| 8971 |
2021-03-28 12:29
|
win230321.exe 66c3ae9bddbbbcc2cc979d23792f15ac
Azorult .NET framework Glupteba Malicious Library AsyncRAT backdoor Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed Downloader |
1
|
6
orpod.ru(195.128.123.215) - malware
www.google.com(172.217.25.100)
216.58.221.228 - suspicious
13.107.21.200
216.58.199.100
195.128.123.215 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
|
|
18.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8972 |
2021-03-27 11:36
|
 Encoding.html d7bb6b9d1cd02209f89dc0c4759ddd87
Antivirus Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://198.251.72.110/ALL.txt
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://www.bing.com/favicon.ico
|
3
ia801407.us.archive.org(207.241.228.147) - mailcious
207.241.228.147 - mailcious
198.251.72.110 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Windows executable base64 encoded
ET HUNTING EXE Base64 Encoded potential malware
|
|
10.6 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8973 |
2021-03-26 15:10
|
date.php ab70894ecc3d92c51f4086a1253bebb9
Emotet Gen Dridex TrickBot VirusTotal Malware PDB suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
4
https://67.212.241.178/login.cgi?uri=/index.html - rule_id: 447
https://67.212.241.178/cookiechecker?uri=/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/ - rule_id: 447
https://71.40.62.107/rob86/TEST22-PC_W617601.8737B6E31BA23B3C4DD9E983745731F0/5/file/
https://67.212.241.178/index.html - rule_id: 447
|
9
67.212.241.178 - mailcious
71.40.62.107
73.103.36.158 - mailcious
71.66.92.190 - mailcious
50.197.243.125 - mailcious
68.201.55.46 - mailcious
70.119.149.64 - mailcious
72.128.158.51 - mailcious
71.42.188.85
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
3
https://67.212.241.178/
https://67.212.241.178/
https://67.212.241.178/
|
9.4 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8974 |
2021-03-25 19:19
|
topboix.scr fb9211bd03036666dcc42cf977c25bee
Antivirus AsyncRAT backdoor FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key crashed |
7
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9DF487ED829B131DDBA24D56868C7EF2.html
http://www.studio4culture.net/pbt/?T8SD=/tJKmOzgObyDth2AimgKp1GAfCI75Iy8Hpxd4NC2Qufji5lDtIWEvn7RqfrmzGwFXt00o1/h&-ZPh=1bdtvL
http://www.inthemodern.com/pbt/?T8SD=edFuLU10S6R+QUZXHOLs8Ufxq0Mq2FT4YPyuEAx1sMS745R9//G9L19l2loeeFtYauV5DO+k&-ZPh=1bdtvL
http://www.myhealthyyvet.com/pbt/?T8SD=afMh07a73fMW/orJQhK5qCN6WNvDaJB3IMkHmVCl5ziw6Gpi4lzWx5IEyOJ1IOIrpMcp3ZYj&-ZPh=1bdtvL
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C3003343EF933D95A37D220246552C8.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C3003343EF933D95A37D220246552C8.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9DF487ED829B131DDBA24D56868C7EF2.html
|
10
www.myhealthyyvet.com(81.17.18.194)
www.studio4culture.net(85.13.132.154)
www.inthemodern.com(34.102.136.180)
braxsilcxfxc.net.br(172.67.137.252)
www.52wuan.net(216.250.110.37)
192.187.111.221 - mailcious
104.21.56.235
34.102.136.180 - mailcious
85.13.132.154
216.250.110.37
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
|
|
13.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8975 |
2021-03-25 19:17
|
bobox.scr 8bd5a5bc75611db2959a80fcc1b09fc8
Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
6
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-48F592BB547136A53419118581105564.html
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6D5C338B20CC9521BA9E3E8597574C38.html
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FA495F0F022FADED7A010F28C72F8A57.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FA495F0F022FADED7A010F28C72F8A57.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-48F592BB547136A53419118581105564.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6D5C338B20CC9521BA9E3E8597574C38.html
|
2
braxsilcxfxc.net.br(172.67.137.252)
104.21.56.235
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8976 |
2021-03-25 19:15
|
shedyx.scr ee27001b12f64424922ea7978a8e98c5
Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
6
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3C7AAD4ED72F74438CD34BEC400D3DD3.html
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6628EEC24B586EA652FFAAC607AFBD2C.html
http://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0075978B50A566BA116EB25127B04829.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0075978B50A566BA116EB25127B04829.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3C7AAD4ED72F74438CD34BEC400D3DD3.html
https://braxsilcxfxc.net.br/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6628EEC24B586EA652FFAAC607AFBD2C.html
|
2
braxsilcxfxc.net.br(104.21.56.235)
104.21.56.235
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8977 |
2021-03-25 17:44
|
rl8.exe 5ab10b180aca215ff3af5ec0e0e00b87Malware download Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities suspicious process sandbox evasion Kovter Windows ComputerName DNS |
1
https://35.166.81.240/waters/travel/new21 - rule_id: 490
|
2
35.166.81.240 - mailcious
8.8.7.7
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
|
1
https://35.166.81.240/waters/travel/new21
|
12.2 |
M |
42 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8978 |
2021-03-25 14:11
|
1090804085.exe 4920169cae3b94797609bcf4d6bc5df4
AsyncRAT backdoor VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key crashed |
1
https://i.worldhello.ru/SystemCodeDomCodeNamespaceImports - rule_id: 526
|
3
i.worldhello.ru(81.177.140.169) - mailcious
88.198.3.5
81.177.140.169 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://i.worldhello.ru/SystemCodeDomCodeNamespaceImports
|
11.2 |
M |
27 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8979 |
2021-03-25 09:26
|
44279.7753403935.dat b23e337d7762ec41898979f395a36a61Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee DNS |
1
|
4
feaser2347.club()
aws.amazon.com(13.225.123.73)
54.230.166.70
13.225.123.73
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8980 |
2021-03-25 09:24
|
44279.7753403935.dat a6b5a888810589f293f8d6672c8d3600Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee |
1
|
3
feaser2347.club()
aws.amazon.com(13.225.123.73)
13.225.123.73
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8981 |
2021-03-25 09:17
|
ot.exe 15ee48d0d4891a194ed102ec766bc0fc
Azorult .NET framework Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
4
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.70)
172.67.188.154
131.186.161.70
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8982 |
2021-03-25 07:52
|
merit.php 2ae20b49ac0c8f59eaca5e08a319892cDridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed |
1
https://98.6.253.142/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/
|
7
70.119.220.241
67.212.241.127
67.79.117.70
173.219.76.169
98.6.253.142
72.164.254.204
174.105.236.140
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
6.4 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8983 |
2021-03-25 07:07
|
https://docs.google.com/uc?id=... 108ecf579a7c6f931d9d759ff63ca8abCode Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit Advertising Google DNS crashed |
2
https://docs.google.com/uc?id=1R3TeqJQZQ-HPbj8ucMHoPixXDYmCuzmh
https://doc-0c-4o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/dkmsdqnsu7tk3l9vkd9s73dkgshbmq2b/1616623425000/17310870271488346433/*/1R3TeqJQZQ-HPbj8ucMHoPixXDYmCuzmh
|
4
doc-0c-4o-docs.googleusercontent.com(216.58.197.193)
docs.google.com(172.217.161.78) - mailcious
172.217.31.238 - suspicious
142.250.199.65
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
2 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8984 |
2021-03-24 18:33
|
1090804085.exe 4920169cae3b94797609bcf4d6bc5df4
AsyncRAT backdoor VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key crashed |
1
https://i.worldhello.ru/SystemCodeDomCodeNamespaceImports
|
3
i.worldhello.ru(81.177.140.169)
88.198.3.5
81.177.140.169 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8985 |
2021-03-24 18:26
|
 redbutton.png 021b3c4f43ecf8719fcca871a483767b
Gen Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed |
1
https://50.208.68.153/tot66/TEST22-PC_W617601.5B121BBE4D719ABFFBB8DF57BCBB9815/5/kps/
|
4
50.208.68.153
98.6.253.142
162.155.225.130
24.153.175.236
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
5.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|