| 4141 |
2020-12-31 16:43
|
TX2UBEUC.doc 2154178028c6e1626fc45b2c83962491
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://75.188.107.174/leec23t/tkqbcei/zli06nbp52/pm4lus2k2vtow0j/vfyp74/nimbm9hwewjms53/ - rule_id: 205
|
3
mediatorstewart.com(192.169.217.36) - malware
75.188.107.174 - mailcious
192.169.217.36 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
1
|
5.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4142 |
2020-12-31 16:45
|
ZY8GA4.doc 2154178028c6e1626fc45b2c83962491
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://75.188.107.174/9ivdyj6k8wrm/ddkq4l5w5ymvfnjm/dbpmmoid33w6lf8x/ocob9bqonh/ok0dwqy5ammxv7l/ - rule_id: 205
|
3
mediatorstewart.com(192.169.217.36) - malware
75.188.107.174 - mailcious
192.169.217.36 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
1
|
5.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4143 |
2021-01-03 14:08
|
102w.png.exe 331d3b10b6a34a95ec04b847b948d5b7
VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key |
2
http://paste.ee/r/75Qgb
https://paste.ee/r/75Qgb
|
2
paste.ee(172.67.219.133) - mailcious
172.67.219.133 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4144 |
2021-01-03 14:08
|
55555555555.jpg.exe 2841c67f91561d42cdd8aca3b1150731
DNS |
|
|
|
|
1.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4145 |
2021-01-03 14:16
|
cred.dll 526e74e4e696af9cfd742bbd8d05889e
FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software |
|
4
foflikenoiujiiik.cn()
joikilloiujjtyaaa.xyz()
172.67.219.133 - mailcious
157.90.24.103 - malware
|
|
|
6.2 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4146 |
2021-01-03 14:16
|
A2POF9K.doc 822dec5f5d51a065b4ff2a0b46eaecf0
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://cahyaproperty.bbtbatam.com/mhD/
http://cahyaproperty.bbtbatam.com/cgi-sys/suspendedpage.cgi
|
14
coshou.com(207.148.24.55)
techworldo.com(103.117.212.212)
familylifetruth.com(162.254.150.6) - malware
dieuhoaxanh.vn(112.213.89.42) - malware
www.todoensaludips.com(142.44.230.78) - malware
depannage-vehicule-maroc.com(81.169.145.152) - malware
cahyaproperty.bbtbatam.com(101.50.1.27)
142.44.230.78 - mailcious
207.148.24.55
81.169.145.152 - malware
101.50.1.27 - mailcious
112.213.89.42 - malware
103.117.212.212 - mailcious
162.254.150.6 - malware
|
3
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4147 |
2021-01-03 14:29
|
uglNVuKJ8fDyYcpC8TZSUi.dll edcd762c12b22607a61e4c97e686f2d0
VirusTotal Malware PDB Malicious Traffic Checks debugger ICMP traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
|
3
138.197.99.250 - mailcious
152.170.79.100 - mailcious
190.247.139.101
|
|
|
9.2 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4148 |
2021-01-03 14:30
|
TC1WI34YWX4.doc 40f79fcaa6e497435e1ac54f87fe90ab
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
|
4
mediatorstewart.com(192.169.217.36) - malware
75.188.107.174 - mailcious
192.169.217.36 - malware
75.109.111.18 - mailcious
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4149 |
2021-01-03 14:38
|
ZG8Y0NI8.doc a92e2090f008413439f1936f59b92b6b
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
|
4
insvat.com(185.42.104.77) - malware
75.188.107.174 - mailcious
185.42.104.77 - malware
75.109.111.18 - mailcious
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4150 |
2021-01-03 14:40
|
aghkdfgh.exe 170faeb45ecbd3499349403e53573a5f
Browser Info Stealer Emotet Malware download FTP Client Info Stealer Vidar Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Interception Zeus OskiStealer Stealer Windows Browser Email ComputerName Cryptographic key Software crashed Downloader |
11
http://malscxa.ac.ug/nss3.dll
http://malscxa.ac.ug/msvcp140.dll
http://rebelfgighter.ac.ug/index.php
http://malscxa.ac.ug/softokn3.dll
http://malscxa.ac.ug/vcruntime140.dll
http://malscxa.ac.ug/main.php
http://malscxa.ac.ug/
http://malscxa.ac.ug/freebl3.dll
http://malscxa.ac.ug/sqlite3.dll
http://malscxa.ac.ug/mozglue.dll
https://cdn.discordapp.com/attachments/752128569169281083/794719134130110464/Wypr123
|
10
rebelfgighter.ac.ug(194.61.53.10) - malware
agentpapple.ac.ug() - mailcious
cdn.discordapp.com(162.159.135.233) - malware
discord.com(162.159.137.232)
malscxa.ac.ug(194.61.53.10)
taenaia.ac.ug(185.140.53.149) - mailcious
194.61.53.10 - malware
162.159.136.232
162.159.129.233 - malware
185.140.53.149 - mailcious
|
10
ET MALWARE AZORult v3.3 Server Response M3
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET INFO Executable Download from dotted-quad Host
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
28.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4151 |
2021-01-04 15:50
|
130322_FS_Setup.exe 0127495b7b6ec2eeb59684745fbcdf16
VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
2.0 |
|
11 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4152 |
2021-01-04 19:15
|
BXC6N26G9.doc 40f79fcaa6e497435e1ac54f87fe90ab
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
|
4
mediatorstewart.com(192.169.217.36) - malware
75.188.107.174 - mailcious
75.109.111.18 - mailcious
192.169.217.36 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4153 |
2021-01-04 19:15
|
angelx.scr 980bd29a88ceb4a3e0f07d789768bcbf
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
|
|
|
13.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4154 |
2021-01-04 19:25
|
angelx.scr 980bd29a88ceb4a3e0f07d789768bcbf
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
12.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4155 |
2021-01-04 19:26
|
client_connector.exe 5d1df2995bd1b54b98368d2287d34713
VirusTotal Malware AutoRuns PDB Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces suspicious process AppData folder malicious URLs IP Check Tofsee Windows DNS |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
5
api.ipify.org(23.21.42.25)
crt.comodoca.com(91.199.212.52)
org-2fa.link() - malware
91.199.212.52
23.21.252.4
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|