45511 |
2021-05-18 09:19
|
file4.exe 3795c43b2e06e15edb01a8a237243b08 AgentTesla PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework BitCoin browser info stealer Google Chrome User Data DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal cr VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows ComputerName DNS crashed |
16
|
9
ocsp.digicert.com(117.18.237.29) api.faceit.com(104.17.63.50) ipinfo.io(34.117.59.81) cdn.discordapp.com(162.159.129.233) - malware 117.18.237.29 162.159.129.233 - malware 82.146.59.236 - mailcious 104.17.62.50 34.117.59.81
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
3
http://82.146.59.236/processorDefault.php http://82.146.59.236/processorDefault.php http://82.146.59.236/processorDefault.php
|
12.6 |
M |
24 |
ZeroCERT
45512 |
2021-05-18 09:18
|
jooyu.exe aed57d50123897b0012c35ef5dec4184 Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser RCE |
5
http://uyg5wye.2ihsfa.com/api/fbtime http://ip-api.com/json/ http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928 https://iplogger.org/18hh57 https://www.facebook.com/
|
8
uyg5wye.2ihsfa.com(88.218.92.148) www.facebook.com(157.240.215.35) ip-api.com(208.95.112.1) iplogger.org(88.99.66.31) - mailcious 157.240.215.35 208.95.112.1 88.218.92.148 - malware 88.99.66.31 - mailcious
|
2
ET POLICY External IP Lookup ip-api.com SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
56 |
ZeroCERT
45513 |
2021-05-18 09:18
|
a7xsbjsf.zip afd9013de89b0b5ae549599c9afba03d DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.4 |
|
10 |
ZeroCERT
45514 |
2021-05-18 09:14
|
lhtr7x1pv.zip 283398a30cd7505b780c113d1838fc40 DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS crashed |
|
|
|
|
1.8 |
|
8 |
ZeroCERT
45515 |
2021-05-18 09:13
|
setup.exe b749832e5d6ebfc73a61cde48a1b890b Process Kill PE File OS Processor Check PE32 Device_File_Check Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory buffers extracted ICMP traffic Windows utilities suspicious process AppData folder anti-virtualization Windows Browser |
2
http://www.wws23dfwe.com/index.php/api/fb http://www.wws23dfwe.com/index.php/api/a
|
2
www.wws23dfwe.com(45.76.53.14) 45.76.53.14 - mailcious
|
|
|
7.2 |
|
59 |
ZeroCERT
45516 |
2021-05-18 09:11
|
file1.exe 7aadd46ba3b6e23aca20677ac281c03b Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows RCE crashed |
|
|
|
|
2.2 |
M |
|
ZeroCERT
45517 |
2021-05-18 09:09
|
file2.exe dba20ac697952657e4daee957e10a805 Raccoon Stealer Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows RCE crashed |
|
|
|
|
2.0 |
M |
|
ZeroCERT
45518 |
2021-05-18 09:08
|
proof of payment.exe 7238cb41274f63e1d5463d9259facb19 AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed |
|
|
|
|
10.8 |
|
34 |
ZeroCERT
45519 |
2021-05-18 09:07
|
n9yo6g3m.rar e5769bdf194b0a6369c0f58cc16e5a96 DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS crashed |
|
|
|
|
1.8 |
M |
7 |
ZeroCERT
45520 |
2021-05-18 09:06
|
b9cmykxv6.tar 0887cda7ee95f03a05cc7fa5d12ea1bc DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.4 |
M |
10 |
ZeroCERT
45521 |
2021-05-18 09:04
|
file5.exe 723a3fc8d6faeefe3f6ac7eca0f56570 Anti_VM PE File PE32 VirusTotal Malware unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Tofsee Windows ComputerName Firmware crashed |
|
2
api.faceit.com(104.17.63.50) 104.17.63.50
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
25 |
ZeroCERT
45522 |
2021-05-18 09:03
|
mega.exe ffba772f9ca82656131883f57760fe1d AgentTesla Gen1 Gen2 DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM PE File PE32 PE64 DLL Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself suspicious process WriteConsoleW Tofsee Windows |
3
https://hcqffw.db.files.1drv.com/y4m6dVzY8CCIhzjb-I23lqiX8p_OpgjX4UgVdcD0vA_YnoKFdHuI_cf0IQBZQmGX-eQsEGcduV3IN7eAcU_CjcQcnSp5UMgVJox_ksMyrBZxMM5xkIS4NZ1hMCXekymp67Rv6cQeoxxtT8ZaF-KX_igccR972RpYjhLBmlkgNtkaG1oMVNRD21JiWEo5UW2m9WT2m8rczGwxArlilVCac3m-A/Zgbjwrwwilzzptiybppmkkujxqzsfgg?download&psid=1 https://hcqffw.db.files.1drv.com/y4mVE2s76lcwPjMfcPCkq0z8SRIHO9DbIQsNNvOCDTHtjXuEV_NW2eFGXT_O-Ji6nLGV601ybW4ueJYpikq58o9lSIoSQFTXRVr2c0n7aj_iwFe1Elc_vM3W1Cjkvhs4DJ-tQ_Uy8y_AlyNmOjPWpkR4KCYnu4RKISMhLEaIrfJNCWU1BOYeQkDM_VfWzg2ofNrigxv_LUea2x98UWMgRC30Q/Zgbjwrwwilzzptiybppmkkujxqzsfgg?download&psid=1 https://onedrive.live.com/download?cid=56BCCEEF869BA531&resid=56BCCEEF869BA531%21109&authkey=APWq7QSqCmVR7dg
|
4
hcqffw.db.files.1drv.com(13.107.42.12) onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious 13.107.42.12 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
39 |
ZeroCERT
45523 |
2021-05-18 09:02
|
tuvomaq.exe 524acaf48bdd42d49c4f6f485468bc67 PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege MachineGuid Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://dcspm.xyz/TK/five/fre.php
|
1
|
|
|
7.4 |
|
|
ZeroCERT
45524 |
2021-05-18 09:00
|
C3b.exe edc4dc3947bcadc3039095321c71572a Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 Malware download NetWireRC VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW BitRAT Windows ComputerName DNS DDNS keylogger |
|
2
cs50.publicvm.com(194.5.98.15) 194.5.98.15
|
1
ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
|
|
13.6 |
|
48 |
ZeroCERT
45525 |
2021-05-18 09:00
|
INVOICE%20CONFIRMATION.exe 47cb06b3265d633beef3831e2d9c73ff Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Checks Bios Detects VirtualBox VMware anti-virtualization ComputerName DNS Software |
|
1
|
|
|
13.2 |
|
21 |
ZeroCERT