| 8041 |
2021-05-14 09:46
|
 iphm.exe 87c9dc7668997cc52d2efa0597a44be0
Malicious Packer PE File PE32 VirusTotal Malware Buffer PE buffers extracted RWX flags setting unpack itself Remote Code Execution crashed |
|
|
|
|
3.8 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8042 |
2021-05-14 09:47
|
 windows.exe 58aff04befbd69ffcf33a9c0867c8685
AsyncRAT backdoor PWS .NET framework Malicious Library SMTP AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed |
|
|
|
|
8.4 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8043 |
2021-05-14 09:50
|
 OctodadSetup.exe 8860fecf9a64e193bfde8808889f7e48
AntiDebug AntiVM PE File PE32 DLL MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows Exploit ComputerName DNS crashed |
7
http://www.freegamer.info/join/
http://www.freegamer.info/_Incapsula_Resource?SWKMTFSR=1&e=0.16526160572090975
http://www.freegamer.info/favicon.ico
http://bat.bing.com/bat.js
http://www.freegamer.info/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=1751958704
https://bat.bing.com/p/action/4022064
https://s.yimg.com/wi/ytc.js
|
9
www.demtxr.com(64.111.117.81)
ge.tt() - mailcious
s.yimg.com(119.161.5.252)
bat.bing.com(13.107.21.200)
www.freegamer.info(107.154.230.90) - malware
204.79.197.200
64.111.117.81
119.161.14.18 - suspicious
107.154.230.90 - malware
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP invalid response field folding
SURICATA HTTP response header invalid
ET INFO TLS Handshake Failure
|
|
9.6 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8044 |
2021-05-14 09:50
|
 ProDriverUpdate.exe 4ffff1939b4c9b85140de256a42dc44b
Emotet Gen1 Anti_VM Antivirus AntiDebug AntiVM PE File PE32 OS Processor Check PNG Format DLL GIF Format PE64 MSOffice File JPEG Format VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Detects VirtualBox suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Interception Windows Exploit Browser ComputerName DNS crashed |
8
http://service.smartpcupdate.com/rpc/getdatabasecxw?arch=64&os=7
http://prodriverupdate.com/afterinstall
http://prodriverupdate.com/welcome1
http://d2.smartpcupdate.com/dbs/current_7_64_cxw.7z?partner=ProDriverUpdate&version=4.0&nocache=34177250
http://service.smartpcupdate.com/rpc/sendinstall?partner=ProDriverUpdate&build=4.0
https://prodriverupdate.com/afterinstall
https://prodriverupdate.com/welcome1
https://www.google.com/
|
9
service.smartpcupdate.com(94.130.13.99)
prodriverupdate.com(52.21.251.178)
my-safe-registration.com(34.98.99.30)
d2.smartpcupdate.com(94.130.13.99)
www.google.com(172.217.161.68)
94.130.13.99
142.250.66.68
34.98.99.30 - phishing
52.21.251.178
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8045 |
2021-05-14 09:50
|
 dualize.exe a82c3f7955c265092be10babfe8d3e39
Generic Malware PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself |
|
|
|
|
2.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8046 |
2021-05-14 09:51
|
 SupremeSpySetup.exe d5caa26ca65ca5e2c8921030993afcd2
Emotet Gen1 PE File PE32 PE64 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder DNS |
|
|
|
|
3.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8047 |
2021-05-14 09:54
|
 MyScrapNook.ae7511959fd54ddea2... 83f74ee6b711883bda7d2ce03795afef
Gen2 PE File PE32 DLL OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder sandbox evasion Tofsee DNS |
3
http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=Error&errorCode=-16&errorType=nsisError&errorDetails=ae7511959fd54ddea28e0558b6cda8e4&platform=vicinio&anxv=2.7.1.1000&anxd=2017-04-03&coid=ae7511959fd54ddea28e0558b6cda8e4&refPartner=^9N^mni000^S20990&refSub=&anxl=en-US&anxr=2022722323&refCobrand=9N&refCampaign=mni000&refTrack=S20990&refCountry=
http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=Error&errorCode=-11&errorType=nsisError&errorDetails=File+Not+Found+%28404%29&platform=vicinio&anxv=2.7.1.1000&anxd=2017-04-03&coid=ae7511959fd54ddea28e0558b6cda8e4&refPartner=^9N^mni000^S20990&refSub=&anxl=en-US&anxr=2075128396&refCobrand=9N&refCampaign=mni000&refTrack=S20990&refCountry=
https://dp.tb.ask.com/installerParams.jhtml?coId=ae7511959fd54ddea28e0558b6cda8e4
|
4
dp.tb.ask.com(34.107.128.118)
anx.mindspark.com(34.102.222.207)
34.107.128.118
34.102.222.207
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8048 |
2021-05-14 09:58
|
 origin.exe 92bd99870c4e2829f3e6d1b3b512067d
AsyncRAT backdoor PWS .NET framework Malicious Library SMTP AntiDebug AntiVM .NET EXE OS Processor Check PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows Cryptographic key |
|
|
|
|
9.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8049 |
2021-05-14 10:00
|
 taskhost.exe 3e2c09542e0f1d51896694ed1f43db8d
HTTP Http API Internet API ScreenShot persistence AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted RWX flags setting unpack itself DNS crashed |
|
|
|
|
9.0 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8050 |
2021-05-14 15:45
|
http://www.moninediy.com/data/... b66d8fe119418a8a69d1276b36eb2fc0
AgentTesla VBA_macro DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
www.moninediy.com(192.74.225.113) - mailcious
192.74.225.113 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
M |
44 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8051 |
2021-05-14 17:42
|
 768f3c029cc79ae2_7q2tjgey0ti3e... b66d8fe119418a8a69d1276b36eb2fc0
VBA_macro MSOffice File Vulnerability VirusTotal Malware unpack itself DNS |
|
|
|
|
3.6 |
M |
44 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8052 |
2021-05-14 18:11
|
 1.doc af7ee4f20a624c4d7b5cfc7adde79332VirusTotal Malware powershell Malicious Traffic Tofsee |
3
http://facextrade.com.br/0A.txt
http://facextrade.com.br/z.mp3
http://facextrade.com.br/0C.txt
|
4
facextrade.com.br(187.45.240.69)
nyc008.hawkhost.com(172.96.187.2) - mailcious
187.45.240.69 - mailcious
172.96.187.2 - mailcious
|
4
ET INFO PowerShell DownloadFile Command Common In Powershell Stagers
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.2 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8053 |
2021-05-14 18:14
|
 z.mp3.html 3d3ea24f9acb0312134706a5bd8ffd72
AntiDebug AntiVM MSOffice File Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8054 |
2021-05-15 10:47
|
 Mainsetupv1.0.exe 689b7bfb1424aa69046653e635ecb9ac
AgentTesla Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Proc VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check Windows |
|
1
iBFBxuLonchVeJiTrbJe.iBFBxuLonchVeJiTrbJe()
|
|
|
6.4 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8055 |
2021-05-15 16:31
|
 pazam.exe 0183f08264facac51ae01795147d8cc7
PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://173.208.204.37/k.php/LY0xuvgkjMA3b - rule_id: 1372
|
1
173.208.204.37 - mailcious
|
4
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
|
1
http://173.208.204.37/k.php
|
14.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|