Sandbox submission listing, entries 8041 to 8055 (2021-05-14 to 2021-05-15)

The column headers did not survive extraction, so each entry below is laid out in the order the columns appeared: entry ID, submission time and submitter; sample name and MD5; the sandbox's signature/tag list; then, where the entry has them, the extracted URLs, the contacted hosts (written name (ip), with the sandbox's reputation label after a dash), the Suricata alerts and the C2 URLs; and finally the sandbox score, a single-letter column that is kept as extracted (its meaning is not stated on the page), and a count column (not labelled on the page either). Truncated sample names are left as they were extracted.

8041 | 2021-05-14 09:46 | ZeroCERT
  Sample: iphm.exe
  MD5:    87c9dc7668997cc52d2efa0597a44be0
  Tags:   Malicious Packer, PE File, PE32, VirusTotal, Malware, Buffer PE, buffers extracted, RWX flags setting, unpack itself, Remote Code Execution, crashed
  Score:  3.8 | flag: - | count: 49
8042 | 2021-05-14 09:47 | ZeroCERT
  Sample: windows.exe
  MD5:    58aff04befbd69ffcf33a9c0867c8685
  Tags:   AsyncRAT, backdoor, PWS, .NET framework, Malicious Library, SMTP, AntiDebug, AntiVM, PE File, .NET EXE, OS Processor Check, PE32, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, DNS, Cryptographic key, crashed
  Score:  8.4 | flag: - | count: 20
8043 | 2021-05-14 09:50 | ZeroCERT
  Sample: OctodadSetup.exe
  MD5:    8860fecf9a64e193bfde8808889f7e48
  Tags:   AntiDebug, AntiVM, PE File, PE32, DLL, MSOffice File, VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, suspicious process, AppData folder, AntiVM_Disk, VM Disk Size Check, Tofsee, Windows Exploit, ComputerName, DNS, crashed
  URLs (7):
    http://www.freegamer.info/join/
    http://www.freegamer.info/_Incapsula_Resource?SWKMTFSR=1&e=0.16526160572090975
    http://www.freegamer.info/favicon.ico
    http://bat.bing.com/bat.js
    http://www.freegamer.info/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=1751958704
    https://bat.bing.com/p/action/4022064
    https://s.yimg.com/wi/ytc.js
  Hosts (9):
    www.demtxr.com (64.111.117.81)
    ge.tt (no IP recorded) - malicious
    s.yimg.com (119.161.5.252)
    bat.bing.com (13.107.21.200)
    www.freegamer.info (107.154.230.90) - malware
    204.79.197.200
    64.111.117.81
    119.161.14.18 - suspicious
    107.154.230.90 - malware
  Alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    SURICATA HTTP invalid response field folding
    SURICATA HTTP response header invalid
    ET INFO TLS Handshake Failure
  Score:  9.6 | flag: M | count: 52
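The host column of these entries is a flat string of `name(ip)` and bare-IP tokens, with the sandbox's reputation label (`malware`, `suspicious`, `malicious`, `phishing`) attached to the preceding item after a lone dash. The following is an added example, not code from the sandbox or from this page, that parses that field into structured indicators and collects every labelled name and IP across entries; a name inherits the label of its resolved IP when the IP is labelled elsewhere in the same entry. The raw inputs are the host strings of entries 8043 and 8052 as extracted, including the sandbox's own spelling "mailcious", which the parser normalises.

```python
import re
from collections import defaultdict

# Host-column strings copied from entries 8043 and 8052 on this page.
# The sandbox's spelling "mailcious" is kept in the raw input on purpose.
RAW_HOST_FIELDS = {
    8043: "www.demtxr.com(64.111.117.81) ge.tt() - mailcious s.yimg.com(119.161.5.252) "
          "bat.bing.com(13.107.21.200) www.freegamer.info(107.154.230.90) - malware "
          "204.79.197.200 64.111.117.81 119.161.14.18 - suspicious 107.154.230.90 - malware",
    8052: "facextrade.com.br(187.45.240.69) nyc008.hawkhost.com(172.96.187.2) - mailcious "
          "187.45.240.69 - mailcious 172.96.187.2 - mailcious",
}

NAMED = re.compile(r"^(?P<name>[A-Za-z0-9.-]+)\((?P<ip>[0-9.]*)\)$")
BARE_IP = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
LABEL_FIX = {"mailcious": "malicious"}   # normalise the sandbox's typo


def parse_hosts(field):
    """Turn 'name(ip) [- label] ip [- label] ...' into a list of dicts.

    A label token follows a lone '-' and applies to the item just before it.
    An empty '()' means the sandbox recorded no IP for that name.
    """
    items = []
    tokens = field.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and items and i + 1 < len(tokens):
            label = tokens[i + 1]
            items[-1]["label"] = LABEL_FIX.get(label, label)
            i += 2
            continue
        m = NAMED.match(tok)
        if m:
            items.append({"name": m.group("name"), "ip": m.group("ip") or None, "label": None})
        elif BARE_IP.match(tok):
            items.append({"name": None, "ip": tok, "label": None})
        else:
            raise ValueError(f"unrecognised host token: {tok!r}")
        i += 1
    return items


def flagged_iocs(fields):
    """Map each reputation label to the set of names and IPs carrying it.

    A name with no label of its own is flagged when the IP it resolved to
    is labelled elsewhere in the same entry (e.g. facextrade.com.br in 8052).
    """
    out = defaultdict(set)
    for field in fields.values():
        items = parse_hosts(field)
        ip_labels = {it["ip"]: it["label"] for it in items if it["ip"] and it["label"]}
        for it in items:
            label = it["label"] or ip_labels.get(it["ip"])
            if not label:
                continue
            for indicator in (it["name"], it["ip"]):
                if indicator:
                    out[label].add(indicator)
    return dict(out)


if __name__ == "__main__":
    for label, indicators in sorted(flagged_iocs(RAW_HOST_FIELDS).items()):
        print(f"{label}: {', '.join(sorted(indicators))}")
```

Unlabelled CDN and analytics hosts (s.yimg.com, bat.bing.com, www.demtxr.com) drop out, which is the point: the sandbox's label, not mere presence in the traffic, is what makes a host an indicator worth blocking.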
8044 | 2021-05-14 09:50 | ZeroCERT
  Sample: ProDriverUpdate.exe
  MD5:    4ffff1939b4c9b85140de256a42dc44b
  Tags:   Emotet, Gen1, Anti_VM, Antivirus, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, PNG Format, DLL, GIF Format, PE64, MSOffice File, JPEG Format, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, Detects VirtualBox, suspicious process, AppData folder, AntiVM_Disk, sandbox evasion, WriteConsoleW, anti-virtualization, VM Disk Size Check, installed browsers check, Tofsee, Interception, Windows Exploit, Browser, ComputerName, DNS, crashed
  URLs (8):
    http://service.smartpcupdate.com/rpc/getdatabasecxw?arch=64&os=7
    http://prodriverupdate.com/afterinstall
    http://prodriverupdate.com/welcome1
    http://d2.smartpcupdate.com/dbs/current_7_64_cxw.7z?partner=ProDriverUpdate&version=4.0&nocache=34177250
    http://service.smartpcupdate.com/rpc/sendinstall?partner=ProDriverUpdate&build=4.0
    https://prodriverupdate.com/afterinstall
    https://prodriverupdate.com/welcome1
    https://www.google.com/
  Hosts (9):
    service.smartpcupdate.com (94.130.13.99)
    prodriverupdate.com (52.21.251.178)
    my-safe-registration.com (34.98.99.30)
    d2.smartpcupdate.com (94.130.13.99)
    www.google.com (172.217.161.68)
    94.130.13.99
    142.250.66.68
    34.98.99.30 - phishing
    52.21.251.178
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score:  13.6 | flag: M | count: 31
8045 | 2021-05-14 09:50 | ZeroCERT
  Sample: dualize.exe
  MD5:    a82c3f7955c265092be10babfe8d3e39
  Tags:   Generic Malware, PE File, PE32, VirusTotal, Malware, Check memory, RWX flags setting, unpack itself
  Score:  2.0 | flag: M | count: 30
8046 | 2021-05-14 09:51 | ZeroCERT
  Sample: SupremeSpySetup.exe
  MD5:    d5caa26ca65ca5e2c8921030993afcd2
  Tags:   Emotet, Gen1, PE File, PE32, PE64, DLL, OS Processor Check, VirusTotal, Malware, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, DNS
  Score:  3.6 | flag: M | count: 29
8047 | 2021-05-14 09:54 | ZeroCERT
  Sample: MyScrapNook.ae7511959fd54ddea2...
  MD5:    83f74ee6b711883bda7d2ce03795afef
  Tags:   Gen2, PE File, PE32, DLL, OS Processor Check, VirusTotal, Malware, Check memory, Creates executable files, unpack itself, AppData folder, sandbox evasion, Tofsee, DNS
  URLs (3):
    http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=Error&errorCode=-16&errorType=nsisError&errorDetails=ae7511959fd54ddea28e0558b6cda8e4&platform=vicinio&anxv=2.7.1.1000&anxd=2017-04-03&coid=ae7511959fd54ddea28e0558b6cda8e4&refPartner=^9N^mni000^S20990&refSub=&anxl=en-US&anxr=2022722323&refCobrand=9N&refCampaign=mni000&refTrack=S20990&refCountry=
    http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=Error&errorCode=-11&errorType=nsisError&errorDetails=File+Not+Found+%28404%29&platform=vicinio&anxv=2.7.1.1000&anxd=2017-04-03&coid=ae7511959fd54ddea28e0558b6cda8e4&refPartner=^9N^mni000^S20990&refSub=&anxl=en-US&anxr=2075128396&refCobrand=9N&refCampaign=mni000&refTrack=S20990&refCountry=
    https://dp.tb.ask.com/installerParams.jhtml?coId=ae7511959fd54ddea28e0558b6cda8e4
  Hosts (4):
    dp.tb.ask.com (34.107.128.118)
    anx.mindspark.com (34.102.222.207)
    34.107.128.118
    34.102.222.207
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score:  4.8 | flag: M | count: 36
8048 | 2021-05-14 09:58 | ZeroCERT
  Sample: origin.exe
  MD5:    92bd99870c4e2829f3e6d1b3b512067d
  Tags:   AsyncRAT, backdoor, PWS, .NET framework, Malicious Library, SMTP, AntiDebug, AntiVM, .NET EXE, OS Processor Check, PE File, PE32, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, Windows, Cryptographic key
  Score:  9.4 | flag: - | count: 4
8049 | 2021-05-14 10:00 | ZeroCERT
  Sample: taskhost.exe
  MD5:    3e2c09542e0f1d51896694ed1f43db8d
  Tags:   HTTP, Http API, Internet API, ScreenShot, persistence, AntiDebug, AntiVM, PE File, PE32, VirusTotal, Malware, Buffer PE, Code Injection, buffers extracted, RWX flags setting, unpack itself, DNS, crashed
  Score:  9.0 | flag: - | count: 47
8050 | 2021-05-14 15:45 | guest
  Sample: http://www.moninediy.com/data/...
  MD5:    b66d8fe119418a8a69d1276b36eb2fc0
  Tags:   AgentTesla, VBA_macro, DGA, DNS, Socket, Create Service, Sniff Audio, HTTP, Escalate privileges, KeyLogger, FTP, Hijack Network, Code injection, Http API, Internet API, Steal credential, ScreenShot, Downloader, P2P, persistence, AntiDebug, AntiVM, MSOffice File, VirusTotal, Malware, Code Injection, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows Exploit, DNS, crashed
  Hosts (2):
    www.moninediy.com (192.74.225.113) - malicious
    192.74.225.113 - malicious
  Alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
  Score:  4.6 | flag: M | count: 44
8051 | 2021-05-14 17:42 | guest
  Sample: 768f3c029cc79ae2_7q2tjgey0ti3e...
  MD5:    b66d8fe119418a8a69d1276b36eb2fc0 (same MD5 as entry 8050, i.e. the same document resubmitted under a different name)
  Tags:   VBA_macro, MSOffice File, Vulnerability, VirusTotal, Malware, unpack itself, DNS
  Score:  3.6 | flag: M | count: 44
8052 | 2021-05-14 18:11 | ZeroCERT
  Sample: 1.doc
  MD5:    af7ee4f20a624c4d7b5cfc7adde79332
  Tags:   VirusTotal, Malware, powershell, Malicious Traffic, Tofsee
  URLs (3):
    http://facextrade.com.br/0A.txt
    http://facextrade.com.br/z.mp3
    http://facextrade.com.br/0C.txt
  Hosts (4):
    facextrade.com.br (187.45.240.69)
    nyc008.hawkhost.com (172.96.187.2) - malicious
    187.45.240.69 - malicious
    172.96.187.2 - malicious
  Alerts (4):
    ET INFO PowerShell DownloadFile Command Common In Powershell Stagers
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score:  2.2 | flag: - | count: 16
8053 | 2021-05-14 18:14 | ZeroCERT
  Sample: z.mp3.html (the name matches the z.mp3 payload URL fetched in entry 8052)
  MD5:    3d3ea24f9acb0312134706a5bd8ffd72
  Tags:   AntiDebug, AntiVM, MSOffice File, Code Injection, exploit crash, unpack itself, Windows utilities, Tofsee, Windows Exploit, DNS, crashed
  Alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
  Score:  3.4 | flag: - | count: (none)
8054 | 2021-05-15 10:47 | guest
  Sample: Mainsetupv1.0.exe
  MD5:    689b7bfb1424aa69046653e635ecb9ac
  Tags:   AgentTesla, Malicious Library, DGA, DNS, Socket, Create Service, Sniff Audio, HTTP, Escalate privileges, KeyLogger, FTP, Hijack Network, Code injection, Http API, Internet API, Steal credential, ScreenShot, Downloader, P2P, persistence, AntiDebug, AntiVM, PE File, PE32, OS Proc (truncated as extracted), VirusTotal, Malware, Code Injection, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, suspicious process, malicious URLs, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, Windows
  URL column (1):
    iBFBxuLonchVeJiTrbJe.iBFBxuLonchVeJiTrbJe()
  Score:  6.4 | flag: - | count: 15
8055 | 2021-05-15 16:31 | ZeroCERT
  Sample: pazam.exe
  MD5:    0183f08264facac51ae01795147d8cc7
  Tags:   PWS, Loki[b], Loki[m], AsyncRAT, backdoor, .NET framework, DNS, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed
  URLs (1):
    http://173.208.204.37/k.php/LY0xuvgkjMA3b (rule_id: 1372)
  Hosts (1):
    173.208.204.37 - malicious
  Alerts (4):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  C2 (1):
    http://173.208.204.37/k.php
  Score:  14.4 | flag: M | count: 49
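Entry 8055 is the one record on this page with a confirmed C2 URL and a full LokiBot alert chain: a check-in, a request for commands and a credential exfiltration, all to http://173.208.204.37/k.php, with the Emerging Threats rule keying on the "Charon/Inferno" User-Agent. The following added example, not code from the sandbox or from this page, applies the same three observations to proxy log lines: a User-Agent carrying both "Charon" and "Inferno", a request to the known C2 URL (including sub-paths of it, as the page's /k.php/LY0xuvgkjMA3b URL shows), and the weaker heuristic of a POST to a .php path on a bare IP. The log lines and their format are constructed for the example; the User-Agent string in them is an assumption consistent with the alert name on the page.

```python
import re
from urllib.parse import urlsplit

# C2 URL exactly as given in the C2 column of entry 8055.
KNOWN_C2 = {"http://173.208.204.37/k.php"}

# Constructed proxy log (not from the sandbox): ts src dst method url "user-agent".
# The Charon/Inferno User-Agent is an assumption matching the ET alert name.
SAMPLE_LOG = """\
2021-05-15T16:31:02Z 10.0.0.21 173.208.204.37 POST http://173.208.204.37/k.php "Mozilla/4.08 (Charon; Inferno)"
2021-05-15T16:31:05Z 10.0.0.21 173.208.204.37 POST http://173.208.204.37/k.php/LY0xuvgkjMA3b "Mozilla/4.08 (Charon; Inferno)"
2021-05-15T16:32:10Z 10.0.0.33 142.250.66.68 GET https://www.google.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/88.0"
2021-05-15T16:33:41Z 10.0.0.40 203.0.113.7 POST http://203.0.113.7/gate.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0"
"""

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
BARE_IP = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def c2_key(url):
    """Normalise a URL to (scheme, host, path) so trailing slashes do not matter."""
    u = urlsplit(url)
    return (u.scheme, u.netloc, u.path.rstrip("/"))


def matches_known_c2(url):
    """True if url is a known C2 URL or a sub-path of one (e.g. /k.php/<id>)."""
    scheme, host, path = c2_key(url)
    for c2 in KNOWN_C2:
        c2_scheme, c2_host, c2_path = c2_key(c2)
        if (scheme, host) == (c2_scheme, c2_host) and (
            path == c2_path or path.startswith(c2_path + "/")
        ):
            return True
    return False


def assess(line):
    """Return a verdict dict for one log line, or None if the line does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    reasons = []
    ua = rec["ua"].lower()
    if "charon" in ua and "inferno" in ua:
        reasons.append("lokibot user-agent")
    if matches_known_c2(rec["url"]):
        reasons.append("known C2 URL")
    _, host, path = c2_key(rec["url"])
    if rec["method"] == "POST" and BARE_IP.match(host) and path.endswith(".php"):
        reasons.append("POST to .php on bare IP")
    # The UA and the C2 list are specific; the bare-IP heuristic alone is only a lead.
    confidence = "high" if reasons and reasons[0] != "POST to .php on bare IP" else "low"
    return {"src": rec["src"], "url": rec["url"], "reasons": reasons, "confidence": confidence}


def scan(log_text):
    """Return the assessed lines that triggered at least one reason, in log order."""
    hits = []
    for line in log_text.splitlines():
        verdict = assess(line)
        if verdict and verdict["reasons"]:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["confidence"]:4} {hit["src"]} {hit["url"]} <- {", ".join(hit["reasons"])}')
```

The sub-path rule matters because the page's URL column shows the beacon carrying a per-victim token after /k.php; an exact-match blocklist on the C2 column alone would miss it. The bare-IP heuristic is kept separate and marked low confidence so it can be reviewed rather than blocked outright.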