| 9271 |
2021-02-19 10:23
|
chase_Summary.exe.pif d767852b7e5147ae9ea47d13bea99ef3
Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Windows Exploit Browser Email ComputerName Remote Code Execution DNS Software crashed |
6
http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1613697135&mv=m&mvi=3&pl=18&shardbypass=yes
http://illusionist.com.my/go/PL341/index.php
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:3673027502&cup2hreq=10b0303d62efcb395ba139ce07619520c5e2e1633ea33264c2474e4433297a94
https://www.google.com/
|
7
illusionist.com.my(111.90.135.150) - malware
r3---sn-3u-bh26.gvt1.com(59.18.44.14)
www.google.com(172.217.26.36)
59.18.44.14
111.90.135.150 - malware
172.217.174.196
142.250.199.67
|
5
ET MALWARE AZORult v3.3 Server Response M1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
23.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9272 |
2021-02-19 09:44
|
10.fbr.exe 853c5f48616fd2afd63e487d197c9796
Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName Remote Code Execution DNS crashed |
|
7
200.52.147.93 - mailcious
142.202.191.164 - mailcious
194.5.249.156 - phishing
45.155.173.242 - mailcious
94.140.114.136 - mailcious
108.170.20.75 - mailcious
186.250.157.116 - mailcious
|
8
ET CNC Feodo Tracker Reported CnC Server group 16
ET CNC Feodo Tracker Reported CnC Server group 24
ET CNC Feodo Tracker Reported CnC Server group 2
ET CNC Feodo Tracker Reported CnC Server group 12
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 4
ET CNC Feodo Tracker Reported CnC Server group 9
|
|
9.8 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9273 |
2021-02-18 22:22
|
setup.exe 708cf56061b75db614bd5ce9ebff2c75
VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser ComputerName crashed |
8
http://www.wpobot.com/update.php?version=10165
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
http://www.wpobot.com/api.php
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x86.exe
https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x64.exe
https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x86.exe
|
4
www.wpobot.com(198.187.31.103)
download.microsoft.com(23.40.44.112)
104.75.0.70
198.187.31.103 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9274 |
2021-02-18 18:44
|
maxs.exe e461c46a2ae8137c347fcb895c6bddf0
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://185.239.242.107/base/F877518494A88142C918652019EF505B.html - rule_id: 263
https://api.ipify.org/
|
3
api.ipify.org(23.21.126.66)
23.21.126.66
185.239.242.107 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://185.239.242.107/base/
|
14.6 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9275 |
2021-02-18 16:52
|
bb.exe 27a26b9535f908ea109a9e1fa986a842
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows Cryptographic key |
1
|
3
www.google.com(172.217.175.228)
216.58.220.196
172.217.31.228
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9276 |
2021-02-18 11:11
|
gdx.exe 5ca266f8c24963e0e9fc53a6f927c207
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows ComputerName crashed |
1
https://amstv.com.br/gd/inc/5994c42c079702.php
|
2
amstv.com.br(31.170.163.62)
31.170.163.62
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9277 |
2021-02-18 11:04
|
inst.exe a0e44abd155fd1acbbe9c9eda6e0f2fd
VirusTotal Malware AutoRuns suspicious privilege ICMP traffic unpack itself malicious URLs Tofsee Windows Advertising crashed |
1
https://iplogger.org/1hVa87
|
2
iplogger.org(88.99.66.31)
88.99.66.31 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9278 |
2021-02-18 09:46
|
jayson.exe bdd0e56f940036b718551617c496fcd0
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces malicious URLs VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
http://87.251.71.75:3214/
https://api.ip.sb/geoip
|
7
WHOIS.APNIC.NET(172.104.77.201)
whois.iana.org(192.0.32.59)
api.ip.sb(104.26.12.31)
87.251.71.75
104.26.13.31
192.0.32.59
172.104.79.63
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
13.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9279 |
2021-02-18 09:27
|
updatej.exe bdd0e56f940036b718551617c496fcd0
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces malicious URLs VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
3
http://87.251.71.75:3214/
http://detectportal.firefox.com/success.txt?ipv4
https://api.ip.sb/geoip
|
10
WHOIS.APNIC.NET(172.104.77.201)
api.ip.sb(172.67.75.172)
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
whois.iana.org(192.0.32.59)
detectportal.firefox.com(34.107.221.82)
192.0.32.59
87.251.71.75
104.26.13.31
34.107.221.82
172.104.79.63
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
13.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9280 |
2021-02-17 18:31
|
updatej.exe bdd0e56f940036b718551617c496fcd0
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces AppData folder malicious URLs VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
4
http://87.251.71.75:3214/
https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/e9515cd4-e4be-4df8-a6ed-78ce94ca1ded/flesh.exe?Signature=M9LO0tkbfiY4JTZyMmcptbiWLWE%3D&Expires=1613554939&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=wazVzlSawVmjnWxohUU7axVxttdZHl3Q&response-content-disposition=attachment%3B%20filename%3D%22flesh.exe%22
https://iplogger.org/1rst77
https://api.ip.sb/geoip
|
13
bbuseruploads.s3.amazonaws.com(52.216.99.59) - malware
WHOIS.APNIC.NET(172.104.77.201)
api.ip.sb(172.67.75.172)
bitbucket.org(104.192.141.1) - malware
iplogger.org(88.99.66.31)
whois.iana.org(192.0.32.59)
172.67.75.172
192.0.32.59
88.99.66.31 - mailcious
87.251.71.75
104.192.141.1 - mailcious
172.104.77.201
52.217.107.84
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
15.8 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9281 |
2021-02-17 18:06
|
55552020.exe 5b574e89d6b908f38c2237297183d2a4
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows |
1
|
2
www.google.com(216.58.220.100)
172.217.161.132
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9282 |
2021-02-17 17:52
|
Oba2021.exe 88859f612cdb90d2701697411232ca86
VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
|
3
www.google.com(172.217.26.4)
216.58.199.100
45.145.185.153 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9283 |
2021-02-17 17:43
|
7.oprt.exe 8fe3bd4d5898f1fd59347f9db14373f8
Malware download Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report PDB suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed |
1
https://193.8.194.96/rob57/TEST22-PC_W617601.D864B33623B35F4FF7123D119BBEDFD9/5/file/
|
6
45.230.244.20
142.202.191.164 - mailcious
193.8.194.96
45.155.173.242 - mailcious
94.140.114.136 - mailcious
108.170.20.75 - mailcious
|
9
ET CNC Feodo Tracker Reported CnC Server group 4
ET CNC Feodo Tracker Reported CnC Server group 2
ET CNC Feodo Tracker Reported CnC Server group 24
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 11
ET CNC Feodo Tracker Reported CnC Server group 16
ET CNC Feodo Tracker Reported CnC Server group 17
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
7.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9284 |
2021-02-17 17:26
|
svchost.exe 19dbe94b766de8c0d6d2fddb3583a8a5
VirusTotal Malware Malicious Traffic Check memory RWX flags setting unpack itself Tofsee DNS |
3
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:1254756231&cup2hreq=248a39b78b469512b1431d43c396ee274f15e61eb6e07bbd3373ca3b3c01ab37
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
3
edgedl.gvt1.com(142.250.34.2)
142.250.34.2
142.250.199.67
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9285 |
2021-02-17 15:50
|
index2.html 40c22934b91c83d2e5ae756b274bc7a3
Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
|
2
www.minpic.de(104.21.12.184) - mailcious
104.21.12.184 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|