43486 | 2021-02-04 16:00 | DsQwouT0.exe 943dff6e7979ded5b2d94f4e0503704a VirusTotal Malware Remote Code Execution | | | | | 1.4 | | 19 | ZeroCERT
43487 | 2021-02-04 11:04 | aa.exe 1ff59d25828ac6ee321e571439410b12 VirusTotal Cryptocurrency Miner Malware Cryptocurrency SMB Traffic Potential Scan AutoRuns Check memory Creates executable files ICMP traffic unpack itself Windows utilities Auto service Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows Browser ComputerName Remote Code Execution DNS | 1 | 5: gxxs.monerogb.com() - mailcious ip.3322.net(118.184.176.22) dns.monerogb.com(103.246.218.179) - mailcious 118.184.176.22 103.246.218.179 - mailcious | 5: ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net ET POLICY Unsupported/Fake Windows NT Version 5.0 ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net ET POLICY Cryptocurrency Miner Checkin ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection | | 15.4 | | 56 | ZeroCERT
43488 | 2021-02-04 11:03 | 906249IMG_055708.pdf.exe 3a0f89e50b88ed60053533cca7003388 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | 3: http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://www.google.com/ | 6: www.google.com(172.217.25.196) freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 162.88.193.70 172.217.26.4 - suspicious 104.21.19.200 | 4: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain | | 16.0 | M | 18 | ZeroCERT
43489 | 2021-02-04 10:52 | 416212.jpg.exe 5210f2b1dea41fc2209ca7dccb4ec172 | | | | | 0.2 | M | | ZeroCERT
43490 | 2021-02-04 10:52 | 541310.jpg.exe ac7d58bf24cbc2083fe4a90f203c9ab5 Remote Code Execution | | | | | 0.8 | M | | ZeroCERT
43491 | 2021-02-04 10:14 | 6lajhbjyuk.exe 77be0dd6570301acac3634801676b5d7 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software | 1: http://api.ipify.org/?format=xml | 4: sweyblidian.com(185.100.65.29) - mailcious api.ipify.org(54.243.164.148) 54.225.129.141 185.100.65.29 - mailcious | 1: ET POLICY External IP Lookup (ipify .org) | | 10.8 | M | 59 | ZeroCERT
43492 | 2021-02-04 10:14 | winlog.exe 339fedf77e466d75dc3d7197fafa2ac3 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software | 1: http://azmtool.us/kaka/kaka1/fre.php | 2: azmtool.us(89.235.184.241) 45.128.207.237 | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response | | 10.0 | M | 48 | ZeroCERT
43493 | 2021-02-04 09:59 | vbc.exe 2ffc43d9e4d2482e7acfdcef863fe7e9 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows DNS Cryptographic key | 4: http://www.starlevelopulence.com/kre/?jFNHix=0OfHdNz0HWhF9HvaatlBO/XroeHlL7Urm8EImvnpnos1yLwvrzvh2obe20hMQlWMYoNQHDpy&oXU=_0GDCjlXRtr4u http://www.babylist.info/kre/?jFNHix=mkx09hqXalb1sG7rIkwTo1+5sqNE9cKMt7dvRqdNeRtwcb/BKuz3t/EUP1FALOL4s9t4U09z&oXU=_0GDCjlXRtr4u http://www.smyleoberry.com/kre/?jFNHix=wPJk7tKGuyBEXolqs/BP21jfPD8XOzKUBfoK5nxEF3WPIHY1woaeT3O1l5lNU2VWzdsP7CRb&oXU=_0GDCjlXRtr4u http://www.canceledculture.net/kre/?jFNHix=sZpFlhXP8dA3ffHIyrPzRO7rgjEq65TwHsovkvKuC9nuE9nDYSZRHOFurjv11gPSsq5taiH9&oXU=_0GDCjlXRtr4u | 10: www.smyleoberry.com(18.211.19.104) www.babylist.info(52.219.116.115) www.canceledculture.net(34.102.136.180) www.starlevelopulence.com(23.227.38.74) www.fu2car.com(198.74.106.243) - mailcious 3.93.205.129 52.219.117.59 198.74.106.243 - mailcious 34.102.136.180 - mailcious 23.227.38.74 - mailcious | | | 10.0 | M | 31 | ZeroCERT
43494 | 2021-02-04 09:59 | UDI.exe 103a67077a7c6f4efd59a2042168f08b VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS | | 1: 193.239.147.103 - mailcious | | | 3.8 | M | 24 | ZeroCERT
43495 | 2021-02-04 09:46 | svchost.exe c69a6a5f930af087691a861a2ba904eb Dridex VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS | 1: http://drsbake.com:443/js/t2/index.php | 2: drsbake.com(69.10.52.210) 69.10.52.210 - mailcious | 5: SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex ET POLICY HTTP traffic on port 443 (POST) | | 11.0 | M | 17 | ZeroCERT
43496 | 2021-02-04 09:45 | TEMP.so.exe f160c057fded2c01bfdb65bb7aa9dfcc Malware download Amadey VirusTotal Malware Malicious Traffic Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS | 1: http://186.122.150.107/cc/index.php - rule_id: 246 | 1: 186.122.150.107 - mailcious | 1: ET MALWARE Amadey CnC Check-In | 1: http://186.122.150.107/cc/index.php | 6.8 | M | 56 | ZeroCERT
43497 | 2021-02-04 09:40 | bb.exe 2668dde5e520194c26a7dd49d1aab364 VirusTotal Malware AutoRuns Creates executable files malicious URLs sandbox evasion Windows Remote Code Execution DNS | | 1 | | | 7.4 | M | 57 | guest
43498 | 2021-02-04 09:37 | new.exe fea1df2cdbc8ed9c6a82bcce20402a0a VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS | | 2: fire4fire.ddns.net() 79.134.225.52 - mailcious | 1: ET POLICY DNS Query to DynDNS Domain *.ddns .net | | 12.8 | M | 10 | ZeroCERT
43499 | 2021-02-04 09:37 | MLY.exe 3c9be33d1fd95c74f800e570cd4654eb VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName Cryptographic key crashed | | 2: klakjadkkjbjkjhiji.gotdns.ch(104.243.245.159) 104.243.245.159 | | | 14.4 | M | 28 | ZeroCERT
43500 | 2021-02-04 09:20 | lv.exe 5d2f84a7e74e6e5ff1db4c4038d0f5e4 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check Tofsee Windows ComputerName crashed | 2: http://ip-api.com/line https://iplogger.org/1rUs77 | 4: iplogger.org(88.99.66.31) ip-api.com(208.95.112.1) 88.99.66.31 - mailcious 208.95.112.1 | 2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com | | 13.8 | M | 46 | ZeroCERT