ID | Submitted | File | MD5 | Tags | URLs | Hosts | Alerts | Flagged URLs | Score | Flag | Count | Submitter
---|---|---|---|---|---|---|---|---|---|---|---|---
45436 | 2021-05-23 10:21 | bin.exe | edb386d29730158b61b5212b9b922a5a | Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows RCE DNS crashed | | | | | 3.8 | M | 30 | ZeroCERT
45437 | 2021-05-23 10:20 | lv.exe | e5e087b4c90602abb32b2464449c5c43 | Emotet Glupteba Gen1 Gen2 PE File PE32 DLL OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed | | | | | 3.6 | M | 44 | ZeroCERT
45438 | 2021-05-23 10:15 | cred.dll | 1606294ef66c020a6585301620aeb440 | PWS Loki[b] Loki[m] DLL PE File PE32 FTP Client Info Stealer ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software | 1: http://185.215.113.57//1dEr2nYffd/index.php | 1 | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 24 | | 6.4 | M | 47 | ZeroCERT
45439 | 2021-05-23 10:15 | scr.dll | 7a77bc3281be4a356defa637d2d70014 | Amadey DLL PE File PE32 JPEG Format ENERGETIC BEAR VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself DNS | 1: http://185.215.113.57//1dEr2nYffd/index.php?scr=up | 1 | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 24 | | 4.0 | M | 36 | ZeroCERT
45440 | 2021-05-23 10:15 | lv.exe | 2809de5c1d9de29a85dcd05e179b70e4 | AgentTesla Glupteba NPKI Gen1 Gen2 Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug Ant VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed | | 1: LrSfxvUGrKDUSKClHcvcmajDA.LrSfxvUGrKDUSKClHcvcmajDA() | | | 12.0 | M | 27 | ZeroCERT
45441 | 2021-05-23 10:14 | 22.exe | 84a289e78940e188a5d3cd76c99b609e | AsyncRAT backdoor PWS .NET framework Malicious Packer DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS | | 3: freedemboiz.ddns.net(160.152.134.64) - malicious; 199.36.223.34; 160.152.134.64 | 1: ET POLICY DNS Query to DynDNS Domain *.ddns .net | | 15.0 | M | 45 | ZeroCERT
45442 | 2021-05-23 10:13 | BBSbacket.exe | e19f8b76b5a0c4959fcb41fe5b46ad80 | AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed | 3: http://87.251.71.193// - rule_id: 1393; https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947; https://api.ip.sb/geoip | 5: c.pycharm3.ru(217.107.34.191); api.ip.sb(172.67.75.172); 104.26.12.31; 87.251.71.193 - malicious; 217.107.34.191 - malicious | 2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request | 1 | 11.8 | M | 30 | ZeroCERT
45443 | 2021-05-23 10:13 | setup2.exe | f7b84bc8e435cc4dd024f66cd53b3609 | PE File PE32 VirusTotal Malware Check memory unpack itself DNS crashed | | | | | 2.2 | M | 19 | ZeroCERT
45444 | 2021-05-23 10:04 | file.exe | 208d68b24b8a9d9f9db57f5f7705ecf9 | Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed | | | | | 3.4 | | 26 | ZeroCERT
45445 | 2021-05-23 10:03 | setup1.exe | a4015fd6918ebda49f3119c6851e2f56 | PE File PE32 VirusTotal Malware Check memory unpack itself crashed | | | | | 1.6 | | 16 | ZeroCERT
45446 | 2021-05-21 17:09 | 0520_565103775327.doc | 21d75f519830577395709b9e78bc8971 | Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName | 2: http://vaethemanic.com/8/forum.php - rule_id: 1478; http://api.ipify.org/ | 8: prournauseent.ru(176.9.248.145) - malicious; tembovewinated.ru(185.10.45.99) - malicious; api.ipify.org(54.235.83.248); vaethemanic.com(2.56.10.123) - malicious; 176.9.248.145 - malicious; 2.56.10.123 - malicious; 185.10.45.99 - malicious; 50.19.242.215 | 1: ET POLICY External IP Lookup api.ipify.org | 1: http://vaethemanic.com/8/forum.php | 9.2 | M | 13 | ZeroCERT
45447 | 2021-05-21 16:38 | vg23ty.exe | 0f66f5cd6f420f6d386924c0243cc6dc | AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed | 1: http://www.blueridgeholisticdental.com/nke/?b6=uV8TJry0ZtzhNvo&9rghd220=beluo/A3x1wk0axcPPYLRI6VL5KZoBZCIza2nCls1jNtqOSK3OGdLiR1PhbzTLTJ4aTYYmbD | 3: www.blueridgeholisticdental.com(34.102.136.180); www.soqbtiup.icu(); 34.102.136.180 - malicious | 2: ET INFO DNS Query for Suspicious .icu Domain; ET MALWARE FormBook CnC Checkin (GET) | | 13.2 | M | 25 | guest
45448 | 2021-05-21 16:34 | ConsoleApp19.exe | ccf10dc1a6d121efdf9c28443a56e8b7 | AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | 2: http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150 | 4: freegeoip.app(172.67.188.154); checkip.dyndns.org(131.186.113.70); 216.146.43.70 - suspicious; 172.67.188.154 | 4: ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 17.0 | M | 18 | ZeroCERT
45449 | 2021-05-21 16:33 | ConsoleApp9.exe | 0f938ac4802642b34cc7105fb04c32ac | AsyncRAT backdoor AgentTesla Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | 2: http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150 | 4: freegeoip.app(104.21.19.200); checkip.dyndns.org(131.186.113.70); 162.88.193.70; 104.21.19.200 | 4: ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 17.6 | M | 21 | ZeroCERT
45450 | 2021-05-21 16:27 | vg23ty.exe | 0f66f5cd6f420f6d386924c0243cc6dc | AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed | 2: http://www.daisy.photos/nke/?b6=h2yM4Zcqyl5zYTLZoZFTdz+q0PzETSYzB1r7CFHsdUVGmTt4pA27lzRJaz2sVEaOyrLDjNmk&DbG=_DKdFj; http://www.workseap.com/nke/?DbG=_DKdFj&b6=mhSwXDq/7jOnyGkHqIVBrQNGEBg/J92S9Fu5waQttFlwrCbgrKU5sQr5NLJsPaaf0eNzTs2a | 3: www.daisy.photos(34.102.136.180); www.workseap.com(34.102.136.180); 34.102.136.180 - malicious | 1: ET MALWARE FormBook CnC Checkin (GET) | | 13.2 | M | 25 | guest