49006 | 2021-02-04 18:19
svchost.exe 8fa44c395d73279bc27b6a32ff5970d6 VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW IP Check Tofsee Windows ComputerName DNS Cryptographic key crashed
4
3
ipinfo.io(216.239.36.21) 216.239.38.21 - phishing 92.63.193.103
3
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
12.0 | M | 55 | ZeroCERT
49007 | 2021-02-04 18:12
shample.exe e8fcf392ddcf20137e01e83a6275bc5a AutoRuns PDB suspicious TLD Windows
1
1.6 | | | ZeroCERT
49008 | 2021-02-04 18:07
shared.xls f623477eec15e20ba379032335f46743 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key
2
http://rebrand.ly/WdBPApoMACRO https://cdn.discordapp.com/attachments/806091042163654659/806091413502427176/a.bat
6
rebrand.ly(54.81.48.211) - mailcious thephotographersworkflow.com(162.241.65.200) cdn.discordapp.com(162.159.130.233) - malware 162.159.134.233 - malware 54.81.48.211 162.241.65.200
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.2 | M | 7 | ZeroCERT
49009 | 2021-02-04 17:51
rx.exe 7f53292ca3fd26580244167e922db361 VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Windows ComputerName DNS Cryptographic key crashed
1
http://93.115.18.97/Data/GetUpdateInfo
1
8.2 | M | 48 | ZeroCERT
49010 | 2021-02-04 17:50
ProductDiagnosticHelper.msi 038a0b84d1979d20c7a0788f3ca5a4ae Malware download Dridex NetWireRC VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs AntiVM_Disk VM Disk Size Check Tofsee BitRAT ComputerName DNS
3
datamicrotransfer.com(190.97.162.108) - malware 185.244.128.34 190.97.162.108 - malware
4
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
4.2 | M | 35 | ZeroCERT
49011 | 2021-02-04 17:48
lv.exe 5d2f84a7e74e6e5ff1db4c4038d0f5e4 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check Tofsee Windows ComputerName crashed
2
http://ip-api.com/line https://iplogger.org/1rUs77
4
iplogger.org(88.99.66.31) ip-api.com(208.95.112.1) 88.99.66.31 - mailcious 208.95.112.1
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
13.2 | M | 48 | ZeroCERT
49012 | 2021-02-04 17:45
Loader.exe d4c9ea37c5282f1844e4a440641434b2 Malware download VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Interception Windows ComputerName Trojan DNS Cryptographic key crashed
20
http://microsoftenly.com/mts/gate.php?p=6 http://microsoftenly.com/mts/gate.php http://microsoftenly.com/mts/gate.php?2bb=07AACE483BA0 http://microsoftenly.com/mts/gate.php?gpp=5 http://microsoftenly.com/mts/gate.php?ct=1 http://microsoftenly.com/mts/gate.php?gpp=6 http://microsoftenly.com/mts/gate.php?prf=1 http://microsoftenly.com/mts/gate.php?gpp=4 http://microsoftenly.com/mts/gate.php?pl=1 http://193.239.147.103/base/BFA6C7B41BE32307CAA06D5F6D8A6928.html - rule_id: 225 http://microsoftenly.com/mts/gate.php?gpp=1 http://microsoftenly.com/mts/gate.php?gpp=2 http://microsoftenly.com/mts/gate.php?gpp=3 http://microsoftenly.com/mts/gate.php?p=1 http://microsoftenly.com/mts/gate.php?lp=1 http://microsoftenly.com/mts/gate.php?p=3 http://microsoftenly.com/mts/gate.php?p=2 http://microsoftenly.com/mts/gate.php?p=5 http://microsoftenly.com/mts/gate.php?p=4 http://193.239.147.103/base/3639984F5BF8097998E70E3AABFA0304.html - rule_id: 225
5
microsoftenly.com(165.22.30.153) www.microsoft.com(23.201.37.168) 23.201.37.168 193.239.147.103 - mailcious 165.22.30.153
1
ET MALWARE Trojan Generic - POST To gate.php with no referer
2
http://193.239.147.103/base/ http://193.239.147.103/base/
22.0 | M | 43 | ZeroCERT
49013 | 2021-02-04 17:42
file.exe b8b7b4f5bc704558dcf41a39c2f9fd6d VirusTotal Malware unpack itself RCE
2.4 | M | 36 | ZeroCERT
49014 | 2021-02-04 17:40
jng.exe c5bc25e433957078776a6cfcee5961c2 VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs Windows DNS Cryptographic key
7.6 | M | 52 | ZeroCERT
49015 | 2021-02-04 16:17
EIC.exe 49318d20791b87d4bb0abca27ee83a67 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself suspicious process WriteConsoleW Windows Cryptographic key crashed
6.6 | M | 36 | ZeroCERT
49016 | 2021-02-04 16:04
ecomx.exe 01b636a8ae4dd00d31df4fecc6b1190c VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS
1
http://193.239.147.103/base/8B71C9C8D828D6A5216FE8145073752B.html - rule_id: 225
1
193.239.147.103 - mailcious
1
http://193.239.147.103/base/
4.2 | M | 47 | ZeroCERT
49017 | 2021-02-04 16:00
cred.dll 6a860fb58935625b193316ead3384a1c FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software
1
http://176.111.174.35//Fn39vld2cS/index.php - rule_id: 248
1
1
http://176.111.174.35//Fn39vld2cS/index.php
6.2 | M | 40 | ZeroCERT
49018 | 2021-02-04 16:00
DsQwouT0.exe 943dff6e7979ded5b2d94f4e0503704a VirusTotal Malware RCE
1.4 | | 19 | ZeroCERT
49019 | 2021-02-04 11:04
aa.exe 1ff59d25828ac6ee321e571439410b12 VirusTotal Cryptocurrency Miner Malware Cryptocurrency SMB Traffic Potential Scan AutoRuns Check memory Creates executable files ICMP traffic unpack itself Windows utilities Auto service Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows Browser ComputerName RCE DNS
1
5
gxxs.monerogb.com() - mailcious ip.3322.net(118.184.176.22) dns.monerogb.com(103.246.218.179) - mailcious 118.184.176.22 103.246.218.179 - mailcious
5
ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net ET POLICY Unsupported/Fake Windows NT Version 5.0 ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net ET POLICY Cryptocurrency Miner Checkin ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
15.4 | | 56 | ZeroCERT
49020 | 2021-02-04 11:03
906249IMG_055708.pdf.exe 3a0f89e50b88ed60053533cca7003388 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
3
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://www.google.com/
6
www.google.com(172.217.25.196) freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 162.88.193.70 172.217.26.4 - suspicious 104.21.19.200
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
16.0 | M | 18 | ZeroCERT