44026 | 2021-01-08 09:19
File: 9WYIIhxH9L2WReqC3.dll
MD5: bbb4ae6e86a6f44cf8ff27af3144f98f
Tags: VirusTotal Malware PDB suspicious privilege Malicious Traffic Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser Advertising ComputerName DNS Cryptographic key
URLs (2):
  http://90.160.138.175/dyd8de/46fqeohkb/nw38kvhranelh2pyme/ - rule_id: 207
  http://50.116.111.59:8080/mb49dwzno7/ - rule_id: 193
Hosts (4):
  74.222.117.42 - malicious
  50.116.111.59 - malicious
  157.245.123.197 - malicious
  90.160.138.175 - malicious
Additional URLs (2):
  http://90.160.138.175/
  http://50.116.111.59:8080/
10.8 | M | 36 | ZeroCERT

44027 | 2021-01-08 09:18
File: CreamNoteSetup_204_fNd51r4pd0_...
MD5: 67e68935fc4f53a7a505353979210cd5
Tags: VirusTotal Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder malicious URLs installed browsers check Windows Browser ComputerName Firmware DNS
URLs (1):
  http://downloads.zhyshuju.cn/ol-cn_qchtm.dll.lzma
Hosts (5):
  task0.yyhuopin.com(120.79.220.29)
  task4.yyhuopin.com(120.79.220.29)
  downloads.zhyshuju.cn(114.80.187.72)
  120.79.220.29
  114.80.187.72
8.6 | | 44 | ZeroCERT

44028 | 2021-01-07 18:48
File: dvh.msi
MD5: 95c152becccd85709530c7b6a1f489fb
Tags: VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check ComputerName
4.8 | | 29 | ZeroCERT

44029 | 2021-01-07 15:35
File: svchost.exe
MD5: 23a939174dc18c9dee0bb29cd7c3e859
Tags: VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows
URLs (2):
  http://crt.comodoca.com/COMODORSAAddTrustCA.crt
  https://api.ipify.org/
Hosts (5):
  cnc.c25e6559668942.xyz() - malware
  api.ipify.org(54.235.189.250)
  crt.comodoca.com(91.199.212.52)
  91.199.212.52
  54.243.164.148
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.6 | M | 48 | ZeroCERT

44030 | 2021-01-07 15:33
File: update.exe
MD5: 383fec0cd20be62b6c12ea79664a2234
Tags: VirusTotal Malware DNS
2.8 | M | 42 | ZeroCERT

44031 | 2021-01-07 15:22
File: rrrrr.exe
MD5: 57dc4e64ee42edabebdd28b88479bd87
Tags: VirusTotal Malware AutoRuns Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS
URLs (3):
  http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe
  http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1609999938&mv=m&mvi=7&pl=18&shardbypass=yes
  https://update.googleapis.com/service/update2?cup2key=10:2412808232&cup2hreq=0422a0f053dc550015119d6a33d7a57c8d6546991ab052f0d4096ef109c84e5b
Hosts (3):
  r7---sn-3u-bh2lz.gvt1.com(59.18.45.210)
  142.250.199.78
  59.18.45.210
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | M | 34 | ZeroCERT

44032 | 2021-01-07 15:22
File: Shipppy.exe
MD5: 35d3f86c5715649c8a4273e6a52b0b54
Tags: VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName
12.4 | M | 25 | ZeroCERT

44033 | 2021-01-07 12:31
File: Great_money_bin.exe
MD5: b7eab6cec14c7e38271290aab595dbcd
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (4):
  https://hastebin.com/raw/vonepojura
  https://hastebin.com/raw/jelobajuwa
  https://hastebin.com/raw/juvunetale
  https://hastebin.com/raw/ekepinoqoy
Hosts (2):
  hastebin.com(104.27.138.99) - malicious
  104.27.139.99 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.8 | M | 41 | ZeroCERT

44034 | 2021-01-07 12:30
File: normal_sig.exe
MD5: 57e519ee214aa9d177cf54135296f28b
Tags: VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows DNS Cryptographic key
Hosts (1):
9.4 | M | 40 | ZeroCERT

44035 | 2021-01-07 11:08
File: 7.exe
MD5: d17b424e6865ccfc1f790313c85347e2
Tags: VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check DNS
URLs (1):
Hosts (3):
  ip-api.com(208.95.112.1)
  208.95.112.1
  79.134.225.102 - malicious
Alerts (1):
  ET POLICY External IP Lookup ip-api.com
11.2 | M | 46 | ZeroCERT

44036 | 2021-01-07 11:07
File: 4BAJ5O.doc
MD5: 8d7c388e144427e46654e1f1d75de590
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee
Hosts (14):
  astrologiaexistencial.com(31.22.4.141) - malware
  mail.ninosindigochile.cl(104.248.239.10) - malicious
  mirvalgroup.com(167.99.163.124) - malicious
  walkerswebshop.com(149.255.62.16) - malicious
  unimedunihealth.com(172.67.201.73) - malicious
  www.dirgantaratuba.com(202.67.13.163) - malicious
  wp.gensoukyou.org(172.67.188.124) - malicious
  104.248.239.10 - malicious
  104.31.64.148 - malicious
  31.22.4.141 - malware
  104.27.135.101 - malicious
  149.255.62.16 - malicious
  202.67.13.163 - malicious
  167.99.163.124 - malicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.2 | M | 41 | ZeroCERT

44037 | 2021-01-07 11:05
File: 4BAJ5O.doc
MD5: 8d7c388e144427e46654e1f1d75de590
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee
Hosts (14):
  astrologiaexistencial.com(31.22.4.141) - malware
  unimedunihealth.com(172.67.201.73) - malicious
  mirvalgroup.com(167.99.163.124) - malicious
  walkerswebshop.com(149.255.62.16) - malicious
  mail.ninosindigochile.cl(104.248.239.10) - malicious
  www.dirgantaratuba.com(202.67.13.163) - malicious
  wp.gensoukyou.org(172.67.188.124) - malicious
  104.248.239.10 - malicious
  31.22.4.141 - malware
  149.255.62.16 - malicious
  104.31.64.148 - malicious
  202.67.13.163 - malicious
  167.99.163.124 - malicious
  104.27.134.101
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | 41 | ZeroCERT

44038 | 2021-01-07 11:04
File: 4BAJ5O.doc
MD5: 8d7c388e144427e46654e1f1d75de590
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
Hosts (14):
  astrologiaexistencial.com(31.22.4.141) - malware
  mail.ninosindigochile.cl(104.248.239.10) - malicious
  mirvalgroup.com(167.99.163.124) - malicious
  walkerswebshop.com(149.255.62.16) - malicious
  unimedunihealth.com(104.27.135.101) - malicious
  www.dirgantaratuba.com(202.67.13.163) - malicious
  wp.gensoukyou.org(104.31.65.148) - malicious
  104.248.239.10 - malicious
  31.22.4.141 - malware
  149.255.62.16 - malicious
  104.31.64.148 - malicious
  202.67.13.163 - malicious
  167.99.163.124 - malicious
  104.27.134.101
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 | M | 41 | ZeroCERT

44039 | 2021-01-07 11:03
File: 7.exe
MD5: d17b424e6865ccfc1f790313c85347e2
Tags: VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check DNS
URLs (1):
Hosts (3):
  ip-api.com(208.95.112.1)
  79.134.225.102 - malicious
  208.95.112.1
Alerts (1):
  ET POLICY External IP Lookup ip-api.com
11.2 | M | 46 | ZeroCERT

44040 | 2021-01-07 10:44
File: 4BAJ5O.doc
MD5: 8d7c388e144427e46654e1f1d75de590
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
Hosts (14):
  astrologiaexistencial.com(31.22.4.141) - malware
  mail.ninosindigochile.cl(104.248.239.10) - malicious
  mirvalgroup.com(167.99.163.124) - malicious
  walkerswebshop.com(149.255.62.16) - malicious
  unimedunihealth.com(172.67.201.73) - malicious
  www.dirgantaratuba.com(202.67.13.163) - malicious
  wp.gensoukyou.org(172.67.188.124) - malicious
  104.248.239.10 - malicious
  31.22.4.141 - malware
  149.255.62.16 - malicious
  202.67.13.163 - malicious
  167.99.163.124 - malicious
  104.27.134.101
  172.67.188.124
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.4 | M | 37 | ZeroCERT
