| 7396 |
2021-04-20 09:22
|
 4100_13_oui_ws1001477830.exe e90dc89b4ec18cf428631a8902749f1b
Emotet VirusTotal Malware Code Injection buffers extracted RWX flags setting unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check |
|
|
|
|
9.0 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7397 |
2021-04-20 09:23
|
g1mrfi.rar 340994098deb6bf6fa91f73350af7c15
Gen2 Gen1 VirusTotal Malware PDB Malicious Traffic unpack itself Tofsee Windows DNS crashed |
3
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:4227462757&cup2hreq=368373e8187af8080730cb1ca102e99c23fa418c238c3586be44d3f46bbd62cd
|
2
edgedl.gvt1.com(142.250.34.2)
142.250.34.2
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
3.2 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7398 |
2021-04-20 09:24
|
 lisa_sit_ws1013353207.exe 9c89a1186cd51f70ab038dd96d9bb741Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection Checks debugger buffers extracted unpack itself Detects VMWare sandbox evasion VMware Windows DNS DDNS crashed |
|
2
lisasamir.no-ip.biz()
dcsimon.zapto.org()
|
3
ET POLICY DNS Query to DynDNS Domain *.zapto .org
ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
ET INFO Observed DNS Query to .biz TLD
|
|
10.2 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7399 |
2021-04-20 09:26
|
 zuPrmTisZ3pMewf.exe 93675693e8fcb6b339a5529f49fadf6fVirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS crashed |
4
http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1618877781&mv=m&mvi=3&pl=18&shardbypass=yes
http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=639d202355e668bd9c14c78151e1a3454c42a124f2d3580ede034472a7c3977a
|
5
r3---sn-3u-bh26.gvt1.com(59.18.44.14)
142.250.204.35
142.250.66.110
59.18.44.14
142.250.66.99
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
14.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7400 |
2021-04-20 09:27
|
 SSI.exe 4d5b5f2b73cac7e717493db793a9ac0dVirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Creates shortcut Creates executable files unpack itself AntiVM_Disk VM Disk Size Check human activity check Windows ComputerName |
8
http://api.admatching.co.kr/admatching/urlmatchlist_coworker.php?pid=defapp&cid=94de278c3274
http://api.thessi.net/ssi/except_domain.php
http://api.admatching.co.kr/admatching/urlmatchlist_merchant.php?pid=defapp&cid=94de278c3274
http://api.thessi.net/ssi/ico/11st.ico
http://api.thessi.net/ssi/ico/auction.ico
http://api.thessi.net/ssi/ici.php?pid=%CLIENTID&mac=%MACADDR
http://api.thessi.net/ssi/beg.php?pid=defapp&cid=94de278c3274
http://api.thessi.net/ssi/ico/gmarket.ico
|
3
api.admatching.co.kr(3.35.144.12) - advertising
api.thessi.net(3.35.144.12) - malware
3.35.144.12 - malware
|
|
|
7.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7401 |
2021-04-20 09:28
|
invoice_115521.doc 10ea6889fd7ca096c9b307b276a03b99LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit Trojan DNS crashed |
2
http://bncoporations.tk/Bn2/fre.php
https://pxlme.me/r4K_NukV
|
7
bncoporations.tk(172.67.185.63)
stdytheviejupcazfekr.dns.army(103.133.108.6) - mailcious
pxlme.me(51.15.139.10)
59.18.44.14
104.21.19.52
103.133.108.6 - mailcious
51.15.139.10
|
12
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download
ET DNS Query to a .tk domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to a *.tk domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
4.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7402 |
2021-04-20 09:29
|
 Famtf.pdf a4326b69873c799207e4c9d30c2ed3ac
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://yoursite.com/
|
7
www.yoursite.com(104.21.14.15)
freegeoip.app(172.67.188.154)
yoursite.com(172.67.133.191)
checkip.dyndns.org(216.146.43.71)
104.21.14.15
172.67.188.154
131.186.161.70
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
14.0 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7403 |
2021-04-20 09:30
|
 DqPW3xsn1NfCPt4.exe fb9576c5e5f4cbfc8c4a754c6ffdfb81VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS crashed |
|
1
|
|
|
13.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7404 |
2021-04-20 09:31
|
IMG_503_78_16.pdf 325348683cd373d4e39a1dfdfeea7cceVirusTotal Malware |
|
|
|
|
0.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7405 |
2021-04-20 09:31
|
 Hyjgyn.pdf 1ceae4d45ed09a9ed4d5c392a7654fa9
AsyncRAT backdoor VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName crashed |
1
|
3
www.yoursite.com(104.21.14.15)
yoursite.com(172.67.133.191)
172.67.133.191
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7406 |
2021-04-20 09:33
|
 SSI.exe 8e19c14de9d1c2b656d3f4c739debb4bVirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check human activity check Windows ComputerName DNS |
10
http://api.thessi.net/ssi/df/criteosynd.ini
http://api.admatching.co.kr/admatching/urlmatchlist_coworker.php?pid=defapp&cid=94de278c3274
http://api.thessi.net/ssi/except_domain.php
http://api.admatching.co.kr/admatching/urlmatchlist_merchant.php?pid=defapp&cid=94de278c3274
http://api.thessi.net/ssi/ico/11st.ico
http://api.thessi.net/ssi/ico/auction.ico
http://api.thessi.net/ssi/beg.php?pid=defapp&cid=94de278c3274
http://api.thessi.net/ssi/df/criteo.toast
http://api.thessi.net/ssi/ici.php?pid=defapp&mac=94de278c3274
http://api.thessi.net/ssi/ico/gmarket.ico
|
3
api.admatching.co.kr(3.35.144.12) - advertising
api.thessi.net(3.35.144.12) - malware
3.35.144.12 - malware
|
2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
|
8.4 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7407 |
2021-04-20 09:34
|
 Dtiqyjksq.pdf f800c3f06fc079a0b96c979a887c4000
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://yoursite.com/
|
7
www.yoursite.com(104.21.14.15)
freegeoip.app(104.21.19.200)
yoursite.com(172.67.133.191)
checkip.dyndns.org(216.146.43.70)
131.186.113.70
172.67.188.154
172.67.133.191
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
13.2 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7408 |
2021-04-20 09:35
|
 Uekonhzz.pdf d4d8ef44275700e1b44a4c82fa18a7e7
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://yoursite.com/
|
8
www.yoursite.com(172.67.133.191)
freegeoip.app(172.67.188.154)
yoursite.com(104.21.14.15)
checkip.dyndns.org(131.186.161.70)
172.67.133.191
216.146.43.70 - suspicious
104.21.14.15
104.21.19.200
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
14.0 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7409 |
2021-04-20 09:37
|
 Dmdckvjtg.pdf 46ddcd557521e886e2548e72097e01d6
Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
10
http://orisinlog.com/main.php
http://orisinlog.com/5.jpg
http://orisinlog.com/7.jpg
http://orisinlog.com/1.jpg
http://orisinlog.com/3.jpg
http://orisinlog.com/2.jpg
http://orisinlog.com/ - rule_id: 108
http://orisinlog.com/4.jpg
http://orisinlog.com/6.jpg
https://yoursite.com/
|
6
orisinlog.com(45.144.225.201) - mailcious
www.yoursite.com(172.67.133.191)
yoursite.com(104.21.14.15)
104.21.14.15
172.67.188.154
45.144.225.201 - mailcious
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
1
|
18.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7410 |
2021-04-20 09:37
|
klpn1cz.tar 494162d41f8b5736c05505476686fae5VirusTotal Malware PDB unpack itself DNS crashed |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
2.0 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|