No. | Submitted | File | MD5 | Score | Flag | VT | Submitter

45571 | 2021-05-13 16:03 | easyon-1.exe | a0b256269745ce17a7782647a66c9428 | 8.4 | - | - | guest
  Tags: Emotet PE File PE32 DLL PE64 OS Processor Check Malware download Dridex Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities AntiVM_Disk sandbox evasion WriteConsoleW Firewall state off VM Disk Size Check Windows RCE
  URLs (16):
    http://www.seetrol.com/update3/NetScan.exe
    http://www.seetrol.com/update3/MirrInst64.exe
    http://www.seetrol.com/update3/105/x64/dfmirage.dll
    http://www.seetrol.com/update3/105/x86/dfmirage.sys
    http://www.seetrol.com/update3/068/dfmirage.sys
    http://www.seetrol.com/update3/Install.txt
    http://www.seetrol.com/update3/068/dfmirage.dll
    http://www.seetrol.com/update3/105/dfmirage.cat
    http://www.seetrol.com/update3/MirrInst32.exe
    http://www.seetrol.com/update3/105/dfmirage.inf
    http://www.seetrol.com/update3/SeetrolCenter.exe
    http://www.seetrol.com/update3/105/x86/dfmirage.dll
    http://www.seetrol.com/update3/068/dfmirage.inf
    http://www.seetrol.com/update3/105/x64/dfmirage.sys
    http://www.seetrol.com/update3/Uninstall.txt
    http://www.seetrol.com/update3/068/dfmirage.cat
  Hosts (4): easyon.seetrol.com (1.209.106.212), www.seetrol.com (45.115.155.209), 1.209.106.212, 45.115.155.209
  Alerts (3):
    ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
45572 | 2021-05-13 11:02 | v.exe | fa85dccdc26f4e37e751e644864e27e2 | 12.8 | M | 20 | ZeroCERT
  Tags: PWS .NET framework Malicious Packer DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS
  Hosts (2): freedemboiz.ddns.net (199.36.223.213), 199.36.223.213
  Alerts (1):
    ET POLICY DNS Query to DynDNS Domain *.ddns .net
45573 | 2021-05-13 11:00 | b.exe | 1e21969ef30c0484bd1b9aaef1f16907 | 10.0 | M | 24 | ZeroCERT
  Tags: PWS .NET framework email stealer Malicious Packer DNS Socket Escalate privileges KeyLogger Code injection Downloader persistence AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check Windows DNS
  Hosts (1): entry not shown in the listing
45574 | 2021-05-13 10:58 | docsc.exe | 457b22da77d4db093a31dd80a4b8963f | 9.6 | M | 34 | ZeroCERT
  Tags: AsyncRAT backdoor Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows Cryptographic key
45575 | 2021-05-13 10:57 | svchost.exe | 2edb5a087966f25f972506500a48c9f3 | 10.8 | M | 36 | ZeroCERT
  Tags: AsyncRAT backdoor Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process Windows ComputerName DNS Cryptographic key
45576 | 2021-05-13 10:08 | robopac.exe | 0a2f3448bf0077279f98a5d9f2751d9c | 2.0 | - | 31 | ZeroCERT
  Tags: PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself
45577 | 2021-05-13 09:58 | image.exe | 906c90c5a321e9d087056a07d6dff929 | 12.2 | M | 21 | ZeroCERT
  Tags: AsyncRAT backdoor email stealer Malicious Library DNS Socket Escalate privileges KeyLogger Code injection Downloader persistence AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
  Hosts (1): entry not shown in the listing
45578 | 2021-05-13 09:57 | wzreporteditor.rar | 888c0a23a36025b29da51f002f458234 | 3.4 | M | 50 | ZeroCERT
  Tags: Escalate privileges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS
45579 | 2021-05-13 09:46 | update201703280212.exe | 3ccd1b5d4ea318d18cde4f03a6624679 | 2.8 | M | 27 | r0d
  Tags: UPX PE File PE32 VirusTotal Malware Check memory unpack itself RCE
45580 | 2021-05-13 09:44 | update201703280212.exe | 3ccd1b5d4ea318d18cde4f03a6624679 | 2.8 | M | 27 | r0d
  Tags: UPX PE File PE32 VirusTotal Malware Check memory unpack itself RCE
45581 | 2021-05-13 08:26 | update201703280212.exe | 3ccd1b5d4ea318d18cde4f03a6624679 | 4.4 | M | 27 | ZeroCERT
  Tags: PE File PE32 UPX VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows RCE DNS
  URLs (3):
    http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2
    https://update.googleapis.com/service/update2
  Hosts (4): edgedl.me.gvt1.com (34.104.35.123), 142.250.207.67, 34.104.35.123, 142.250.66.35
  Alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
45582 | 2021-05-13 08:23 | Asyn_gracet.exe | a111a4a9058473075bea557a2ff2dfd6 | 1.6 | - | 46 | ZeroCERT
  Tags: AsyncRAT backdoor PWS .NET framework Malicious Library .NET EXE OS Processor Check PE File PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware Kovter DNS DDNS
  Hosts (2): sipex2021.ddns.net (79.134.225.7) [flagged malicious], 79.134.225.7 [flagged malicious]
  Alerts (3):
    ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
    ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
    ET POLICY DNS Query to DynDNS Domain *.ddns .net
45583 | 2021-05-13 08:23 | kn.exe | 167f0a829df709cc4107369ed23fbdfb | 16.6 | - | 31 | ZeroCERT
  Tags: Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS
  URLs (2):
    http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2?cup2key=10:554636579&cup2hreq=f1e8358d230c769ebdd30f8b65f8e5e943940b09e34e48f61ef8e622dae553a6
  Hosts (5): edgedl.me.gvt1.com (34.104.35.123), wespeaktruthtoman.sytes.net (79.134.225.47) [flagged malicious], 79.134.225.47 [flagged malicious], 34.104.35.123, 142.250.204.99
  Alerts (4):
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
45584 | 2021-05-13 08:23 | XNAFrameworkClassLibrary.pdf | eac4870e667458a95da0b52ed6457331 | 1.2 | - | 23 | ZeroCERT
  Tags: AsyncRAT backdoor DLL PE File .NET DLL PE32 VirusTotal Malware PDB
45585 | 2021-05-13 08:21 | knnnn.exe | 62e8b40ed70c64fbd25a070a0c8b78f7 | 13.2 | M | 19 | ZeroCERT
  Tags: PWS Loki[b] Loki[m] AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
  URLs (1):
    http://173.208.204.37/k.php/dbePePYEJ6qJn
  Hosts (1): 173.208.204.37 [flagged malicious]
  Alerts (6):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
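Turning rows like these into indicators takes more than copying the host column: the listing runs Suricata signature names together, writes hosts as `domain(ip)` with a trailing malicious flag, and mixes the sample's own infrastructure with traffic the analysis VM generates by itself (the `edgedl.me.gvt1.com` and `update.googleapis.com` entries in 45581 and 45583 are Google Update endpoints, and the "PE EXE or DLL Windows file download" and JA3 alerts in those rows fire on exactly that traffic). The Python below is an added example, not code from the sandbox site. It takes two rows copied from the listing (45583 and 45585) in the flattened form shown on the page, validates the MD5, splits the alert names, separates the hosts the listing flags, marks dynamic-DNS domains, and sets aside the vendor update hosts. The vendor allowlist and the dynamic-DNS suffix list are this example's own assumptions, not something the listing states.

```python
"""Indicator extraction for sandbox listing rows like the ones above.

Added example, not code from the sandbox site. RECORDS are copied from the
listing (hash, URL, host and alert fields in the run-together form the page
shows them); VENDOR_ALLOWLIST and DYNDNS_SUFFIXES are this example's own
assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed input: fields of two rows from the listing above (45583, 45585).
RECORDS = [
    {
        "id": 45583,
        "file": "kn.exe",
        "md5": "167f0a829df709cc4107369ed23fbdfb",
        "urls": "http://edgedl.me.gvt1.com/edgedl/release2/update2/"
                "AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe",
        "hosts": "edgedl.me.gvt1.com(34.104.35.123) "
                 "wespeaktruthtoman.sytes.net(79.134.225.47) - mailcious "
                 "79.134.225.47 - mailcious 34.104.35.123 142.250.204.99",
        "alerts": "ET POLICY PE EXE or DLL Windows file download HTTP "
                  "ET INFO EXE - Served Attached HTTP "
                  "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) "
                  "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    },
    {
        "id": 45585,
        "file": "knnnn.exe",
        "md5": "62e8b40ed70c64fbd25a070a0c8b78f7",
        "urls": "http://173.208.204.37/k.php/dbePePYEJ6qJn",
        "hosts": "173.208.204.37 - mailcious",
        "alerts": "ET MALWARE LokiBot User-Agent (Charon/Inferno) "
                  "ET MALWARE LokiBot Checkin",
    },
]

# Assumption: update endpoints the analysis VM contacts on its own (Google
# Update); hits on them are sandbox noise, not indicators for the sample.
VENDOR_ALLOWLIST = {"edgedl.me.gvt1.com", "update.googleapis.com"}
# Assumption: a short dynamic-DNS suffix list. The page's own alert names
# *.ddns.net; sytes.net is another No-IP zone.
DYNDNS_SUFFIXES = ("ddns.net", "sytes.net")

MD5_RE = re.compile(r"[0-9a-f]{32}")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# One host entry: optional "domain(", an IPv4, optional ")", optional
# " - malicious" flag (the listing spells the flag "mailcious").
HOST_RE = re.compile(
    r"(?:(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\()?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
    r"(?P<flag>\s*-\s*(?:malicious|mailcious))?"
)
# Alert names are run together; each starts with "ET <CLASS> " or "SSLBL: ".
ALERT_SPLIT_RE = re.compile(r"\s+(?=ET [A-Z0-9]+ |SSLBL: )")


def split_alerts(raw: str) -> list[str]:
    raw = raw.strip()
    return ALERT_SPLIT_RE.split(raw) if raw else []


def parse_hosts(raw: str) -> list[dict]:
    return [
        {"domain": m["domain"], "ip": m["ip"], "flagged": m["flag"] is not None}
        for m in HOST_RE.finditer(raw)
    ]


def is_dyndns(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in DYNDNS_SUFFIXES)


def defang(indicator: str) -> str:
    """Make a URL or host safe to paste into a ticket (hxxp, bracketed dots)."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(record: dict) -> dict:
    md5 = record["md5"].lower()
    if not MD5_RE.fullmatch(md5):
        raise ValueError(f"bad MD5 in record {record['id']}: {record['md5']!r}")
    hosts = parse_hosts(record["hosts"])
    urls = record["urls"].split()
    url_hosts = {urlsplit(u).hostname for u in urls} - {None}
    domains = {h["domain"] for h in hosts if h["domain"]}
    domains |= {h for h in url_hosts if not IPV4_RE.fullmatch(h)}
    ips = {h["ip"] for h in hosts} | {h for h in url_hosts if IPV4_RE.fullmatch(h)}
    noise = domains & VENDOR_ALLOWLIST
    # IPs the listing pairs with an allowlisted domain are noise as well.
    noise_ips = {h["ip"] for h in hosts if h["domain"] in VENDOR_ALLOWLIST}
    return {
        "md5": md5,
        "domains": sorted(domains - noise),
        "dyndns": sorted(d for d in domains if is_dyndns(d)),
        "flagged": sorted({h["domain"] or h["ip"] for h in hosts if h["flagged"]}),
        "allowlisted": sorted(noise),
        "actionable_ips": sorted(ips - noise_ips),
        "urls": [defang(u) for u in urls if urlsplit(u).hostname not in VENDOR_ALLOWLIST],
        "alerts": split_alerts(record["alerts"]),
    }


if __name__ == "__main__":
    for rec in RECORDS:
        iocs = extract_iocs(rec)
        print(f"{rec['id']} {rec['file']} md5={iocs['md5']}")
        for key in ("domains", "dyndns", "flagged", "allowlisted", "actionable_ips", "urls"):
            print(f"  {key:15s} {', '.join(iocs[key]) or '-'}")
        print(f"  alerts          {len(iocs['alerts'])}")
```

For 45583 this leaves `wespeaktruthtoman.sytes.net`, `79.134.225.47` and the unpaired `142.250.204.99` as candidates, drops the Google Update URL and its paired address, and marks the `.sytes.net` host as dynamic DNS; for 45585 it yields the single LokiBot check-in address and its defanged URL. The allowlist is deliberately small: widen it only for traffic you have confirmed the guest image generates on its own.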