5476 | 2021-02-26 13:26
RF_IMG_7510.jpg.exe 3a89cf2d6d2449ef1a9640af29f3a782 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed
14.4 | M | 24 | ZeroCERT

5477 | 2021-02-26 13:45
winlog.exe 456dfe1f5220c97f904bd4704ea34956 VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs sandbox evasion ComputerName crashed
4.8 | M | 24 | ZeroCERT

5478 | 2021-02-26 13:45
ZkKfnBXzyAM9ArT.jpg.exe df86b2b21f34d6e798d6637dca03ca75 VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS DDNS keylogger
3
shahzad73.casacam.net(91.212.153.84) shahzad73.ddns.net() 91.212.153.84
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
14.8 | M | 32 | ZeroCERT

5479 | 2021-02-26 14:22
6hy67438ue.exe 77be0dd6570301acac3634801676b5d7 VirusTotal Malware malicious URLs IP Check crashed
1
http://api.ipify.org/?format=xml
2
api.ipify.org(50.19.96.218) 23.21.76.253
1
ET POLICY External IP Lookup (ipify .org)
3.4 | M | 61 | ZeroCERT

5480 | 2021-02-26 14:33
http://sundancemotelwy.com/dum... 2b1eb009e6282801c4ec6a417e9861e5 VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
2
sundancemotelwy.com(192.64.118.72) - malware 192.64.118.72 - malware
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP SURICATA HTTP unable to match response to request
4.6 | M | 35 | ZeroCERT

5481 | 2021-02-26 14:37
4b70ed83db2eef5a_10[1].strike 2b1eb009e6282801c4ec6a417e9861e5 Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName DNS crashed
1
https://45.155.173.242/rob64/TEST22-PC_W617601.0B3E53FB14C3BBC4D5B73E7BB4057318/5/file/ - rule_id: 282
4
142.112.79.223 41.77.134.250 - mailcious 45.155.173.242 - mailcious 131.255.106.152
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 16
1
6.2 | M | 35 | ZeroCERT

5482 | 2021-02-26 16:07
2202.gif 89b3aee211253205a4076bd11ab673e0 VirusTotal Malware Checks debugger unpack itself
2.8 | | 40 | guest

5483 | 2021-02-27 11:41
Actualizacion 20210225facturay... ebe97dd3dfed6709339e442aa411fb3a VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger
2
sesentaycuatrorem.duckdns.org(181.58.152.36) 181.58.152.36
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
11.0 | | 27 | ZeroCERT

5484 | 2021-02-27 11:41
Hora, Lugar y hora.vbs 4f8a13f5cc132e50e3cfa031f571745f Malware VBScript powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key DDNS Dropper
3
http://elvbs.store/vbs/2278466649.txt - rule_id: 289 https://paste.ee/r/bXy8G/0 - rule_id: 290 https://paste.ee/r/WbDha/0 - rule_id: 291
7
paste.ee(104.21.45.223) - mailcious elvbs.store(31.170.166.149) - malware negamerproteiper87.duckdns.org(46.246.82.80) - mailcious 104.21.45.223 - mailcious 46.246.82.80 172.67.219.133 - mailcious 31.170.166.149 - malware
2
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3
http://elvbs.store/vbs/ https://paste.ee/r/bXy8G/0 https://paste.ee/r/WbDha/0
10.0 | M | | ZeroCERT

5485 | 2021-02-27 11:46
anexo de la demanda y copia de... ebe97dd3dfed6709339e442aa411fb3a VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger
2
sesentaycuatrorem.duckdns.org(181.58.152.36) 181.58.152.36
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
11.4 | | 27 | ZeroCERT

5486 | 2021-02-27 11:47
FACTURA OBLIGACION No. 293130... a4e92f97f6c1513ab175beeb73499036 AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS DDNS keylogger
1
telo1928.duckdns.org(192.168.0.17)
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
10.6 | | | ZeroCERT

5487 | 2021-02-27 11:52
Lugar, Fecha y Hora.vbs 4f8a13f5cc132e50e3cfa031f571745f Malware VBScript powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key DDNS Dropper
3
http://elvbs.store/vbs/2278466649.txt - rule_id: 289 https://paste.ee/r/bXy8G/0 - rule_id: 290 https://paste.ee/r/WbDha/0 - rule_id: 291
6
paste.ee(104.21.45.223) - mailcious elvbs.store(31.170.166.149) - malware negamerproteiper87.duckdns.org(46.246.82.80) - mailcious 104.21.45.223 - mailcious 31.170.166.149 - malware 46.246.82.80
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3
http://elvbs.store/vbs/ https://paste.ee/r/bXy8G/0 https://paste.ee/r/WbDha/0
10.0 | M | | ZeroCERT

5488 | 2021-02-27 11:53
SOPORTES DE FACTURAS VENCIDAD ... 5af8b654df3d856dbaca4cc3fcfe74f6 Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
3
http://elvbs.store/vbs/28244404670.txt - rule_id: 289 http://elvbs.store/vbs/28244404670.txt https://paste.ee/r/WbDha/0 - rule_id: 291
5
paste.ee(172.67.219.133) - mailcious elvbs.store(31.170.166.149) - malware 172.67.219.133 - mailcious 185.19.85.143 31.170.166.149 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2
http://elvbs.store/vbs/ https://paste.ee/r/WbDha/0
16.4 | M | | ZeroCERT

5489 | 2021-02-27 11:55
http://oxcoz.com/nydprgwf/4425... d41d8cd98f00b204e9800998ecf8427e VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
3
http://oxcoz.com/nydprgwf/44252.dat http://oxcoz.com/favicon.ico http://oxcoz.com/wp-includes/images/w-logo-blue-white-bg.png
2
oxcoz.com(13.126.201.250) - malware 13.126.201.250 - malware
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 | | | ZeroCERT

5490 | 2021-02-27 11:57
Attachment_778094.xlsb 7a4b28a0fefe24ec6a85cb4990acbd26 VirusTotal Malware Malicious Traffic Check memory Creates executable files unpack itself malicious URLs Tofsee DNS crashed
2
http://195.123.220.249/campo/t2/t2 https://www.yahoo.com/
5
yahoo.com(98.137.11.163) www.yahoo.com(202.165.107.50) 195.123.220.249 - mailcious 202.165.107.50 74.6.231.20
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 | | 11 | ZeroCERT