8011 |
2021-05-12 17:55 |
c4da0137cbb99626fd44da707ae1bca8 PE File PE32 VirusTotal Malware MachineGuid |
2.4 |
43 |
r0d

8012 |
2021-05-12 17:55 |
r1oo.exe 85725f2ce8ff2e36e9a3849e512e8db5 BitCoin Antivirus AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.215.113.54:62132// - rule_id: 1354 https://api.ip.sb/geoip |
3
api.ip.sb(172.67.75.172) 185.215.113.54 - malware 104.26.12.31 |
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 24 SURICATA HTTP unable to match response to request |
1
http://185.215.113.54:62132/ |
16.8 |
M |
16 |
ZeroCERT

8013 |
2021-05-12 17:57 |
c4da0137cbb99626fd44da707ae1bca8 PE File PE32 VirusTotal Malware MachineGuid DNS |
3.0 |
43 |
ZeroCERT

8014 |
2021-05-12 17:58 |
generated order 257404.xlsm 77838fe56970ec040ea084f6c5b3def6 VBA_macro VirusTotal Malware unpack itself Tofsee |
8
20
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure |
4.2 |
M |
31 |
ZeroCERT

8015 |
2021-05-12 18:15 |
c4da0137cbb99626fd44da707ae1bca8 PE File PE32 VirusTotal Malware MachineGuid DNS |
3.0 |
43 |
ZeroCERT

8016 |
2021-05-12 18:21 |
id1.dotm 71e480edcb51a02b8460ccc9b2dfa272 VBA_macro Vulnerability Malware ICMP traffic unpack itself |
3
http://kr2959.atwebpages.com/report.php?key=ABA99C9B-8F3C59F5-84EA9C78-A49209D4&rnd=41 http://kr2959.atwebpages.com/view.php?id=21504 http://kr2959.atwebpages.com/view.php?id=2 |
2
kr2959.atwebpages.com(185.176.43.98) 185.176.43.98 - mailcious |
4.6 |
ZeroCERT

8017 |
2021-05-12 18:21 |
id2.dotm 7f8a4e0dca2e18121af505d9198d81d1 DNS |
1.4 |
ZeroCERT

8018 |
2021-05-12 18:24 |
21504.dotm 523b3401b0fb0e8aec9be70f57686840 |
0.8 |
ZeroCERT

8019 |
2021-05-13 08:21 |
knnnn.exe 62e8b40ed70c64fbd25a070a0c8b78f7 PWS Loki[b] Loki[m] AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://173.208.204.37/k.php/dbePePYEJ6qJn |
1
173.208.204.37 - mailcious |
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 |
13.2 |
M |
19 |
ZeroCERT

8020 |
2021-05-13 08:23 |
XNAFrameworkClassLibrary.pdf eac4870e667458a95da0b52ed6457331 AsyncRAT backdoor DLL PE File .NET DLL PE32 VirusTotal Malware PDB |
1.2 |
23 |
ZeroCERT

8021 |
2021-05-13 08:23 |
kn.exe 167f0a829df709cc4107369ed23fbdfb Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:554636579&cup2hreq=f1e8358d230c769ebdd30f8b65f8e5e943940b09e34e48f61ef8e622dae553a6 |
5
edgedl.me.gvt1.com(34.104.35.123) wespeaktruthtoman.sytes.net(79.134.225.47) - mailcious 79.134.225.47 - mailcious 34.104.35.123 142.250.204.99 |
4
ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
16.6 |
31 |
ZeroCERT

8022 |
2021-05-13 08:23 |
Asyn_gracet.exe a111a4a9058473075bea557a2ff2dfd6 AsyncRAT backdoor PWS .NET framework Malicious Library .NET EXE OS Processor Check PE File PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware Kovter DNS DDNS |
2
sipex2021.ddns.net(79.134.225.7) - mailcious 79.134.225.7 - mailcious |
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) ET POLICY DNS Query to DynDNS Domain *.ddns .net |
1.6 |
46 |
ZeroCERT

8023 |
2021-05-13 08:26 |
update201703280212.exe 3ccd1b5d4ea318d18cde4f03a6624679 PE File PE32 UPX VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows Remote Code Execution DNS |
3
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2 https://update.googleapis.com/service/update2 |
4
edgedl.me.gvt1.com(34.104.35.123) 142.250.207.67 34.104.35.123 142.250.66.35 |
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
4.4 |
M |
27 |
ZeroCERT

8024 |
2021-05-13 09:44 |
update201703280212.exe 3ccd1b5d4ea318d18cde4f03a6624679 UPX PE File PE32 VirusTotal Malware Check memory unpack itself Remote Code Execution |
2.8 |
M |
27 |
r0d

8025 |
2021-05-13 09:46 |
update201703280212.exe 3ccd1b5d4ea318d18cde4f03a6624679 UPX PE File PE32 VirusTotal Malware Check memory unpack itself Remote Code Execution |
2.8 |
M |
27 |
r0d