6601 | 2021-03-29 14:05 | musteri.exe | MD5 c64253856d7af67fb3a75fe2cfcffd09
    Tags: VirusTotal, Malware, PDB, Check memory, RWX flags setting, unpack itself
    URLs: none
    Hosts: none
    Suricata alerts: none
    Score 2.0 | Flag - | VT detections 20 | Submitter guest
6602 | 2021-03-29 14:05 | musteri.exe | MD5 c64253856d7af67fb3a75fe2cfcffd09
    Tags: VirusTotal, Malware, PDB, Check memory, RWX flags setting, unpack itself, DNS
    URLs (1):
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    Hosts: none
    Suricata alerts: none
    Score 2.6 | Flag - | VT detections 20 | Submitter guest
6603 | 2021-03-29 14:06 | musteri.exe | MD5 c64253856d7af67fb3a75fe2cfcffd09
    Tags: VirusTotal, Malware, PDB, unpack itself
    URLs (2):
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    Hosts: none
    Suricata alerts: none
    Score 1.4 | Flag - | VT detections 20 | Submitter guest
6604 | 2021-03-29 14:07 | musteri.exe | MD5 c64253856d7af67fb3a75fe2cfcffd09
    Tags: VirusTotal, Malware, PDB, Check memory, RWX flags setting, unpack itself
    URLs (2):
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    Hosts: none
    Suricata alerts: none
    Score 2.0 | Flag - | VT detections 20 | Submitter guest
6605 | 2021-03-29 14:22 | results | MD5 99c3d484c74f3595e7e5c1940f75a76e
    Tags: Email Client Info Stealer, Malware, Code Injection, Malicious Traffic, Check memory, Checks debugger, unpack itself, Tofsee, Windows, Browser, Email, DNS
    URLs (2):
        http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
        https://update.googleapis.com/service/update2?cup2key=10:1406602533&cup2hreq=b4a4aa0bb84680f4c7628593531edebc96b8e3a1761733fc1aad09c2de38a3c1
    Hosts (2): edgedl.gvt1.com (142.250.34.2), 142.250.34.2
    Suricata alerts (3):
        ET POLICY PE EXE or DLL Windows file download HTTP
        ET INFO EXE - Served Attached HTTP
        SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    Score 4.8 | Flag - | VT detections - | Submitter guest
6606 | 2021-03-29 17:54 | PO_7201_60_74.pdf | MD5 83c01f327b9dad9768ca0e9703d4e34a
    Tags: Antivirus, AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, WriteConsoleW, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software crashed
    URLs (5):
        http://x11fdf4few8f41f.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-82AE3B94C6E640BFD8A2B1B55E28013A.html - rule_id: 555
        http://x11fdf4few8f41f.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E5BB09F553C565796734AD4DA3E77A8F.html - rule_id: 555
        http://checkip.dyndns.org/
        http://x11fdf4few8f41f.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FD2733653B32ACA3398F03021115FCB5.html - rule_id: 555
        https://freegeoip.app/xml/175.208.134.150
    Hosts (6): freegeoip.app (104.21.19.200), x11fdf4few8f41f.com (104.21.73.19) - malicious, checkip.dyndns.org (131.186.161.70), 104.21.73.19, 172.67.188.154, 131.186.161.70
    Suricata alerts (4):
        ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
        SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
        ET POLICY External IP Lookup - checkip.dyndns.org
        ET POLICY DynDNS CheckIp External IP Address Server Response
    Rule-matched URLs (3): http://x11fdf4few8f41f.com/liverpool-fc-news/ (x3)
    Score 15.6 | Flag M | VT detections 19 | Submitter ZeroCERT
6607 | 2021-03-29 17:55 | winlog.exe | MD5 7f675ad4beeabb7fd62a9750a499570e
    Tags: FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, sandbox evasion, DNS
    URLs (12):
        http://www.estiqama.net/m2be/
        http://www.watchtofree.com/m2be/?CP=fyr+10g42Gqxc1oP4g7nbJJjJa6bzqp1uVFWcWZ7TIWPIKq1SSOIdiXCTiFl6Dc22E4QladY&nN=Sxl0iBepVBODj
        http://www.watchtofree.com/m2be/
        http://www.hipnoseportugal.com/m2be/?CP=fyh/eIcWLzHdYVM4fMwwrsLD1ZW7Cr5WD4M+TzD/IfsF8P4vWPBgWGXIMzfqNHcT0XPQNNXV&nN=Sxl0iBepVBODj
        http://www.thinkcleanedu.com/m2be/?CP=Ycau8pAj/XaNEeATzdMxYV0HLSZZWx/92SzWGcEh6T05SXoe0LDAvqh/0eNxBCokjSO13ed1&nN=Sxl0iBepVBODj
        http://www.estiqama.net/m2be/?CP=Qo4KD+5hT4eOQLFCwLb4LDUCpH7heJjKIRzr1jRkVgQp+XrEPJL9m+CmGxW3caf4Gouz1Gdq&nN=Sxl0iBepVBODj
        http://www.aeo2.net/m2be/
        http://www.aingline.com/m2be/
        http://www.hipnoseportugal.com/m2be/
        http://www.aingline.com/m2be/?CP=/cx1WigI5eNaC6i34KXME6WD5Ct7TvaQWlf5eu0+0EgzxF3BEesPFAZQYDHHoJuM8x1hM5KR&nN=Sxl0iBepVBODj
        http://www.thinkcleanedu.com/m2be/
        http://www.aeo2.net/m2be/?CP=QAnod8LT1llQdxTrzzR37y2wBLdATPFFotOpszExPVQzgQdQkGKfb27zuJKRnWl89FGWsp7C&nN=Sxl0iBepVBODj
    Hosts (26): www.somht.com (172.106.71.28), www.aeo2.net (23.82.12.30), www.hipnoseportugal.com (204.11.56.48), www.fabulousfalafel.com (unresolved), www.estiqama.net (162.241.226.91), www.thinkcleanedu.com (107.180.4.11), www.rakkuteno.icu (unresolved), www.cvacity.info (62.149.128.40), www.capacitaciondelfuturo.com (104.21.15.71), www.aingline.com (119.59.120.8), www.bachsimplicity.com (198.100.154.154), www.sevenstepstohappy.co.uk (34.80.190.141), www.watchtofree.com (185.107.56.197), www.signi-notifcation.com (unresolved), www.verratjewelry.com (unresolved), 198.100.154.154 - malicious, 212.32.237.92 - suspicious, 62.149.128.40 - malicious, 119.59.120.8 - malicious, 162.241.226.91 - malicious, 104.21.15.71 - malicious, 107.180.4.11, 34.80.190.141 - malicious, 204.11.56.48 - phishing, 82.192.82.228, 172.106.71.28 - malicious
    Suricata alerts (2):
        ET MALWARE FormBook CnC Checkin (GET)
        ET INFO DNS Query for Suspicious .icu Domain
    Score 4.6 | Flag M | VT detections 7 | Submitter ZeroCERT
6608 | 2021-03-29 17:56 | 745584778.js | MD5 65f5e916c44ce0e15b66dc940c1e70c1
    Tags: Malware, AutoRuns, Creates executable files, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName
    URLs (2):
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    Hosts: none
    Suricata alerts: none
    Score 5.0 | Flag - | VT detections - | Submitter guest
6609 | 2021-03-29 17:56 | winlog.exe | MD5 c7412ea19bbb688a8cfc8ee443e900f4
    Tags: Azorult, .NET framework, AsyncRAT backdoor, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
    URLs (2):
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    Hosts: none
    Suricata alerts: none
    Score 10.6 | Flag - | VT detections - | Submitter ZeroCERT
6610 | 2021-03-29 17:57 | winlog.exe | MD5 4b7075ac72e26465423a8f25a5e5cc35
    Tags: FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself, Windows utilities, AppData folder, sandbox evasion, Windows, DNS
    URLs (16):
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
        http://www.hayalimofen.net/jzvu/
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
        http://www.spinningx.com/jzvu/
        http://www.cnhongzu.com/jzvu/?kHQ4=GbBZQ5JSHKPN0Thvfcr2a87+8xvJQA3P+rHV31dwg11RX4R8Kdu6q017I+Cr/VI4IAcfua7i&D81h=O2MHdPkXY
        http://www.xyfs360.com/jzvu/
        http://www.cnhongzu.com/jzvu/
        http://www.xyfs360.com/jzvu/?kHQ4=SsJi3DmCZMOCIuo9rHb6Fhk8/FNFWB1mneTVaX60PK9iWrXknIctgU7m1mqKu0v6MtwAyYPJ&D81h=O2MHdPkXY
        http://www.fountainhead410.com/jzvu/
        http://www.theflesolay.com/jzvu/
        http://www.hayalimofen.net/jzvu/?kHQ4=gLspv24Ftz5x3R/96yjNvLE0MxLLFqE11/KuZvUAhEY3T0n4VwWgZQVJILrGSeInenzMI/x6&D81h=O2MHdPkXY
        http://www.spinningx.com/jzvu/?kHQ4=QrbCyR+ny4V8BXL60BlxjH8G+EQuqcrIrt7PFyf9KPEYwwWsqh7Cnrz6YmkpvFX+Zn+6K1dr&D81h=O2MHdPkXY
        http://www.fountainhead410.com/jzvu/?kHQ4=gPJmkLd5Iumt7+/kXloFFkASjT6JhxFOIwMVszm/38cgqTBuSKrIjhSH0WtLGx7FJukKw9E+&D81h=O2MHdPkXY
        http://www.fionafrenchic.com/jzvu/?kHQ4=tjq8apEvNPOX7WXKiwDumaYegZKxjePbMe9bdlBbdr52bXYbP0a6PSNfBlGDx9F2KDLKphwM&D81h=O2MHdPkXY
        http://www.fionafrenchic.com/jzvu/
        http://www.theflesolay.com/jzvu/?kHQ4=wIcuRrOnv+oUag4Twmrtuvhrxt2CMlpwUGrAnij+KJOReM/QwbT5AkOAlKhIJqC19xE8EW23&D81h=O2MHdPkXY
    Hosts (25): www.theflesolay.com (66.96.162.144), www.adassadelacruz.com (198.185.159.144), www.kundanbangles.com (unresolved) - malicious, www.spinningx.com (198.185.159.145), www.cnhongzu.com (156.241.53.137), www.technicaljanu.com (154.219.150.138), www.maquinagsmlb.net (98.124.204.16), www.fionafrenchic.com (23.227.38.74), www.6116merrittdrive.com (75.2.89.28), www.hayalimofen.net (109.232.217.72), www.xyfs360.com (156.235.228.19), www.disinfectmylawofficeindy.com (104.16.14.194), www.fountainhead410.com (34.102.136.180), 156.235.228.19, 98.124.204.16 - malicious, 66.96.162.144, 75.2.89.28 - malicious, 154.219.150.138 - malicious, 34.102.136.180 - malicious, 109.232.217.72, 104.16.16.194 - malicious, 23.227.38.74 - malicious, 198.185.159.145 - malicious, 198.185.159.144 - malicious, 156.241.53.137
    Suricata alerts (1):
        ET MALWARE FormBook CnC Checkin (GET)
    Score 8.0 | Flag M | VT detections 10 | Submitter ZeroCERT
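Two things in the URL columns of these records are easy to misread when the list is pasted into a blocklist. First, http://192.168.56.103:2869/upnphost/udhisapi.dll?... and http://192.168.56.103:5357/<guid>/ appear in nearly every record: port 2869 is the Windows UPnP Device Host and 5357 is WSDAPI, so this is the analysis VM talking to itself, not an indicator. Second, the FormBook records (6607, 6610) request one path token (/m2be/, /jzvu/) on many unrelated domains, each with a long changing parameter and one short parameter whose value is identical on every domain (nN=Sxl0iBepVBODj, D81h=O2MHdPkXY). The Python below is an added example, not code from the listing or the sandbox behind it: it drops the local noise, then clusters the remaining URLs by first path segment and reports any cluster that spans several domains together with the query parameters that stay constant across them. The sample input is constructed from URLs copied out of records 6605, 6607 and 6610; the three-domain threshold is an arbitrary choice for the example.

```python
"""Triage the URL column of a sandbox result listing (added example).

Drops sandbox-local URLs (host is a non-global address literal), then groups
the rest by first path token and flags groups that hit several domains with
a query parameter whose value never changes: the FormBook check-in pattern
visible in records 6607 and 6610 above.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: URLs copied from records 6605, 6607 and 6610.
SAMPLE_URLS = [
    # local sandbox noise present in most records (UPnP host / WSDAPI)
    "http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3",
    "http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/",
    # record 6605: Google Update download, one domain only
    "http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe",
    # record 6607: FormBook check-ins under /m2be/
    "http://www.estiqama.net/m2be/",
    "http://www.estiqama.net/m2be/?CP=Qo4KD+5hT4eOQLFCwLb4LDUCpH7heJjKIRzr1jRkVgQp+XrEPJL9m+CmGxW3caf4Gouz1Gdq&nN=Sxl0iBepVBODj",
    "http://www.watchtofree.com/m2be/?CP=fyr+10g42Gqxc1oP4g7nbJJjJa6bzqp1uVFWcWZ7TIWPIKq1SSOIdiXCTiFl6Dc22E4QladY&nN=Sxl0iBepVBODj",
    "http://www.aeo2.net/m2be/?CP=QAnod8LT1llQdxTrzzR37y2wBLdATPFFotOpszExPVQzgQdQkGKfb27zuJKRnWl89FGWsp7C&nN=Sxl0iBepVBODj",
    # record 6610: FormBook check-ins under /jzvu/
    "http://www.hayalimofen.net/jzvu/?kHQ4=gLspv24Ftz5x3R/96yjNvLE0MxLLFqE11/KuZvUAhEY3T0n4VwWgZQVJILrGSeInenzMI/x6&D81h=O2MHdPkXY",
    "http://www.spinningx.com/jzvu/?kHQ4=QrbCyR+ny4V8BXL60BlxjH8G+EQuqcrIrt7PFyf9KPEYwwWsqh7Cnrz6YmkpvFX+Zn+6K1dr&D81h=O2MHdPkXY",
    "http://www.xyfs360.com/jzvu/",
]


def is_sandbox_local(url: str) -> bool:
    """True when the URL host is a literal non-global address (RFC 1918, loopback, link-local)."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name, not an address literal


def first_path_token(url: str) -> str:
    """'/m2be/?CP=...' -> 'm2be'; '' when the path is empty or just '/'."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return parts[0] if parts else ""


def cluster_by_path(urls, min_domains: int = 3) -> dict:
    """Group non-local URLs by first path token; keep groups spanning >= min_domains hosts.

    Returns {token: {"hosts": [...], "shared_params": {name: value}}}, where
    shared_params are the query parameters that carry the same value on every
    request in the group (the fixed token FormBook appends to each check-in).
    The min_domains threshold is an assumption of this example, not a rule
    from the sandbox.
    """
    groups = defaultdict(lambda: {"hosts": set(), "queries": []})
    for url in urls:
        if is_sandbox_local(url):
            continue
        token = first_path_token(url)
        if not token:
            continue
        parts = urlsplit(url)
        groups[token]["hosts"].add(parts.hostname)
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        if query:
            groups[token]["queries"].append(query)

    clusters = {}
    for token, g in groups.items():
        if len(g["hosts"]) < min_domains:
            continue
        shared = {}
        if g["queries"]:
            common = set.intersection(*(set(q) for q in g["queries"]))
            for name in sorted(common):
                values = {q[name] for q in g["queries"]}
                if len(values) == 1:
                    shared[name] = values.pop()
        clusters[token] = {"hosts": sorted(g["hosts"]), "shared_params": shared}
    return clusters


if __name__ == "__main__":
    noise = [u for u in SAMPLE_URLS if is_sandbox_local(u)]
    print(f"dropped {len(noise)} sandbox-local URL(s)")
    for token, info in cluster_by_path(SAMPLE_URLS).items():
        print(f"/{token}/ on {len(info['hosts'])} domains, fixed params {info['shared_params']}")
```

On the sample above this drops the two 192.168.56.103 URLs, ignores the single-domain Google Update download, and reports /m2be/ on three domains with nN fixed and /jzvu/ on three domains with D81h fixed; the per-request CP and kHQ4 values differ and are not reported. Applied to a full listing, the hosts in each cluster are the candidates worth blocking, while the shared parameter is a pivot for finding further samples of the same campaign.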
6611 | 2021-03-29 17:58 | xls.exe | MD5 c0615abb7bf663bed3b32f2c1b3808e1
    Tags: Azorult, .NET framework, AsyncRAT backdoor, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, unpack itself, Windows, DNS, Cryptographic key
    URLs (2):
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
    Hosts: none
    Suricata alerts: none
    Score 5.6 | Flag - | VT detections 15 | Submitter ZeroCERT
6612 | 2021-03-29 17:58 | jan11.exe | MD5 5368930e073889874745e520be58b06d
    Tags: AsyncRAT backdoor, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Ransomware, Windows, ComputerName, DNS, crashed, keylogger
    URLs: none
    Hosts (1):
    Suricata alerts: none
    Score 12.0 | Flag - | VT detections 14 | Submitter ZeroCERT
6613 | 2021-03-29 17:59 | 745584778.js | MD5 65f5e916c44ce0e15b66dc940c1e70c1
    Tags: Malware, AutoRuns, Creates executable files, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName
    URLs (3):
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
    Hosts: none
    Suricata alerts: none
    Score 5.0 | Flag - | VT detections - | Submitter ZeroCERT
6614 | 2021-03-29 18:00 | org.exe | MD5 53cbb91272801963c8a1939f01533edb
    Tags: Azorult, .NET framework, AsyncRAT backdoor, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
    URLs (2):
        http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
        http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    Hosts: none
    Suricata alerts: none
    Score 11.8 | Flag M | VT detections 13 | Submitter ZeroCERT
6615 | 2021-03-29 18:02 | OaZ1lioRycGNrN3.exe | MD5 283ebf143882c80ebe4f5f1d906546de
    Tags: AsyncRAT backdoor, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, crashed
    URLs: none
    Hosts: none
    Suricata alerts: none
    Score 12.0 | Flag M | VT detections 40 | Submitter ZeroCERT