#44986  2021-05-27 10:28
File: file21.exe
MD5: f9003a4991f68b4b07e73ac1e89cf374
Tags: PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, unpack itself, Windows, crashed
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score: 3.0  Flag: M  VT detections: 40
Source: ZeroCERT

#44987  2021-05-27 10:27
File: AwSetp.exe
MD5: 77a3dd75a7400c15f9a95929f2f76df6
Tags: AsyncRAT, backdoor, Gen1, .NET EXE, PE File, PE32, DLL, OS Processor Check, Browser Info Stealer, FTP Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, AutoRuns, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Collect installed applications, Check virtual network interfaces, AppData folder, installed browsers check, Tofsee, Ransomware, Windows, Browser, ComputerName, Software, crashed
URLs (11):
  https://iplogger.org/1v9Fz7
  https://iphonemail.xyz/
  https://iplogger.org/1e9Ut7
  https://news-systems.xyz/?user=aws2 (rule_id: 1515)
  https://news-systems.xyz/?user=aws3 (rule_id: 1515)
  https://news-systems.xyz/?user=aws1 (rule_id: 1515)
  https://news-systems.xyz/?user=aws6 (rule_id: 1515)
  https://news-systems.xyz/?user=aws4 (rule_id: 1515)
  https://news-systems.xyz/?user=aws5 (rule_id: 1515)
  https://iphonemail.xyz/api.php?getusers
  https://iphonemail.xyz/api.php
Hosts (6):
  news-systems.xyz (104.21.33.129) - malicious
  iphonemail.xyz (104.21.40.195)
  iplogger.org (88.99.66.31) - malicious
  172.67.188.69
  88.99.66.31 - malicious
  104.21.33.129 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (6):
  https://news-systems.xyz/ (listed 6 times)
Score: 10.6  Flag: M  VT detections: n/a
Source: ZeroCERT

#44988  2021-05-27 10:27
File: Setup2.exe
MD5: 138f1e886df537f014b2d4a74efb57d3
Tags: Emotet, Generic Malware, VMProtect, PE File, PE32, DLL, GIF Format, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, IP Check, VM Disk Size Check, installed browsers check, Browser, ComputerName, DNS, crashed
URLs (3):
  http://ol.gamegame.info/report7.4.php (rule_id: 1518)
  http://ip-api.com/json/?fields=8198
  http://iw.gamegame.info/report7.4.php (rule_id: 1517)
Hosts (8):
  email.yg9.me (198.13.62.186)
  iw.gamegame.info (172.67.200.215) - malicious
  ol.gamegame.info (172.67.200.215) - malicious
  ip-api.com (208.95.112.1)
  172.67.200.215
  104.21.21.221 - malicious
  208.95.112.1
  198.13.62.186
IDS alerts (2):
  ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
  ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (2):
  http://ol.gamegame.info/report7.4.php
  http://iw.gamegame.info/report7.4.php
Score: 6.8  Flag: M  VT detections: n/a
Source: ZeroCERT

#44989  2021-05-27 10:26
File: BBQbrowser.exe
MD5: 81189d695443fc7f2a0adab7a6957d89
Tags: AsyncRAT, backdoor, BitCoin, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, suspicious TLD, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, crashed
URLs (3):
  http://87.251.71.193// (rule_id: 1393)
  https://wlf.gofast24.ru/SystemServiceModelSecureConversationFebStrings25251
  https://api.ip.sb/geoip
Hosts (5):
  wlf.gofast24.ru (217.107.34.191)
  api.ip.sb (104.26.12.31)
  104.26.12.31
  87.251.71.193 - malicious
  217.107.34.191 - malicious
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
  SURICATA HTTP unable to match response to request
Rule-matched URLs: 1 (not listed in the export)
Score: 10.8  Flag: M  VT detections: n/a
Source: ZeroCERT

#44990  2021-05-27 10:26
File: WLP_Setup.exe
MD5: 6bd3098fc75bd4616d1d069b41a366cd
Tags: AsyncRAT, backdoor, PWS, .NET framework, .NET EXE, PE File, OS Processor Check, PE32, Browser Info Stealer, FTP Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (2):
  http://45.144.225.163:57433//
  https://api.ip.sb/geoip
Hosts (7):
  masterself.world (172.67.134.204) - malware
  api.ip.sb (172.67.75.172)
  iplogger.org (88.99.66.31) - malicious
  104.21.25.222
  88.99.66.31 - malicious
  104.26.12.31
  45.144.225.163
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed DNS Query to .world TLD
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none
Score: 6.2  Flag: M  VT detections: n/a
Source: ZeroCERT

#44991  2021-05-27 10:26
File: file18.exe
MD5: 495214dc4882127b4cf5480510ce440c
Tags: AsyncRAT, backdoor, PWS, .NET framework, BitCoin, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, Check virtual network interfaces, suspicious TLD, Tofsee, Windows, Cryptographic key, crashed
URLs (2):
  http://bargwelahar.xyz//
  https://jv.inokkr.ru/SystemServiceModelChannelsPeerFlooderSimple47662
Hosts (4):
  jv.inokkr.ru (195.161.41.50)
  bargwelahar.xyz (5.44.45.140)
  5.44.45.140
  195.161.41.50
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 9.8  Flag: M  VT detections: 37
Source: ZeroCERT

#44992  2021-05-27 10:00
File: Document 70259454.xls
MD5: fa58cb567a2ffeee77053fadf440a56f
Tags: VBA_macro, MSOffice File, VirusTotal, Malware, unpack itself, Tofsee
URLs (10):
  https://vitiligomatch.com/wpvitiligomatch/wp-includes/css/dist/block-directory/QaLUIUkxomX.php
  https://bellaloveboutique.com/wp-content/themes/salient/includes/partials/tgTzKdqzGivuZ9.php
  https://ppml.com.kh/ppml.com.kh/sothea.chhem/E7rTEXxjAS.php
  https://marcoislandguidebook.com/wp-includes/js/tinymce/plugins/charmap/xltGrJWiK.php
  https://ntf.gov.sb/components/com_acysms/views/unsubscribe/tmpl/8Wa80ysYUv6Klh.php
  https://bycec.in/wp-includes/js/tinymce/plugins/charmap/1MRWRA8z2S2Ajv.php
  https://houzzlink.com/wp-content/plugins/osen-wc-mpesa-master/updates/Puc/KOmZGbynRtPJ.php
  https://labrie-sabette.com/wp-includes/sodium_compat/namespaced/Core/ChaCha20/gp5yHrBp.php
  https://www.akseral.com/yonetim/vendors/iconfonts/font-awesome/css/wjM7uzNc3U8doR.php
  https://alpax.elcanotradingcorp.com/public/bower_components/jquery/src/ajax/oAIZxkctW.php
Hosts (26):
  ntf.gov.sb (192.185.32.234) - malicious
  labrie-sabette.com (173.230.252.50) - malicious
  alpax.elcanotradingcorp.com (108.167.181.248) - malicious
  www.akseral.com (83.150.213.154)
  marcoislandguidebook.com (192.185.79.55) - malicious
  houzzlink.com (148.66.138.194) - malicious
  incoming.telemetry.mozilla.org (52.42.229.170)
  definitionupdates.microsoft.com (23.40.44.112)
  vitiligomatch.com (192.185.16.122) - malicious
  bycec.in (208.91.198.106) - malicious
  ppml.com.kh (209.188.15.214) - malicious
  bellaloveboutique.com (107.180.58.44) - malicious
  www.microsoft.com (23.212.13.232)
  192.185.16.122 - malicious
  192.185.32.234 - malicious
  108.167.181.248 - malicious
  23.40.44.112
  35.155.6.125
  107.180.58.44 - malicious
  148.66.138.194 - malware
  173.230.252.50 - malicious
  208.91.198.106 - malware
  209.188.15.214 - malicious
  192.185.79.55 - malicious
  23.212.13.232
  83.150.213.154 - malicious
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
Rule-matched URLs: none
Score: 3.2  Flag: M  VT detections: 20
Source: ZeroCERT

#44993  2021-05-27 09:56
File: file5.exe
MD5: c6409dcd1888eed5d528f85c21b89162
Tags: Malicious Library, PE File, PE32, OS Processor Check, VirusTotal, Malware, Checks debugger, Creates executable files, unpack itself, suspicious process, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, DNS
URLs (3):
  http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
  http://157.90.238.247:43252//
  http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
Hosts (4):
  CXGVubAglGFDxYMBdULdcW.CXGVubAglGFDxYMBdULdcW ()
  api.ip.sb (104.26.12.31)
  157.90.238.247
  104.26.13.31
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none
Score: 4.2  Flag: M  VT detections: 10
Source: ZeroCERT

#44994  2021-05-27 09:56
File: file20.exe
MD5: e79511486f15a4f50b215af8440f25f9
Tags: AsyncRAT, backdoor, NPKI, PWS, .NET framework, .NET EXE, PE File, OS Processor Check, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, RCE, Cryptographic key, Software, crashed
URLs (2):
  http://mitedaziko.xyz//
  https://api.ip.sb/geoip
Hosts (4):
  mitedaziko.xyz (94.140.115.158)
  api.ip.sb (172.67.75.172)
  94.140.115.158
  172.67.75.172
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 6.6  Flag: M  VT detections: 18
Source: ZeroCERT

#44995  2021-05-27 09:56
File: file2.exe
MD5: 8e459aae5e232ee1e29e70645cd0fa83
Tags: PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, unpack itself, DNS, crashed
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score: 2.6  Flag: M  VT detections: 27
Source: ZeroCERT

#44996  2021-05-27 09:56
File: file4.exe
MD5: 10e4779075440455a3a16bfb66aceb52
Tags: AsyncRAT, backdoor, PWS, .NET framework, .NET EXE, PE File, OS Processor Check, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, RCE, Cryptographic key, Software, crashed
URLs (2):
  http://gemmase.xyz//
  https://api.ip.sb/geoip
Hosts (4):
  gemmase.xyz (45.130.147.55)
  api.ip.sb (104.26.12.31)
  45.130.147.55
  172.67.75.172
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none
Score: 7.4  Flag: M  VT detections: 35
Source: ZeroCERT

#44997  2021-05-27 09:56
File: z9rNC7mJo4hH
MD5: 24c28c9b3777b278fb4f05fbd7241a16
Tags: VBA_macro, MSOffice File, Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, DNS
URLs (6):
  http://everhappen.com/wp-content/ja/
  http://susumiller.com/wp-admin/1/
  http://leadercleverinvestissement.com/wp-admin/Ud/
  http://www.leadercleverinvestissement.com/wp-admin/Ud/
  http://laladiwanchandmodernwrestlingandyogacentre.com/wp-content/yuI/
  http://kavensports.com/wp-includes/o/
Hosts (14):
  susumiller.com (91.195.240.13) - malware
  kavensports.com (173.212.251.233) - malware
  laladiwanchandmodernwrestlingandyogacentre.com (68.66.226.86) - malware
  wordpress-330097-1043717.cloudwaysapps.com ()
  www.leadercleverinvestissement.com (46.182.4.120)
  everhappen.com (165.22.107.214) - malware
  leadercleverinvestissement.com (46.182.4.120) - malware
  ec2-52-56-233-157.eu-west-2.compute.amazonaws.com (52.56.233.157) - malware
  68.66.226.86 - malware
  91.195.240.13 - phishing
  46.182.4.120 - malware
  52.56.233.157 - malware
  165.22.107.214 - malware
  173.212.251.233 - malicious
IDS alerts: none
Rule-matched URLs: none
Score: 5.0  Flag: M  VT detections: 43
Source: ZeroCERT

#44998  2021-05-27 09:56
File: file1.exe
MD5: a21e5912c536d5fde51b5269bcfb356b
Tags: PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, unpack itself, crashed
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score: 2.0  Flag: M  VT detections: 22
Source: ZeroCERT

#44999  2021-05-27 09:54
File: file19.exe
MD5: 131296e016a70ea67760fa6eec3dca8f
Tags: Anti_VM, PE File, PE32, VirusTotal, Malware, unpack itself, Checks Bios, Detects VirtualBox, Detects VMWare, VMware anti-virtualization, Tofsee, Windows, Firmware, DNS, crashed
URLs (2):
  http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
  http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
Hosts (2):
  api.faceit.com (104.17.62.50)
  104.17.62.50
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 5.8  Flag: M  VT detections: 38
Source: ZeroCERT

#45000  2021-05-27 09:20
File: file23.exe
MD5: 4c9bb1adf101943c077c224a224ed490
Tags: PE64, PE File, VirusTotal, Malware, unpack itself, DNS
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score: 3.0  Flag: none  VT detections: 13
Source: ZeroCERT
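The host and URL fields in this listing are exported as one space-joined string per record ("domain(ip) - label", bare "ip - label", "url - rule_id: N"), and they mix real indicators with two kinds of noise: the sandbox's own 192.168.56.x UPnP/WS-Discovery requests, and calls to public IP-lookup services (api.ip.sb/geoip, ip-api.com/json) that stealers use to geolocate the victim. The following is an added example, not code from the listing or from ZeroCERT, that turns those raw fields into deduplicated indicators and a blocklist while dropping that noise. The IP_LOOKUP_SERVICES and VM_BACKGROUND_NOISE sets are assumptions an analyst would maintain; raw exports of this listing spell the verdict "mailcious", which the parser normalises; the sample fields are constructed in the export's shape and are not a copy of any one record above.

```python
"""Parse the flattened host/URL fields of this sandbox listing into IOCs."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed analyst-maintained sets, not part of the listing. api.ip.sb and
# ip-api.com are public "what is my IP" services that stealers call to
# geolocate the victim; they fingerprint the environment but are not C2.
IP_LOOKUP_SERVICES = {"api.ip.sb", "ip-api.com"}
VM_BACKGROUND_NOISE = {"www.microsoft.com", "definitionupdates.microsoft.com",
                       "incoming.telemetry.mozilla.org"}
HOSTILE_LABELS = {"malicious", "malware", "phishing"}
LABEL_ALIASES = {"mailcious": "malicious"}   # spelling found in raw exports

# Host field: "domain(ip) - label", "domain(ip)", "ip - label" or "ip", space-joined.
HOST_RE = re.compile(
    r"(?<!\S)(?:(?P<name>[A-Za-z0-9_.-]+)\((?P<ip>[0-9.]*)\)"
    r"|(?P<bare_ip>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?")
# URL field: "url" or "url - rule_id: N", space-joined.
URL_RE = re.compile(r"(?<!\S)(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")


@dataclass(frozen=True)
class Indicator:
    kind: str        # "domain", "ip" or "url"
    value: str
    label: str       # normalised verdict, "matched rule N", or "" if unlabelled
    note: str = ""   # set when the value is known not to be attacker infrastructure


def _addr(host: str):
    """The parsed address if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def _note_for(host: str) -> str:
    if host in IP_LOOKUP_SERVICES:
        return "public IP-lookup service (victim geolocation, not C2)"
    if host in VM_BACKGROUND_NOISE:
        return "analysis-VM background traffic"
    return ""


def parse_hosts(field: str) -> List[Indicator]:
    """Domain and IP indicators from the host field; sandbox-local (RFC 1918) addresses dropped."""
    labels: Dict[str, str] = {}
    resolved: Dict[str, str] = {}   # domain -> address the sandbox resolved it to
    order: List[str] = []           # first-seen order, deduplicated
    for m in HOST_RE.finditer(field):
        raw = (m.group("label") or "").lower()
        if m.group("name"):
            values = [m.group("name"), m.group("ip")]
            if m.group("ip"):
                resolved.setdefault(m.group("name"), m.group("ip"))
        else:
            values = [m.group("bare_ip")]
        for v in filter(None, values):
            if v not in order:
                order.append(v)
            labels[v] = labels.get(v) or LABEL_ALIASES.get(raw, raw)
    # A verdict on either side of a domain(ip) pair applies to both sides.
    for name, ip in resolved.items():
        labels[name] = labels[ip] = labels.get(name) or labels.get(ip) or ""
    owner = {ip: name for name, ip in resolved.items()}
    out: List[Indicator] = []
    for v in order:
        addr = _addr(v)
        if addr and addr.is_private:
            continue   # 192.168.56.x is the analysis VM itself (UPnP/WS-Discovery chatter)
        note = _note_for(v) or _note_for(owner.get(v, ""))
        out.append(Indicator("ip" if addr else "domain", v, labels[v], note))
    return out


def parse_urls(field: str) -> List[Indicator]:
    """URL indicators from the URL field, deduplicated, sandbox-local URLs dropped."""
    out: List[Indicator] = []
    for m in URL_RE.finditer(field):
        url = m.group("url")
        if any(i.value == url for i in out):
            continue
        host = re.match(r"https?://([^/:?#]+)", url).group(1)
        addr = _addr(host)
        if addr and addr.is_private:
            continue
        label = f"matched rule {m.group('rule')}" if m.group("rule") else ""
        out.append(Indicator("url", url, label, _note_for(host)))
    return out


def blocklist(indicators: List[Indicator]) -> List[str]:
    """Values worth blocking: hostile verdict or URL-rule hit, minus known-benign services."""
    return [i.value for i in indicators if not i.note
            and (i.label in HOSTILE_LABELS or i.label.startswith("matched rule"))]


# Constructed sample fields in the export's raw shape (a mix, not a copy of one record).
SAMPLE_HOSTS = ("news-systems.xyz(104.21.33.129) - mailcious api.ip.sb(104.26.12.31) "
                "iplogger.org(88.99.66.31) - mailcious 104.21.33.129 - mailcious "
                "104.26.12.31 88.99.66.31 - mailcious 192.168.56.103 "
                "CXGVubAglGFDxYMBdULdcW.CXGVubAglGFDxYMBdULdcW()")
SAMPLE_URLS = ("http://192.168.56.103:5357/probe/ "
               "https://news-systems.xyz/?user=aws2 - rule_id: 1515 "
               "https://news-systems.xyz/?user=aws2 - rule_id: 1515 "
               "https://api.ip.sb/geoip http://87.251.71.193// - rule_id: 1393")
```

Calling `blocklist(parse_hosts(SAMPLE_HOSTS) + parse_urls(SAMPLE_URLS))` yields the two labelled domains, their addresses and the two rule-matched URLs; the geolocation endpoint and the 192.168.56.x URL are left out even though the sandbox recorded them. The label is propagated across each domain(ip) pair because the export labels the domain line and the bare address line independently, so a feed built from only one of them would miss half the indicators. Keep the allowlist sets short and reviewed: a service such as iplogger.org is a tracking-link host that the listing itself marks as malicious, so it stays on the blocklist.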