| 49141 |
2021-01-29 10:08
|
osamax.scr 233052898800d961e4fc3ef2a339f555
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://193.239.147.103/base/F4BA6DC1CB973DE9DAE5D0E9AA62DF30.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
1
http://193.239.147.103/base/
|
12.6 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49142 |
2021-01-29 10:07
|
DSC_Canon_110202_23.01.2021.zi... 4568bbfb8b5a5161c8b1045051933788
unpack itself |
|
|
|
|
1.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49143 |
2021-01-29 09:59
|
IMG-0607.pdf.exe 263f0b35e5768e624a84ac122bbf6a8c
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces malicious URLs AntiVM_Disk VMware IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://www.google.com/
|
7
www.google.com(172.217.25.100)
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.70)
162.88.193.70
64.233.189.104
172.67.188.154
64.233.189.106 - suspicious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
16.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49144 |
2021-01-29 09:59
|
gwfa.exe a8417cfd71637c7371986737cff269cf
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS |
1
http://www.pincmd.com/zn7/?Wxo=H0DTRf2X8PY0Cn&OVolp=vl+DwuPw1Bs+eDz18phlFYzK3ZASrkTtaqWFbU4W2U0kNPdMaptnd8r6YjMJ59Q6viCts5io
|
3
www.idiocy.online()
www.pincmd.com(103.82.55.155)
103.82.55.155
|
|
|
12.6 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49145 |
2021-01-29 09:39
|
1599400056-01282021.xls b4f063612cbe944f5f63e3e132793941
Malware download Dridex TrickBot VirusTotal Malware suspicious privilege Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Kovter Windows ComputerName DNS Downloader |
|
7
irenegladsteinmd.smartwebsitedesign.com(174.138.190.165) - malware
195.123.241.214
5.34.180.185
23.254.224.2
107.152.46.188
185.82.126.38
174.138.190.165 - mailcious
|
6
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M4
|
|
8.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49146 |
2021-01-29 09:39
|
bvsd.exe 3adae286b1688adb95794b29d21f6ca0
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS |
2
http://www.maalkhairaatwosu.com/zn7/?9r4P2=oso/Cug38AXv4G4StP3iQilmzyYWofIVZmnlkvEMG9MdkfwPUu/S3qzFyv953fkX+1OQlFou&EjU4Sz=fdMTVRIPlB
http://www.brandonandrana.com/zn7/?9r4P2=yObgM5LPfCGfok7nL/KOJdbpHcl0xM+9kC0oAyaz/i+7Z5Vdx+6Mf7YcfMkbMiod0O2maEeO&EjU4Sz=fdMTVRIPlB
|
4
www.maalkhairaatwosu.com(5.181.216.120)
www.brandonandrana.com(156.254.243.114)
5.181.216.120
156.254.243.114
|
|
|
11.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49147 |
2021-01-28 19:26
|
http://transplugin.io 242c23ea412530c7d94b77a7a978c176
Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
3
http://transplugin.io/
http://transplugin.io/favicon.ico
http://transplugin.io/iisstart.png
|
2
transplugin.io(103.253.40.225) - mailcious
103.253.40.225 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49148 |
2021-01-28 13:58
|
nfeX-99.msi d388da2bf1c9ef59eabce635a6909348
Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself malicious URLs AntiVM_Disk suspicious TLD VM Disk Size Check ComputerName DNS DDNS |
1
http://primo1982.1gb.ru/01/nobs.php
|
4
primomiguel.duckdns.org(104.41.55.10)
primo1982.1gb.ru(81.177.49.5)
104.41.55.10
81.177.49.5
|
2
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)
|
|
5.8 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49149 |
2021-01-28 13:55
|
5319402.jpg.exe 331bdaa5cb5dab743006128aff340979 |
|
|
|
|
0.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49150 |
2021-01-28 13:24
|
5319402.jpg.exe 331bdaa5cb5dab743006128aff340979 |
|
|
|
|
0.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49151 |
2021-01-28 13:23
|
5555.jpg.exe de6108a215b25132877b39590951dce3 |
|
|
|
|
0.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49152 |
2021-01-28 12:20
|
6gdwwv.exe 77be0dd6570301acac3634801676b5d7
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software |
1
http://api.ipify.org/?format=xml
|
4
sweyblidian.com(185.100.65.29)
api.ipify.org(54.225.220.115)
54.235.189.250
185.100.65.29
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
10.0 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49153 |
2021-01-28 12:20
|
xkp369t.zip.exe ba58b7e985b1b06985ddd90a8a1c622b
VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows Cryptographic key |
|
|
|
|
3.0 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49154 |
2021-01-28 10:38
|
WAH.exe 1514dad5fc756723d4c00e0817605ae9
VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName Cryptographic key crashed |
|
2
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu(46.243.219.56)
46.243.219.56
|
|
|
14.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49155 |
2021-01-28 10:37
|
vbc.exe fcbfe0655ddb6609b6145f5798e7c9bf
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed |
|
|
|
|
10.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|