7396 | 2021-04-20 09:22 | 4100_13_oui_ws1001477830.exe | e90dc89b4ec18cf428631a8902749f1b
Tags: Emotet VirusTotal Malware Code Injection buffers extracted RWX flags setting unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check
9.0 |  | 58 | ZeroCERT
7397 | 2021-04-20 09:23 | g1mrfi.rar | 340994098deb6bf6fa91f73350af7c15
Tags: Gen2 Gen1 VirusTotal Malware PDB Malicious Traffic unpack itself Tofsee Windows DNS crashed
URLs (3): http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=10:4227462757&cup2hreq=368373e8187af8080730cb1ca102e99c23fa418c238c3586be44d3f46bbd62cd
Hosts (2): edgedl.gvt1.com(142.250.34.2) 142.250.34.2
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3.2 |  | 8 | ZeroCERT
7398 | 2021-04-20 09:24 | lisa_sit_ws1013353207.exe | 9c89a1186cd51f70ab038dd96d9bb741
Tags: Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection Checks debugger buffers extracted unpack itself Detects VMWare sandbox evasion VMware Windows DNS DDNS crashed
Hosts (2): lisasamir.no-ip.biz() dcsimon.zapto.org()
Alerts (3): ET POLICY DNS Query to DynDNS Domain *.zapto .org ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain ET INFO Observed DNS Query to .biz TLD
10.2 | M | 61 | ZeroCERT
7399 | 2021-04-20 09:26 | zuPrmTisZ3pMewf.exe | 93675693e8fcb6b339a5529f49fadf6f
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS crashed
URLs (4): http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1618877781&mv=m&mvi=3&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=639d202355e668bd9c14c78151e1a3454c42a124f2d3580ede034472a7c3977a
Hosts (5): r3---sn-3u-bh26.gvt1.com(59.18.44.14) 142.250.204.35 142.250.66.110 59.18.44.14 142.250.66.99
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
14.6 | M | 32 | ZeroCERT
7400 | 2021-04-20 09:27 | SSI.exe | 4d5b5f2b73cac7e717493db793a9ac0d
Tags: VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Creates shortcut Creates executable files unpack itself AntiVM_Disk VM Disk Size Check human activity check Windows ComputerName
URLs (8): http://api.admatching.co.kr/admatching/urlmatchlist_coworker.php?pid=defapp&cid=94de278c3274 http://api.thessi.net/ssi/except_domain.php http://api.admatching.co.kr/admatching/urlmatchlist_merchant.php?pid=defapp&cid=94de278c3274 http://api.thessi.net/ssi/ico/11st.ico http://api.thessi.net/ssi/ico/auction.ico http://api.thessi.net/ssi/ici.php?pid=%CLIENTID&mac=%MACADDR http://api.thessi.net/ssi/beg.php?pid=defapp&cid=94de278c3274 http://api.thessi.net/ssi/ico/gmarket.ico
Hosts (3): api.admatching.co.kr(3.35.144.12) - advertising api.thessi.net(3.35.144.12) - malware 3.35.144.12 - malware
7.0 | M | 54 | ZeroCERT
7401 | 2021-04-20 09:28 | invoice_115521.doc | 10ea6889fd7ca096c9b307b276a03b99
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit Trojan DNS crashed
URLs (2): http://bncoporations.tk/Bn2/fre.php https://pxlme.me/r4K_NukV
Hosts (7): bncoporations.tk(172.67.185.63) stdytheviejupcazfekr.dns.army(103.133.108.6) - mailcious pxlme.me(51.15.139.10) 59.18.44.14 104.21.19.52 103.133.108.6 - mailcious 51.15.139.10
Alerts (12): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download ET DNS Query to a .tk domain - Likely Hostile ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET POLICY HTTP Request to a *.tk domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
4.8 | M | 29 | ZeroCERT
7402 | 2021-04-20 09:29 | Famtf.pdf | a4326b69873c799207e4c9d30c2ed3ac
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://yoursite.com/
Hosts (7): www.yoursite.com(104.21.14.15) freegeoip.app(172.67.188.154) yoursite.com(172.67.133.191) checkip.dyndns.org(216.146.43.71) 104.21.14.15 172.67.188.154 131.186.161.70
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
14.0 |  | 19 | ZeroCERT
7403 | 2021-04-20 09:30 | DqPW3xsn1NfCPt4.exe | fb9576c5e5f4cbfc8c4a754c6ffdfb81
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS crashed
Hosts (1): (not listed)
13.8 | M | 36 | ZeroCERT
7404 | 2021-04-20 09:31 | IMG_503_78_16.pdf | 325348683cd373d4e39a1dfdfeea7cce
Tags: VirusTotal Malware
0.8 |  | 23 | ZeroCERT
7405 | 2021-04-20 09:31 | Hyjgyn.pdf | 1ceae4d45ed09a9ed4d5c392a7654fa9
Tags: AsyncRAT backdoor VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName crashed
URLs (1): (not listed)
Hosts (3): www.yoursite.com(104.21.14.15) yoursite.com(172.67.133.191) 172.67.133.191
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.6 |  | 20 | ZeroCERT
7406 | 2021-04-20 09:33 | SSI.exe | 8e19c14de9d1c2b656d3f4c739debb4b
Tags: VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check human activity check Windows ComputerName DNS
URLs (10): http://api.thessi.net/ssi/df/criteosynd.ini http://api.admatching.co.kr/admatching/urlmatchlist_coworker.php?pid=defapp&cid=94de278c3274 http://api.thessi.net/ssi/except_domain.php http://api.admatching.co.kr/admatching/urlmatchlist_merchant.php?pid=defapp&cid=94de278c3274 http://api.thessi.net/ssi/ico/11st.ico http://api.thessi.net/ssi/ico/auction.ico http://api.thessi.net/ssi/beg.php?pid=defapp&cid=94de278c3274 http://api.thessi.net/ssi/df/criteo.toast http://api.thessi.net/ssi/ici.php?pid=defapp&mac=94de278c3274 http://api.thessi.net/ssi/ico/gmarket.ico
Hosts (3): api.admatching.co.kr(3.35.144.12) - advertising api.thessi.net(3.35.144.12) - malware 3.35.144.12 - malware
Alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
8.4 | M | 23 | ZeroCERT
7407 | 2021-04-20 09:34 | Dtiqyjksq.pdf | f800c3f06fc079a0b96c979a887c4000
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://yoursite.com/
Hosts (7): www.yoursite.com(104.21.14.15) freegeoip.app(104.21.19.200) yoursite.com(172.67.133.191) checkip.dyndns.org(216.146.43.70) 131.186.113.70 172.67.188.154 172.67.133.191
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
13.2 |  | 20 | ZeroCERT
7408 | 2021-04-20 09:35 | Uekonhzz.pdf | d4d8ef44275700e1b44a4c82fa18a7e7
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://yoursite.com/
Hosts (8): www.yoursite.com(172.67.133.191) freegeoip.app(172.67.188.154) yoursite.com(104.21.14.15) checkip.dyndns.org(131.186.161.70) 172.67.133.191 216.146.43.70 - suspicious 104.21.14.15 104.21.19.200
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
14.0 |  | 30 | ZeroCERT
7409 | 2021-04-20 09:37 | Dmdckvjtg.pdf | 46ddcd557521e886e2548e72097e01d6
Tags: Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password
URLs (10): http://orisinlog.com/main.php http://orisinlog.com/5.jpg http://orisinlog.com/7.jpg http://orisinlog.com/1.jpg http://orisinlog.com/3.jpg http://orisinlog.com/2.jpg http://orisinlog.com/ - rule_id: 108 http://orisinlog.com/4.jpg http://orisinlog.com/6.jpg https://yoursite.com/
Hosts (6): orisinlog.com(45.144.225.201) - mailcious www.yoursite.com(172.67.133.191) yoursite.com(104.21.14.15) 104.21.14.15 172.67.188.154 45.144.225.201 - mailcious
Alerts (6): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
1 | 18.0 | M | 21 | ZeroCERT
7410 | 2021-04-20 09:37 | klpn1cz.tar | 494162d41f8b5736c05505476686fae5
Tags: VirusTotal Malware PDB unpack itself DNS crashed
URLs (3): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
2.0 | M | 8 | ZeroCERT