| 44701 |
2020-12-08 10:02
|
EGO.exe f084742f15cd553f5628cfd035c5ca7c
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed |
|
|
|
|
9.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44702 |
2020-12-08 09:45
|
euremen.exe b076d449c2fa8d8f1d8b8b07254df976
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces malicious URLs suspicious TLD IP Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
4
http://checkip.amazonaws.com/
http://94.177.123.237:35200/IRemotePanel
https://1ls32sh.worwokr.ru/RdeSWHLHdlCi
https://api.ip.sb/geoip
|
11
WHOIS.APNIC.NET(172.104.77.201)
checkip.amazonaws.com(34.193.115.2)
whois.iana.org(192.0.32.59)
1ls32sh.worwokr.ru(81.177.165.230)
api.ip.sb(172.67.75.172)
34.192.7.28
172.104.77.201
192.0.32.59
104.26.13.31
94.177.123.237
81.177.165.230 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
15.6 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44703 |
2020-12-08 09:45
|
EGO.exe f084742f15cd553f5628cfd035c5ca7c
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
4
api.ipify.org(184.73.247.141)
crt.comodoca.com(91.199.212.52)
91.199.212.52
54.235.142.93
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44704 |
2020-12-08 09:34
|
btc.exe 31d61cabf5e6f744076483baf9ac109c
VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee ComputerName |
1
https://hastebin.com/raw/texisoweni
|
2
hastebin.com(172.67.143.180) - mailcious
172.67.143.180 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44705 |
2020-12-08 09:34
|
CleanAV.exe 9d2c4275faf224f74ff5dd4c7c22aab3
VirusTotal Malware MachineGuid Malicious Traffic Checks debugger malicious URLs Tofsee Advertising Google |
1
https://drive.google.com/uc?export=download&id=132Sn_Vz6FSHGfTnQuID81Nd8J9_UQev-
|
2
drive.google.com(172.217.26.46) - mailcious
216.58.199.14 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44706 |
2020-12-08 08:01
|
http://shgshgsndynationalobjin... 9971aba6d9eca7e79d711b0b59e1edef
Dridex VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed Downloader |
1
http://shgshgsndynationalobjindustrialatsngpx.ydns.eu/shengdoc/vbc.exe
|
2
shgshgsndynationalobjindustrialatsngpx.ydns.eu(103.125.191.187)
103.125.191.187 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44707 |
2020-12-07 18:33
|
FLActivator v.3.6.exe 439fe5699fa97546a36332a9480904ad
Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs IP Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key crashed |
3
http://checkip.amazonaws.com/
http://176.31.198.8:35200/IRemotePanel
https://api.ip.sb/geoip
|
10
WHOIS.APNIC.NET(172.104.77.201)
checkip.amazonaws.com(52.20.197.7)
whois.iana.org(192.0.32.59)
api.ip.sb(104.26.13.31)
176.31.198.8
192.0.32.59
20.43.94.199
104.26.13.31
34.193.115.2
172.104.79.63
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.8 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44708 |
2020-12-07 18:27
|
Ableton Activator v.3.1.exe 26eae8f979649f0e1cb7de1c01562697
Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs IP Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key crashed |
3
http://checkip.amazonaws.com/
http://176.31.198.8:35200/IRemotePanel
https://api.ip.sb/geoip
|
9
WHOIS.APNIC.NET(172.104.77.201)
checkip.amazonaws.com(52.20.197.7)
whois.iana.org(192.0.32.59)
api.ip.sb(172.67.75.172)
172.104.77.201
176.31.198.8
192.0.32.59
18.209.89.50
104.26.13.31
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.4 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44709 |
2020-12-07 17:43
|
GIG.exe f3a6f885c0c3e7853e44dd9e013897ff
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName DNS Cryptographic key crashed |
|
|
|
|
12.2 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44710 |
2020-12-07 17:41
|
1_4_3.xls 890522e2846bc9ae0ee808db164ccdb5
Dridex VirusTotal Malware Creates executable files unpack itself malicious URLs Tofsee |
|
2
berlitzalahsa.sa(45.60.98.219) - malware
45.60.98.219
|
3
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44711 |
2020-12-07 14:20
|
xpertwar.exe 85063571eccad2a81103ea6603ba1e08
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory buffers extracted WMI Creates executable files unpack itself malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Interception Windows Browser Email ComputerName DNS crashed |
|
4
google.ru(172.217.175.227)
195.140.214.82 - mailcious
172.217.25.3
192.3.194.245 - malware
|
5
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.4 |
M |
50 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44712 |
2020-12-07 14:07
|
xpertwar.exe 85063571eccad2a81103ea6603ba1e08
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory buffers extracted WMI Creates executable files unpack itself malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Interception Windows Browser Email ComputerName DNS crashed |
|
4
google.ru(172.217.175.227)
216.58.220.195
195.140.214.82 - mailcious
192.3.194.245 - malware
|
5
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.4 |
M |
50 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44713 |
2020-12-07 13:38
|
xpertwar.exe 85063571eccad2a81103ea6603ba1e08
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory buffers extracted WMI Creates executable files unpack itself malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Interception Windows Browser Email ComputerName DNS crashed |
|
4
google.ru(172.217.175.227)
195.140.214.82 - mailcious
172.217.24.35
192.3.194.245 - malware
|
5
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.4 |
M |
47 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44714 |
2020-12-07 11:45
|
conhost.exe a9e34ef1f1dd7f773bc6941d9b9e3ad9
VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files Windows utilities malicious URLs WriteConsoleW Windows keylogger |
|
2
cloudhost.myfirewall.org(79.134.225.105) - mailcious
79.134.225.105 - mailcious
|
|
|
8.6 |
M |
58 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44715 |
2020-12-07 11:24
|
xzx.exe aed69bded2c5920724549a7112b9fecb
VirusTotal Malware Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|