Sandbox submission listing, one block per sample. Fields: submission ID and time, submitter, file name and MD5, behaviour tags as reported by the sandbox, contacted URLs and hosts (the listing's own reputation note follows a host where present), IDS alerts, sandbox score, a flag column (M where set) and the detection count that accompanies the VirusTotal tag (blank for the entries without that tag).

#7816  submitted 2021-05-03 16:55 by ZeroCERT
  File:    shedyx.exe  (MD5 eef95dc191a017e573233a95dc280409)
  Tags:    Malicious Library Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   7.6    Flag: -    Detections: 14
#7817  submitted 2021-05-03 16:56 by ZeroCERT
  File:    calc.txt  (MD5 59e1199f32a8f13b0efbdd092b02b165)
  Tags:    AgentTesla AsyncRAT backdoor PWS .NET framework email stealer browser info stealer Google Chrome User Data DNS Socket KeyLogger ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed
  URLs:    1 (not shown on the page)
  Hosts (3):
    www.google.com (172.217.31.132)
    216.58.220.196
    79.134.225.52 - malicious
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score:   11.0    Flag: -    Detections: 16
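Added example (not code from the listing, the sandbox, or the SSLBL project): how a JA3 fingerprint such as the Tofsee match on #7817 is produced. The script builds a ClientHello from constructed values, parses it back out of the TLS record, and derives the JA3 string and MD5 the way the JA3 method specifies: ClientHello version, cipher suites, extension types, supported groups and EC point formats, each in decimal, joined with "-" inside a field and "," between fields, with GREASE values dropped. The ClientHello contents are made up for the example; its hash is not a Tofsee fingerprint and does not appear in SSLBL.

```python
# Added example, not from the sandbox or SSLBL: build a ClientHello from
# constructed values, parse it back out of the TLS record and compute JA3.
import hashlib
import struct


def _u16(n: int) -> bytes:
    return struct.pack(">H", n)


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ...; JA3 drops them."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def sni_ext(name: bytes) -> bytes:
    entry = b"\x00" + _u16(len(name)) + name                 # name_type host_name(0)
    return _u16(len(entry)) + entry


def build_client_hello(version: int, ciphers, extensions) -> bytes:
    """Serialise one TLS record holding a minimal, constructed ClientHello."""
    body = _u16(version) + b"\x00" * 32 + b"\x00"            # version, random, empty session id
    cs = b"".join(_u16(c) for c in ciphers)
    body += _u16(len(cs)) + cs
    body += b"\x01\x00"                                      # one compression method: null
    ext = b"".join(_u16(t) + _u16(len(d)) + d for t, d in extensions)
    body += _u16(len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type client_hello
    return b"\x16\x03\x01" + _u16(len(hs)) + hs              # record: handshake, legacy version


def ja3_from_record(rec: bytes):
    """Return (ja3_string, ja3_md5) for a record carrying a ClientHello."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 9                                                  # record header (5) + handshake header (4)
    version = int.from_bytes(rec[pos:pos + 2], "big"); pos += 2
    pos += 32                                                # client random
    pos += 1 + rec[pos]                                      # session id
    cs_len = int.from_bytes(rec[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(rec[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + rec[pos]                                      # compression methods
    ext_len = int.from_bytes(rec[pos:pos + 2], "big"); pos += 2
    end = pos + ext_len
    ext_types, groups, formats = [], [], []
    while pos + 4 <= end:
        etype = int.from_bytes(rec[pos:pos + 2], "big")
        elen = int.from_bytes(rec[pos + 2:pos + 4], "big")
        data = rec[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == 10:                                      # supported_groups
            glen = int.from_bytes(data[:2], "big")
            groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + glen, 2)]
        elif etype == 11:                                    # ec_point_formats
            formats = list(data[1:1 + data[0]])

    def field(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))

    ja3 = ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def sample_client_hello() -> bytes:
    """Constructed ClientHello with a GREASE entry in each JA3 field that allows one."""
    return build_client_hello(
        0x0303,                                              # TLS 1.2 in the handshake = 771
        [0x1301, 0x1302, 0xC02B, 0x0A0A],                    # last one is GREASE
        [
            (0, sni_ext(b"example.com")),
            (10, _u16(6) + _u16(29) + _u16(23) + _u16(0x0A0A)),  # x25519, secp256r1, GREASE
            (11, b"\x01\x00"),                                   # uncompressed points
            (0x1A1A, b""),                                       # GREASE extension
            (13, _u16(2) + b"\x04\x03"),                         # ecdsa_secp256r1_sha256
            (43, b"\x02\x03\x04"),                               # supported_versions: TLS 1.3
        ],
    )


if __name__ == "__main__":
    s, h = ja3_from_record(sample_client_hello())
    print(s)   # 771,4865-4866-49195,0-10-11-13-43,29-23,0
    print(h)
```

The fingerprint is only as stable as the client's ClientHello: a client that reorders extensions (Chrome has randomised extension order since version 110) or adds one changes the hash, so an SSLBL-style match is evidence of a particular client implementation, not of the process or file behind it, and is read together with the rest of the sandbox tags.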
#7818  submitted 2021-05-03 16:57 by ZeroCERT
  File:    vbc.exe  (MD5 3f1ef1dd98cc11a613f80bfbc728adfe)
  Tags:    Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed
  URLs:    -
  Hosts (1):
    79.134.225.52 - malicious
  Alerts:  -
  Score:   9.6    Flag: M    Detections: 22
#7819  submitted 2021-05-03 16:57 by ZeroCERT
  File:    prosperx.exe  (MD5 aa6168d4e41ced2091baee9f5d59e11e)
  Tags:    PE File PE32 DLL OS Processor Check VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder
  URLs (3):
    http://www.mamapacho.com/xcl/?mJExMd=rRF6wUI3ZhpfbZgF2Y+3InukcIVyWBz1vsPJWbFlIMo0SBfoPh+8CYvjkPbPIFulITKe8rBE&_joT_=Zfdl70hxJB
    http://www.crystalwiththecrystalz.com/xcl/?mJExMd=22pQot5QhP0reu3QutJgiv1bb8fa3vwFu9urOUpD05nkspV5DBFZiUUJP7Fmb0DNUG1du7Kn&_joT_=Zfdl70hxJB
    http://www.print12580.com/xcl/?mJExMd=5aEa/bF6qdarcChzQR50qpWbd544aitgDS9a2klJHHN/Qgk1YZlctc871lRMm/sbN3yYYw6h&_joT_=Zfdl70hxJB
  Hosts (7):
    www.crystalwiththecrystalz.com (151.101.193.211)
    www.print12580.com (23.81.96.159)
    www.mamapacho.com (34.102.136.180)
    www.amarak-uniform.com (no address resolved)
    23.81.96.159
    151.101.77.211
    34.102.136.180 - malicious
  Alerts:  -
  Score:   4.0    Flag: M    Detections: 13
#7820  submitted 2021-05-03 17:00 by ZeroCERT
  File:    GtHkNHOJptpVTx0.exe  (MD5 f88f2eddb129a1ca98655d76ed0524af)
  Tags:    Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   11.4    Flag: M    Detections: 12
#7821  submitted 2021-05-03 17:00 by ZeroCERT
  File:    kdotx.exe  (MD5 c7ac2a1e30b01678d51973aa253ff546)
  Tags:    .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself suspicious process WriteConsoleW Windows DNS Cryptographic key
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   6.4    Flag: M    Detections: 20
#7822  submitted 2021-05-03 17:02 by ZeroCERT
  File:    CGOCsebqORMb3Bo.exe  (MD5 cc27a3a4c648f4a7f5e5449c1dacd802)
  Tags:    Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE OS Processor Check PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   10.8    Flag: M    Detections: 14
#7823  submitted 2021-05-03 17:02 by ZeroCERT
  File:    lYS9YwR5POvhiaO.exe  (MD5 6eafc7f23e078fbef788d517dd2c0114)
  Tags:    Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   10.4    Flag: M    Detections: 12
#7824  submitted 2021-05-03 17:04 by ZeroCERT
  File:    yourlocallotto.exe  (MD5 7564bb42086def493a6e8f27bf923647)
  Tags:    PE File PE32 DLL VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself Remote Code Execution DNS
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   3.0    Flag: M    Detections: 33
#7825  submitted 2021-05-03 17:04 by ZeroCERT
  File:    17hff.exe  (MD5 a5b17ac04b70cc12107229c7e3a92842)
  Tags:    AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Malware Malicious Traffic malicious URLs ComputerName DNS
  URLs (1):
    http://launcher.worldofwarcraft.com/alert
  Hosts (3):
    launcher.worldofwarcraft.com (137.221.106.103)
    31.210.21.71
    137.221.106.103
  Alerts:  -
  Score:   3.8    Flag: M    Detections: -
#7826  submitted 2021-05-03 17:06 by ZeroCERT
  File:    Ll2LxWOagynlSgJ.exe  (MD5 9f029c1ba7e42f78dcbe210b978961cf)
  Tags:    Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   10.8    Flag: M    Detections: 13
#7827  submitted 2021-05-03 17:08 by ZeroCERT
  File:    pepwn.exe  (MD5 ee0a1ec859b753abc30847157d81f37c)
  Tags:    PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Buffer PE AutoRuns PDB Malicious Traffic buffers extracted Creates executable files ICMP traffic Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS Cryptographic key
  URLs (7):
    http://185.215.113.93/cc22
    http://api.wipmania.com/
    http://95.143.193.125/tor/status-vote/current/consensus.z
    http://193.11.164.243:9030/tor/status-vote/current/consensus.z
    http://185.215.113.93/cc11
    http://23.129.64.201/tor/server/fp/0011bd2485ad45d984ec4159c88fc066e5e3300e+005079a42356183cea5a3add239303f44f12e7ea+00cc4ac22501360c541185ee7e4466efb7032cae+00cce6a84e6d63a1a42e105839bc8ed5d4b16669+00e1649e69ff91d7f01e74a5e62ef14f7d9915e4+019feb22ce04cbd0489b7f24be038518b64fa223+034168fa4180b8662439fc714e4bdd7c6b39f5df+041646640ab306ea74b001966e86169b04cc88d2+05051aa95fb65c64e6a99fc0963cedeb211c88ba+05499507da8b381370e0858a784c3afe13dc927f+0a3c9ebb64ee062aa170bb9bf2b84ffb02da88c9+0a4ed4c74020740a904f3a9936030b7a4c6170bb+0b19bbfdc498ccea23027b1d7bd8e20121b95e60+0b37ec8be844f5c20e5b84a885608de0c7dbea47+0c93559d6d7e95b41561424345b0b176fbe66f00+0d2d4b1d27468806bb1edfb02715eee91e1ab94e.z
    http://86.59.21.38/tor/server/fp/d5f09497548a39071d14ac9e9aa926a0f8a748f2+d5f5502c1762a0b737a81a6bdb78ddbf7efc7725+d60c2d85ead93d23f1c00874d334bbf8a96cd529.z
  Hosts (14):
    api.wipmania.com (212.83.168.196)
    95.217.42.50
    212.83.168.196
    213.32.71.116
    23.129.64.201
    195.201.103.59
    95.217.229.211
    45.66.156.176
    95.143.193.125
    162.247.74.201
    141.255.162.34
    193.11.164.243
    185.215.113.93 - malware
    86.59.21.38 - malicious
  Alerts (20):
    ET DROP Spamhaus DROP Listed Traffic Inbound group 24
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578
    ET TOR Known Tor Exit Node Traffic group 74
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75
    ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
    ET POLICY External IP Lookup Attempt To Wipmania
    ET TOR Known Tor Exit Node Traffic group 105
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 319
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743
    ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
    ET POLICY TLS possible TOR SSL traffic
    SURICATA HTTP gzip decompression failed
    ET P2P Tor Get Server Request
    ET POLICY TOR Consensus Data Requested
    ET TOR Known Tor Exit Node Traffic group 16
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 16
    ET COMPROMISED Known Compromised or Hostile Host Traffic group 61
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 810
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303
  Score:   12.6    Flag: M    Detections: 37
#7828  submitted 2021-05-04 08:11 by ZeroCERT
  File:    ew.dot  (MD5 64dd92f97bf7b9752f124ed0b75762c5)
  Tags:    RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself IP Check Tofsee Windows Exploit DNS DDNS crashed Downloader
  URLs (3):
    http://107.173.191.48/ewa/vbc.exe
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  Hosts (5):
    freegeoip.app (172.67.188.154)
    checkip.dyndns.org (131.186.113.70)
    216.146.43.70 - suspicious
    172.67.188.154
    107.173.191.48 - malware
  Alerts (10):
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY External IP Lookup - checkip.dyndns.org
    ET INFO Executable Download from dotted-quad Host
    ET POLICY DynDNS CheckIp External IP Address Server Response
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Score:   5.6    Flag: -    Detections: 25
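Added example (not the sandbox's, Suricata's or Emerging Threats' code): a small Python classifier that re-creates the URL-level heuristics behind several of the alerts on #7827 and #7828 and runs them over the URLs those two entries list. The external-IP service and dynamic-DNS lists are assumptions made for the example, not the ET policy rule sets; the labels paraphrase the rule names and are not signature IDs; the benign control URL is constructed.

```python
# Added example, not Suricata/ET or sandbox code: URL heuristics in the spirit of
# the ET alerts listed above, run over the URLs from entries #7827 and #7828.
import ipaddress
import re
from urllib.parse import urlparse

# Assumptions for the example: illustrative lists, not the ET policy rule sets.
EXTERNAL_IP_SERVICES = {"checkip.dyndns.org", "api.wipmania.com", "freegeoip.app"}
DYNDNS_SUFFIXES = (".dyndns.org", ".no-ip.org", ".duckdns.org")
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr)$", re.IGNORECASE)
TOR_DIR_PATH = re.compile(r"^/tor/(status-vote/|server/fp/|keys/)")

# URLs as they appear in the listing (the descriptor URL is cut to its first
# fingerprint; only the /tor/server/fp/ prefix matters below), plus one
# constructed benign control.
SAMPLE_URLS = [
    "http://185.215.113.93/cc22",
    "http://api.wipmania.com/",
    "http://95.143.193.125/tor/status-vote/current/consensus.z",
    "http://193.11.164.243:9030/tor/status-vote/current/consensus.z",
    "http://23.129.64.201/tor/server/fp/0011bd2485ad45d984ec4159c88fc066e5e3300e.z",
    "http://107.173.191.48/ewa/vbc.exe",
    "http://checkip.dyndns.org/",
    "https://freegeoip.app/xml/175.208.134.150",
    "https://www.example.com/index.html",          # constructed benign control
]


def is_dotted_quad(host: str) -> bool:
    """True when the host part is a literal IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def classify_url(url: str) -> list:
    """Labels that fire for one URL; an empty list means no heuristic matched."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path or "/"
    hits = []
    if is_dotted_quad(host) and EXECUTABLE_EXT.search(path):
        hits.append("exe-download-from-dotted-quad")   # cf. ET INFO Executable Download from dotted-quad Host
    if TOR_DIR_PATH.match(path):
        hits.append("tor-directory-request")           # cf. ET POLICY TOR Consensus Data Requested, ET P2P Tor Get Server Request
    if host in EXTERNAL_IP_SERVICES:
        hits.append("external-ip-lookup")              # cf. ET POLICY External IP Lookup ...
    if host.endswith(DYNDNS_SUFFIXES):
        hits.append("dynamic-dns-host")                # cf. ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    return hits


def triage(urls) -> dict:
    """Map each URL to its labels, keeping only URLs where something fired."""
    out = {}
    for u in urls:
        hits = classify_url(u)
        if hits:
            out[u] = hits
    return out


if __name__ == "__main__":
    for url, labels in triage(SAMPLE_URLS).items():
        print(f"{', '.join(labels):45s} {url}")
```

A URL-only pass is a triage aid, not a replacement for the IDS: the response-side rules on #7828 (the MZ header that the HUNTING rule looks for, the PE EXE or DLL download rule) need the payload, and the request-side rules that key on a terse user agent need the headers, neither of which the URL carries. checkip.dyndns.org deliberately fires twice here, matching the pair of dyndns alerts in the listing.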
#7829  submitted 2021-05-04 09:04 by Kim.GS
  File:    aes.js  (MD5 78a66859739b0c9e18bc5b4538c03bf9)
  Tags:    -
  URLs:    -
  Hosts:   -
  Alerts:  -
  Score:   -    Flag: -    Detections: -
#7830  submitted 2021-05-04 09:13 by ZeroCERT
  File:    explorer.exe  (MD5 01c087629a99a6cb94700ae1f8f4d894)
  Tags:    PE File PE32 VirusTotal Malware AutoRuns Check memory Creates executable files RWX flags setting AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser DNS
  URLs:    -
  Hosts (2):
    62.234.113.47
    106.52.15.123 - malware
  Alerts:  -
  Score:   7.2    Flag: -    Detections: 54