| 5896 |
2021-03-11 18:52
|
Invoice.exe f99fbbda34957150a2c05dbb195e7657
Antivirus AsyncRAT backdoor Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Kovter Windows ComputerName DNS Cryptographic key DDNS crashed |
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B941ECD3C6B23E723CAD0DA46DC64E87.html - rule_id: 361
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A2EED919138E5D4606ED44E8BE0B7D61.html - rule_id: 361
|
5
moneymoney98.ddns.net(23.227.202.250)
liverpoolofcfanclub.com(172.67.174.240) - mailcious
23.227.202.250
172.67.174.240
104.21.31.39 - mailcious
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/
http://liverpoolofcfanclub.com/liverpool-fc-news/features/
|
13.6 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5897 |
2021-03-12 09:19
|
Payment Invoice.exe 11aba0510bad95a7b385c86d00d9626c
AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows DNS Cryptographic key |
1
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B570610122DD0E0BD6A6020C4AB66FC9.html - rule_id: 361
|
3
liverpoolofcfanclub.com(172.67.174.240) - mailcious
23.105.131.217
172.67.174.240
|
|
1
http://liverpoolofcfanclub.com/liverpool-fc-news/features/
|
12.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5898 |
2021-03-12 09:56
|
9BodUd5kI1nYXHR.exe 92ba638ea41b8d8653906fc653e54aa0
Loki Azorult .NET framework Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://www.cambridgelodge.com.au/wp-admin/js/Panel/five/fre.php - rule_id: 295
|
2
www.cambridgelodge.com.au(27.121.66.73) - mailcious
27.121.66.73 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://www.cambridgelodge.com.au/wp-admin/js/Panel/five/fre.php
|
11.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5899 |
2021-03-12 10:21
|
REQUEST FOR QUOTATION.exe 0de43aaaea16c9a582370553e9edecf1
AsyncRAT backdoor VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
9.6 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5900 |
2021-03-12 10:21
|
Payment receipt.exe 2bd6dce81140df7d3b1aded2093bfddc
Antivirus AsyncRAT backdoor VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F7555F59805560CF2805C28E652A2475.html - rule_id: 361
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5A586201F5280DFB96F94F51B83AEFA9.html - rule_id: 361
|
3
liverpoolofcfanclub.com(104.21.31.39) - mailcious
23.105.131.217
104.21.31.39 - mailcious
|
|
2
http://liverpoolofcfanclub.com/liverpool-fc-news/features/
http://liverpoolofcfanclub.com/liverpool-fc-news/features/
|
15.0 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5901 |
2021-03-12 11:55
|
493745173.exe b582051ea2ba53c5c4c57e0580e88bd1
UltraVNC VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Windows DNS Cryptographic key crashed |
|
1
|
|
|
7.0 |
M |
55 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5902 |
2021-03-12 11:56
|
117627132.exe 8facf3fbd4f254baa6cff18055fba078
AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs suspicious TLD Tofsee Windows DNS Cryptographic key |
1
https://2ttp.tolganfor.ru/SystemCodeDomCompilerCodeDomCompilationConfigurationSectionHandlerl
|
2
2ttp.tolganfor.ru(81.177.139.41)
81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
52 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5903 |
2021-03-12 12:42
|
675933445.exe 6570ab9cc7574be94cbd7def47089e76
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://45.144.29.195:3214/
https://pp.sldov.ru/SystemNetConfigurationSmtpSpecifiedPickupDirectoryElementInternalL
https://api.ip.sb/geoip
|
5
pp.sldov.ru(81.177.139.41) - mailcious
api.ip.sb(104.26.12.31)
81.177.139.41 - malware
104.26.13.31
45.144.29.195
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
14.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5904 |
2021-03-12 12:44
|
494818992.exe a1dbce02232adc2298ea67e387694b42VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Remote Code Execution DNS |
|
|
|
|
10.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5905 |
2021-03-12 13:43
|
872027265.exe f9193808726bf166c76170b5020edb00
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs suspicious TLD installed browsers check Tofsee Ransomware Windows Browser ComputerName Cryptographic key Software crashed |
3
http://tallipere.xyz/
https://uhuua.ru/NewtonsoftJsonUtilitiesReflectionUtilscDisplayClassP
https://api.ip.sb/geoip
|
10
WHOIS.APNIC.NET(172.104.79.63)
uhuua.ru(81.177.139.41)
whois.iana.org(192.0.32.59)
tallipere.xyz(94.140.115.156)
api.ip.sb(172.67.75.172)
172.104.77.201
192.0.32.59
104.26.12.31
81.177.139.41 - malware
94.140.115.156
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.2 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5906 |
2021-03-12 13:44
|
1618469631.exe 31055a78f49e732959933d81f7ee4de1
Azorult .NET framework AsyncRAT backdoor VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Windows DNS Cryptographic key |
|
1
|
|
|
5.6 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5907 |
2021-03-12 14:14
|
1694582027.exe e4e9be25d58ace415d3c1481986b99ff
AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs suspicious TLD Tofsee Windows Cryptographic key |
1
https://1pri.oradza.ru/SystemNetHttpListenerDisconnectAsyncResultv
|
2
1pri.oradza.ru(81.177.139.41)
81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5908 |
2021-03-12 14:15
|
1740773763.exe cf75f0b1db8bf6733a56de4e83185314Malware download VirusTotal Malware Check memory Creates executable files unpack itself suspicious process malicious URLs WriteConsoleW WordPress DNS |
|
2
stone-premium.com(108.167.142.232) - malware
108.167.142.232 - malware
|
1
ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
|
|
5.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5909 |
2021-03-12 14:24
|
1776646202.exe c4007a10fead6776db900abff2ae55b2
AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs suspicious TLD Tofsee Windows DNS Cryptographic key |
1
https://i.itdenther.ru/SystemNetUnsafeNclNativeMethodsRegistryHelpern
|
2
i.itdenther.ru(81.177.139.41)
81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5910 |
2021-03-12 14:25
|
1873085694.exe fea26a213a022eb79c3f7dee7f9d107a
UltraVNC AsyncRAT backdoor VirusTotal Malware Buffer PE PDB Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs suspicious TLD Tofsee Windows Cryptographic key crashed |
3
https://xnw.itdenther.ru/855732125.exe
https://pp.sldov.ru/856125340.exe
https://50n0.tolganfor.ru/SystemNetHttpListenerExceptionU
|
4
pp.sldov.ru(81.177.139.41) - mailcious
50n0.tolganfor.ru(81.177.139.41) - malware
xnw.itdenther.ru(81.177.139.41)
81.177.139.41 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|