30826 | 2022-05-23 16:55
update.exe 56631af68a3da74a28cd90356d3fd6d9 UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware |
0.8 | M | 23 | ZeroCERT

30827 | 2022-05-23 16:53
spotify.exe 50dd36bb49db6776831887bd5c185fa9 PE File PE64 VirusTotal Malware Checks debugger WMI ComputerName |
3.0 | M | 25 | ZeroCERT

30828 | 2022-05-23 16:53
%EF%BB%BF259_1.exe 4f7a427579f50779ecf321f86e06fc29 UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware |
0.8 | M | 28 | ZeroCERT

30829 | 2022-05-23 12:42
Sk7iJ9 55b8a285e688901b23630d99610ecd13 emotet MS_XLSX_Macrosheet VirusTotal Malware Creates executable files unpack itself suspicious process Tofsee |
2 |
http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/ - rule_id: 16350 https://www.gonorthhalifax.ca/
5 |
www.gonorthhalifax.ca(34.117.168.233) gonorthhalifax.com(216.239.38.21) - mailcious eles-tech.com() - mailcious 34.117.168.233 - mailcious 216.239.32.21 - mailcious
1 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1 |
http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
4.2 | M | 33 | ZeroCERT

30830 | 2022-05-23 09:48
account_security_repport.exe bac340e0ffe9121b7c86294e00c22c56 RAT UPX Malicious Library Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself |
1.8 | M | 23 | ZeroCERT

30831 | 2022-05-23 09:46
IwJiHDBEAdwATHwfgY7 2071b307417f667853f239a0a8648286 UPX Malicious Packer Malicious Library PE32 OS Processor Check DLL PE File Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report Checks debugger RWX flags setting unpack itself Kovter ComputerName RCE DNS |
8 |
54.38.143.246 - mailcious 5.189.160.61 - mailcious 202.29.239.162 - mailcious 2.58.16.87 - mailcious 188.166.229.148 - mailcious 185.148.168.15 - mailcious 94.177.178.26 - mailcious 119.59.125.140 - mailcious
7 |
ET CNC Feodo Tracker Reported CnC Server group 24 ET CNC Feodo Tracker Reported CnC Server group 13 ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 18 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 10
5.0 | M | 33 | ZeroCERT

30832 | 2022-05-23 09:43
clip2.jpg d1f7c68881a0232f16910354b033087f UPX Malicious Library OS Processor Check PE File PE64 VirusTotal Malware PDB |
1.2 | M | 33 | ZeroCERT

30833 | 2022-05-23 09:41
11hYk3bHJ dc718a4e9da03bbc0673313cd6d7715c Malicious Library DLL PE File PE64 Dridex TrickBot VirusTotal Malware Report AutoRuns Checks debugger unpack itself Auto service suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Kovter Windows ComputerName DNS crashed |
14 |
89.29.244.7 - mailcious 82.165.152.127 - mailcious 103.70.28.102 - mailcious 196.218.30.83 - mailcious 209.97.163.214 - mailcious 159.65.140.115 150.95.66.124 - mailcious 173.239.37.178 - mailcious 119.193.124.41 - mailcious 103.43.75.120 159.89.202.34 173.82.82.196 51.254.140.238 - mailcious 77.81.247.144 - mailcious
4 |
ET CNC Feodo Tracker Reported CnC Server group 4 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 18 ET INFO TLS Handshake Failure
7.8 | M | 21 | ZeroCERT

30834 | 2022-05-23 09:40
OqHwQ8xlWa5Goyo e651e7c9f3ff0821ac85ac431ca367a3 Malicious Library DLL PE File PE64 Dridex TrickBot VirusTotal Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process sandbox evasion human activity check Kovter Windows ComputerName DNS crashed |
15 |
160.16.143.191 202.29.239.162 - mailcious 202.28.34.99 104.248.225.227 - mailcious 62.171.178.147 - mailcious 196.44.98.190 - mailcious 195.77.239.39 - mailcious 87.106.97.83 - mailcious 210.57.209.142 - mailcious 190.90.233.66 - mailcious 110.235.83.107 165.22.73.229 134.122.119.23 - mailcious 37.44.244.177 - mailcious 88.217.172.165 - mailcious
3 |
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 13
8.6 | M | 29 | ZeroCERT

30835 | 2022-05-23 09:39
Iye11aStLm1 9c8d23b78158bb374cb274c7682256e4 emotet Excel with Emotet MS_Excel_Hidden_Macro_Sheet UPX Malicious Library MSOffice File PE32 OS Processor Check DLL PE File Malware download VirusTotal Malware Report AutoRuns Creates executable files RWX flags setting exploit crash unpack itself Auto service suspicious process AntiVM_Disk VM Disk Size Check Tofsee Windows Exploit ComputerName DNS crashed |
1 |
http://www.garantihaliyikama.com/wp-admin/FjgB6I/ - rule_id: 15464
10 |
www.garantihaliyikama.com(213.128.75.146) - malware www.gessersh.com(81.95.101.8) - malware 81.95.101.8 - malware 216.158.226.206 - mailcious 79.143.187.147 - mailcious 213.128.75.146 - malware 138.197.109.175 - mailcious 104.131.11.205 - mailcious 187.84.80.182 - mailcious 68.183.94.239 - mailcious
10 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 10 ET CNC Feodo Tracker Reported CnC Server group 21 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 ET INFO EXE - Served Attached HTTP ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 5
1 |
http://www.garantihaliyikama.com/wp-admin/FjgB6I/
9.2 | M | 39 | ZeroCERT

30836 | 2022-05-23 09:38
PO.exe d29958ffc3ebde050e992fe24b7d735a PWS[m] RAT PWS .NET framework UPX SMTP KeyLogger AntiDebug AntiVM PE32 OS Processor Check .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
3 |
api.telegram.org(149.154.167.220) 103.145.13.158 - malware 149.154.167.220
4 |
ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 | M | 44 | ZeroCERT

30837 | 2022-05-23 09:37
4l6T5s7EcTyT bf2f633fde70f181cc81fe6dffb048e7 Malicious Library DLL PE File PE64 Dridex TrickBot VirusTotal Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Kovter Windows ComputerName DNS crashed |
15 |
160.16.143.191 202.29.239.162 - mailcious 202.28.34.99 104.248.225.227 - mailcious 62.171.178.147 - mailcious 196.44.98.190 - mailcious 195.77.239.39 - mailcious 87.106.97.83 - mailcious 210.57.209.142 - mailcious 190.90.233.66 - mailcious 110.235.83.107 165.22.73.229 134.122.119.23 - mailcious 37.44.244.177 - mailcious 88.217.172.165 - mailcious
3 |
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 13
8.6 | M | 29 | ZeroCERT

30838 | 2022-05-23 09:36
win32.exe c5097921cf3eed2cd852ec49e30c1d4d Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
1 |
3.4 | M | 45 | ZeroCERT

30839 | 2022-05-23 09:35
crypted.exe e91529f0e5cfd905fe9b3460ba50eef8 UPX Malicious Packer Malicious Library Create Service Socket DNS Escalate priviledges AntiDebug AntiVM PE32 OS Processor Check PE File VirusTotal Malware Code Injection buffers extracted RWX flags setting unpack itself DNS |
1 |
7.2 | M | 33 | ZeroCERT

30840 | 2022-05-23 09:34
setup.exe 27271e988bb7512df6f3296e9b15f0e4 PWS[m] task schedule Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer Dridex TrickBot VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security Check virtual network interfaces IP Check Kovter Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
1 |
http://checkip.dyndns.org/
5 |
kabos.xyz(103.145.13.158) - malware checkip.dyndns.org(158.101.44.242) 193.122.6.168 103.145.13.158 - malware 62.197.136.165
7 |
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET HUNTING Request to .XYZ Domain with Minimal Headers ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
16.6 | M | 44 | ZeroCERT