43741 | 2021-01-25 18:03
ocxvtgdhf.exe fa61996281406afd069d1323ea5f2a4b
Tags: Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName
URLs (9):
  http://marianne.ac.ug/mozglue.dll
  http://marianne.ac.ug/nss3.dll
  http://marianne.ac.ug/vcruntime140.dll
  http://marianne.ac.ug/
  http://marianne.ac.ug/main.php
  http://marianne.ac.ug/softokn3.dll
  http://marianne.ac.ug/msvcp140.dll
  http://marianne.ac.ug/sqlite3.dll
  http://marianne.ac.ug/freebl3.dll
Hosts (2):
  marianne.ac.ug(185.215.113.77)
  185.215.113.77 - malware
IDS alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
17.6 | M | 41 | ZeroCERT
43742 | 2021-01-25 18:02
rc.exe 3f802c0c44f93d751d4f34b7597cbbb2
Tags: Emotet Buffer PE AutoRuns Code Injection Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities malicious URLs Tofsee Windows Remote Code Execution DNS
URLs (1):
  https://cdn.discordapp.com/attachments/720918485122940978/802520194248867870/Cdhzb
Hosts (5):
  nothinglike.ac.ug(185.140.53.149)
  brudfascaqezd.ac.ug()
  cdn.discordapp.com(162.159.129.233) - malware
  185.140.53.149 - mailcious
  162.159.135.233 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.6 | M |  | ZeroCERT
43743 | 2021-01-25 17:56
HIM3YR2X3CAXX.doc 1a914e7ed24d27fda9787e43db958f44
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://armakonarms.com/wp-includes/fz/
  http://silkonbusiness.matrixinfotechsolution.com/js/q26/
Hosts (14):
  www.bimception.com(162.241.224.176) - malware
  coworkingplus.es(104.21.89.78) - mailcious
  armakonarms.com(45.143.97.183)
  bbjugueteria.com(162.241.60.240) - mailcious
  silkonbusiness.matrixinfotechsolution.com(166.62.10.32)
  alugrama.com.mx(162.241.61.203) - malware
  69.38.130.14
  162.241.224.176 - malware
  195.159.28.230 - mailcious
  172.67.138.213
  162.241.60.240 - mailcious
  45.143.97.183 - mailcious
  166.62.10.32 - phishing
  162.241.61.203 - malware
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
6.8 | M | 19 | ZeroCERT
43744 | 2021-01-25 17:56
LOIAYA24O5N.doc fc195dcdb9d96b54f7099608aa433d25
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Windows DNS
Hosts (4):
  cab.mykfn.com(103.143.46.51) - malware
  69.38.130.14
  195.159.28.230 - mailcious
  103.143.46.51 - malware
IDS alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
7.4 | M | 40 | ZeroCERT
43745 | 2021-01-25 17:52
document_v152120.doc 3c9b171aa4191384845ffc13021f3a7f
Tags: exploit crash unpack itself malicious URLs Tofsee Windows Exploit DNS DDNS crashed Downloader
URLs (2):
  http://luckyserverhostdata.ddns.net/regasm/vbc.exe
  https://cdn.discordapp.com/attachments/783539498667343886/803133505454080030/Vzuer
Hosts (6):
  luckyserverhostdata.ddns.net(23.95.85.164)
  moneyds.ddns.net(54.39.198.228)
  cdn.discordapp.com(162.159.134.233) - malware
  54.39.198.228
  162.159.129.233 - malware
  23.95.85.164
IDS alerts (4):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
3.8 |  |  | guest
43746 | 2021-01-25 17:43
5J7RXTEGDKJO.doc 06f1cd7b07c7b6e68d13b9a2ab891fbc
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://armakonarms.com/wp-includes/fz/
  http://silkonbusiness.matrixinfotechsolution.com/js/q26/
Hosts (14):
  www.bimception.com(162.241.224.176) - malware
  coworkingplus.es(172.67.138.213) - mailcious
  armakonarms.com(45.143.97.183)
  bbjugueteria.com(162.241.60.240) - mailcious
  silkonbusiness.matrixinfotechsolution.com(166.62.10.32)
  alugrama.com.mx(162.241.61.203) - malware
  162.241.224.176 - malware
  195.159.28.230 - mailcious
  69.38.130.14
  162.241.60.240 - mailcious
  104.21.89.78 - mailcious
  166.62.10.32 - phishing
  162.241.61.203 - malware
  45.143.97.183 - mailcious
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
7.2 | M | 39 | ZeroCERT
43747 | 2021-01-25 17:43
ds2.exe 73bab81d76d1f752868c24916781c22a
Tags: VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process malicious URLs Windows ComputerName Cryptographic key
10.6 | M | 38 | ZeroCERT
43748 | 2021-01-25 09:52
Vk9l6FKHuYtZXyrGrE4pWV5.dll 6a83c6b085a72cdbcd23ccfa68650b41
0.2 | M |  | ZeroCERT
43749 | 2021-01-25 09:52
x6O1a7mRwiyNq.dll 66f3eefa5bc67a8525e2a7512b1c8084
Tags: VirusTotal Malware
1.4 | M | 42 | ZeroCERT
43750 | 2021-01-25 09:33
sax.exe 59d9faec26f0c3be5c84225f575ae225
Tags: VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs ComputerName crashed
4.6 | M | 44 | ZeroCERT
43751 | 2021-01-25 09:31
pZe.dll 62c29a1aa2fb0caec459b5e92c0c4150
Tags: VirusTotal Malware
1.2 |  | 39 | ZeroCERT
43752 | 2021-01-25 09:17
jvppp.exe f0d29684814fd6a0c8055b6cdbbb2477
Tags: Browser Info Stealer VirusTotal Malware AutoRuns Malicious Traffic Check memory buffers extracted Creates executable files Check virtual network interfaces AppData folder malicious URLs IP Check Tofsee Windows Browser Remote Code Execution
URLs (5):
  http://uehge4g6gh.2ihsfa.com/api/fbtime
  http://ip-api.com/json/
  http://uehge4g6gh.2ihsfa.com/api/?sid=3786&key=d21e5c6cb1ca3b524f141040a924afb6
  https://iplogger.org/18hh57
  https://www.facebook.com/
Hosts (8):
  uehge4g6gh.2ihsfa.com(207.246.80.14)
  ip-api.com(208.95.112.1)
  www.facebook.com(31.13.82.36)
  iplogger.org(88.99.66.31)
  157.240.215.35
  208.95.112.1
  207.246.80.14
  88.99.66.31 - mailcious
IDS alerts (2):
  ET POLICY External IP Lookup ip-api.com
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.6 | M | 49 | ZeroCERT
43753 | 2021-01-25 09:14
hip.exe 0f6002705ff1b71c1258291ecb6faf37
Tags: VirusTotal Malware Checks debugger unpack itself ComputerName DNS crashed
3.4 | M | 40 | ZeroCERT
43754 | 2021-01-24 17:35
gonu.exe a89694cf36d00982d687ba2c798de763
Tags: VirusTotal Malware unpack itself DNS
2.8 | M | 34 | ZeroCERT
43755 | 2021-01-24 17:33
bPjp.dll 8f8020ecd3bc9e9a5cdb021bb7287094
Tags: VirusTotal Malware
1.4 | M | 40 | ZeroCERT