| 5926 |
2021-03-12 18:58
|
winlog.exe 9bdc8f00b437a66c1f1f0b6b45849d04
FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion |
8
http://www.usopencoverage.com/nsag/
http://www.mauriciozarate.com/nsag/
http://www.usopencoverage.com/nsag/?NVlTnb=og4DIg58JlKco58KkdqEYNLQLc3eWWfvHIn4nR8VBNKZeGgyeIgd3wA4BT8g076OhyzEqtq0&lhud=UJB4FDGPbJth
http://www.translations.tools/nsag/?NVlTnb=1Yx90tXfD0vRUrwJZLNplGUVoptWSuBjE4n4ChdeuvIOAX2e1438cOyuyQxg5V577ZyhmWQ6&lhud=UJB4FDGPbJth
http://www.mauriciozarate.com/nsag/?NVlTnb=Ue04sXlQiii509Shi2umXEvf3gsXdN0yxpr9ZQMQaC4qPH85OcBkfpKqwav3hGwaJkhlOFwu&lhud=UJB4FDGPbJth
http://www.explorerthecity.com/nsag/
http://www.explorerthecity.com/nsag/?NVlTnb=nMtIT7UzM1V7BZ5QE53kf7KTbdq7isGDN9UDKAjWuyMqX8tFeFGDukCfRsacMPMH+iu4H70p&lhud=UJB4FDGPbJth
http://www.translations.tools/nsag/
|
14
www.translations.tools(192.0.78.25)
www.5bo5j.com(199.197.13.53)
www.856380692.xyz(103.88.34.80) - mailcious
www.usopencoverage.com(94.136.40.51)
www.explorerthecity.com(91.195.240.94)
www.mauriciozarate.com(199.34.228.56)
www.bkhlep.xyz(150.95.255.38)
91.195.240.94 - phishing
94.136.40.51 - mailcious
150.95.255.38 - mailcious
103.88.34.80 - suspicious
199.197.13.53
192.0.78.25 - mailcious
199.34.228.56 - malware
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
7.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5927 |
2021-03-12 19:05
|
1090905469.exe 3ab5db8a82b6ca11f37100b4fa751c72
Azorult .NET framework AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://62.109.7.229/
https://www.bing.com/
https://api.ip.sb/geoip
|
6
www.google.com(216.58.197.132)
api.ip.sb(172.67.75.172)
216.58.199.100
104.26.12.31
13.107.21.200
62.109.7.229
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
16.6 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5928 |
2021-03-12 19:08
|
PO_2173_Scanned_13.pdf 0cb0ce99b82727b4701d9aeab2aa4451
ftp Client info stealer email stealer Win Trojan agentTesla browser Antivirus Google Chrome User Data AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(162.88.193.70)
172.67.188.154
131.186.161.70
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
16.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5929 |
2021-03-12 22:01
|
49ea147d81571f44dd43ff4abb3792... b774f72c1f50fa5594c027e42eb167b7VirusTotal Malware |
|
|
|
|
1.8 |
|
61 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5930 |
2021-03-13 10:15
|
Deutsche Telekom GMBH.js dab72fabc42d262d099b12ce1f78e2ccVBScript AutoRuns WMI wscript.exe payload download unpack itself malicious URLs AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS Dropper |
1
|
3
ip-api.com(208.95.112.1)
208.95.112.1
194.5.98.104
|
1
ET POLICY External IP Lookup ip-api.com
|
|
10.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5931 |
2021-03-13 10:15
|
Artwork for packaging new orde... 9e9beaa940f1fa7725c4f767f4328d03
AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName DNS Cryptographic key Software |
|
1
|
|
|
18.8 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5932 |
2021-03-13 10:29
|
MINH)95587509878875HG.exe 6a5b6d86594bce78e78ade15cfc8d088
AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW human activity check Windows Tor ComputerName DNS DDNS |
|
3
new2021.myq-see.com(185.140.53.9)
185.140.53.9
185.140.53.138
|
3
ET TOR Known Tor Exit Node Traffic group 51
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 51
ET INFO Observed DNS Query to .myq-see .com DDNS Domain
|
|
16.8 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5933 |
2021-03-13 10:31
|
ver titulo cobro0021585458933... df745c3bac7bf3a048215fcb8dbe75cb
Azorult .NET framework Google Chrome User Data browser info stealer AsyncRAT backdoor Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger |
|
2
ochentaremc.duckdns.org(181.52.111.29)
181.52.111.29
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
13.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5934 |
2021-03-13 11:01
|
4.exe 3be6d1c77567a69b779c54f5d5d3ed77
Raccoon Stealer VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
3.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5935 |
2021-03-13 11:03
|
ver cobro titulo 0021585458933... df745c3bac7bf3a048215fcb8dbe75cb
Azorult .NET framework Google Chrome User Data browser info stealer AsyncRAT backdoor suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5936 |
2021-03-14 11:45
|
5.exe 212b12e2686111514455c97b689c8457
Raccoon Stealer VirusTotal Malware PDB unpack itself Windows crashed |
|
|
|
|
3.0 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5937 |
2021-03-14 11:49
|
cox.exe bbb95b7fa85fc8a5ed036b545d1818d8
AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
8.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5938 |
2021-03-14 11:51
|
6.exe a8028f424afbd92523f47631fe948b7d
Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Windows ComputerName DNS |
1
|
3
fzFRrYhDpUDZFShxZlGePZtXFkn.fzFRrYhDpUDZFShxZlGePZtXFkn()
ip-api.com(208.95.112.1)
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
10.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5939 |
2021-03-14 11:56
|
governorx.exe bc952e771bda8a30f9c1a18687037644
email stealer Browser Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Check memory buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS DDNS crashed |
|
2
cbngroup.duckdns.org(134.19.179.179)
134.19.179.179
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
8.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5940 |
2021-03-14 12:16
|
IMG_0103_Scanned_120_37.pdf e5ac1ed6a1f096b7d16362595f913365
ftp Client info stealer email stealer Win Trojan agentTesla browser Antivirus Google Chrome User Data AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(216.146.43.70)
131.186.113.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|