48991 | 2021-02-05 10:42 | ZeroCERT
File: document.doc
MD5: 4e87ed4b9b082944c95ae960a71acee6
Tags: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (1):
  http://192.210.218.29/regasm/vbc.exe
Hosts (1):
  192.210.218.29 - mailcious
Signatures (6):
  ET INFO Executable Download from dotted-quad Host
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.2 | M | 28

48992 | 2021-02-05 10:39 | ZeroCERT
File: 13jcAOKhFZ4p10l.exe
MD5: 970239926ca7461a81faa9d3c0903f4e
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS crashed
Score: 11.8 | M | 31

48993 | 2021-02-05 10:38 | ZeroCERT
File: 6lhjgfdghj.exe
MD5: 77be0dd6570301acac3634801676b5d7
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName Software
URLs (1):
  http://api.ipify.org/?format=xml
Hosts (4):
  sweyblidian.com(185.100.65.29) - mailcious
  api.ipify.org(54.225.129.141)
  185.100.65.29 - mailcious
  23.21.48.44
Signatures (1):
  ET POLICY External IP Lookup (ipify .org)
Score: 8.8 | M | 59

48994 | 2021-02-05 09:53 | ZeroCERT
File: vbc.exe
MD5: aeb1715abadaf8a4a0ec5576eaf6197c
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion installed browsers check Windows Browser Email ComputerName Software
Hosts (1):
  (no entry shown)
Score: 9.0 | M | 24

48995 | 2021-02-05 09:45 | ZeroCERT
File: Terminator.msi
MD5: 99ad633f8692cf7e8ea375f7e611ca28
Tags: VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs AntiVM_Disk VM Disk Size Check ComputerName DNS
Hosts (1):
  185.244.128.34 - mailcious
Score: 4.0 | M | 28

48996 | 2021-02-05 09:44 | ZeroCERT
File: rx.exe
MD5: 7f53292ca3fd26580244167e922db361
Tags: VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Windows ComputerName DNS Cryptographic key crashed
Hosts (1):
  (no entry shown)
Score: 8.2 | M | 50

48997 | 2021-02-05 09:41 | ZeroCERT
File: r1.exe
MD5: 49c178fe7ccf97e9a20af386f51eb7e6
Tags: VirusTotal Malware Buffer PE AutoRuns MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs Windows DNS Cryptographic key keylogger
Hosts (1):
  185.244.128.34 - mailcious
Score: 11.6 | M | 29

48998 | 2021-02-05 09:41 | ZeroCERT
File: kali.txt.exe
MD5: bc64988e6d3ba51bcfec450e031c62c8
Tags: VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key
Hosts (2):
  paste.ee(172.67.219.133) - mailcious
  172.67.219.133 - mailcious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.0 | M | 27

48999 | 2021-02-04 19:32 | guest
File: order2020.xlsx.jar
MD5: 5187ae708fc760b89012cdf9dfff6f20
Tags: VirusTotal Malware Check memory heapspray unpack itself Java
Score: 2.8 | | 30

49000 | 2021-02-04 19:31 | guest
File: ed1d6e16dd9ace1a1ec7fd.exe
MD5: a2f509b83302c585a4853e15192b7ff0
Tags: VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization
Score: 2.8 | | 44

49001 | 2021-02-04 18:31 | ZeroCERT
File: doc09876578.exe
MD5: beb762350c33540220d014b884e748f3
Tags: VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS
URLs (22):
  http://www.l7zexitam.xyz/j5an/?lHKl=wp7aAKAL/m0UP5GY0SluVunmEiiRka0G8M132KeH1kjH6xL/7Vsceo9M25C+0DOTjq51a+A4&E6h4=8pDD8DnXm
  http://www.nselife.com/j5an/?lHKl=ofvYRS1pVHXHPoJURX4HnPHmgtdVYrtBbq5HTbx2603jFXllC3x8Kpr59HAm9Xs8vuKAmmMD&E6h4=8pDD8DnXm
  http://www.flatisteam.com/j5an/
  http://www.kojyouibennto.com/j5an/
  http://www.shopasha.com/j5an/?lHKl=NIif03N7SNcgzNJ6K7JT8uzO5NptMqTqNR08PtcGbWfBNNIPQew5WhGuddjjY797BAENpNNg&E6h4=8pDD8DnXm
  http://www.kojyouibennto.com/j5an/?lHKl=GtsGKU+ycfjH4g+vFKxKrAlA+icoDKlyC6S9A6/joj4RyE2rnIzEB/2VzrHUYFTDa1Ij4eLs&E6h4=8pDD8DnXm
  http://www.l7zexitam.xyz/j5an/
  http://www.investorshighway.com/j5an/?lHKl=O50kZZrCVBhyHb4WoWs9pza7EaxTLYfkuwE/SzgYeYtbTTbr92+YFDBvetxQrQiczlaqY1NU&E6h4=8pDD8DnXm
  http://www.bmtxm.com/j5an/
  http://www.bmtxm.com/j5an/?lHKl=6SPexGdzEJp3y5VP8cy7OLUKwTeaGjB/WusfxloW69kYZYqYrDfxiL903ZrFTX3ky52oOI1z&E6h4=8pDD8DnXm
  http://www.investorshighway.com/j5an/
  http://www.thebihareye.com/j5an/?lHKl=9TUHoDDYem5uwq6G0Z4e0lrZAiYWDg5HHHzlqoVbvcgPET7GeAX7hvXoyDQ0iKaGD8tbbq+s&E6h4=8pDD8DnXm
  http://www.thebihareye.com/j5an/
  http://www.maratinsaat.info/j5an/
  http://www.flatisteam.com/j5an/?lHKl=PjFFLIPg5tMecsvVWDnAWanm962LpvjMNLzmwcBVb5oN5GWE4CPn/vbbNrWGaMGnJ4Y0ra/3&E6h4=8pDD8DnXm
  http://www.maratinsaat.info/j5an/?lHKl=LlTLzlzT9Iwys808RWYHNJd6QbhnwRrIMoYECW5OIS6ueG4lK3JPMcLS+z5DXZpa8Pl3Hahx&E6h4=8pDD8DnXm
  http://www.retriever-home.com/j5an/?lHKl=tWrkevCw5Gb+NwGE1FEYItL37TgVRo/K7Wabm6bgkzhdKi/mi8+YznhbXfiwuwxIFAOCj+hc&E6h4=8pDD8DnXm
  http://www.retriever-home.com/j5an/
  http://www.nselife.com/j5an/
  http://www.arnoldnaturalresources.com/j5an/?lHKl=2bQQcT9FHzgk1e4xZE2NsF1U5FYiaqMDZ7EZFnzx6gND6djcbQ8M+swXpdfQowL8tonOSzal&E6h4=8pDD8DnXm
  http://www.shopasha.com/j5an/
  http://www.arnoldnaturalresources.com/j5an/
Hosts (25):
  www.flatisteam.com(154.86.87.102)
  www.bmtxm.com(103.209.233.78)
  www.lungi.cloud()
  www.shopasha.com(45.76.29.144)
  www.teramareprime.com()
  www.investorshighway.com(216.10.245.204)
  www.chuanxingtong.com()
  www.nselife.com(34.102.136.180)
  www.thebihareye.com(34.102.136.180)
  www.maratinsaat.info(2.57.90.16)
  www.retriever-home.com(74.220.199.6)
  www.kojyouibennto.com(192.0.78.24)
  www.arnoldnaturalresources.com(182.50.132.242)
  www.l7zexitam.xyz(43.249.241.188)
  www.yosyoshop.com()
  216.10.245.204
  34.102.136.180 - mailcious
  154.86.87.102
  45.76.29.144
  74.220.199.6 - mailcious
  182.50.132.242 - mailcious
  2.57.90.16 - mailcious
  192.0.78.25 - mailcious
  43.249.241.188
  103.209.233.78
Signatures (1):
  ET INFO Observed DNS Query to .cloud TLD
Score: 6.4 | M | 22

49002 | 2021-02-04 18:28 | ZeroCERT
File: bigmanx.scr
MD5: f33ad874f978a5882b114395cc182978
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (1):
  http://193.239.147.103/base/CB3E7F263B319F9CDB8A9BFA3EC60FF6.html - rule_id: 225
Hosts (1):
  193.239.147.103 - mailcious
Other (1):
  http://193.239.147.103/base/
Score: 16.2 | M | 22

49003 | 2021-02-04 18:26 | ZeroCERT
File: bigmanx.exe
MD5: c70760b818f8401d61a211943a54a4db
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS crashed
Score: 11.6 | | 17

49004 | 2021-02-04 18:25 | ZeroCERT
File: a.bat
MD5: 3779048d0752c8476e93344651bed1d8
Tags: VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key
Score: 5.4 | | 3

49005 | 2021-02-04 18:19 | ZeroCERT
File: WAH.exe
MD5: b295230847525e67d4c7d23df1be0cae
Tags: Malware download Nanocore Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed
Hosts (2):
  wazzy113.ddns.net(46.243.219.32)
  46.243.219.32
Signatures (2):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET MALWARE Possible NanoCore C2 60B
Score: 14.0 | M |