7381 | 2021-04-20 07:39 | Nnojr.exe | MD5: 0223c7c933d538790ea29c9975490088
Tags: PWS, .NET framework, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2): http://checkip.dyndns.org/ ; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app (104.21.19.200) ; checkip.dyndns.org (216.146.43.70) ; 131.186.113.70 ; 172.67.188.154
IDS alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ; ET POLICY External IP Lookup - checkip.dyndns.org ; ET POLICY DynDNS CheckIp External IP Address Server Response ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 13.2 | VirusTotal: 21 | Reporter: ZeroCERT

7382 | 2021-04-20 07:41 | Fsbey.exe | MD5: 8ab4c430e65defdd7b9975db28d3c92d
Tags: FormBook, Malware download, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, crashed
URLs (14):
http://www.my-watch-strap.com/spj6/?LZhP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX&U4kp=Ntx4ZhIXOh7XQrX
http://www.89xs.xyz/spj6/
http://www.shopjrock.com/spj6/?LZhP=qhnezQWTxjg/HbuTmF+cfz/AJC4nUSxVCtyRe9tzOWPiX7YfE01VM4G2EIPySa5O/Ai5gOof&U4kp=Ntx4ZhIXOh7XQrX
http://www.89xs.xyz/spj6/?LZhP=ChhDJUZ34acyioRDxU0I1eGwFTExh6t3ojTWkZgGpRLxdY0skGw1NzhaR82eRSGOOqXjwiEQ&U4kp=Ntx4ZhIXOh7XQrX
http://www.preciousvessel.com/spj6/?LZhP=AF++6DW1ZB7b6v+G1k1B+DYsQETFO/sfcexAS4/+ytZ88TDwDfNbFwA03zmQ8kbNf+vM1WkW&U4kp=Ntx4ZhIXOh7XQrX
http://www.shopjrock.com/spj6/
http://www.beautybar.sucks/spj6/
http://www.ourforms.net/spj6/
http://www.3thaiph.com/spj6/?LZhP=WELcilCtPEVEBOtiTM/sV79+dBkJlHKpkw1Y165Vpka6sd6WRde01ttFnmDHNGdBy+pSbyUZ&U4kp=Ntx4ZhIXOh7XQrX
http://www.beautybar.sucks/spj6/?LZhP=/RvMM/n/jqwCaC65EoynYgHRCQVKYKWSUzaDLW3VbuGWvlmwwixnAdJlTChBxsV8Vf/7elXq&U4kp=Ntx4ZhIXOh7XQrX
http://www.3thaiph.com/spj6/
http://www.my-watch-strap.com/spj6/
http://www.ourforms.net/spj6/?LZhP=b6QgBSz9IsgTBrSxM1TpvmYRkuJztgbn0YznHbeB8Xc6Pticprr/H1NbfIFannWFjAB+Rs5D&U4kp=Ntx4ZhIXOh7XQrX
http://www.preciousvessel.com/spj6/
Hosts (13): www.3thaiph.com (104.161.87.55) ; www.89xs.xyz (107.149.249.12) ; www.shopjrock.com (34.102.136.180) ; www.my-watch-strap.com (192.0.78.24) ; www.preciousvessel.com (34.102.136.180) ; www.beautybar.sucks (54.147.194.143) ; www.ourforms.net (184.168.139.151) ; 184.168.139.151 ; 107.149.249.12 ; 54.147.194.143 ; 34.102.136.180 - malicious ; 104.161.87.55 ; 192.0.78.25 - malicious
IDS alerts (2): ET MALWARE FormBook CnC Checkin (GET) ; ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 8.8 | Reporter: ZeroCERT

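Run 7382 shows the pattern the ET MALWARE FormBook CnC Checkin (GET) alert is tagged against: seven unrelated hosts, one path (/spj6/), two query parameter names, and one of those parameters (U4kp) carrying the same value on every host. The script below is an added example, not part of the sandbox report, that generalises that observation into a triage check: it clusters a run's URL list by path, reports any path requested on several distinct hosts, and lists query parameters whose value never changes across those hosts. The two URL lists are copied from runs 7382 and 7381 above; the three-host threshold and the decision to compare query values without decoding are assumptions.

```python
"""Cluster sandbox-observed URLs by path to surface C2 rotation across hosts.

Added example, not part of the sandbox report. The URL lists are copied from
runs 7382 and 7381 of the report; MIN_HOSTS is an assumed threshold.
"""
from collections import defaultdict
from urllib.parse import urlsplit

MIN_HOSTS = 3  # assumption: a path seen on fewer hosts is not flagged

# Constructed input: the 14 URLs listed for run 7382 (FormBook).
RUN_7382_URLS = [
    "http://www.my-watch-strap.com/spj6/?LZhP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX&U4kp=Ntx4ZhIXOh7XQrX",
    "http://www.89xs.xyz/spj6/",
    "http://www.shopjrock.com/spj6/?LZhP=qhnezQWTxjg/HbuTmF+cfz/AJC4nUSxVCtyRe9tzOWPiX7YfE01VM4G2EIPySa5O/Ai5gOof&U4kp=Ntx4ZhIXOh7XQrX",
    "http://www.89xs.xyz/spj6/?LZhP=ChhDJUZ34acyioRDxU0I1eGwFTExh6t3ojTWkZgGpRLxdY0skGw1NzhaR82eRSGOOqXjwiEQ&U4kp=Ntx4ZhIXOh7XQrX",
    "http://www.preciousvessel.com/spj6/?LZhP=AF++6DW1ZB7b6v+G1k1B+DYsQETFO/sfcexAS4/+ytZ88TDwDfNbFwA03zmQ8kbNf+vM1WkW&U4kp=Ntx4ZhIXOh7XQrX",
    "http://www.shopjrock.com/spj6/",
    "http://www.beautybar.sucks/spj6/",
    "http://www.ourforms.net/spj6/",
    "http://www.3thaiph.com/spj6/?LZhP=WELcilCtPEVEBOtiTM/sV79+dBkJlHKpkw1Y165Vpka6sd6WRde01ttFnmDHNGdBy+pSbyUZ&U4kp=Ntx4ZhIXOh7XQrX",
    "http://www.beautybar.sucks/spj6/?LZhP=/RvMM/n/jqwCaC65EoynYgHRCQVKYKWSUzaDLW3VbuGWvlmwwixnAdJlTChBxsV8Vf/7elXq&U4kp=Ntx4ZhIXOh7XQrX",
    "http://www.3thaiph.com/spj6/",
    "http://www.my-watch-strap.com/spj6/",
    "http://www.ourforms.net/spj6/?LZhP=b6QgBSz9IsgTBrSxM1TpvmYRkuJztgbn0YznHbeB8Xc6Pticprr/H1NbfIFannWFjAB+Rs5D&U4kp=Ntx4ZhIXOh7XQrX",
    "http://www.preciousvessel.com/spj6/",
]

# Constructed input: the 2 URLs listed for run 7381 (external IP lookup only),
# used as a negative case that must not cluster.
RUN_7381_URLS = [
    "http://checkip.dyndns.org/",
    "https://freegeoip.app/xml/175.208.134.150",
]


def raw_query(query):
    """Split a query string into {name: value} without percent- or '+'-decoding,
    so opaque blobs like the LZhP value are compared byte-for-byte."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def cluster_by_path(urls, min_hosts=MIN_HOSTS):
    """Return {path: {"hosts": [...], "constant_params": {...}}} for every
    path requested on at least min_hosts distinct hosts."""
    by_path = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        by_path[parts.path].append((parts.hostname.lower(), raw_query(parts.query)))

    clusters = {}
    for path, records in by_path.items():
        hosts = {host for host, _ in records}
        if len(hosts) < min_hosts:
            continue
        # A parameter whose value is identical on every host is a candidate
        # campaign or bot identifier to pivot on; a varying one is payload.
        queried = [params for _, params in records if params]
        names = set().union(*queried) if queried else set()
        constant = {}
        for name in names:
            values = {params.get(name) for params in queried}
            if len(values) == 1 and None not in values:
                constant[name] = values.pop()
        clusters[path] = {"hosts": sorted(hosts), "constant_params": constant}
    return clusters


if __name__ == "__main__":
    for label, urls in (("7382", RUN_7382_URLS), ("7381", RUN_7381_URLS)):
        found = cluster_by_path(urls)
        print(f"run {label}: {len(found)} rotated path(s)")
        for path, info in found.items():
            print(f"  {path} on {len(info['hosts'])} hosts; constant params: {info['constant_params']}")
```

On run 7382 this reports /spj6/ on seven hosts with U4kp=Ntx4ZhIXOh7XQrX constant and LZhP varying; on run 7381 it reports nothing, because the two URLs share neither path nor host. The constant value is surfaced as a pivot key only; what it encodes is not something the report states.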
7383 | 2021-04-20 07:41 | Ddsfrkgc.pdf | MD5: 764abd8daf6dddba262e3bbae25fdbf5
Tags: AsyncRAT, backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (3): http://checkip.dyndns.org/ ; https://freegeoip.app/xml/175.208.134.150 ; https://yoursite.com/
Hosts (8): www.yoursite.com (104.21.14.15) ; freegeoip.app (172.67.188.154) ; yoursite.com (172.67.133.191) ; checkip.dyndns.org (131.186.161.70) ; 172.67.133.191 ; 131.186.161.70 ; 104.21.14.15 ; 104.21.19.200
IDS alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET POLICY External IP Lookup - checkip.dyndns.org ; ET POLICY DynDNS CheckIp External IP Address Server Response ; ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Score: 14.2 | VirusTotal: 22 | Reporter: ZeroCERT

7384 | 2021-04-20 07:46 | 7tg4gI0X1rZJQv4.exe | MD5: 58985086d10dfa3409f29940e0d74453
Tags: Browser Info Stealer, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, Browser, ComputerName, Cryptographic key, crashed
URLs: none | Hosts: none | IDS alerts: none
Score: 12.2 | VirusTotal: 26 | Reporter: ZeroCERT

7385 | 2021-04-20 07:49 | Pvcjjru.exe | MD5: 6581f25476a8e4009877ba7498489ef6
Tags: Gen1, AsyncRAT, backdoor, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, installed browsers check, Tofsee, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, crashed, Password
URLs (9): http://novget.com/3.jpg ; http://novget.com/ - rule_id: 986 ; http://novget.com/main.php ; http://novget.com/7.jpg ; http://novget.com/5.jpg ; http://novget.com/6.jpg ; http://novget.com/4.jpg ; http://novget.com/2.jpg ; https://yoursite.com/
Hosts (5): www.yoursite.com (104.21.14.15) ; novget.com (45.144.225.201) - malicious ; yoursite.com (104.21.14.15) ; 45.144.225.201 ; 172.67.133.191
IDS alerts (6): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET POLICY Data POST to an image file (jpg) ; ET HUNTING Suspicious EXE Download Content-Type image/jpeg ; ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
1 | Score: 19.4 | M | VirusTotal: 23 | Reporter: ZeroCERT

7386 | 2021-04-20 07:51 | qtPrQU1KxWmlfKW.exe | MD5: 2462f3500619d7caeb9ad8bc02e6bf0c
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
URLs: none | Hosts: none | IDS alerts: none
Score: 16.8 | M | VirusTotal: 24 | Reporter: ZeroCERT

7387 | 2021-04-20 07:52 | MqE94TGiHwDIxvk.exe | MD5: 99b38cc4fbd844a51c826c406fe31921
Tags: Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, Browser, Email, ComputerName, Cryptographic key, crashed
URLs: none | Hosts: none | IDS alerts: none
Score: 12.8 | M | VirusTotal: 23 | Reporter: ZeroCERT

7388 | 2021-04-20 07:54 | K5wSxlyIcuJsAzY.exe | MD5: f246fcdfbc29f0f80d54f7cd8f99b8f7
Tags: Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, crashed, keylogger
URLs: none | Hosts: none | IDS alerts: none
Score: 14.0 | M | VirusTotal: 22 | Reporter: ZeroCERT

7389 | 2021-04-20 09:02 | catalog-134300255.xlsm | MD5: c1bbead8915e662c20f05437a1966028
Tags: Check memory, unpack itself, suspicious TLD, Tofsee, crashed
URLs: none
Hosts (6): truboprovodnaya-armatura.ru (92.53.96.120) ; heavensabode.in (103.50.162.157) ; scientia-ti.com.br (108.179.192.222) ; 108.179.192.222 - malware ; 103.50.162.157 - malicious ; 92.53.96.120 - malicious
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure
Score: 3.2 | Reporter: ZeroCERT

7390 | 2021-04-20 09:03 | catalog-1356110994.xlsm | MD5: 8b7f402856f3d80cb0d041a26f35ec99
Tags: Check memory, unpack itself, Tofsee, DNS, crashed
URLs: none
Hosts (6): truboprovodnaya-armatura.ru (92.53.96.120) ; heavensabode.in (103.50.162.157) ; scientia-ti.com.br (108.179.192.222) ; 108.179.192.222 - malware ; 92.53.96.120 - malicious ; 103.50.162.157 - malicious
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure
Score: 3.4 | Reporter: ZeroCERT

7391 | 2021-04-20 09:04 | catalog-1321576138.xlsm | MD5: 0b6cef78cf09fe70881452faab47918f
Tags: Check memory, unpack itself, Tofsee, crashed
URLs: none
Hosts (6): truboprovodnaya-armatura.ru (92.53.96.120) ; heavensabode.in (103.50.162.157) ; scientia-ti.com.br (108.179.192.222) ; 108.179.192.222 - malware ; 103.50.162.157 - malicious ; 92.53.96.120 - malicious
IDS alerts (2): ET INFO TLS Handshake Failure ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.8 | Reporter: ZeroCERT

7392 | 2021-04-20 09:05 | catalog-1301901571.xlsm | MD5: b7a0b0ca21ea1ec602751681d5c60b11
Tags: Check memory, unpack itself, Tofsee, DNS, crashed
URLs: none
Hosts (6): truboprovodnaya-armatura.ru (92.53.96.120) ; heavensabode.in (103.50.162.157) ; scientia-ti.com.br (108.179.192.222) ; 108.179.192.222 - malware ; 92.53.96.120 - malicious ; 103.50.162.157 - malicious
IDS alerts (2): ET INFO TLS Handshake Failure ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.4 | Reporter: ZeroCERT

7393 | 2021-04-20 09:18 | iTTtz8O2sCqf.php | MD5: b1f4f7c4f2839fccc054552041944d72
Tags: VirusTotal, Malware, PDB
URLs: none | Hosts: none | IDS alerts: none
Score: 1.4 | VirusTotal: 19 | Reporter: ZeroCERT

7394 | 2021-04-20 09:20 | juv2ijivv.tar | MD5: 98c9f60ca8a6fe5d149e8b103b254cee
Tags: Gen2, Gen1, VirusTotal, Malware, PDB, unpack itself, crashed
URLs: none | Hosts: none | IDS alerts: none
Score: 1.4 | VirusTotal: 5 | Reporter: ZeroCERT

7395 | 2021-04-20 09:20 | uiatx1wc.zip | MD5: 17d87654aea66ba8a0d416be95fac1b4
Tags: Gen2, Gen1, VirusTotal, Malware, PDB, unpack itself, DNS, crashed
URLs: none | Hosts: none | IDS alerts: none
Score: 2.0 | VirusTotal: 6 | Reporter: ZeroCERT