Sandbox report list. Each record gives: ID and submission time; sample name, MD5 and the behavioural tags the sandbox assigned; the URLs, hosts and IDS alerts observed (count in parentheses; a host carries the sandbox's malware / malicious / suspicious label where one was assigned); then the score, the two remaining row columns as they appear on the page, and the submitting account.

8821 | 2021-05-18 09:56
Sample: diagram-58895225.xls | MD5 16ec6ae1941a5f788d18aa6673be5fee
Tags: MSOffice File, VirusTotal, Malware, Check memory, unpack itself, Tofsee, crashed
URLs: (none)
Hosts (2): hermescomm.net (162.241.27.24) - malicious; 162.241.27.24 - suspicious
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 2.6 | - | 15 | guest
8822 | 2021-05-18 09:56
Sample: diagram-58650286.xls | MD5 a8f34f2a8de7b470c474c50c8cd4b15f
Tags: MSOffice File, VirusTotal, Malware, Check memory, unpack itself, Tofsee, DNS, crashed
URLs (2):
  http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
  http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
Hosts (3): hermescomm.net (162.241.27.24) - malicious; 162.241.27.24 - suspicious; 172.67.200.215
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.2 | - | 15 | guest
8823 | 2021-05-18 09:55
Sample: diagram-553418662.xls | MD5 62c064e08d3aef1d97e64068583345d1
Tags: MSOffice File, Check memory, unpack itself, Tofsee, crashed
URLs (2):
  http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
  http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
Hosts (2): hermescomm.net (162.241.27.24) - malicious; 162.241.27.24 - suspicious
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.0 | - | - | guest
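Nearly every record on this page carries "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)", and the resulting "Tofsee" tag lands on Excel droppers, .NET stealers and a PowerShell script alike. JA3 hashes the ClientHello's version, cipher list, extension list, supported groups and point formats, so it identifies the TLS client stack, not the process using it; unrelated samples that share a stack with the listed client produce the same hash. The following added example (not the sandbox's own code) computes JA3 from raw ClientHello bytes and treats a blocklist hit as weak evidence that needs a second signal, here the sandbox's own host label. The ClientHello bytes, the blocklist entry, the events and the flagged-host set are all constructed; the hash labelled "Tofsee" is derived from the constructed hello and is not the real SSLBL value.

```python
"""JA3 from a TLS ClientHello, plus blocklist matching with a corroboration step.

Added example, not the sandbox's code. All inputs are constructed so it runs offline.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are dropped from JA3 so randomised hellos hash stably.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3-relevant fields out of a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                                   # skip type(1) version(2) length(2)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    pos += 32                                         # client random
    pos += 1 + body[pos]                              # session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 0x000a:                       # supported_groups: u16 length + u16 ids
                n = int.from_bytes(data[:2], "big")
                groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 0x000b:                     # ec_point_formats: u8 length + u8 ids
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3(record: bytes):
    """Return (ja3_string, ja3_md5): the five JA3 fields, decimal, GREASE removed."""
    f = parse_client_hello(record)
    keep = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = ",".join([str(f["version"]), keep(f["ciphers"]), keep(f["extensions"]),
                  keep(f["groups"]), keep(f["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


# --- constructed ClientHellos (test input, not captures) -----------------------
def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def _sni(name: str) -> bytes:
    n = name.encode()
    return struct.pack("!HBH", len(n) + 3, 0, len(n)) + n


def _u16_list(ids) -> bytes:
    return struct.pack("!H", 2 * len(ids)) + b"".join(struct.pack("!H", i) for i in ids)


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    body = struct.pack("!H", version) + bytes(32) + b"\x00"     # random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"         # ciphers, null compression
    ext = b"".join(_ext(t, d) for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# A stack that sprinkles GREASE into ciphers, groups and extensions.
HELLO_A = build_client_hello(0x0303, [0x1a1a, 0xc02c, 0xc02b, 0xc030, 0x002f], [
    (0x0000, _sni("hermescomm.net")),
    (0x000a, _u16_list([0x3a3a, 0x001d, 0x0017, 0x0018])),
    (0x000b, b"\x01\x00"),
    (0x000d, _u16_list([0x0403, 0x0804, 0x0401])),
    (0x2a2a, b"")])
# A different (TLS 1.3-style) stack: different hash, no blocklist hit.
HELLO_B = build_client_hello(0x0303, [0x1301, 0x1302, 0x1303], [
    (0x000a, _u16_list([0x001d])), (0x000b, b"\x01\x00"), (0x002b, b"\x02\x03\x04")])

# Constructed blocklist in SSLBL's shape: ja3_md5 -> listing reason (NOT the real value).
BLOCKLIST = {ja3(HELLO_A)[1]: "Tofsee"}
FLAGGED_DSTS = {"162.241.27.24"}          # hosts the report itself labels malicious
EVENTS = [                                # modelled on rows above; hello bytes constructed
    {"sample": "diagram-58895225.xls", "sni": "hermescomm.net", "dst": "162.241.27.24", "hello": HELLO_A},
    {"sample": "staticc.txt.ps1", "sni": "eu14.tmd.cloud", "dst": "198.20.110.126", "hello": HELLO_A},
    {"sample": "C3b.exe", "sni": "cs50.publicvm.com", "dst": "194.5.98.15", "hello": HELLO_B},
]


def classify(event: dict, blocklist: dict, flagged_dsts: set) -> str:
    """A JA3 hit alone is stack-level evidence; escalate only with a second signal."""
    _, h = ja3(event["hello"])
    if h not in blocklist:
        return "clear"
    return "escalate" if event["dst"] in flagged_dsts else "corroborate"


if __name__ == "__main__":
    for e in EVENTS:
        s, h = ja3(e["hello"])
        print(f"{e['sample']:<24} {h} -> {classify(e, BLOCKLIST, FLAGGED_DSTS)}  ({s})")
```

Both xls and ps1 events hash to the listed fingerprint, but only the one whose destination the sandbox independently flagged is escalated; the other is a "corroborate" that a reviewer should settle with the SNI, the destination's reputation and what the process did next, which is the same reasoning that should stop "Tofsee" from becoming a family tag on these rows.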
8824 | 2021-05-18 09:28
Sample: Setup2.exe | MD5 46fcb8a8f7db4f6e098f1213b1955498
Tags: Gen2, Emotet, Glupteba, VMProtect, PE File, PE32, DLL, GIF Format, OS Processor Check, Browser Info Stealer, VirusTotal, Malware, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, AntiVM_Disk, sandbox evasion, IP Check, VM Disk Size Check, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, crashed
URLs (7):
  http://ol.gamegame.info/report7.4.php
  http://iw.gamegame.info/report7.4.php
  http://ip-api.com/json/
  http://uyg5wye.2ihsfa.com/api/?sid=293289&key=0b72a8497029bcfa3fd924f33ac1d264
  http://uyg5wye.2ihsfa.com/api/fbtime
  http://ip-api.com/json/?fields=8198
  https://www.facebook.com/
Hosts (13): www.facebook.com (157.240.215.35); email.yg9.me (198.13.62.186); uyg5wye.2ihsfa.com (88.218.92.148); ol.gamegame.info (104.21.21.221); ip-api.com (208.95.112.1); iw.gamegame.info (172.67.200.215); 117.18.237.29; 208.95.112.1; 172.67.200.215; 104.21.21.221; 88.218.92.148 - malware; 157.240.215.35; 198.13.62.186
IDS alerts (3): ET POLICY External IP Lookup ip-api.com; ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.6 | - | 47 | ZeroCERT
8825 | 2021-05-18 09:27
Sample: customer2.exe | MD5 6d7603e4fd4d633cae7eaee0f1029a17
Tags: Gen2, Emotet, PE File, OS Processor Check, PE32, Browser Info Stealer, VirusTotal, Malware, PDB, Malicious Traffic, Check memory, Creates executable files, Check virtual network interfaces, AppData folder, IP Check, Tofsee, Browser, Remote Code Execution
URLs (4):
  http://uyg5wye.2ihsfa.com/api/fbtime
  http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc
  http://ip-api.com/json/
  https://www.facebook.com/
Hosts (6): uyg5wye.2ihsfa.com (88.218.92.148); www.facebook.com (157.240.215.35); ip-api.com (208.95.112.1); 157.240.215.35; 208.95.112.1; 88.218.92.148 - malware
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup ip-api.com
Score: 6.4 | M | 59 | ZeroCERT
8826 | 2021-05-18 09:19
Sample: file4.exe | MD5 3795c43b2e06e15edb01a8a237243b08
Tags: AgentTesla, PWS, Loki[b], Loki[m], AsyncRAT, backdoor, .NET framework, BitCoin, browser info stealer, Google Chrome User Data, DGA, DNS, Socket, Create Service, Sniff Audio, HTTP, Escalate privileges, KeyLogger, FTP, Code injection, Http API, Internet API, Steal cr, VirusTotal, Malware, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, IP Check, Tofsee, Windows, ComputerName, DNS, crashed
URLs (16):
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D
  http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAUwi3asLhWylyD7Q5X2Xzg%3D
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
  http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836
  http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0YTM4MzN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ - rule_id: 836
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
  http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
  http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836
  http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA%2BoSQYV1wCgviF2%2FcXsbb0%3D
  https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe
  https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe
Hosts (9): ocsp.digicert.com (117.18.237.29); api.faceit.com (104.17.63.50); ipinfo.io (34.117.59.81); cdn.discordapp.com (162.159.129.233) - malware; 117.18.237.29; 162.159.129.233 - malware; 82.146.59.236 - malicious; 104.17.62.50; 34.117.59.81
IDS alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
Rule-matched requests (3): http://82.146.59.236/processorDefault.php; http://82.146.59.236/processorDefault.php; http://82.146.59.236/processorDefault.php
Score: 12.6 | M | 24 | ZeroCERT
8827 | 2021-05-18 09:18
Sample: jooyu.exe | MD5 aed57d50123897b0012c35ef5dec4184
Tags: Gen2, Emotet, PE File, OS Processor Check, PE32, Browser Info Stealer, VirusTotal, Malware, PDB, Malicious Traffic, Check memory, Creates executable files, Check virtual network interfaces, AppData folder, IP Check, Tofsee, Browser, Remote Code Execution
URLs (5):
  http://uyg5wye.2ihsfa.com/api/fbtime
  http://ip-api.com/json/
  http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928
  https://iplogger.org/18hh57
  https://www.facebook.com/
Hosts (8): uyg5wye.2ihsfa.com (88.218.92.148); www.facebook.com (157.240.215.35); ip-api.com (208.95.112.1); iplogger.org (88.99.66.31) - malicious; 157.240.215.35; 208.95.112.1; 88.218.92.148 - malware; 88.99.66.31 - malicious
IDS alerts (2): ET POLICY External IP Lookup ip-api.com; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.4 | - | 56 | ZeroCERT
8828 | 2021-05-18 09:04
Sample: file5.exe | MD5 723a3fc8d6faeefe3f6ac7eca0f56570
Tags: Anti_VM, PE File, PE32, VirusTotal, Malware, unpack itself, Checks Bios, Detects VirtualBox, Detects VMWare, VMware anti-virtualization, Tofsee, Windows, ComputerName, Firmware, crashed
URLs: (none)
Hosts (2): api.faceit.com (104.17.63.50); 104.17.63.50
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.2 | M | 25 | ZeroCERT
8829 | 2021-05-18 09:03
Sample: mega.exe | MD5 ffba772f9ca82656131883f57760fe1d
Tags: AgentTesla, Gen1, Gen2, DGA, DNS, Socket, Create Service, Sniff Audio, HTTP, Escalate privileges, KeyLogger, FTP, Code injection, Http API, Internet API, Steal credential, ScreenShot, Downloader, P2P, AntiDebug, AntiVM, PE File, PE32, PE64, DLL, Emotet, VirusTotal, Malware, Buffer PE, AutoRuns, Code Injection, buffers extracted, Creates executable files, RWX flags setting, unpack itself, suspicious process, WriteConsoleW, Tofsee, Windows
URLs (3):
  https://hcqffw.db.files.1drv.com/y4m6dVzY8CCIhzjb-I23lqiX8p_OpgjX4UgVdcD0vA_YnoKFdHuI_cf0IQBZQmGX-eQsEGcduV3IN7eAcU_CjcQcnSp5UMgVJox_ksMyrBZxMM5xkIS4NZ1hMCXekymp67Rv6cQeoxxtT8ZaF-KX_igccR972RpYjhLBmlkgNtkaG1oMVNRD21JiWEo5UW2m9WT2m8rczGwxArlilVCac3m-A/Zgbjwrwwilzzptiybppmkkujxqzsfgg?download&psid=1
  https://hcqffw.db.files.1drv.com/y4mVE2s76lcwPjMfcPCkq0z8SRIHO9DbIQsNNvOCDTHtjXuEV_NW2eFGXT_O-Ji6nLGV601ybW4ueJYpikq58o9lSIoSQFTXRVr2c0n7aj_iwFe1Elc_vM3W1Cjkvhs4DJ-tQ_Uy8y_AlyNmOjPWpkR4KCYnu4RKISMhLEaIrfJNCWU1BOYeQkDM_VfWzg2ofNrigxv_LUea2x98UWMgRC30Q/Zgbjwrwwilzzptiybppmkkujxqzsfgg?download&psid=1
  https://onedrive.live.com/download?cid=56BCCEEF869BA531&resid=56BCCEEF869BA531%21109&authkey=APWq7QSqCmVR7dg
Hosts (4): hcqffw.db.files.1drv.com (13.107.42.12); onedrive.live.com (13.107.42.13) - malicious; 13.107.42.13 - malicious; 13.107.42.12 - malware
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.2 | - | 39 | ZeroCERT
8830 | 2021-05-18 09:00
Sample: C3b.exe | MD5 edc4dc3947bcadc3039095321c71572a
Tags: Malicious Library, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Malware download, NetWireRC, VirusTotal, Malware, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, BitRAT, Windows, ComputerName, DNS, DDNS, keylogger
URLs: (none)
Hosts (2): cs50.publicvm.com (194.5.98.15); 194.5.98.15
IDS alerts (1): ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Score: 13.6 | - | 48 | ZeroCERT
8831 | 2021-05-18 08:58
Sample: 78x.exe | MD5 48db1efd405907c867358fe6ae8111e4
Tags: PWS, .NET framework, Malicious Library, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Malware download, NetWireRC, VirusTotal, Malware, Buffer PE, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, BitRAT, Windows, ComputerName, DNS, Cryptographic key, DDNS, crashed, keylogger
URLs: (none)
Hosts (2): cs50.publicvm.com (194.5.98.15); 194.5.98.15
IDS alerts (1): ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Score: 12.6 | - | 44 | ZeroCERT
8832 | 2021-05-18 07:43
Sample: build5_protected.exe | MD5 261d3ab4b1acf206d0d9684a3b1aece9
Tags: Anti_VM, .NET EXE, PE File, PE32, Browser Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Collect installed applications, Detects VMWare, Check virtual network interfaces, VMware anti-virtualization, installed browsers check, Tofsee, Windows, Browser, ComputerName, Firmware, DNS, Cryptographic key, crashed
URLs (2):
  http://94.26.248.58:19651//
  https://api.ip.sb/geoip
Hosts (3): api.ip.sb (172.67.75.172); 94.26.248.58 - malicious; 104.26.12.31
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.6 | - | - | ZeroCERT
8833 | 2021-05-18 07:33
Sample: build3.exe | MD5 16cae166b40d0d51e16764dce9d76323
Tags: .NET EXE, PE File, PE32, Browser Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Collect installed applications, Detects VMWare, Check virtual network interfaces, VMware anti-virtualization, installed browsers check, Tofsee, Windows, Browser, ComputerName, Firmware, DNS, Cryptographic key, crashed
URLs (2):
  http://94.26.248.58:19651//
  https://api.ip.sb/geoip
Hosts (3): api.ip.sb (172.67.75.172); 94.26.248.58 - malicious; 104.26.12.31
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.6 | - | - | ZeroCERT
8834 | 2021-05-18 07:33
Sample: build1.exe | MD5 6add6f06cdfa94d50858317140cc31f8
Tags: PWS, .NET framework, BitCoin, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, crashed
URLs (2):
  http://94.26.248.58:19651//
  https://api.ip.sb/geoip
Hosts (3): api.ip.sb (172.67.75.172); 94.26.248.58 - malicious; 104.26.13.31
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.0 | - | 13 | ZeroCERT
8835 | 2021-05-15 16:36
Sample: staticc.txt.ps1 | MD5 da43b38aeb47472f876d6feaa0df358e
Tags: Antivirus, VirusTotal, Malware, powershell, Check memory, Creates shortcut, unpack itself, Check virtual network interfaces, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key
URLs: (none)
Hosts (2): eu14.tmd.cloud (198.20.110.126); 198.20.110.126
IDS alerts (2): ET INFO Observed DNS Query to .cloud TLD; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.8 | - | 12 | guest
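Read as a set rather than row by row, the records share infrastructure: 8824, 8825 and 8827 all talk to uyg5wye.2ihsfa.com (88.218.92.148); 8832, 8833 and 8834 all post to 94.26.248.58:19651 and query api.ip.sb; 8830 and 8831 both resolve cs50.publicvm.com; 172.67.200.215 shows up as a bare IP in 8822 and as iw.gamegame.info in 8824. Pulling those overlaps out of the host field by hand is error-prone, so here is an added example (not the sandbox's code) that parses the table's own "name(ip) ip - label" host syntax and pivots it into per-IP sample sets. RECORDS is a constructed subset of the page's host fields, kept with the page's "mailcious" spelling; NOISE_NAMES is an assumed allowlist of CA, CDN and IP-lookup endpoints chosen for this table, and the private-address filter drops the sandbox's own 192.168.56.x LAN.

```python
"""Pivot the per-sample host lists of the report table into shared infrastructure.

Added example, not the sandbox's code. RECORDS is a constructed subset copied from
the page's host fields; NOISE_NAMES is an assumed allowlist for this table.
"""
import ipaddress
import re
from collections import namedtuple

Host = namedtuple("Host", "name ip label")
LABEL_FIX = {"mailcious": "malicious"}   # the table misspells its own label
# Hosts many samples touch that say nothing about the family: CA/CRL/CDN endpoints
# and public IP-lookup services (the "IP Check" behaviour, not C2).
NOISE_NAMES = {"ocsp.digicert.com", "crl.microsoft.com", "www.facebook.com",
               "ip-api.com", "api.ip.sb", "ipinfo.io"}
_TOKEN = re.compile(r"([^()\s]+)(?:\(([\d.]+)\))?")   # 'name(ip)' or bare 'name' / 'ip'

RECORDS = [  # constructed subset of the page's host fields
    {"id": 8822, "hosts": "hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious 172.67.200.215"},
    {"id": 8824, "hosts": "www.facebook.com(157.240.215.35) email.yg9.me(198.13.62.186) "
                          "uyg5wye.2ihsfa.com(88.218.92.148) ol.gamegame.info(104.21.21.221) "
                          "ip-api.com(208.95.112.1) iw.gamegame.info(172.67.200.215) 117.18.237.29 "
                          "208.95.112.1 172.67.200.215 104.21.21.221 88.218.92.148 - malware "
                          "157.240.215.35 198.13.62.186"},
    {"id": 8825, "hosts": "uyg5wye.2ihsfa.com(88.218.92.148) www.facebook.com(157.240.215.35) "
                          "ip-api.com(208.95.112.1) 157.240.215.35 208.95.112.1 88.218.92.148 - malware"},
    {"id": 8826, "hosts": "ocsp.digicert.com(117.18.237.29) api.faceit.com(104.17.63.50) ipinfo.io(34.117.59.81) "
                          "cdn.discordapp.com(162.159.129.233) - malware 117.18.237.29 162.159.129.233 - malware "
                          "82.146.59.236 - mailcious 104.17.62.50 34.117.59.81"},
    {"id": 8830, "hosts": "cs50.publicvm.com(194.5.98.15) 194.5.98.15"},
    {"id": 8832, "hosts": "api.ip.sb(172.67.75.172) 94.26.248.58 - mailcious 104.26.12.31"},
    {"id": 8833, "hosts": "api.ip.sb(172.67.75.172) 94.26.248.58 - mailcious 104.26.12.31"},
]


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_hosts(field: str):
    """Parse the table's 'name(ip) ip - label ...' host field into Host tuples."""
    toks = field.split()
    hosts, i = [], 0
    while i < len(toks):
        m = _TOKEN.fullmatch(toks[i])
        if not m:
            raise ValueError(f"unexpected token {toks[i]!r}")
        name, ip = m.group(1), m.group(2)
        i += 1
        label = None
        if i + 1 < len(toks) and toks[i] == "-":      # trailing ' - malware' / ' - suspicious'
            label = LABEL_FIX.get(toks[i + 1], toks[i + 1])
            i += 2
        if ip is None and _is_ip(name):                # bare IP entry
            name, ip = None, name
        hosts.append(Host(name, ip, label))
    return hosts


def pivot(records):
    """Group sample IDs by contacted IP, dropping sandbox-local and allowlisted hosts.

    Noise IPs are learned from name(ip) entries across ALL records, so a bare
    117.18.237.29 in one row is dropped because another row names it ocsp.digicert.com.
    """
    parsed = {r["id"]: parse_hosts(r["hosts"]) for r in records}
    noise_ips = {h.ip for hs in parsed.values() for h in hs if h.name in NOISE_NAMES}
    by_key = {}
    for sid, hs in parsed.items():
        for h in hs:
            if h.ip and (h.ip in noise_ips or ipaddress.ip_address(h.ip).is_private):
                continue
            e = by_key.setdefault(h.ip or h.name, {"samples": set(), "names": set(), "labels": set()})
            e["samples"].add(sid)
            if h.name:
                e["names"].add(h.name)
            if h.label:
                e["labels"].add(h.label)
    return by_key


def candidates(by_key, min_samples=2):
    """Keys worth a pivot: seen across samples, or labelled malware/malicious by the sandbox."""
    return sorted(k for k, e in by_key.items()
                  if len(e["samples"]) >= min_samples or e["labels"] & {"malware", "malicious"})


if __name__ == "__main__":
    by = pivot(RECORDS)
    for k in candidates(by):
        e = by[k]
        print(f"{k:<16} samples={sorted(e['samples'])} names={sorted(e['names'])} labels={sorted(e['labels'])}")
```

The output surfaces 88.218.92.148, 94.26.248.58, 162.241.27.24, 162.159.129.233, 82.146.59.236 and 172.67.200.215, but also 104.26.12.31, which appears in 8832 and 8833 without a name and only alongside api.ip.sb; the sandbox label and a co-occurrence count are triage signals, not verdicts, so an unnamed shared IP still needs a passive-DNS or WHOIS look before it goes on a blocklist.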