| 6601 |
2021-03-29 14:05
|
 musteri.exe c64253856d7af67fb3a75fe2cfcffd09
VirusTotal Malware PDB Check memory RWX flags setting unpack itself |
|
|
|
|
2.0 |
|
20 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6602 |
2021-03-29 14:05
|
 musteri.exe c64253856d7af67fb3a75fe2cfcffd09
VirusTotal Malware PDB Check memory RWX flags setting unpack itself DNS |
1
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
2.6 |
|
20 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6603 |
2021-03-29 14:06
|
 musteri.exe c64253856d7af67fb3a75fe2cfcffd09
VirusTotal Malware PDB unpack itself |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
1.4 |
|
20 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6604 |
2021-03-29 14:07
|
 musteri.exe c64253856d7af67fb3a75fe2cfcffd09
VirusTotal Malware PDB Check memory RWX flags setting unpack itself |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
2.0 |
|
20 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6605 |
2021-03-29 14:22
|
 results 99c3d484c74f3595e7e5c1940f75a76e
Email Client Info Stealer Malware Code Injection Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows Browser Email DNS |
2
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:1406602533&cup2hreq=b4a4aa0bb84680f4c7628593531edebc96b8e3a1761733fc1aad09c2de38a3c1
|
2
edgedl.gvt1.com(142.250.34.2)
142.250.34.2
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6606 |
2021-03-29 17:54
|
 PO_7201_60_74.pdf 83c01f327b9dad9768ca0e9703d4e34a
Antivirus AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
5
http://x11fdf4few8f41f.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-82AE3B94C6E640BFD8A2B1B55E28013A.html - rule_id: 555
http://x11fdf4few8f41f.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E5BB09F553C565796734AD4DA3E77A8F.html - rule_id: 555
http://checkip.dyndns.org/
http://x11fdf4few8f41f.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FD2733653B32ACA3398F03021115FCB5.html - rule_id: 555
https://freegeoip.app/xml/175.208.134.150
|
6
freegeoip.app(104.21.19.200)
x11fdf4few8f41f.com(104.21.73.19) - mailcious
checkip.dyndns.org(131.186.161.70)
104.21.73.19
172.67.188.154
131.186.161.70
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
3
http://x11fdf4few8f41f.com/liverpool-fc-news/
http://x11fdf4few8f41f.com/liverpool-fc-news/
http://x11fdf4few8f41f.com/liverpool-fc-news/
|
15.6 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6607 |
2021-03-29 17:55
|
winlog.exe 7f675ad4beeabb7fd62a9750a499570eFormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder sandbox evasion DNS |
12
http://www.estiqama.net/m2be/
http://www.watchtofree.com/m2be/?CP=fyr+10g42Gqxc1oP4g7nbJJjJa6bzqp1uVFWcWZ7TIWPIKq1SSOIdiXCTiFl6Dc22E4QladY&nN=Sxl0iBepVBODj
http://www.watchtofree.com/m2be/
http://www.hipnoseportugal.com/m2be/?CP=fyh/eIcWLzHdYVM4fMwwrsLD1ZW7Cr5WD4M+TzD/IfsF8P4vWPBgWGXIMzfqNHcT0XPQNNXV&nN=Sxl0iBepVBODj
http://www.thinkcleanedu.com/m2be/?CP=Ycau8pAj/XaNEeATzdMxYV0HLSZZWx/92SzWGcEh6T05SXoe0LDAvqh/0eNxBCokjSO13ed1&nN=Sxl0iBepVBODj
http://www.estiqama.net/m2be/?CP=Qo4KD+5hT4eOQLFCwLb4LDUCpH7heJjKIRzr1jRkVgQp+XrEPJL9m+CmGxW3caf4Gouz1Gdq&nN=Sxl0iBepVBODj
http://www.aeo2.net/m2be/
http://www.aingline.com/m2be/
http://www.hipnoseportugal.com/m2be/
http://www.aingline.com/m2be/?CP=/cx1WigI5eNaC6i34KXME6WD5Ct7TvaQWlf5eu0+0EgzxF3BEesPFAZQYDHHoJuM8x1hM5KR&nN=Sxl0iBepVBODj
http://www.thinkcleanedu.com/m2be/
http://www.aeo2.net/m2be/?CP=QAnod8LT1llQdxTrzzR37y2wBLdATPFFotOpszExPVQzgQdQkGKfb27zuJKRnWl89FGWsp7C&nN=Sxl0iBepVBODj
|
26
www.somht.com(172.106.71.28)
www.aeo2.net(23.82.12.30)
www.hipnoseportugal.com(204.11.56.48)
www.fabulousfalafel.com()
www.estiqama.net(162.241.226.91)
www.thinkcleanedu.com(107.180.4.11)
www.rakkuteno.icu()
www.cvacity.info(62.149.128.40)
www.capacitaciondelfuturo.com(104.21.15.71)
www.aingline.com(119.59.120.8)
www.bachsimplicity.com(198.100.154.154)
www.sevenstepstohappy.co.uk(34.80.190.141)
www.watchtofree.com(185.107.56.197)
www.signi-notifcation.com()
www.verratjewelry.com()
198.100.154.154 - mailcious
212.32.237.92 - suspicious
62.149.128.40 - mailcious
119.59.120.8 - mailcious
162.241.226.91 - mailcious
104.21.15.71 - mailcious
107.180.4.11
34.80.190.141 - mailcious
204.11.56.48 - phishing
82.192.82.228
172.106.71.28 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET INFO DNS Query for Suspicious .icu Domain
|
|
4.6 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6608 |
2021-03-29 17:56
|
 745584778.js 65f5e916c44ce0e15b66dc940c1e70c1Malware AutoRuns Creates executable files Windows utilities suspicious process WriteConsoleW Windows ComputerName |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
5.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6609 |
2021-03-29 17:56
|
 winlog.exe c7412ea19bbb688a8cfc8ee443e900f4
Azorult .NET framework AsyncRAT backdoor suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
10.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6610 |
2021-03-29 17:57
|
winlog.exe 4b7075ac72e26465423a8f25a5e5cc35FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself Windows utilities AppData folder sandbox evasion Windows DNS |
16
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://www.hayalimofen.net/jzvu/
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://www.spinningx.com/jzvu/
http://www.cnhongzu.com/jzvu/?kHQ4=GbBZQ5JSHKPN0Thvfcr2a87+8xvJQA3P+rHV31dwg11RX4R8Kdu6q017I+Cr/VI4IAcfua7i&D81h=O2MHdPkXY
http://www.xyfs360.com/jzvu/
http://www.cnhongzu.com/jzvu/
http://www.xyfs360.com/jzvu/?kHQ4=SsJi3DmCZMOCIuo9rHb6Fhk8/FNFWB1mneTVaX60PK9iWrXknIctgU7m1mqKu0v6MtwAyYPJ&D81h=O2MHdPkXY
http://www.fountainhead410.com/jzvu/
http://www.theflesolay.com/jzvu/
http://www.hayalimofen.net/jzvu/?kHQ4=gLspv24Ftz5x3R/96yjNvLE0MxLLFqE11/KuZvUAhEY3T0n4VwWgZQVJILrGSeInenzMI/x6&D81h=O2MHdPkXY
http://www.spinningx.com/jzvu/?kHQ4=QrbCyR+ny4V8BXL60BlxjH8G+EQuqcrIrt7PFyf9KPEYwwWsqh7Cnrz6YmkpvFX+Zn+6K1dr&D81h=O2MHdPkXY
http://www.fountainhead410.com/jzvu/?kHQ4=gPJmkLd5Iumt7+/kXloFFkASjT6JhxFOIwMVszm/38cgqTBuSKrIjhSH0WtLGx7FJukKw9E+&D81h=O2MHdPkXY
http://www.fionafrenchic.com/jzvu/?kHQ4=tjq8apEvNPOX7WXKiwDumaYegZKxjePbMe9bdlBbdr52bXYbP0a6PSNfBlGDx9F2KDLKphwM&D81h=O2MHdPkXY
http://www.fionafrenchic.com/jzvu/
http://www.theflesolay.com/jzvu/?kHQ4=wIcuRrOnv+oUag4Twmrtuvhrxt2CMlpwUGrAnij+KJOReM/QwbT5AkOAlKhIJqC19xE8EW23&D81h=O2MHdPkXY
|
25
www.theflesolay.com(66.96.162.144)
www.adassadelacruz.com(198.185.159.144)
www.kundanbangles.com() - mailcious
www.spinningx.com(198.185.159.145)
www.cnhongzu.com(156.241.53.137)
www.technicaljanu.com(154.219.150.138)
www.maquinagsmlb.net(98.124.204.16)
www.fionafrenchic.com(23.227.38.74)
www.6116merrittdrive.com(75.2.89.28)
www.hayalimofen.net(109.232.217.72)
www.xyfs360.com(156.235.228.19)
www.disinfectmylawofficeindy.com(104.16.14.194)
www.fountainhead410.com(34.102.136.180)
156.235.228.19
98.124.204.16 - mailcious
66.96.162.144
75.2.89.28 - mailcious
154.219.150.138 - mailcious
34.102.136.180 - mailcious
109.232.217.72
104.16.16.194 - mailcious
23.227.38.74 - mailcious
198.185.159.145 - mailcious
198.185.159.144 - mailcious
156.241.53.137
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6611 |
2021-03-29 17:58
|
 xls.exe c0615abb7bf663bed3b32f2c1b3808e1
Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
2
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
5.6 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6612 |
2021-03-29 17:58
|
 jan11.exe 5368930e073889874745e520be58b06d
AsyncRAT backdoor VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows ComputerName DNS crashed keylogger |
|
1
|
|
|
12.0 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6613 |
2021-03-29 17:59
|
 745584778.js 65f5e916c44ce0e15b66dc940c1e70c1Malware AutoRuns Creates executable files Windows utilities suspicious process WriteConsoleW Windows ComputerName |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
5.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6614 |
2021-03-29 18:00
|
 org.exe 53cbb91272801963c8a1939f01533edb
Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
11.8 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6615 |
2021-03-29 18:02
|
 OaZ1lioRycGNrN3.exe 283ebf143882c80ebe4f5f1d906546de
AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
12.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|