41341 | 2021-09-20 21:02
0bd168703d2bb6a6d5fffe115c4834... 3eb2ea9527590196759a92fdd24eaf8b
Gen2 Emotet Gen1 Generic Malware Malicious Packer Malicious Library MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Tofsee ComputerName DNS DDNS
Hosts (3): bit.ly(67.199.248.10) - mailcious; lubagalord.duckdns.org() - malware; 67.199.248.10 - phishing
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2.8 | - | 18 | guest

41342 | 2021-09-20 20:36
1ade2bf9e1a716a8135883046afa00... 1734f4013eebe0f6390d89a202af8942
Gen2 MSOffice File VirusTotal Malware
0.8 | - | 24 | guest

41343 | 2021-09-20 10:19
VideoRecoderDriveMaster.exe 89059c81d1e7400ddfb518e9c7fa026b
Themida Packer Malicious Packer PE64 PE File VirusTotal Malware Windows crashed
2.2 | - | 28 | ZeroCERT

41344 | 2021-09-20 10:16
40.exe 904b66229f5d7a3f7e55099b973416b6
Malicious Library UPX Admin Tool (Sysinternals etc ...) DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM PE File VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger WMI unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS
Hosts (1)
7.0 | - | 27 | ZeroCERT

41345 | 2021-09-20 10:16
PhoenixMiner.exe 33b49643272dc9044096dc01c71213b6
Generic Malware Malicious Packer UPX Malicious Library PE64 PE File OS Processor Check MSOffice File VirusTotal Malware
1.6 | - | 35 | ZeroCERT

41346 | 2021-09-20 10:10
Stub1.exe 81b5f1e1a01a892296aab30a2e83cf2f
RAT PWS .NET framework Gen2 Generic Malware Anti_VM Malicious Packer Malicious Library PE64 PE File OS Processor Check .NET EXE DLL VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS
URLs (4): http://sherence.ru/323.exe - rule_id: 5192; https://sh1729062.b.had.su//loader.txt - rule_id: 4573; https://sh1729062.b.had.su//cisCheckerstroke.php - rule_id: 4574; https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av= - rule_id: 4575
Hosts (4): sherence.ru(172.67.176.114) - malware; sh1729062.b.had.su(92.119.113.140) - mailcious; 104.21.48.37 - malware; 92.119.113.140 - malware
IDS alerts (2): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URL patterns (4): http://sherence.ru/323.exe; https://sh1729062.b.had.su//loader.txt; https://sh1729062.b.had.su//cisCheckerstroke.php; https://sh1729062.b.had.su//gate.php
8.2 | M | 22 | ZeroCERT

41347 | 2021-09-20 09:58
njbypass.txt.ps1 719f2de7ca5a43ef68f0edbbd432aa51
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
1.4 | M | 5 | ZeroCERT

41348 | 2021-09-20 09:58
bypass.txt.ps1 beb711d4f12cbe69eab1fdf6757374a0
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
1.6 | - | 13 | ZeroCERT

41349 | 2021-09-20 09:53
askinstall5.exe 61e0ed3cd468c91cd0641939a519c720
Gen2 Trojan_PWS_Stealer Emotet RAT NPKI Credential User Data Generic Malware Malicious Packer Malicious Library SQLite Cookie Admin Tool (Sysinternals etc ...) Anti_VM ASPack UPX Antivirus PE File OS Processor Check PE32 ELF PNG Format PE64 DLL MSOffice Browser Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files ICMP traffic exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName RCE crashed
URLs (4): http://www.iyiqian.com/ - rule_id: 2326; http://www.khcyysy.com/Home/Index/lkdinl; https://iplogger.org/1XJq97; https://www.listincode.com/ - rule_id: 2327
Hosts (8): www.listincode.com(144.202.76.47) - mailcious; www.khcyysy.com(188.225.87.175); www.iyiqian.com(103.155.92.58) - mailcious; iplogger.org(88.99.66.31) - mailcious; 103.155.92.58 - mailcious; 88.99.66.31 - mailcious; 144.202.76.47 - mailcious; 188.225.87.175 - mailcious
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URL patterns (2): http://www.iyiqian.com/; https://www.listincode.com/
10.6 | M | - | ZeroCERT

41350 | 2021-09-20 09:50
14.exe 25b544886f92efc35d16afae0ccbe885
Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.4 | M | 37 | ZeroCERT

41351 | 2021-09-20 09:47
Updbdate.exe 7adeb7b9a3dbc0de7fdb92c72bdb0745
Malicious Library PE File PE32 PDB unpack itself
1.0 | M | - | ZeroCERT

41352 | 2021-09-20 09:45
76.exe cbf7ac18207051de82560b4621f7905f
Emotet RAT Gen1 UPX Malicious Library PE File PE32 PE64 DLL OS Processor Check Malware download VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder crashed
URLs (1): http://fareits.com/76.exe
Hosts (2): fareits.com(172.67.169.14); 172.67.169.14
IDS alerts (1): ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
3.8 | M | 5 | ZeroCERT

41353 | 2021-09-20 09:45
Mortician.exe 2744d06ccec54b48efc46c31a4260dbe
RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
Hosts (1)
9.2 | M | 45 | ZeroCERT

41354 | 2021-09-20 09:44
Stubchik.exe d5d4f07e59ffad621f322b68c12e411e
RAT Generic Malware Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 PE64 OS Processor Check VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows ComputerName DNS crashed
Hosts (5): ipinfo.io(34.117.59.81); ip-api.com(208.95.112.1); 34.117.59.81; 62.109.1.30 - mailcious; 208.95.112.1
IDS alerts (4): ET POLICY External IP Lookup ip-api.com; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
URL patterns (2): http://62.109.1.30/triggers/vm_.php; http://62.109.1.30/triggers/vm_.php
12.6 | M | 29 | ZeroCERT

41355 | 2021-09-20 09:43
customer2.exe dc70792e3bec9dbfd00abcceee8d849e
ASPack Malicious Library PE64 PE File OS Processor Check Browser Info Stealer Malware PDB Malicious Traffic Check memory Check virtual network interfaces IP Check Browser RCE
URLs (3): http://staticimg.youtuuee.com/api/?sid=127597&key=aaaa13abc220dc22f7525c6e9fab78c8 - rule_id: 5258; http://staticimg.youtuuee.com/api/fbtime - rule_id: 5258; http://ip-api.com/json/
Hosts (4): staticimg.youtuuee.com(45.136.151.102) - mailcious; ip-api.com(208.95.112.1); 45.136.151.102 - mailcious; 208.95.112.1
IDS alerts (1): ET POLICY External IP Lookup ip-api.com
URL patterns (2): http://staticimg.youtuuee.com/api/; http://staticimg.youtuuee.com/api/
3.2 | M | - | ZeroCERT