| 7381 |
2021-04-20 07:39
|
 Nnojr.exe 0223c7c933d538790ea29c9975490088
PWS .NET framework Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.70)
131.186.113.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.2 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7382 |
2021-04-20 07:41
|
 Fsbey.exe 8ab4c430e65defdd7b9975db28d3c92dFormBook Malware download Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows crashed |
14
http://www.my-watch-strap.com/spj6/?LZhP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX&U4kp=Ntx4ZhIXOh7XQrX
http://www.89xs.xyz/spj6/
http://www.shopjrock.com/spj6/?LZhP=qhnezQWTxjg/HbuTmF+cfz/AJC4nUSxVCtyRe9tzOWPiX7YfE01VM4G2EIPySa5O/Ai5gOof&U4kp=Ntx4ZhIXOh7XQrX
http://www.89xs.xyz/spj6/?LZhP=ChhDJUZ34acyioRDxU0I1eGwFTExh6t3ojTWkZgGpRLxdY0skGw1NzhaR82eRSGOOqXjwiEQ&U4kp=Ntx4ZhIXOh7XQrX
http://www.preciousvessel.com/spj6/?LZhP=AF++6DW1ZB7b6v+G1k1B+DYsQETFO/sfcexAS4/+ytZ88TDwDfNbFwA03zmQ8kbNf+vM1WkW&U4kp=Ntx4ZhIXOh7XQrX
http://www.shopjrock.com/spj6/
http://www.beautybar.sucks/spj6/
http://www.ourforms.net/spj6/
http://www.3thaiph.com/spj6/?LZhP=WELcilCtPEVEBOtiTM/sV79+dBkJlHKpkw1Y165Vpka6sd6WRde01ttFnmDHNGdBy+pSbyUZ&U4kp=Ntx4ZhIXOh7XQrX
http://www.beautybar.sucks/spj6/?LZhP=/RvMM/n/jqwCaC65EoynYgHRCQVKYKWSUzaDLW3VbuGWvlmwwixnAdJlTChBxsV8Vf/7elXq&U4kp=Ntx4ZhIXOh7XQrX
http://www.3thaiph.com/spj6/
http://www.my-watch-strap.com/spj6/
http://www.ourforms.net/spj6/?LZhP=b6QgBSz9IsgTBrSxM1TpvmYRkuJztgbn0YznHbeB8Xc6Pticprr/H1NbfIFannWFjAB+Rs5D&U4kp=Ntx4ZhIXOh7XQrX
http://www.preciousvessel.com/spj6/
|
13
www.3thaiph.com(104.161.87.55)
www.89xs.xyz(107.149.249.12)
www.shopjrock.com(34.102.136.180)
www.my-watch-strap.com(192.0.78.24)
www.preciousvessel.com(34.102.136.180)
www.beautybar.sucks(54.147.194.143)
www.ourforms.net(184.168.139.151)
184.168.139.151
107.149.249.12
54.147.194.143
34.102.136.180 - mailcious
104.161.87.55
192.0.78.25 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
8.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7383 |
2021-04-20 07:41
|
 Ddsfrkgc.pdf 764abd8daf6dddba262e3bbae25fdbf5
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://yoursite.com/
|
8
www.yoursite.com(104.21.14.15)
freegeoip.app(172.67.188.154)
yoursite.com(172.67.133.191)
checkip.dyndns.org(131.186.161.70)
172.67.133.191
131.186.161.70
104.21.14.15
104.21.19.200
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
14.2 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7384 |
2021-04-20 07:46
|
7tg4gI0X1rZJQv4.exe 58985086d10dfa3409f29940e0d74453Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser ComputerName Cryptographic key crashed |
|
|
|
|
12.2 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7385 |
2021-04-20 07:49
|
 Pvcjjru.exe 6581f25476a8e4009877ba7498489ef6
Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName crashed Password |
9
http://novget.com/3.jpg
http://novget.com/ - rule_id: 986
http://novget.com/main.php
http://novget.com/7.jpg
http://novget.com/5.jpg
http://novget.com/6.jpg
http://novget.com/4.jpg
http://novget.com/2.jpg
https://yoursite.com/
|
5
www.yoursite.com(104.21.14.15)
novget.com(45.144.225.201) - mailcious
yoursite.com(104.21.14.15)
45.144.225.201
172.67.133.191
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
1
|
19.4 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7386 |
2021-04-20 07:51
|
qtPrQU1KxWmlfKW.exe 2462f3500619d7caeb9ad8bc02e6bf0cBrowser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
|
|
|
16.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7387 |
2021-04-20 07:52
|
MqE94TGiHwDIxvk.exe 99b38cc4fbd844a51c826c406fe31921Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName Cryptographic key crashed |
|
|
|
|
12.8 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7388 |
2021-04-20 07:54
|
K5wSxlyIcuJsAzY.exe f246fcdfbc29f0f80d54f7cd8f99b8f7Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key crashed keylogger |
|
|
|
|
14.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7389 |
2021-04-20 09:02
|
 catalog-134300255.xlsm c1bbead8915e662c20f05437a1966028Check memory unpack itself suspicious TLD Tofsee crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120)
heavensabode.in(103.50.162.157)
scientia-ti.com.br(108.179.192.222)
108.179.192.222 - malware
103.50.162.157 - mailcious
92.53.96.120 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7390 |
2021-04-20 09:03
|
 catalog-1356110994.xlsm 8b7f402856f3d80cb0d041a26f35ec99Check memory unpack itself Tofsee DNS crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120)
heavensabode.in(103.50.162.157)
scientia-ti.com.br(108.179.192.222)
108.179.192.222 - malware
92.53.96.120 - mailcious
103.50.162.157 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7391 |
2021-04-20 09:04
|
 catalog-1321576138.xlsm 0b6cef78cf09fe70881452faab47918fCheck memory unpack itself Tofsee crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120)
heavensabode.in(103.50.162.157)
scientia-ti.com.br(108.179.192.222)
108.179.192.222 - malware
103.50.162.157 - mailcious
92.53.96.120 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7392 |
2021-04-20 09:05
|
 catalog-1301901571.xlsm b7a0b0ca21ea1ec602751681d5c60b11Check memory unpack itself Tofsee DNS crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120)
heavensabode.in(103.50.162.157)
scientia-ti.com.br(108.179.192.222)
108.179.192.222 - malware
92.53.96.120 - mailcious
103.50.162.157 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7393 |
2021-04-20 09:18
|
iTTtz8O2sCqf.php b1f4f7c4f2839fccc054552041944d72VirusTotal Malware PDB |
|
|
|
|
1.4 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7394 |
2021-04-20 09:20
|
juv2ijivv.tar 98c9f60ca8a6fe5d149e8b103b254cee
Gen2 Gen1 VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.4 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7395 |
2021-04-20 09:20
|
uiatx1wc.zip 17d87654aea66ba8a0d416be95fac1b4
Gen2 Gen1 VirusTotal Malware PDB unpack itself DNS crashed |
|
|
|
|
2.0 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|