42136 | 2021-08-27 15:49
Sensys_DSign_FY_2021_2022Setup... b919eae6a85535797d58048b45c8df00 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB Check memory RWX flags setting unpack itself RCE
2.2 | M | 13 | ZeroCERT

42137 | 2021-08-27 15:48
Sonytec.exe 9f131b2c9238dec27437d330d4b2b872 RAT Generic Malware Antivirus KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Check virtual network interfaces suspicious process AppData folder sandbox evasion VMware anti-virtualization IP Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
5
http://ip-api.com/line/?fields=hosting http://ifconfig.me/ip https://whatsmyipaddress.biz/?address=6dd8da1fb15460cf6fd20f30217fcc4d9b15c671&format=92&type=235dOXMm&sb=1 https://whatsmyipaddress.biz/?address=6dd8da1fb15460cf6fd20f30217fcc4d9b15c671&format=92&type=235dOXMm&sd=1 https://whatsmyipaddress.biz/?address=6dd8da1fb15460cf6fd20f30217fcc4d9b15c671&format=92&type=235dOXMm
8
ifconfig.me(34.117.59.81) ip-api.com(208.95.112.1) whatsmyipaddress.biz(111.90.156.84) ftp.pfsbankgroup.com(185.239.243.112) 111.90.156.84 185.239.243.112 - malware 208.95.112.1 34.117.59.81
5
ET POLICY External IP Lookup ip-api.com ET INFO Observed DNS Query to .biz TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction ET POLICY External IP Lookup Domain (ifconfig .me)
25.8 | M | 11 | ZeroCERT

42138 | 2021-08-27 15:47
vbc.exe 97c2aecf2380200fc50b84d72af34480 Generic Malware UPX PE File PE32 VirusTotal Malware Check memory Checks debugger buffers extracted ICMP traffic unpack itself Tofsee DNS
1
https://a.tmp.ninja/aWRwMVU
6
a.tmp.ninja(198.251.89.86) 46.99.175.149 - mailcious 179.189.229.254 - mailcious 198.251.89.86 221.147.172.5 - mailcious 172.67.188.154
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | 14 | ZeroCERT

42139 | 2021-08-27 15:46
resizebar.png b4e0bc4b97c1ff7dc3964293fd10fa5a Emotet Malicious Library AntiDebug AntiVM PE File PE32 Dridex TrickBot Malware suspicious privilege Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
11
http://ipinfo.io/ip https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/ https://105.27.205.34/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/pwgrabb64/ https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Cresizebar.png/0/ https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/ https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/ https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/z1RfvZD1vvtrtJVrhxtnnRnLXLxp397/ https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/ https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/10/62/UPAVJRPOIHULLMOEWW/7/ https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/nV95LdBjzHxVvvN9bbjL1B91hj9f3TTl/ https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/AHvzHrFQV1MQSv8aoTWrUcl1PKGXJRyJ/
9
ipinfo.io(34.117.59.81) 105.27.205.34 - mailcious 46.99.175.149 - mailcious 216.166.148.187 - mailcious 46.99.188.223 - mailcious 221.147.172.5 - mailcious 179.189.229.254 - mailcious 65.152.201.203 - mailcious 34.117.59.81
4
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET POLICY curl User-Agent Outbound ET POLICY Possible External IP Lookup ipinfo.io
10.2 |  |  | ZeroCERT

42140 | 2021-08-27 15:45
Adobe-GenP-2.7.exe 6467e9dd5d86c741aed49060e6d3fcd2 Malicious Library PE File PE64 OS Processor Check VirusTotal Malware Report Check memory Checks debugger unpack itself sandbox evasion human activity check DNS
3
179.189.229.254 - mailcious 5.152.175.57 - mailcious 97.83.40.67 - mailcious
1
ET CNC Feodo Tracker Reported CnC Server group 25
3.0 |  | 1 | ZeroCERT

42141 | 2021-08-27 15:44
tooltipred.png 4f907ddbf3e599e3d4f6687dcf69e747 Emotet Malicious Library AntiDebug AntiVM PE File PE32 Dridex TrickBot Malware Report suspicious privilege Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
12
http://icanhazip.com/ https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/b5Jb57X3TvfZJdxFT53d/ https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabb64/ https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/8uMoLXFfUKElAG6M7lPr/ https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabc64/ https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/10/62/CETDHVSBTPT/7/ https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/file/ https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/NAT%20status/client%20is%20behind%20NAT/0/ https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/ https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Ctooltipred.png/0/ https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/user/test22/0/ https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/W86mMKPIM801nj2bSV6zifCFnf/
8
icanhazip.com(104.18.6.156) 104.18.6.156 179.189.229.254 - mailcious 194.146.249.137 - mailcious 5.152.175.57 - mailcious 97.83.40.67 - mailcious 62.99.79.77 104.21.19.200
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 25 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET POLICY curl User-Agent Outbound ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
10.2 |  |  | ZeroCERT

42142 | 2021-08-27 15:42
build_2021-08-25_11-30.exe b27c38cb9a8a55bf5f24051bf8c39e91 UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS
1
2.4 | M | 24 | ZeroCERT

42143 | 2021-08-27 15:42
bigshoezx.exe 61e17d354f8529a203207e491cab779e RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library SSL DNS Socket SMTP Escalate priviledges KeyLogger Internet API ScreenShot Dynamic Dns persistence AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs IP Check Tofsee Windows Browser Advertising Google Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
7
http://xred.site50.net/syn/SSLLibrary.dll http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://www.dropbox.com/s/dl/fzj752whr3ontsm/SSLLibrary.dll https://www.000webhost.com/migrate?static=true https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
18
mail.nclanka.lk(162.214.77.81) www.000webhost.com(104.19.185.120) checkip.dyndns.org(132.226.247.73) freedns.afraid.org(69.42.215.252) freegeoip.app(104.21.19.200) xred.site50.net(153.92.0.100) docs.google.com(172.217.26.46) - mailcious xred.mooo.com() www.dropbox.com(162.125.84.18) - mailcious 95.181.157.213 162.214.77.81 153.92.0.100 - mailcious 172.217.26.46 - mailcious 104.19.185.120 69.42.215.252 172.67.188.154 158.101.44.242 162.125.84.18
8
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com SURICATA SMTP invalid reply ET POLICY Dropbox.com Offsite File Backup in Use ET HUNTING Suspicious User-Agent Containing .exe
21.6 | M | 31 | ZeroCERT

42144 | 2021-08-27 15:40
file9.exe 397081993526f201da9b0045b6cb6736 Generic Malware Themida Packer PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed
1
3
api.ip.sb(104.26.12.31) 104.26.12.31 135.181.134.27 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 23 | ZeroCERT

42145 | 2021-08-27 15:38
shef1.exe 842124b4ed12ad2f1bddb4360d69fdbb Lazarus Family Generic Malware Themida Packer Anti_VM Malicious Library PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows ComputerName Firmware DNS Cryptographic key crashed
1
3
api.ip.sb(104.26.12.31) 172.67.75.172 - mailcious 95.181.157.213
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.8 | M | 40 | ZeroCERT

42146 | 2021-08-27 15:38
playstore.apk f85f6697dbc42c8cb034716dccfe1371 VirusTotal Malware
0.6 | M | 19 | ZeroCERT

42147 | 2021-08-27 15:36
petrols.exe 95a5feae6a76ea65d0c9fe06053788b5 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(132.226.247.73) 216.146.43.70 - suspicious 104.21.19.200
4
ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
12.2 | M | 27 | ZeroCERT

42148 | 2021-08-27 15:36
ETC.exe 01b6e15274bdff55dd725ed01ad2ba23 RAT Generic Malware Antivirus Malicious Packer PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
7.2 | M | 35 | ZeroCERT

42149 | 2021-08-27 15:34
XMR.exe 0f23f1451e66b86bc3e56dbb714da989 RAT Generic Malware Antivirus Malicious Packer PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
7.4 | M | 43 | ZeroCERT

42150 | 2021-08-27 15:34
petrol.exe 700a021908885c05ef227a55452d9ffe PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed
10.8 | M |  | ZeroCERT