ID | Date | Sample (filename, MD5, tags) | URLs | Hosts | Network alerts | Rule-matched URLs | Score | Flag | Count | Submitter
49276 | 2021-01-20 10:04 | winlog3.exe 7832be91faea98b4f83d8abc7daa43c6 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs | | | | | 3.8 | M | 29 | guest
49277 | 2021-01-19 22:15 | winlog2.exe 528c0afa9442eb19e7d109832366432c VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs ComputerName DNS | (24) http://www.livetigo.com/eaud/ http://www.lebaronfuneraire.com/eaud/ http://www.guorunme.com/eaud/?UTdDFJz=w7YbC4rMOqafhcHzbQ5oU6Bn/YJdbJv0jK2OKVVKOl8ak1UaHhTe7vJ7Ahc0ebo5l0EQNdBq&jL04lx=WXO834OHFDYTd http://www.minbarlibya.com/eaud/ http://www.learnhour.net/eaud/ http://www.geraldreed.com/eaud/ http://www.learnhour.net/eaud/?UTdDFJz=JUq0vAPFOiawdqdb2+b91M0VP4hyudNtcG29yMoqv1KQvsPdQjOq60ZLWg8p1PXB+kYzciNx&jL04lx=WXO834OHFDYTd http://www.mademarketingoss.com/eaud/ http://www.lebaronfuneraire.com/eaud/?UTdDFJz=WAvmXqQ0PE1axhQfNr0JQneOuJHUyTLsb+xelRkDhSTK3+we9hZ5SSWDnkmIPpmfeTbAuvqI&jL04lx=WXO834OHFDYTd http://www.mademarketingoss.com/eaud/?UTdDFJz=PWPLxqk9OkCcz9a5cG/RXVhQZPp/PutuT4JAQQZmf7ycfHxDfPKzpKl0G4UoCL0bvdRsMGI0&jL04lx=WXO834OHFDYTd http://www.ndblife.com/eaud/?UTdDFJz=+wafWxYmTRlMZ+qgCUxENZqEYoHQgwBbQLCqWhaDHxQRy6dMAMHZETyN3PjX68W12EOrfDzE&jL04lx=WXO834OHFDYTd http://www.yesmywigs.com/eaud/?UTdDFJz=W/FsXQ9AMSMW5ZW2DTAjLUE+BpJBejPIMJjHVzZnFpT7LNjYIWUHJsiZzStIjTFY+czZ9NVi&jL04lx=WXO834OHFDYTd http://www.blazorstore.com/eaud/ http://www.ndblife.com/eaud/ http://www.mettyapp.com/eaud/?UTdDFJz=EgIsbSRcjIMl5uy4QumJa2hk+2cljSbZfJztc2tCsxJvlN+QuynUoVMuxkaz9vgUraoY6szY&jL04lx=WXO834OHFDYTd http://www.yesmywigs.com/eaud/ http://www.interseptors.com/eaud/ http://www.guorunme.com/eaud/ http://www.interseptors.com/eaud/?UTdDFJz=pz0YJmVRD64f6S5YGofgc/iZrvOO36JbHRYaZN1zegkMZxn7BU2Edlhl4EoAfF9cUi5tjI84&jL04lx=WXO834OHFDYTd http://www.blazorstore.com/eaud/?UTdDFJz=dDW4s5C9volUgwKm6uPpJmsAKuls4CbQPq3IbssJRkbxfkJJHOeAvsZc5AuQIgS7LZasar/m&jL04lx=WXO834OHFDYTd http://www.livetigo.com/eaud/?UTdDFJz=WFtTVhoCEiLT+oYE9OELm5LoGjQXHmoXKzwZ7N00KKi/l2dH98W3HjdxVPRLsZVgMPUrENe9&jL04lx=WXO834OHFDYTd http://www.mettyapp.com/eaud/ http://www.geraldreed.com/eaud/?UTdDFJz=WvvdH1HRECI6AXm1C1kLAA2Qhawr9v3d0n4Iy9SWuW1zQca/D9xywjUu8TqLKB5xLKsJmhnV&jL04lx=WXO834OHFDYTd http://www.minbarlibya.com/eaud/?UTdDFJz=3/ITiuK5ux/fdUJioGzwml+TvlK+wvAdru6novIXrohnbWYrhMtPbzJtXAJGl5jtHnCroMO4&jL04lx=WXO834OHFDYTd | (26) www.dajiankang.love() www.coalitionsentiment.win() www.learnhour.net(142.147.98.180) www.blazorstore.com(192.64.119.103) www.ndblife.com(34.102.136.180) www.minbarlibya.com(185.53.177.13) www.interseptors.com(104.252.75.184) www.mademarketingoss.com(52.8.83.187) www.yesmywigs.com(66.23.236.66) www.tolentinestore.com() www.mettyapp.com(34.102.136.180) www.livetigo.com(104.21.57.171) www.guorunme.com(156.224.53.101) www.lebaronfuneraire.com(217.70.184.50) www.geraldreed.com(54.208.77.124) 156.224.53.101 142.147.98.180 104.252.75.184 34.102.136.180 - mailcious 217.70.184.50 - mailcious 54.208.77.124 - mailcious 66.23.236.66 104.21.57.171 192.64.119.103 185.53.177.13 - suspicious 52.8.83.187 | | | 11.0 | | 23 | ZeroCERT
49278 | 2021-01-19 22:14 | winlog.exe b75247013200d602f98dc3801d2bde2f VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs | (10) http://www.modshiro.com/eaud/?qR-Lprxp=iYimu2Mk5JDdo0F5scecwzfC+OCvXZJe88Hc4nJqqcXdL2DvcDKgfZJlJkZoF/3I4dQdEBzQ&SVjH9b=yjRhbdjpRBV http://www.casinocerto.com/eaud/ http://www.mademarketingoss.com/eaud/ http://www.casinocerto.com/eaud/?qR-Lprxp=SyqGIieTUsbyHPqLeFx7ImJJb+0PxKIK5sSUsUukqPXS0WL6I+iBynP3H4JScrHXuAzlpnFw&SVjH9b=yjRhbdjpRBV http://www.learnhour.net/eaud/?qR-Lprxp=JUq0vAPFOiawdqdb2+b91M0VP4hyudNtcG29yMoqv1KQvsPdQjOq60ZLWg8p1PXB+kYzciNx&SVjH9b=yjRhbdjpRBV http://www.missfoxie.com/eaud/ http://www.missfoxie.com/eaud/?qR-Lprxp=qwsKjudnR+FQ5dEDPeUPM7MjjnSjPQ/7C93cZJCmnM+aUvVL1QSP4NdK1d+CicIt1ovm6z2p&SVjH9b=yjRhbdjpRBV http://www.mademarketingoss.com/eaud/?qR-Lprxp=PWPLxqk9OkCcz9a5cG/RXVhQZPp/PutuT4JAQQZmf7ycfHxDfPKzpKl0G4UoCL0bvdRsMGI0&SVjH9b=yjRhbdjpRBV http://www.learnhour.net/eaud/ http://www.modshiro.com/eaud/ | (13) www.dajiankang.love() www.learnhour.net(142.147.98.180) www.gigashit.com() www.missfoxie.com(34.102.136.180) www.casinocerto.com(213.186.33.5) www.mademarketingoss.com(52.8.83.187) www.bosman-smm.online() www.modshiro.com(75.126.104.229) 75.126.104.229 142.147.98.180 34.102.136.180 - mailcious 213.186.33.5 - mailcious 52.8.83.187 | | | 9.4 | M | 16 | ZeroCERT
49279 | 2021-01-19 21:19 | vbc.exe f958e1e18b67ac9edc2668bac133b64a VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS | (2) http://www.boykinspto.com/p7t/?XRAlD4Ep=EjLktqOymAeSUl5faZ892P9ZH6FCPTExa/FdOlqBj8MdP0PlKSALnLpfb8yKFgb/VZtbDhQo&W4=GvIHh http://www.meet2night.site/p7t/?W4=GvIHh&XRAlD4Ep=v2ASHKYESZXYAQk5RH2Jxz9yUWHCMHT+p2M7lUUCRZdGaVgCcM2ln4cMMowZNlwHv92V27dI | (4) www.meet2night.site(185.27.134.110) www.boykinspto.com(172.217.161.51) 185.27.134.110 74.125.203.121 | | | 9.2 | M | 20 | ZeroCERT
49280 | 2021-01-19 21:18 | vbc2.exe 80c7f8dde5eef2dd1866d5af37512bd4 VirusTotal Malware Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName | | | | | 7.6 | M | 26 | ZeroCERT
49281 | 2021-01-19 20:56 | u.exe 185dd5ec503c683da355a50e70f25c68 Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed | | | (3) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | | 3.8 | | | ZeroCERT
49282 | 2021-01-19 20:54 | SSLLibrary.dll c99beb77fb6ab9314865979f3122c1e4 VirusTotal Malware | | | | | 1.4 | M | 1 | ZeroCERT
49283 | 2021-01-19 20:40 | Rsigned.exe ae8ba034c111e338ffc8cced610e23c7 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities malicious URLs Tofsee Windows RCE DNS DDNS | (2) https://4ubimq.am.files.1drv.com/y4m4lnVPpGALsthCItGyb2cPKYuA40mB6tD_5GKiu1_0lwGdjC1HeliFnXXllr2T2Q6XUq50DI4rnQ8CpDedRvTN7cg_7VGWadZnDfzXXK8cm7hMsnouupryVUDuO5zjW-xV9uFXkHbJgMDADrxQEKzccC5UZxSiA7meOy7ADgz_FvB9Ex_gNSobLxpu6ae20tWNUg2z4bKmHuymiTHQ604_w/Rvchn?download&psid=1 https://1drv.ws/u/s!Ajd-Sr902mBzd_7UyeoxtFFPG9Y?e=euWPMY? | (6) 4ubimq.am.files.1drv.com(13.107.42.12) - mailcious 1drv.ws(168.235.93.122) - mailcious 4sureme.ddns.net(185.140.53.202) 168.235.93.122 - mailcious 13.107.42.12 - malware 185.140.53.202 | (2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY DNS Query to DynDNS Domain *.ddns .net | | 10.4 | M | 23 | ZeroCERT
49284 | 2021-01-19 20:40 | scr.dll 767ee463439c4ec6b754a81e2eb358fb VirusTotal Malware Checks debugger unpack itself DNS | | (1) | | | 3.8 | M | 33 | ZeroCERT
49285 | 2021-01-19 20:32 | IMG_53771.pdf.exe 86b54654ac95dc27eb76c8dce196d3b8 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | (2) http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 | (4) freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.70) 216.146.43.71 172.67.188.154 | (4) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response | | 15.0 | M | 26 | ZeroCERT
49286 | 2021-01-19 20:30 | Protected Client.vbs 7c2461575cefe582992751922a989015 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger WMI Creates shortcut ICMP traffic unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key | | (4) alabamapropertymanagers.com(181.214.142.116) - mailcious google.com(172.217.31.174) 142.250.199.78 181.214.142.116 - malware | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.0 | | 6 | ZeroCERT
49287 | 2021-01-19 20:23 | doc.exe 72f92854f536ce2e3b3fc7f158799759 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS | | | | | 10.0 | M | 16 | ZeroCERT
49288 | 2021-01-19 20:23 | document.doc 6d238a412f808d2c4c56865d7f4c4d16 VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself malicious URLs Tofsee Windows Exploit DNS DDNS crashed | (2) https://1drv.ws/u/s!Ajd-Sr902mBzd_7UyeoxtFFPG9Y?e=euWPMY? https://4ubimq.am.files.1drv.com/y4mD95cjvSzb1cLKPMU4zVgLYIuTekR_rchDoTddAzJMfDvYl94d8dZOLi0pQuCGiY95ktUW1U2fT9D76suf1LhYJxupJgL7SC5QJfYOnw5XPTm5nYlrK5E1unEZWb8vkHgMFj_QLOnVdxmgAE1jf7OVuiRg6IUAep3axl9X4I4i6El7OshpV4Kxle_9djttJeOaZBFMHEynyh0_8N6nCHo0Q/Rvchn?download&psid=1 | (7) 4ubimq.am.files.1drv.com(13.107.42.12) - mailcious 1drv.ws(168.235.93.122) - mailcious 4sureme.ddns.net(185.140.53.202) 168.235.93.122 - mailcious 13.107.42.12 - malware 192.3.22.59 - malware 185.140.53.202 | (7) ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY DNS Query to DynDNS Domain *.ddns .net ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 6.4 | M | 24 | ZeroCERT
49289 | 2021-01-19 20:07 | dir2.exe d4ecd2bd3d00a12dffcf55e006eb7b24 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key | (17) http://www.thedancehalo.com/bw82/ - rule_id: 174 http://www.magnabeautystyle.com/bw82/ http://www.wmarquezy.com/bw82/?RvE=/EPqbtSARGzilFdTRYE1urAc3bDaNMBRSm6tJpb+ckA41wFrw7Re59/hr+veajPbLei9XJ0s&Mfg=lHNl - rule_id: 181 http://www.wmarquezy.com/bw82/ - rule_id: 181 http://www.rizrvd.com/bw82/?RvE=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Mfg=lHNl - rule_id: 170 http://www.rizrvd.com/bw82/?RvE=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Mfg=lHNl http://www.kolamart.com/bw82/?RvE=U5qlNe3tyC/qCLFLbAk3bGcrOcPwpu2hHSyAkQWR0ho6UxGTq/9WR0LXkn1o9vYYLIYSfAyI&Mfg=lHNl http://www.learnplaychess.com/bw82/ http://www.kolamart.com/bw82/ http://www.texasdryroof.com/bw82/ http://www.learnplaychess.com/bw82/?RvE=vnC2wafbyMQPYeEKgN7BidCBviMCiZSnX+uSg1OBIsHa5LvWqJWZ2VbpSwmofqXZDe4zcQN4&Mfg=lHNl http://www.texasdryroof.com/bw82/?RvE=WPjawucHEOTRaQcXyEhbXuDFOfp4BixOPJfSyoP8BvloJ8X7v2Ymrx8NNNNEmDNuJoaF8eZP&Mfg=lHNl http://www.rizrvd.com/bw82/ - rule_id: 170 http://www.magnabeautystyle.com/bw82/?RvE=9KGhaNjnZA+1vlfhEmkWJtXE2Tv4ryq1r5IcCqZotckyUU+N2GtErHSRaSsv7jjytCtfnkwq&Mfg=lHNl http://www.gdsjgf.com/bw82/?RvE=7KG5rMnLNS/F00cUwyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27kzNH/2ON0tx/WWBZXRB&Mfg=lHNl - rule_id: 173 http://www.gdsjgf.com/bw82/ - rule_id: 173 http://www.thedancehalo.com/bw82/?RvE=TJmBUVi76XvdedvdT4XTiNg0xow+eIDVhd+PvrNB1pQf64xZGmJKzxet+DQnJGM605l+3b5o&Mfg=lHNl - rule_id: 174 | (12) www.learnplaychess.com(103.250.186.248) www.kolamart.com(34.102.136.180) www.thedancehalo.com(34.102.136.180) - mailcious www.magnabeautystyle.com(184.168.131.241) www.rizrvd.com(34.102.136.180) - mailcious www.wmarquezy.com(192.0.78.25) - mailcious www.texasdryroof.com(34.102.136.180) www.gdsjgf.com(34.102.136.180) - mailcious 184.168.131.241 - mailcious 34.102.136.180 - mailcious 103.250.186.248 - mailcious 192.0.78.25 - mailcious | | (8) http://www.thedancehalo.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/ http://www.gdsjgf.com/bw82/ http://www.gdsjgf.com/bw82/ http://www.thedancehalo.com/bw82/ | 9.4 | M | 18 | ZeroCERT
49290 | 2021-01-19 20:06 | dir1.exe 257331ce21922bcbf76f740b83278672 VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 2.0 | M | 20 | ZeroCERT