| ID | Submitted | File | MD5 | Tags | URLs | Hosts | Alerts | Other | Score | M | Count | Submitter |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 43621 | 2021-01-30 22:38 | fdlaunchera.exe | 361d3643b23e428cf9c2cf420751c1b1 | Buffer PE AutoRuns Code Injection buffers extracted Creates executable files unpack itself AppData folder malicious URLs sandbox evasion Windows Remote Code Execution DNS | | (2) t.nxxxn.ga(91.208.245.238) - malicious; 91.208.245.238 | (1) ET INFO DNS Query for Suspicious .ga Domain | | 12.6 | M | | guest |
| 43622 | 2021-01-30 22:38 | document.doc | d852cd3c154c4f51e69f5c55962c1570 | VirusTotal Malware exploit crash unpack itself malicious URLs Exploit DNS crashed | | (1) 192.210.232.198 - malware | | | 5.4 | M | 26 | guest |
| 43623 | 2021-01-30 22:30 | cpu64.exe | 64e66fd668ef21bbd3d5ebb8a76d2ef8 | unpack itself malicious URLs DNS | | | | | 2.6 | | | guest |
| 43624 | 2021-01-30 22:30 | 87539487.jpg.exe | 9b2be10d80b4a80c733fe8101234da89 | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName DNS DDNS Software | | (3) dns16-microsoft-health.com(8.208.101.136); winmonitor97435hr463n.hopto.org(); 8.208.101.136 | (1) ET POLICY DNS Query to DynDNS Domain *.hopto .org | | 15.0 | M | 47 | guest |
| 43625 | 2021-01-29 17:50 | iqv2v9p7.zip.exe | 86cdc85c3d58de12bf6e8783d044a105 | VirusTotal Malware Remote Code Execution | | | | | 2.0 | M | 57 | ZeroCERT |
| 43626 | 2021-01-29 10:18 | winlog2.exe | d433d6c4c98e165cb999ae4e8fd5f0af | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key | | | | | 7.6 | M | 7 | ZeroCERT |
| 43627 | 2021-01-29 10:18 | winlog.exe | d9cc09d0fd6c60708b7e0f2fa7cb2346 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software | (1) http://zangaa.com/kaka/kaka1/fre.php | (2) zangaa.com(185.212.128.102); 45.128.207.237 | (7) ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response | | 10.4 | M | 27 | ZeroCERT |
| 43628 | 2021-01-29 10:08 | osamax.scr | 233052898800d961e4fc3ef2a339f555 | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed | (1) http://193.239.147.103/base/F4BA6DC1CB973DE9DAE5D0E9AA62DF30.html - rule_id: 225 | (1) 193.239.147.103 - malicious | | (1) http://193.239.147.103/base/ | 12.6 | M | 12 | ZeroCERT |
| 43629 | 2021-01-29 10:07 | DSC_Canon_110202_23.01.2021.zi... | 4568bbfb8b5a5161c8b1045051933788 | unpack itself | | | | | 1.2 | | | ZeroCERT |
| 43630 | 2021-01-29 09:59 | IMG-0607.pdf.exe | 263f0b35e5768e624a84ac122bbf6a8c | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces malicious URLs AntiVM_Disk VMware IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | (3) http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150; https://www.google.com/ | (7) www.google.com(172.217.25.100); freegeoip.app(104.21.19.200); checkip.dyndns.org(216.146.43.70); 162.88.193.70; 64.233.189.104; 172.67.188.154; 64.233.189.106 - suspicious | (4) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; ET INFO DYNAMIC_DNS Query to *.dyndns. Domain | | 16.2 | M | 24 | ZeroCERT |
| 43631 | 2021-01-29 09:59 | gwfa.exe | a8417cfd71637c7371986737cff269cf | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS | (1) http://www.pincmd.com/zn7/?Wxo=H0DTRf2X8PY0Cn&OVolp=vl+DwuPw1Bs+eDz18phlFYzK3ZASrkTtaqWFbU4W2U0kNPdMaptnd8r6YjMJ59Q6viCts5io | (3) www.idiocy.online(); www.pincmd.com(103.82.55.155); 103.82.55.155 | | | 12.6 | M | 58 | ZeroCERT |
| 43632 | 2021-01-29 09:39 | 1599400056-01282021.xls | b4f063612cbe944f5f63e3e132793941 | Malware download Dridex TrickBot VirusTotal Malware suspicious privilege Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Kovter Windows ComputerName DNS Downloader | | (7) irenegladsteinmd.smartwebsitedesign.com(174.138.190.165) - malware; 195.123.241.214; 5.34.180.185; 23.254.224.2; 107.152.46.188; 185.82.126.38; 174.138.190.165 - malicious | (6) ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY PE EXE or DLL Windows file download HTTP; ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2; ET MALWARE JS/WSF Downloader Dec 08 2016 M4 | | 8.0 | M | 6 | ZeroCERT |
| 43633 | 2021-01-29 09:39 | bvsd.exe | 3adae286b1688adb95794b29d21f6ca0 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS | (2) http://www.maalkhairaatwosu.com/zn7/?9r4P2=oso/Cug38AXv4G4StP3iQilmzyYWofIVZmnlkvEMG9MdkfwPUu/S3qzFyv953fkX+1OQlFou&EjU4Sz=fdMTVRIPlB; http://www.brandonandrana.com/zn7/?9r4P2=yObgM5LPfCGfok7nL/KOJdbpHcl0xM+9kC0oAyaz/i+7Z5Vdx+6Mf7YcfMkbMiod0O2maEeO&EjU4Sz=fdMTVRIPlB | (4) www.maalkhairaatwosu.com(5.181.216.120); www.brandonandrana.com(156.254.243.114); 5.181.216.120; 156.254.243.114 | | | 11.6 | M | 20 | ZeroCERT |
| 43634 | 2021-01-28 19:26 | http://transplugin.io | 242c23ea412530c7d94b77a7a978c176 | Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | (3) http://transplugin.io/; http://transplugin.io/favicon.ico; http://transplugin.io/iisstart.png | (2) transplugin.io(103.253.40.225) - malicious; 103.253.40.225 - malicious | (3) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | | 4.8 | | | guest |
| 43635 | 2021-01-28 13:58 | nfeX-99.msi | d388da2bf1c9ef59eabce635a6909348 | Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself malicious URLs AntiVM_Disk suspicious TLD VM Disk Size Check ComputerName DNS DDNS | (1) http://primo1982.1gb.ru/01/nobs.php | (4) primomiguel.duckdns.org(104.41.55.10); primo1982.1gb.ru(81.177.49.5); 104.41.55.10; 81.177.49.5 | (2) ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET MALWARE [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD) | | 5.8 | | 29 | ZeroCERT |