| 8086 |
2021-05-18 09:08
|
proof of payment.exe 7238cb41274f63e1d5463d9259facb19
AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed |
|
|
|
|
10.8 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8087 |
2021-05-18 09:09
|
 file2.exe dba20ac697952657e4daee957e10a805
Raccoon Stealer Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
2.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8088 |
2021-05-18 09:11
|
 file1.exe 7aadd46ba3b6e23aca20677ac281c03b
Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
2.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8089 |
2021-05-18 09:13
|
 setup.exe b749832e5d6ebfc73a61cde48a1b890b
Process Kill PE File OS Processor Check PE32 Device_File_Check Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory buffers extracted ICMP traffic Windows utilities suspicious process AppData folder anti-virtualization Windows Browser |
2
http://www.wws23dfwe.com/index.php/api/fb
http://www.wws23dfwe.com/index.php/api/a
|
2
www.wws23dfwe.com(45.76.53.14)
45.76.53.14 - mailcious
|
|
|
7.2 |
|
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8090 |
2021-05-18 09:14
|
 lhtr7x1pv.zip 283398a30cd7505b780c113d1838fc40
DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS crashed |
|
|
|
|
1.8 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8091 |
2021-05-18 09:18
|
 a7xsbjsf.zip afd9013de89b0b5ae549599c9afba03d
DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.4 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8092 |
2021-05-18 09:18
|
 jooyu.exe aed57d50123897b0012c35ef5dec4184
Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution |
5
http://uyg5wye.2ihsfa.com/api/fbtime
http://ip-api.com/json/
http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928
https://iplogger.org/18hh57
https://www.facebook.com/
|
8
uyg5wye.2ihsfa.com(88.218.92.148)
www.facebook.com(157.240.215.35)
ip-api.com(208.95.112.1)
iplogger.org(88.99.66.31) - mailcious
157.240.215.35
208.95.112.1
88.218.92.148 - malware
88.99.66.31 - mailcious
|
2
ET POLICY External IP Lookup ip-api.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8093 |
2021-05-18 09:19
|
 file4.exe 3795c43b2e06e15edb01a8a237243b08
AgentTesla PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework BitCoin browser info stealer Google Chrome User Data DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal cr VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows ComputerName DNS crashed |
16
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAUwi3asLhWylyD7Q5X2Xzg%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836
http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0YTM4MzN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ - rule_id: 836
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN - rule_id: 836
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA%2BoSQYV1wCgviF2%2FcXsbb0%3D
https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe
https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe
|
9
ocsp.digicert.com(117.18.237.29)
api.faceit.com(104.17.63.50)
ipinfo.io(34.117.59.81)
cdn.discordapp.com(162.159.129.233) - malware
117.18.237.29
162.159.129.233 - malware
82.146.59.236 - mailcious
104.17.62.50
34.117.59.81
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
3
http://82.146.59.236/processorDefault.php
http://82.146.59.236/processorDefault.php
http://82.146.59.236/processorDefault.php
|
12.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8094 |
2021-05-18 09:23
|
 toolspab2.exe eb3585c3f3e6b3b7ac66c9a41724534b
Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution DNS crashed |
|
1
|
|
|
2.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8095 |
2021-05-18 09:24
|
 app.exe 49dd88ce21471d18eb1048358a37ab98
Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
3.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8096 |
2021-05-18 09:27
|
 customer2.exe 6d7603e4fd4d633cae7eaee0f1029a17
Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution |
4
http://uyg5wye.2ihsfa.com/api/fbtime
http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc
http://ip-api.com/json/
https://www.facebook.com/
|
6
uyg5wye.2ihsfa.com(88.218.92.148)
www.facebook.com(157.240.215.35)
ip-api.com(208.95.112.1)
157.240.215.35
208.95.112.1
88.218.92.148 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
|
|
6.4 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8097 |
2021-05-18 09:28
|
 Setup2.exe 46fcb8a8f7db4f6e098f1213b1955498
Gen2 Emotet Glupteba VMProtect PE File PE32 DLL GIF Format OS Processor Check Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS crashed |
7
http://ol.gamegame.info/report7.4.php
http://iw.gamegame.info/report7.4.php
http://ip-api.com/json/
http://uyg5wye.2ihsfa.com/api/?sid=293289&key=0b72a8497029bcfa3fd924f33ac1d264
http://uyg5wye.2ihsfa.com/api/fbtime
http://ip-api.com/json/?fields=8198
https://www.facebook.com/
|
13
www.facebook.com(157.240.215.35)
email.yg9.me(198.13.62.186)
uyg5wye.2ihsfa.com(88.218.92.148)
ol.gamegame.info(104.21.21.221)
ip-api.com(208.95.112.1)
iw.gamegame.info(172.67.200.215)
117.18.237.29
208.95.112.1
172.67.200.215
104.21.21.221
88.218.92.148 - malware
157.240.215.35
198.13.62.186
|
3
ET POLICY External IP Lookup ip-api.com
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8098 |
2021-05-18 09:38
|
 Optimize.facebook.ads.exe a5292f2ae50ae5ca63dd1ae659548c28
PE File OS Processor Check PE32 VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
2.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8099 |
2021-05-18 09:38
|
 Trinity-Miner_1.exe 3db9825a26cbb1f4bffd62194c5c52cc
AsyncRAT backdoor .NET EXE PE File OS Processor Check PE32 PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Auto service Check virtual network interfaces Windows ComputerName Firmware DNS |
|
2
pool.supportxmr.com(94.23.23.52) - mailcious
37.187.95.110
|
|
|
6.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8100 |
2021-05-18 09:55
|
 diagram-553418662.xls 62c064e08d3aef1d97e64068583345d1
MSOffice File Check memory unpack itself Tofsee crashed |
2
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
2
hermescomm.net(162.241.27.24) - mailcious
162.241.27.24 - suspicious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|