| 3631 |
2020-12-08 21:36
|
pg.exe 3f0522e4c0cff4215079b36695cdd78f
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Ransomware Windows Tor ComputerName Cryptographic key crashed |
|
|
|
|
13.4 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3632 |
2020-12-08 21:37
|
regasm.exe e55da166e7ba466275234e9ee6b2a568
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software |
|
1
qqmailappupdate.ga() - mailcious
|
1
ET INFO DNS Query for Suspicious .ga Domain
|
|
13.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3633 |
2020-12-08 21:39
|
pg.exe 3f0522e4c0cff4215079b36695cdd78f
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
12.2 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3634 |
2020-12-08 21:40
|
regasm.exe e55da166e7ba466275234e9ee6b2a568
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software |
|
1
qqmailappupdate.ga() - mailcious
|
1
ET INFO DNS Query for Suspicious .ga Domain
|
|
13.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3635 |
2020-12-09 00:22
|
run.exe 39c2a273de3f1eee2dd6e567a00f1137
VirusTotal Malware Checks debugger RWX flags setting unpack itself malicious URLs Tofsee ComputerName DNS |
7
https://NuQuiedi8ezai5aHucei.cantusethis.fun/image/7YrVVqlz3Wa4Brxs2lL6km9I9X4h0sZZXa1ybb8dWIe_5MJE_Mx11PQDWmwylKv2x-6bDKVbGLkpGZdqRzfJv_XoId98rDl6lHBD_3Bkk-lwffTUIHJ1AKDaazJ7-Xi6slK-Fue_L9KFECsgPQ1VzvYpbgPzGP8hDyk3-JoS6RcVzLzZ/kitten.gif
https://ibee3sahkei7Ohcu9uGi.cantusethis.online/image/2I98TZx2dH2NAxV371dTiVpNXGUU129CaKjbdooY8ZyK4Wtfycncz8EG83cHkQLt8usyF5BesaIcHD5xcjJgpMDtiMRJqZBhoXXq5EVhOvJFeF3PFXfcG5XfwilO_NGhh1cXDdK6hsmwFYI7CAj81cMsxxjGHVY6Oiye468XQAwgyRXC/kitten.gif
https://NuQuiedi8ezai5aHucei.cantusethis.fun/image/nr94L9pGcB_LMxEVqWdX6xx9WAdS52sgLpjfFMwo9f7M0W89j_nYrYc29xVBoQaPtNs2ddZutcBaLDoTNAJkxobdjKYPmZQD50XuhgNRPpADSFmtU0fYedPvxksIzNXDwWcTb5SKgqv2JYZZTjj4t4Ucw3qALVJYfByageknRG5m-RGg/kitten.gif
https://ibee3sahkei7Ohcu9uGi.cantusethis.online/image/mLEW5dxIHtXNPX_fr2k5IRpzNs1U6QXqKJax3sommzTK3wH3ife2Z4E4md9Hr2hFstVYv9Bg2wpcIlTZMgwKDIDT4mwJl_rJ4UuATAVfUFoFRjdnVUm2s9XhqIEOwrsJx2l9pZKE7GHwK-iTSDaWfYMSrbCGIzySehL0S-8pKqRg939q/kitten.gif
https://Jae3Faita9jeiMeiVeiv.cantusethis.site/gifs/CR1IYk3kQFJckSFYPsVnpovfaErFRVttuTrvWVuKxbNbc19wGFvo4BCUx1jWAzbCI3kGOEHMhY3Njgpeo6BUixF_vOuYO6ROcOfey5TzDt2U6mngxOXoNERN9gafbuWOVsUjIgMosuZhh7YU2ZrI-hK-8zcXj2IV676qzH6FdCPxWyHt/kitten.gif
https://NuQuiedi8ezai5aHucei.cantusethis.fun/image/nJHftdho14XJHbaPq0nwcR5T_51Qycy6LLZ4js4GUmTO_8injdd_N4UYUI9Dj6EVtvWR79RAElpYAp2JNizDXITzKzwNtzOZ5WtJHAF_mQoBZv43UWl_49HBYdEK4nJZw0m09ZakJTH0CyHDTBZfLYcyZOCCA_XCfjI9G-sJ4_Rk17Y6/kitten.gif
https://Jae3Faita9jeiMeiVeiv.cantusethis.site/gifs/sIMSw_R6GvPlD3v5h1s9BzJBMut82wHMAKS1-OIUnxLi7QXRocWyQakKnflvnWxjmudcmfhS3yx0EFD_Gj4OKqjh5kohpf7vyXmEai1tVHwtdDNBfXuylf3TrKcm8L8v71t5g7q26EfYGey1YASSW6sgqZauETi0UiDwbccbLoJIxXtM/kitten.gif
|
6
ibee3sahkei7ohcu9ugi.cantusethis.online(104.24.100.216)
jae3faita9jeimeiveiv.cantusethis.site(104.31.80.164)
nuquiedi8ezai5ahucei.cantusethis.fun(104.24.112.9)
104.24.112.9 - mailcious
172.67.168.199
172.67.184.62
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3636 |
2020-12-09 00:22
|
remeus.exe 9bf1c67dbbc2b863c6254ef7415bb434
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
4
http://173.234.155.143:35253/IRemotePanel
http://checkip.amazonaws.com/
http://185.212.130.98/helper2.exe
https://api.ip.sb/geoip
|
10
WHOIS.APNIC.NET(172.104.79.63)
checkip.amazonaws.com(107.21.162.206)
whois.iana.org(192.0.32.59)
api.ip.sb(104.26.12.31)
172.67.75.172
192.0.32.59
172.104.79.63
185.212.130.98
173.234.155.143
34.200.69.241
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
|
|
18.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3637 |
2020-12-09 07:56
|
http://107.155.162.25/win/dati... ded38d3faf45c6798e0a430d060cd68c
Dridex VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://107.155.162.25/win/datidens.exe
|
1
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
6.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3638 |
2020-12-09 11:41
|
remeus.exe 9bf1c67dbbc2b863c6254ef7415bb434
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs IP Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://173.234.155.143:35253/IRemotePanel
http://checkip.amazonaws.com/
https://api.ip.sb/geoip
|
9
WHOIS.APNIC.NET(172.104.79.63)
checkip.amazonaws.com(107.21.162.206)
whois.iana.org(192.0.32.59)
api.ip.sb(104.26.12.31)
172.67.75.172
192.0.32.59
52.20.197.7
172.104.79.63
173.234.155.143
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
17.2 |
|
42 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3639 |
2020-12-09 13:30
|
scriptxls_799079b3-8d0f-45bc-9... 85070f4325ad66976ac4a728fb393783
powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
cutt.ly(172.67.8.238) - mailcious
104.22.1.232 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3640 |
2020-12-09 13:31
|
vbc.exe 3b0789ad71be68843bf97f5885b03326
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
10.8 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3641 |
2020-12-09 15:54
|
온라인+학술대회+한시적+지원+관련+Q&A.hwp... 257a81471a001af1fa0d82069c92993c
VirusTotal Malware Checks debugger Creates shortcut Creates executable files unpack itself malicious URLs |
|
|
|
|
3.0 |
M |
28 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3642 |
2020-12-09 18:04
|
warEXT.gif.exe 3e86685246c1fdcc9eef8b95986ba4e4
VirusTotal Malware Code Injection buffers extracted unpack itself crashed |
|
|
|
|
6.6 |
M |
66 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3643 |
2020-12-09 18:05
|
warCS.gif.exe e5b54ad94c5af53fe63de33113e8ebc3
Emotet VirusTotal Malware Buffer PE Code Injection buffers extracted unpack itself malicious URLs crashed |
|
|
|
|
8.8 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3644 |
2020-12-09 18:06
|
온라인+학술대회+한시적+지원+관련+Q&A.hwp... 257a81471a001af1fa0d82069c92993c
VirusTotal Malware Checks debugger Creates shortcut Creates executable files unpack itself malicious URLs DNS |
|
|
|
|
3.6 |
M |
28 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3645 |
2020-12-09 18:09
|
warEXT.gif.exe 3e86685246c1fdcc9eef8b95986ba4e4
VirusTotal Malware Code Injection buffers extracted unpack itself crashed |
|
|
|
|
6.6 |
M |
66 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|