43516 | 2021-02-03 14:49 | scr.dll 2928f54a3af6cbea7c0d669b246c8bce | VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself malicious URLs DNS
URLs (1): http://176.111.174.35//Fn39vld2cS/index.php?scr=up
Hosts: 1 (no entries listed)
4.8 | M | 35 | ZeroCERT
43517 | 2021-02-03 14:47 | svch.exe 2d2df98c3ca178862612a0527503ca5b | VirusTotal Malware RWX flags setting unpack itself malicious URLs Tofsee DNS crashed
Hosts (2): cdn.discordapp.com(162.159.129.233) - malware; 162.159.135.233 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | M | 37 | ZeroCERT
43518 | 2021-02-03 14:39 | proforma.exe 05f8d37087eb2818436f604cea3e5e87 | VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger WMI unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Windows ComputerName Cryptographic key crashed keylogger
URLs: 1 (no entries listed)
Hosts (4): primeswift.xyz(37.49.225.174); ip-api.com(208.95.112.1); 37.49.225.174; 208.95.112.1
Alerts (1): ET POLICY External IP Lookup ip-api.com
10.8 | M | 47 | ZeroCERT
43519 | 2021-02-03 14:39 | Protected Client.vbs 9f969c41db50bac5bf029f83c5456a09 | VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS keylogger
Hosts (6): isrealpicker.duckdns.org(185.19.85.159) - mailcious; kadsec.com(104.21.60.156) - mailcious; google.com(172.217.25.206); 172.67.198.2 - mailcious; 185.19.85.159 - mailcious; 172.217.174.110 - phishing
Alerts (2): ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
16.2 | M | 8 | ZeroCERT
43520 | 2021-02-03 14:35 | ppei.exe ac4cd44715d6bcee3624efeaf5b7b107 | VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS
Hosts (1): 216.250.126.108 - mailcious
10.2 | M | 47 | ZeroCERT
43521 | 2021-02-03 14:35 | odinaka.scr b509dff7edd46ff799f8f854d6de3617 | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (1): http://193.239.147.103/base/1951E124E4B830EA95E6D2FA25528F31.html - rule_id: 225
Hosts (1): 193.239.147.103 - mailcious
Rule-matched URLs (1): http://193.239.147.103/base/
14.2 | M | 39 | ZeroCERT
43522 | 2021-02-03 14:23 | licenser.txt.exe edacbd011f5d6d4bd0646ebdff7499ca | VirusTotal Malware Buffer PE Malicious Traffic Check memory buffers extracted Creates executable files unpack itself AppData folder malicious URLs Tofsee Windows DNS crashed
URLs (4): http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe; http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1612329375&mv=m&mvi=7&pl=18&shardbypass=yes; https://update.googleapis.com/service/update2?cup2key=10:1322616147&cup2hreq=ac01f7a2c251c2866f15c996813e96ee5f7d9eb595388c0690c99723a89081fb; https://update.googleapis.com/service/update2
Hosts (2): r7---sn-3u-bh2lz.gvt1.com(59.18.45.210); 59.18.45.210
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
7.0 | M | 34 | ZeroCERT
43523 | 2021-02-03 14:22 | mii.exe 8315199b3ee08e32cf5d72c94c1827ee | VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS
Hosts: 1 (no entries listed)
10.2 | M | 47 | ZeroCERT
43524 | 2021-02-03 14:13 | invoice_45212.doc f05f34a933c910b787d64a63d8514744 | Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed
Hosts: 1 (no entries listed)
Alerts (5): ET INFO Executable Download from dotted-quad Host; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.4 | M | | ZeroCERT
43525 | 2021-02-03 14:11 | LFICfpXl.exe 4c656d0392ff282d9081b810eaf750ac | Remote Code Execution
0.8 | M | | ZeroCERT
43526 | 2021-02-03 14:08 | IMG_66307.pdf.exe bb2edd99a1dad9fb9939097093d05d7b | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs Windows DNS Cryptographic key
URLs (2): http://www.tadalafil.website/bf3/?mfsl7bH=A4iu9AFSZAHmJ87eX2MUXvaY7i9AXVG/TdX+xVE1sq0ivIz5Z/32lGuEfXM77lSrB27UNrLN&lZQ=7neHz4LxM; http://www.myattorneychoicesyoufind.info/bf3/?mfsl7bH=mKqE3A0CXRpUt+fFMDX3v5GuUNIvxEkPYJ/lJc07Oa74ICGIZqQos7rjud4OjYPLQr7tTzFT&lZQ=7neHz4LxM
Hosts (6): www.uk-calculation.net(); www.myattorneychoicesyoufind.info(18.219.49.238); www.tadalafil.website(45.38.77.81); www.newbieeer.com(); 45.38.77.81; 18.218.104.7 - mailcious
11.4 | M | 24 | ZeroCERT
43527 | 2021-02-03 14:08 | IMG_033847.pdf.exe 355ce5f436f157a68374f43db5fa3aae | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
Hosts (1): 185.206.215.56 - mailcious
16.0 | M | 24 | ZeroCERT
43528 | 2021-02-03 13:21 | 6lavfdk.exe 77be0dd6570301acac3634801676b5d7 | Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software
URLs (1): http://api.ipify.org/?format=xml
Hosts (4): sweyblidian.com(185.100.65.29) - mailcious; api.ipify.org(54.235.83.248); 23.21.140.41; 185.100.65.29 - mailcious
Alerts (1): ET POLICY External IP Lookup (ipify .org)
10.8 | M | 59 | ZeroCERT
43529 | 2021-02-03 13:19 | HoBLAyiLzCsYr1.exe 63e7f1d5aea4b1614282674b825a8755 | Remote Code Execution
0.8 | M | | ZeroCERT
43530 | 2021-02-03 13:12 | hkcmd.exe 5856fcb7ac7eb1fc802340f11b95fb9f | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs
URLs (4): http://www.rizrvd.com/bw82/?DV=AJ+QNFecOlCqC6Mw2IQHABBFVni950JEMBOKB0L9umdbPb2reP+VGKUB+B76IywbLc96v4tpuI6L+8Kj&zbMl=qFe8FTbpGXT048Cp - rule_id: 170; http://www.rizrvd.com/bw82/ - rule_id: 170; http://www.twistedtailgatesweeps1.com/bw82/; http://www.twistedtailgatesweeps1.com/bw82/?DV=kKEA6YlRADARBAvg3KZ9bmPUSI4mVgzFcD+4n/43cuZZWsHaK7WSUQb3y4w9bCImiSvZx+gnlQlACUHf&zbMl=qFe8FTbpGXT048Cp
Hosts (12): www.riggsfarmfenceservices.com() - mailcious; www.rumblingrambles.com() - mailcious; www.curateherstories.com(34.102.136.180) - mailcious; www.rizrvd.com(34.102.136.180) - mailcious; www.fundamentaliemef.com(104.238.220.186) - mailcious; www.blacksailus.com() - mailcious; www.twistedtailgatesweeps1.com(184.168.131.241); www.magiclabs.media(198.49.23.145) - mailcious; 104.238.220.186 - mailcious; 198.185.159.144 - mailcious; 34.102.136.180 - mailcious; 184.168.131.241 - mailcious
Rule-matched URLs (2): http://www.rizrvd.com/bw82/; http://www.rizrvd.com/bw82/
9.0 | M | 18 | ZeroCERT