6391 | 2021-03-23 10:33
File: rldr.exe
MD5: 4cf6fb8514073319e7759b4f66d13f08
Tags: Emotet Gen Dridex TrickBot VirusTotal Malware AutoRuns Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities sandbox evasion Kovter Windows ComputerName Remote Code Execution DNS crashed
URLs (1):
  https://3.137.152.31/australia/tours/2021/allinclusive
Domains/IPs (1): [not listed]
IDS alerts (1):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
8.8 | | 15 | ZeroCERT

6392 | 2021-03-23 10:39
File: DIqMUyT98Untp5QhexOCjQdS.exe
MD5: e038387f7b4b7880c48d225db4b769d2
Tags: Glupteba Emotet Gen Malicious Library AsyncRAT backdoor VirusTotal Malware Buffer PE AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Advertising ComputerName DNS crashed
URLs (8):
  http://file.ekkggr3.com/iuww/jvppp.exe - rule_id: 475
  http://188.93.233.223/proxy1.exe - rule_id: 473
  http://whatitis.site/dlc/mixinte - rule_id: 472
  http://103.124.106.203/cof4/inst.exe - rule_id: 474
  https://iplogger.org/1ixtu7
  https://iplogger.org/1lA5k
  https://pastebin.com/raw/mH2EJxkv - rule_id: 469
  https://iplogger.org/1hVa87
Domains/IPs (21):
  digitalassets.ams3.digitaloceanspaces.com(5.101.110.225) - malware
  aretywer.xyz(45.144.30.78) - malware
  mytoolsprivacy.site() - malware
  jg3.3uag.pw()
  whatitis.site(193.38.55.33) - malware
  iplogger.org(88.99.66.31)
  d0wnl0ads.online() - malicious
  pastebin.com(104.23.99.190) - malicious
  file.ekkggr3.com(104.21.66.169) - malware
  msiamericas.com(141.136.39.190)
  www.investinae.com(108.167.143.77)
  188.93.233.223 - malware
  103.124.106.203 - malware
  88.99.66.31 - malicious
  141.136.39.190
  104.23.99.190 - malicious
  45.144.30.78 - malware
  193.38.55.33
  5.101.110.225 - malware
  104.21.66.169
  108.167.143.77
IDS alerts (9):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  ET DNS Query to a *.pw domain - Likely Hostile
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (5):
  http://file.ekkggr3.com/iuww/jvppp.exe
  http://188.93.233.223/proxy1.exe
  http://whatitis.site/dlc/mixinte
  http://103.124.106.203/cof4/inst.exe
  https://pastebin.com/raw/mH2EJxkv
14.4 | M | 23 | ZeroCERT

6393 | 2021-03-23 10:39
File: IMG_251_45_013.pdf
MD5: df3588fb9997696586162288ec739a17
Tags: Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (5):
  http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C78BD7CD35DADE3CF28759182F2D653.html - rule_id: 462
  http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-594CCBFE44C1311D20FD1B50EFE25190.html - rule_id: 462
  http://checkip.dyndns.org/
  http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1C0077676695468E0E32CA103B3D6E8C.html - rule_id: 462
  https://freegeoip.app/xml/175.208.134.150
Domains/IPs (6):
  liverpoolsupporters9.com(104.21.88.100) - malicious
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(216.146.43.70)
  216.146.43.71
  104.21.88.100 - malicious
  104.21.19.200
IDS alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
Rule-matched URLs (3):
  http://liverpoolsupporters9.com/liverpool-fc-news/
  http://liverpoolsupporters9.com/liverpool-fc-news/
  http://liverpoolsupporters9.com/liverpool-fc-news/
15.8 | M | 24 | ZeroCERT

6394 | 2021-03-23 10:39
File: zl4dyjvt8.tar
MD5: d7e3c61a647a8cc25c54647c159b2f1a
Tags: Gen VirusTotal Malware PDB unpack itself
1.0 | | 8 | ZeroCERT

6395 | 2021-03-23 10:39
File: qzlz9s.zip
MD5: 9a469c52c37fe47d2c22902d870ce2b4
Tags: Gen VirusTotal Malware PDB unpack itself
1.2 | | 11 | ZeroCERT

6396 | 2021-03-23 10:40
File: ji2szm.zip
MD5: 6ee887226bf4ba5e4687b903b7e55320
Tags: Gen VirusTotal Malware PDB unpack itself
1.0 | | 7 | ZeroCERT

6397 | 2021-03-23 10:41
File: 44277.4984482639.dat
MD5: 826b1495edfab5462ab1947feba71821
Tags: Check memory Checks debugger unpack itself
Domains/IPs (1):
  aws.amazon.com(13.225.123.73)
0.8 | | | ZeroCERT

6398 | 2021-03-23 10:41
File: IMG_50_70_66301.pdf
MD5: 01668f2d2ad79b219ed7a70eb570aa82
Tags: Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-03215375E16F2F882FD636847597D069.html - rule_id: 462
  http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C8A9B590352BD9C6D2E64B3D14C088F9.html - rule_id: 462
  http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-00ABB4FDC5DE2B65AF1BB30260F3DCA2.html - rule_id: 462
Domains/IPs (2):
  liverpoolsupporters9.com(172.67.176.78) - malicious
  104.21.88.100 - malicious
Rule-matched URLs (3):
  http://liverpoolsupporters9.com/liverpool-fc-news/
  http://liverpoolsupporters9.com/liverpool-fc-news/
  http://liverpoolsupporters9.com/liverpool-fc-news/
15.2 | M | 36 | ZeroCERT

6399 | 2021-03-23 10:41
File: 44277.6770474537.dat
MD5: 28cd5aaa2b9e71078210bd3bccbdf935
Tags: Check memory Checks debugger unpack itself DNS
Domains/IPs (1): [not listed]
1.4 | | | ZeroCERT

6400 | 2021-03-23 10:41
File: 44277.6770474537.dat
MD5: 57516c64b702f7c7a61a31d81c685575
Tags: Check memory Checks debugger unpack itself Tofsee
Domains/IPs (2):
  aws.amazon.com(13.225.123.73)
  13.225.123.73
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
0.8 | | | ZeroCERT

6401 | 2021-03-23 10:44
File: 44277.730641088.dat
MD5: 8fd8de6608974999b4ed1b216651ae3e
Tags: Check memory Checks debugger unpack itself Tofsee
Domains/IPs (2):
  aws.amazon.com(13.225.123.73)
  13.225.123.73
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
0.8 | M | | ZeroCERT

6402 | 2021-03-23 10:44
File: e3.exe
MD5: acef650d85a7f1e7a9420b74f583d25b
Tags: Dridex TrickBot VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself Windows utilities sandbox evasion Kovter Windows ComputerName DNS crashed
URLs (1):
  https://3.137.152.31/australia/tours/2021/allinclusive
Domains/IPs (2):
  3.137.152.31
  167.172.240.248 - malicious
IDS alerts (1):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
6.4 | M | 6 | ZeroCERT

6403 | 2021-03-23 10:44
File: grays.gif
MD5: 22f52089fd030b5f2c096631a61d5e01
Tags: VirusTotal Malware Check memory Checks debugger unpack itself
Domains/IPs (2):
  aws.amazon.com(13.225.123.73)
  13.225.123.73
1.4 | | 11 | ZeroCERT

6404 | 2021-03-23 10:45
File: sd5ers2.exe
MD5: 12f16a39380db2f9b404581cb07253ab
Tags: VirusTotal Malware crashed
0.8 | M | 12 | ZeroCERT

6405 | 2021-03-23 10:45
File: e1.exe
MD5: a488537f1d95f3cbd78790059dd13bcf
Tags: VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files ICMP traffic Windows utilities sandbox evasion Windows ComputerName DNS crashed
Domains/IPs (2): [not listed]
6.6 | M | 26 | ZeroCERT