9271 | 2021-02-19 10:23
File: chase_Summary.exe.pif
MD5: d767852b7e5147ae9ea47d13bea99ef3
Tags: Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Windows Exploit Browser Email ComputerName Remote Code Execution DNS Software crashed
URLs (6):
  http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
  http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1613697135&mv=m&mvi=3&pl=18&shardbypass=yes
  http://illusionist.com.my/go/PL341/index.php
  https://update.googleapis.com/service/update2
  https://update.googleapis.com/service/update2?cup2key=10:3673027502&cup2hreq=10b0303d62efcb395ba139ce07619520c5e2e1633ea33264c2474e4433297a94
  https://www.google.com/
Hosts (7):
  illusionist.com.my(111.90.135.150) - malware
  r3---sn-3u-bh26.gvt1.com(59.18.44.14)
  www.google.com(172.217.26.36)
  59.18.44.14
  111.90.135.150 - malware
  172.217.174.196
  142.250.199.67
IDS alerts (5):
  ET MALWARE AZORult v3.3 Server Response M1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
23.0 | M | 29 | ZeroCERT

9272 | 2021-02-19 09:44
File: 10.fbr.exe
MD5: 853c5f48616fd2afd63e487d197c9796
Tags: Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName Remote Code Execution DNS crashed
Hosts (7):
  200.52.147.93 - malicious
  142.202.191.164 - malicious
  194.5.249.156 - phishing
  45.155.173.242 - malicious
  94.140.114.136 - malicious
  108.170.20.75 - malicious
  186.250.157.116 - malicious
IDS alerts (8):
  ET CNC Feodo Tracker Reported CnC Server group 16
  ET CNC Feodo Tracker Reported CnC Server group 24
  ET CNC Feodo Tracker Reported CnC Server group 2
  ET CNC Feodo Tracker Reported CnC Server group 12
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET CNC Feodo Tracker Reported CnC Server group 4
  ET CNC Feodo Tracker Reported CnC Server group 9
9.8 | M | 15 | ZeroCERT

9273 | 2021-02-18 22:22
File: setup.exe
MD5: 708cf56061b75db614bd5ce9ebff2c75
Tags: VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser ComputerName crashed
URLs (8):
  http://www.wpobot.com/update.php?version=10165
  http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
  http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
  http://www.wpobot.com/api.php
  http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
  https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x86.exe
  https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x64.exe
  https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x86.exe
Hosts (4):
  www.wpobot.com(198.187.31.103)
  download.microsoft.com(23.40.44.112)
  104.75.0.70
  198.187.31.103 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 | M | 28 | ZeroCERT

9274 | 2021-02-18 18:44
File: maxs.exe
MD5: e461c46a2ae8137c347fcb895c6bddf0
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (2):
  http://185.239.242.107/base/F877518494A88142C918652019EF505B.html - rule_id: 263
  https://api.ipify.org/
Hosts (3):
  api.ipify.org(23.21.126.66)
  23.21.126.66
  185.239.242.107 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1
  http://185.239.242.107/base/
14.6 | M | 16 | ZeroCERT

9275 | 2021-02-18 16:52
File: bb.exe
MD5: 27a26b9535f908ea109a9e1fa986a842
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows Cryptographic key
URLs (1): (none listed)
Hosts (3):
  www.google.com(172.217.175.228)
  216.58.220.196
  172.217.31.228
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | | 26 | ZeroCERT

9276 | 2021-02-18 11:11
File: gdx.exe
MD5: 5ca266f8c24963e0e9fc53a6f927c207
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows ComputerName crashed
URLs (1):
  https://amstv.com.br/gd/inc/5994c42c079702.php
Hosts (2):
  amstv.com.br(31.170.163.62)
  31.170.163.62
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 31 | ZeroCERT

9277 | 2021-02-18 11:04
File: inst.exe
MD5: a0e44abd155fd1acbbe9c9eda6e0f2fd
Tags: VirusTotal Malware AutoRuns suspicious privilege ICMP traffic unpack itself malicious URLs Tofsee Windows Advertising crashed
URLs (1):
  https://iplogger.org/1hVa87
Hosts (2):
  iplogger.org(88.99.66.31)
  88.99.66.31 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.4 | M | 52 | ZeroCERT

9278 | 2021-02-18 09:46
File: jayson.exe
MD5: bdd0e56f940036b718551617c496fcd0
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces malicious URLs VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
URLs (2):
  http://87.251.71.75:3214/
  https://api.ip.sb/geoip
Hosts (7):
  WHOIS.APNIC.NET(172.104.77.201)
  whois.iana.org(192.0.32.59)
  api.ip.sb(104.26.12.31)
  87.251.71.75
  104.26.13.31
  192.0.32.59
  172.104.79.63
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
13.4 | M | 45 | ZeroCERT

9279 | 2021-02-18 09:27
File: updatej.exe
MD5: bdd0e56f940036b718551617c496fcd0
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces malicious URLs VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
URLs (3):
  http://87.251.71.75:3214/
  http://detectportal.firefox.com/success.txt?ipv4
  https://api.ip.sb/geoip
Hosts (10):
  WHOIS.APNIC.NET(172.104.77.201)
  api.ip.sb(172.67.75.172)
  prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
  whois.iana.org(192.0.32.59)
  detectportal.firefox.com(34.107.221.82)
  192.0.32.59
  87.251.71.75
  104.26.13.31
  34.107.221.82
  172.104.79.63
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
13.4 | M | 45 | ZeroCERT

9280 | 2021-02-17 18:31
File: updatej.exe
MD5: bdd0e56f940036b718551617c496fcd0
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces AppData folder malicious URLs VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
URLs (4):
  http://87.251.71.75:3214/
  https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/e9515cd4-e4be-4df8-a6ed-78ce94ca1ded/flesh.exe?Signature=M9LO0tkbfiY4JTZyMmcptbiWLWE%3D&Expires=1613554939&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=wazVzlSawVmjnWxohUU7axVxttdZHl3Q&response-content-disposition=attachment%3B%20filename%3D%22flesh.exe%22
  https://iplogger.org/1rst77
  https://api.ip.sb/geoip
Hosts (13):
  bbuseruploads.s3.amazonaws.com(52.216.99.59) - malware
  WHOIS.APNIC.NET(172.104.77.201)
  api.ip.sb(172.67.75.172)
  bitbucket.org(104.192.141.1) - malware
  iplogger.org(88.99.66.31)
  whois.iana.org(192.0.32.59)
  172.67.75.172
  192.0.32.59
  88.99.66.31 - malicious
  87.251.71.75
  104.192.141.1 - malicious
  172.104.77.201
  52.217.107.84
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
15.8 | M | 42 | ZeroCERT

9281 | 2021-02-17 18:06
File: 55552020.exe
MD5: 5b574e89d6b908f38c2237297183d2a4
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows
URLs (1): (none listed)
Hosts (2):
  www.google.com(216.58.220.100)
  172.217.161.132
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | M | 47 | ZeroCERT

9282 | 2021-02-17 17:52
File: Oba2021.exe
MD5: 88859f612cdb90d2701697411232ca86
Tags: VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (1): (none listed)
Hosts (3):
  www.google.com(172.217.26.4)
  216.58.199.100
  45.145.185.153 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.6 | M | 53 | ZeroCERT

9283 | 2021-02-17 17:43
File: 7.oprt.exe
MD5: 8fe3bd4d5898f1fd59347f9db14373f8
Tags: Malware download Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report PDB suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed
URLs (1):
  https://193.8.194.96/rob57/TEST22-PC_W617601.D864B33623B35F4FF7123D119BBEDFD9/5/file/
Hosts (6):
  45.230.244.20
  142.202.191.164 - malicious
  193.8.194.96
  45.155.173.242 - malicious
  94.140.114.136 - malicious
  108.170.20.75 - malicious
IDS alerts (9):
  ET CNC Feodo Tracker Reported CnC Server group 4
  ET CNC Feodo Tracker Reported CnC Server group 2
  ET CNC Feodo Tracker Reported CnC Server group 24
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 11
  ET CNC Feodo Tracker Reported CnC Server group 16
  ET CNC Feodo Tracker Reported CnC Server group 17
  ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
7.6 | M | 29 | ZeroCERT

9284 | 2021-02-17 17:26
File: svchost.exe
MD5: 19dbe94b766de8c0d6d2fddb3583a8a5
Tags: VirusTotal Malware Malicious Traffic Check memory RWX flags setting unpack itself Tofsee DNS
URLs (3):
  http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
  https://update.googleapis.com/service/update2?cup2key=10:1254756231&cup2hreq=248a39b78b469512b1431d43c396ee274f15e61eb6e07bbd3373ca3b3c01ab37
  https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201
Hosts (3):
  edgedl.gvt1.com(142.250.34.2)
  142.250.34.2
  142.250.199.67
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | M | 23 | ZeroCERT

9285 | 2021-02-17 15:50
File: index2.html
MD5: 40c22934b91c83d2e5ae756b274bc7a3
Tags: Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
Hosts (2):
  www.minpic.de(104.21.12.184) - malicious
  104.21.12.184 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | | ZeroCERT