5416 | 2021-02-25 09:18
Sample: crypt_sert.exe | MD5: bc584a3be92cfdfda79446372fffa46d
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
URLs (10): http://87.251.71.75:3214/, http://195.2.84.91/cpu.zip, https://iplogger.org/1r2et7, https://iplogger.org/1rst77, https://iplogger.org/1tsef7, https://pastebin.com/raw/WmBNYXYN, https://pastebin.com/raw/bnxCb5RP, https://api.ip.sb/geoip, https://blog.agencia10x.com/mex.exe, https://blog.agencia10x.com/dance.exe
Hosts (24): bbuseruploads.s3.amazonaws.com(52.216.165.51) - malware; blog.agencia10x.com(172.67.213.210) - malware; WHOIS.APNIC.NET(172.104.77.201); pool.minexmr.com(88.99.193.240) - malicious; iplogger.org(88.99.66.31); pastebin.com(104.23.98.190) - malicious; bitbucket.org(104.192.141.1) - malware; api.ip.sb(104.26.12.31); whois.iana.org(192.0.32.59); 94.130.164.163; 52.217.66.236; 172.67.213.210; 192.0.32.59; 51.254.84.37; 88.99.66.31 - malicious; 195.2.84.91; 87.251.71.75; 104.23.98.190 - malicious; 172.104.79.63; 104.192.141.1 - malicious; 51.68.21.188; 178.32.120.127; 94.130.165.85; 104.26.13.31
Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY DNS request for Monero mining pool; ET INFO Dotted Quad Host ZIP Request
20.2 | M | 51 | ZeroCERT
5417 | 2021-02-25 09:26
Sample: fux.exe | MD5: 5b60d41bd93869e36d90775be1ae7830
Tags: VirusTotal Malware PDB MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself malicious URLs suspicious TLD sandbox evasion Tofsee Browser Remote Code Execution DNS crashed
URLs (2): https://tttttt.me/jojmalbec, https://simsimsalabim.top/
Hosts (4): tttttt.me(95.216.186.40); simsimsalabim.top(104.21.7.191); 95.216.186.40; 104.21.7.191
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET DNS Query to a *.top domain - Likely Hostile
10.0 | M | 51 | ZeroCERT
5418 | 2021-02-25 09:30
Sample: IMG_0352_Scanned.jpg.exe | MD5: 6a4ce9c2b60181dad5c2ae6f01a21d65
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/, https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(162.88.193.70); 131.186.113.70; 172.67.188.154
Signatures (4): ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
17.2 | M | 27 | ZeroCERT
5419 | 2021-02-25 09:34
Sample: IMG_57109_Scanned.jpg.exe | MD5: e880bfe979296c1fb516d0f90cd5fb16
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/, https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(162.88.193.70); 216.146.43.70 - suspicious; 172.67.188.154
Signatures (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.0 | M | 26 | ZeroCERT
5420 | 2021-02-25 12:26
Sample: ipfile.exe | MD5: 42c148811400c4e8eff02746f7a7d02b
Tags: VirusTotal Malware unpack itself
2.8 | M | 57 | ZeroCERT
5421 | 2021-02-25 12:26
Sample: Install_x86.exe | MD5: e5d9d3e54ad6de4914eb6616193422c2
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows DNS Cryptographic key
Hosts (1): (value not present in source)
11.6 | M | 55 | ZeroCERT
5422 | 2021-02-25 13:12
Sample: klfile.exe | MD5: 9dc97eaed4e61901afc327ce9f122262
Tags: VirusTotal Malware unpack itself
2.4 | M | 54 | ZeroCERT
5423 | 2021-02-25 13:15
Sample: nefile.exe | MD5: f1db5dec529b190c6bf41cba87c68238
Tags: VirusTotal Malware unpack itself
2.4 | | 46 | ZeroCERT
5424 | 2021-02-25 13:15
Sample: mofile.exe | MD5: ca35b660415defe96fe6af4eb3a45d86
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
8.2 | M | 50 | ZeroCERT
5425 | 2021-02-25 13:19
Sample: safile.exe | MD5: fb29c68fcd5e475cb99fa351c4fe2b2a
Tags: VirusTotal Malware unpack itself
2.4 | M | 55 | ZeroCERT
5426 | 2021-02-25 13:20
Sample: sav.exe | MD5: b8d5cdc69c2c1e3a9e3b3c4199afa00f
Tags: VirusTotal Malware unpack itself DNS
3.0 | M | 56 | ZeroCERT
5427 | 2021-02-25 13:47
Sample: svchost.exe | MD5: 4f903d491720ed347758030fb7bd3158
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Checks Bios Detects VirtualBox suspicious process VMware anti-virtualization Windows ComputerName DNS Cryptographic key Software
9.6 | M | 34 | ZeroCERT
5428 | 2021-02-25 13:48
Sample: Showpieces.exe | MD5: a6602f490e70a0c9846906944c01b1ba
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://45.14.13.58:3214/, https://api.ip.sb/geoip
Hosts (7): WHOIS.APNIC.NET(172.104.79.63); whois.iana.org(192.0.32.59); api.ip.sb(172.67.75.172); 45.14.13.58; 104.26.13.31; 192.0.32.59; 172.104.79.63
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
11.6 | M | 57 | ZeroCERT
5429 | 2021-02-25 13:56
Sample: tolkio.php.exe | MD5: 884dab96c679194fc5140322d5ce9e9d
Tags: Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Kovter ComputerName DNS
URLs (6): https://178.54.230.164/rob16/TEST22-PC_W617601.DBB171938B5B3F0E1D3A54BB7A19BB90/14/user/test22/0/, https://178.54.230.164/rob16/TEST22-PC_W617601.DBB171938B5B3F0E1D3A54BB7A19BB90/23/2000026/, https://178.54.230.164/rob16/TEST22-PC_W617601.DBB171938B5B3F0E1D3A54BB7A19BB90/14/DNSBL/listed/0/, https://178.54.230.164/rob16/TEST22-PC_W617601.DBB171938B5B3F0E1D3A54BB7A19BB90/0/Windows%207%20x64%20SP1/1103/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/Zzx3znrPnx1D3fT5F/, https://178.54.230.164/rob16/TEST22-PC_W617601.DBB171938B5B3F0E1D3A54BB7A19BB90/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CInternetFreeDownloadManager6334076800%5Coftolkioxk.dwn/0/, https://178.54.230.164/rob16/TEST22-PC_W617601.DBB171938B5B3F0E1D3A54BB7A19BB90/5/kps/
Hosts (7): 150.134.208.175.b.barracudacentral.org(127.0.0.2); 150.134.208.175.cbl.abuseat.org(); wtfismyip.com(95.217.228.176) - malicious; 150.134.208.175.zen.spamhaus.org(); 95.217.228.176; 185.234.72.84 - malicious; 178.54.230.164
Signatures (4): ET POLICY IP Check wtfismyip.com; ET POLICY curl User-Agent Outbound; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
6.2 | M | 41 | ZeroCERT
5430 | 2021-02-25 14:06
Sample: vbc.exe | MD5: 2201881c6cc2de12c71f906e43178ef9
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
URLs (1): http://www.stremate.webcam/67d/?iB=L60FNlF/jVQ40BBK7iqnLkHUoLc/XzLmTX0PxR1gEKqFaHm4yGeaJYrL3ScYhPqvWFOTG2Zj&lH2h=VTRlddqP-RlHE0U
Hosts (4): www.t-c-o-t-c.com(); www.peakofgoodlife.com(); www.stremate.webcam(207.246.147.192); 207.246.147.250
8.4 | M | 49 | ZeroCERT