32926 | 2022-03-31 10:21
Sample: vbc.exe (MD5 5b9d23eb5a8f6d5578897abbecfe3d37)
Tags: AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself
URLs / hosts / network alerts: none recorded
Score: 7.6 | M | 38 | Source: r0d

32927 | 2022-03-31 10:09
Sample: csrss.exe (MD5 6b58b7e02d133969181172d3cc544637)
Tags: Loki, PWS[m], PWS, Loki[b], Loki.m, .NET framework, DNS, AntiDebug, AntiVM, .NET EXE, PE32, PE File, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://sempersim.su/ge11/fre.php - rule_id: 15193
Hosts / IPs (2):
  sempersim.su (95.213.216.239) - malicious
  95.213.216.239 - malicious
Network alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1):
  http://sempersim.su/ge11/fre.php
Score: 14.8 | M | 41 | Source: ZeroCERT

32928 | 2022-03-31 10:07
Sample: vbc.exe (MD5 31ffdc4b2379bfbdc3d8d62ee69720c2)
Tags: RAT, Generic Malware, Antivirus, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, Cryptographic key
URLs (1):
  http://www.podensac.fr/modules/mod_footer/tmpl/Fifsawamp_Isfshxbh.bmp
Hosts / IPs (2):
  www.podensac.fr (164.132.235.17)
  164.132.235.17 - phishing
Network alerts (1):
  ET HUNTING Suspicious Terse Request for .bmp
Score: 6.8 | M | 35 | Source: ZeroCERT

32929 | 2022-03-31 10:05
Sample: FileForLoader.exe (MD5 60cf152f092168ce53bc6f66bb91956d)
Tags: RAT, .NET EXE, PE32, PE File, VirusTotal, Malware, PDB, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, ComputerName, DNS
Hosts / IPs (1): none listed in the export
Score: 4.2 | M | 33 | Source: ZeroCERT

32930 | 2022-03-31 10:03
Sample: vbc.exe (MD5 5b9d23eb5a8f6d5578897abbecfe3d37)
Tags: AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, suspicious TLD, DNS
URLs (10):
  http://www.alegalit.com/foi3/?-Z=7vaKO296IB4JZxxhBgX1L+qharY2cYnC+gXKdDvD7f2UagbsQVOs3p1IrnnKRNVd1N3yeV1o&2d=XnzLeLjp
  http://www.winnigst0re.com/foi3/?-Z=rpkYSbn+3OEprlFWthejxD79u0lWrr0e4EZnU45dCgJ0AOgGPQXc6BcZoyTZhr/HICMlwYtO&2d=XnzLeLjp - rule_id: 15308
  http://www.mall-mrc.com/foi3/?-Z=CASqq5ygneQ+nujBRoqgimWJByOODtTwhKIcifo97IoqOE6HTymy4LFHrKAnuX3EyKKRm6ZE&2d=XnzLeLjp
  http://www.kipnesrealtygroup.com/foi3/?-Z=Qf2VmrT71ucf4pAgdnlcgALfr7QGourqx29GcQMr0u6tUSwNWwDnqjBwqa0N8NGMltIJuIgi&2d=XnzLeLjp
  http://www.avida2015.com/foi3/?-Z=rt1OUDQadVws4Xhs2LnVv4bjZ/3lsVqV7VaWPyb3AMU04vmMWW78GpBmARU08em66FoQHcow&2d=XnzLeLjp
  http://www.bmhdyw.com/foi3/?-Z=NBn/n/JxIpRD9oMIBZoIEiE/zDikgEG4ul1pGm8/ANTH3lJbgXLessZ6Stk3iAo3Szf2cghb&2d=XnzLeLjp
  http://www.just-bussiness.online/foi3/?-Z=D+1uSx7o0la+Hbq4Pd+LMFmvxiP7ojE4/729CYIuiWZ9ATQqBudZyFokeGgk8P1SF/p7IgZN&2d=XnzLeLjp
  http://www.lucro-fx.com/foi3/?-Z=Zki1QnX2nX5cKU3VY7m6jssZ+m1LgBoa4A4SgfRECbFNpyYgbGnRouKBk+mOD0fQ+Lsx4agD&2d=XnzLeLjp
  http://www.solheimdesign.com/foi3/?-Z=gn9zX01XS+G7EO9y4hpF+vMCqIov4w9bxlRvbxoKSJS+DKRbeu+JOKqCrdF6sTGL5sO76wdr&2d=XnzLeLjp
  http://www.signup.coupons/foi3/?-Z=qvnhfQFN8ZB3PYuGnRLNmBwIesO19Od2L/dQ7hwRnYsGMnl+l0DIui6O41Q+sS7Hhmu/+/Kb&2d=XnzLeLjp
Hosts / IPs (25):
  www.solheimdesign.com (156.234.188.116)
  www.avida2015.com (209.99.40.222)
  www.bmhdyw.com (108.186.180.25)
  www.scoopdoggy.online (203.170.80.250)
  www.lucro-fx.com (172.67.139.184)
  www.howtofindahotniche.com (unresolved)
  www.signup.coupons (13.250.255.10)
  www.logoterapia.info (unresolved)
  www.revolvewsefsu.top (unresolved)
  www.mall-mrc.com (141.125.107.194)
  www.just-bussiness.online (172.67.178.163)
  www.kipnesrealtygroup.com (198.185.159.145)
  www.winnigst0re.com (23.227.38.74)
  www.alegalit.com (34.102.136.180)
  172.67.178.163
  198.49.23.145 - malicious
  209.99.40.222 - malicious
  34.102.136.180 - malicious
  104.21.89.94
  203.170.80.250 - phishing
  141.125.109.198 - malicious
  13.250.192.238 - malicious
  156.234.188.116
  23.227.38.74 - malicious
  108.186.180.25
Network alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET DNS Query to a *.top domain - Likely Hostile
Flagged URLs (1):
  http://www.winnigst0re.com/foi3/
Score: 9.8 | M | 38 | Source: ZeroCERT

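The entries above are exported as whitespace-joined lines, which is awkward to feed into a blocklist or a SIEM by hand. The script below is an added example, not part of the original feed or of any sandbox's own code: it pulls URLs (with their rule_id), hostname/IP pairs, bare IPs with their reputation label, and ET/Suricata alert names out of a record in that raw layout, normalises the feed's own spelling of "malicious", groups FormBook-style check-in URLs by their campaign path (the constant path segment such as /foi3/, /sm3g/ or /grh2/ around which the domains rotate), and defangs everything for safe pasting. SAMPLE is a constructed excerpt of the 32927 (LokiBot) and 32930 (FormBook) entries; the FormBook query strings and the alert and host lists are shortened. The campaign-path heuristic is an assumption of this example, not a rule from the page.

```python
"""Extract and defang IOCs from flattened sandbox feed records (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt of entries 32927 and 32930 in the export's raw layout
# (URL line, host line, alert line per record); lists and blobs shortened.
SAMPLE = """\
http://sempersim.su/ge11/fre.php - rule_id: 15193
sempersim.su(95.213.216.239) - mailcious 95.213.216.239 - mailcious
ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin
http://www.alegalit.com/foi3/?-Z=7vaKO296IB4JZxxhBgX1L&2d=XnzLeLjp http://www.winnigst0re.com/foi3/?-Z=rpkYSbn+3OEprlFWthejxD&2d=XnzLeLjp - rule_id: 15308 http://www.mall-mrc.com/foi3/?-Z=CASqq5ygneQ+nujBRoqgimW&2d=XnzLeLjp
www.winnigst0re.com(23.227.38.74) www.alegalit.com(34.102.136.180) www.howtofindahotniche.com() 34.102.136.180 - mailcious 203.170.80.250 - phishing
ET MALWARE FormBook CnC Checkin (GET) ET DNS Query to a *.top domain - Likely Hostile
"""

URL_RE = re.compile(r"(https?://\S+)(?: - rule_id: (\d+))?")
# Either "name(ip-or-empty) [- label]" or a bare "ip [- label]" token.
HOST_RE = re.compile(
    r"(?P<host>[A-Za-z0-9.-]+)\((?P<hip>[\d.]*)\)(?: - (?P<hlabel>\w+))?"
    r"|(?P<ip>\b\d{1,3}(?:\.\d{1,3}){3}\b)(?: - (?P<ilabel>\w+))?"
)
ALERT_PREFIX = ("ET ", "SURICATA ", "SSLBL:")
ALERT_SPLIT = re.compile(r"\s+(?=(?:ET |SURICATA |SSLBL:))")
# Reputation labels as the feed spells them, mapped to normalised values.
LABELS = {"mailcious": "malicious", "malicious": "malicious",
          "malware": "malware", "phishing": "phishing"}


def parse_record(text):
    """Dispatch each raw line by its first token and collect structured IOCs."""
    rec = {"urls": [], "hosts": [], "ips": [], "alerts": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("http://", "https://")):
            for url, rule in URL_RE.findall(line):
                rec["urls"].append({"url": url, "rule_id": int(rule) if rule else None})
        elif line.startswith(ALERT_PREFIX):
            rec["alerts"].extend(ALERT_SPLIT.split(line))
        else:
            for m in HOST_RE.finditer(line):
                if m.group("host"):
                    rec["hosts"].append({"host": m.group("host"),
                                         "ip": m.group("hip") or None,
                                         "label": LABELS.get(m.group("hlabel"))})
                else:
                    rec["ips"].append({"ip": m.group("ip"),
                                       "label": LABELS.get(m.group("ilabel"))})
    return rec


def formbook_campaigns(urls):
    """Group check-in URLs of the shape http://host/<campaign>/?k=blob&k2=id by path.

    Heuristic (assumption of this example): a single path segment plus a query
    string marks a FormBook-style check-in; the path is the campaign id.
    """
    groups = defaultdict(set)
    for u in urls:
        parts = urlsplit(u["url"])
        if parts.query and parts.path.count("/") == 2 and parts.path.endswith("/"):
            groups[parts.path].add(parts.hostname)
    return {path: sorted(hosts) for path, hosts in groups.items()}


def defang(s):
    """http -> hxxp and dots in the host part -> [.] so the IOC is not clickable."""
    if "://" in s:
        parts = urlsplit(s)
        host = parts.netloc.replace(".", "[.]")
        scheme = parts.scheme.replace("http", "hxxp")
        query = f"?{parts.query}" if parts.query else ""
        return f"{scheme}://{host}{parts.path}{query}"
    return s.replace(".", "[.]")


def report(text):
    """Render one defanged line per IOC plus one line per FormBook campaign path."""
    rec = parse_record(text)
    out = []
    for u in rec["urls"]:
        tag = f" (rule_id {u['rule_id']})" if u["rule_id"] else ""
        out.append(f"url      {defang(u['url'])}{tag}")
    for h in rec["hosts"]:
        out.append(f"host     {defang(h['host'])} -> {h['ip'] or 'unresolved'} {h['label'] or ''}".rstrip())
    for i in rec["ips"]:
        out.append(f"ip       {defang(i['ip'])} {i['label'] or ''}".rstrip())
    for a in rec["alerts"]:
        out.append(f"alert    {a}")
    for path, hosts in formbook_campaigns(rec["urls"]).items():
        out.append(f"campaign {path}: {', '.join(defang(h) for h in hosts)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running the block prints one defanged IOC per line and a final "campaign /foi3/:" line listing the three rotating FormBook domains from the sample; feeding it a whole record from the export works the same way, since the parser keys off the first token of each line rather than on the count lines.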
32931 | 2022-03-31 10:03
Sample: 239.exe (MD5 fb89d57447db2445a18842b156ede54a)
Tags: PWS[m], RedLine stealer[m], AntiDebug, AntiVM, PE32, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Checks Bios, Collect installed applications, Detects VirtualBox, Detects VMWare, VMware anti-virtualization, installed browsers check, Windows, Browser, ComputerName, Firmware, DNS, Cryptographic key, Software, crashed
Hosts / IPs (1): none listed in the export
Score: 14.6 | M | 34 | Source: ZeroCERT

32932 | 2022-03-31 10:02
Sample: D.58921AOMOska.html (MD5 ba0c00aa1170ea47b010db152e92c7d4)
Tags: NPKI, AntiDebug, AntiVM, MSOffice File, Code Injection, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
URLs (4):
  https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
  https://cdnjs.cloudflare.com/ajax/libs/FileSaver.js/2.0.5/FileSaver.min.js
  https://cdnjs.cloudflare.com/ajax/libs/jszip/3.6.0/jszip.min.js
  https://cdnjs.cloudflare.com/ajax/libs/jszip-utils/0.1.0/jszip-utils.min.js
Hosts / IPs (2):
  cdnjs.cloudflare.com (104.16.19.94) - malicious
  104.16.18.94
Network alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | - | - | Source: ZeroCERT

32933 | 2022-03-31 09:59
Sample: vbc.exe (MD5 79fc587b75385d13a0aefbb63b8f83a5)
Tags: PWS, .NET framework, Generic Malware, Antivirus, .NET EXE, PE32, PE File, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
URLs / hosts / network alerts: none recorded
Score: 8.4 | - | 39 | Source: ZeroCERT

32934 | 2022-03-31 09:58
Sample: GNF-866237674854.xlsm (MD5 bcd007295846c9b233f30b7cfb3b5e3f)
Tags: emotet, MS_XLSX_Macrosheet, Malicious Library, UPX, OS Processor Check, DLL, PE32, PE File, Malware download, Dridex, TrickBot, Malware Report, AutoRuns, Creates executable files, ICMP traffic, RWX flags setting, exploit crash, unpack itself, Auto service, suspicious process, AntiVM_Disk, sandbox evasion, VM Disk Size Check, Kovter, Windows, Exploit, ComputerName, DNS, crashed
URLs (1):
  http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/ - rule_id: 15447
Hosts / IPs (22):
  harleyqueretaro.com (63.247.138.144) - malware
  45.118.115.99 - malicious
  206.189.28.199 - malicious
  187.84.80.182 - malicious
  63.247.138.144 - malware
  104.131.11.205 - malicious
  189.232.46.161 - malicious
  45.176.232.124 - malicious
  1.234.2.232 - malicious
  134.122.66.193 - malicious
  160.16.142.56 - malicious
  209.250.246.206 - malicious
  138.197.109.175 - malicious
  183.111.227.137 - malicious
  164.68.99.3 - malicious
  107.182.225.142 - malicious
  159.65.88.10 - malicious
  51.91.76.89 - malware
  72.15.201.15 - malicious
  103.43.46.182 - malicious
  79.143.187.147 - malicious
  209.126.98.206 - malicious
Network alerts (8):
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 5
  ET CNC Feodo Tracker Reported CnC Server group 19
  ET CNC Feodo Tracker Reported CnC Server group 14
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
  ET INFO EXE - Served Attached HTTP
Flagged URLs (1):
  http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
Score: 10.2 | M | - | Source: ZeroCERT

32935 | 2022-03-31 09:52
Sample: vbc.exe (MD5 f6a14671885a91da7686771f406ba217)
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself
URLs (17):
  http://www.ruckerlaw.net/sm3g/?XB30drqH=MgbgmYyfQK8Yft6DklNIETjuKR7tWJ4j0Td7IYewG4vFzGjQ2Wl0fc9w2X4NFmWStqN1J455&GzrLH=VBZHY8kpwnaHZF
  http://www.jordysangels.com/sm3g/?XB30drqH=kQuqm19bivJdHmjon8FkMjOdz7N/xjnQlfMW6IplBeRn44ngNM4mXnAwGZAPK5tun4VdPMdU&Vr=Mj_TZJAxb
  http://www.flowstack.club/sm3g/?XB30drqH=TOya8+XqMrr/dEc5IrSBpoMd5guvsXovNoZt+0gn/l6nM5OPxbKOMWq3PA/vbPy6+/+QErda&Vr=Mj_TZJAxb
  http://www.chaconlogistics.com/sm3g/?XB30drqH=JVzrxIW3ckiDSi2q1J8oSITn1jLW6byRqGAtHd9Ggp5lSkrmFFLBiWdUFs3Z60Ro2617Xdai&Vr=Mj_TZJAxb
  http://www.urgcity.com/sm3g/?XB30drqH=Z2YezO1DxHoo/56kHZdDEhZxs2MHYHM/MNg2M0r+7H8boXflmqWvhjjLcH9S3AXqlSFZ2SUk&GzrLH=VBZHY8kpwnaHZF
  http://www.natural-vanilla.online/sm3g/?XB30drqH=nkKDoxbeBe4+5EBUxcODcNjTFfnDWXnZ1c2hMbfKAHkYt2/SEqIPgt75GrdueasMPUQ7LjiH&Vr=Mj_TZJAxb
  http://www.moderncommerce.global/sm3g/?XB30drqH=kipovfspjHbNxGS+fu/PftEnIl89fWnhdzX52pRg056D5gvzYk9K0yNjCIy05bJj6upGSCOh&Vr=Mj_TZJAxb
  http://www.tikibeachgraphics.com/sm3g/?XB30drqH=b9zPVotDUFRoF5q/nqONFtKuUQRlIOJbpkNVvnvhRy8HsyvlFbaY21cBHKqKOQ0r0RTuGdqT&Vr=Mj_TZJAxb
  http://www.dazzleflat.com/sm3g/?XB30drqH=+W1PDcfcs3lhvzJHui61ZwYLP64aV9jEKLRccr1LJFF58sjQUDKEEVXteccxPnghkba4/sre&Vr=Mj_TZJAxb
  http://www.beachpawsmobilegrooming.com/sm3g/?XB30drqH=xJ4ULyPH4RfWstYQD3G0/QSwiVTMY1+tgEnc4Vp21Nd6YLKj3mid+JMiPw+yrfb8C3eSO0Ef&Vr=Mj_TZJAxb
  http://www.haulseattle.com/sm3g/?XB30drqH=PzU0nCLbnMPfuy+lcW1OKdc6ISXSDiZaOxsUV+JzqRVO4yyg0hzBo1rFRFnabtWXovyG0ii2&Vr=Mj_TZJAxb
  http://www.bellospalace.com/sm3g/?XB30drqH=WegLRThYiww2Z3rQASz61ChUFyJ6YwK9A7zeKsWi+ut5rFt2L1n0sSCA0dZ0ebCxmciOc3Qu&Vr=Mj_TZJAxb
  http://www.rozhunt.com/sm3g/?XB30drqH=Zj7qaKru2TyocNTCVxrozMJCjww13SmovqrCj7GoeA8M+Hab8Am9bIQTxIjLdJAdDo5QQDcn&Vr=Mj_TZJAxb
  http://www.gordonzak.com/sm3g/?XB30drqH=IMRkBEdq0RH002unAZVesnzBSBdmHuVwUJZQkV5gI5QxqeV+/URJBVoqa7cIcsKq49PWCNlO&Vr=Mj_TZJAxb
  http://www.daringtolivebook.club/sm3g/?XB30drqH=rCbo5kqieQ3kHMtRB7h0FHWbutgCp+KjmRl2W+qkqDeHZSuFGtCdxpwirEpI++m3T9Sam5Fh&Vr=Mj_TZJAxb
  http://www.darkwadlights.com/sm3g/?XB30drqH=SME64nHAJl7B7CfcIeUISqulckVLmZdBhqAWe52dlLndD3FCSLkveYqHbRl7TwOgcgszcaur&Vr=Mj_TZJAxb
  http://www.sincerityrealestate.com/sm3g/?XB30drqH=luoIc4MWRt1N8JTNoNSsZACjIjnuf71qj8Z9JD3wOZ/Fst+lOuYuegUHBBWpLYmxgh917hvV&Vr=Mj_TZJAxb
Hosts / IPs (28):
  www.beachpawsmobilegrooming.com (34.102.136.180)
  www.natural-vanilla.online (122.201.127.161)
  www.dazzleflat.com (172.67.160.66)
  www.flowstack.club (34.102.136.180)
  www.urgcity.com (154.95.158.109)
  www.sincerityrealestate.com (34.102.136.180)
  www.daringtolivebook.club (34.102.136.180)
  www.gordonzak.com (63.250.35.117)
  www.jordysangels.com (23.227.38.74)
  www.haulseattle.com (204.188.203.155)
  www.bellospalace.com (23.227.38.74)
  www.chaconlogistics.com (34.102.136.180)
  www.ruckerlaw.net (162.241.218.13)
  www.darkwadlights.com (41.216.181.200)
  www.moderncommerce.global (185.167.177.120)
  www.tikibeachgraphics.com (34.102.136.180)
  www.rozhunt.com (104.21.58.174)
  198.251.84.92 - malicious
  122.201.127.161 - malicious
  41.216.181.200
  185.167.177.120
  34.102.136.180 - malicious
  63.250.35.117
  104.21.9.155
  154.95.158.109
  23.227.38.74 - malicious
  104.21.58.174
  162.241.218.13
Network alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 5.6 | M | 33 | Source: ZeroCERT

32936 | 2022-03-31 09:51
Sample: vbc.exe (MD5 e07b836d7100bdf914686d2a75013f5c)
Tags: Malicious Library, PE32, PE File, VirusTotal, Malware, PDB, unpack itself
URLs / hosts / network alerts: none recorded
Score: 1.6 | M | 39 | Source: ZeroCERT

32937 | 2022-03-31 09:48
Sample: crax.exe (MD5 55231926e74063b6a50f6588a46976bb)
Tags: RAT, PWS, .NET framework, Antivirus, Malicious Packer, Malicious Library, UPX, OS Processor Check, .NET EXE, PE32, PE File, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
URLs / hosts / network alerts: none recorded
Score: 2.0 | M | 51 | Source: ZeroCERT

32938 | 2022-03-31 09:48
Sample: loader4.exe (MD5 686edb2f5b2e85e6dcc315bb30ff5af2)
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, Windows utilities, AppData folder, Windows
URLs (10):
  http://www.britiseum.com/grh2/?D8k8=44er5+1hxF2SnjpivQg9nzved9j4aqUuR7/2gb/X7qNWLMNghMPJhvKUZbf4BSnIV3U51jfY&nRwxCD=dX_LHRIPH2oL8
  http://www.asiempelkamp.online/grh2/?D8k8=Qzr42EDcTypA07VZdhxmCFbydE78ME7V+iNTmZZGlbZ+WznzszkKYaosstKY8qOK0ibs9TUK&nRwxCD=dX_LHRIPH2oL8
  http://www.cavorestaurant.com/grh2/?D8k8=CfvpprHFxTbhsPd5VWF2FxLTOB6FlRP1Bwy6QrQiV+WTvEHUcfF80DcywgBayRjuPknpvfmZ&nRwxCD=dX_LHRIPH2oL8
  http://www.septembertorember.com/grh2/?D8k8=gcQinFWk2EgR+KgFXpDMPDMYBHoAvErHOb2KtAhwtdeiTbQMX//l/dzLG1eVghDAl+fS5aJ+&nRwxCD=dX_LHRIPH2oL8
  http://www.light4autism.com/grh2/?D8k8=0w8BPz5Xx3yuMDGv7v3QZ4JUpcDnbW5R4zIjO3d+cMD2Yy9eRDRvj73Tu10CmOSgWULHkL+a&nRwxCD=dX_LHRIPH2oL8
  http://www.nissimarble.com/grh2/?D8k8=DeubawTKbNvJc0ENjUpoWer8iaOAq/h5rIThaM6YEXAPzrbZ19a0KMxauNNgoqLDfD/gFBwl&nRwxCD=dX_LHRIPH2oL8
  http://www.vehicleweek.com/grh2/?D8k8=/Dy73SR27wxs6+uG2p0ehTl0AsHRQRvqURX5Blt59PUDEIPkXGIVqqvuTO3QvabZFS1vWoTf&nRwxCD=dX_LHRIPH2oL8
  http://www.ataraxxia.com/grh2/?D8k8=qFrRUH2vkMWGb+vCWJEBWYyoVUSRGUDyX6fRmno1rCYswa6lvN4BMjHZxwj3sCtd9diGTduz&nRwxCD=dX_LHRIPH2oL8
  http://www.jfyxwz.com/grh2/?D8k8=e4ziR2QteNiKLWV8MQ0HgCG5ptbsenUakWipX4tbPNSgm+DsErCZHFPsBb56P2moerTMLeaT&nRwxCD=dX_LHRIPH2oL8
  http://www.yandyh.com/grh2/?D8k8=iFU4BsCfY1qsss4Jls/Kdqj6kVcPlSXOTQFRs8l8lOS33nww1Q7O/xp2SzPvAG+sHKj33dwZ&nRwxCD=dX_LHRIPH2oL8
Hosts / IPs (24):
  www.cibk-fm.com (unresolved)
  www.cavorestaurant.com (92.205.13.231)
  www.jfyxwz.com (208.81.166.166)
  www.vehicleweek.com (34.102.136.180)
  www.felfundader.online (unresolved)
  www.vtscons.com (unresolved)
  www.kazinonadengi.com (unresolved)
  www.nissimarble.com (35.209.10.220)
  www.light4autism.com (104.21.32.46)
  www.asiapharmaglobal.com (unresolved)
  www.yandyh.com (103.224.182.241)
  www.asiempelkamp.online (209.17.116.163)
  www.septembertorember.com (162.0.217.47)
  www.ataraxxia.com (34.102.136.180)
  www.britiseum.com (3.131.61.99)
  209.17.116.163 - malicious
  92.205.13.231
  34.102.136.180 - malicious
  172.67.183.21
  162.0.217.47
  103.224.182.241 - malicious
  3.16.16.105 - malicious
  35.209.10.220
  208.81.166.166
Network alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.0 | M | 41 | Source: ZeroCERT

32939 | 2022-03-31 09:47
Sample: HLDoANj (MD5 2dfac1fecaf2e2f74aa1b195d50ea1e3)
Tags: Malicious Library, UPX, OS Processor Check, DLL, PE32, PE File, Dridex, TrickBot, Malware Report, Checks debugger, ICMP traffic, RWX flags setting, unpack itself, sandbox evasion, Kovter, ComputerName, RCE, DNS
Hosts / IPs (21):
  1.234.2.232 - malicious
  72.15.201.15 - malicious
  134.122.66.193 - malicious
  160.16.142.56 - malicious
  164.68.99.3 - malicious
  107.182.225.142 - malicious
  159.65.88.10 - malicious
  45.118.115.99 - malicious
  209.250.246.206
  5.9.116.246 - malicious
  138.197.109.175 - malicious
  206.189.28.199 - malicious
  103.43.46.182 - malicious
  183.111.227.137 - malicious
  104.131.11.205 - malicious
  189.232.46.161 - malicious
  79.143.187.147 - malicious
  187.84.80.182 - malicious
  51.91.76.89 - malware
  209.126.98.206 - malicious
  45.176.232.124 - malicious
Network alerts (5):
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 5
  ET CNC Feodo Tracker Reported CnC Server group 14
  ET CNC Feodo Tracker Reported CnC Server group 19
Score: 5.8 | - | - | Source: ZeroCERT

32940 | 2022-03-31 09:45
Sample: vbc.exe (MD5 e55fd41ca43acc27eb8ad30de08b1e7e)
Tags: PWS[m], RAT, UPX, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
Hosts / IPs (2):
  mail.universaleagles-ye.com (162.241.252.77)
  162.241.252.77 - malicious
Network alerts (3):
  SURICATA Applayer Detect protocol only one direction
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 13.4 | M | 44 | Source: ZeroCERT