45076 | 2020-11-21 17:34
ozchgftrq.exe d7a52acd99d213cdeb1f91ed193868d0
Tags: Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, ICMP traffic, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName
URLs (8): http://taenaiaa.ac.ug/msvcp140.dll, http://taenaiaa.ac.ug/main.php, http://taenaiaa.ac.ug/sqlite3.dll, http://taenaiaa.ac.ug/mozglue.dll, http://taenaiaa.ac.ug/softokn3.dll, http://taenaiaa.ac.ug/nss3.dll, http://taenaiaa.ac.ug/vcruntime140.dll, http://taenaiaa.ac.ug/freebl3.dll
Hosts (2): taenaiaa.ac.ug(217.8.117.77) - mailcious; 217.8.117.77 - suspicious
Alerts (4): ET DROP Spamhaus DROP Listed Traffic Inbound group 38; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
18.8 | M | 50 | ZeroCERT
45077 | 2020-11-21 17:34
POT.exe 51665d04b5fc3289e64ebb819e29e798
Tags: Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, AppData folder, malicious URLs, DNS, crashed
3.8 | M | | ZeroCERT
45078 | 2020-11-21 17:20
nnab.exe f87c759372219f7aea1b53289f8f4ad8
Tags: VirusTotal, Malware, Code Injection, buffers extracted, unpack itself, sandbox evasion, DNS, crashed
6.2 | M | 28 | ZeroCERT
45079 | 2020-11-21 17:20
ogo.exe 561e3075e7562f8e42a9f4e18e2c7635
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Ransomware, Windows, Browser, Tor, Email, ComputerName, Cryptographic key, Software, crashed, keylogger
URLs (2): http://crt.comodoca.com/COMODORSAAddTrustCA.crt, https://api.ipify.org/
Hosts (4): api.ipify.org(54.204.14.42); crt.comodoca.com(91.199.212.52); 91.199.212.52; 54.235.142.93
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.6 | M | 44 | ZeroCERT
45080 | 2020-11-21 17:16
nnab.exe f87c759372219f7aea1b53289f8f4ad8
Tags: VirusTotal, Malware, Code Injection, buffers extracted, unpack itself, sandbox evasion, crashed
5.6 | M | 28 | ZeroCERT
45081 | 2020-11-21 17:14
ds1.exe db0b8c1100f32aafe63cb885a30cc7e0
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, malicious URLs, DNS, crashed
8.6 | M | 17 | ZeroCERT
45082 | 2020-11-21 17:14
fank.exe fe2b5814b851201115c8964989899a4e
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Ransomware, Windows, Browser, Tor, Email, ComputerName, Cryptographic key, Software, crashed
URLs (2): http://crt.comodoca.com/COMODORSAAddTrustCA.crt, https://api.ipify.org/
Hosts (4): api.ipify.org(54.235.182.194); crt.comodoca.com(91.199.212.52); 91.199.212.52; 54.225.66.103
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 51 | ZeroCERT
45083 | 2020-11-21 17:09
ds1.exe db0b8c1100f32aafe63cb885a30cc7e0
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, malicious URLs, crashed
8.0 | M | 17 | ZeroCERT
45084 | 2020-11-21 17:09
document.doc bdf4feb317e41d2c450e006e90836e88
Tags: VirusTotal, Malware, exploit crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed
Hosts (4): mofsetbay.ga(188.227.84.83) - mailcious; historyiswiththosewhopeservewithallthestrugglesoflifefailingisn.ydns.eu(192.210.214.139) - malware; 192.210.214.139 - suspicious; 188.227.84.83
Alerts (2): ET INFO DNS Query for Suspicious .ga Domain; ET POLICY PE EXE or DLL Windows file download HTTP
5.2 | M | 27 | guest
45085 | 2020-11-21 17:06
BQoFEXaNOEtJ9dC.exe cbd9b726eb72d78bfba34ae1a7719ef2
Tags: VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, WriteConsoleW, Ransomware, Windows, Tor, ComputerName, DNS, crashed
URLs (1): http://baharanvilla.ir/wp-includes/z/inc/d51b6e0eedd7ee.php
Hosts (2): baharanvilla.ir(185.165.40.194) - mailcious; 185.165.40.194 - suspicious
11.4 | M | 44 | guest
45086 | 2020-11-21 17:05
azchgftrq.exe b403152a9d1a6e02be9952ff3ea10214
Tags: VirusTotal, Malware, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, malicious URLs, Windows, ComputerName
Hosts (2): morasergiox.ac.ug(217.8.117.77) - malware; 217.8.117.77 - suspicious
Alerts (5): ET DROP Spamhaus DROP Listed Traffic Inbound group 38; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
13.6 | M | 26 | guest
45087 | 2020-11-20 18:47
azchgftrq.exe b403152a9d1a6e02be9952ff3ea10214
Tags: Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, ICMP traffic, unpack itself, Windows utilities, Collect installed applications, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, WriteConsoleW, anti-virtualization, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, DNS
URLs (10): http://taenaiaa.ac.ug/msvcp140.dll, http://taenaiaa.ac.ug/main.php, http://taenaiaa.ac.ug/sqlite3.dll, http://taenaiaa.ac.ug/mozglue.dll, http://taenaiaa.ac.ug/softokn3.dll, http://taenaiaa.ac.ug/, http://taenaiaa.ac.ug/nss3.dll, http://taenaiaa.ac.ug/vcruntime140.dll, http://taenaiaa.ac.ug/freebl3.dll, http://morasergiox.ac.ug/index.php
Hosts (3): taenaiaa.ac.ug(217.8.117.77); morasergiox.ac.ug(217.8.117.77) - malware; 217.8.117.77 - suspicious
Alerts (6): ET DROP Spamhaus DROP Listed Traffic Inbound group 38; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
20.2 | M | 26 | guest
45088 | 2020-11-20 18:46
ac.exe 49ba8ccea19e418fd166e89e46e2897f
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs
Hosts (3): agentpurple.ac.ug() - mailcious; agentttt.ac.ug(79.134.225.40) - mailcious; 79.134.225.40 - suspicious
9.8 | M | 48 | guest
45089 | 2020-11-20 14:13
ac.exe 49ba8ccea19e418fd166e89e46e2897f
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, malicious URLs
Hosts (3): agentpurple.ac.ug() - mailcious; agentttt.ac.ug(79.134.225.40) - mailcious; 79.134.225.40 - suspicious
10.2 | M | 20 | admin
45090 | 2020-11-20 14:10
ac.exe 49ba8ccea19e418fd166e89e46e2897f
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs
Hosts (3): agentpurple.ac.ug() - mailcious; agentttt.ac.ug(79.134.225.40) - mailcious; 79.134.225.40 - suspicious
9.4 | M | 20 | guest