Sandbox submissions of 2021-05-18, records 8086 to 8100. The listing's own column headers did not survive extraction; the names used below are inferred from the row contents. "Score" is the sandbox severity score, "VT" the VirusTotal detection count (present only on rows whose tags include "VirusTotal Malware"), and "M" an unlabelled flag that some rows carry. The counts given before each URL, host, alert and rule-match list are the listing's own.

ID | Submitted | File | MD5 | Score | M | VT | Submitter

8086 | 2021-05-18 09:08 | proof of payment.exe | 7238cb41274f63e1d5463d9259facb19 | 10.8 | - | 34 | ZeroCERT
  Tags: AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed
8087 | 2021-05-18 09:09 | file2.exe | dba20ac697952657e4daee957e10a805 | 2.0 | M | - | ZeroCERT
  Tags: Raccoon Stealer Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution crashed
8088 | 2021-05-18 09:11 | file1.exe | 7aadd46ba3b6e23aca20677ac281c03b | 2.2 | M | - | ZeroCERT
  Tags: Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution crashed
8089 | 2021-05-18 09:13 | setup.exe | b749832e5d6ebfc73a61cde48a1b890b | 7.2 | - | 59 | ZeroCERT
  Tags: Process Kill PE File OS Processor Check PE32 Device_File_Check Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory buffers extracted ICMP traffic Windows utilities suspicious process AppData folder anti-virtualization Windows Browser
  URLs (2):
    http://www.wws23dfwe.com/index.php/api/fb
    http://www.wws23dfwe.com/index.php/api/a
  Hosts (2):
    www.wws23dfwe.com (45.76.53.14)
    45.76.53.14 [malicious]
8090 | 2021-05-18 09:14 | lhtr7x1pv.zip | 283398a30cd7505b780c113d1838fc40 | 1.8 | - | 8 | ZeroCERT
  Tags: DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS crashed
8091 | 2021-05-18 09:18 | a7xsbjsf.zip | afd9013de89b0b5ae549599c9afba03d | 1.4 | - | 10 | ZeroCERT
  Tags: DLL PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself crashed
8092 | 2021-05-18 09:18 | jooyu.exe | aed57d50123897b0012c35ef5dec4184 | 6.4 | - | 56 | ZeroCERT
  Tags: Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution
  URLs (5):
    http://uyg5wye.2ihsfa.com/api/fbtime
    http://ip-api.com/json/
    http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928
    https://iplogger.org/18hh57
    https://www.facebook.com/
  Hosts (8):
    uyg5wye.2ihsfa.com (88.218.92.148)
    www.facebook.com (157.240.215.35)
    ip-api.com (208.95.112.1)
    iplogger.org (88.99.66.31) [malicious]
    157.240.215.35
    208.95.112.1
    88.218.92.148 [malware]
    88.99.66.31 [malicious]
  Suricata alerts (2):
    ET POLICY External IP Lookup ip-api.com
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8093 | 2021-05-18 09:19 | file4.exe | 3795c43b2e06e15edb01a8a237243b08 | 12.6 | M | 24 | ZeroCERT
  Tags: AgentTesla PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework BitCoin browser info stealer Google Chrome User Data DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Code injection Http API Internet API Steal credential VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows ComputerName DNS crashed
  URLs (16):
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D
    http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAUwi3asLhWylyD7Q5X2Xzg%3D
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
    http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN [rule_id 836]
    http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0YTM4MzN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ [rule_id 836]
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
    http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
    http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN [rule_id 836]
    http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA%2BoSQYV1wCgviF2%2FcXsbb0%3D
    https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe
    https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe
  Hosts (9):
    ocsp.digicert.com (117.18.237.29)
    api.faceit.com (104.17.63.50)
    ipinfo.io (34.117.59.81)
    cdn.discordapp.com (162.159.129.233) [malware]
    117.18.237.29
    162.159.129.233 [malware]
    82.146.59.236 [malicious]
    104.17.62.50
    34.117.59.81
  Suricata alerts (3):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
    ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
  Rule-matched URLs (3):
    http://82.146.59.236/processorDefault.php (listed three times)
8094 | 2021-05-18 09:23 | toolspab2.exe | eb3585c3f3e6b3b7ac66c9a41724534b | 2.4 | - | - | ZeroCERT
  Tags: Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution DNS crashed
  URLs (1): not shown in the listing
8095 | 2021-05-18 09:24 | app.exe | 49dd88ce21471d18eb1048358a37ab98 | 3.0 | - | 24 | ZeroCERT
  Tags: Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed
8096 | 2021-05-18 09:27 | customer2.exe | 6d7603e4fd4d633cae7eaee0f1029a17 | 6.4 | M | 59 | ZeroCERT
  Tags: Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution
  URLs (4):
    http://uyg5wye.2ihsfa.com/api/fbtime
    http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc
    http://ip-api.com/json/
    https://www.facebook.com/
  Hosts (6):
    uyg5wye.2ihsfa.com (88.218.92.148)
    www.facebook.com (157.240.215.35)
    ip-api.com (208.95.112.1)
    157.240.215.35
    208.95.112.1
    88.218.92.148 [malware]
  Suricata alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY External IP Lookup ip-api.com
8097 | 2021-05-18 09:28 | Setup2.exe | 46fcb8a8f7db4f6e098f1213b1955498 | 12.6 | - | 47 | ZeroCERT
  Tags: Gen2 Emotet Glupteba VMProtect PE File PE32 DLL GIF Format OS Processor Check Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS crashed
  URLs (7):
    http://ol.gamegame.info/report7.4.php
    http://iw.gamegame.info/report7.4.php
    http://ip-api.com/json/
    http://uyg5wye.2ihsfa.com/api/?sid=293289&key=0b72a8497029bcfa3fd924f33ac1d264
    http://uyg5wye.2ihsfa.com/api/fbtime
    http://ip-api.com/json/?fields=8198
    https://www.facebook.com/
  Hosts (13):
    www.facebook.com (157.240.215.35)
    email.yg9.me (198.13.62.186)
    uyg5wye.2ihsfa.com (88.218.92.148)
    ol.gamegame.info (104.21.21.221)
    ip-api.com (208.95.112.1)
    iw.gamegame.info (172.67.200.215)
    117.18.237.29
    208.95.112.1
    172.67.200.215
    104.21.21.221
    88.218.92.148 [malware]
    157.240.215.35
    198.13.62.186
  Suricata alerts (3):
    ET POLICY External IP Lookup ip-api.com
    ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8098 | 2021-05-18 09:38 | Optimize.facebook.ads.exe | a5292f2ae50ae5ca63dd1ae659548c28 | 2.4 | - | 35 | ZeroCERT
  Tags: PE File OS Processor Check PE32 VirusTotal Malware Check memory unpack itself crashed
8099 | 2021-05-18 09:38 | Trinity-Miner_1.exe | 3db9825a26cbb1f4bffd62194c5c52cc | 6.6 | M | 49 | ZeroCERT
  Tags: AsyncRAT backdoor .NET EXE PE File OS Processor Check PE32 PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Auto service Check virtual network interfaces Windows ComputerName Firmware DNS
  Hosts (2):
    pool.supportxmr.com (94.23.23.52) [malicious]
    37.187.95.110
8100 | 2021-05-18 09:55 | diagram-553418662.xls | 62c064e08d3aef1d97e64068583345d1 | 2.0 | - | - | guest
  Tags: MSOffice File Check memory unpack itself Tofsee crashed
  URLs (2):
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
  Hosts (2):
    hermescomm.net (162.241.27.24) [malicious]
    162.241.27.24 [suspicious]
  Suricata alerts (2):
    ET INFO TLS Handshake Failure
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
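The host and URL lists above mix real indicators with traffic every sample produces: OCSP and CRL fetches, facebook.com and IP-lookup services, the sandbox's own 192.168.56.x network, and bare addresses the listing records without a name or label. As an added example (not code from the listing or from the sandbox that produced it), the Python below parses the listing's host syntax and turns records into an IOC set with that noise removed. The three embedded records are copied from IDs 8089, 8093 and 8100 above; the benign-infrastructure and shared-platform suffix lists are the editor's own assumptions and are marked as such in the code.

```python
"""IOC extraction over records of the sandbox listing above.

Added example: not the listing's own code nor that of any sandbox tool.
The sample records are copied from the listing (IDs 8089, 8093, 8100);
the noise lists are the editor's assumptions, marked below.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: hosts strings and a few URLs copied from the listing.
RECORDS = {
    "8089": {
        "md5": "b749832e5d6ebfc73a61cde48a1b890b",
        "urls": ["http://www.wws23dfwe.com/index.php/api/fb",
                 "http://www.wws23dfwe.com/index.php/api/a"],
        "hosts": "www.wws23dfwe.com(45.76.53.14) 45.76.53.14 - mailcious",
    },
    "8093": {
        "md5": "3795c43b2e06e15edb01a8a237243b08",
        "urls": ["http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
                 "http://82.146.59.236/processorDefault.php",
                 "https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe"],
        "hosts": ("ocsp.digicert.com(117.18.237.29) api.faceit.com(104.17.63.50) "
                  "ipinfo.io(34.117.59.81) cdn.discordapp.com(162.159.129.233) - malware "
                  "117.18.237.29 162.159.129.233 - malware 82.146.59.236 - mailcious "
                  "104.17.62.50 34.117.59.81"),
    },
    "8100": {
        "md5": "62c064e08d3aef1d97e64068583345d1",
        "urls": ["http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/"],
        "hosts": "hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious",
    },
}

# One host entry of the listing: "name(ip)" or a bare ip, optionally "- label".
HOST_RE = re.compile(
    r"(?:(?P<name>[A-Za-z0-9.-]+)\((?P<res>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<label>[a-z]+))?"
)

# Assumption (editor's judgement, not stated by the listing): certificate,
# OS-update, social-media and IP-lookup hosts that samples contact but that
# are not attacker-controlled, so neither they nor their addresses are IOCs.
BENIGN_SUFFIXES = ("digicert.com", "microsoft.com", "facebook.com",
                   "ip-api.com", "ipinfo.io", "faceit.com")
# Assumption: shared platforms where only the exact URL is actionable.
SHARED_SUFFIXES = ("discordapp.com",)


def _suffix_in(host, suffixes):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_routable(ip):
    """True for a public unicast address; raises ValueError for non-IP text."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def parse_hosts(text):
    """Split a listing hosts string into {name: (ip, label)} and {ip: label}."""
    names, bare = {}, {}
    for m in HOST_RE.finditer(text):
        label = m.group("label") or ""
        if label == "mailcious":             # the listing's recurring misspelling
            label = "malicious"
        if m.group("name"):
            names[m.group("name").lower()] = (m.group("res"), label)
        else:
            bare[m.group("ip")] = label or bare.get(m.group("ip"), "")
    return names, bare


def extract_iocs(record):
    """IOCs for one record. Unlabelled bare IPs that resolve from nothing in
    the record go to 'review_ip' instead of the feed."""
    names, bare = parse_hosts(record["hosts"])
    iocs = {"md5": {record["md5"]}, "domain": set(), "ip": set(),
            "review_ip": set(), "url": set()}
    noise_ips = set()
    for name, (res, _label) in names.items():
        if _suffix_in(name, BENIGN_SUFFIXES + SHARED_SUFFIXES):
            noise_ips.add(res)                # resolution of a benign/shared host
            continue
        iocs["domain"].add(name)
        if is_routable(res):
            iocs["ip"].add(res)
    for ip, label in bare.items():
        if ip in noise_ips or not is_routable(ip):
            continue
        if label or ip in iocs["ip"]:
            iocs["ip"].add(ip)
        else:
            iocs["review_ip"].add(ip)
    for url in record["urls"]:
        host = (urlsplit(url).hostname or "").lower()
        if _suffix_in(host, BENIGN_SUFFIXES):
            continue
        try:
            if not is_routable(host):         # sandbox-local targets (192.168.x)
                continue
        except ValueError:                    # a hostname, not an address
            pass
        iocs["url"].add(url)
    return iocs


def build_feed(records):
    """Merge per-record IOCs into sorted lists keyed by indicator type."""
    feed = {k: set() for k in ("md5", "domain", "ip", "review_ip", "url")}
    for rec in records.values():
        for kind, values in extract_iocs(rec).items():
            feed[kind] |= values
    return {k: sorted(v) for k, v in feed.items()}


if __name__ == "__main__":
    for kind, values in build_feed(RECORDS).items():
        print(kind, values)
```

Two results are worth noting. For record 8093 the cdn.discordapp.com download URL survives while the domain and its address do not, because a shared CDN is only actionable at URL granularity; and 104.17.62.50 lands in the review set rather than the feed, because the listing records it bare, with no name and no label (note that api.faceit.com resolved to 104.17.63.50, a different address). For record 8100 the only URLs point at the sandbox's own 192.168.56.103 and are dropped entirely.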