43936 | 2021-01-14 10:37
WindowsForsApp2.jpg.exe d3a6b158e1e9696487764681659b132e
Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware AutoRuns Code Injection Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Kovter Windows ComputerName DNS
1
  103.147.184.53 - mailcious
2
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)
5.8 | M | 42 | guest

43937 | 2021-01-14 09:21
http://akybron.hu/wordpress/Tr... 00dc990ef89d168d1a2256a35efdaddd
Dridex VirusTotal Malware Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
1
  akybron.hu(92.61.114.113) - mailcious
3
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
5.6 | | | ZeroCERT

43938 | 2021-01-13 18:29
VMQP93ODSB8.doc 5d945215f920eb558ea283588ea0ad85
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
14
  snowremoval-services.com(35.209.101.201) - malware
  kitsunecomplements.com(149.202.105.228) - mailcious
  altrashift.com(104.27.159.29) - mailcious
  shop.animewho.com(104.18.40.172) - mailcious
  www.autoeck-baden.at(81.19.159.72) - mailcious
  ojodetigremezcal.com(45.77.102.200) - malware
  imperioone.com(162.241.203.91) - malware
  45.77.102.200 - malware
  162.241.203.91 - malware
  35.209.101.201 - malware
  81.19.159.72 - mailcious
  149.202.105.228 - mailcious
  172.67.217.110
  172.67.180.86
1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 14 | guest

43939 | 2021-01-13 18:27
UN7.dll 0ee5c78c6e2ee9f8a8c201474fd03b2e
VirusTotal Malware
0.8 | M | 17 | guest

43940 | 2021-01-13 17:10
QL-0217.jpg.exe 15368412abd71685cef34b2470ffd3a0
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
1
  http://185.206.215.56/r-1/cgi.php - rule_id: 215
1
  185.206.215.56 - mailcious
7
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
1
  http://185.206.215.56/r-1/cgi.php
18.0 | M | 36 | guest

43941 | 2021-01-13 17:10
RG-1067.jpg.exe dbce571e89ef0357c78bb79dfa89bfad
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed
2
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
4
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.113.70)
  131.186.113.70
  104.28.5.151
4
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.8 | M | 22 | guest

43942 | 2021-01-13 16:38
PO-75013.jpg.exe e7e6ee6ef97ff797562c91e0ff401ac4
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed
2
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
4
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.113.70)
  162.88.193.70
  104.28.5.151
4
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.6 | M | 22 | guest

43943 | 2021-01-13 16:37
PQ-0163.jpg.exe a9a388bb567d513a74c055c690931107
VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs Windows DNS Cryptographic key
7.2 | M | 26 | guest

43944 | 2021-01-13 13:38
PO-5042.jpg.exe f502ba6dcaa52430ff540dbdef13c40b
Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
4
  freegeoip.app(104.28.4.151)
  checkip.dyndns.org(162.88.193.70)
  216.146.43.70 - suspicious
  172.67.188.154
4
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.8 | M | | guest

43945 | 2021-01-13 13:38
PO-013275.jpg.exe 5a409e1c8e75e0aa868951d8b792f054
Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
4
  freegeoip.app(104.28.5.151)
  checkip.dyndns.org(162.88.193.70)
  104.28.4.151
  216.146.43.70 - suspicious
4
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.2 | M | | guest

43946 | 2021-01-13 11:42
PO_60577.jpg.exe 000af790102eb884cfb98b2e4cf50d5a
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
1
  http://185.206.215.56/r-1/cgi.php
1
  185.206.215.56 - mailcious
7
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
16.6 | M | 24 | ZeroCERT

43947 | 2021-01-13 11:42
J6GGOYSZA6JBA1M7.doc e93393396ea5952fc1f5a0f1a5c3eff8
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee
14
  snowremoval-services.com(35.209.101.201) - malware
  kitsunecomplements.com(149.202.105.228) - mailcious
  altrashift.com(104.27.158.29) - mailcious
  shop.animewho.com(104.18.40.172) - mailcious
  www.autoeck-baden.at(81.19.159.72) - mailcious
  ojodetigremezcal.com(45.77.102.200) - malware
  imperioone.com(162.241.203.91) - malware
  81.19.159.72 - mailcious
  104.27.159.29 - mailcious
  104.18.40.172
  162.241.203.91 - malware
  35.209.101.201 - malware
  149.202.105.228 - mailcious
  45.77.102.200 - malware
1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 | M | 13 | ZeroCERT

43948 | 2021-01-13 11:38
gtmr748f6nnpr2.exe ffa6c47e69a40d26136861ef8bc8c969
VirusTotal Malware Check memory malicious URLs Tofsee DNS
1
  https://soundvista.club/gtmr748f6nnpr2
2
  soundvista.club(54.38.212.185) - mailcious
  54.38.212.185 - mailcious
1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 | M | 9 | ZeroCERT

43949 | 2021-01-13 11:38
GF-05448.jpg.exe 75608975989a15f4d05ce2dc7ecc987c
VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs Windows Cryptographic key
6.6 | M | 22 | ZeroCERT

43950 | 2021-01-13 11:32
E3-20210112_2343.doc df66ce237d60ca77253674acb51f9420
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Windows DNS
3
  adsavy.com(192.254.224.20) - malware
  192.254.224.20 - malware
  161.49.84.2 - mailcious
3
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
4.4 | M | | ZeroCERT