15376 | 2021-11-14 18:36
2_f.exe a70df5f0cab9a6a58d218fb4f2ef9aec Themida Packer Anti_VM UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed
1
7.6 | 32 | ZeroCERT

15377 | 2021-11-14 18:36
Grindstone.exe 7e400451e3153f07e15e9079b8bed063 RAT Gen1 Generic Malware UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Chrome Browser Email ComputerName DNS Cryptographic key Password
9 | http://takpo.biz/ http://takpo.biz/3.jpg http://takpo.biz/1.jpg http://takpo.biz/main.php http://takpo.biz/7.jpg http://takpo.biz/5.jpg http://takpo.biz/6.jpg http://takpo.biz/4.jpg http://takpo.biz/2.jpg
2 | takpo.biz(192.64.117.201) 192.64.117.201 - phishing
8 | ET INFO Observed DNS Query to .biz TLD ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Possible EXE Download From Suspicious TLD ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)
15.2 | 32 | ZeroCERT

15378 | 2021-11-14 18:38
247.exe cb4804b273c7aa139507dce67b808bf5 Generic Malware Themida Packer UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed
1
7.4 | 23 | ZeroCERT

15379 | 2021-11-14 18:39
nan.exe c545169abecbc4d469952b911066ab0b Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS
3 | uhie2020.duckdns.org(91.193.75.186) uhie.hopto.org(91.193.75.186) 91.193.75.186
2 | ET POLICY DNS Query to DynDNS Domain *.hopto .org ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
15.6 | 49 | ZeroCERT

15380 | 2021-11-14 18:41
15234.exe 85ef0b629318f502fe3602ba97de74b3 Generic Malware Antivirus PE File PE32 PE64 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key Downloader
1 | https://cdn.discordapp.com/attachments/908728351760453728/908728487655899239/miner.exe
2 | cdn.discordapp.com(162.159.133.233) - malware 162.159.130.233 - malware
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | 31 | ZeroCERT

15381 | 2021-11-14 18:43
lozzzz1_signed_4.exe 4a0f69778cc534fc4ed63bc5e4bc946c Gen2 Gen1 Generic Malware UPX Malicious Library Malicious Packer ASPack Antivirus Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 OS Processor Check GIF Format DLL PE64 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware Firewall state off anti-virtualization VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
6 | http://cbs.wondershare.com/go.php?m=upgrade_info&pid=235&version=7.4.9.2&email=&updatebyua=1 http://iplogger.org/1BTpm7 http://platform.wondershare.com/time.php http://platform.wondershare.com/interface.php?m=init https://cdn.discordapp.com/attachments/909009344257994755/909012707053797376/ssehub.exe https://cdn.discordapp.com/attachments/908226860402499608/908961057916207154/Zenar.exe
12 | platform.wondershare.com(63.159.217.158) us.wondershare.com() iplogger.org(5.9.162.45) - mailcious bitbucket.org(104.192.141.1) - malware cdn.discordapp.com(162.159.133.233) - malware cbs.wondershare.com(203.130.48.3) 45.67.231.218 203.130.48.18 162.159.130.233 - malware 5.9.162.45 104.192.141.1 - mailcious 203.130.48.16
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
23.8 | 24 | ZeroCERT

15382 | 2021-11-14 18:43
41_1636810751_6422.exe f781a93e4bbeb163e5ff499d3a0f56af Generic Malware Antivirus AntiDebug AntiVM PE File PE32 PE64 Browser Info Stealer VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed Downloader
2 | https://cdn.discordapp.com/attachments/908728351760453728/908731434611638292/15234.exe https://cdn.discordapp.com/attachments/908728351760453728/908728487655899239/miner.exe
4 | cdn.discordapp.com(162.159.135.233) - malware 203.130.48.16 162.159.135.233 - malware 80.85.138.229
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | 30 | ZeroCERT

15383 | 2021-11-14 18:43
shrrico.exe 4aa4dfd6b9b3ba9a2961b4a8f40d6b1b RAT PWS .NET framework Generic Malware task schedule Malicious Library Malicious Packer UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer AsyncRAT Dridex NetWireRC TrickBot VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Kovter Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
6 | freegeoip.app(104.21.19.200) bbccdd.duckdns.org(45.144.225.178) checkip.dyndns.org(193.122.130.0) 216.146.43.71 45.144.225.178 104.21.19.200
7 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
14.2 | 40 | ZeroCERT

15384 | 2021-11-14 18:45
Request_000517_03107206PDF.exe f63e1268d0d33af7abee3329cb23e0cd RAT Generic Malware Malicious Library PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName DNS
1
3.0 | 39 | ZeroCERT

15385 | 2021-11-14 18:45
ISO_003820_03152IMG.exe 0360f849acb6816bd3e2ddcf51ef6f95 RAT Generic Malware Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(172.67.188.154) checkip.dyndns.org(193.122.130.0) 172.67.188.154 158.101.44.242
3 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org
15.2 | 42 | ZeroCERT

15386 | 2021-11-14 18:47
file.exe 8b9bce00bcd650b996c0d67d57675de7 Emotet Gen2 Formbook Generic Malware Malicious Library UPX PE File PE32 OS Processor Check MSOffice File JPEG Format VirusTotal Malware unpack itself Windows utilities suspicious process AppData folder WriteConsoleW anti-virtualization Ransomware Windows crashed
5.6 | 15 | ZeroCERT

15387 | 2021-11-14 18:47
joined.exe 7ac20345ed8615a12a8ac4f1e79f2cb4 RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
1
8.6 | 54 | ZeroCERT

15388 | 2021-11-14 18:49
Goalscorer.exe e922d31d9e42823f27cb8512b3afe7ac RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key crashed
1
9.6 | 44 | ZeroCERT

15389 | 2021-11-14 18:51
vbc.exe 27d3f668c643e4fb0cb9d925ff18c1a4 Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
7 | http://www.boraeresici.com/scb0/?wPX=PuUFza6JkAKwGoOaYS5KDzl4Ma1aI1cHEJ645VNa9r6R5B04mKyb4d8I8jDK1Wcj5hqzWdPA&1b=jnKtRlUpV http://www.fromtotravel.com/scb0/?wPX=GvprbHektAl4D8IvPxepuajJQ09CC7TSnX+9RfBBDVuKDXES3GsMcohbU3Fqiu3PtbIJWgse&1b=jnKtRlUpV http://www.oemlift.com/scb0/?wPX=oxdzckz1WDzVVbowfF3gXE5AD3hAcBtigHbrnVVZvjVKcpVIlg6EqFW48XjzDRc0/KM6TsbW&1b=jnKtRlUpV http://www.llaa11.xyz/scb0/?wPX=LvVOqUj382vn4xaDmPdNbROBsfmX8/xJXi3b40WP3Ow6Tel98yunW6JlZzwoyviXGhVkmuQf&1b=jnKtRlUpV - rule_id: 6170 http://www.austinsv.net/scb0/?wPX=Zl2v3Gi0i97lZMwkTe4FzSn1z6vHC52v5qw/jpDTScDL/QFSibPt4rSdvZMU8uEZxsMcWvvh&1b=jnKtRlUpV http://www.c7performance.com/scb0/?wPX=1jmKeEnKIzAf6pCXw/ofl7aJO1pMzzZmstFoRAeOWdzh0uaNmgLi+HK50LG8aU1aWwyktqDt&1b=jnKtRlUpV http://www.regalosyartesania.com/scb0/?wPX=TNRA0R/xf/ZNbUY/f0BmmO9GBKrt7jtSacniP7lmW6u3ED/dUxbIXtNKOvVcxD1/iN1fBQ2x&1b=jnKtRlUpV
16 | www.boraeresici.com(212.102.50.51) www.spiegelverwarming.store() www.austinsv.net(70.40.216.156) www.fromtotravel.com(172.67.204.225) www.llaa11.xyz(104.21.59.243) www.c7performance.com(96.125.174.107) www.andysmittkamp.com() www.regalosyartesania.com(217.160.0.253) www.oemlift.com(154.208.173.191) 212.102.50.51 154.208.173.191 104.21.61.17 70.40.216.156 104.21.59.243 217.160.0.253 - mailcious 96.125.174.107
3 | ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP Unexpected Request body ET HUNTING Request to .XYZ Domain with Minimal Headers
1 | http://www.llaa11.xyz/scb0/
13.0 | M | 42 | ZeroCERT

15390 | 2021-11-14 18:51
240.exe bf34d3d86cc2a132f7779051b3cdbb78 Themida Packer UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed
1
7.6 | 36 | ZeroCERT