Sandbox report listing (ZeroCERT), 2021-04-23. Each entry reads: ID | submission time | submitter; file name and MD5; the signatures the sandbox triggered, in its own wording; contacted URLs (with the malicious-URL rule ID where one matched); contacted hosts, each domain followed in brackets by the IP it resolved to (empty brackets: no IP recorded), with the listing's own "malicious"/"malware" label kept on the hosts it marked; network alerts (ET and SSLBL rule names); then score | the listing's M marker, where set | VirusTotal detections. Bracketed counts are the listing's own.

7516 | 2021-04-23 09:57 | ZeroCERT
File: ethm17041.exe  MD5: 2f1115241a8d2d0400d01cec49f12d8b
Signatures: VirusTotal Malware buffers extracted Creates executable files WriteConsoleW crashed
URLs: none
Hosts (2): somekindiff.com(172.67.192.164); 172.67.192.164
Alerts: none
Score: 4.4 | VirusTotal: 41

7517 | 2021-04-23 09:59 | ZeroCERT
File: lv.exe  MD5: 297e038695f55e61638f2555b0fb0b80
Signatures: Glupteba AgentTesla Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed
URLs: none
Hosts (1): fclwcwlTRSbVFzDnFGwWnfynPx.fclwcwlTRSbVFzDnFGwWnfynPx() (no IP recorded)
Alerts: none
Score: 8.4 | VirusTotal: 31

7518 | 2021-04-23 09:59 | ZeroCERT
File: catalog-1605179562.xlsm  MD5: 082645e6b13d4cdd417b3d82c15a8c83
Signatures: Check memory unpack itself Tofsee crashed
URLs: none
Hosts (4): eletrocoghi.com.br(192.185.216.95); ozmontelectrical.com(162.144.12.242); 162.144.12.242; 192.185.216.95 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 2.8

7519 | 2021-04-23 09:59 | ZeroCERT
File: catalog-1605517361.xlsm  MD5: bf83672739e7a17d2851279684a73ad0
Signatures: Check memory unpack itself Tofsee DNS crashed
URLs: none
Hosts (4): ozmontelectrical.com(162.144.12.242); eletrocoghi.com.br(192.185.216.95); 192.185.216.95 - malware; 162.144.12.242
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.4

7520 | 2021-04-23 10:01 | ZeroCERT
File: clip.exe  MD5: 24b6fa846f9d1e068e55654ab7ab451b
Signatures: VirusTotal Malware Check memory Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
URLs: none
Hosts: none
Alerts: none
Score: 4.8 | M | VirusTotal: 40

7521 | 2021-04-23 10:07 | ZeroCERT
File: Ra.exe  MD5: 01b6e74634db81acecadb5fcc20932e9
Signatures: Library Malware unpack itself Remote Code Execution
URLs: none
Hosts: none
Alerts: none
Score: 1.2

7522 | 2021-04-23 10:09 | ZeroCERT
File: check.dll  MD5: 19cf698a9ec21bb5a1b12c9c462e2d3d
Signatures: Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed
URLs (1): https://103.54.41.193/che1/TEST22-PC_W617601.B3E19DB41C770B4F9DA6BB1D235F02FF/5/kps/
Hosts (6): 103.54.41.193; 115.73.211.230; 117.252.68.211; 181.176.161.143; 103.66.72.217; 102.176.221.78
Alerts (3): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET INFO TLS Handshake Failure; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Score: 5.8 | VirusTotal: 22

7523 | 2021-04-23 10:10 | ZeroCERT
File: soft.exe  MD5: 7c41e064f77799275788d55d09d1ff3e
Signatures: Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser Email ComputerName DNS Software Downloader
URLs (6): http://hirezz.com/test/includes/image.php?id=00009CF9F2321904909678; http://hirezz.com/test/includes/image.php; https://up.ufile.io/v1/upload/finalise; https://iplogger.org/1ib2a7; https://up.ufile.io/v1/upload/create_session; https://up.ufile.io/v1/upload/chunk
Hosts (6): up.ufile.io(104.27.194.88); hirezz.com(162.144.12.143); iplogger.org(88.99.66.31) - malicious; 104.27.194.88; 88.99.66.31 - malicious; 162.144.12.143
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Win32/Unk Downloader CnC Activity
Score: 11.0 | VirusTotal: 42

7524 | 2021-04-23 10:10 | ZeroCERT
File: askinstall36.exe  MD5: 9f2a48592d3ce0632f1ecca2c34567b9
Signatures: Trojan_PWS_Stealer Credential User Data Emotet Gen2 Antivirus AsyncRAT backdoor SQLite Cookie Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
URLs (4): http://www.cncode.pw/ - rule_id: 481; http://www.fddnice.pw/ - rule_id: 482; http://www.kenuot.com/Home/Index/lkdinl; https://iplogger.org/1s4qp7
Hosts (8): www.kenuot.com(188.225.87.175); iplogger.org(88.99.66.31) - malicious; www.fddnice.pw(103.155.92.58) - malicious; www.cncode.pw(144.202.76.47) - malicious; 88.99.66.31 - malicious; 144.202.76.47; 188.225.87.175 - malicious; 103.155.92.58 - malicious
Alerts (3): ET DNS Query to a *.pw domain - Likely Hostile; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO HTTP Request to a *.pw domain
Malicious URL rule matches (2): http://www.cncode.pw/; http://www.fddnice.pw/
Score: 12.4 | M | VirusTotal: 39

7525 | 2021-04-23 10:12 | ZeroCERT
File: fw3.exe  MD5: c3d59d08b1f437df8fd17ec4c7e5ce6c
Signatures: VirusTotal Malware DNS
URLs: none
Hosts (5): github.xn--comthtest22-pc-fhb7147u0j3kwl0f() (no IP recorded); 103.54.41.193; 102.176.221.78; 115.73.211.230; 117.252.68.211
Alerts: none
Score: 2.0 | VirusTotal: 42

7526 | 2021-04-23 10:13 | ZeroCERT
File: request1.exe  MD5: 71832d24f95c424d77fd887d9abbb0f0
Signatures: Gen1 Browser Info Stealer VirusTotal Malware PDB Creates executable files unpack itself WriteConsoleW installed browsers check Windows Browser Remote Code Execution DNS
URLs (3): http://www.cif96be750.com/pkasdq/parse.exe; http://35.220.235.49:8070/cookie/useStatistics/count?username=customer1; http://www.cif96be750.com/pkasdq/curl.exe
Hosts (5): www.cif96be750.com(35.220.162.170); get.geojs.io(104.26.0.100); 35.220.235.49; 172.67.70.233; 35.220.162.170 - malicious
Alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Packed Executable Download
Score: 8.2 | VirusTotal: 42

7527 | 2021-04-23 10:54 | ZeroCERT
File: kitten  MD5: 60b5637b9b22819fab90982f01a36d25
Signatures: VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself Browser Email
URLs: none
Hosts: none
Alerts: none
Score: 3.8 | M | VirusTotal: 29

7528 | 2021-04-23 10:54 | ZeroCERT
File: clr.exe  MD5: 1adc9f803f891d4e17075a18e0aab339
Signatures: Antivirus VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key crashed
URLs: none
Hosts: none
Alerts: none
Score: 9.0 | M | VirusTotal: 23

7529 | 2021-04-23 10:56 | ZeroCERT
File: regasm.exe  MD5: bc342f9679aeab723916338bce061ae5
Signatures: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://meirback.co.uk/Bn1/fre.php
Hosts (2): meirback.co.uk(172.67.156.147); 104.21.8.2
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Score: 9.6 | M | VirusTotal: 22

7530 | 2021-04-23 10:59 | ZeroCERT
File: drunk.exe  MD5: 18b2971b63e6f27f7ebdf32f62544f5d
Signatures: PWS .NET framework VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces IP Check ComputerName DNS crashed
URLs (1): (the URL itself is absent from the listing)
Hosts (2): icanhazip.com(172.67.9.138); 104.22.19.188
Alerts (1): ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
Score: 10.6 | M | VirusTotal: 24

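An added example, not part of the listing and not the sandbox's own tooling: a parser for the record cells in the raw space-separated form the sandbox exports them, turning each entry into structured indicators (MD5 split from the signatures it runs into, URLs with their rule IDs, domain-to-IP pairs, hosts the listing labels, individual alert messages) and then pivoting on IPs that more than one entry contacted. The three records embedded in the block are cells copied from entries 7522, 7524 and 7525 above with their signature strings shortened; the `mailcious` spelling is the export's own, which is why the parser accepts it next to `malicious` and `malware`. Function names and the dict layout are this example's choices.

```python
import re

# Cells copied from entries 7522, 7524 and 7525 of the listing above, in the raw
# space-separated form the sandbox exports: the MD5 may run straight into the first
# signature, hosts are "domain(ip)" (empty brackets: no IP recorded) or bare IPs, "- mailcious"
# or "- malware" trails a labelled host, "- rule_id: N" trails a URL that matched a rule.
# Signature strings are shortened here; every other value is as listed.
SAMPLE_RECORDS = [
    {"id": 7522, "file": "check.dll 19cf698a9ec21bb5a1b12c9c462e2d3dDridex TrickBot VirusTotal Malware",
     "urls": "https://103.54.41.193/che1/TEST22-PC_W617601.B3E19DB41C770B4F9DA6BB1D235F02FF/5/kps/",
     "hosts": "103.54.41.193 115.73.211.230 117.252.68.211 181.176.161.143 103.66.72.217 102.176.221.78",
     "alerts": "ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake "
               "Failure ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"},
    {"id": 7524, "file": "askinstall36.exe 9f2a48592d3ce0632f1ecca2c34567b9 Trojan_PWS_Stealer Credential",
     "urls": "http://www.cncode.pw/ - rule_id: 481 http://www.fddnice.pw/ - rule_id: 482 "
             "http://www.kenuot.com/Home/Index/lkdinl https://iplogger.org/1s4qp7",
     "hosts": "www.kenuot.com(188.225.87.175) iplogger.org(88.99.66.31) - mailcious "
              "www.fddnice.pw(103.155.92.58) - mailcious www.cncode.pw(144.202.76.47) - mailcious "
              "88.99.66.31 - mailcious 144.202.76.47 188.225.87.175 - mailcious 103.155.92.58 - mailcious",
     "alerts": "ET DNS Query to a *.pw domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client "
               "Fingerprint detected (Tofsee) ET INFO HTTP Request to a *.pw domain"},
    {"id": 7525, "file": "fw3.exe c3d59d08b1f437df8fd17ec4c7e5ce6cVirusTotal Malware DNS", "urls": "",
     "hosts": "github.xn--comthtest22-pc-fhb7147u0j3kwl0f() 103.54.41.193 102.176.221.78 115.73.211.230 117.252.68.211",
     "alerts": ""},
]

MD5_RE = re.compile(r"([0-9a-f]{32})(.*)$")
HOST_RE = re.compile(r"^([A-Za-z0-9.\-]+)\(([^)]*)\)$")            # domain(ip) or domain()
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ALERT_SPLIT = re.compile(r"(?<!\S)(?=(?:ET [A-Z0-9]+ |SSLBL: ))")   # each ET/SSLBL msg starts an alert
FLAG_WORDS = {"malicious", "mailcious", "malware"}                  # labels the export appends to hosts

def parse_file_cell(cell):
    """'name md5Signature ...' -> (name, md5, signatures), whether or not the MD5 is glued on."""
    name, _, rest = cell.partition(" ")
    m = MD5_RE.match(rest)
    if not m:
        raise ValueError(f"no MD5 in file cell: {cell!r}")
    return name, m.group(1), m.group(2).strip()

def parse_hosts(cell, rec):
    toks, last, i = cell.split(), None, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-" and i + 1 < len(toks) and toks[i + 1].lower() in FLAG_WORDS:
            if last:                                   # the label belongs to the host before it
                rec["flagged"].add(last)
            i += 2
            continue
        m = HOST_RE.match(tok)
        if m:
            domain, ip = m.group(1), m.group(2) or None
            rec["domains"][domain] = ip
            if ip:
                rec["ips"].add(ip)
            last = domain
        elif IPV4_RE.match(tok):
            rec["ips"].add(tok)
            last = tok
        else:
            last = None                                # unknown token: never attach a label to it
        i += 1

def parse_urls(cell, rec):
    toks, last, i = cell.split(), None, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith(("http://", "https://")):
            rec["urls"][tok] = None
            last = tok
        elif tok == "-" and i + 2 < len(toks) and toks[i + 1] == "rule_id:" and toks[i + 2].isdigit():
            if last:
                rec["urls"][last] = int(toks[i + 2])
            i += 2                                     # skip "rule_id:" and the number
        i += 1

def parse_alerts(cell):
    return [a.strip() for a in ALERT_SPLIT.split(cell) if a.strip()]

def parse_record(raw):
    """One listing entry -> dict: urls (url -> rule_id or None), domains (domain -> IP or None),
    ips, flagged (hosts the listing labelled) and the individual alert messages."""
    name, md5, sigs = parse_file_cell(raw["file"])
    rec = {"id": raw["id"], "file": name, "md5": md5, "signatures": sigs, "urls": {},
           "domains": {}, "ips": set(), "flagged": set(), "alerts": parse_alerts(raw.get("alerts", ""))}
    parse_urls(raw.get("urls", ""), rec)
    parse_hosts(raw.get("hosts", ""), rec)
    return rec

def shared_infrastructure(records):
    """IPs contacted by more than one sample: a cheap pivot for clustering submissions."""
    seen = {}
    for r in records:
        for ip in r["ips"]:
            seen.setdefault(ip, []).append(r["id"])
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > 1}

if __name__ == "__main__":
    recs = [parse_record(r) for r in SAMPLE_RECORDS]
    print("IPs shared between samples:", shared_infrastructure(recs))
```

Run on the three embedded entries, the pivot reports 103.54.41.193, 102.176.221.78, 115.73.211.230 and 117.252.68.211 as contacted by both 7522 (check.dll, tagged Dridex/TrickBot/Kovter with a JA3 alert) and 7525 (fw3.exe, tagged only VirusTotal Malware DNS, score 2.0); the overlap is what links the low-scoring entry to the first, and it is invisible when each record is read on its own. The label handling is deliberately conservative: a `- malicious` token only attaches to the host token immediately before it, so a stray token never inherits a flag.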