44821 | 2021-06-04 11:40
File: file32.exe
MD5: 5e3c86d15d42bb7d2b0987377d556880
Tags: AsyncRAT backdoor BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key
URLs (1): https://p0.miraimibun.ru/SystemDataSqlClientSqlCachedBuffer70002
Hosts (5): cengonic.xyz(83.136.233.220); p0.miraimibun.ru(217.107.34.191); 194.5.97.61; 83.136.233.220; 217.107.34.191 - malicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | M | 36 | ZeroCERT

44822 | 2021-06-04 11:39
File: file30.exe
MD5: f487cf722746e92a8a38036e09acbe83
Tags: AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows RCE DNS Cryptographic key
Hosts: 1
5.0 | | 24 | ZeroCERT

44823 | 2021-06-04 11:38
File: svch.exe
MD5: 38c02aa6d06437949ae91666ffe8cacd
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) DNS Sniff Audio KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder human activity check Tofsee Windows ComputerName DNS Cryptographic key keylogger
URLs (2): http://www.iptrackeronline.com/; https://www.iptrackeronline.com/
Hosts (8): www.iptrackeronline.com(104.26.0.222); immzonenorthbellmorexxx.mangospot.net(194.5.97.61); www.google.com(216.58.197.228); 142.250.204.36; 194.5.97.61; 13.107.21.200; 104.26.1.222; 142.250.66.100
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | | 15 | ZeroCERT

44824 | 2021-06-04 11:37
File: Pb3Setp.exe
MD5: 192157321ae17032b5edee8de07e0e86
Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Ransomware Windows ComputerName DNS Cryptographic key crashed
URLs (8): https://iplogger.org/1jE3z7; https://iplogger.org/1vjFz7; https://topnewsdesign.xyz/?user=pb3_1; https://topnewsdesign.xyz/?user=pb3_2; https://topnewsdesign.xyz/?user=pb3_3; https://topnewsdesign.xyz/?user=pb3_4; https://topnewsdesign.xyz/?user=pb3_5; https://topnewsdesign.xyz/?user=pb3_6
Hosts (7): topnewsdesign.xyz(104.21.69.75); iplogger.org(88.99.66.31) - malicious; brershrowal.xyz(45.93.6.203); 88.99.66.31 - malicious; 194.5.98.144; 45.93.6.203; 104.21.69.75
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.4 | M | 28 | ZeroCERT

44825 | 2021-06-04 11:35
File: vbc.exe
MD5: a24fc1476d5da0d06ebcb6924a02bb18
Tags: AsyncRAT backdoor PWS .NET framework Ave Maria WARZONE RAT RemcosRAT Admin Tool (Sysinternals Devolutions inc) DNS Sniff Audio KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check GIF Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows ComputerName DNS Cryptographic key DDNS keylogger
URLs (2): http://www.iptrackeronline.com/; https://www.iptrackeronline.com/
Hosts (11): www.google.com(216.58.197.228); seencroundercontroller.webredirect.org(194.5.98.144); www.iptrackeronline.com(104.26.1.222); multipleentry90dayscontroller.homingbeacon.net(194.5.98.144); safeduringthecoronavirus.duckdns.org(194.5.98.144); bressonseencrounder.mangospot.net(194.5.98.144); 104.26.0.222; 142.250.66.132; 13.107.21.200; 142.250.66.68; 194.5.98.144
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
16.2 | M | 22 | ZeroCERT

44826 | 2021-06-04 11:35
File: TClient.exe
MD5: ac2b7f66f2c5fe32220626b45fb90626
Tags: AsyncRAT backdoor PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself ComputerName DNS
3.0 | M | 30 | ZeroCERT

44827 | 2021-06-04 11:33
File: Recooouvre.exe
MD5: 7e6280c6eb73dff0a99e07c1907f2392
Tags: PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself ComputerName DNS
3.2 | M | 35 | ZeroCERT

44828 | 2021-06-04 11:32
File: Handlour.exe
MD5: f94af1a2500d42846a99873b32eb9418
Tags: PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Windows ComputerName
URLs (1): http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/69mrt4d6h323uwdsk9gzwdsq7mdzhn9.exe
Hosts (4): google.com(172.217.24.142); limesfile.com(198.54.126.101) - malware; 142.250.204.78; 198.54.126.101 - malware
Alerts (1): ET POLICY PE EXE or DLL Windows file download HTTP
6.0 | M | 44 | ZeroCERT

44829 | 2021-06-03 22:06
File: NmQ.vbs
MD5: f40ee7101f30fe371156b330b90223a2
Tags: Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
5.0 | | | ZeroCERT

44830 | 2021-06-03 22:01
File: NmQ.vbs
MD5: 99376b1c3fd7c8c000bb64aa211aa2e5
Tags: DNS
0.6 | | | ZeroCERT

44831 | 2021-06-03 21:27
File: NmQ.html
MD5: 6ec4b7568dc8b3b19f15d8fe7a2839f0
Tags: VBScript PowerShell Obfuscated File Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key
Hosts (2): 211.114.66.77; 172.217.161.174 - malicious
6.8 | M | 16 | ZeroCERT

44832 | 2021-06-03 21:25
File: 4bd5e746e9329d8ab41a7d4fbbc91d...
MD5: 6f02344b6417249656adb1c9530e2722
Tags: AsyncRAT backdoor Generic Malware PE File PE32 DLL .NET DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check
URLs (3): http://ol.gamegame.info/report7.4.php - rule_id: 1518; http://ip-api.com/json/?fields=8198; http://iw.gamegame.info/report7.4.php - rule_id: 1517
Hosts (7): email.yg9.me(198.13.62.186) - suspicious; iw.gamegame.info(104.21.21.221) - malicious; ol.gamegame.info(172.67.200.215) - malicious; ip-api.com(208.95.112.1); 198.13.62.186 - suspicious; 104.21.21.221 - malicious; 208.95.112.1
Alerts (1): ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (2): http://ol.gamegame.info/report7.4.php; http://iw.gamegame.info/report7.4.php
7.8 | M | 43 | ZeroCERT

44833 | 2021-06-03 21:23
File: ETC2.exe
MD5: 340fc80338a3c3c557374768a228a1e6
Tags: PE File PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS
URLs (4):
http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1622722580&mv=m&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:2447884964&cup2hreq=a27df1d7403d37620c0c0dbf011f52828841c05d16d94ef1dc6b40b7e9cf943f
Hosts (2): r2---sn-3u-bh2z7.gvt1.com(211.114.66.77); 211.114.66.77
Alerts (4): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
4.4 | M | 40 | ZeroCERT

44834 | 2021-06-03 21:22
File: A4.exe
MD5: 6972482b38fda49d5ea9f11bd2496909
Tags: BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key crashed
URLs (1): http://45.134.225.35:7821/
Hosts: 1
9.6 | M | 24 | ZeroCERT

44835 | 2021-06-03 21:20
File: america.exe
MD5: 9de7dac414eb27813a810892a854d547
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Anti_VM Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
9.0 | M | 26 | ZeroCERT