4141 | 2020-12-31 16:43 | TX2UBEUC.doc | 2154178028c6e1626fc45b2c83962491
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1): http://75.188.107.174/leec23t/tkqbcei/zli06nbp52/pm4lus2k2vtow0j/vfyp74/nimbm9hwewjms53/ - rule_id: 205
Hosts (3): mediatorstewart.com(192.169.217.36) - malware; 75.188.107.174 - mailcious; 192.169.217.36 - malware
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
1 | 5.4 | M | 31 | ZeroCERT

4142 | 2020-12-31 16:45 | ZY8GA4.doc | 2154178028c6e1626fc45b2c83962491
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1): http://75.188.107.174/9ivdyj6k8wrm/ddkq4l5w5ymvfnjm/dbpmmoid33w6lf8x/ocob9bqonh/ok0dwqy5ammxv7l/ - rule_id: 205
Hosts (3): mediatorstewart.com(192.169.217.36) - malware; 75.188.107.174 - mailcious; 192.169.217.36 - malware
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
1 | 5.4 | M | 31 | ZeroCERT

4143 | 2021-01-03 14:08 | 102w.png.exe | 331d3b10b6a34a95ec04b847b948d5b7
Tags: VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key
URLs (2): http://paste.ee/r/75Qgb; https://paste.ee/r/75Qgb
Hosts (2): paste.ee(172.67.219.133) - mailcious; 172.67.219.133 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 3.6 | M | 45 | ZeroCERT

4144 | 2021-01-03 14:08 | 55555555555.jpg.exe | 2841c67f91561d42cdd8aca3b1150731
Tags: DNS
- | 1.2 | - | - | ZeroCERT

4145 | 2021-01-03 14:16 | cred.dll | 526e74e4e696af9cfd742bbd8d05889e
Tags: FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software
Hosts (4): foflikenoiujiiik.cn(); joikilloiujjtyaaa.xyz(); 172.67.219.133 - mailcious; 157.90.24.103 - malware
- | 6.2 | M | 53 | ZeroCERT

4146 | 2021-01-03 14:16 | A2POF9K.doc | 822dec5f5d51a065b4ff2a0b46eaecf0
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2): http://cahyaproperty.bbtbatam.com/mhD/; http://cahyaproperty.bbtbatam.com/cgi-sys/suspendedpage.cgi
Hosts (14): coshou.com(207.148.24.55); techworldo.com(103.117.212.212); familylifetruth.com(162.254.150.6) - malware; dieuhoaxanh.vn(112.213.89.42) - malware; www.todoensaludips.com(142.44.230.78) - malware; depannage-vehicule-maroc.com(81.169.145.152) - malware; cahyaproperty.bbtbatam.com(101.50.1.27); 142.44.230.78 - mailcious; 207.148.24.55; 81.169.145.152 - malware; 101.50.1.27 - mailcious; 112.213.89.42 - malware; 103.117.212.212 - mailcious; 162.254.150.6 - malware
Alerts (3): SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 6.2 | M | 41 | ZeroCERT

4147 | 2021-01-03 14:29 | uglNVuKJ8fDyYcpC8TZSUi.dll | edcd762c12b22607a61e4c97e686f2d0
Tags: VirusTotal Malware PDB Malicious Traffic Checks debugger ICMP traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
Hosts (3): 138.197.99.250 - mailcious; 152.170.79.100 - mailcious; 190.247.139.101
- | 9.2 | M | 44 | ZeroCERT

4148 | 2021-01-03 14:30 | TC1WI34YWX4.doc | 40f79fcaa6e497435e1ac54f87fe90ab
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
Hosts (4): mediatorstewart.com(192.169.217.36) - malware; 75.188.107.174 - mailcious; 192.169.217.36 - malware; 75.109.111.18 - mailcious
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
- | 6.4 | M | 39 | ZeroCERT

4149 | 2021-01-03 14:38 | ZG8Y0NI8.doc | a92e2090f008413439f1936f59b92b6b
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
Hosts (4): insvat.com(185.42.104.77) - malware; 75.188.107.174 - mailcious; 185.42.104.77 - malware; 75.109.111.18 - mailcious
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
- | 6.4 | M | 32 | ZeroCERT

4150 | 2021-01-03 14:40 | aghkdfgh.exe | 170faeb45ecbd3499349403e53573a5f
Tags: Browser Info Stealer Emotet Malware download FTP Client Info Stealer Vidar Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Interception Zeus OskiStealer Stealer Windows Browser Email ComputerName Cryptographic key Software crashed Downloader
URLs (11): http://malscxa.ac.ug/nss3.dll; http://malscxa.ac.ug/msvcp140.dll; http://rebelfgighter.ac.ug/index.php; http://malscxa.ac.ug/softokn3.dll; http://malscxa.ac.ug/vcruntime140.dll; http://malscxa.ac.ug/main.php; http://malscxa.ac.ug/; http://malscxa.ac.ug/freebl3.dll; http://malscxa.ac.ug/sqlite3.dll; http://malscxa.ac.ug/mozglue.dll; https://cdn.discordapp.com/attachments/752128569169281083/794719134130110464/Wypr123
Hosts (10): rebelfgighter.ac.ug(194.61.53.10) - malware; agentpapple.ac.ug() - mailcious; cdn.discordapp.com(162.159.135.233) - malware; discord.com(162.159.137.232); malscxa.ac.ug(194.61.53.10); taenaia.ac.ug(185.140.53.149) - mailcious; 194.61.53.10 - malware; 162.159.136.232; 162.159.129.233 - malware; 185.140.53.149 - mailcious
Alerts (10): ET MALWARE AZORult v3.3 Server Response M3; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative); ET INFO Executable Download from dotted-quad Host; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 28.4 | M | 21 | ZeroCERT

4151 | 2021-01-04 15:50 | 130322_FS_Setup.exe | 0127495b7b6ec2eeb59684745fbcdf16
Tags: VirusTotal Malware Check memory unpack itself crashed
- | 2.0 | - | 11 | r0d

4152 | 2021-01-04 19:15 | BXC6N26G9.doc | 40f79fcaa6e497435e1ac54f87fe90ab
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
Hosts (4): mediatorstewart.com(192.169.217.36) - malware; 75.188.107.174 - mailcious; 75.109.111.18 - mailcious; 192.169.217.36 - malware
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
- | 6.6 | M | 41 | ZeroCERT

4153 | 2021-01-04 19:15 | angelx.scr | 980bd29a88ceb4a3e0f07d789768bcbf
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger
- | 13.8 | M | 48 | ZeroCERT

4154 | 2021-01-04 19:25 | angelx.scr | 980bd29a88ceb4a3e0f07d789768bcbf
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
- | 12.0 | M | 48 | ZeroCERT

4155 | 2021-01-04 19:26 | client_connector.exe | 5d1df2995bd1b54b98368d2287d34713
Tags: VirusTotal Malware AutoRuns PDB Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces suspicious process AppData folder malicious URLs IP Check Tofsee Windows DNS
URLs (2): http://crt.comodoca.com/COMODORSAAddTrustCA.crt; https://api.ipify.org/
Hosts (5): api.ipify.org(23.21.42.25); crt.comodoca.com(91.199.212.52); org-2fa.link() - malware; 91.199.212.52; 23.21.252.4
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 7.6 | M | 24 | ZeroCERT