5896 |
2021-03-11 18:52
|
Invoice.exe f99fbbda34957150a2c05dbb195e7657 Antivirus AsyncRAT backdoor Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Kovter Windows ComputerName DNS Cryptographic key DDNS crashed |
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B941ECD3C6B23E723CAD0DA46DC64E87.html - rule_id: 361 http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A2EED919138E5D4606ED44E8BE0B7D61.html - rule_id: 361
|
5
moneymoney98.ddns.net(23.227.202.250) liverpoolofcfanclub.com(172.67.174.240) - mailcious 23.227.202.250 172.67.174.240 104.21.31.39 - mailcious
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/ http://liverpoolofcfanclub.com/liverpool-fc-news/features/
|
13.6 |
M |
12 |
ZeroCERT
5897 |
2021-03-12 09:19
|
Payment Invoice.exe 11aba0510bad95a7b385c86d00d9626c AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows DNS Cryptographic key |
1
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B570610122DD0E0BD6A6020C4AB66FC9.html - rule_id: 361
|
3
liverpoolofcfanclub.com(172.67.174.240) - mailcious 23.105.131.217 172.67.174.240
|
|
1
http://liverpoolofcfanclub.com/liverpool-fc-news/features/
|
12.4 |
M |
15 |
ZeroCERT
5898 |
2021-03-12 09:56
|
9BodUd5kI1nYXHR.exe 92ba638ea41b8d8653906fc653e54aa0 Loki Azorult .NET framework Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://www.cambridgelodge.com.au/wp-admin/js/Panel/five/fre.php - rule_id: 295
|
2
www.cambridgelodge.com.au(27.121.66.73) - mailcious 27.121.66.73 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://www.cambridgelodge.com.au/wp-admin/js/Panel/five/fre.php
|
11.6 |
M |
|
ZeroCERT
5899 |
2021-03-12 10:21
|
REQUEST FOR QUOTATION.exe 0de43aaaea16c9a582370553e9edecf1 AsyncRAT backdoor VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
9.6 |
|
22 |
ZeroCERT
5900 |
2021-03-12 10:21
|
Payment receipt.exe 2bd6dce81140df7d3b1aded2093bfddc Antivirus AsyncRAT backdoor VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F7555F59805560CF2805C28E652A2475.html - rule_id: 361 http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5A586201F5280DFB96F94F51B83AEFA9.html - rule_id: 361
|
3
liverpoolofcfanclub.com(104.21.31.39) - mailcious 23.105.131.217 104.21.31.39 - mailcious
|
|
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/ http://liverpoolofcfanclub.com/liverpool-fc-news/features/
|
15.0 |
M |
14 |
ZeroCERT
5901 |
2021-03-12 11:55
|
493745173.exe b582051ea2ba53c5c4c57e0580e88bd1 UltraVNC VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Windows DNS Cryptographic key crashed |
|
1
|
|
|
7.0 |
M |
55 |
guest
5902 |
2021-03-12 11:56
|
117627132.exe 8facf3fbd4f254baa6cff18055fba078 AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs suspicious TLD Tofsee Windows DNS Cryptographic key |
1
https://2ttp.tolganfor.ru/SystemCodeDomCompilerCodeDomCompilationConfigurationSectionHandlerl
|
2
2ttp.tolganfor.ru(81.177.139.41) 81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
52 |
guest
5903 |
2021-03-12 12:42
|
675933445.exe 6570ab9cc7574be94cbd7def47089e76 AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://45.144.29.195:3214/ https://pp.sldov.ru/SystemNetConfigurationSmtpSpecifiedPickupDirectoryElementInternalL https://api.ip.sb/geoip
|
5
pp.sldov.ru(81.177.139.41) - mailcious api.ip.sb(104.26.12.31) 81.177.139.41 - malware 104.26.13.31 45.144.29.195
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
14.0 |
M |
43 |
ZeroCERT
5904 |
2021-03-12 12:44
|
494818992.exe a1dbce02232adc2298ea67e387694b42 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Remote Code Execution DNS |
|
|
|
|
10.6 |
M |
53 |
ZeroCERT
5905 |
2021-03-12 13:43
|
872027265.exe f9193808726bf166c76170b5020edb00 AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs suspicious TLD installed browsers check Tofsee Ransomware Windows Browser ComputerName Cryptographic key Software crashed |
3
http://tallipere.xyz/ https://uhuua.ru/NewtonsoftJsonUtilitiesReflectionUtilscDisplayClassP https://api.ip.sb/geoip
|
10
WHOIS.APNIC.NET(172.104.79.63) uhuua.ru(81.177.139.41) whois.iana.org(192.0.32.59) tallipere.xyz(94.140.115.156) api.ip.sb(172.67.75.172) 172.104.77.201 192.0.32.59 104.26.12.31 81.177.139.41 - malware 94.140.115.156
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.2 |
M |
55 |
ZeroCERT
5906 |
2021-03-12 13:44
|
1618469631.exe 31055a78f49e732959933d81f7ee4de1 Azorult .NET framework AsyncRAT backdoor VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Windows DNS Cryptographic key |
|
1
|
|
|
5.6 |
M |
55 |
ZeroCERT
5907 |
2021-03-12 14:14
|
1694582027.exe e4e9be25d58ace415d3c1481986b99ff AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs suspicious TLD Tofsee Windows Cryptographic key |
1
https://1pri.oradza.ru/SystemNetHttpListenerDisconnectAsyncResultv
|
2
1pri.oradza.ru(81.177.139.41) 81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
53 |
ZeroCERT
5908 |
2021-03-12 14:15
|
1740773763.exe cf75f0b1db8bf6733a56de4e83185314 Malware download VirusTotal Malware Check memory Creates executable files unpack itself suspicious process malicious URLs WriteConsoleW WordPress DNS |
|
2
stone-premium.com(108.167.142.232) - malware 108.167.142.232 - malware
|
1
ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
|
|
5.2 |
M |
34 |
ZeroCERT
5909 |
2021-03-12 14:24
|
1776646202.exe c4007a10fead6776db900abff2ae55b2 AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs suspicious TLD Tofsee Windows DNS Cryptographic key |
1
https://i.itdenther.ru/SystemNetUnsafeNclNativeMethodsRegistryHelpern
|
2
i.itdenther.ru(81.177.139.41) 81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
32 |
ZeroCERT
5910 |
2021-03-12 14:25
|
1873085694.exe fea26a213a022eb79c3f7dee7f9d107a UltraVNC AsyncRAT backdoor VirusTotal Malware Buffer PE PDB Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs suspicious TLD Tofsee Windows Cryptographic key crashed |
3
https://xnw.itdenther.ru/855732125.exe https://pp.sldov.ru/856125340.exe https://50n0.tolganfor.ru/SystemNetHttpListenerExceptionU
|
4
pp.sldov.ru(81.177.139.41) - mailcious 50n0.tolganfor.ru(81.177.139.41) - malware xnw.itdenther.ru(81.177.139.41) 81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
49 |
ZeroCERT