6631 | 2021-03-30 09:24
n7duez.zip 44dcdfd1873198f50c5dd4dbb1fe8f44 | Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Tofsee Kovter Windows Browser ComputerName DNS crashed
URLs (4): http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe; https://update.googleapis.com/service/update2; https://update.googleapis.com/service/update2?cup2key=10:1063268346&cup2hreq=aeb1fd103607563a549a6ba2077d24749f8c33da6854c0de7ef1993f7b40cbea; https://210.65.244.176/ - rule_id: 598
Hosts (3): edgedl.gvt1.com(142.250.34.2); 142.250.34.2; 210.65.244.176 - mailcious
Signatures (5): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1
5.6 | M | 11 | ZeroCERT

6632 | 2021-03-30 10:15
requirement.txt 61c79da0f94843294be6de0a0f9f8501 | Check memory unpack itself
1.0 | | | 조광섭

6633 | 2021-03-30 10:19
requirement.txt 61c79da0f94843294be6de0a0f9f8501 | Check memory unpack itself
1.0 | | | 조광섭

6634 | 2021-03-30 10:34
requirement.txt 61c79da0f94843294be6de0a0f9f8501 | Check memory unpack itself
1.0 | | | 조광섭

6635 | 2021-03-30 10:37
requirement.txt 61c79da0f94843294be6de0a0f9f8501 | Check memory unpack itself
1.0 | | | 조광섭

6636 | 2021-03-30 10:40
requirement.txt 61c79da0f94843294be6de0a0f9f8501 | Check memory unpack itself
1.0 | | | 조광섭

6637 | 2021-03-30 10:48
om.dot 2cc05a1c5eddac8787d2aba98ba1fdc6 | Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1): http://198.23.174.104/om.exe
Hosts (1):
Signatures (6): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.0 | M | 28 | ZeroCERT

6638 | 2021-03-30 10:48
om.exe a5cef6534e6f1347419ce386ba477c3e | Azorult .NET framework VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed
9.0 | | 12 | ZeroCERT

6639 | 2021-03-30 10:50
qtjlj8.tar 538ec258e88dd53cb7f1e97936f4c9b9 | Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Kovter Browser ComputerName DNS crashed
URLs (1): https://210.65.244.176/ - rule_id: 598
Hosts (1): 210.65.244.176 - mailcious
Signatures (1): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
1
5.4 | M | 7 | ZeroCERT

6640 | 2021-03-30 10:51
requirement.txt 61c79da0f94843294be6de0a0f9f8501 | Check memory unpack itself
URLs (3): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3; http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/; http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
1.0 | | | 조광섭

6641 | 2021-03-30 10:53
count.php 35994b0f330dac6e145ebed16e77ddec | Dridex TrickBot VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
URLs (20): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3; http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f; http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/; http://wtfismyip.com/text; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/; https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CNetDownloadMng5575191179%5Cxzcountlb.dwn/0/; https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/pxPtLlVV7rz3hFHPxXVH9ntpH3/ - rule_id: 530; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab64/reload1/0/; https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/jdtzrTn7D1fhJNbBNVH7NJBPBDzrN/; https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/23/2000027/ - rule_id: 530; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/4j4pxaBWesD3gH7yYCXrlLdHM/; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/JXX9LFPNtFT75Htn3nVXhlnxNLP/; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab/sTart%20Run%20D%20failed/0/; https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/1jdJTPhNJftt9llb5HDzBt1d1t3/ - rule_id: 530; https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/NAT%20status/client%20is%20behind%20NAT/0/ - rule_id: 530; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/; https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/QHAVHUMUVKIZYSUYVK/7/ - rule_id: 530; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/707854/0/; https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/; https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/DNSBL/listed/0/ - rule_id: 530
Hosts (15): 150.134.208.175.b.barracudacentral.org(127.0.0.2); 150.134.208.175.cbl.abuseat.org(); wtfismyip.com(95.217.228.176); 150.134.208.175.zen.spamhaus.org(); 67.79.117.70 - mailcious; 95.217.228.176; 67.212.241.127; 75.87.15.158; 72.180.57.176; 12.158.156.51; 103.26.251.214; 98.6.170.206; 137.27.167.58; 24.182.101.64; 45.164.80.94
Signatures (4): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O); ET POLICY IP Check wtfismyip.com; ET POLICY curl User-Agent Outbound
6: https://67.79.117.70/; https://67.79.117.70/; https://67.79.117.70/; https://67.79.117.70/; https://67.79.117.70/; https://67.79.117.70/
12.0 | M | 11 | ZeroCERT

6642 | 2021-03-30 10:53
pp83bzm9.zip 609c12160bee83a946014ce663f7bd1e | Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Kovter Browser ComputerName DNS crashed
URLs (3): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/; http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f; https://210.65.244.176/ - rule_id: 598
Hosts (1): 210.65.244.176 - mailcious
Signatures (1): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
1
5.6 | M | 12 | ZeroCERT

6643 | 2021-03-30 10:53
rlpsrwkf.rar e304592773f40ae15360ee26f7e771f3 | Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Kovter Browser ComputerName DNS crashed
URLs (1): https://210.65.244.176/ - rule_id: 598
Hosts (5): 67.79.117.70 - mailcious; 210.65.244.176 - mailcious; 137.27.167.58; 24.182.101.64; 45.164.80.94
Signatures (1): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
1
5.4 | M | 8 | ZeroCERT

6644 | 2021-03-30 10:55
ret5er1.exe 741151649d1b412fc1bfd480d18f4e84 | VirusTotal Malware unpack itself crashed
1.0 | | 9 | ZeroCERT

6645 | 2021-03-30 10:57
................................. c774c3df375b0d8ad7cb452595ce6df6 | FormBook Malware download VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (16): http://www.scott-re.online/nnmd/?MZg=YoDjfv9GFAPxmC/m/YrXEnPJINgN/ZGcUJt6czxWwkNRV1BAm2Kb0tXyCx+SX/c+MMPjJ8db&D6k8=O2MXWx4h7; http://www.sinisviaggi.com/nnmd/?MZg=VIGwM4kLsPBjVwVxvG2DVcz31VwkVNmuqeVQt9KCh+zpFxQw+aB3w1K1fbmQla60FC8rcdUK&D6k8=O2MXWx4h7; http://www.vr-club.site/nnmd/; http://www.likehowto.com/nnmd/?MZg=vRs6n4JRqe7Dt1ePX7b+YJv/yKqWGc/3Y/UBZKRypASveBlD9HGJWm4G1cXUL/JYAaDcAVpU&D6k8=O2MXWx4h7; http://www.likehowto.com/nnmd/; http://www.samanthataylordesigns.com/nnmd/; http://www.elticrecruit.com/nnmd/; http://www.phillydroneservices.com/nnmd/?MZg=bjiCut6zOJdcdeJ/f4cAa/A2emNgaa+sY9XNa+K3VUrydaUd5ZH/1emzue+w5vYKBDFGo+zh&D6k8=O2MXWx4h7; http://www.elticrecruit.com/nnmd/?MZg=kngYRuVfLuuPny+4CliufAMPT2DrkHQGtZ529sxu6AZ+mjDb8TOV5Kb0i+tB46tvYkYEaNVD&D6k8=O2MXWx4h7; http://www.samanthataylordesigns.com/nnmd/?MZg=sVCsP3nYsNXlW4I2EqS3kB52HqjY7ZxXgFnkWYmWMO+p6LFBhhCa6Vg5Ah+KszLMV8i2Kccl&D6k8=O2MXWx4h7; http://www.scott-re.online/nnmd/; http://www.vr-club.site/nnmd/?MZg=PWz62rtZjeojhOkFcCqBVXu8rEu/adWxBjkYhVKdUPhCPZNYbrsWWb643PkmL53QhEqlNSfQ&D6k8=O2MXWx4h7; http://www.phillydroneservices.com/nnmd/; http://www.7985699.com/nnmd/?MZg=5eMcWOIRhRBDg7AFbH6T6n9ePY1bhRzkU2oAA9D0h2F0eFvVxskwV2U654U3C4UMb8hOzpd5&D6k8=O2MXWx4h7; http://www.sinisviaggi.com/nnmd/; http://www.7985699.com/nnmd/
Hosts (21): www.vr-club.site(163.44.185.224); www.7985699.com(45.142.156.44); www.scott-re.online(34.102.136.180); www.phillydroneservices.com(52.58.78.16); www.samanthataylordesigns.com(198.49.23.144); www.pjsgsc.com(); www.sinisviaggi.com(81.88.52.101); www.elticrecruit.com(216.239.34.21); www.likehowto.com(203.76.236.103); www.xpddwrfj.icu(); www.gatewaygaurdians.com(); www.papofabri.com(); 163.44.185.224; 216.239.38.21 - phishing; 81.88.52.101; 198.23.251.121 - mailcious; 52.58.78.16 - mailcious; 34.102.136.180 - mailcious; 45.142.156.44 - mailcious; 198.185.159.145 - mailcious; 203.76.236.103
Signatures (8): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE FormBook CnC Checkin (GET); ET INFO DNS Query for Suspicious .icu Domain
5.2 | M | 23 | ZeroCERT