| 43741 |
2021-01-25 18:03
|
ocxvtgdhf.exe fa61996281406afd069d1323ea5f2a4b
Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName |
9
http://marianne.ac.ug/mozglue.dll
http://marianne.ac.ug/nss3.dll
http://marianne.ac.ug/vcruntime140.dll
http://marianne.ac.ug/
http://marianne.ac.ug/main.php
http://marianne.ac.ug/softokn3.dll
http://marianne.ac.ug/msvcp140.dll
http://marianne.ac.ug/sqlite3.dll
http://marianne.ac.ug/freebl3.dll
|
2
marianne.ac.ug(185.215.113.77)
185.215.113.77 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
|
|
17.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43742 |
2021-01-25 18:02
|
rc.exe 3f802c0c44f93d751d4f34b7597cbbb2
Emotet Buffer PE AutoRuns Code Injection Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities malicious URLs Tofsee Windows Remote Code Execution DNS |
1
https://cdn.discordapp.com/attachments/720918485122940978/802520194248867870/Cdhzb
|
5
nothinglike.ac.ug(185.140.53.149)
brudfascaqezd.ac.ug()
cdn.discordapp.com(162.159.129.233) - malware
185.140.53.149 - mailcious
162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43743 |
2021-01-25 17:56
|
HIM3YR2X3CAXX.doc 1a914e7ed24d27fda9787e43db958f44
Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://armakonarms.com/wp-includes/fz/
http://silkonbusiness.matrixinfotechsolution.com/js/q26/
|
14
www.bimception.com(162.241.224.176) - malware
coworkingplus.es(104.21.89.78) - mailcious
armakonarms.com(45.143.97.183)
bbjugueteria.com(162.241.60.240) - mailcious
silkonbusiness.matrixinfotechsolution.com(166.62.10.32)
alugrama.com.mx(162.241.61.203) - malware
69.38.130.14
162.241.224.176 - malware
195.159.28.230 - mailcious
172.67.138.213
162.241.60.240 - mailcious
45.143.97.183 - mailcious
166.62.10.32 - phishing
162.241.61.203 - malware
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.8 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43744 |
2021-01-25 17:56
|
LOIAYA24O5N.doc fc195dcdb9d96b54f7099608aa433d25
Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Windows DNS |
|
4
cab.mykfn.com(103.143.46.51) - malware
69.38.130.14
195.159.28.230 - mailcious
103.143.46.51 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
7.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43745 |
2021-01-25 17:52
|
document_v152120.doc 3c9b171aa4191384845ffc13021f3a7f
exploit crash unpack itself malicious URLs Tofsee Windows Exploit DNS DDNS crashed Downloader |
2
http://luckyserverhostdata.ddns.net/regasm/vbc.exe
https://cdn.discordapp.com/attachments/783539498667343886/803133505454080030/Vzuer
|
6
luckyserverhostdata.ddns.net(23.95.85.164)
moneyds.ddns.net(54.39.198.228)
cdn.discordapp.com(162.159.134.233) - malware
54.39.198.228
162.159.129.233 - malware
23.95.85.164
|
4
ET POLICY DNS Query to DynDNS Domain *.ddns .net
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
3.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43746 |
2021-01-25 17:43
|
5J7RXTEGDKJO.doc 06f1cd7b07c7b6e68d13b9a2ab891fbc
Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://armakonarms.com/wp-includes/fz/
http://silkonbusiness.matrixinfotechsolution.com/js/q26/
|
14
www.bimception.com(162.241.224.176) - malware
coworkingplus.es(172.67.138.213) - mailcious
armakonarms.com(45.143.97.183)
bbjugueteria.com(162.241.60.240) - mailcious
silkonbusiness.matrixinfotechsolution.com(166.62.10.32)
alugrama.com.mx(162.241.61.203) - malware
162.241.224.176 - malware
195.159.28.230 - mailcious
69.38.130.14
162.241.60.240 - mailcious
104.21.89.78 - mailcious
166.62.10.32 - phishing
162.241.61.203 - malware
45.143.97.183 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
7.2 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43747 |
2021-01-25 17:43
|
ds2.exe 73bab81d76d1f752868c24916781c22a
VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process malicious URLs Windows ComputerName Cryptographic key |
|
|
|
|
10.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43748 |
2021-01-25 09:52
|
Vk9l6FKHuYtZXyrGrE4pWV5.dll 6a83c6b085a72cdbcd23ccfa68650b41 |
|
|
|
|
0.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43749 |
2021-01-25 09:52
|
x6O1a7mRwiyNq.dll 66f3eefa5bc67a8525e2a7512b1c8084
VirusTotal Malware |
|
|
|
|
1.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43750 |
2021-01-25 09:33
|
sax.exe 59d9faec26f0c3be5c84225f575ae225
VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs ComputerName crashed |
|
|
|
|
4.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43751 |
2021-01-25 09:31
|
pZe.dll 62c29a1aa2fb0caec459b5e92c0c4150
VirusTotal Malware |
|
|
|
|
1.2 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43752 |
2021-01-25 09:17
|
jvppp.exe f0d29684814fd6a0c8055b6cdbbb2477
Browser Info Stealer VirusTotal Malware AutoRuns Malicious Traffic Check memory buffers extracted Creates executable files Check virtual network interfaces AppData folder malicious URLs IP Check Tofsee Windows Browser Remote Code Execution |
5
http://uehge4g6gh.2ihsfa.com/api/fbtime
http://ip-api.com/json/
http://uehge4g6gh.2ihsfa.com/api/?sid=3786&key=d21e5c6cb1ca3b524f141040a924afb6
https://iplogger.org/18hh57
https://www.facebook.com/
|
8
uehge4g6gh.2ihsfa.com(207.246.80.14)
ip-api.com(208.95.112.1)
www.facebook.com(31.13.82.36)
iplogger.org(88.99.66.31)
157.240.215.35
208.95.112.1
207.246.80.14
88.99.66.31 - mailcious
|
2
ET POLICY External IP Lookup ip-api.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43753 |
2021-01-25 09:14
|
hip.exe 0f6002705ff1b71c1258291ecb6faf37
VirusTotal Malware Checks debugger unpack itself ComputerName DNS crashed |
|
|
|
|
3.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43754 |
2021-01-24 17:35
|
gonu.exe a89694cf36d00982d687ba2c798de763
VirusTotal Malware unpack itself DNS |
|
|
|
|
2.8 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43755 |
2021-01-24 17:33
|
bPjp.dll 8f8020ecd3bc9e9a5cdb021bb7287094
VirusTotal Malware |
|
|
|
|
1.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|