7846 | 2021-05-04 11:13 | Submitter: ZeroCERT
File: 700223.exe
MD5: 0f1616761218cc9712dcd268f4bb2d3f
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware malicious URLs Browser ComputerName crashed
URLs: -
IPs: 1 (none listed)
Signatures: -
Malicious URLs: -
Score: 2.8 | VT: M 44

7847 | 2021-05-04 11:15 | Submitter: ZeroCERT
File: p.exe
MD5: ee0a1ec859b753abc30847157d81f37c
Tags: PE File PE32 VirusTotal Malware AutoRuns PDB Disables Windows Security Firewall state off Windows Tor DNS crashed
URLs: 1 (none listed)
IPs (3):
  api.wipmania.com(212.83.168.196)
  212.83.168.196
  149.56.45.200 - malicious
Signatures (2):
  ET POLICY External IP Lookup Attempt To Wipmania
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
Malicious URLs: -
Score: 6.8 | VT: M 45

7848 | 2021-05-04 11:15 | Submitter: ZeroCERT
File: rtd0t1.exe
MD5: 080f3430fa1c166d755ade6b9f21f08f
Tags: PWS Loki AsyncRAT backdoor .NET framework AgentTesla DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://209.141.50.70/PV/300/pin.php - rule_id: 1246
IPs (2):
  209.141.50.70 - malicious
  104.21.19.200
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://209.141.50.70/PV/300/pin.php
Score: 8.4 | VT: M 39

7849 | 2021-05-04 11:18 | Submitter: ZeroCERT
File: LFI_874_103_116.exe
MD5: 090148a4d527120eaaa7d5d2f0aa5bf1
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla Gen1 AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password
URLs (9):
  http://205.185.120.57/3.jpg
  http://205.185.120.57/1.jpg
  http://205.185.120.57/2.jpg
  http://205.185.120.57/6.jpg
  http://205.185.120.57/4.jpg
  http://205.185.120.57/7.jpg
  http://205.185.120.57/main.php - rule_id: 1232
  http://205.185.120.57/5.jpg
  http://205.185.120.57/ - rule_id: 1233
IPs (1):
  205.185.120.57 - malicious
Signatures (6):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Malicious URLs (2):
  http://205.185.120.57/main.php
  http://205.185.120.57/
Score: 12.6 | VT: M 44

7850 | 2021-05-04 11:21 | Submitter: ZeroCERT
File: 46.exe
MD5: 0a6569e45a3a38f7168f4c4aa0594627
Tags: tor PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Buffer PE AutoRuns PDB Malicious Traffic buffers extracted Creates executable files Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS Cryptographic key
URLs (5):
  http://193.11.164.243:9030/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z
  http://23.129.64.201/tor/status-vote/current/consensus.z - rule_id: 1277
  http://api.wipmania.com/
  http://185.215.113.93/cc22
  http://185.215.113.93/cc11 - rule_id: 1276
IPs (11):
  api.wipmania.com(212.83.168.196)
  23.129.64.201 - malicious
  130.185.250.214
  173.75.39.61
  212.83.168.196
  46.105.121.228
  141.255.162.34
  193.11.164.243
  185.215.113.93 - malware
  131.188.40.189 - malicious
  149.56.45.200 - malicious
Signatures (19):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
  ET POLICY External IP Lookup Attempt To Wipmania
  ET TOR Known Tor Exit Node Traffic group 74
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75
  ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
  ET INFO Executable Download from dotted-quad Host
  SURICATA HTTP gzip decompression failed
  ET POLICY TOR Consensus Data Requested
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET P2P TOR 1.0 Server Key Retrieval
  ET P2P Tor Get Server Request
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY TLS possible TOR SSL traffic
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225
Malicious URLs (2):
  http://23.129.64.201/
  http://185.215.113.93/cc11
Score: 12.6 | VT: M 38

7851 | 2021-05-04 11:22 | Submitter: ZeroCERT
File: Ihxpuxr.exe
MD5: 015f45de6bf81ded8c921435c471d087
Tags: AsyncRAT backdoor AgentTesla Gen1 AntiDebug AntiVM .NET EXE PE File PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Tor Email ComputerName DNS Password
URLs (10):
  http://205.185.120.57/3.jpg
  http://205.185.120.57/1.jpg
  http://205.185.120.57/2.jpg
  http://205.185.120.57/6.jpg
  http://205.185.120.57/4.jpg
  http://205.185.120.57/7.jpg
  http://205.185.120.57/main.php - rule_id: 1232
  http://205.185.120.57/5.jpg
  http://launcher.worldofwarcraft.com/alert
  http://205.185.120.57/ - rule_id: 1233
IPs (4):
  launcher.worldofwarcraft.com(137.221.106.103)
  205.185.120.57 - malicious
  46.105.121.228
  137.221.106.103
Signatures (7):
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Malicious URLs (2):
  http://205.185.120.57/main.php
  http://205.185.120.57/
Score: 11.8 | VT: M 14

7852 | 2021-05-04 11:24 | Submitter: ZeroCERT
File: Upafbvbme.exe
MD5: 386e843ddabe44f203acc35788b5c749
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Tor Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
IPs (5):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.113.70)
  173.75.39.61
  216.146.43.71
  104.21.19.200
Signatures (5):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Malicious URLs: -
Score: 9.0 | VT: M 38

7853 | 2021-05-04 13:50 | Submitter: r0d
File: 46.exe
MD5: 0a6569e45a3a38f7168f4c4aa0594627
Tags: tor Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic Creates executable files ICMP traffic Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS
URLs (5):
  http://api.wipmania.com/
  http://185.215.113.93/pepwn.exe - rule_id: 1282
  http://185.215.113.93/cc11 - rule_id: 1276
  http://86.59.21.38/tor/status-vote/current/consensus.z - rule_id: 1278
  http://131.188.40.189:443/tor/server/fp/00dcaeae3e54c32809e7f7cc4bf2a6fc68fc552f+022a5535f42b1a9f9aa755c4eab5f36fef9781d8+023ebbc57beb7f45473b3dc2aa811fb3aaba4466+037bcd0ebdf7db9f3d562da27d463f0f78f1494b+03910f285a33f365838ec66ef2c2ef754d046760+03c3069e814e296eb18776eb61b1ecb754ed89fe+0512fe6be9cca0ed133152e64010b2fba141eb10+0516085d6cac40ed4cdcefdfc5ccf6b00de61ded+07623013c3361fe566b71c8cfcc6483d7587a827+0a2366980a2842d770ef8e136a7da14876360447+0ac4c4d8bca8da7bae6be3fea87442e724353cbf+0b19bbfdc498ccea23027b1d7bd8e20121b95e60+0b37ec8be844f5c20e5b84a885608de0c7dbea47+0c93559d6d7e95b41561424345b0b176fbe66f00+0cf8f3e6590f45d50b70f2f7da6605eca6cd408f+0d5bf9c0b7b3605a610eee2c43aeae366576cbc5.z - rule_id: 1280
IPs (12):
  api.wipmania.com(212.83.168.196)
  212.83.168.196
  95.217.42.50
  45.66.156.176
  51.195.253.209
  141.255.162.34
  83.212.103.129
  185.215.113.93 - malware
  131.188.40.189 - malicious
  86.59.21.38 - malicious
  5.196.71.24
  149.56.45.200 - malicious
Signatures (18):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
  ET POLICY External IP Lookup Attempt To Wipmania
  ET INFO Executable Download from dotted-quad Host
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181
  ET P2P TOR 1.0 Server Key Retrieval
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578
  ET POLICY PE EXE or DLL Windows file download HTTP
  SURICATA HTTP gzip decompression failed
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET P2P Tor Get Server Request
  ET POLICY TOR Consensus Data Requested
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723
  ET POLICY TLS possible TOR SSL traffic
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140
Malicious URLs (4):
  http://185.215.113.93/pepwn.exe
  http://185.215.113.93/cc11
  http://86.59.21.38/
  http://131.188.40.189:443/
Score: 12.4 | VT: M 38

7854 | 2021-05-04 14:13 | Submitter: r0d
File: p.exe
MD5: ee0a1ec859b753abc30847157d81f37c
Tags: Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic ICMP traffic Disables Windows Security Check virtual network interfaces Firewall state off Kovter Windows Tor DNS Cryptographic key
URLs (4):
  http://api.wipmania.com/
  http://94.16.114.105:8080/tor/status-vote/current/consensus.z
  http://185.215.113.93/cc11 - rule_id: 1276
  http://199.58.81.140/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z
IPs (11):
  api.wipmania.com(212.83.168.196)
  212.83.168.196
  144.217.207.3
  95.217.42.50
  213.32.71.116
  199.58.81.140
  51.15.42.19
  195.176.3.20
  185.215.113.93 - malware
  154.35.175.225 - malicious
  94.16.114.105
Signatures (11):
  ET POLICY External IP Lookup Attempt To Wipmania
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185
  SURICATA HTTP gzip decompression failed
  ET P2P Tor Get Server Request
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 332
  ET POLICY TOR Consensus Data Requested
  ET TOR Known Tor Exit Node Traffic group 52
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52
Malicious URLs (1):
  http://185.215.113.93/cc11
Score: 10.8 | VT: M 45

7855 | 2021-05-04 18:20 | Submitter: ZeroCERT
File: ss.vbs
MD5: 98f69749329ccb2ee8d69288e04f2332
Tags: Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs: -
IPs: -
Signatures: -
Malicious URLs: -
Score: 6.0 | VT: -

7856 | 2021-05-04 18:20 | Submitter: ZeroCERT
File: all.bat
MD5: d4c2856e8c22e984a62bcc8b3fcdc505
Tags: AgentTesla Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs: -
IPs (2):
  lax007.hawkhost.com(198.252.98.7) - malicious
  198.252.98.7 - malicious
Signatures (3):
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Malicious URLs: -
Score: 6.6 | VT: -

7857 | 2021-05-04 18:22 | Submitter: ZeroCERT
File: arinzex.exe
MD5: b61fa321f22d56553ab37916d973cf4e
Tags: Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
URLs: -
IPs: -
Signatures: -
Malicious URLs: -
Score: 13.4 | VT: M 18

7858 | 2021-05-04 18:23 | Submitter: ZeroCERT
File: win32.exe
MD5: 62c0acfc18a80a6132a3e8d8baacc90a
Tags: PE File PE32 DLL OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://dyjcgvdfgdzgzdzzf.cf/Bn3/fre.php
IPs (2):
  dyjcgvdfgdzgzdzzf.cf(104.21.21.140)
  104.21.21.140
Signatures (9):
  ET INFO DNS Query for Suspicious .cf Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.cf Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs: -
Score: 9.2 | VT: 16

7859 | 2021-05-04 18:24 | Submitter: ZeroCERT
File: scr.dll
MD5: 31980c9b17f61c5f808cb882e41083af
Tags: DLL PE File PE32 JPEG Format ENERGETIC BEAR VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself DNS
URLs (1):
  http://185.215.113.74//4dcYcWsw3/index.php?scr=up
IPs: 1 (none listed)
Signatures (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
Malicious URLs: -
Score: 4.0 | VT: M 39

7860 | 2021-05-04 18:27 | Submitter: ZeroCERT
File: Sample.exe
MD5: ee7c05c530262450d2c5ace98ebbf8bc
Tags: PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
URLs: -
IPs: -
Signatures: -
Malicious URLs: -
Score: 8.0 | VT: M 22