6376 | 2021-03-22 19:33 | 6057f0b3469f5f4a8c5b2301 efd98f09ec7ba7786c52de27e584521f VirusTotal Malware DNS
|
|
|
|
1.4 | M | 21 | ZeroCERT
6377 | 2021-03-22 19:33 | clr.exe 3a7d2f1815f84f8f678af316d2475e34 UltraVNC Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed
2 | http://74.119.193.164:3214/ https://api.ip.sb/geoip
3 | api.ip.sb(172.67.75.172) 74.119.193.164 104.26.13.31
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
10.6 | M | 37 | ZeroCERT
6378 | 2021-03-22 19:35 | WSJ.exe 268be7c17bc610c75f97fea90cfedd19 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS
|
|
|
|
3.2 | M | 42 | ZeroCERT
6379 | 2021-03-22 19:38 | t1st7fiw71PI8ri.exe 6068539d04dfe381fb260a9448bfcd04 Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS crashed
|
|
|
|
12.4 | M | 13 | ZeroCERT
6380 | 2021-03-22 19:38 | proxy1.exe bcd2583086d55ae0e1444378c2892c1d unpack itself Remote Code Execution
|
|
|
|
1.6 | M | | ZeroCERT
6381 | 2021-03-22 19:38 | file.exe 62321000418c3b540e76298b71794e94 VirusTotal Malware unpack itself Remote Code Execution
|
|
|
|
2.4 | M | 21 | ZeroCERT
6382 | 2021-03-22 19:43 | PlayerUI4.exe d6687321a99faf81d8a0e0df030fb8ce Emotet Gen AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder Tofsee Windows Advertising ComputerName DNS crashed
10 | http://mytoolsprivacy.site/downloads/privacytools3.exe - rule_id: 476 http://103.124.106.203/cof4/inst.exe - rule_id: 474 http://whatitis.site/dlc/mixinte - rule_id: 472 http://aretywer.xyz/Corepad092.exe - rule_id: 477 http://file.ekkggr3.com/iuww/jvppp.exe - rule_id: 475 http://188.93.233.223/proxy1.exe - rule_id: 473 https://iplogger.org/1ixtu7 https://iplogger.org/1lp5k https://pastebin.com/raw/mH2EJxkv - rule_id: 469 https://iplogger.org/1hVa87
23 | aretywer.xyz(45.144.30.78) - malware digitalassets.ams3.digitaloceanspaces.com(5.101.110.225) - malware mytoolsprivacy.site(179.43.158.179) - malware jg3.3uag.pw() whatitis.site(91.200.41.57) - malware iplogger.org(88.99.66.31) d0wnl0ads.online() - mailcious pastebin.com(104.23.98.190) - mailcious file.ekkggr3.com(104.21.66.169) - malware msiamericas.com(141.136.39.190) www.investinae.com(108.167.143.77) 172.67.162.110 - malware 45.133.1.139 - malware 188.93.233.223 - malware 103.124.106.203 - malware 88.99.66.31 - mailcious 141.136.39.190 179.43.158.179 - malware 45.144.30.78 - malware 104.23.98.190 - mailcious 5.101.110.225 - malware 91.200.41.57 108.167.143.77
9 | ET INFO Executable Download from dotted-quad Host SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.pw domain - Likely Hostile SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO Packed Executable Download ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
7 | http://mytoolsprivacy.site/downloads/privacytools3.exe http://103.124.106.203/cof4/inst.exe http://whatitis.site/dlc/mixinte http://aretywer.xyz/Corepad092.exe http://file.ekkggr3.com/iuww/jvppp.exe http://188.93.233.223/proxy1.exe https://pastebin.com/raw/mH2EJxkv
18.6 | M | 37 | ZeroCERT
6383 | 2021-03-22 19:48 | PlayerUI.exe 1bce563f5e72b35bc1d2b0c9429c503b Trojan_PWS_Stealer Credential User Data Emotet Antivirus AsyncRAT backdoor SQLite Cookie Gen Browser Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser Advertising ComputerName DNS crashed
14 | http://mytoolsprivacy.site/downloads/privacytools3.exe - rule_id: 476 http://www.fddnice.pw/ - rule_id: 482 http://103.124.106.203/cof4/inst.exe - rule_id: 474 http://www.cncode.pw/ - rule_id: 481 http://whatitis.site/dlc/mixinte - rule_id: 472 http://aretywer.xyz/Corepad092.exe - rule_id: 477 http://www.fjzbqb.com/Home/Index/lkdinl - rule_id: 483 http://file.ekkggr3.com/iuww/jvppp.exe - rule_id: 475 http://188.93.233.223/proxy1.exe - rule_id: 473 https://iplogger.org/1Gbzj7 https://iplogger.org/1ixtu7 https://iplogger.org/1iPtu7 https://pastebin.com/raw/mH2EJxkv - rule_id: 469 https://iplogger.org/1hVa87
31 | digitalassets.ams3.digitaloceanspaces.com(5.101.110.225) - malware aretywer.xyz(45.144.30.78) - malware mytoolsprivacy.site(179.43.158.179) - malware jg3.3uag.pw() whatitis.site(92.63.99.163) - malware file.ekkggr3.com(104.21.66.169) - malware www.fddnice.pw(103.155.92.58) - mailcious iplogger.org(88.99.66.31) d0wnl0ads.online() - mailcious www.fjzbqb.com(188.225.87.175) - mailcious pastebin.com(104.23.98.190) - mailcious www.cncode.pw(144.202.76.47) - mailcious msiamericas.com(141.136.39.190) www.yzxjgr.com(103.155.92.70) - malware www.investinae.com(108.167.143.77) 92.63.99.163 - malware 172.67.162.110 - malware 103.155.92.70 - malware 188.93.233.223 - malware 103.124.106.203 - malware 88.99.66.31 - mailcious 141.136.39.190 104.23.99.190 - mailcious 179.43.158.179 - malware 45.144.30.78 - malware 144.202.76.47 188.225.87.175 - mailcious 5.101.110.225 - malware 103.155.92.58 - mailcious 45.133.1.139 - malware 108.167.143.77
10 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.pw domain - Likely Hostile ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO HTTP Request to a *.pw domain
10 | http://mytoolsprivacy.site/downloads/privacytools3.exe http://www.fddnice.pw/ http://103.124.106.203/cof4/inst.exe http://www.cncode.pw/ http://whatitis.site/dlc/mixinte http://aretywer.xyz/Corepad092.exe http://www.fjzbqb.com/Home/Index/lkdinl http://file.ekkggr3.com/iuww/jvppp.exe http://188.93.233.223/proxy1.exe https://pastebin.com/raw/mH2EJxkv
21.4 | M | 35 | ZeroCERT
6384 | 2021-03-22 19:49 | askinstall28.exe 06035c751a095a6cbcd82229c8df63f9 Trojan_PWS_Stealer Credential User Data Emotet Antivirus AsyncRAT backdoor SQLite Cookie Gen Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
4 | http://www.cncode.pw/ - rule_id: 481 http://www.fjzbqb.com/Home/Index/lkdinl - rule_id: 483 http://www.fddnice.pw/ - rule_id: 482 https://iplogger.org/1Gbzj7
8 | iplogger.org(88.99.66.31) www.fjzbqb.com(188.225.87.175) - mailcious www.fddnice.pw(103.155.92.58) - mailcious www.cncode.pw(144.202.76.47) - mailcious 88.99.66.31 - mailcious 144.202.76.47 188.225.87.175 - mailcious 103.155.92.58 - mailcious
3 | ET DNS Query to a *.pw domain - Likely Hostile ET INFO HTTP Request to a *.pw domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3 | http://www.cncode.pw/ http://www.fjzbqb.com/Home/Index/lkdinl http://www.fddnice.pw/
11.6 | M | 33 | ZeroCERT
6385 | 2021-03-23 07:47 | 44277.6991231482.dat 9899291ba05ceb1414f53a323bd81bc0 IcedID Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName DNS
3 | http://azorropulseee.fun/ https://oktavius34flo.website/news/1/255/0 https://aws.amazon.com/
7 | azorropulseee.fun(167.172.240.248) aws.amazon.com(13.225.123.73) oktavius34flo.website(162.243.164.215) littleshitthu.space(162.243.164.215) 162.243.164.215 99.86.203.73 167.172.240.248
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET MALWARE Win32/IcedID Requesting Encoded Binary M4
|
4.2 | | | ZeroCERT
6386 | 2021-03-23 07:54 | income.exe b2ab5d8639c89d42acbdc362b86aca91 AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
1 | http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html - rule_id: 462
2 | liverpoolsupporters9.com(104.21.88.100) - mailcious 172.67.176.78
|
1 | http://liverpoolsupporters9.com/liverpool-fc-news/
13.8 | M | 13 | ZeroCERT
6387 | 2021-03-23 07:56 | http://185.250.148.252/44277.6... VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
|
2 | 162.243.164.215 185.250.148.252
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
5.2 | | | guest
6388 | 2021-03-23 08:07 | http://195.242.110.126/2021/Ms... de6717de7bd1daa595c0b00887c25f05 VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
1 | http://195.242.110.126/2021/MsWord.exe
1 |
5 | ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
5.6 | | 35 | ZeroCERT
6389 | 2021-03-23 08:26 | IMG_501_76_1775.pdf b7b4beb6f830ff790cf1f21015cf92d6 Antivirus AsyncRAT backdoor Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
2 | http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8C78FEF9D7DEEA83DEC8531E2C59D886.html - rule_id: 462 http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-29CD977A7A361AF2606F27C6B01DEE59.html - rule_id: 462
3 | liverpoolsupporters9.com(104.21.88.100) - mailcious 87.251.79.157 - mailcious 172.67.176.78
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
2 | http://liverpoolsupporters9.com/liverpool-fc-news/ http://liverpoolsupporters9.com/liverpool-fc-news/
16.2 | M | 19 | ZeroCERT
6390 | 2021-03-23 10:32 | rl8.exe 5ab10b180aca215ff3af5ec0e0e00b87 Malware download Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities suspicious process sandbox evasion Kovter Windows ComputerName DNS
1 | https://35.166.81.240/waters/travel/new21
2 |
2 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
|
11.4 | | 3 | ZeroCERT