8791 | 2021-05-26 09:34
File: IMG_085_163_771.exe  MD5: 719fad1c99b366347fabab8b752a1826
Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(216.146.43.71)
  162.88.193.70
  104.21.19.200
Alerts (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | M | 15 | ZeroCERT

8792 | 2021-05-26 09:32
File: ahk.jpg  MD5: 4a5f8a1e40fb9eab2b8bd55efbe61a83
Tags: Gen2 Antivirus PE File OS Processor Check PE32 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://paste.ee/r/EhrU
  https://paste.ee/r/CxpZK
Hosts (2):
  paste.ee(104.26.5.223) - mailcious
  104.26.5.223 - mailcious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 26 | ZeroCERT

8793 | 2021-05-26 09:26
File: ConsoleApp1.exe  MD5: 17b32d5270a778baa555f13bb3c25b14
Tags: AsyncRAT backdoor Gen1 AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName Trojan DNS Downloader Password
URLs (11):
  http://45.133.1.47/7.jpg
  http://45.133.1.47/5.jpg
  http://46.101.81.223/t.exe
  http://45.133.1.47/
  http://45.133.1.47/4.jpg
  http://45.133.1.47/6.jpg
  http://46.101.81.223/origin.exe
  http://45.133.1.47/2.jpg
  http://45.133.1.47/main.php
  http://45.133.1.47/3.jpg
  http://45.133.1.47/1.jpg
Hosts (4):
  ieaspk.com(67.220.184.98)
  46.101.81.223
  67.220.184.98 - malware
  45.133.1.47
Alerts (15):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO TLS Handshake Failure
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
13.4 | M | 22 | ZeroCERT

8794 | 2021-05-26 09:07
File: Document%20093250.xls  MD5: 662ed1aced50cad399d305467f290fea
Tags: VBA_macro MSOffice File VirusTotal Malware Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS crashed
URLs (1):
  https://gettingreadytolearn.co.uk/portal/wall/posts/157/thumbs/BeAsmBuB.php
Hosts (3):
  gettingreadytolearn.co.uk(109.169.78.226)
  172.67.188.154
  109.169.78.226
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.0 | | 20 | ZeroCERT

8795 | 2021-05-26 09:00
File: PL_175_063_107.exe  MD5: e2f9e8c9bc0c758d98ee96ff0779076c
Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(131.186.161.70)
  162.88.193.70
  172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | | 13 | ZeroCERT

8796 | 2021-05-26 08:58
File: IMG_078_36_110.exe  MD5: 7991a1408bbb33e32dab67230cb4a0ff
Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.161.70)
  131.186.161.70
  104.21.19.200
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.0 | | 17 | ZeroCERT

8797 | 2021-05-25 10:22
File: http://176.111.174.74/ACC.exe  MD5: 1b566412e52165a3ef457cc7dd0ecfba
Tags: AgentTesla AsyncRAT backdoor PWS .NET framework Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
URLs: (none listed)
Hosts (1): (list not captured)
Alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 22
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
6.0 | M | 26 | Kim.GS

8798 | 2021-05-24 09:17
File: ehn410274214523502210vlbxohwp4  MD5: bc5d3090b4ec7ece19ce132d14c0e111
Tags: VBA_macro MSOffice File VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS
URLs (8):
  https://an9news.com/aokhf/XPXV7/
  https://www.17geci.com/vi2w6/Z5i/
  https://rubycityvietnam.com/wp-admin/1c0NVtp/
  https://lami-jo.com/wp-admin/VMeklEt/
  http://vayvontinchap5s.com/vayvon5s.com/YH3mx/
  http://jiamini.us-east-1.elasticbeanstalk.com/static/P1Vcv/
  http://wach8.com/cgi-bin/5JyZcRU/
  http://stopnote.vhostgo.com/?host=wach8.com&refer=
Hosts (14):
  an9news.com(34.102.136.180) - malware
  www.17geci.com() - malware
  jiamini.us-east-1.elasticbeanstalk.com(23.22.53.61) - malware
  rubycityvietnam.com(45.252.248.29) - malware
  vayvontinchap5s.com() - malware
  wach8.com(218.247.67.211) - malware
  stopnote.vhostgo.com(116.140.34.68)
  lami-jo.com(35.209.32.159) - malware
  23.22.53.61 - malware
  218.247.67.211 - malware
  34.102.136.180 - mailcious
  116.140.34.68
  45.252.248.29 - mailcious
  35.209.32.159
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
4.4 | M | 41 | ZeroCERT

8799 | 2021-05-23 10:55
File: Setup.exe  MD5: d69ad8d2f432e57d4f5ecf5d7e7f9300
Tags: Emotet AsyncRAT backdoor PWS .NET framework Gen1 Glupteba BitCoin Generic Malware Anti_VM VMProtect AntiDebug AntiVM PE File PE32 DLL .NET DLL .NET EXE GIF Format OS Processor Check PE64 Browser Info Stealer VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion VMware IP Check VM Disk Size Check installed browsers check Tofsee Ransomware GameoverP2P Zeus Windows Browser ComputerName Trojan Banking Amazon DNS Cryptographic key crashed keylogger
URLs (28):
  http://ol.gamegame.info/report7.4.php
  http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe
  http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC
  http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe
  http://iw.gamegame.info/report7.4.php
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/PicturesLab.exe
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/i-record.exe
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/Picture-Lab.exe
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/I-Record.exe
  http://87.251.71.193// - rule_id: 1393
  http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
  http://www.google.com/
  http://ipinfo.io/ip
  http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe
  http://ip-api.com/json/?fields=8198
  http://ipinfo.io/country
  http://ip-api.com/json/
  http://uyg5wye.2ihsfa.com/api/?sid=214117&key=0f51bef1ab2ad0b2ca0fa6f125359da2 - rule_id: 1396
  https://iplogger.org/18hh57
  https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
  https://www.facebook.com/
  https://api.ip.sb/geoip
  https://connectini.net/Series/SuperNitou.php
  https://news-systems.xyz/?user=barret2
  https://news-systems.xyz/?user=barret1
  https://iplogger.org/1Hpxd7
  https://ipinfo.io/country
  https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947
Hosts (39):
  news-systems.xyz(104.21.33.129)
  iw.gamegame.info(104.21.21.221)
  www.google.com(216.58.197.228)
  c.pycharm3.ru(217.107.34.191)
  b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com(52.219.106.138) - malware
  email.yg9.me(198.13.62.186)
  google.com(172.217.25.78)
  uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
  ol.gamegame.info(104.21.21.221)
  global-sc-ltd.com(199.188.201.83)
  connectini.net(162.0.210.44)
  ipinfo.io(34.117.59.81)
  limesfile.com(198.54.126.101)
  ip-api.com(208.95.112.1)
  www.facebook.com(157.240.215.35)
  api.ip.sb(172.67.75.172)
  iplogger.org(88.99.66.31) - mailcious
  reportyuwt4sbackv97qarke3.com(162.0.220.187)
  ipqualityscore.com(104.26.2.60)
  87.251.71.193 - mailcious
  162.0.220.187
  52.219.84.224
  216.58.197.196 - suspicious
  88.218.92.148 - malware
  104.26.3.60
  198.13.62.186
  104.21.33.129 - mailcious
  199.188.201.83
  157.240.215.35
  88.99.66.31 - mailcious
  104.21.21.221
  162.0.210.44
  34.117.59.81
  217.107.34.191 - mailcious
  198.54.126.101
  216.58.197.206 - mailcious
  208.95.112.1
  172.67.200.215
  104.26.13.31
Alerts (10):
  ET POLICY External IP Lookup ip-api.com
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
  ET POLICY Possible External IP Lookup ipinfo.io
  ET POLICY Executable served from Amazon S3
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  SURICATA HTTP unable to match response to request
URL rule matches (3):
  http://87.251.71.193/
  http://uyg5wye.2ihsfa.com/api/
  http://uyg5wye.2ihsfa.com/api/
25.2 | M | 35 | ZeroCERT

8800 | 2021-05-23 10:46
File: kakashi_cry.exe  MD5: 62c59ba0375eebf49b4d80c290e69646
Tags: AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows
URLs (1): (list not captured)
Hosts (3):
  www.google.com(172.217.161.36)
  142.250.199.68
  142.250.207.68
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.4 | | | ZeroCERT

8801 | 2021-05-23 10:23
File: hbggg.exe  MD5: e6f6fd13001b8df1af345df56caba5de
Tags: Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution DNS
URLs (5):
  http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
  http://uyg5wye.2ihsfa.com/api/?sid=210725&key=72674f7accaa137688c0ad545432594d - rule_id: 1396
  http://ip-api.com/json/
  https://iplogger.org/18hh57
  https://www.facebook.com/
Hosts (8):
  www.facebook.com(157.240.215.35)
  uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
  ip-api.com(208.95.112.1)
  iplogger.org(88.99.66.31) - mailcious
  88.99.66.31 - mailcious
  208.95.112.1
  88.218.92.148 - malware
  157.240.215.35
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
URL rule matches (2):
  http://uyg5wye.2ihsfa.com/api/
  http://uyg5wye.2ihsfa.com/api/
7.0 | M | 50 | ZeroCERT

8802 | 2021-05-23 10:13
File: BBSbacket.exe  MD5: e19f8b76b5a0c4959fcb41fe5b46ad80
Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
URLs (3):
  http://87.251.71.193// - rule_id: 1393
  https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947
  https://api.ip.sb/geoip
Hosts (5):
  c.pycharm3.ru(217.107.34.191)
  api.ip.sb(172.67.75.172)
  104.26.12.31
  87.251.71.193 - mailcious
  217.107.34.191 - mailcious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
URL rule matches (1): (list not captured)
11.8 | M | 30 | ZeroCERT

8803 | 2021-05-21 16:34
File: ConsoleApp19.exe  MD5: ccf10dc1a6d121efdf9c28443a56e8b7
Tags: AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.113.70)
  216.146.43.70 - suspicious
  172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
17.0 | M | 18 | ZeroCERT

8804 | 2021-05-21 16:33
File: ConsoleApp9.exe  MD5: 0f938ac4802642b34cc7105fb04c32ac
Tags: AsyncRAT backdoor AgentTesla Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(131.186.113.70)
  162.88.193.70
  104.21.19.200
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
17.6 | M | 21 | ZeroCERT

8805 | 2021-05-21 10:23
File: PO%2006336801.xls  MD5: f9288646e623a8a8f0fa5ff5f6b5e3d6
Tags: VBA_macro MSOffice File VirusTotal Malware ICMP traffic unpack itself Tofsee
URLs (10):
  https://greystonestructural.com/1y3dVMa45GFqjA.php
  https://langgal.coop.np/0KafeflIy.php
  https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
  https://marbiadesign.com/css/fonts/INVRhwduUaFS.php
  https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php
  https://superbeli.com/fMn3tApyS5wbJU.php
  https://fotounirii.ro/wp-content/plugins/under-construction-page/themes/000webhost/EYZWDFGxTaDjbR.php
  https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
  https://pratikmetals.com/system/database/drivers/pdo/subdrivers/FVTsLgQ1vriNlv.php
  https://iminnovator.com/index_files/yVoSMJ3GBq7lzW5.php
Hosts (20):
  greystonestructural.com(107.180.3.18)
  marbiadesign.com(192.185.52.136) - mailcious
  pratikmetals.com(199.79.62.17) - mailcious
  iminnovator.com(192.185.139.153) - mailcious
  specs2go.shawalzahid.com(158.69.144.71) - mailcious
  fotounirii.ro(89.35.173.76) - mailcious
  welcometotheafterdeath.com(192.254.234.250) - mailcious
  langgal.coop.np(192.185.110.229)
  superbeli.com(103.31.135.171) - mailcious
  lojamusic.com.br(162.241.2.234) - mailcious
  192.185.139.153 - mailcious
  192.254.234.250 - mailcious
  103.31.135.171 - mailcious
  107.180.3.18
  192.185.52.136 - mailcious
  192.185.110.229
  199.79.62.17 - mailcious
  89.35.173.76 - mailcious
  162.241.2.234 - mailcious
  158.69.144.71 - mailcious
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | | 23 | ZeroCERT

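A note on reading these records before lifting indicators out of them. Every AsyncRAT/AgentTesla report above (8791, 8795, 8796, 8803, 8804) contacts checkip.dyndns.org and then https://freegeoip.app/xml/175.208.134.150, and the same address shows up again in the ipqualityscore.com lookup of 8799. Six unrelated samples asking about one IP means that IP is the analysis host's own egress address, not a per-sample indicator, and the ET POLICY "External IP Lookup" alerts that accompany it are a behaviour signal rather than C2 detection. The following Python is an added triage example, written here for this page and not code from the listing or from the sandbox that produced it. It splits a raw record into hash, URLs, hostnames and IPs, then, across several records, separates hosts worth blocking from the IP-lookup services. The three SAMPLE_RECORDS are excerpts copied from 8791, 8803 and 8802; the IP_LOOKUP_SERVICES and BENIGN_HOSTS sets are my own assumptions, not categories the sandbox applies.

```python
"""Added example (not part of the listing): triage of flattened sandbox records.

Splits one record into observables and then, across records, separates hosts
worth blocking from the external-IP-lookup services that nearly every stealer
and RAT contacts on first run.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: public "what is my IP / where am I" services. They raise ET POLICY
# External IP Lookup alerts and are a behaviour indicator, not attacker C2.
IP_LOOKUP_SERVICES = {
    "checkip.dyndns.org", "freegeoip.app", "ip-api.com", "ipinfo.io", "api.ip.sb",
}
# Assumption: connectivity checks; blocking these would not hurt the malware.
BENIGN_HOSTS = {"www.google.com", "google.com", "www.facebook.com"}

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "hostname(ip)" as the listing prints resolved hosts; the ip may be empty.
HOST_RE = re.compile(r"([a-z0-9][a-z0-9.-]*\.[a-z]{2,})\(((?:\d{1,3}\.){3}\d{1,3})?\)")

# Constructed input: excerpts copied from records 8791, 8803 and 8802 above.
SAMPLE_RECORDS = [
    """IMG_085_163_771.exe 719fad1c99b366347fabab8b752a1826 AsyncRAT backdoor
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 162.88.193.70 104.21.19.200
ET POLICY External IP Lookup - checkip.dyndns.org""",
    """ConsoleApp19.exe ccf10dc1a6d121efdf9c28443a56e8b7 AsyncRAT backdoor Ave Maria WARZONE RAT
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 216.146.43.70 - suspicious 172.67.188.154""",
    """BBSbacket.exe e19f8b76b5a0c4959fcb41fe5b46ad80 AsyncRAT backdoor PWS .NET framework
http://87.251.71.193// - rule_id: 1393 https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947 https://api.ip.sb/geoip
c.pycharm3.ru(217.107.34.191) api.ip.sb(172.67.75.172) 104.26.12.31 87.251.71.193 - mailcious 217.107.34.191 - mailcious""",
]


def parse_record(raw):
    """Observables from one raw record: hash, URLs, host->ip map, every IPv4."""
    return {
        "md5": (MD5_RE.findall(raw) or [None])[0],
        "urls": URL_RE.findall(raw),
        "hosts": {host: ip for host, ip in HOST_RE.findall(raw)},
        "ips": set(IPV4_RE.findall(raw)),
    }


def triage(raw_records):
    """Classify network observables across several records."""
    seen_in = Counter()            # host -> number of records contacting it
    infra_hosts, infra_ips = set(), set()
    lookup_hosts, egress = set(), set()
    all_ips, noise_ips = set(), set()
    for raw in raw_records:
        rec = parse_record(raw)
        all_ips |= rec["ips"]
        for host, ip in rec["hosts"].items():
            seen_in[host] += 1
            if host in IP_LOOKUP_SERVICES or host in BENIGN_HOSTS:
                if ip:
                    noise_ips.add(ip)   # resolved address of a noise host
            else:
                infra_hosts.add(host)
                if ip:
                    infra_ips.add(ip)
        for url in rec["urls"]:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if host in IP_LOOKUP_SERVICES:
                lookup_hosts.add(host)
                # freegeoip.app/xml/<ip>: the sample asked about its own public
                # address, so <ip> is the analysis host's egress, not an IOC.
                egress.update(IPV4_RE.findall(parts.path))
            elif IPV4_RE.fullmatch(host):
                infra_ips.add(host)     # URL addressed straight to an IP
            elif host and host not in BENIGN_HOSTS:
                infra_hosts.add(host)
    # Bare IPs in the host column carry no hostname, so from the record alone
    # they cannot be told apart from another edge of a lookup service.
    unattributed = all_ips - noise_ips - egress - infra_ips
    return {
        "infrastructure_hosts": sorted(infra_hosts),
        "infrastructure_ips": sorted(infra_ips),
        "lookup_hosts": sorted(lookup_hosts),
        "sandbox_egress": sorted(egress),
        "unattributed_ips": sorted(unattributed),
        "shared_hosts": {h: n for h, n in seen_in.items() if n > 1},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the three excerpts this leaves c.pycharm3.ru, 217.107.34.191 and 87.251.71.193 as infrastructure, reports 175.208.134.150 as the sandbox egress, and lists 162.88.193.70, 216.146.43.70, 104.21.19.200 and 104.26.12.31 as unattributed. Those last four are exactly the ones not to push into a blocklist on the strength of this listing: they appear without a hostname, and in the records above the same addresses sit next to checkip.dyndns.org and freegeoip.app resolutions, so resolve them through passive DNS first.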