| 6376 |
2021-03-22 19:33
|
 6057f0b3469f5f4a8c5b2301 efd98f09ec7ba7786c52de27e584521f
VirusTotal Malware DNS |
|
|
|
|
1.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6377 |
2021-03-22 19:33
|
clr.exe 3a7d2f1815f84f8f678af316d2475e34
UltraVNC Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://74.119.193.164:3214/
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
74.119.193.164
104.26.13.31
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
10.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6378 |
2021-03-22 19:35
|
WSJ.exe 268be7c17bc610c75f97fea90cfedd19VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS |
|
|
|
|
3.2 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6379 |
2021-03-22 19:38
|
t1st7fiw71PI8ri.exe 6068539d04dfe381fb260a9448bfcd04
Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS crashed |
|
|
|
|
12.4 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6380 |
2021-03-22 19:38
|
 proxy1.exe bcd2583086d55ae0e1444378c2892c1dunpack itself Remote Code Execution |
|
|
|
|
1.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6381 |
2021-03-22 19:38
|
 file.exe 62321000418c3b540e76298b71794e94VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6382 |
2021-03-22 19:43
|
PlayerUI4.exe d6687321a99faf81d8a0e0df030fb8ce
Emotet Gen AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder Tofsee Windows Advertising ComputerName DNS crashed |
10
http://mytoolsprivacy.site/downloads/privacytools3.exe - rule_id: 476
http://103.124.106.203/cof4/inst.exe - rule_id: 474
http://whatitis.site/dlc/mixinte - rule_id: 472
http://aretywer.xyz/Corepad092.exe - rule_id: 477
http://file.ekkggr3.com/iuww/jvppp.exe - rule_id: 475
http://188.93.233.223/proxy1.exe - rule_id: 473
https://iplogger.org/1ixtu7
https://iplogger.org/1lp5k
https://pastebin.com/raw/mH2EJxkv - rule_id: 469
https://iplogger.org/1hVa87
|
23
aretywer.xyz(45.144.30.78) - malware
digitalassets.ams3.digitaloceanspaces.com(5.101.110.225) - malware
mytoolsprivacy.site(179.43.158.179) - malware
jg3.3uag.pw()
whatitis.site(91.200.41.57) - malware
iplogger.org(88.99.66.31)
d0wnl0ads.online() - mailcious
pastebin.com(104.23.98.190) - mailcious
file.ekkggr3.com(104.21.66.169) - malware
msiamericas.com(141.136.39.190)
www.investinae.com(108.167.143.77)
172.67.162.110 - malware
45.133.1.139 - malware
188.93.233.223 - malware
103.124.106.203 - malware
88.99.66.31 - mailcious
141.136.39.190
179.43.158.179 - malware
45.144.30.78 - malware
104.23.98.190 - mailcious
5.101.110.225 - malware
91.200.41.57
108.167.143.77
|
9
ET INFO Executable Download from dotted-quad Host
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.pw domain - Likely Hostile
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Packed Executable Download
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
7
http://mytoolsprivacy.site/downloads/privacytools3.exe
http://103.124.106.203/cof4/inst.exe
http://whatitis.site/dlc/mixinte
http://aretywer.xyz/Corepad092.exe
http://file.ekkggr3.com/iuww/jvppp.exe
http://188.93.233.223/proxy1.exe
https://pastebin.com/raw/mH2EJxkv
|
18.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6383 |
2021-03-22 19:48
|
PlayerUI.exe 1bce563f5e72b35bc1d2b0c9429c503b
Trojan_PWS_Stealer Credential User Data Emotet Antivirus AsyncRAT backdoor SQLite Cookie Gen Browser Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser Advertising ComputerName DNS crashed |
14
http://mytoolsprivacy.site/downloads/privacytools3.exe - rule_id: 476
http://www.fddnice.pw/ - rule_id: 482
http://103.124.106.203/cof4/inst.exe - rule_id: 474
http://www.cncode.pw/ - rule_id: 481
http://whatitis.site/dlc/mixinte - rule_id: 472
http://aretywer.xyz/Corepad092.exe - rule_id: 477
http://www.fjzbqb.com/Home/Index/lkdinl - rule_id: 483
http://file.ekkggr3.com/iuww/jvppp.exe - rule_id: 475
http://188.93.233.223/proxy1.exe - rule_id: 473
https://iplogger.org/1Gbzj7
https://iplogger.org/1ixtu7
https://iplogger.org/1iPtu7
https://pastebin.com/raw/mH2EJxkv - rule_id: 469
https://iplogger.org/1hVa87
|
31
digitalassets.ams3.digitaloceanspaces.com(5.101.110.225) - malware
aretywer.xyz(45.144.30.78) - malware
mytoolsprivacy.site(179.43.158.179) - malware
jg3.3uag.pw()
whatitis.site(92.63.99.163) - malware
file.ekkggr3.com(104.21.66.169) - malware
www.fddnice.pw(103.155.92.58) - mailcious
iplogger.org(88.99.66.31)
d0wnl0ads.online() - mailcious
www.fjzbqb.com(188.225.87.175) - mailcious
pastebin.com(104.23.98.190) - mailcious
www.cncode.pw(144.202.76.47) - mailcious
msiamericas.com(141.136.39.190)
www.yzxjgr.com(103.155.92.70) - malware
www.investinae.com(108.167.143.77)
92.63.99.163 - malware
172.67.162.110 - malware
103.155.92.70 - malware
188.93.233.223 - malware
103.124.106.203 - malware
88.99.66.31 - mailcious
141.136.39.190
104.23.99.190 - mailcious
179.43.158.179 - malware
45.144.30.78 - malware
144.202.76.47
188.225.87.175 - mailcious
5.101.110.225 - malware
103.155.92.58 - mailcious
45.133.1.139 - malware
108.167.143.77
|
10
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO HTTP Request to a *.pw domain
|
10
http://mytoolsprivacy.site/downloads/privacytools3.exe
http://www.fddnice.pw/
http://103.124.106.203/cof4/inst.exe
http://www.cncode.pw/
http://whatitis.site/dlc/mixinte
http://aretywer.xyz/Corepad092.exe
http://www.fjzbqb.com/Home/Index/lkdinl
http://file.ekkggr3.com/iuww/jvppp.exe
http://188.93.233.223/proxy1.exe
https://pastebin.com/raw/mH2EJxkv
|
21.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6384 |
2021-03-22 19:49
|
 askinstall28.exe 06035c751a095a6cbcd82229c8df63f9
Trojan_PWS_Stealer Credential User Data Emotet Antivirus AsyncRAT backdoor SQLite Cookie Gen Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution DNS crashed |
4
http://www.cncode.pw/ - rule_id: 481
http://www.fjzbqb.com/Home/Index/lkdinl - rule_id: 483
http://www.fddnice.pw/ - rule_id: 482
https://iplogger.org/1Gbzj7
|
8
iplogger.org(88.99.66.31)
www.fjzbqb.com(188.225.87.175) - mailcious
www.fddnice.pw(103.155.92.58) - mailcious
www.cncode.pw(144.202.76.47) - mailcious
88.99.66.31 - mailcious
144.202.76.47
188.225.87.175 - mailcious
103.155.92.58 - mailcious
|
3
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO HTTP Request to a *.pw domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
3
http://www.cncode.pw/
http://www.fjzbqb.com/Home/Index/lkdinl
http://www.fddnice.pw/
|
11.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6385 |
2021-03-23 07:47
|
44277.6991231482.dat 9899291ba05ceb1414f53a323bd81bc0IcedID Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName DNS |
3
http://azorropulseee.fun/
https://oktavius34flo.website/news/1/255/0
https://aws.amazon.com/
|
7
azorropulseee.fun(167.172.240.248)
aws.amazon.com(13.225.123.73)
oktavius34flo.website(162.243.164.215)
littleshitthu.space(162.243.164.215)
162.243.164.215
99.86.203.73
167.172.240.248
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET MALWARE Win32/IcedID Requesting Encoded Binary M4
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6386 |
2021-03-23 07:54
|
income.exe b2ab5d8639c89d42acbdc362b86aca91
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html - rule_id: 462
|
2
liverpoolsupporters9.com(104.21.88.100) - mailcious
172.67.176.78
|
|
1
http://liverpoolsupporters9.com/liverpool-fc-news/
|
13.8 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6387 |
2021-03-23 07:56
|
http://185.250.148.252/44277.6... VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
162.243.164.215
185.250.148.252
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6388 |
2021-03-23 08:07
|
http://195.242.110.126/2021/Ms... de6717de7bd1daa595c0b00887c25f05VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://195.242.110.126/2021/MsWord.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.6 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6389 |
2021-03-23 08:26
|
IMG_501_76_1775.pdf b7b4beb6f830ff790cf1f21015cf92d6
Antivirus AsyncRAT backdoor Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
2
http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8C78FEF9D7DEEA83DEC8531E2C59D886.html - rule_id: 462
http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-29CD977A7A361AF2606F27C6B01DEE59.html - rule_id: 462
|
3
liverpoolsupporters9.com(104.21.88.100) - mailcious
87.251.79.157 - mailcious
172.67.176.78
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
2
http://liverpoolsupporters9.com/liverpool-fc-news/
http://liverpoolsupporters9.com/liverpool-fc-news/
|
16.2 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6390 |
2021-03-23 10:32
|
rl8.exe 5ab10b180aca215ff3af5ec0e0e00b87Malware download Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities suspicious process sandbox evasion Kovter Windows ComputerName DNS |
1
https://35.166.81.240/waters/travel/new21
|
2
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
|
|
11.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|