45496 | 2021-05-18 16:20
File: 27364cdfec04f571117b8425e85134... (MD5 a1acc4e7065d4eb28cdf9e85973cba16)
Tags: Generic Malware PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check
URLs (3): http://ol.gamegame.info/report7.4.php http://ip-api.com/json/?fields=8198 http://iw.gamegame.info/report7.4.php
Hosts (8): email.yg9.me(198.13.62.186) iw.gamegame.info(172.67.200.215) ol.gamegame.info(104.21.21.221) ip-api.com(208.95.112.1) 198.13.62.186 208.95.112.1 104.21.21.221 172.67.200.215
Alerts (1): ET POLICY External IP Lookup ip-api.com
8.4 | M | 37 | r0d

45497 | 2021-05-18 10:13
File: SunLabsPlayer.exe (MD5 8639e05b36f6a6ecbc33e819d3654daa)
Tags: Gen1 Antivirus Anti_VM PE File PE32 DLL PNG Format PE64 OS Processor Check GIF Format powershell suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser ComputerName Cryptographic key
URLs (1): http://moonlabmediacompany.com/data/data.7z
Hosts (2): moonlabmediacompany.com(89.221.213.3) 89.221.213.3 - mailcious
10.0 | ZeroCERT

45498 | 2021-05-18 10:08
File: cvhost.exe (MD5 5db833b014cd9a4b96d3e780543eaea6)
Tags: Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows RCE DNS crashed
2.8 | ZeroCERT

45499 | 2021-05-18 09:57
File: CBCbrowser.exe (MD5 5cdf8ce1bcc26bf8473f09447cfa0c47)
Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 MSOffice File Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed
URLs (5): http://87.251.71.193// https://iplogger.org/1uP9s7 https://42nn.hellomir.ru/SystemServiceModelChannelsHttpInput54082 https://iplogger.org/favicon.ico https://api.ip.sb/geoip
Hosts (8): api.ip.sb(172.67.75.172) 42nn.hellomir.ru(217.107.34.191) iplogger.org(88.99.66.31) - mailcious 87.251.71.193 88.99.66.31 - mailcious 104.26.13.31 37.187.95.110 217.107.34.191 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
12.8 | M | ZeroCERT

45500 | 2021-05-18 09:56
File: diagram-58392516.xls (MD5 3e58b8987074c6d6b6725e2cbdb0494d)
Tags: MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed
URLs (5): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092 https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.339.927.0/x86/mpas-fe.exe https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
Hosts (8): www.microsoft.com(23.201.37.168) definitionupdates.microsoft.com(23.40.44.112) incoming.telemetry.mozilla.org(44.240.8.189) hermescomm.net(162.241.27.24) - mailcious 52.33.45.66 23.40.44.112 162.241.27.24 - suspicious 23.201.37.168
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | 15 | guest

45501 | 2021-05-18 09:56
File: 27364cdfec04f571117b8425e85134... (MD5 a1acc4e7065d4eb28cdf9e85973cba16)
Tags: PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder sandbox evasion IP Check DNS
URLs (3): http://ol.gamegame.info/report7.4.php http://ip-api.com/json/?fields=8198 http://iw.gamegame.info/report7.4.php
Hosts (7): email.yg9.me(198.13.62.186) iw.gamegame.info(172.67.200.215) ol.gamegame.info(104.21.21.221) ip-api.com(208.95.112.1) 198.13.62.186 208.95.112.1 172.67.200.215
Alerts (2): ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set ET POLICY External IP Lookup ip-api.com
8.4 | M | 26 | ZeroCERT

45502 | 2021-05-18 09:56
File: diagram-58895225.xls (MD5 16ec6ae1941a5f788d18aa6673be5fee)
Tags: MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed
Hosts (2): hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
2.6 | 15 | guest

45503 | 2021-05-18 09:56
File: diagram-58650286.xls (MD5 a8f34f2a8de7b470c474c50c8cd4b15f)
Tags: MSOffice File VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
URLs (2): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
Hosts (3): hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious 172.67.200.215
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | 15 | guest

45504 | 2021-05-18 09:55
File: diagram-553418662.xls (MD5 62c064e08d3aef1d97e64068583345d1)
Tags: MSOffice File Check memory unpack itself Tofsee crashed
URLs (2): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
Hosts (2): hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.0 | guest

45505 | 2021-05-18 09:38
File: Trinity-Miner_1.exe (MD5 3db9825a26cbb1f4bffd62194c5c52cc)
Tags: AsyncRAT backdoor .NET EXE PE File OS Processor Check PE32 PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Auto service Check virtual network interfaces Windows ComputerName Firmware DNS
Hosts (2): pool.supportxmr.com(94.23.23.52) - mailcious 37.187.95.110
6.6 | M | 49 | ZeroCERT

45506 | 2021-05-18 09:38
File: Optimize.facebook.ads.exe (MD5 a5292f2ae50ae5ca63dd1ae659548c28)
Tags: PE File OS Processor Check PE32 VirusTotal Malware Check memory unpack itself crashed
2.4 | 35 | ZeroCERT

45507 | 2021-05-18 09:28
File: Setup2.exe (MD5 46fcb8a8f7db4f6e098f1213b1955498)
Tags: Gen2 Emotet Glupteba VMProtect PE File PE32 DLL GIF Format OS Processor Check Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS crashed
URLs (7): http://ol.gamegame.info/report7.4.php http://iw.gamegame.info/report7.4.php http://ip-api.com/json/ http://uyg5wye.2ihsfa.com/api/?sid=293289&key=0b72a8497029bcfa3fd924f33ac1d264 http://uyg5wye.2ihsfa.com/api/fbtime http://ip-api.com/json/?fields=8198 https://www.facebook.com/
Hosts (13): www.facebook.com(157.240.215.35) email.yg9.me(198.13.62.186) uyg5wye.2ihsfa.com(88.218.92.148) ol.gamegame.info(104.21.21.221) ip-api.com(208.95.112.1) iw.gamegame.info(172.67.200.215) 117.18.237.29 208.95.112.1 172.67.200.215 104.21.21.221 88.218.92.148 - malware 157.240.215.35 198.13.62.186
Alerts (3): ET POLICY External IP Lookup ip-api.com ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 | 47 | ZeroCERT

45508 | 2021-05-18 09:27
File: customer2.exe (MD5 6d7603e4fd4d633cae7eaee0f1029a17)
Tags: Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser RCE
URLs (4): http://uyg5wye.2ihsfa.com/api/fbtime http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc http://ip-api.com/json/ https://www.facebook.com/
Hosts (6): uyg5wye.2ihsfa.com(88.218.92.148) www.facebook.com(157.240.215.35) ip-api.com(208.95.112.1) 157.240.215.35 208.95.112.1 88.218.92.148 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
6.4 | M | 59 | ZeroCERT

45509 | 2021-05-18 09:24
File: app.exe (MD5 49dd88ce21471d18eb1048358a37ab98)
Tags: Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows RCE crashed
3.0 | 24 | ZeroCERT

45510 | 2021-05-18 09:23
File: toolspab2.exe (MD5 eb3585c3f3e6b3b7ac66c9a41724534b)
Tags: Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows RCE DNS crashed
Hosts (1):
2.4 | ZeroCERT