| 44596 |
2021-06-18 09:48
|
 mmm.exe 32e3f8a1ab7698ec5b0644a8ac1d34b8
PWS .NET framework Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44597 |
2021-06-18 09:46
|
 cmd.exe 63dcb28db1ff4d702e97a1fa3e9ac02d
PE File .NET EXE OS Processor Check PE32 VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces AppData folder Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
5.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44598 |
2021-06-18 09:46
|
 relvo.exe 3f891f4ea01741d664416c3b34f64208
Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library PE File PE32 VirusTotal Malware RCE |
|
|
|
|
2.6 |
M |
45 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44599 |
2021-06-18 09:41
|
 test.exe d57237560c25aff34850ab1980a0fb04
PE File PE32 Dridex TrickBot VirusTotal Malware unpack itself Kovter DNS |
|
1
|
1
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
|
|
2.6 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44600 |
2021-06-18 09:12
|
 aim-2044108491.xlsb 6c8a2cdc722922d6e468d1d151a24333Check memory Creates executable files unpack itself suspicious process Tofsee |
2
https://tattoo-thailand.com/cvAMN0orV9b/moon.html
https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
|
3
roadtopassiveincomeonline.com(192.185.51.79)
tattoo-thailand.com(192.185.51.79)
192.185.51.79
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44601 |
2021-06-18 09:12
|
 aim-2042502358.xlsb 3cde67faa456fb5019f7ce2b163bee1dCheck memory Creates executable files unpack itself suspicious process Tofsee DNS |
2
https://tattoo-thailand.com/cvAMN0orV9b/moon.html
https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
|
3
roadtopassiveincomeonline.com(192.185.51.79)
tattoo-thailand.com(192.185.51.79)
192.185.51.79
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44602 |
2021-06-18 09:12
|
 aim-2043102860.xlsb 2cdecf145abc952da288222aadb77c35Check memory Creates executable files unpack itself suspicious process Tofsee |
2
https://tattoo-thailand.com/cvAMN0orV9b/moon.html
https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
|
3
roadtopassiveincomeonline.com(192.185.51.79)
tattoo-thailand.com(192.185.51.79)
192.185.51.79
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44603 |
2021-06-18 09:07
|
vidarses.exe 7283347ba70004a56396caa0a2de7bb0
Gen1 PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process sandbox evasion WriteConsoleW VMware anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName RCE Firmware DNS Software crashed Password |
9
http://159.69.20.131/mozglue.dll
http://159.69.20.131/softokn3.dll
http://159.69.20.131/vcruntime140.dll
http://159.69.20.131/ - rule_id: 1881
http://159.69.20.131/898 - rule_id: 1882
http://159.69.20.131/freebl3.dll
http://159.69.20.131/msvcp140.dll
http://159.69.20.131/nss3.dll
https://bandakere.tumblr.com/
|
3
bandakere.tumblr.com(74.114.154.22)
159.69.20.131 - mailcious
74.114.154.22 - mailcious
|
6
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
2
http://159.69.20.131/
http://159.69.20.131/898
|
16.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44604 |
2021-06-18 09:07
|
 z7ggs.exe 6b7554c5f2b7a246639156524fb86a78
AsyncRAT backdoor PWS .NET framework Gen1 Gen2 Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed |
4
http://34.76.8.115//l/f/W2VtHHoBuI_ccNKoibAG/e077b412e4e9b04043dfc595bae6abb1966ac987
http://34.76.8.115//l/f/W2VtHHoBuI_ccNKoibAG/a4bf8575ff58234bbfb45ede44543896e556da37
http://34.76.8.115/
https://tttttt.me/hellobroprocreate
|
3
tttttt.me(95.216.186.40) - mailcious
95.216.186.40 - mailcious
34.76.8.115
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44605 |
2021-06-18 09:06
|
srochno.exe 92520c1d6273560cedd77c3842810ad3
Gen1 PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process sandbox evasion WriteConsoleW VMware anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName RCE Firmware DNS Software crashed Password |
9
http://159.69.20.131/mozglue.dll
http://159.69.20.131/softokn3.dll
http://159.69.20.131/vcruntime140.dll
http://159.69.20.131/ - rule_id: 1881
http://159.69.20.131/freebl3.dll
http://159.69.20.131/929
http://159.69.20.131/msvcp140.dll
http://159.69.20.131/nss3.dll
https://bandakere.tumblr.com/
|
3
bandakere.tumblr.com(74.114.154.18)
159.69.20.131 - mailcious
74.114.154.18 - mailcious
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
1
|
15.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44606 |
2021-06-18 08:09
|
 Clapped.exe fb68c8251f6b0ce4c89fa24e61e8d1bc
AsyncRAT backdoor BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://padflimyd.xyz/
https://api.ip.sb/geoip
|
4
padflimyd.xyz(45.130.151.186)
api.ip.sb(104.26.12.31)
45.130.151.186
172.67.75.172
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
13.0 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44607 |
2021-06-18 08:09
|
 relvo.exe 3f891f4ea01741d664416c3b34f64208
PE File PE32 VirusTotal Malware RCE DNS |
|
|
|
|
3.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44608 |
2021-06-18 08:03
|
 111s.exe ee4a89d1a2258c8b9a716bac64f15c2c
AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName RCE DNS Cryptographic key Software crashed |
2
http://verecalina.xyz/
https://api.ip.sb/geoip
|
4
api.ip.sb(104.26.12.31)
verecalina.xyz(141.136.0.96)
172.67.75.172
141.136.0.96
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
8.2 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44609 |
2021-06-18 08:03
|
http://188.119.113.80/1/test.e... d57237560c25aff34850ab1980a0fb04
AntiDebug AntiVM VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://188.119.113.80/1/test.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.6 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44610 |
2021-06-17 18:26
|
 win32.exe 5fcb1ad7eb5087f9645b96b2f7700a61
PWS Loki[b] Loki[m] .NET framework Admin Tool (Sysinternals etc ...) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
|
2
eyecos.ga(134.209.252.127) - mailcious
134.209.252.127
|
1
ET INFO DNS Query for Suspicious .ga Domain
|
|
13.0 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|