 623c88cc55a2df1115600910bbe14457
Gen2 Emotet AsyncRAT backdoor Generic Malware VMProtect PE File PE32 DLL .NET DLL OS Processor Check GIF Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check Tofsee Browser ComputerName crashed |
8
http://ol.gamegame.info/report7.4.php - rule_id: 1518
http://iw.gamegame.info/report7.4.php - rule_id: 1517
http://ip-api.com/json/
http://uyg5wye.2ihsfa.com/api/?sid=244033&key=14a21546c007e98b00ef413b26924f80 - rule_id: 1396
http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
http://ip-api.com/json/?fields=8198
https://iplogger.org/18hh57
https://www.facebook.com/
|
13
iw.gamegame.info(104.21.21.221) - mailcious
email.yg9.me(198.13.62.186) - suspicious
uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
ol.gamegame.info(172.67.200.215) - mailcious
iplogger.org(88.99.66.31) - mailcious
ip-api.com(208.95.112.1)
www.facebook.com(157.240.215.35)
88.99.66.31 - mailcious
172.67.200.215
88.218.92.148 - malware
208.95.112.1
157.240.215.35
198.13.62.186 - suspicious
|
2
ET POLICY External IP Lookup ip-api.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
4
http://ol.gamegame.info/report7.4.php
http://iw.gamegame.info/report7.4.php
http://uyg5wye.2ihsfa.com/api/
http://uyg5wye.2ihsfa.com/api/
|
11.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8709 |
2021-06-08 12:29
|
 file6.exe f3ffc2d2687032af9b489438f51cc484
PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS Cryptographic key |
3
http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1623120979&mv=m&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:1005733331&cup2hreq=dda0a59bb688026faa03c7d250922336e588e1e06e6f8a90db4d467a71650afd
|
6
r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
172.217.163.227
211.114.66.77
142.250.204.110
142.250.66.67
34.104.35.123
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
|
|
4.2 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8710 |
2021-06-08 12:29
|
 app.exe f0e0670ed51fa999a58e0efeb03a8b54
Generic Malware Malicious Packer PE File OS Processor Check PE32 Malware PDB Malicious Traffic unpack itself Tofsee Windows Remote Code Execution DNS crashed |
3
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:3869903145&cup2hreq=b5bb740be31ccef7629e0c1b45c31948a4619778d00020170d1deed9c66f5b6c
https://update.googleapis.com/service/update2
|
5
edgedl.me.gvt1.com(34.104.35.123)
142.250.207.67
34.104.35.123
172.217.174.195
142.250.199.67
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8711 |
2021-06-08 12:25
|
 file8.exe e8a064a89592dd0838137155a048a5a3
AsyncRAT backdoor PE File .NET EXE OS Processor Check PE32 PE64 VirusTotal Malware Malicious Traffic Tofsee Windows DNS crashed |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:3189767490&cup2hreq=57f661d37afb22c56bf47ced629abfdebff1d4d9a92840700f3ad3b5f2072610
|
2
edgedl.me.gvt1.com(34.104.35.123)
34.104.35.123
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
4.2 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8712 |
2021-06-08 12:24
|
 file7.exe d62aad019ac19432a4e859684dea793e
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName Cryptographic key crashed |
3
http://cengonic.xyz/ - rule_id: 1774
https://m3.hiterima.ru/SystemServiceModelXmlUtil37231
https://api.ip.sb/geoip
|
6
cengonic.xyz(45.138.72.148) - mailcious
m3.hiterima.ru(217.107.34.191)
api.ip.sb(104.26.13.31)
45.138.72.148 - mailcious
104.26.13.31
217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
|
1
|
11.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8713 |
2021-06-08 12:22
|
 setup.exe 3150a1bf870aa243738b71875a62c51b
Process Kill PE File OS Processor Check PE32 Device_File_Check Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory buffers extracted ICMP traffic Windows utilities suspicious process AppData folder anti-virtualization Tofsee Windows Browser DNS |
4
http://www.waaer435fc.com/index.php/api/a
http://www.waaer435fc.com/index.php/api/fb
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:1929671218&cup2hreq=c069310cfc1ab8df9c466b265e40c1b95d7f7ef5967930c7bce8b28276cd14bd
|
4
edgedl.me.gvt1.com(34.104.35.123)
www.waaer435fc.com(45.77.178.25)
45.77.178.25
34.104.35.123
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8714 |
2021-06-08 12:22
|
 BTQbrowser.exe b12fbbf68290508b870ea4f9d38a25b4
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows Cryptographic key |
1
https://h.kowashitekata.ru/SystemServiceModelDescriptionMetadataExchangeClientEncodingHelper13102 - rule_id: 1876
|
4
h.kowashitekata.ru(217.107.34.191) - mailcious
rododondast.xyz(185.141.27.166) - mailcious
185.141.27.166 - mailcious
217.107.34.191 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://h.kowashitekata.ru/SystemServiceModelDescriptionMetadataExchangeClientEncodingHelper13102
|
10.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8715 |
2021-06-08 10:50
|
 jooyu.exe aed57d50123897b0012c35ef5dec4184
Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files ICMP traffic Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution DNS |
6
http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf - rule_id: 1396
http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
http://ip-api.com/json/
https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150
https://iplogger.org/18hh57
https://www.facebook.com/
|
10
script.google.com(172.217.25.238)
iplogger.org(88.99.66.31) - mailcious
uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
www.facebook.com(157.240.215.35)
ip-api.com(208.95.112.1)
88.99.66.31 - mailcious
208.95.112.1
88.218.92.148 - malware
157.240.215.35
216.58.220.206 - suspicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
|
2
http://uyg5wye.2ihsfa.com/api/
http://uyg5wye.2ihsfa.com/api/
|
7.8 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|