8971 | 2021-03-28 12:29
win230321.exe 66c3ae9bddbbbcc2cc979d23792f15ac Azorult .NET framework Glupteba Malicious Library AsyncRAT backdoor Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed Downloader
1 |
6 | orpod.ru(195.128.123.215) - malware www.google.com(172.217.25.100) 216.58.221.228 - suspicious 13.107.21.200 216.58.199.100 195.128.123.215 - malware
5 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
18.2 | M | 33 | ZeroCERT

8972 | 2021-03-27 11:36
Encoding.html d7bb6b9d1cd02209f89dc0c4759ddd87 Antivirus Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
4 | http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://198.251.72.110/ALL.txt http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://www.bing.com/favicon.ico
3 | ia801407.us.archive.org(207.241.228.147) - mailcious 207.241.228.147 - mailcious 198.251.72.110 - mailcious
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Windows executable base64 encoded ET HUNTING EXE Base64 Encoded potential malware
10.6 | M | 2 | ZeroCERT

8973 | 2021-03-26 15:10
date.php ab70894ecc3d92c51f4086a1253bebb9 Emotet Gen Dridex TrickBot VirusTotal Malware PDB suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
4 | https://67.212.241.178/login.cgi?uri=/index.html - rule_id: 447 https://67.212.241.178/cookiechecker?uri=/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ - rule_id: 447 https://71.40.62.107/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ https://67.212.241.178/index.html - rule_id: 447
9 | 67.212.241.178 - mailcious 71.40.62.107 73.103.36.158 - mailcious 71.66.92.190 - mailcious 50.197.243.125 - mailcious 68.201.55.46 - mailcious 70.119.149.64 - mailcious 72.128.158.51 - mailcious 71.42.188.85
2 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
3 | https://67.212.241.178/ https://67.212.241.178/ https://67.212.241.178/
9.4 | M | 11 | ZeroCERT

8974 | 2021-03-25 19:19
topboix.scr fb9211bd03036666dcc42cf977c25bee Antivirus AsyncRAT backdoor FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key crashed
7 | http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9DF487ED829B131DDBA24D56868C7EF2.html http://www.studio4culture.net/pbt/?T8SD=/tJKmOzgObyDth2AimgKp1GAfCI75Iy8Hpxd4NC2Qufji5lDtIWEvn7RqfrmzGwFXt00o1/h&-ZPh=1bdtvL http://www.inthemodern.com/pbt/?T8SD=edFuLU10S6R+QUZXHOLs8Ufxq0Mq2FT4YPyuEAx1sMS745R9//G9L19l2loeeFtYauV5DO+k&-ZPh=1bdtvL http://www.myhealthyyvet.com/pbt/?T8SD=afMh07a73fMW/orJQhK5qCN6WNvDaJB3IMkHmVCl5ziw6Gpi4lzWx5IEyOJ1IOIrpMcp3ZYj&-ZPh=1bdtvL http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C3003343EF933D95A37D220246552C8.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C3003343EF933D95A37D220246552C8.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9DF487ED829B131DDBA24D56868C7EF2.html
10 | www.myhealthyyvet.com(81.17.18.194) www.studio4culture.net(85.13.132.154) www.inthemodern.com(34.102.136.180) braxsilcxfxc.net.br(172.67.137.252) www.52wuan.net(216.250.110.37) 192.187.111.221 - mailcious 104.21.56.235 34.102.136.180 - mailcious 85.13.132.154 216.250.110.37
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
13.8 | M | 18 | ZeroCERT

8975 | 2021-03-25 19:17
bobox.scr 8bd5a5bc75611db2959a80fcc1b09fc8 Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
6 | http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-48F592BB547136A53419118581105564.html http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6D5C338B20CC9521BA9E3E8597574C38.html http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FA495F0F022FADED7A010F28C72F8A57.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FA495F0F022FADED7A010F28C72F8A57.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-48F592BB547136A53419118581105564.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6D5C338B20CC9521BA9E3E8597574C38.html
2 | braxsilcxfxc.net.br(172.67.137.252) 104.21.56.235
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.0 | M | 12 | ZeroCERT

8976 | 2021-03-25 19:15
shedyx.scr ee27001b12f64424922ea7978a8e98c5 Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
6 | http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3C7AAD4ED72F74438CD34BEC400D3DD3.html http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6628EEC24B586EA652FFAAC607AFBD2C.html http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0075978B50A566BA116EB25127B04829.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0075978B50A566BA116EB25127B04829.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3C7AAD4ED72F74438CD34BEC400D3DD3.html https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6628EEC24B586EA652FFAAC607AFBD2C.html
2 | braxsilcxfxc.net.br(104.21.56.235) 104.21.56.235
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.0 | | 17 | ZeroCERT

8977 | 2021-03-25 17:44
rl8.exe 5ab10b180aca215ff3af5ec0e0e00b87 Malware download Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities suspicious process sandbox evasion Kovter Windows ComputerName DNS
1 | https://35.166.81.240/waters/travel/new21 - rule_id: 490
2 | 35.166.81.240 - mailcious 8.8.7.7
2 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
1 | https://35.166.81.240/waters/travel/new21
12.2 | M | 42 | 조광섭

8978 | 2021-03-25 14:11
1090804085.exe 4920169cae3b94797609bcf4d6bc5df4 AsyncRAT backdoor VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key crashed
1 | https://i.worldhello.ru/SystemCodeDomCodeNamespaceImports - rule_id: 526
3 | i.worldhello.ru(81.177.140.169) - mailcious 88.198.3.5 81.177.140.169 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1 | https://i.worldhello.ru/SystemCodeDomCodeNamespaceImports
11.2 | M | 27 | 조광섭

8979 | 2021-03-25 09:26
44279.7753403935.dat b23e337d7762ec41898979f395a36a61 Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee DNS
1 |
4 | feaser2347.club() aws.amazon.com(13.225.123.73) 54.230.166.70 13.225.123.73
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | | | ZeroCERT

8980 | 2021-03-25 09:24
44279.7753403935.dat a6b5a888810589f293f8d6672c8d3600 Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee
1 |
3 | feaser2347.club() aws.amazon.com(13.225.123.73) 13.225.123.73
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | | | ZeroCERT

8981 | 2021-03-25 09:17
ot.exe 15ee48d0d4891a194ed102ec766bc0fc Azorult .NET framework Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
4 | http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(104.21.19.200) checkip.dyndns.org(216.146.43.70) 172.67.188.154 131.186.161.70
4 | ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 | | | ZeroCERT

8982 | 2021-03-25 07:52
merit.php 2ae20b49ac0c8f59eaca5e08a319892c Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed
1 | https://98.6.253.142/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/
7 | 70.119.220.241 67.212.241.127 67.79.117.70 173.219.76.169 98.6.253.142 72.164.254.204 174.105.236.140
2 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
6.4 | | 13 | ZeroCERT

8983 | 2021-03-25 07:07
https://docs.google.com/uc?id=... 108ecf579a7c6f931d9d759ff63ca8ab Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit Advertising Google DNS crashed
2 | https://docs.google.com/uc?id=1R3TeqJQZQ-HPbj8ucMHoPixXDYmCuzmh https://doc-0c-4o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/dkmsdqnsu7tk3l9vkd9s73dkgshbmq2b/1616623425000/17310870271488346433/*/1R3TeqJQZQ-HPbj8ucMHoPixXDYmCuzmh
4 | doc-0c-4o-docs.googleusercontent.com(216.58.197.193) docs.google.com(172.217.161.78) - mailcious 172.217.31.238 - suspicious 142.250.199.65
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.6 | | 2 | guest

8984 | 2021-03-24 18:33
1090804085.exe 4920169cae3b94797609bcf4d6bc5df4 AsyncRAT backdoor VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key crashed
1 | https://i.worldhello.ru/SystemCodeDomCodeNamespaceImports
3 | i.worldhello.ru(81.177.140.169) 88.198.3.5 81.177.140.169 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 19 | ZeroCERT

8985 | 2021-03-24 18:26
redbutton.png 021b3c4f43ecf8719fcca871a483767b Gen Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed
1 | https://50.208.68.153/tot66/TEST22-PC_W617601.5B121BBE4D719ABFFBB8DF57BCBB9815/5/kps/
4 | 50.208.68.153 98.6.253.142 162.155.225.130 24.153.175.236
2 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
5.2 | | | ZeroCERT