6481 | 2021-03-24 16:33 | lv.exe 7fb4bc02c317b69c178833f4af693b75 Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Windows ComputerName Firmware crashed | 1 | 4: iLzeDyTgvR.iLzeDyTgvR(); rgRZxLIUbSUAgHDjT.rgRZxLIUbSUAgHDjT(); ip-api.com(208.95.112.1); 208.95.112.1 | 1: ET POLICY External IP Lookup ip-api.com | 9.0 | M | 55 | 조광섭
6482 | 2021-03-24 17:14 | lv.exe 7fb4bc02c317b69c178833f4af693b75 Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Windows ComputerName Firmware crashed | 1 | 4: iLzeDyTgvR.iLzeDyTgvR(); rgRZxLIUbSUAgHDjT.rgRZxLIUbSUAgHDjT(); ip-api.com(208.95.112.1); 208.95.112.1 | 1: ET POLICY External IP Lookup ip-api.com | 9.0 | M | 55 | 조광섭
6483 | 2021-03-24 17:36 | lv.exe 7fb4bc02c317b69c178833f4af693b75 Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Windows ComputerName Firmware crashed | 1 | 4: iLzeDyTgvR.iLzeDyTgvR(); rgRZxLIUbSUAgHDjT.rgRZxLIUbSUAgHDjT(); ip-api.com(208.95.112.1); 208.95.112.1 | 1: ET POLICY External IP Lookup ip-api.com | 9.0 | M | 55 | 조광섭
6484 | 2021-03-24 18:01 | lv.exe 7fb4bc02c317b69c178833f4af693b75 Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Windows ComputerName Firmware crashed | 1 | 4: iLzeDyTgvR.iLzeDyTgvR(); rgRZxLIUbSUAgHDjT.rgRZxLIUbSUAgHDjT(); ip-api.com(208.95.112.1); 208.95.112.1 | 1: ET POLICY External IP Lookup ip-api.com | 9.0 | M | 55 | 조광섭
6485 | 2021-03-24 18:26 | local.exe a47ec9f34b89e5cd0431b32a299579f9 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key | | | | 8.6 | M | 36 | ZeroCERT
6486 | 2021-03-24 18:26 | redbutton.png 021b3c4f43ecf8719fcca871a483767b Gen Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed | 1: https://50.208.68.153/tot66/TEST22-PC_W617601.5B121BBE4D719ABFFBB8DF57BCBB9815/5/kps/ | 4: 50.208.68.153; 98.6.253.142; 162.155.225.130; 24.153.175.236 | 2: ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | 5.2 | | | ZeroCERT
6487 | 2021-03-24 18:28 | edgjpx01.zip 32223f9414898d30c0e67ddb00495cb7 VirusTotal Malware | | | | 0.8 | M | 23 | ZeroCERT
6488 | 2021-03-24 18:31 | konko.exe 414336afee7e93cb70df4b5f250a01c4 VirusTotal Malware DNS | | | | 2.2 | M | 25 | ZeroCERT
6489 | 2021-03-24 18:32 | winlog.exe d9902307e68c63e1599c4ab0cde18395 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder sandbox evasion | 22: http://www.somht.com/m2be/?5j=ifCDsBLIuITK+LGSwbP7ucLsNIzdB7eAVKli539gxau1WIOKSQQ2NauSUkeMIVDcyV1m1TuN&vTdDF=LJBx; http://www.owenvilla.com/m2be/?5j=9MJgJOZDJA3TPaRtVbh3/QgzrkQO30oUQC8dTS2K5U7tDXejglnmOj63KyFKCnfDQBByNDZH&vTdDF=LJBx; http://www.sacoriverdisc.com/m2be/?5j=ni13qwl9oMnUm3AiByeM5YGjna+9B5CzzJ95XBDUHLeeP+pLbXhBG4DTpcgD6zwUbtWdjwRd&vTdDF=LJBx; http://www.farmlifeonline.com/m2be/?5j=qmptEaLZrCzS8wGV+R6pyc9mStVJoqHtYTC/PAKTttcbO+kuOz821rn3eyW9LbBVjAUdJFnh&vTdDF=LJBx; http://www.bachsimplicity.com/m2be/; http://www.sevenstepstohappy.co.uk/m2be/; http://www.thankyoumatcha.net/m2be/; http://www.capacitaciondelfuturo.com/m2be/?5j=JuGytuw2VxfQte3rKPqxcSs+eAHRIhMzmgi2qjF3W//4E0tsyJg/EsiU7NhRUhyD34G08D0/&vTdDF=LJBx; http://www.lift-stock.xyz/m2be/; http://www.comercializadorajufe.com/m2be/?5j=+kbzAelfZERNulRwMMR+/Vs+88ma9PewxXeB5x6OR7C0tusCGMEYKavTgVfuH78Snsyt7Egy&vTdDF=LJBx; http://www.farmlifeonline.com/m2be/; http://www.somht.com/m2be/; http://www.cvacity.info/m2be/; http://www.thankyoumatcha.net/m2be/?5j=ZadijtmLOkRVx6DCimWDe8SzeYYqpqHuxDl3vrR6BTBAwVnBK2gYa4n7L5K8u3Q1Zwic/vgO&vTdDF=LJBx; http://www.lift-stock.xyz/m2be/?5j=dMV2iwLv44rMDc0Xy84MzFm30KDXXOa0l2JKNLHLNmPZS87ONfOEjN7Xl+rlLynxknxX5ftn&vTdDF=LJBx; http://www.bachsimplicity.com/m2be/?5j=xrbmytv2xUVmSvMzdbroGQwspeoDnbTi2rZvbqTMTzC9e05HRkzmYXtexDpha4skvPZC1Tmx&vTdDF=LJBx; http://www.cvacity.info/m2be/?5j=+ymgIVB8UjLw7GnSCSTG+4Qmonnd1NOjLVf+OJhKsAnFyz+U37p2kLcdnoXMrt5J42Ufd+P7&vTdDF=LJBx; http://www.sacoriverdisc.com/m2be/; http://www.capacitaciondelfuturo.com/m2be/; http://www.sevenstepstohappy.co.uk/m2be/?5j=8TGzqWDl7PaPmTVvDtvqhODOTjAAtr8xONuQ5BTUnlorI9+IESwVjKVVX1fuZDRWAC7K+zRz&vTdDF=LJBx; http://www.comercializadorajufe.com/m2be/; http://www.owenvilla.com/m2be/ | 23: www.sacoriverdisc.com(34.102.136.180); www.comercializadorajufe.com(34.102.136.180); www.dtzuixianya.com(); www.somht.com(172.106.71.28); www.ponsatv.com(); www.farmlifeonline.com(34.102.136.180); www.owenvilla.com(23.227.38.65); www.cvacity.info(62.149.128.40); www.thankyoumatcha.net(34.102.136.180); www.capacitaciondelfuturo.com(172.67.161.235); www.cvhrcm.com(); www.bachsimplicity.com(198.100.154.154); www.sevenstepstohappy.co.uk(34.80.190.141); www.joncxvplw.com(); www.lift-stock.xyz(150.95.255.38); 198.100.154.154; 23.227.38.65 - phishing; 62.149.128.40 - mailcious; 34.102.136.180 - mailcious; 150.95.255.38 - mailcious; 104.21.15.71; 34.80.190.141 - mailcious; 172.106.71.28 | 2: ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers | 5.8 | M | 25 | ZeroCERT
6490 | 2021-03-24 18:33 | 1090804085.exe 4920169cae3b94797609bcf4d6bc5df4 AsyncRAT backdoor VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key crashed | 1: https://i.worldhello.ru/SystemCodeDomCodeNamespaceImports | 3: i.worldhello.ru(81.177.140.169); 88.198.3.5; 81.177.140.169 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 11.4 | M | 19 | ZeroCERT
6491 | 2021-03-24 18:35 | ephost.exe 37b8f7b7e87d094474f76d5b8ca10d11 VirusTotal Malware unpack itself | | | | 2.0 | | 18 | ZeroCERT
6492 | 2021-03-25 07:07 | https://docs.google.com/uc?id=... 108ecf579a7c6f931d9d759ff63ca8ab Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit Advertising Google DNS crashed | 2: https://docs.google.com/uc?id=1R3TeqJQZQ-HPbj8ucMHoPixXDYmCuzmh; https://doc-0c-4o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/dkmsdqnsu7tk3l9vkd9s73dkgshbmq2b/1616623425000/17310870271488346433/*/1R3TeqJQZQ-HPbj8ucMHoPixXDYmCuzmh | 4: doc-0c-4o-docs.googleusercontent.com(216.58.197.193); docs.google.com(172.217.161.78) - mailcious; 172.217.31.238 - suspicious; 142.250.199.65 | 2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | 4.6 | | 2 | guest
6493 | 2021-03-25 07:52 | merit.php 2ae20b49ac0c8f59eaca5e08a319892c Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed | 1: https://98.6.253.142/rob36/TEST22-PC_W617601.BB93B93366FF71F673BF0BB3D37F9F3F/5/kps/ | 7: 70.119.220.241; 67.212.241.127; 67.79.117.70; 173.219.76.169; 98.6.253.142; 72.164.254.204; 174.105.236.140 | 2: ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | 6.4 | | 13 | ZeroCERT
6494 | 2021-03-25 08:13 | cmd.exe dfd05213e529c75e78fc9ccb31acaf4c Glupteba VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed | | | | 3.0 | M | 32 | ZeroCERT
6495 | 2021-03-25 09:14 | retrsd25.exe 78388676e1ebde4576357c3727a51787 VirusTotal Malware unpack itself crashed | | | | 1.6 | | 27 | ZeroCERT