| 7816 |
2021-05-03 16:55
|
 shedyx.exe eef95dc191a017e573233a95dc280409
Malicious Library Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.6 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7817 |
2021-05-03 16:56
|
 calc.txt 59e1199f32a8f13b0efbdd092b02b165
AgentTesla AsyncRAT backdoor PWS .NET framework email stealer browser info stealer Google Chrome User Data DNS Socket KeyLogger ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed |
1
|
3
www.google.com(172.217.31.132)
216.58.220.196
79.134.225.52 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7818 |
2021-05-03 16:57
|
 vbc.exe 3f1ef1dd98cc11a613f80bfbc728adfe
Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
1
79.134.225.52 - mailcious
|
|
|
9.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7819 |
2021-05-03 16:57
|
 prosperx.exe aa6168d4e41ced2091baee9f5d59e11e
PE File PE32 DLL OS Processor Check VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
3
http://www.mamapacho.com/xcl/?mJExMd=rRF6wUI3ZhpfbZgF2Y+3InukcIVyWBz1vsPJWbFlIMo0SBfoPh+8CYvjkPbPIFulITKe8rBE&_joT_=Zfdl70hxJB
http://www.crystalwiththecrystalz.com/xcl/?mJExMd=22pQot5QhP0reu3QutJgiv1bb8fa3vwFu9urOUpD05nkspV5DBFZiUUJP7Fmb0DNUG1du7Kn&_joT_=Zfdl70hxJB
http://www.print12580.com/xcl/?mJExMd=5aEa/bF6qdarcChzQR50qpWbd544aitgDS9a2klJHHN/Qgk1YZlctc871lRMm/sbN3yYYw6h&_joT_=Zfdl70hxJB
|
7
www.crystalwiththecrystalz.com(151.101.193.211)
www.print12580.com(23.81.96.159)
www.mamapacho.com(34.102.136.180)
www.amarak-uniform.com()
23.81.96.159
151.101.77.211
34.102.136.180 - mailcious
|
|
|
4.0 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7820 |
2021-05-03 17:00
|
 GtHkNHOJptpVTx0.exe f88f2eddb129a1ca98655d76ed0524af
Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
11.4 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7821 |
2021-05-03 17:00
|
 kdotx.exe c7ac2a1e30b01678d51973aa253ff546
.NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself suspicious process WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
6.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7822 |
2021-05-03 17:02
|
 CGOCsebqORMb3Bo.exe cc27a3a4c648f4a7f5e5449c1dacd802
Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE OS Processor Check PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
10.8 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7823 |
2021-05-03 17:02
|
 lYS9YwR5POvhiaO.exe 6eafc7f23e078fbef788d517dd2c0114
Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
10.4 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7824 |
2021-05-03 17:04
|
 yourlocallotto.exe 7564bb42086def493a6e8f27bf923647
PE File PE32 DLL VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself Remote Code Execution DNS |
|
|
|
|
3.0 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7825 |
2021-05-03 17:04
|
 17hff.exe a5b17ac04b70cc12107229c7e3a92842
AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Malware Malicious Traffic malicious URLs ComputerName DNS |
1
http://launcher.worldofwarcraft.com/alert
|
3
launcher.worldofwarcraft.com(137.221.106.103)
31.210.21.71
137.221.106.103
|
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7826 |
2021-05-03 17:06
|
 Ll2LxWOagynlSgJ.exe 9f029c1ba7e42f78dcbe210b978961cf
Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
10.8 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7827 |
2021-05-03 17:08
|
 pepwn.exe ee0a1ec859b753abc30847157d81f37c
PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Buffer PE AutoRuns PDB Malicious Traffic buffers extracted Creates executable files ICMP traffic Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS Cryptographic key |
7
http://185.215.113.93/cc22
http://api.wipmania.com/
http://95.143.193.125/tor/status-vote/current/consensus.z
http://193.11.164.243:9030/tor/status-vote/current/consensus.z
http://185.215.113.93/cc11
http://23.129.64.201/tor/server/fp/0011bd2485ad45d984ec4159c88fc066e5e3300e+005079a42356183cea5a3add239303f44f12e7ea+00cc4ac22501360c541185ee7e4466efb7032cae+00cce6a84e6d63a1a42e105839bc8ed5d4b16669+00e1649e69ff91d7f01e74a5e62ef14f7d9915e4+019feb22ce04cbd0489b7f24be038518b64fa223+034168fa4180b8662439fc714e4bdd7c6b39f5df+041646640ab306ea74b001966e86169b04cc88d2+05051aa95fb65c64e6a99fc0963cedeb211c88ba+05499507da8b381370e0858a784c3afe13dc927f+0a3c9ebb64ee062aa170bb9bf2b84ffb02da88c9+0a4ed4c74020740a904f3a9936030b7a4c6170bb+0b19bbfdc498ccea23027b1d7bd8e20121b95e60+0b37ec8be844f5c20e5b84a885608de0c7dbea47+0c93559d6d7e95b41561424345b0b176fbe66f00+0d2d4b1d27468806bb1edfb02715eee91e1ab94e.z
http://86.59.21.38/tor/server/fp/d5f09497548a39071d14ac9e9aa926a0f8a748f2+d5f5502c1762a0b737a81a6bdb78ddbf7efc7725+d60c2d85ead93d23f1c00874d334bbf8a96cd529.z
|
14
api.wipmania.com(212.83.168.196)
95.217.42.50
212.83.168.196
213.32.71.116
23.129.64.201
195.201.103.59
95.217.229.211
45.66.156.176
95.143.193.125
162.247.74.201
141.255.162.34
193.11.164.243
185.215.113.93 - malware
86.59.21.38 - mailcious
|
20
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578
ET TOR Known Tor Exit Node Traffic group 74
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75
ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
ET POLICY External IP Lookup Attempt To Wipmania
ET TOR Known Tor Exit Node Traffic group 105
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 319
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY TLS possible TOR SSL traffic
SURICATA HTTP gzip decompression failed
ET P2P Tor Get Server Request
ET POLICY TOR Consensus Data Requested
ET TOR Known Tor Exit Node Traffic group 16
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 16
ET COMPROMISED Known Compromised or Hostile Host Traffic group 61
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 810
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303
|
|
12.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7828 |
2021-05-04 08:11
|
 ew.dot 64dd92f97bf7b9752f124ed0b75762c5
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself IP Check Tofsee Windows Exploit DNS DDNS crashed Downloader |
3
http://107.173.191.48/ewa/vbc.exe
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
5
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.113.70)
216.146.43.70 - suspicious
172.67.188.154
107.173.191.48 - malware
|
10
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO Executable Download from dotted-quad Host
ET POLICY DynDNS CheckIp External IP Address Server Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.6 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7829 |
2021-05-04 09:04
|
 aes.js 78a66859739b0c9e18bc5b4538c03bf9 |
|
|
|
|
|
|
|
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7830 |
2021-05-04 09:13
|
 explorer.exe 01c087629a99a6cb94700ae1f8f4d894
PE File PE32 VirusTotal Malware AutoRuns Check memory Creates executable files RWX flags setting AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser DNS |
|
2
62.234.113.47
106.52.15.123 - malware
|
|
|
7.2 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|