43546 |
2021-02-02 13:40
|
scr.dll 8a7fa2352851fddec50f91833637dc69 VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself DNS |
1
http://45.155.205.65//b1a5gkSc2/index.php?scr=up
|
1
45.155.205.65 - mailcious
|
|
|
4.4 |
M |
35 |
ZeroCERT
43547 |
2021-02-02 13:39
|
self.exe 27493edfa85af8660f2c05f5eddf2969 Malware download Azorult Dridex TrickBot VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Kovter Browser ComputerName DNS |
1
http://168.119.251.131/index.php - rule_id: 234
|
1
168.119.251.131 - mailcious
|
6
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex ET MALWARE AZORult Variant.4 Checkin M2 ET MALWARE Win32/AZORult V3.2 Client Checkin M4 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://168.119.251.131/index.php
|
11.0 |
M |
50 |
ZeroCERT
43548 |
2021-02-02 13:37
|
pzf3d4h.zip.exe d91d846f2cd5f791cfae21bec49fb3d5 VirusTotal Malware PDB unpack itself DNS crashed |
|
|
|
|
3.0 |
M |
10 |
ZeroCERT
43549 |
2021-02-02 13:36
|
rbv9d79.zip.exe ebca4076e0a420caf420bdcd98c91d3c VirusTotal Malware PDB unpack itself malicious URLs |
|
|
|
|
2.6 |
M |
11 |
ZeroCERT
43550 |
2021-02-02 13:24
|
Protected Client.vbs b8e153cc0bec4b58809b9d323cc55303 VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI ICMP traffic unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS keylogger |
|
6
isrealpicker.duckdns.org(185.19.85.159) - mailcious fundhubusa.com(199.188.200.124) - malware google.com(216.58.220.110) 199.188.200.124 - malware 185.19.85.159 - mailcious 216.58.220.110
|
2
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
15.8 |
M |
6 |
ZeroCERT
43551 |
2021-02-02 13:23
|
private.png.exe f7fc343cbf86f08c7b529ab451677752 VirusTotal Malware Buffer PE Check memory buffers extracted Creates executable files unpack itself AppData folder malicious URLs DNS crashed |
|
|
|
|
5.4 |
M |
19 |
ZeroCERT
43552 |
2021-02-02 12:13
|
pp.exe 7b8047fdbb913497713a07aeed0d0f4c VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS |
|
1
82.165.119.177 - mailcious
|
|
|
10.2 |
M |
47 |
ZeroCERT
43553 |
2021-02-02 11:42
|
pebro.exe ac4cd44715d6bcee3624efeaf5b7b107 Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Browser Email ComputerName DNS Software |
1
http://216.250.126.108/index.php
|
1
|
3
ET MALWARE AZORult Variant.4 Checkin M2 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE AZORult v3.2 Server Response M1
|
|
15.0 |
M |
19 |
ZeroCERT
43554 |
2021-02-02 11:37
|
pe.exe 40b3185fce9e7d377a4835d5c0420502 VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS |
|
1
82.165.119.177 - mailcious
|
|
|
11.6 |
M |
47 |
ZeroCERT
43555 |
2021-02-02 11:33
|
ndu.exe 57f69ad1d8f4ca03de19053597368a8d Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Browser Email ComputerName DNS Software |
1
http://74.208.108.87/index.php
|
1
|
3
ET MALWARE AZORult Variant.4 Checkin M2 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE AZORult v3.2 Server Response M1
|
|
15.2 |
M |
20 |
ZeroCERT
43556 |
2021-02-02 11:29
|
kali.jpg.exe 185dd5ec503c683da355a50e70f25c68 Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
172.217.161.78 - phishing 172.217.26.35
|
3
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
|
|
ZeroCERT
43557 |
2021-02-02 11:24
|
hkcmd.exe d7c6ddd2feb3c305103f5c3cbb81ba01 VirusTotal Malware suspicious privilege Malicious Traffic unpack itself Windows utilities suspicious process AppData folder Tofsee Windows DNS |
14
|
27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
8
http://www.cbrealvitalize.com/bw82/ http://www.thedancehalo.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.thedancehalo.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/ http://www.cbrealvitalize.com/bw82/
|
6.8 |
M |
56 |
ZeroCERT
43558 |
2021-02-02 11:14
|
guy.exe e492cdbd78ea81ea8e634524441a22a4 VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS |
|
1
|
|
|
9.8 |
M |
43 |
ZeroCERT
43559 |
2021-02-02 11:08
|
guy.exe e492cdbd78ea81ea8e634524441a22a4 VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS |
|
1
|
|
|
11.2 |
M |
43 |
ZeroCERT
43560 |
2021-02-02 11:06
|
cobaltstrike_shellcode.exe 93a1ae6fb7152ff6e8fa76f88e14658d Dridex TrickBot VirusTotal Malware Malicious Traffic unpack itself malicious URLs Kovter ComputerName DNS |
1
https://78.128.113.14/pixel.gif
|
1
|
1
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
|
|
5.2 |
|
60 |
r0d