7726 | 2021-04-29 10:31
vbc.exe 52b2d5053a85993dd987973c80489356 Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed
9.6 | M | 34 | ZeroCERT
7727 | 2021-04-29 10:32
smartpc.exe 51ef8f866755aeade1626e3c14b8ec21 Antivirus PE File PE32 OS Processor Check VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
2: drdreamer.ddns.net(198.46.142.215) 198.46.142.215
1: ET POLICY DNS Query to DynDNS Domain *.ddns .net
11.4 | M | 23 | ZeroCERT
7728 | 2021-04-29 10:33
mnesotta.exe 88d1770a52e372a6bfa4526406701e60 AsyncRAT backdoor Malicious Library PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key
5.0 | | 13 | ZeroCERT
7729 | 2021-04-29 10:33
IMG_0501_765_013.exe 716e89179126809cc5a4b476a03dda11 AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
9: http://31.210.21.154/4.jpg http://31.210.21.154/6.jpg http://31.210.21.154/2.jpg http://31.210.21.154/1.jpg http://31.210.21.154/3.jpg http://31.210.21.154/main.php http://31.210.21.154/5.jpg http://31.210.21.154/7.jpg http://31.210.21.154/
1
5: ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
17.4 | M | 19 | ZeroCERT
7730 | 2021-04-29 10:35
PUKfyFHG2AWXj1W.exe 1c24719aaa1f1a844cda4bc2ae526f89 PWS .NET framework AsyncRAT backdoor Malicious Library PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key
1
2.8 | M | 22 | ZeroCERT
7731 | 2021-04-29 10:36
hATsvlnsX4Ox4qP.exe 0a719c4a0920d961681bb1bf298f20cb PWS .NET framework AsyncRAT backdoor Malicious Library PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key crashed
3.0 | M | 23 | ZeroCERT
7732 | 2021-04-29 10:38
IMG_850_007_630.exe 378c246b3278f0343eb02a5f6dd63263 AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
9: http://vpsthree.xyz/ http://vpsthree.xyz/6.jpg http://vpsthree.xyz/4.jpg http://vpsthree.xyz/2.jpg http://vpsthree.xyz/3.jpg http://vpsthree.xyz/1.jpg http://vpsthree.xyz/main.php http://vpsthree.xyz/7.jpg http://vpsthree.xyz/5.jpg
2: vpsthree.xyz(95.181.164.213) 95.181.164.213
5: ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
17.0 | M | 18 | ZeroCERT
7733 | 2021-04-29 10:44
kellyx.exe d6593adf011c7683f63a0a4cd86b44f4 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed
2: http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7B3CB491E69F14DD03AE67C19E9537DE.html - rule_id: 1176 http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5EFD3570C629C1296C13C331574DEE53.html - rule_id: 1176
2: ldvamlwhdpetnyn.ml(172.67.208.174) - mailcious 104.21.85.176 - mailcious
1: ET INFO DNS Query for Suspicious .ml Domain
2: http://ldvamlwhdpetnyn.ml/liverpool-fc-news/ http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
14.4 | M | 15 | ZeroCERT
7734 | 2021-04-29 10:45
z77BwJ1HRskq4Rt.exe bac325b105737193d6a70fdf897ebb4b PWS .NET framework AsyncRAT backdoor Malicious Library PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key
1
3.0 | M | 35 | ZeroCERT
7735 | 2021-04-29 10:46
IMG_001263082.exe 6e18d889d1ecbd6bc5e1adf9d92ad8c4 AgentTesla AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2: http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4: freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 131.186.161.70 104.21.19.200
4: ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
14.6 | M | 20 | ZeroCERT
7736 | 2021-04-29 10:49
IMG_650_617_250.exe b08a05459460a65935839eedb7f36569 AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
9: http://203.159.80.206/4.jpg http://203.159.80.206/6.jpg http://203.159.80.206/2.jpg http://203.159.80.206/1.jpg http://203.159.80.206/3.jpg http://203.159.80.206/main.php http://203.159.80.206/5.jpg http://203.159.80.206/7.jpg http://203.159.80.206/
1
5: ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
16.6 | M | 26 | ZeroCERT
7737 | 2021-04-29 10:52
Pkstfvgdp.exe 13a8ca17d4b77f65052f928f39ef46b8 AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Discord Browser Email ComputerName DNS Cryptographic key crashed Password
11: http://5llion.com/5.jpg http://5llion.com/main.php http://5llion.com/7.jpg http://cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe http://5llion.com/1.jpg http://5llion.com/3.jpg http://5llion.com/2.jpg http://5llion.com/ http://5llion.com/6.jpg http://5llion.com/4.jpg https://cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
4: 5llion.com(31.210.20.99) cdn.discordapp.com(162.159.135.233) - malware 31.210.20.99 162.159.129.233 - malware
6: ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET POLICY EXE File Downloaded from Discord SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
17.2 | M | 12 | ZeroCERT
7738 | 2021-04-29 15:44
IvGRnMiDzgderQQteqNjNgKoIYqaLW... e301bc81ee1ef7a1bd3549865719d839 RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit crashed
2: idmquick.xyz(45.61.136.72) - mailcious 45.61.136.72 - mailcious
3.8 | M | 17 | 조광섭
7739 | 2021-04-29 15:48
IvGRnMiDzgderQQteqNjNgKoIYqaLW... e301bc81ee1ef7a1bd3549865719d839 RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit crashed
2: idmquick.xyz(45.61.136.72) - mailcious 45.61.136.72 - mailcious
3.8 | M | 17 | 조광섭
7740 | 2021-04-29 16:21
IvGRnMiDzgderQQteqNjNgKoIYqaLW... e301bc81ee1ef7a1bd3549865719d839 RTF File doc VirusTotal Malware buffers extracted exploit crash Exploit crashed
2: idmquick.xyz(45.61.136.72) - mailcious 45.61.136.72 - mailcious
3.4 | M | 17 | 조광섭