ID | Date | File | MD5 | Tags | URLs | Hosts | Signatures | Other | Score | Flag | Count | Source
42796 | 2021-08-17 18:02 | dow-4.exe | 6ed87aec021b3fb313ccb925de4985b2 | RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key | | | | | 2.6 | M | 22 | ZeroCERT
42797 | 2021-08-17 18:00 | tooltipred.png | 6d477a8502a9d2f05e587b2073b086cf | Emotet Gen1 UPX Malicious Library PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName RCE DNS crashed | (1) https://181.129.167.82/top115/TEST22-PC_W617601.D77311C718433BB88B57C4AF73BE1FD6/5/file/ | (3) 46.99.175.217 - mailcious 181.129.167.82 46.99.175.149 - mailcious | (2) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | | 4.6 | M | | ZeroCERT
42798 | 2021-08-17 17:58 | 03da82f27a042bb21948e80c788097... | 445dfcd1f7f35099093f7320d467c76d | UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware Check memory Windows crashed | | | | | 2.0 | M | 20 | ZeroCERT
42799 | 2021-08-17 17:56 | file7.exe | 8c69181e218d120c2222c285f73f3434 | RAT Generic Malware Themida Packer UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed | (2) http://193.56.146.22:47861/ https://api.ip.sb/geoip | (3) api.ip.sb(104.26.13.31) 193.56.146.22 104.26.13.31 | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.4 | M | 23 | ZeroCERT
42800 | 2021-08-17 17:55 | 8098nz2.exe | 0d035197b133e068ebc338a99f994c54 | AgentTesla(IN) Generic Malware Malicious Library Malicious Packer PE File .NET EXE PE32 suspicious privilege Check memory Checks debugger unpack itself | | | | | 1.2 | | | ZeroCERT
42801 | 2021-08-17 17:53 | wire_transfer_document.pdf.exe | b946cbd394d1a81712df966b92439dfd | PWS .NET framework Generic Malware Malicious Packer AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself | | | | | 9.0 | M | 36 | ZeroCERT
42802 | 2021-08-17 17:53 | steammaa.dll | edd1183d9e947e35574ae65441444e99 | RAT Generic Malware PE File .NET DLL DLL PE32 VirusTotal Malware PDB | | | | | 0.8 | | 3 | ZeroCERT
42803 | 2021-08-17 17:51 | uni.exe | e557e609d2dddcf4ddb28062d142a5fc | RAT Generic Malware Antivirus PE File PE64 VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key | | | | | 6.6 | M | 23 | ZeroCERT
42804 | 2021-08-17 17:49 | emissor.NF-e2021.html | bf374c1c15c6b220e02197c90c13eb7c | AntiDebug AntiVM MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed | (4) https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/FileSaver.js/2.0.5/FileSaver.min.js https://cdnjs.cloudflare.com/ajax/libs/jszip/3.6.0/jszip.min.js https://cdnjs.cloudflare.com/ajax/libs/jszip-utils/0.1.0/jszip-utils.min.js | (2) cdnjs.cloudflare.com(104.16.18.94) - mailcious 104.16.19.94 | (2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure | | 4.2 | M | | ZeroCERT
42805 | 2021-08-17 17:46 | vbc.exe | a5082cf7d178e6ecdff4b46002ab3347 | UPX Malicious Library PE File OS Processor Check PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software | (1) http://74f26d34ffff049368a6cff8812f86ee.ga/BN22/fre.php | (2) 74f26d34ffff049368a6cff8812f86ee.ga(172.67.180.66) 172.67.180.66 | (10) ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET INFO HTTP Request to a *.ga domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET INFO DNS Query for Suspicious .ga Domain | | 8.2 | M | 20 | ZeroCERT
42806 | 2021-08-17 17:46 | Informe-NF.e.html | fd2058abd94d8f368866bdfbe81bb264 | AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed | (4) https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/FileSaver.js/2.0.5/FileSaver.min.js https://cdnjs.cloudflare.com/ajax/libs/jszip/3.6.0/jszip.min.js https://cdnjs.cloudflare.com/ajax/libs/jszip-utils/0.1.0/jszip-utils.min.js | (2) cdnjs.cloudflare.com(104.16.19.94) - mailcious 104.16.19.94 | (2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure | | 4.8 | M | 14 | ZeroCERT
42807 | 2021-08-17 17:45 | 03da82f27a042bb21948e80c788097... | ff2d2b1250ae2706f6550893e12a25f8 | UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware Check memory Windows crashed | | | | | 2.0 | | 27 | ZeroCERT
42808 | 2021-08-17 17:42 | file2.exe | a59ca1678fc13f5d50ca9f90dbd61b47 | RAT Generic Malware Themida Packer UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed | (2) http://95.183.55.53:10724/ - rule_id: 4149 https://api.ip.sb/geoip | (3) api.ip.sb(104.26.13.31) 104.26.12.31 95.183.55.53 - mailcious | (2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request | (1) http://95.183.55.53:10724/ | 9.4 | M | 21 | ZeroCERT
42809 | 2021-08-17 17:42 | slock.exe | bf7733075b871230f397db64e086783a | RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key | | (1) 213.166.68.170 - mailcious | | | 4.0 | | 36 | ZeroCERT
42810 | 2021-08-17 17:39 | b.exe | bfa3677a1d68a0b2bec0f0cba4c34416 | Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer PE File PE32 DLL OS Processor Check VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files Windows utilities suspicious process AppData folder Windows DNS DDNS | (1) http://silentlegion.duckdns.org/badproc.txt | (4) hashlegion.duckdns.org(3.67.42.250) silentlegion.duckdns.org(3.142.212.137) 3.67.42.250 3.142.212.137 | (1) ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | | 5.4 | | 45 | ZeroCERT