44116 | 2021-01-05 15:45
Admin_Tools.exe (MD5 1729da629b8b7da6915f50f95ef9204d) | Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName Remote Code Execution Cryptographic key Software crashed
URLs (2): http://ensten.xyz/IRemotePanel https://api.ip.sb/geoip
Hosts (8): ensten.xyz(193.110.3.139) WHOIS.APNIC.NET(172.104.77.201) whois.iana.org(192.0.32.59) api.ip.sb(104.26.13.31) 104.26.12.31 172.104.77.201 193.110.3.139 192.0.32.59
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
- | 11.8 | - | 9 | guest

44117 | 2021-01-05 14:10
UKGHJ90ZEO3Y15PL.doc (MD5 80509f5c54210bfa15c8bf805566c0bf) | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1): http://90.160.138.175/7l11jd0p8/d3x7vgv9oyd1srsr/ - rule_id: 207
Hosts (3): etbnaman.com(103.237.147.16) - malware 103.237.147.16 - malware 90.160.138.175 - mailcious
Alerts (4): ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 | 5.2 | M | 20 | ZeroCERT

44118 | 2021-01-05 14:05
rc2.exe (MD5 e3b457925bc3cba3821b5bdb00bdefc2) | Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities malicious URLs Tofsee Interception Windows
URLs (1): https://cdn.discordapp.com/attachments/752128569169281083/795593138454528030/Pqlw123
Hosts (7): taenaia.ac.ug(185.140.53.149) - mailcious agentpapple.ac.ug() - mailcious discord.com(162.159.128.233) cdn.discordapp.com(162.159.129.233) - malware 185.140.53.149 - mailcious 162.159.135.232 162.159.130.233 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 11.6 | M | 13 | ZeroCERT

44119 | 2021-01-05 14:05
rc.exe (MD5 050e7be5bddc176e82d0ff30ac4791a0) | Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities AppData folder malicious URLs Tofsee Interception Windows DNS
URLs (1): https://cdn.discordapp.com/attachments/720918485122940978/789751272546631680/Momf123
Hosts (7): taenaia.ac.ug(185.140.53.149) - mailcious agentpapple.ac.ug() - mailcious discord.com(162.159.138.232) cdn.discordapp.com(162.159.130.233) - malware 185.140.53.149 - mailcious 162.159.135.232 162.159.130.233 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 12.2 | M | 45 | ZeroCERT

44120 | 2021-01-05 13:52
open.exe (MD5 9e4a36969d6edc82ee97420dccd5ae94) | Dridex VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1): http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=open.exe&platform=0009&osver=5&isServer=0
Hosts (2): docs.microsoft.com(104.74.218.152) 202.43.52.41
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
- | 10.6 | M | 11 | ZeroCERT

44121 | 2021-01-05 13:51
PDFView.exe (MD5 5550592bb2d7a6a4226975d1c80ac7a4) | VirusTotal Malware PDB malicious URLs Remote Code Execution
- | 2.4 | M | 19 | ZeroCERT

44122 | 2021-01-05 13:22
LPXG5NYP6IOKKZ.doc (MD5 413be7b6ad6a700647c63d645442db4b) | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (4): http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe http://90.160.138.175/3um8rbhey600v/hp7y/ - rule_id: 207 http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1609820182&mv=m&mvi=7&pl=18&shardbypass=yes https://update.googleapis.com/service/update2?cup2key=10:1310171581&cup2hreq=1f33afdfb7a555c1cb41a46e19d5c7c6a628de427eb56bcdabd1b6aabc623dc6
Hosts (5): etbnaman.com(103.237.147.16) - malware r7---sn-3u-bh2lz.gvt1.com(59.18.45.210) 90.160.138.175 - mailcious 103.237.147.16 - malware 59.18.45.210
Alerts (5): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 | 5.2 | M | 20 | ZeroCERT

44123 | 2021-01-05 13:22
LwtKphm0VioM5i.dll (MD5 01a02861ee9e23fc4c44bd829ee5c69c) | VirusTotal Malware Malicious Traffic Checks debugger RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
Hosts (1):
- | 6.0 | M | 9 | ZeroCERT

44124 | 2021-01-05 12:28
JIYAOcNz9PnnHBPR8IE.dll (MD5 8c5d3647e0f6ddc816f68672d676e185) | Malware Malicious Traffic Checks debugger RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://125.0.215.60/x5mfejfkw/jfpom2nbf71d/wz85wajvogkbmjrz/c78icwpciw1yy4j8wmj/
Hosts (1):
- | 6.2 | M | - | ZeroCERT

44125 | 2021-01-05 12:27
file2.exe (MD5 cda50506fc8222349a4075117a896310) | VirusTotal Malware RWX flags setting unpack itself malicious URLs Interception crashed
Hosts (2): discord.com(162.159.136.232) 162.159.137.232
- | 4.0 | M | 16 | ZeroCERT

44126 | 2021-01-05 12:24
ds12.exe (MD5 cffaa868ac7a83f2445cb1560cee3018) | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself malicious URLs DNS crashed
- | 9.0 | M | 18 | ZeroCERT

44127 | 2021-01-05 12:24
ds2.exe (MD5 a2a8aec5eb32af3ed72c1b9a13bbead5) | VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process malicious URLs Windows ComputerName Cryptographic key
- | 11.2 | M | 55 | ZeroCERT

44128 | 2021-01-05 11:32
aLOKKbSPhUWqcVCXI.dll (MD5 ecad7f36a5e3c8fe798c5b04b50cd1a4) | VirusTotal Malware Malicious Traffic Checks debugger RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://90.160.138.175/bs5rxzi1/ - rule_id: 207
Hosts (1): 90.160.138.175 - mailcious
1 | 6.8 | M | 12 | ZeroCERT

44129 | 2021-01-05 11:32
ds1.exe (MD5 923949852c2c3ee9e6badc9d8461bd34) | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself malicious URLs crashed
- | 10.0 | M | 48 | ZeroCERT

44130 | 2021-01-05 10:13
ac2.exe (MD5 b16432bd584c9117d4dee9abc137499c) | VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS
Hosts (3): agentpurple.ac.ug() - mailcious agentttt.ac.ug(79.134.225.40) - mailcious 79.134.225.40 - mailcious
- | 13.4 | M | 53 | ZeroCERT
