8101 | 2021-05-18 09:56
diagram-58650286.xls a8f34f2a8de7b470c474c50c8cd4b15f MSOffice File VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
URLs (2): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
Hosts (3): hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious 172.67.200.215
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | | 15 | guest

8102 | 2021-05-18 09:56
diagram-58895225.xls 16ec6ae1941a5f788d18aa6673be5fee MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed
Hosts (2): hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
2.6 | | 15 | guest

8103 | 2021-05-18 09:56
27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16 PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder sandbox evasion IP Check DNS
URLs (3): http://ol.gamegame.info/report7.4.php http://ip-api.com/json/?fields=8198 http://iw.gamegame.info/report7.4.php
Hosts (7): email.yg9.me(198.13.62.186) iw.gamegame.info(172.67.200.215) ol.gamegame.info(104.21.21.221) ip-api.com(208.95.112.1) 198.13.62.186 208.95.112.1 172.67.200.215
Alerts (2): ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set ET POLICY External IP Lookup ip-api.com
8.4 | M | 26 | ZeroCERT

8104 | 2021-05-18 09:56
diagram-58392516.xls 3e58b8987074c6d6b6725e2cbdb0494d MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed
URLs (5): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092 https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.339.927.0/x86/mpas-fe.exe https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
Hosts (8): www.microsoft.com(23.201.37.168) definitionupdates.microsoft.com(23.40.44.112) incoming.telemetry.mozilla.org(44.240.8.189) hermescomm.net(162.241.27.24) - mailcious 52.33.45.66 23.40.44.112 162.241.27.24 - suspicious 23.201.37.168
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | | 15 | guest

8105 | 2021-05-18 09:57
CBCbrowser.exe 5cdf8ce1bcc26bf8473f09447cfa0c47 AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 MSOffice File Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed
URLs (5): http://87.251.71.193// https://iplogger.org/1uP9s7 https://42nn.hellomir.ru/SystemServiceModelChannelsHttpInput54082 https://iplogger.org/favicon.ico https://api.ip.sb/geoip
Hosts (8): api.ip.sb(172.67.75.172) 42nn.hellomir.ru(217.107.34.191) iplogger.org(88.99.66.31) - mailcious 87.251.71.193 88.99.66.31 - mailcious 104.26.13.31 37.187.95.110 217.107.34.191 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
12.8 | M | | ZeroCERT

8106 | 2021-05-18 10:08
cvhost.exe 5db833b014cd9a4b96d3e780543eaea6 Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution DNS crashed
2.8 | | | ZeroCERT

8107 | 2021-05-18 10:13
SunLabsPlayer.exe 8639e05b36f6a6ecbc33e819d3654daa Gen1 Antivirus Anti_VM PE File PE32 DLL PNG Format PE64 OS Processor Check GIF Format powershell suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser ComputerName Cryptographic key
URLs (1): http://moonlabmediacompany.com/data/data.7z
Hosts (2): moonlabmediacompany.com(89.221.213.3) 89.221.213.3 - mailcious
10.0 | | | ZeroCERT

8108 | 2021-05-18 16:20
27364cdfec04f571117b8425e85134... a1acc4e7065d4eb28cdf9e85973cba16 Generic Malware PE File OS Processor Check PE32 PE64 DLL GIF Format VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check
URLs (3): http://ol.gamegame.info/report7.4.php http://ip-api.com/json/?fields=8198 http://iw.gamegame.info/report7.4.php
Hosts (8): email.yg9.me(198.13.62.186) iw.gamegame.info(172.67.200.215) ol.gamegame.info(104.21.21.221) ip-api.com(208.95.112.1) 198.13.62.186 208.95.112.1 104.21.21.221 172.67.200.215
Alerts (1): ET POLICY External IP Lookup ip-api.com
8.4 | M | 37 | r0d

8109 | 2021-05-18 17:37
Optimize.facebook.ads.exe a5292f2ae50ae5ca63dd1ae659548c28 Generic Malware PE File OS Processor Check PE32 VirusTotal Malware unpack itself crashed
2.2 | M | 35 | r0d

8110 | 2021-05-18 17:48
zamad.exe 3c2482a62a3b2b09cf1f8006acc0e636 PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself DNS
2.2 | | 11 | ZeroCERT

8111 | 2021-05-18 17:48
phantom.exe 9b7ba71c5d9e3d1e8ccc6848333f45ae Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed
3.0 | | 21 | ZeroCERT

8112 | 2021-05-18 17:58
diagram-1596364538.xls a3b0860623b4c70ff15d97fa2df88662 MSOffice File Check memory unpack itself Tofsee DNS crashed
Hosts (2): hermescomm.net(162.241.27.24) - mailcious 162.241.27.24 - suspicious
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | | | guest

8113 | 2021-05-18 18:10
phantom2.exe a12c221bddb208f0b79e22adfe4be45d Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed
3.0 | | 17 | ZeroCERT

8114 | 2021-05-19 13:20
Purchase ORDER For Corugated ... 6eb844dc579b96afa6c2f361e2f7a410 AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus DNS AntiDebug AntiVM .NET EXE PE File PE32 njRAT NetWireRC VirusTotal Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): erunski.duckdns.org(79.134.225.73) 79.134.225.73 - mailcious
Alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
14.8 | | 20 | ZeroCERT

8115 | 2021-05-19 13:22
Steel Purchase Order 2092 Docu... 848fbb355f37ec33342174ba62cd0233 AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): weretogoto.ddns.net(194.5.97.248) 194.5.97.248 - mailcious
Alerts (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.4 | | 19 | ZeroCERT