| 8101 |
2021-05-18 09:56
|
 diagram-58650286.xls a8f34f2a8de7b470c474c50c8cd4b15f
MSOffice File VirusTotal Malware Check memory unpack itself Tofsee DNS crashed |
2
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
3
hermescomm.net(162.241.27.24) - mailcious
162.241.27.24 - suspicious
172.67.200.215
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8102 |
2021-05-18 09:56
|
 diagram-58895225.xls 16ec6ae1941a5f788d18aa6673be5fee
MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed |
|
2
hermescomm.net(162.241.27.24) - mailcious
162.241.27.24 - suspicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.6 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8103 |
2021-05-18 09:56
|
 27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16
PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder sandbox evasion IP Check DNS |
3
http://ol.gamegame.info/report7.4.php
http://ip-api.com/json/?fields=8198
http://iw.gamegame.info/report7.4.php
|
7
email.yg9.me(198.13.62.186)
iw.gamegame.info(172.67.200.215)
ol.gamegame.info(104.21.21.221)
ip-api.com(208.95.112.1)
198.13.62.186
208.95.112.1
172.67.200.215
|
2
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
ET POLICY External IP Lookup ip-api.com
|
|
8.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8104 |
2021-05-18 09:56
|
 diagram-58392516.xls 3e58b8987074c6d6b6725e2cbdb0494d
MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed |
5
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.339.927.0/x86/mpas-fe.exe
https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
|
8
www.microsoft.com(23.201.37.168)
definitionupdates.microsoft.com(23.40.44.112)
incoming.telemetry.mozilla.org(44.240.8.189)
hermescomm.net(162.241.27.24) - mailcious
52.33.45.66
23.40.44.112
162.241.27.24 - suspicious
23.201.37.168
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8105 |
2021-05-18 09:57
|
 CBCbrowser.exe 5cdf8ce1bcc26bf8473f09447cfa0c47
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 MSOffice File Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed |
5
http://87.251.71.193//
https://iplogger.org/1uP9s7
https://42nn.hellomir.ru/SystemServiceModelChannelsHttpInput54082
https://iplogger.org/favicon.ico
https://api.ip.sb/geoip
|
8
api.ip.sb(172.67.75.172)
42nn.hellomir.ru(217.107.34.191)
iplogger.org(88.99.66.31) - mailcious
87.251.71.193
88.99.66.31 - mailcious
104.26.13.31
37.187.95.110
217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
12.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8106 |
2021-05-18 10:08
|
 cvhost.exe 5db833b014cd9a4b96d3e780543eaea6
Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8107 |
2021-05-18 10:13
|
 SunLabsPlayer.exe 8639e05b36f6a6ecbc33e819d3654daa
Gen1 Antivirus Anti_VM PE File PE32 DLL PNG Format PE64 OS Processor Check GIF Format powershell suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser ComputerName Cryptographic key |
1
http://moonlabmediacompany.com/data/data.7z
|
2
moonlabmediacompany.com(89.221.213.3)
89.221.213.3 - mailcious
|
|
|
10.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8108 |
2021-05-18 16:20
|
 27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16
Generic Malware PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check |
3
http://ol.gamegame.info/report7.4.php
http://ip-api.com/json/?fields=8198
http://iw.gamegame.info/report7.4.php
|
8
email.yg9.me(198.13.62.186)
iw.gamegame.info(172.67.200.215)
ol.gamegame.info(104.21.21.221)
ip-api.com(208.95.112.1)
198.13.62.186
208.95.112.1
104.21.21.221
172.67.200.215
|
1
ET POLICY External IP Lookup ip-api.com
|
|
8.4 |
M |
37 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8109 |
2021-05-18 17:37
|
 Optimize.facebook.ads.exe a5292f2ae50ae5ca63dd1ae659548c28
Generic Malware PE File OS Processor Check PE32 VirusTotal Malware unpack itself crashed |
|
|
|
|
2.2 |
M |
35 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8110 |
2021-05-18 17:48
|
 zamad.exe 3c2482a62a3b2b09cf1f8006acc0e636
PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself DNS |
|
|
|
|
2.2 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8111 |
2021-05-18 17:48
|
 phantom.exe 9b7ba71c5d9e3d1e8ccc6848333f45ae
Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
3.0 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8112 |
2021-05-18 17:58
|
 diagram-1596364538.xls a3b0860623b4c70ff15d97fa2df88662
MSOffice File Check memory unpack itself Tofsee DNS crashed |
|
2
hermescomm.net(162.241.27.24) - mailcious
162.241.27.24 - suspicious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8113 |
2021-05-18 18:10
|
 phantom2.exe a12c221bddb208f0b79e22adfe4be45d
Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
3.0 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8114 |
2021-05-19 13:20
|
Purchase ORDER For Corugated ... 6eb844dc579b96afa6c2f361e2f7a410
AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus DNS AntiDebug AntiVM .NET EXE PE File PE32 njRAT NetWireRC VirusTotal Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS |
|
2
erunski.duckdns.org(79.134.225.73)
79.134.225.73 - mailcious
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
14.8 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8115 |
2021-05-19 13:22
|
Steel Purchase Order 2092 Docu... 848fbb355f37ec33342174ba62cd0233
AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS |
|
2
weretogoto.ddns.net(194.5.97.248)
194.5.97.248 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
15.4 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|