8986 |
2021-03-23 17:58
|
simx.exe d27e2e5039cc62ca865c8090548c1552 Azorult .NET framework AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 216.146.43.70 - suspicious 172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
16.8 |
|
29 |
ZeroCERT
8987 |
2021-03-23 11:35
|
svc.exe 3891f7dbf1513c0f9545a5425571a48f Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows |
1
|
2
www.google.com(172.217.25.196) 172.217.161.132
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
24 |
ZeroCERT
8988 |
2021-03-23 11:28
|
task.exe 0938924f02dd026b77b615a79dde3ccc Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows DNS |
1
|
3
www.google.com(172.217.161.68) 216.58.221.228 - suspicious 13.107.21.200
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
30 |
ZeroCERT
8989 |
2021-03-23 11:23
|
krnl_console_bootstrapper.exe 8f251ae83b2c4898354f35d4bbba2c03 Emotet AsyncRAT backdoor VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows |
2
https://k-storage.com/bootstrapper/files/hashs.php https://cdn.krnl.ca/version.txt
|
4
cdn.krnl.ca(104.21.37.17) k-storage.com(104.21.42.186) 172.67.208.22 172.67.202.108
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
13 |
ZeroCERT
8990 |
2021-03-23 11:22
|
l8ywly0adHHMfa9UEHOA0OEd.exe f8372b779001bb5a6c401c657ee514ed Glupteba Emotet Gen Malicious Library AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces Tofsee Windows Advertising ComputerName DNS crashed |
8
http://file.ekkggr3.com/iuww/jvppp.exe - rule_id: 475 http://188.93.233.223/proxy1.exe - rule_id: 473 http://whatitis.site/dlc/mixinte - rule_id: 472 http://103.124.106.203/cof4/inst.exe - rule_id: 474 https://iplogger.org/1ixtu7 https://iplogger.org/1ifti7 https://pastebin.com/raw/mH2EJxkv - rule_id: 469 https://iplogger.org/1hVa87
|
21
digitalassets.ams3.digitaloceanspaces.com(5.101.110.225) - malware aretywer.xyz(45.144.30.78) - malware mytoolsprivacy.site() - malware jg3.3uag.pw() - mailcious whatitis.site(92.63.99.163) - malware iplogger.org(88.99.66.31) d0wnl0ads.online() - mailcious pastebin.com(104.23.99.190) - mailcious file.ekkggr3.com(172.67.162.110) - malware msiamericas.com(141.136.39.190) www.investinae.com(108.167.143.77) 92.63.99.163 - malware 188.93.233.223 - malware 103.124.106.203 - malware 88.99.66.31 - mailcious 141.136.39.190 104.23.99.190 - mailcious 45.144.30.78 - malware 5.101.110.225 - malware 104.21.66.169 108.167.143.77
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.pw domain - Likely Hostile SURICATA TLS invalid record type ET INFO Executable Download from dotted-quad Host SURICATA TLS invalid record/traffic ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
5
http://file.ekkggr3.com/iuww/jvppp.exe http://188.93.233.223/proxy1.exe http://whatitis.site/dlc/mixinte http://103.124.106.203/cof4/inst.exe https://pastebin.com/raw/mH2EJxkv
|
14.4 |
M |
43 |
ZeroCERT
8991 |
2021-03-23 11:22
|
razi.exe 457d4236836f28c4176e828ecfff8b05 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows ComputerName DNS Cryptographic key crashed |
3
http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1616465553&mv=m&mvi=3&pcm2cms=yes&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:1418560779&cup2hreq=5b7edf2d3839da403b791dfdb567fe41a40a3942b94339dc204e2169d55f8ea3
|
2
r3---sn-3u-bh26.gvt1.com(59.18.44.14) 59.18.44.14
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
11.0 |
M |
15 |
ZeroCERT
8992 |
2021-03-23 11:21
|
IMG_1024_363_17.pdf ea02325d723cd8165ccf9c64e077a87c Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
5
http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C3F214F949E47305302507F92E3ADFD.html - rule_id: 462 http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-AF5734FDC5BC02E3380E1236CC01A9AE.html - rule_id: 462 http://checkip.dyndns.org/ http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3F52D3AB76438B009A945DE627D1F05E.html - rule_id: 462 https://freegeoip.app/xml/175.208.134.150
|
6
liverpoolsupporters9.com(104.21.88.100) - mailcious freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 216.146.43.70 - suspicious 172.67.176.78 104.21.19.200
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
3
http://liverpoolsupporters9.com/liverpool-fc-news/ http://liverpoolsupporters9.com/liverpool-fc-news/ http://liverpoolsupporters9.com/liverpool-fc-news/
|
16.0 |
M |
31 |
ZeroCERT
8993 |
2021-03-23 10:51
|
rl8.exe 5ab10b180aca215ff3af5ec0e0e00b87 Malware download Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities suspicious process sandbox evasion Kovter Windows ComputerName DNS |
1
https://35.166.81.240/waters/travel/new21
|
2
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
|
|
11.4 |
M |
3 |
ZeroCERT
8994 |
2021-03-23 10:44
|
44277.730641088.dat 8fd8de6608974999b4ed1b216651ae3e Check memory Checks debugger unpack itself Tofsee |
|
2
aws.amazon.com(13.225.123.73) 13.225.123.73
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
0.8 |
M |
|
ZeroCERT
8995 |
2021-03-23 10:41
|
44277.6770474537.dat 57516c64b702f7c7a61a31d81c685575 Check memory Checks debugger unpack itself Tofsee |
|
2
aws.amazon.com(13.225.123.73) 13.225.123.73
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
0.8 |
|
|
ZeroCERT
8996 |
2021-03-23 10:39
|
IMG_251_45_013.pdf df3588fb9997696586162288ec739a17 Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
5
http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C78BD7CD35DADE3CF28759182F2D653.html - rule_id: 462 http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-594CCBFE44C1311D20FD1B50EFE25190.html - rule_id: 462 http://checkip.dyndns.org/ http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1C0077676695468E0E32CA103B3D6E8C.html - rule_id: 462 https://freegeoip.app/xml/175.208.134.150
|
6
liverpoolsupporters9.com(104.21.88.100) - mailcious freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.70) 216.146.43.71 104.21.88.100 - mailcious 104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
3
http://liverpoolsupporters9.com/liverpool-fc-news/ http://liverpoolsupporters9.com/liverpool-fc-news/ http://liverpoolsupporters9.com/liverpool-fc-news/
|
15.8 |
M |
24 |
ZeroCERT
8997 |
2021-03-23 10:39
|
DIqMUyT98Untp5QhexOCjQdS.exe e038387f7b4b7880c48d225db4b769d2 Glupteba Emotet Gen Malicious Library AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Advertising ComputerName DNS crashed |
8
http://file.ekkggr3.com/iuww/jvppp.exe - rule_id: 475 http://188.93.233.223/proxy1.exe - rule_id: 473 http://whatitis.site/dlc/mixinte - rule_id: 472 http://103.124.106.203/cof4/inst.exe - rule_id: 474 https://iplogger.org/1ixtu7 https://iplogger.org/1lA5k https://pastebin.com/raw/mH2EJxkv - rule_id: 469 https://iplogger.org/1hVa87
|
21
digitalassets.ams3.digitaloceanspaces.com(5.101.110.225) - malware aretywer.xyz(45.144.30.78) - malware mytoolsprivacy.site() - malware jg3.3uag.pw() whatitis.site(193.38.55.33) - malware iplogger.org(88.99.66.31) d0wnl0ads.online() - mailcious pastebin.com(104.23.99.190) - mailcious file.ekkggr3.com(104.21.66.169) - malware msiamericas.com(141.136.39.190) www.investinae.com(108.167.143.77) 188.93.233.223 - malware 103.124.106.203 - malware 88.99.66.31 - mailcious 141.136.39.190 104.23.99.190 - mailcious 45.144.30.78 - malware 193.38.55.33 5.101.110.225 - malware 104.21.66.169 108.167.143.77
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET DNS Query to a *.pw domain - Likely Hostile ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
5
http://file.ekkggr3.com/iuww/jvppp.exe http://188.93.233.223/proxy1.exe http://whatitis.site/dlc/mixinte http://103.124.106.203/cof4/inst.exe https://pastebin.com/raw/mH2EJxkv
|
14.4 |
M |
23 |
ZeroCERT
8998 |
2021-03-23 10:32
|
rl8.exe 5ab10b180aca215ff3af5ec0e0e00b87 Malware download Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities suspicious process sandbox evasion Kovter Windows ComputerName DNS |
1
https://35.166.81.240/waters/travel/new21
|
2
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
|
|
11.4 |
|
3 |
ZeroCERT
8999 |
2021-03-23 08:07
|
http://195.242.110.126/2021/Ms... de6717de7bd1daa595c0b00887c25f05 VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://195.242.110.126/2021/MsWord.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
5.6 |
|
35 |
ZeroCERT
9000 |
2021-03-23 07:56
|
http://185.250.148.252/44277.6... VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
162.243.164.215 185.250.148.252
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
5.2 |
|
|
guest