7591 | 2021-04-26 18:06 | regasm.exe | 0f41166bff09ec4b0c4491140da6951b
Tags: Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key
9.0 | M | 18 | ZeroCERT

7592 | 2021-04-26 18:09 | win32.exe | 560e45ff31ce9ea0446afa5e85fb0f97
Tags: AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key
8.2 | M | 27 | ZeroCERT

7593 | 2021-04-26 18:11 | DFI_0451_587_032.pdf | 2e85f22e8e3436b38af2299a04f0cad8
Tags: AgentTesla KeyBase Keylogger malicious URLs ComputerName
Hosts (2): vtqt.xyz(45.85.90.14) - malicious, 45.85.90.14
2.4 | M | | ZeroCERT

7594 | 2021-04-26 18:12 | win32.exe | 6fb264671c6043faa04905eb607b9b17
Tags: Malicious Library VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
Hosts: 1 (not listed)
7.8 | | 13 | ZeroCERT

7595 | 2021-04-26 18:12 | IMG_608943011.pdf | 5f0e74e8c039c771ec8c2fa77981c7dd
Tags: AgentTesla KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154), checkip.dyndns.org(131.186.113.70), 216.146.43.71, 172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | | 14 | ZeroCERT

7596 | 2021-04-26 18:13 | jazzyx.scr | 9016909878ac1ad68e35ec83aa6988d7
Tags: AsyncRAT backdoor FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
URLs (4):
  http://www.quickpanservice.com/sdh/?SX=y5cqxa77+AzBROKzMsTrIDm1XGDKnAIMB97uCo/qYIumddtded2s56bPIwzEZhPk3ULMotqK&iN=-ZOdphi8CHVl
  http://www.zuhut.com/sdh/?SX=ectCVgCES89nnfH8J8iYd77qN2c4e7jLJtv7I+uZeVKHXsuWgpUE3WypoBoF7cwZqoELbi2G&iN=-ZOdphi8CHVl
  http://www.presidentbyedon.com/sdh/?SX=KdJhW/ysedK9xREwvCkMpge8LXzGTauJG371skuO2KFaPP8o3bVYyAWgdfSH3bziwWoQaaql&iN=-ZOdphi8CHVl
  http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F0B9031A116A776EF4F18E20AECDBB2E.html
Hosts (9): www.zuhut.com(64.190.62.111), www.presidentbyedon.com(34.102.136.180), www.sdrcdhxy.club(), xwjhdjylqeypyltby.ml(104.21.88.107), www.quickpanservice.com(148.72.212.87), 64.190.62.111 - malicious, 104.21.88.107, 34.102.136.180 - malicious, 148.72.212.87
Alerts (2):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE FormBook CnC Checkin (GET)
9.4 | | 17 | ZeroCERT

7597 | 2021-04-26 18:14 | shedyphx.scr | 65f19f528b41da6b1b11e894ed20d877
Tags: AsyncRAT backdoor FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows DNS Cryptographic key
URLs (5):
  http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-998AD455AE20AC4E10E6C6B9224D736E.html
  http://www.gitaffiliate.com/blm/?CP=uGGFK5UhCUKCnxC8Ud3ctgC6smvju6fhPlsyozAq6N0+YsN3Ijt/fdCkzzIRsY7zE/Ms1iOw&nN=Sxl0iBPp_L-dz
  http://www.earthnetic.com/blm/?CP=KzhYmWwGBnJd9H2lHorqD8QKOlNsse9QX1sd99Ls1hbzoykJM+qEq+3dk7Q4isYsubov0k0A&nN=Sxl0iBPp_L-dz
  http://www.bikesofthefuture.com/blm/?CP=/F5EKGShKdzfOo6rJYC+yT+3/JcfBVJwv5RL9ncNjH3yKsLZXD1n5t9v2CeczytC3Ib20Ua8&nN=Sxl0iBPp_L-dz
  http://www.checkoutmyimages.com/blm/?CP=Q/TZM269arV1IgVCnNh5odBPYQN+T2CQDjPOdzfx5C4l4+ZW41HZ5pGmZWA/UFRbxZr4YpCv&nN=Sxl0iBPp_L-dz
Hosts (9): www.checkoutmyimages.com(156.252.105.54), www.gitaffiliate.com(34.102.136.180), www.earthnetic.com(103.228.50.241), xwjhdjylqeypyltby.ml(172.67.176.229), www.bikesofthefuture.com(34.102.136.180), 156.252.105.54, 104.21.88.107, 34.102.136.180 - malicious, 103.228.50.241
Alerts (2):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE FormBook CnC Checkin (GET)
10.6 | | 13 | ZeroCERT

7598 | 2021-04-26 18:15 | shedyx.scr | a1bf6457c196da3311ec2bb5d6a3dd93
Tags: AsyncRAT backdoor FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows DNS Cryptographic key crashed
URLs (4):
  http://www.chuyensuacuasat.com/hsd/?GVW8=dwSUQeNDSCch504RvWDP9MDBCdi0TMn6ht2P9jbHhkFz+AIKYC+Gjjsmw4VUd0oW1YuPBdDe&uzuD=Zld0rPDHNj
  http://www.xin-zong.com/hsd/?GVW8=l9NNfcs8gV38WLNdwwM4MrwWlwMPHZMgRluEmFVCm/U2i1JlW36Q4mMzDwS7eZqBb3yaC0Fn&uzuD=Zld0rPDHNj
  http://www.riseinitiativellc.com/hsd/?GVW8=S7S7gnEF/SB8sQS1wIlqnp1Ofu7tBBDrW++s6v81ELS9tYHecr3PVg7JMS1bWvKVLvtxdrl4&uzuD=Zld0rPDHNj
  http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DC99786D69273EFAB2BE036B79EA07C9.html
Hosts (9): www.chuyensuacuasat.com(116.193.69.130), www.xin-zong.com(45.38.9.8), www.luxbeds.info(), xwjhdjylqeypyltby.ml(172.67.176.229), www.riseinitiativellc.com(198.49.23.145), 116.193.69.130, 45.38.9.8, 198.185.159.145 - malicious, 172.67.176.229
Alerts (2):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE FormBook CnC Checkin (GET)
9.2 | | 14 | ZeroCERT

7599 | 2021-04-26 18:19 | regasm.exe | 4d1a1e438fee82fce40619bbb27f4209
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://superomline.com/chief/dv2/mcee/fre.php
Hosts: 1 (not listed)
8.2 | M | 21 | ZeroCERT

7600 | 2021-04-26 18:20 | regasm.exe | d7a120c277d010f9757a22fab6cc6d29
Tags: Raccoon Stealer Glupteba VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed
3.2 | M | 25 | ZeroCERT

7601 | 2021-04-26 18:23 | FLP_1037850047.pdf | d32bc982566fbb8d81d3012779d3c320
Tags: AgentTesla KeyBase Keylogger Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser ComputerName DNS Cryptographic key crashed
Hosts: 1 (not listed)
9.0 | M | 11 | ZeroCERT

7602 | 2021-04-26 18:27 | IMG_5023075401.pdf | 427e21ef958ea63e6a12ce4d8d5a3e55
Tags: AgentTesla KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (5): freegeoip.app(172.67.188.154), checkip.dyndns.org(216.146.43.70), 131.186.113.70, 162.88.193.70, 172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | M | 16 | ZeroCERT

7603 | 2021-04-26 18:27 | IMG_106_680_74_80.pdf | e05e738dcb98a9f8c125138b492f82e5
Tags: AgentTesla KeyBase Keylogger Gen1 Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (9):
  http://osiq.icu/main.php
  http://osiq.icu/2.jpg
  http://osiq.icu/1.jpg
  http://osiq.icu/
  http://osiq.icu/3.jpg
  http://osiq.icu/5.jpg
  http://osiq.icu/7.jpg
  http://osiq.icu/4.jpg
  http://osiq.icu/6.jpg
Hosts (2): osiq.icu(45.15.143.157), 45.15.143.157
Alerts (7):
  ET INFO DNS Query for Suspicious .icu Domain
  ET POLICY Data POST to an image file (jpg)
  ET INFO HTTP POST Request to Suspicious *.icu domain
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
17.0 | M | 13 | ZeroCERT

7604 | 2021-04-27 07:34 | zNxilDNA8KXhDwA.exe | 5570cf1f7f13401060e437441383b17f
Tags: PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key
3.2 | | 33 | ZeroCERT

7605 | 2021-04-27 07:34 | YJsq7ClO2MJYRAz.exe | d99fa385d6238fb480c064c8785a0c83
Tags: PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows DNS Cryptographic key
3.8 | | 30 | ZeroCERT