5926 | 2021-03-12 18:58 | winlog.exe 9bdc8f00b437a66c1f1f0b6b45849d04 | FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion
8 | http://www.usopencoverage.com/nsag/ http://www.mauriciozarate.com/nsag/ http://www.usopencoverage.com/nsag/?NVlTnb=og4DIg58JlKco58KkdqEYNLQLc3eWWfvHIn4nR8VBNKZeGgyeIgd3wA4BT8g076OhyzEqtq0&lhud=UJB4FDGPbJth http://www.translations.tools/nsag/?NVlTnb=1Yx90tXfD0vRUrwJZLNplGUVoptWSuBjE4n4ChdeuvIOAX2e1438cOyuyQxg5V577ZyhmWQ6&lhud=UJB4FDGPbJth http://www.mauriciozarate.com/nsag/?NVlTnb=Ue04sXlQiii509Shi2umXEvf3gsXdN0yxpr9ZQMQaC4qPH85OcBkfpKqwav3hGwaJkhlOFwu&lhud=UJB4FDGPbJth http://www.explorerthecity.com/nsag/ http://www.explorerthecity.com/nsag/?NVlTnb=nMtIT7UzM1V7BZ5QE53kf7KTbdq7isGDN9UDKAjWuyMqX8tFeFGDukCfRsacMPMH+iu4H70p&lhud=UJB4FDGPbJth http://www.translations.tools/nsag/
14 | www.translations.tools(192.0.78.25) www.5bo5j.com(199.197.13.53) www.856380692.xyz(103.88.34.80) - mailcious www.usopencoverage.com(94.136.40.51) www.explorerthecity.com(91.195.240.94) www.mauriciozarate.com(199.34.228.56) www.bkhlep.xyz(150.95.255.38) 91.195.240.94 - phishing 94.136.40.51 - mailcious 150.95.255.38 - mailcious 103.88.34.80 - suspicious 199.197.13.53 192.0.78.25 - mailcious 199.34.228.56 - malware
2 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
7.4 | M | 37 | ZeroCERT
5927 | 2021-03-12 19:05 | 1090905469.exe 3ab5db8a82b6ca11f37100b4fa751c72 | Azorult .NET framework AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed
3 | http://62.109.7.229/ https://www.bing.com/ https://api.ip.sb/geoip
6 | www.google.com(216.58.197.132) api.ip.sb(172.67.75.172) 216.58.199.100 104.26.12.31 13.107.21.200 62.109.7.229
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
16.6 | M | 10 | ZeroCERT
5928 | 2021-03-12 19:08 | PO_2173_Scanned_13.pdf 0cb0ce99b82727b4701d9aeab2aa4451 | ftp Client info stealer email stealer Win Trojan agentTesla browser Antivirus Google Chrome User Data AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(172.67.188.154) checkip.dyndns.org(162.88.193.70) 172.67.188.154 131.186.161.70
4 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
16.0 | M | 22 | ZeroCERT
5929 | 2021-03-12 22:01 | 49ea147d81571f44dd43ff4abb3792... b774f72c1f50fa5594c027e42eb167b7 | VirusTotal Malware
1.8 | | 61 | guest
5930 | 2021-03-13 10:15 | Deutsche Telekom GMBH.js dab72fabc42d262d099b12ce1f78e2cc | VBScript AutoRuns WMI wscript.exe payload download unpack itself malicious URLs AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS Dropper
1 |
3 | ip-api.com(208.95.112.1) 208.95.112.1 194.5.98.104
1 | ET POLICY External IP Lookup ip-api.com
10.0 | | | ZeroCERT
5931 | 2021-03-13 10:15 | Artwork for packaging new orde... 9e9beaa940f1fa7725c4f767f4328d03 | AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName DNS Cryptographic key Software
1 |
18.8 | | 33 | ZeroCERT
5932 | 2021-03-13 10:29 | MINH)95587509878875HG.exe 6a5b6d86594bce78e78ade15cfc8d088 | AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW human activity check Windows Tor ComputerName DNS DDNS
3 | new2021.myq-see.com(185.140.53.9) 185.140.53.9 185.140.53.138
3 | ET TOR Known Tor Exit Node Traffic group 51 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 51 ET INFO Observed DNS Query to .myq-see .com DDNS Domain
16.8 | | 27 | ZeroCERT
5933 | 2021-03-13 10:31 | ver titulo cobro0021585458933... df745c3bac7bf3a048215fcb8dbe75cb | Azorult .NET framework Google Chrome User Data browser info stealer AsyncRAT backdoor Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger
2 | ochentaremc.duckdns.org(181.52.111.29) 181.52.111.29
1 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
13.4 | | | ZeroCERT
5934 | 2021-03-13 11:01 | 4.exe 3be6d1c77567a69b779c54f5d5d3ed77 | Raccoon Stealer VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed
3.2 | M | 41 | ZeroCERT
5935 | 2021-03-13 11:03 | ver cobro titulo 0021585458933... df745c3bac7bf3a048215fcb8dbe75cb | Azorult .NET framework Google Chrome User Data browser info stealer AsyncRAT backdoor suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key
7.4 | | | ZeroCERT
5936 | 2021-03-14 11:45 | 5.exe 212b12e2686111514455c97b689c8457 | Raccoon Stealer VirusTotal Malware PDB unpack itself Windows crashed
3.0 | M | 46 | ZeroCERT
5937 | 2021-03-14 11:49 | cox.exe bbb95b7fa85fc8a5ed036b545d1818d8 | AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
8.2 | M | 46 | ZeroCERT
5938 | 2021-03-14 11:51 | 6.exe a8028f424afbd92523f47631fe948b7d | Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Windows ComputerName DNS
1 |
3 | fzFRrYhDpUDZFShxZlGePZtXFkn.fzFRrYhDpUDZFShxZlGePZtXFkn() ip-api.com(208.95.112.1) 208.95.112.1
1 | ET POLICY External IP Lookup ip-api.com
10.0 | M | 26 | ZeroCERT
5939 | 2021-03-14 11:56 | governorx.exe bc952e771bda8a30f9c1a18687037644 | email stealer Browser Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Check memory buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS DDNS crashed
2 | cbngroup.duckdns.org(134.19.179.179) 134.19.179.179
1 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
8.2 | M | 20 | ZeroCERT
5940 | 2021-03-14 12:16 | IMG_0103_Scanned_120_37.pdf e5ac1ed6a1f096b7d16362595f913365 | ftp Client info stealer email stealer Win Trojan agentTesla browser Antivirus Google Chrome User Data AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.70) 131.186.113.70 104.21.19.200
4 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.6 | M | 28 | ZeroCERT