8251 | 2021-05-23 10:15
lv.exe | 2809de5c1d9de29a85dcd05e179b70e4
Tags: AgentTesla Glupteba NPKI Gen1 Gen2 Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed
URLs (1): LrSfxvUGrKDUSKClHcvcmajDA.LrSfxvUGrKDUSKClHcvcmajDA()
12.0 | M | 27 | ZeroCERT
8252 | 2021-05-23 10:15
scr.dll | 7a77bc3281be4a356defa637d2d70014
Tags: Amadey DLL PE File PE32 JPEG Format ENERGETIC BEAR VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself DNS
URLs (1): http://185.215.113.57//1dEr2nYffd/index.php?scr=up
Hosts (1):
IDS alerts (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 24
4.0 | M | 36 | ZeroCERT
8253 | 2021-05-23 10:15
cred.dll | 1606294ef66c020a6585301620aeb440
Tags: PWS Loki[b] Loki[m] DLL PE File PE32 FTP Client Info Stealer ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software
URLs (1): http://185.215.113.57//1dEr2nYffd/index.php
Hosts (1):
IDS alerts (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 24
6.4 | M | 47 | ZeroCERT
8254 | 2021-05-23 10:20
lv.exe | e5e087b4c90602abb32b2464449c5c43
Tags: Emotet Glupteba Gen1 Gen2 PE File PE32 DLL OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed
3.6 | M | 44 | ZeroCERT
8255 | 2021-05-23 10:21
bin.exe | edb386d29730158b61b5212b9b922a5a
Tags: Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed
3.8 | M | 30 | ZeroCERT
8256 | 2021-05-23 10:23
hbggg.exe | e6f6fd13001b8df1af345df56caba5de
Tags: Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution DNS
URLs (5):
  http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
  http://uyg5wye.2ihsfa.com/api/?sid=210725&key=72674f7accaa137688c0ad545432594d - rule_id: 1396
  http://ip-api.com/json/
  https://iplogger.org/18hh57
  https://www.facebook.com/
Hosts (8):
  www.facebook.com(157.240.215.35)
  uyg5wye.2ihsfa.com(88.218.92.148) - malicious
  ip-api.com(208.95.112.1)
  iplogger.org(88.99.66.31) - malicious
  88.99.66.31 - malicious
  208.95.112.1
  88.218.92.148 - malware
  157.240.215.35
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (2):
  http://uyg5wye.2ihsfa.com/api/
  http://uyg5wye.2ihsfa.com/api/
7.0 | M | 50 | ZeroCERT
8257 | 2021-05-23 10:23
index.exe | 21f942eb973340f0b1948d929ff5fc6e
Tags: PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows DNS Cryptographic key
10.6 | M | 41 | ZeroCERT
8258 | 2021-05-23 10:23
att.exe | a119eaea434c7e0c58663c605e9c0ac6
Tags: Raccoon Stealer Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed
2.8 | | 21 | ZeroCERT
8259 | 2021-05-23 10:46
kakashi_cry.exe | 62c59ba0375eebf49b4d80c290e69646
Tags: AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows
URLs (1):
Hosts (3):
  www.google.com(172.217.161.36)
  142.250.199.68
  142.250.207.68
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.4 | | | ZeroCERT
8260 | 2021-05-23 10:55
Setup.exe | d69ad8d2f432e57d4f5ecf5d7e7f9300
Tags: Emotet AsyncRAT backdoor PWS .NET framework Gen1 Glupteba BitCoin Generic Malware Anti_VM VMProtect AntiDebug AntiVM PE File PE32 DLL .NET DLL .NET EXE GIF Format OS Processor Check PE64 Browser Info Stealer VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion VMware IP Check VM Disk Size Check installed browsers check Tofsee Ransomware GameoverP2P Zeus Windows Browser ComputerName Trojan Banking Amazon DNS Cryptographic key crashed keylogger
URLs (28):
  http://ol.gamegame.info/report7.4.php
  http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe
  http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC
  http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe
  http://iw.gamegame.info/report7.4.php
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/PicturesLab.exe
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/i-record.exe
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/Picture-Lab.exe
  http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/I-Record.exe
  http://87.251.71.193// - rule_id: 1393
  http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
  http://www.google.com/
  http://ipinfo.io/ip
  http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe
  http://ip-api.com/json/?fields=8198
  http://ipinfo.io/country
  http://ip-api.com/json/
  http://uyg5wye.2ihsfa.com/api/?sid=214117&key=0f51bef1ab2ad0b2ca0fa6f125359da2 - rule_id: 1396
  https://iplogger.org/18hh57
  https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
  https://www.facebook.com/
  https://api.ip.sb/geoip
  https://connectini.net/Series/SuperNitou.php
  https://news-systems.xyz/?user=barret2
  https://news-systems.xyz/?user=barret1
  https://iplogger.org/1Hpxd7
  https://ipinfo.io/country
  https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947
Hosts (39):
  news-systems.xyz(104.21.33.129)
  iw.gamegame.info(104.21.21.221)
  www.google.com(216.58.197.228)
  c.pycharm3.ru(217.107.34.191)
  b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com(52.219.106.138) - malware
  email.yg9.me(198.13.62.186)
  google.com(172.217.25.78)
  uyg5wye.2ihsfa.com(88.218.92.148) - malicious
  ol.gamegame.info(104.21.21.221)
  global-sc-ltd.com(199.188.201.83)
  connectini.net(162.0.210.44)
  ipinfo.io(34.117.59.81)
  limesfile.com(198.54.126.101)
  ip-api.com(208.95.112.1)
  www.facebook.com(157.240.215.35)
  api.ip.sb(172.67.75.172)
  iplogger.org(88.99.66.31) - malicious
  reportyuwt4sbackv97qarke3.com(162.0.220.187)
  ipqualityscore.com(104.26.2.60)
  87.251.71.193 - malicious
  162.0.220.187
  52.219.84.224
  216.58.197.196 - suspicious
  88.218.92.148 - malware
  104.26.3.60
  198.13.62.186
  104.21.33.129 - malicious
  199.188.201.83
  157.240.215.35
  88.99.66.31 - malicious
  104.21.21.221
  162.0.210.44
  34.117.59.81
  217.107.34.191 - malicious
  198.54.126.101
  216.58.197.206 - malicious
  208.95.112.1
  172.67.200.215
  104.26.13.31
IDS alerts (10):
  ET POLICY External IP Lookup ip-api.com
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
  ET POLICY Possible External IP Lookup ipinfo.io
  ET POLICY Executable served from Amazon S3
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  SURICATA HTTP unable to match response to request
Rule-matched URLs (3):
  http://87.251.71.193/
  http://uyg5wye.2ihsfa.com/api/
  http://uyg5wye.2ihsfa.com/api/
25.2 | M | 35 | ZeroCERT
8261 | 2021-05-23 17:12
Server.txt | 68a0c1efdcd6fa5a6f08327b40afa394
Tags: Anti_VM ScreenShot AntiDebug AntiVM VirusTotal Malware Check memory unpack itself DNS
2.0 | | 3 | ZeroCERT
8262 | 2021-05-23 17:31
ALL.txt | a140c5bb18fc4adb4a2f5d2a907de048
Tags: VirusTotal Malware Check memory RWX flags setting unpack itself DNS
2.0 | | 1 | ZeroCERT
8263 | 2021-05-23 17:38
PicturesLab.exe | 02398f9746a8cdebb2bc1cb9ccb40e70
Tags: .NET EXE PE File PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
2.2 | M | 53 | ZeroCERT
8264 | 2021-05-23 17:38
I-Record.exe | 6f80701718727602e7196b1bba7fac1b
Tags: .NET EXE PE File PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
2.8 | M | 52 | ZeroCERT
8265 | 2021-05-23 17:40
f3kmkuwbdpgytdc5.exe | ae4a8c201b070ee94488bb8862ed4ec5
Tags: .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself
1.8 | M | 36 | ZeroCERT
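The records above are a flattened sandbox export: a record's host field is a whitespace-joined run of `domain(ip)` tokens and bare IPs, each optionally followed by `- <label>`, and its URL field is a run of URLs each optionally followed by `- rule_id: N`. As an added example (not part of the listing or of the ZeroCERT source), the Python below parses those two fields plus the `filename md5 tags...` header line and splits the network indicators into a blocklist (hosts the sandbox labelled malicious, malware or suspicious, and URLs that matched a rule) and generic noise (external-IP lookup and connectivity-check services). The inputs are copied from record 8256 (hbggg.exe) and the header of 8262 (ALL.txt), whose hash the export glues to its first tag; the set of generic hosts is my assumption, and the export's "mailcious" label spelling is normalised to "malicious".

```python
"""Turn flattened sandbox-listing fields into triaged, defanged IOCs (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inputs: the host and URL fields of record 8256 (hbggg.exe) and the
# header line of 8262 (ALL.txt), copied from the listing. The raw export spells
# the host label "mailcious"; it is normalised on parse.
HOSTS_8256 = (
    "www.facebook.com(157.240.215.35) uyg5wye.2ihsfa.com(88.218.92.148) - mailcious "
    "ip-api.com(208.95.112.1) iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious "
    "208.95.112.1 88.218.92.148 - malware 157.240.215.35"
)
URLS_8256 = (
    "http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396 "
    "http://uyg5wye.2ihsfa.com/api/?sid=210725&key=72674f7accaa137688c0ad545432594d - rule_id: 1396 "
    "http://ip-api.com/json/ https://iplogger.org/18hh57 https://www.facebook.com/"
)
HEADER_8262 = ("ALL.txt a140c5bb18fc4adb4a2f5d2a907de048VirusTotal Malware "
               "Check memory RWX flags setting unpack itself DNS")

# Assumption: public geo-lookup and connectivity-check hosts seen in the listing.
# They show the sample phoned out, not where its C2 is, so they make poor block rules.
GENERIC_HOSTS = {"ip-api.com", "ipinfo.io", "api.ip.sb", "ipqualityscore.com",
                 "www.facebook.com", "www.google.com", "google.com"}
LABEL_FIX = {"mailcious": "malicious"}   # typo in the export's own label vocabulary
BAD_LABELS = {"malicious", "malware", "suspicious"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "domain(ip)" or a bare ip, optionally followed by " - label"
HOST_RE = re.compile(
    rf"(?:(?P<domain>[A-Za-z0-9.-]+)\((?P<dip>{IPV4})\)|(?P<ip>{IPV4}))"
    r"(?:\s+-\s+(?P<label>[a-z]+))?")
# a URL, optionally followed by " - rule_id: N"
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
# 32 hex digits, possibly with a tag glued on (as in the ALL.txt record)
MD5_RE = re.compile(r"([0-9a-f]{32})(.*)", re.I)


@dataclass(frozen=True)
class Host:
    domain: Optional[str]
    ip: str
    label: Optional[str]


def parse_hosts(field: str) -> list[Host]:
    """Host field -> Host records; label spelling normalised."""
    out = []
    for m in HOST_RE.finditer(field):
        label = m.group("label")
        out.append(Host(m.group("domain"), m.group("dip") or m.group("ip"),
                        LABEL_FIX.get(label, label)))
    return out


def parse_urls(field: str) -> list[tuple[str, Optional[int]]]:
    """URL field -> (url, rule_id or None) pairs."""
    return [(m.group("url"), int(m.group("rule")) if m.group("rule") else None)
            for m in URL_RE.finditer(field)]


def parse_header(line: str) -> tuple[str, Optional[str], list[str]]:
    """'name md5 tag tag ...' -> (name, md5, tags); splits an md5 glued to its first tag."""
    name, *rest = line.split()
    md5 = None
    if rest and (m := MD5_RE.fullmatch(rest[0])):
        md5 = m.group(1).lower()
        rest = ([m.group(2)] if m.group(2) else []) + rest[1:]
    return name, md5, rest


def defang(s: str) -> str:
    """hxxp:// and [.] so the indicator cannot be clicked or auto-linked."""
    return s.replace("http", "hxxp").replace(".", "[.]")


def triage(hosts: list[Host], urls: list[tuple[str, Optional[int]]]) -> dict:
    """Split network indicators into a blocklist and generic noise."""
    noise_ips = {h.ip for h in hosts if h.domain in GENERIC_HOSTS}
    block_domains, block_ips, noise = set(), set(), set()
    for h in hosts:
        if h.domain in GENERIC_HOSTS or h.ip in noise_ips:
            noise.add(h.domain or h.ip)          # bare-IP repeats of generic hosts too
        elif h.label in BAD_LABELS:
            block_ips.add(h.ip)
            if h.domain:
                block_domains.add(h.domain)
    return {
        "block_domains": sorted(block_domains),
        "block_ips": sorted(block_ips),
        "block_urls": sorted(defang(u) for u, rid in urls if rid is not None),
        "noise": sorted(noise),
    }


if __name__ == "__main__":
    hosts, urls = parse_hosts(HOSTS_8256), parse_urls(URLS_8256)
    print(f"{len(hosts)} hosts, {len(urls)} urls parsed")  # compare with the listing's counts
    for k, v in triage(hosts, urls).items():
        print(k, v)
    print(parse_header(HEADER_8262)[:2])
```

Run stand-alone it prints the triaged indicators for 8256 and the recovered MD5 of ALL.txt. The parsed counts (8 hosts, 5 URLs) can be checked against the count column of the record; a mismatch means the export was cut or contains a token shape the parser does not know, and is worth investigating before the indicators are trusted.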