| 7591 |
2021-04-26 18:06
|
regasm.exe 0f41166bff09ec4b0c4491140da6951b
Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
9.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7592 |
2021-04-26 18:09
|
win32.exe 560e45ff31ce9ea0446afa5e85fb0f97
AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
8.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7593 |
2021-04-26 18:11
|
 DFI_0451_587_032.pdf 2e85f22e8e3436b38af2299a04f0cad8
AgentTesla KeyBase Keylogger malicious URLs ComputerName |
|
2
vtqt.xyz(45.85.90.14) - mailcious
45.85.90.14
|
|
|
2.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7594 |
2021-04-26 18:12
|
win32.exe 6fb264671c6043faa04905eb607b9b17
Malicious Library VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
7.8 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7595 |
2021-04-26 18:12
|
 IMG_608943011.pdf 5f0e74e8c039c771ec8c2fa77981c7dd
AgentTesla KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.113.70)
216.146.43.71
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7596 |
2021-04-26 18:13
|
jazzyx.scr 9016909878ac1ad68e35ec83aa6988d7
AsyncRAT backdoor FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
4
http://www.quickpanservice.com/sdh/?SX=y5cqxa77+AzBROKzMsTrIDm1XGDKnAIMB97uCo/qYIumddtded2s56bPIwzEZhPk3ULMotqK&iN=-ZOdphi8CHVl
http://www.zuhut.com/sdh/?SX=ectCVgCES89nnfH8J8iYd77qN2c4e7jLJtv7I+uZeVKHXsuWgpUE3WypoBoF7cwZqoELbi2G&iN=-ZOdphi8CHVl
http://www.presidentbyedon.com/sdh/?SX=KdJhW/ysedK9xREwvCkMpge8LXzGTauJG371skuO2KFaPP8o3bVYyAWgdfSH3bziwWoQaaql&iN=-ZOdphi8CHVl
http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F0B9031A116A776EF4F18E20AECDBB2E.html
|
9
www.zuhut.com(64.190.62.111)
www.presidentbyedon.com(34.102.136.180)
www.sdrcdhxy.club()
xwjhdjylqeypyltby.ml(104.21.88.107)
www.quickpanservice.com(148.72.212.87)
64.190.62.111 - mailcious
104.21.88.107
34.102.136.180 - mailcious
148.72.212.87
|
2
ET INFO DNS Query for Suspicious .ml Domain
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7597 |
2021-04-26 18:14
|
shedyphx.scr 65f19f528b41da6b1b11e894ed20d877
AsyncRAT backdoor FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows DNS Cryptographic key |
5
http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-998AD455AE20AC4E10E6C6B9224D736E.html
http://www.gitaffiliate.com/blm/?CP=uGGFK5UhCUKCnxC8Ud3ctgC6smvju6fhPlsyozAq6N0+YsN3Ijt/fdCkzzIRsY7zE/Ms1iOw&nN=Sxl0iBPp_L-dz
http://www.earthnetic.com/blm/?CP=KzhYmWwGBnJd9H2lHorqD8QKOlNsse9QX1sd99Ls1hbzoykJM+qEq+3dk7Q4isYsubov0k0A&nN=Sxl0iBPp_L-dz
http://www.bikesofthefuture.com/blm/?CP=/F5EKGShKdzfOo6rJYC+yT+3/JcfBVJwv5RL9ncNjH3yKsLZXD1n5t9v2CeczytC3Ib20Ua8&nN=Sxl0iBPp_L-dz
http://www.checkoutmyimages.com/blm/?CP=Q/TZM269arV1IgVCnNh5odBPYQN+T2CQDjPOdzfx5C4l4+ZW41HZ5pGmZWA/UFRbxZr4YpCv&nN=Sxl0iBPp_L-dz
|
9
www.checkoutmyimages.com(156.252.105.54)
www.gitaffiliate.com(34.102.136.180)
www.earthnetic.com(103.228.50.241)
xwjhdjylqeypyltby.ml(172.67.176.229)
www.bikesofthefuture.com(34.102.136.180)
156.252.105.54
104.21.88.107
34.102.136.180 - mailcious
103.228.50.241
|
2
ET INFO DNS Query for Suspicious .ml Domain
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7598 |
2021-04-26 18:15
|
shedyx.scr a1bf6457c196da3311ec2bb5d6a3dd93
AsyncRAT backdoor FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows DNS Cryptographic key crashed |
4
http://www.chuyensuacuasat.com/hsd/?GVW8=dwSUQeNDSCch504RvWDP9MDBCdi0TMn6ht2P9jbHhkFz+AIKYC+Gjjsmw4VUd0oW1YuPBdDe&uzuD=Zld0rPDHNj
http://www.xin-zong.com/hsd/?GVW8=l9NNfcs8gV38WLNdwwM4MrwWlwMPHZMgRluEmFVCm/U2i1JlW36Q4mMzDwS7eZqBb3yaC0Fn&uzuD=Zld0rPDHNj
http://www.riseinitiativellc.com/hsd/?GVW8=S7S7gnEF/SB8sQS1wIlqnp1Ofu7tBBDrW++s6v81ELS9tYHecr3PVg7JMS1bWvKVLvtxdrl4&uzuD=Zld0rPDHNj
http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DC99786D69273EFAB2BE036B79EA07C9.html
|
9
www.chuyensuacuasat.com(116.193.69.130)
www.xin-zong.com(45.38.9.8)
www.luxbeds.info()
xwjhdjylqeypyltby.ml(172.67.176.229)
www.riseinitiativellc.com(198.49.23.145)
116.193.69.130
45.38.9.8
198.185.159.145 - mailcious
172.67.176.229
|
2
ET INFO DNS Query for Suspicious .ml Domain
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.2 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7599 |
2021-04-26 18:19
|
regasm.exe 4d1a1e438fee82fce40619bbb27f4209Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://superomline.com/chief/dv2/mcee/fre.php
|
1
|
|
|
8.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7600 |
2021-04-26 18:20
|
 regasm.exe d7a120c277d010f9757a22fab6cc6d29
Raccoon Stealer Glupteba VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
3.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7601 |
2021-04-26 18:23
|
 FLP_1037850047.pdf d32bc982566fbb8d81d3012779d3c320
AgentTesla KeyBase Keylogger Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
9.0 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7602 |
2021-04-26 18:27
|
 IMG_5023075401.pdf 427e21ef958ea63e6a12ce4d8d5a3e55
AgentTesla KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
5
freegeoip.app(172.67.188.154)
checkip.dyndns.org(216.146.43.70)
131.186.113.70
162.88.193.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7603 |
2021-04-26 18:27
|
 IMG_106_680_74_80.pdf e05e738dcb98a9f8c125138b492f82e5
AgentTesla KeyBase Keylogger Gen1 Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password |
9
http://osiq.icu/main.php
http://osiq.icu/2.jpg
http://osiq.icu/1.jpg
http://osiq.icu/
http://osiq.icu/3.jpg
http://osiq.icu/5.jpg
http://osiq.icu/7.jpg
http://osiq.icu/4.jpg
http://osiq.icu/6.jpg
|
2
osiq.icu(45.15.143.157)
45.15.143.157
|
7
ET INFO DNS Query for Suspicious .icu Domain
ET POLICY Data POST to an image file (jpg)
ET INFO HTTP POST Request to Suspicious *.icu domain
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING Possible EXE Download From Suspicious TLD
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
17.0 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7604 |
2021-04-27 07:34
|
zNxilDNA8KXhDwA.exe 5570cf1f7f13401060e437441383b17f
PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
3.2 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7605 |
2021-04-27 07:34
|
YJsq7ClO2MJYRAz.exe d99fa385d6238fb480c064c8785a0c83
PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
3.8 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|