30781 | 2022-05-24 12:29
Fgv77t71DAPm09UU 33ce0628fb349731b2485d8c5cebef82 UPX Malicious Packer Malicious Library PE32 OS Processor Check DLL PE File Dridex TrickBot VirusTotal Malware Report Checks debugger ICMP traffic RWX flags setting unpack itself Kovter ComputerName RCE DNS |
13
185.4.135.27 - mailcious
103.75.201.2 - mailcious
177.87.70.10 - mailcious
158.69.222.101 - mailcious
195.154.133.20 - mailcious
146.59.226.45 - mailcious
103.75.201.4 - mailcious
185.157.82.211 - mailcious
217.182.143.248 - mailcious
5.9.116.246 - mailcious
192.99.251.50 - mailcious
162.214.118.104 - mailcious
31.24.158.56 - mailcious
5
ET CNC Feodo Tracker Reported CnC Server group 6
ET CNC Feodo Tracker Reported CnC Server group 2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 11
6.4 | M | 51 | ZeroCERT
30782 | 2022-05-24 09:50
vbc.exe a86ffa9833d2c02d951db0bef4d46db4 PWS[m] PWS Loki[b] Loki.m RAT .NET framework Socket DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://sempersim.su/gf23/fre.php
2
sempersim.su(45.10.245.123) - mailcious
45.10.245.123 - mailcious
9
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
13.4 | M | 35 | ZeroCERT
30783 | 2022-05-24 09:48
Runtime%20Broker.exe 18d8c4391b614698704df2cde28e88c6 RAT PWS .NET framework Antivirus UPX Malicious Packer Malicious Library PE32 OS Processor Check .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 | M | 50 | ZeroCERT
30784 | 2022-05-24 09:47
0x ce071bd162f9a16dce6ffc75cfb484c8 Formbook Hide_EXE AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself Browser Email |
3.4 | | 2 | ZeroCERT
30785 | 2022-05-24 09:47
Chrome Setup Update.google.ht... 552ce288a0c4bd91716eb555bfb5ec4f Generic Malware Antivirus AntiDebug AntiVM Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key |
1
http://31.41.244.231/AVAVA/WAW/F0.oo
1
|
2
ET HUNTING [TW] Likely Hex Executable String
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
9.8 | | | guest
30786 | 2022-05-24 09:44
8 363495acb4327435709de91edaef8338 emotet MS_XLSX_Macrosheet VirusTotal Malware Creates executable files unpack itself suspicious process Tofsee |
2
http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/ - rule_id: 16350
https://www.gonorthhalifax.ca/
5
www.gonorthhalifax.ca(34.117.168.233)
gonorthhalifax.com(216.239.36.21) - mailcious
eles-tech.com() - mailcious
216.239.36.21 - phishing
34.117.168.233 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1
http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
4.2 | M | 34 | ZeroCERT
30787 | 2022-05-24 09:41
vbc.exe bfd832768c77c60e6cea6237509db468 AgentTesla PWS[m] browser info stealer Generic Malware Google Chrome User Data Antivirus Create Service Socket DNS Internet API Code injection Sniff Audio KeyLogger Downloader Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger |
1
http://geoplugin.net/json.gp
4
geoplugin.net(178.237.33.50)
salesumishcn.ddns.net(31.42.186.188) - mailcious
178.237.33.50
31.42.186.188 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
12.2 | M | 20 | ZeroCERT
30788 | 2022-05-24 09:40
Cvfhkget00Lrk41a ea82ea6d6f5fa078359f2fb7a3820e3e UPX Malicious Packer Malicious Library PE32 OS Processor Check DLL PE File Dridex TrickBot VirusTotal Malware Report Checks debugger RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS |
17
1.234.2.232 - mailcious
217.182.25.250 - mailcious
151.106.112.196 - mailcious
107.182.225.142 - mailcious
51.91.7.5 - mailcious
188.44.20.25 - mailcious
70.36.102.35 - mailcious
131.100.24.231 - mailcious
153.126.146.25 - mailcious
92.240.254.110 - mailcious
119.193.124.41 - mailcious
173.212.193.249 - mailcious
176.56.128.118 - mailcious
51.254.140.238 - mailcious
45.142.114.231 - mailcious
51.91.76.89 - malware
46.55.222.11 - mailcious
7
ET CNC Feodo Tracker Reported CnC Server group 18
ET CNC Feodo Tracker Reported CnC Server group 4
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 5
ET CNC Feodo Tracker Reported CnC Server group 8
5.6 | M | 52 | ZeroCERT
30789 | 2022-05-24 09:38
Ghpwvaau.exe f90932c0feeed304b65bf0cb9ee79424 UPX Malicious Library PE32 PE File VirusTotal Malware unpack itself crashed |
2.6 | M | 43 | ZeroCERT
30790 | 2022-05-24 09:38
vbc.exe 4c96e61d2cef9f60b84a0502d5f359eb PWS[m] RAT Hide_EXE SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
2
us2.smtp.mailhostbox.com(208.91.198.46)
208.91.198.46
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | M | 32 | ZeroCERT
30791 | 2022-05-24 09:36
listbul.exe 8970a3db9f39923a4ef16fb39cd8acc5 MinGW GCC PE File PE64 IcedID Malware download VirusTotal Malware Malicious Traffic unpack itself |
1
|
2
pilatylu.com(94.140.115.34)
94.140.115.34
1
ET MALWARE Win32/IcedID Request Cookie
2.8 | M | 42 | ZeroCERT
30792 | 2022-05-24 09:35
link.exe 7cebef3dd163c46c95bc5f128834fd88 UPX PE32 PE File VirusTotal Malware Check memory unpack itself |
2.2 | M | 22 | ZeroCERT
30793 | 2022-05-24 09:34
.winlogon.exe 2b7c7a158551f36c50a3fc8c01c514be PWS[m] Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
api.telegram.org(149.154.167.220)
149.154.167.220
4
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
14.0 | M | 22 | ZeroCERT
30794 | 2022-05-24 09:33
.svchost.exe def22c7200a51d7950fc5c6f8ed7b429 RAT UPX Malicious Library PE32 PE File PNG Format DLL JPEG Format PE64 GIF Format VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder |
3.6 | M | 20 | ZeroCERT
30795 | 2022-05-24 09:32
AR4nYNd9xpn 5d1006079971ca12ef0705445f44bbd0 UPX Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot VirusTotal Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Kovter Windows ComputerName RCE DNS |
15
160.16.143.191 - mailcious
202.29.239.162 - mailcious
202.28.34.99 - mailcious
87.106.97.83 - mailcious
104.248.225.227 - mailcious
62.171.178.147 - mailcious
196.44.98.190 - mailcious
195.77.239.39 - mailcious
210.57.209.142 - mailcious
190.90.233.66 - mailcious
110.235.83.107 - mailcious
165.22.73.229 - mailcious
134.122.119.23 - mailcious
37.44.244.177 - mailcious
88.217.172.165 - mailcious
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 13
ET INFO TLS Handshake Failure
8.0 | M | 17 | ZeroCERT