43636 |
2021-01-28 13:23
|
5555.jpg.exe de6108a215b25132877b39590951dce3 |
|
|
|
|
0.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43637 |
2021-01-28 12:20
|
6gdwwv.exe 77be0dd6570301acac3634801676b5d7 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software |
1
http://api.ipify.org/?format=xml
|
4
sweyblidian.com(185.100.65.29) api.ipify.org(54.225.220.115) 54.235.189.250 185.100.65.29
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
10.0 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43638 |
2021-01-28 12:20
|
xkp369t.zip.exe ba58b7e985b1b06985ddd90a8a1c622b VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows Cryptographic key |
|
|
|
|
3.0 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43639 |
2021-01-28 10:38
|
WAH.exe 1514dad5fc756723d4c00e0817605ae9 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName Cryptographic key crashed |
|
2
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu(46.243.219.56) 46.243.219.56
|
|
|
14.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43640 |
2021-01-28 10:37
|
vbc.exe fcbfe0655ddb6609b6145f5798e7c9bf VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed |
|
|
|
|
10.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43641 |
2021-01-28 10:26
|
rhddqtntq.rar.exe 6738ed3b1d050e85dabbe4f72b79fb89 VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
3.6 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43642 |
2021-01-28 10:26
|
tempz.scr 556fd7cf62874176af731b08c8ef34dd Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs installed browsers check Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software |
1
http://193.239.147.103/base/A8D4BE7F005361BFBD128FDF08D58189.html - rule_id: 225
|
3
becharnise.ir(104.237.252.85) - mailcious 193.239.147.103 - mailcious 104.237.252.85 - mailcious
|
|
1
http://193.239.147.103/base/
|
14.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43643 |
2021-01-28 10:21
|
order2020.xlsx.jar 5187ae708fc760b89012cdf9dfff6f20 VirusTotal Malware Check memory heapspray unpack itself Java DNS |
|
1
|
|
|
2.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43644 |
2021-01-28 10:20
|
mbegtwcv.zip.exe 2d50e90a1ebaa057d502642e651391ce VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
3.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43645 |
2021-01-28 10:16
|
IMG-79108.pdf.exe 98119f6305337412e58f0d3ca740a227 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://www.google.com/
|
7
checkip.dyndns.org(216.146.43.71) freegeoip.app(172.67.188.154) www.google.com(172.217.31.132) 74.125.203.104 216.146.43.71 64.233.189.147 104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
16.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43646 |
2021-01-28 10:16
|
IMG-60612.pdf.exe d78c14fcae677b87f3d24ab6cb42ad92 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Tofsee Windows Cryptographic key |
1
|
4
www.google.com(172.217.31.132) 108.177.125.99 108.177.125.105 108.177.97.105
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43647 |
2021-01-28 10:12
|
IMG-6661.pdf.exe 3ecba85c4a6a88ffc472496da3200b78 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Tofsee Windows Cryptographic key |
1
|
3
www.google.com(172.217.31.164) 74.125.203.104 108.177.125.105
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43648 |
2021-01-28 10:11
|
IMG-11862.pdf.exe 5a7e3e87f007da7d39bd5cb58cac10d0 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows DNS Cryptographic key |
1
|
2
www.google.com(172.217.31.164) 64.233.189.106 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43649 |
2021-01-28 10:03
|
hm2.exe f49e0b01e26e5e197421c4260dd87545 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder malicious URLs Windows DNS |
9
http://www.gdsjgf.com/bw82/?v2=7KG5rMnLNS/F00cUwyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27kzNH/2ON0tx/WWBZXRB&CZ=7nExZbW - rule_id: 173 http://www.rizrvd.com/bw82/?v2=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&CZ=7nExZbW - rule_id: 170 http://www.rizrvd.com/bw82/?v2=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&CZ=7nExZbW http://www.rizrvd.com/bw82/ - rule_id: 170 http://www.wmarquezy.com/bw82/?v2=/EPqbtSARGzilFdTRYE1urAc3bDaNMBRSm6tJpb+ckA41wFrw7Re59/hr+veajPbLei9XJ0s&CZ=7nExZbW - rule_id: 181 http://www.sedaskincare.com/bw82/ - rule_id: 180 http://www.wmarquezy.com/bw82/ - rule_id: 181 http://www.sedaskincare.com/bw82/?v2=Tct1hGrTsO4wXuX+7y4OUHCQTPZT/SHKJbEPAo1kRuxvuV11m4iT8otUrtDadXdmrqCWO0Rp&CZ=7nExZbW - rule_id: 180 http://www.gdsjgf.com/bw82/ - rule_id: 173
|
9
www.rumblingrambles.com() www.curateherstories.com(34.102.136.180) - mailcious www.rizrvd.com(34.102.136.180) - mailcious www.wmarquezy.com(192.0.78.25) - mailcious www.sedaskincare.com(208.91.197.27) - mailcious www.gdsjgf.com(34.102.136.180) - mailcious 192.0.78.24 - mailcious 34.102.136.180 - mailcious 208.91.197.27 - mailcious
|
|
8
http://www.gdsjgf.com/bw82/ http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.sedaskincare.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.sedaskincare.com/bw82/ http://www.gdsjgf.com/bw82/
|
12.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43650 |
2021-01-28 10:03
|
hm1.exe be84c387975b024f25dc96ec5f85f7bd VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
4
http://www.okcpp.com/bw82/?mR-0xBQ=Mfpkxl91HSlRqF4UwnoLlCSItQE/DRVdVWsqLGW7UZi4jMe9Kfon6cyi45I/1E+fR8PCPduN&4hL=uFQxrx4P1P68CHO - rule_id: 182 http://www.climaxnovels.com/bw82/?mR-0xBQ=ErYhPq09uXyhgRW3wS6+i9BP1HsxrMLlWLCRTnJEgagI3gz/PfG7PFvbtbGJ+B5PJFd9ne6N&4hL=uFQxrx4P1P68CHO http://www.okcpp.com/bw82/ - rule_id: 182 http://www.climaxnovels.com/bw82/
|
11
www.nikolaichan.com(172.217.161.51) - mailcious www.okcpp.com(3.16.142.83) - mailcious www.kolamart.com(34.102.136.180) - mailcious www.chrisbubser.digital() www.climaxnovels.com(34.102.136.180) www.curateherstories.com(34.102.136.180) - mailcious www.gmobilet.com() www.texasdryroof.com(34.102.136.180) - mailcious 74.125.204.121 3.140.151.209 - mailcious 34.102.136.180 - mailcious
|
|
2
http://www.okcpp.com/bw82/ http://www.okcpp.com/bw82/
|
8.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|