15166 |
2021-11-09 14:13
|
keep-129648460.xls 046fb17c255af32459405373810f5080 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
2
https://dongarza.com/gJW5ma382Z/x.html
https://headlinepost.net/3AkrPbRj/x.html
|
4
dongarza.com(167.250.5.42)
headlinepost.net(162.241.169.247) 167.250.5.42 - mailcious
162.241.169.247
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.6 |
|
|
guest
15167 |
2021-11-09 14:15
|
keep-129457992.xls abecccdb9291ed153a979b5a7c77d319 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
2
https://dongarza.com/gJW5ma382Z/x.html
https://headlinepost.net/3AkrPbRj/x.html
|
4
dongarza.com(167.250.5.42)
headlinepost.net(162.241.169.247) 167.250.5.42 - mailcious
162.241.169.247
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.6 |
|
|
guest
15168 |
2021-11-09 14:18
|
keep-1295373157.xls 3bba7ba332871b9f9113db6e878adabb Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
2
https://dongarza.com/gJW5ma382Z/x.html
https://headlinepost.net/3AkrPbRj/x.html
|
4
dongarza.com(167.250.5.42)
headlinepost.net(162.241.169.247) 167.250.5.42 - mailcious
162.241.169.247
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.6 |
|
|
guest
15169 |
2021-11-09 18:36
|
5925_1636306944_5969.exe 3c3c755028d448d6f561b14c3a1766e8 RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
8.2 |
|
44 |
ZeroCERT
15170 |
2021-11-09 18:37
|
kelz - Copy.doc ee0c66256bd071a3471927903188b878 Antivirus VirusTotal Malware |
|
|
|
|
0.4 |
|
5 |
guest
15171 |
2021-11-09 18:39
|
vbc.exe 65e4730d75a2dcfbc8416d4726d28b9b Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
2
http://secure01-redirect.net/ga18/fre.php - rule_id: 6830 http://secure01-redirect.net/ga18/fre.php
|
2
secure01-redirect.net(85.143.175.133) 85.143.175.133
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://secure01-redirect.net/ga18/fre.php
|
12.4 |
|
19 |
ZeroCERT
15172 |
2021-11-09 18:42
|
setup-1.0.2_win.exe 517b1aedc5ab6a19a134f50833d3c059 Generic Malware Malicious Library UPX PE File OS Processor Check PE32 PDB unpack itself Remote Code Execution |
|
|
|
|
1.4 |
|
|
ZeroCERT
15173 |
2021-11-09 18:43
|
kelz - Copy.doc ee0c66256bd071a3471927903188b878 Antivirus VirusTotal Malware RWX flags setting |
|
|
|
|
1.6 |
|
5 |
guest
15174 |
2021-11-09 18:43
|
wef.wbk 70c1a705af28923926d48b9181d383ad RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed Downloader |
2
http://apps.identrust.com/roots/dstrootcax3.p7c http://3.112.244.67/1114/vbc.exe
|
5
textbin.net(51.79.99.124) apps.identrust.com(119.207.65.81) 3.112.244.67 51.79.99.124 121.254.136.57
|
7
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
33 |
ZeroCERT
15175 |
2021-11-09 18:43
|
214.exe 1d6229b2af3142658019bbbbbd73fc67 RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee |
1
https://cdn.discordapp.com/attachments/901604840319369236/906982250766295060/LoaderUnhitable.exe
|
2
cdn.discordapp.com(162.159.130.233) - malware 162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
30 |
ZeroCERT
15176 |
2021-11-09 18:46
|
vbc.exe 52cc39a88039fadc477da1a88356126b RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
textbin.net(51.79.99.124) apps.identrust.com(119.207.65.74) 121.254.136.27 51.79.99.124
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
|
28 |
ZeroCERT
15177 |
2021-11-09 18:47
|
kelz - Copy.doc.html ee0c66256bd071a3471927903188b878 Antivirus AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
5 |
guest
15178 |
2021-11-09 18:48
|
7051_1636390521_5401.exe 35ff5f54ce6916b53bddc3b3d4acb854 RAT PWS .NET framework Generic Malware Themida Packer Malicious Library UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
https://www.bing.com/ https://cdn.discordapp.com/attachments/904759099487563809/904759174628515840/1.exe
|
5
www.google.com(172.217.25.68) cdn.discordapp.com(162.159.129.233) - malware 23.88.98.112 162.159.133.233 - malware 142.250.204.100
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
20.4 |
|
38 |
ZeroCERT
15179 |
2021-11-09 19:41
|
.nomedia a9f5e8ed1013fdd89ae515db0b628a2b AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
15180 |
2021-11-09 20:54
|
http://chek.zennolab.com/proxy... b6dc5502b3a9e484f096210896f467f5 Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
http://chek.zennolab.com/proxy.php http://chek.zennolab.com/favicon.ico
|
2
chek.zennolab.com(37.1.223.41) 37.1.223.41
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
guest