5296 | 2021-02-19 11:35 | ZeroCERT
  File: dgv.exe (MD5 fdb4e0837585603e2a3c4feb1e152f72)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
  URLs: none
  Hosts: none
  Signatures: none
  Score: 10.0 | M | 53
5297 | 2021-02-19 12:26 | ZeroCERT
  File: document.doc (MD5 0e2093f0408824baea6fd30e7d200087)
  Tags: Malware download, VirusTotal, Malware, Malicious Traffic, exploit, crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed, Downloader
  URLs (1):
    http://5.39.217.221/win/vbc.exe
  Hosts (1): (not listed)
  Signatures (6):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Score: 5.0 | M | 32
5298 | 2021-02-19 12:27 | ZeroCERT
  File: dutchx.scr (MD5 054378084de842ca5788d97ae1be4240)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Disables Windows Security, powershell.exe wrote, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
  URLs (2):
    http://185.239.242.107/base/21D64E34E143EBC79AFD599A19616687.html - rule_id: 263
    http://185.239.242.107/base/1C06388B82C5C429CCE7D57B562320BB.html - rule_id: 263
  Hosts (1):
    185.239.242.107 - mailcious
  Signatures: none
  Other (2):
    http://185.239.242.107/base/
    http://185.239.242.107/base/
  Score: 16.6 | M | 42
5299 | 2021-02-19 13:24 | ZeroCERT
  File: jaga.exe (MD5 3a88ad54a185241786cf3dde0c291b5e)
  Tags: FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, malicious URLs, Windows
  URLs (1):
    http://www.neftyfuentes.com/tboh/?9r70bd-P=KmKol9fk3gupyhahIpU4zRKwVGGzj5hrIedhtJJasqLS74N3ksEYJSQpA+XubBC1E0ukxJ8N&EhLpvJ=jdFp72Lpc
  Hosts (2):
    www.neftyfuentes.com(74.115.32.75)
    74.115.32.75
  Signatures (1):
    ET MALWARE FormBook CnC Checkin (GET)
  Score: 10.0 | M | 51
5300 | 2021-02-19 13:24 | ZeroCERT
  File: freshx.exe (MD5 daa7547fdce007a6846bdf90f86cdeb7)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
  URLs (1):
    http://185.239.242.107/base/9D65C94CBB7F4C410BDB1AE7D3AEF278.html - rule_id: 263
  Hosts (1):
    185.239.242.107 - mailcious
  Signatures: none
  Other (1):
    http://185.239.242.107/base/
  Score: 14.6 | M | 37
5301 | 2021-02-19 13:27 | ZeroCERT
  File: lpeg.exe (MD5 1c959263f110c933faff545bb05d99aa)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed, keylogger
  URLs: none
  Hosts: none
  Signatures: none
  Score: 8.0 | M | 36
5302 | 2021-02-19 13:27 | ZeroCERT
  File: mnbv.exe (MD5 7b203ccfa960e4fabe05bf6c56afc797)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
  URLs: none
  Hosts: none
  Signatures: none
  Score: 8.6 | M | 34
5303 | 2021-02-19 13:37 | ZeroCERT
  File: njstart_protected.exe (MD5 da5f2763cf0fa84529d7ba0747010f5e)
  Tags: Malware download, njRAT, NetWireRC, VirusTotal, Malware, malicious URLs, WriteConsoleW, DNS, DDNS
  URLs: none
  Hosts (2):
    freesoftdownloads.publicvm.com(200.83.136.8)
    200.83.136.8 - mailcious
  Signatures (1):
    ET MALWARE Bladabindi/njRAT CnC Command (ll)
  Score: 4.0 | M | 54
5304 | 2021-02-19 13:37 | ZeroCERT
  File: molb.exe (MD5 7c583de0be488e478b9f9d9a6d9b6891)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, RWX flags setting, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, Software, crashed, keylogger
  URLs (5):
    http://icanhazip.com/
    https://onedrive.live.com/download?cid=89C2283E219D084B&resid=89C2283E219D084B%21715&authkey=AL6CsXGxuywK1bs
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00
    https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613709267&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D89C2283E219D084B%26resid%3D89C2283E219D084B%2521715%26authkey%3DAL6CsXGxuywK1bs&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
    https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613709268&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D89C2283E219D084B%26resid%3D89C2283E219D084B%2521715%26authkey%3DAL6CsXGxuywK1bs&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
  Hosts (9):
    icanhazip.com(147.75.47.199)
    login.live.com(40.126.38.20)
    onedrive.live.com(13.107.42.13) - mailcious
    api.mylnikov.org(104.21.57.49)
    136.144.56.255
    20.190.165.20
    13.107.42.13 - mailcious
    104.21.57.49
    147.75.47.199
  Signatures (2):
    ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 14.4 | M | 50
5305 | 2021-02-19 13:42 | ZeroCERT
  File: plazxp.exe (MD5 3f7a846fde5fb18789c56b9246931ed2)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, RWX flags setting, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, Software, crashed, keylogger
  URLs (4):
    http://icanhazip.com/
    https://onedrive.live.com/download?cid=89C2283E219D084B&resid=89C2283E219D084B%21715&authkey=AL6CsXGxuywK1bs
    https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613709576&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D89C2283E219D084B%26resid%3D89C2283E219D084B%2521715%26authkey%3DAL6CsXGxuywK1bs&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00
  Hosts (9):
    icanhazip.com(147.75.47.199)
    login.live.com(40.126.38.18)
    onedrive.live.com(13.107.42.13) - mailcious
    api.mylnikov.org(172.67.141.244)
    136.144.56.255
    172.67.141.244
    40.126.37.0
    13.107.42.13 - mailcious
    147.75.47.199
  Signatures (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
  Score: 13.4 | M | 53
5306 | 2021-02-19 13:46 | ZeroCERT
  File: queen.exe (MD5 d91f98119c389c2673c45ef4fe9b1fda)
  Tags: FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, malicious URLs, Windows
  URLs (2):
    http://www.achakhao.com/cbd/?jfIXkD=ZQBHVU5zkOOy64LYcNCqcwrZ7LRUSeLlsseUdX8oVjbQb0lqolQbFhGBFYOfCvIEws5Vm+Qy&UVI=D8ODAr
    http://www.drolmaorganic.com/cbd/?jfIXkD=st6CpzySBKLcHrpdDE5YQ9RZ/tuSkdX3kZTy0Mzk1xNTbpdBHCKL6SusdvP5/shfRqNUEBZk&UVI=D8ODAr
  Hosts (5):
    www.drolmaorganic.com(186.64.116.165)
    www.achakhao.com(23.111.175.173)
    www.stairliftzainfos.com()
    23.111.175.173
    186.64.116.165 - mailcious
  Signatures (1):
    ET MALWARE FormBook CnC Checkin (GET)
  Score: 11.0 | M | 47
5307 | 2021-02-19 13:47 | ZeroCERT
  File: twox.exe (MD5 1a08a3826d57d19d0bdc7f3413ee46c3)
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
  URLs (1):
    http://192.236.147.189/custom/alien/html/base/9F8716930AC8F62FA2C2E3D5E7AAEF09.html
  Hosts (1):
    192.236.147.189 - malware
  Signatures: none
  Score: 14.0 | M | 5
5308 | 2021-02-19 22:40 | ZeroCERT
  File: scr.dll (MD5 245f28842136da057208ab20cb12c61a)
  Tags: VirusTotal, Malware, Checks debugger, buffers extracted, unpack itself, DNS
  URLs (1):
    http://185.215.113.17//jG3cs2rP/index.php?scr=up - rule_id: 275
  Hosts (1): (not listed)
  Signatures: none
  Other (1): (not listed)
  Score: 3.2 | M | 37
5309 | 2021-02-19 22:42 | ZeroCERT
  File: 44246.dat.exe (MD5 014f2fa8ad432b40c1c1a8b10f6b89af)
  Tags: Checks debugger, unpack itself, sandbox evasion, ComputerName
  URLs: none
  Hosts: none
  Signatures: none
  Score: 1.8
5310 | 2021-02-19 22:46 | ZeroCERT
  File: in.exe (MD5 13b21115bd414b3cff0365351398e92a)
  Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Tofsee, Windows, DNS
  URLs (1): (not listed)
  Hosts (2):
    www.google.com(172.217.175.36)
    216.58.200.68
  Signatures (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 10.8 | M | 22