| 43636 |
2021-01-28 13:23
|
5555.jpg.exe de6108a215b25132877b39590951dce3 |
|
|
|
|
0.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43637 |
2021-01-28 12:20
|
6gdwwv.exe 77be0dd6570301acac3634801676b5d7
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software |
1
http://api.ipify.org/?format=xml
|
4
sweyblidian.com(185.100.65.29)
api.ipify.org(54.225.220.115)
54.235.189.250
185.100.65.29
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
10.0 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43638 |
2021-01-28 12:20
|
xkp369t.zip.exe ba58b7e985b1b06985ddd90a8a1c622b
VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows Cryptographic key |
|
|
|
|
3.0 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43639 |
2021-01-28 10:38
|
WAH.exe 1514dad5fc756723d4c00e0817605ae9
VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName Cryptographic key crashed |
|
2
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu(46.243.219.56)
46.243.219.56
|
|
|
14.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43640 |
2021-01-28 10:37
|
vbc.exe fcbfe0655ddb6609b6145f5798e7c9bf
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed |
|
|
|
|
10.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43641 |
2021-01-28 10:26
|
rhddqtntq.rar.exe 6738ed3b1d050e85dabbe4f72b79fb89
VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
3.6 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43642 |
2021-01-28 10:26
|
tempz.scr 556fd7cf62874176af731b08c8ef34dd
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs installed browsers check Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software |
1
http://193.239.147.103/base/A8D4BE7F005361BFBD128FDF08D58189.html - rule_id: 225
|
3
becharnise.ir(104.237.252.85) - mailcious
193.239.147.103 - mailcious
104.237.252.85 - mailcious
|
|
1
http://193.239.147.103/base/
|
14.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43643 |
2021-01-28 10:21
|
order2020.xlsx.jar 5187ae708fc760b89012cdf9dfff6f20
VirusTotal Malware Check memory heapspray unpack itself Java DNS |
|
1
|
|
|
2.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43644 |
2021-01-28 10:20
|
mbegtwcv.zip.exe 2d50e90a1ebaa057d502642e651391ce
VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
3.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43645 |
2021-01-28 10:16
|
IMG-79108.pdf.exe 98119f6305337412e58f0d3ca740a227
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://www.google.com/
|
7
checkip.dyndns.org(216.146.43.71)
freegeoip.app(172.67.188.154)
www.google.com(172.217.31.132)
74.125.203.104
216.146.43.71
64.233.189.147
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
16.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43646 |
2021-01-28 10:16
|
IMG-60612.pdf.exe d78c14fcae677b87f3d24ab6cb42ad92
VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Tofsee Windows Cryptographic key |
1
|
4
www.google.com(172.217.31.132)
108.177.125.99
108.177.125.105
108.177.97.105
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43647 |
2021-01-28 10:12
|
IMG-6661.pdf.exe 3ecba85c4a6a88ffc472496da3200b78
VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Tofsee Windows Cryptographic key |
1
|
3
www.google.com(172.217.31.164)
74.125.203.104
108.177.125.105
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43648 |
2021-01-28 10:11
|
IMG-11862.pdf.exe 5a7e3e87f007da7d39bd5cb58cac10d0
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows DNS Cryptographic key |
1
|
2
www.google.com(172.217.31.164)
64.233.189.106 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43649 |
2021-01-28 10:03
|
hm2.exe f49e0b01e26e5e197421c4260dd87545
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder malicious URLs Windows DNS |
9
http://www.gdsjgf.com/bw82/?v2=7KG5rMnLNS/F00cUwyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27kzNH/2ON0tx/WWBZXRB&CZ=7nExZbW - rule_id: 173
http://www.rizrvd.com/bw82/?v2=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&CZ=7nExZbW - rule_id: 170
http://www.rizrvd.com/bw82/?v2=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&CZ=7nExZbW
http://www.rizrvd.com/bw82/ - rule_id: 170
http://www.wmarquezy.com/bw82/?v2=/EPqbtSARGzilFdTRYE1urAc3bDaNMBRSm6tJpb+ckA41wFrw7Re59/hr+veajPbLei9XJ0s&CZ=7nExZbW - rule_id: 181
http://www.sedaskincare.com/bw82/ - rule_id: 180
http://www.wmarquezy.com/bw82/ - rule_id: 181
http://www.sedaskincare.com/bw82/?v2=Tct1hGrTsO4wXuX+7y4OUHCQTPZT/SHKJbEPAo1kRuxvuV11m4iT8otUrtDadXdmrqCWO0Rp&CZ=7nExZbW - rule_id: 180
http://www.gdsjgf.com/bw82/ - rule_id: 173
|
9
www.rumblingrambles.com()
www.curateherstories.com(34.102.136.180) - mailcious
www.rizrvd.com(34.102.136.180) - mailcious
www.wmarquezy.com(192.0.78.25) - mailcious
www.sedaskincare.com(208.91.197.27) - mailcious
www.gdsjgf.com(34.102.136.180) - mailcious
192.0.78.24 - mailcious
34.102.136.180 - mailcious
208.91.197.27 - mailcious
|
|
8
http://www.gdsjgf.com/bw82/
http://www.rizrvd.com/bw82/
http://www.rizrvd.com/bw82/
http://www.wmarquezy.com/bw82/
http://www.sedaskincare.com/bw82/
http://www.wmarquezy.com/bw82/
http://www.sedaskincare.com/bw82/
http://www.gdsjgf.com/bw82/
|
12.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43650 |
2021-01-28 10:03
|
hm1.exe be84c387975b024f25dc96ec5f85f7bd
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
4
http://www.okcpp.com/bw82/?mR-0xBQ=Mfpkxl91HSlRqF4UwnoLlCSItQE/DRVdVWsqLGW7UZi4jMe9Kfon6cyi45I/1E+fR8PCPduN&4hL=uFQxrx4P1P68CHO - rule_id: 182
http://www.climaxnovels.com/bw82/?mR-0xBQ=ErYhPq09uXyhgRW3wS6+i9BP1HsxrMLlWLCRTnJEgagI3gz/PfG7PFvbtbGJ+B5PJFd9ne6N&4hL=uFQxrx4P1P68CHO
http://www.okcpp.com/bw82/ - rule_id: 182
http://www.climaxnovels.com/bw82/
|
11
www.nikolaichan.com(172.217.161.51) - mailcious
www.okcpp.com(3.16.142.83) - mailcious
www.kolamart.com(34.102.136.180) - mailcious
www.chrisbubser.digital()
www.climaxnovels.com(34.102.136.180)
www.curateherstories.com(34.102.136.180) - mailcious
www.gmobilet.com()
www.texasdryroof.com(34.102.136.180) - mailcious
74.125.204.121
3.140.151.209 - mailcious
34.102.136.180 - mailcious
|
|
2
http://www.okcpp.com/bw82/
http://www.okcpp.com/bw82/
|
8.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|