| 7516 |
2021-04-23 09:57
|
ethm17041.exe 2f1115241a8d2d0400d01cec49f12d8b
VirusTotal Malware buffers extracted Creates executable files WriteConsoleW crashed |
|
2
somekindiff.com(172.67.192.164)
172.67.192.164
|
|
|
4.4 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7517 |
2021-04-23 09:59
|
 lv.exe 297e038695f55e61638f2555b0fb0b80
Glupteba AgentTesla Malicious Library VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed |
|
1
fclwcwlTRSbVFzDnFGwWnfynPx.fclwcwlTRSbVFzDnFGwWnfynPx()
|
|
|
8.4 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7518 |
2021-04-23 09:59
|
 catalog-1605179562.xlsm 082645e6b13d4cdd417b3d82c15a8c83Check memory unpack itself Tofsee crashed |
|
4
eletrocoghi.com.br(192.185.216.95)
ozmontelectrical.com(162.144.12.242)
162.144.12.242
192.185.216.95 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7519 |
2021-04-23 09:59
|
 catalog-1605517361.xlsm bf83672739e7a17d2851279684a73ad0Check memory unpack itself Tofsee DNS crashed |
|
4
ozmontelectrical.com(162.144.12.242)
eletrocoghi.com.br(192.185.216.95)
192.185.216.95 - malware
162.144.12.242
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7520 |
2021-04-23 10:01
|
 clip.exe 24b6fa846f9d1e068e55654ab7ab451bVirusTotal Malware Check memory Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
4.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7521 |
2021-04-23 10:07
|
 Ra.exe 01b6e74634db81acecadb5fcc20932e9
Library Malware unpack itself Remote Code Execution |
|
|
|
|
1.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7522 |
2021-04-23 10:09
|
check.dll 19cf698a9ec21bb5a1b12c9c462e2d3dDridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed |
1
https://103.54.41.193/che1/TEST22-PC_W617601.B3E19DB41C770B4F9DA6BB1D235F02FF/5/kps/
|
6
103.54.41.193
115.73.211.230
117.252.68.211
181.176.161.143
103.66.72.217
102.176.221.78
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
5.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7523 |
2021-04-23 10:10
|
soft.exe 7c41e064f77799275788d55d09d1ff3eBrowser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser Email ComputerName DNS Software Downloader |
6
http://hirezz.com/test/includes/image.php?id=00009CF9F2321904909678
http://hirezz.com/test/includes/image.php
https://up.ufile.io/v1/upload/finalise
https://iplogger.org/1ib2a7
https://up.ufile.io/v1/upload/create_session
https://up.ufile.io/v1/upload/chunk
|
6
up.ufile.io(104.27.194.88)
hirezz.com(162.144.12.143)
iplogger.org(88.99.66.31) - mailcious
104.27.194.88
88.99.66.31 - mailcious
162.144.12.143
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Unk Downloader CnC Activity
|
|
11.0 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7524 |
2021-04-23 10:10
|
 askinstall36.exe 9f2a48592d3ce0632f1ecca2c34567b9
Trojan_PWS_Stealer Credential User Data Emotet Gen2 Antivirus AsyncRAT backdoor SQLite Cookie Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution DNS crashed |
4
http://www.cncode.pw/ - rule_id: 481
http://www.fddnice.pw/ - rule_id: 482
http://www.kenuot.com/Home/Index/lkdinl
https://iplogger.org/1s4qp7
|
8
www.kenuot.com(188.225.87.175)
iplogger.org(88.99.66.31) - mailcious
www.fddnice.pw(103.155.92.58) - mailcious
www.cncode.pw(144.202.76.47) - mailcious
88.99.66.31 - mailcious
144.202.76.47
188.225.87.175 - mailcious
103.155.92.58 - mailcious
|
3
ET DNS Query to a *.pw domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to a *.pw domain
|
2
http://www.cncode.pw/
http://www.fddnice.pw/
|
12.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7525 |
2021-04-23 10:12
|
fw3.exe c3d59d08b1f437df8fd17ec4c7e5ce6cVirusTotal Malware DNS |
|
5
github.xn--comthtest22-pc-fhb7147u0j3kwl0f()
103.54.41.193
102.176.221.78
115.73.211.230
117.252.68.211
|
|
|
2.0 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7526 |
2021-04-23 10:13
|
 request1.exe 71832d24f95c424d77fd887d9abbb0f0
Gen1 Browser Info Stealer VirusTotal Malware PDB Creates executable files unpack itself WriteConsoleW installed browsers check Windows Browser Remote Code Execution DNS |
3
http://www.cif96be750.com/pkasdq/parse.exe
http://35.220.235.49:8070/cookie/useStatistics/count?username=customer1
http://www.cif96be750.com/pkasdq/curl.exe
|
5
www.cif96be750.com(35.220.162.170)
get.geojs.io(104.26.0.100)
35.220.235.49
172.67.70.233
35.220.162.170 - mailcious
|
2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Packed Executable Download
|
|
8.2 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7527 |
2021-04-23 10:54
|
kitten 60b5637b9b22819fab90982f01a36d25VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself Browser Email |
|
|
|
|
3.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7528 |
2021-04-23 10:54
|
clr.exe 1adc9f803f891d4e17075a18e0aab339
Antivirus VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
9.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7529 |
2021-04-23 10:56
|
regasm.exe bc342f9679aeab723916338bce061ae5Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://meirback.co.uk/Bn1/fre.php
|
2
meirback.co.uk(172.67.156.147)
104.21.8.2
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
9.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7530 |
2021-04-23 10:59
|
 drunk.exe 18b2971b63e6f27f7ebdf32f62544f5d
PWS .NET framework VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces IP Check ComputerName DNS crashed |
1
|
2
icanhazip.com(172.67.9.138)
104.22.19.188
|
1
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
|
|
10.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|