44941 |
2021-06-01 09:25
|
Yx3PBY9RC15I0sLk.jpg.ps1 18fd76d1d31e0833d26a36729842c5f7 Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
https://cdn.discordapp.com/attachments/808540577594736675/848370661323702282/firefox.lnk https://cdn.discordapp.com/attachments/808540577594736675/848370352207691826/gO9BxdwXEaBmHAS2.jpg
|
2
cdn.discordapp.com(162.159.134.233) - malware 162.159.133.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
2 |
ZeroCERT
44942 |
2021-05-31 18:14
|
ConsoleApp9.exe 74e874bb14c48f4d33153798bb166edc AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
2
http://www.shootingstarsilver.com/nke/?iJE=zuk3YapxJyeS5yDfl4TPA09nInGwECJBlDdHUcMZwWsxT52AulIJdvBxa6+BAMGrKnOC+lM0&wXO=OZNlib http://www.serenablackcreatives.com/nke/?iJE=EqsjWoDY/paPxbVQO8NthjbeDBl1OlPkKN2BHxM5LB9s4oLQ1ZRC2+hvSz2Y2gm/xFUb9BHt&wXO=OZNlib
|
4
www.serenablackcreatives.com(154.0.175.80) www.shootingstarsilver.com(34.102.136.180) 154.0.175.80 - malware 34.102.136.180 - mailcious
|
3
ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP Unexpected Request body SURICATA HTTP unable to match response to request
|
|
8.8 |
|
23 |
ZeroCERT
44943 |
2021-05-31 18:10
|
svchost.exe 10d1dc044b4f546c7e1c29f40d364a77 PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process anti-virtualization DNS |
|
|
|
|
3.4 |
|
28 |
ZeroCERT
44944 |
2021-05-31 18:07
|
dllhost.exe 10aad0ae040c9fbde27793e1cb213d73 PE File PE32 VirusTotal Malware Creates executable files DNS |
35
|
1
|
|
|
3.2 |
|
38 |
ZeroCERT
44945 |
2021-05-31 18:06
|
svchost.exe d850f8d4823240e54f834f85e09bd9e7 PE File PE32 VirusTotal Malware Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS |
|
|
|
|
3.2 |
|
32 |
ZeroCERT
44946 |
2021-05-31 18:05
|
asd80.exe b7c53f778e82c1594d8a1a27ebb65af0 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 162.88.193.70 172.67.188.154
|
4
ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
|
23 |
ZeroCERT
44947 |
2021-05-31 11:25
|
qv55b3lqjXhJQckX.jpg.ps1 6ee03a2d6b4558fa09cdf1e33dcaa897 Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat - rule_id: 1678 https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk - rule_id: 1677 https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
|
4
lavishcuisine.com(192.169.204.60) - mailcious cdn.discordapp.com(162.159.134.233) - malware 192.169.204.60 - mailcious 162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
|
9.4 |
|
1 |
ZeroCERT
44948 |
2021-05-31 11:15
|
NmX.txt.html f69a35821e442a111ebbe08c7fc22060 VBScript PowerShell Obfuscated File VirusTotal Malware crashed |
|
|
|
|
0.8 |
M |
17 |
r0d
44949 |
2021-05-31 11:05
|
ao.exe b1d319888860b7a6400c5e5099d59e48 Amadey PWS Loki[b] Loki[m] Admin Tool Sysinternals Antivirus HTTP Code injection Http API Internet API AntiDebug AntiVM PE File .NET EXE PE32 DLL JPEG Format Malware download Amadey FTP Client Info Stealer ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder sandbox evasion WriteConsoleW Windows Email ComputerName DNS Cryptographic key Software crashed |
3
http://185.215.113.38/fT5YhO/index.php http://185.215.113.38//fT5YhO/index.php?scr=up http://185.215.113.38//fT5YhO/index.php
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Amadey CnC Check-In
|
|
20.2 |
M |
45 |
r0d
44950 |
2021-05-31 09:37
|
Ls_Droid_v1.1.9.0.exe a1459b6cd648d10da05707b69166d2f6 Anti_VM .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows Firmware crashed |
1
https://tinywebdb.ls-droid.com/testme.php
|
3
tinywebdb.ls-droid.com(109.106.250.191) www.ls-droid.com(109.106.250.191) 109.106.250.191 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
31 |
ZeroCERT
44951 |
2021-05-31 09:35
|
jaja.exe 54262706e573614d224fec09edb4f7cf Malicious Library Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
16.2 |
|
46 |
ZeroCERT
44952 |
2021-05-31 09:32
|
new.exe 03abf4527d2c88e4716e194e93c9b07b AsyncRAT backdoor PWS .NET framework AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.8 |
|
40 |
ZeroCERT
44953 |
2021-05-31 09:32
|
ccsetup579.exe 195eecffa8cb3f26eb11eb4aa379eaf6 AsyncRAT backdoor Antivirus DNS Socket HTTP Code injection Http API Internet API ScreenShot Downloader AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName Cryptographic key crashed |
|
|
|
|
10.4 |
M |
42 |
ZeroCERT
44954 |
2021-05-31 09:31
|
NmX.txt.html f69a35821e442a111ebbe08c7fc22060 Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key |
4
https://lavishcuisine.com/wp-content/uploads/2015/qv55b3lqjXhJQckX.jpg
https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat
https://lavishcuisine.com/wp-content/uploads/2015/v4ZH58inZ8qGCx2B.jpg
|
2
lavishcuisine.com
cdn.discordapp.com
|
|
|
6.8 |
|
17 |
ZeroCERT
44955 |
2021-05-31 09:31
|
al.exe 52abd9b0522751f14763b92baf4afa37 NPKI Antivirus PE64 PE File VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
|
|
|
|
7.4 |
|
36 |
ZeroCERT