44641 | 2021-06-18 09:53
File: god.exe
MD5: e5a571a66090b1a9c61ab60f41abc465
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed
URLs / Hosts / Alerts: none listed
Score: 11.0 | M | 30
Submitter: ZeroCERT

44642 | 2021-06-18 09:52
File: redbutton.png
MD5: 1a5f3ca6597fcccd3295ead4d22ce70b
Tags: PE File OS Processor Check PE32 Dridex TrickBot VirusTotal Malware Report PDB suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName RCE DNS crashed
URLs (4):
  http://detectportal.firefox.com/success.txt?ipv4
  https://27.72.107.215/tot112/TEST22-PC_W617601.B83B71A0873C68B5D06BB278310EAB3F/5/kps/
  https://190.110.179.139/tot112/TEST22-PC_W617601.B83B71A0873C68B5D06BB278310EAB3F/5/kps/
  https://186.97.172.178/tot112/TEST22-PC_W617601.B83B71A0873C68B5D06BB278310EAB3F/5/kps/
Hosts (8):
  mozilla.org(44.236.48.31)
  prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
  detectportal.firefox.com(34.107.221.82)
  190.110.179.139
  27.72.107.215
  186.66.15.10
  34.107.221.82
  186.97.172.178
Alerts (5):
  ET CNC Feodo Tracker Reported CnC Server group 12
  ET CNC Feodo Tracker Reported CnC Server group 17
  ET CNC Feodo Tracker Reported CnC Server group 11
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Score: 6.6 | M | 32
Submitter: ZeroCERT

44643 | 2021-06-18 09:49
File: file.exe
MD5: fb4bd33f89ac6417468bb1d4729f8b75
Tags: Raccoon Stealer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed
URLs / Hosts / Alerts: none listed
Score: 3.6 | M | 22
Submitter: ZeroCERT

44644 | 2021-06-18 09:48
File: mmm.exe
MD5: 32e3f8a1ab7698ec5b0644a8ac1d34b8
Tags: PWS .NET framework Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
URLs / Hosts / Alerts: none listed
Score: 9.0 | M | 18
Submitter: ZeroCERT

44645 | 2021-06-18 09:46
File: cmd.exe
MD5: 63dcb28db1ff4d702e97a1fa3e9ac02d
Tags: PE File .NET EXE OS Processor Check PE32 VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces AppData folder Windows ComputerName DNS Cryptographic key crashed
URLs / Hosts / Alerts: none listed
Score: 5.8 | M | 38
Submitter: ZeroCERT

44646 | 2021-06-18 09:46
File: relvo.exe
MD5: 3f891f4ea01741d664416c3b34f64208
Tags: Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library PE File PE32 VirusTotal Malware RCE
URLs / Hosts / Alerts: none listed
Score: 2.6 | M | 45
Submitter: r0d

44647 | 2021-06-18 09:41
File: test.exe
MD5: d57237560c25aff34850ab1980a0fb04
Tags: PE File PE32 Dridex TrickBot VirusTotal Malware unpack itself Kovter DNS
URLs: none listed
Hosts (1): not listed on the page
Alerts (1):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
Score: 2.6 | - | 52
Submitter: ZeroCERT

44648 | 2021-06-18 09:12
File: aim-2044108491.xlsb
MD5: 6c8a2cdc722922d6e468d1d151a24333
Tags: Check memory Creates executable files unpack itself suspicious process Tofsee
URLs (2):
  https://tattoo-thailand.com/cvAMN0orV9b/moon.html
  https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
Hosts (3):
  roadtopassiveincomeonline.com(192.185.51.79)
  tattoo-thailand.com(192.185.51.79)
  192.185.51.79
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 3.0 | - | -
Submitter: guest

44649 | 2021-06-18 09:12
File: aim-2042502358.xlsb
MD5: 3cde67faa456fb5019f7ce2b163bee1d
Tags: Check memory Creates executable files unpack itself suspicious process Tofsee DNS
URLs (2):
  https://tattoo-thailand.com/cvAMN0orV9b/moon.html
  https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
Hosts (3):
  roadtopassiveincomeonline.com(192.185.51.79)
  tattoo-thailand.com(192.185.51.79)
  192.185.51.79
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.6 | - | -
Submitter: guest

44650 | 2021-06-18 09:12
File: aim-2043102860.xlsb
MD5: 2cdecf145abc952da288222aadb77c35
Tags: Check memory Creates executable files unpack itself suspicious process Tofsee
URLs (2):
  https://tattoo-thailand.com/cvAMN0orV9b/moon.html
  https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
Hosts (3):
  roadtopassiveincomeonline.com(192.185.51.79)
  tattoo-thailand.com(192.185.51.79)
  192.185.51.79
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 3.0 | - | -
Submitter: guest

44651 | 2021-06-18 09:07
File: vidarses.exe
MD5: 7283347ba70004a56396caa0a2de7bb0
Tags: Gen1 PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process sandbox evasion WriteConsoleW VMware anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName RCE Firmware DNS Software crashed Password
URLs (9):
  http://159.69.20.131/mozglue.dll
  http://159.69.20.131/softokn3.dll
  http://159.69.20.131/vcruntime140.dll
  http://159.69.20.131/ - rule_id: 1881
  http://159.69.20.131/898 - rule_id: 1882
  http://159.69.20.131/freebl3.dll
  http://159.69.20.131/msvcp140.dll
  http://159.69.20.131/nss3.dll
  https://bandakere.tumblr.com/
Hosts (3):
  bandakere.tumblr.com(74.114.154.22)
  159.69.20.131 - malicious
  74.114.154.22 - malicious
Alerts (6):
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Vidar/Arkei Stealer Client Data Upload
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
URL rule matches (2):
  http://159.69.20.131/
  http://159.69.20.131/898
Score: 16.4 | M | 28
Submitter: ZeroCERT

44652 | 2021-06-18 09:07
File: z7ggs.exe
MD5: 6b7554c5f2b7a246639156524fb86a78
Tags: AsyncRAT backdoor PWS .NET framework Gen1 Gen2 Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed
URLs (4):
  http://34.76.8.115//l/f/W2VtHHoBuI_ccNKoibAG/e077b412e4e9b04043dfc595bae6abb1966ac987
  http://34.76.8.115//l/f/W2VtHHoBuI_ccNKoibAG/a4bf8575ff58234bbfb45ede44543896e556da37
  http://34.76.8.115/
  https://tttttt.me/hellobroprocreate
Hosts (3):
  tttttt.me(95.216.186.40) - malicious
  95.216.186.40 - malicious
  34.76.8.115
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 13.6 | M | 46
Submitter: ZeroCERT

44653 | 2021-06-18 09:06
File: srochno.exe
MD5: 92520c1d6273560cedd77c3842810ad3
Tags: Gen1 PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process sandbox evasion WriteConsoleW VMware anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName RCE Firmware DNS Software crashed Password
URLs (9):
  http://159.69.20.131/mozglue.dll
  http://159.69.20.131/softokn3.dll
  http://159.69.20.131/vcruntime140.dll
  http://159.69.20.131/ - rule_id: 1881
  http://159.69.20.131/freebl3.dll
  http://159.69.20.131/929
  http://159.69.20.131/msvcp140.dll
  http://159.69.20.131/nss3.dll
  https://bandakere.tumblr.com/
Hosts (3):
  bandakere.tumblr.com(74.114.154.18)
  159.69.20.131 - malicious
  74.114.154.18 - malicious
Alerts (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Vidar/Arkei Stealer Client Data Upload
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
URL rule matches (1): not listed on the page
Score: 15.0 | M | -
Submitter: ZeroCERT

44654 | 2021-06-18 08:09
File: Clapped.exe
MD5: fb68c8251f6b0ce4c89fa24e61e8d1bc
Tags: AsyncRAT backdoor BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://padflimyd.xyz/
  https://api.ip.sb/geoip
Hosts (4):
  padflimyd.xyz(45.130.151.186)
  api.ip.sb(104.26.12.31)
  45.130.151.186
  172.67.75.172
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Score: 13.0 | M | 42
Submitter: ZeroCERT

44655 | 2021-06-18 08:09
File: relvo.exe
MD5: 3f891f4ea01741d664416c3b34f64208
Tags: PE File PE32 VirusTotal Malware RCE DNS
URLs / Hosts / Alerts: none listed
Score: 3.2 | M | 46
Submitter: ZeroCERT
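The hosts and alerts cells in this listing are printed as one run-on string per sample, which makes it easy to miss that 44648, 44649 and 44650 all resolve their lure domains to 192.185.51.79, and that 44651 and 44653 both pull the same NSS/CRT DLL set from 159.69.20.131. The Python below is an added example, not code from the listing or from the sandbox that produced it: it parses the two cell formats as they appear above, splits the Suricata alerts on their rule-source prefixes (ET, SSLBL, SURICATA), carries the listing's "malicious" host flag through, and groups samples that contact the same IP. The SAMPLES records are transcribed from this page (a subset of the entries; the 44651 and 44653 alert cells are shortened). Function names, field names and the defang helper are my own.

```python
"""Normalise network indicators from a flattened sandbox listing.

Added example; not code from the original listing or from the sandbox
that produced it. The records below are transcribed from entries on this
page as (hosts cell, alerts cell) per sample id, each cell being the one
run-on string the listing prints. Field and helper names are assumptions.
"""
import re
from collections import defaultdict

# Constructed from the page entries: sample id -> (hosts cell, alerts cell).
SAMPLES = {
    "44642": (
        "mozilla.org(44.236.48.31) "
        "prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82) "
        "detectportal.firefox.com(34.107.221.82) 190.110.179.139 "
        "27.72.107.215 186.66.15.10 34.107.221.82 186.97.172.178",
        "ET CNC Feodo Tracker Reported CnC Server group 12 "
        "ET CNC Feodo Tracker Reported CnC Server group 17 "
        "ET CNC Feodo Tracker Reported CnC Server group 11 "
        "ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex "
        "ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)",
    ),
    "44648": (
        "roadtopassiveincomeonline.com(192.185.51.79) "
        "tattoo-thailand.com(192.185.51.79) 192.185.51.79",
        "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
        "ET INFO TLS Handshake Failure",
    ),
    "44649": (
        "roadtopassiveincomeonline.com(192.185.51.79) "
        "tattoo-thailand.com(192.185.51.79) 192.185.51.79",
        "ET INFO TLS Handshake Failure "
        "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    ),
    "44651": (  # alerts cell shortened from the page's six entries
        "bandakere.tumblr.com(74.114.154.22) 159.69.20.131 - malicious "
        "74.114.154.22 - malicious",
        "ET INFO Dotted Quad Host DLL Request "
        "ET POLICY PE EXE or DLL Windows file download HTTP "
        "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
        "ET MALWARE Vidar/Arkei Stealer Client Data Upload",
    ),
    "44653": (  # alerts cell shortened from the page's six entries
        "bandakere.tumblr.com(74.114.154.18) 159.69.20.131 - malicious "
        "74.114.154.18 - malicious",
        "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
        "ET INFO Dotted Quad Host DLL Request",
    ),
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A hosts cell is a run of "name(ip)" or bare "ip" tokens, each optionally
# followed by " - malicious" (the listing's own flag).
HOST_RE = re.compile(
    rf"(?:(?P<name>[A-Za-z0-9.-]+)\((?P<ip>{IPV4})\)|\b(?P<bare>{IPV4})\b)"
    r"(?P<flag>\s+-\s+malicious)?"
)
# Each Suricata alert starts with its rule source: "ET <CLASS> ", "SSLBL: "
# or "SURICATA ". Split on the whitespace that precedes one of those.
ALERT_SPLIT_RE = re.compile(r"\s+(?=(?:ET [A-Z0-9]+ |SSLBL: |SURICATA ))")


def parse_hosts(cell):
    """Return [{'host': name or None, 'ip': str, 'malicious': bool}, ...]."""
    out = []
    for m in HOST_RE.finditer(cell):
        out.append({
            "host": m.group("name"),
            "ip": m.group("ip") or m.group("bare"),
            "malicious": m.group("flag") is not None,
        })
    return out


def split_alerts(cell):
    """Split the run-on alerts cell into one string per Suricata alert."""
    return [a for a in ALERT_SPLIT_RE.split(cell.strip()) if a]


def shared_infrastructure(samples):
    """Map each IP contacted by more than one sample to its sorted sample ids."""
    seen = defaultdict(set)
    for sid, (host_cell, _) in samples.items():
        for h in parse_hosts(host_cell):
            seen[h["ip"]].add(sid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > 1}


def defang(indicator):
    """Make an IP or hostname safe to paste into a ticket or chat."""
    return indicator.replace(".", "[.]")


if __name__ == "__main__":
    for sid, (host_cell, alert_cell) in SAMPLES.items():
        flagged = [defang(h["ip"]) for h in parse_hosts(host_cell) if h["malicious"]]
        print(sid, len(split_alerts(alert_cell)), "alerts; flagged:", flagged)
    for ip, ids in shared_infrastructure(SAMPLES).items():
        print("shared:", defang(ip), "->", ", ".join(ids))
```

The alert split relies on every rule name beginning with its source prefix, which holds for the ET and SSLBL rule sets seen on this page; a feed whose rule names do not carry such a prefix would need a delimiter from the exporter instead. The per-IP grouping is deliberately keyed on the IP rather than the hostname, so the bare-IP TrickBot C2 entries and the Vidar download server are correlated even when no name resolves to them.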