8326 | 2021-05-26 09:25 | %E5%A4%A9%E9%99%8D%E6%BF%80%E5... | 81df021fd7a1275df23a861bb0dd436a | 3.8 | M | 52 | ZeroCERT
  Tags: Anti_VM PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS crashed

8327 | 2021-05-26 09:26 | vbc.exe | 9fda9bae06e1705bc0baafb7ae723257 | 2.6 | M | 35 | ZeroCERT
  Tags: PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself DNS

8328 | 2021-05-26 09:26 | ConsoleApp1.exe | 17b32d5270a778baa555f13bb3c25b14 | 13.4 | M | 22 | ZeroCERT
  Tags: AsyncRAT backdoor Gen1 AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName Trojan DNS Downloader Password
  URLs (11):
    http://45.133.1.47/7.jpg
    http://45.133.1.47/5.jpg
    http://46.101.81.223/t.exe
    http://45.133.1.47/
    http://45.133.1.47/4.jpg
    http://45.133.1.47/6.jpg
    http://46.101.81.223/origin.exe
    http://45.133.1.47/2.jpg
    http://45.133.1.47/main.php
    http://45.133.1.47/3.jpg
    http://45.133.1.47/1.jpg
  Hosts (4):
    ieaspk.com(67.220.184.98)
    46.101.81.223
    67.220.184.98 - malware
    45.133.1.47
  Alerts (15):
    ET POLICY Data POST to an image file (jpg)
    ET HUNTING Suspicious EXE Download Content-Type image/jpeg
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET INFO Executable Download from dotted-quad Host
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO TLS Handshake Failure
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
    ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
    ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
    ET MALWARE Single char EXE direct download likely trojan (multiple families)
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

8329 | 2021-05-26 09:27 | lv.exe | 8463e69ee4b0e16c4942d27175a00135 | 7.8 | M | 29 | ZeroCERT
  Tags: AgentTesla Gen1 Gen2 Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed
  Hosts (2):
    WtzBPWYqDxvfg.WtzBPWYqDxvfg()
    104.128.188.74

8330 | 2021-05-26 09:27 | IMG_010436088.exe | 5551d898c7b1d405bec3f8bb14d9c87b | 6.0 | M | 21 | ZeroCERT
  Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows ComputerName DNS crashed
  URLs (1):

8331 | 2021-05-26 09:31 | %E6%9A%97%E5%B7%B7%E8%A7%86%E9... | dab5d970f5261b346185007f25d3e5db | 5.4 | M | 61 | ZeroCERT
  Tags: Gen1 Gen2 Emotet PE File PE32 OS Processor Check VirusTotal Malware Check memory buffers extracted unpack itself AppData folder sandbox evasion

8332 | 2021-05-26 09:32 | ahk.jpg | 4a5f8a1e40fb9eab2b8bd55efbe61a83 | 7.2 | M | 26 | ZeroCERT
  Tags: Gen2 Antivirus PE File OS Processor Check PE32 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (2):
    https://paste.ee/r/EhrU
    https://paste.ee/r/CxpZK
  Hosts (2):
    paste.ee(104.26.5.223) - mailcious
    104.26.5.223 - mailcious
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8333 | 2021-05-26 09:34 | ConsoleApp2.exe | 89c52df7d4bf97d0f9913dc89f6527b2 | 10.4 | M | 24 | ZeroCERT
  Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed

8334 | 2021-05-26 09:34 | IMG_085_163_771.exe | 719fad1c99b366347fabab8b752a1826 | 9.2 | M | 15 | ZeroCERT
  Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
  URLs (2):
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  Hosts (4):
    freegeoip.app(172.67.188.154)
    checkip.dyndns.org(216.146.43.71)
    162.88.193.70
    104.21.19.200
  Alerts (4):
    ET POLICY External IP Lookup - checkip.dyndns.org
    ET POLICY DynDNS CheckIp External IP Address Server Response
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8335 | 2021-05-26 09:36 | %E5%88%9B%E8%BE%89%E4%BC%81%E4... | b002b1aef58889242163dba60b7d6a47 | 5.0 | M | 62 | ZeroCERT
  Tags: Gen2 Emotet PE File OS Processor Check PE32 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Tofsee Windows Remote Code Execution crashed
  URLs (2):
    http://hi.baidu.com/8youyu8888/item/eb4fbac9be30f77389ad9e99
    https://infoflow.baidu.com/
  Hosts (4):
    hi.baidu.com(183.232.231.225) - mailcious
    infoflow.baidu.com(124.237.176.132)
    220.181.107.148
    124.237.176.132
  Alerts (2):
    ET POLICY Unsupported/Fake Windows NT Version 5.0
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8336 | 2021-05-26 09:37 | tendsoleApp2.exe | c7619cc4826449419e212b8bef448e4e | 10.2 | M | 13 | ZeroCERT
  Tags: AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder DNS crashed
  URLs (1):

8337 | 2021-05-26 09:39 | gg5f2.exe | 2bb5676bd130e5516733682dc75da8df | 9.4 | M | 28 | ZeroCERT
  Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed

8338 | 2021-05-26 09:40 | 0551038.exe | c43aa3df483f13d1690fa6d26b38c203 | 10.4 | M | 10 | ZeroCERT
  Tags: PWS Loki[b] Loki[m] AsyncRAT backdoor Gen1 Gen2 DNS Socket HTTP KeyLogger Http API Internet API ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Ransomware Browser Email ComputerName Software
  URLs (1):
    http://ahsanulalam.buet.ac.bd/bvyukiu/index.php
  Hosts (2):
    ahsanulalam.buet.ac.bd(103.94.135.216)
    103.94.135.216 - phishing
  Alerts (1):
    ET MALWARE AZORult v3.3 Server Response M1

8339 | 2021-05-26 09:40 | IMG_3615_763_8.exe | 87eb69c0cf08d284c76acc6666749a91 | 9.6 | M | 13 | ZeroCERT
  Tags: AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed
  URLs (2):
    http://www.blueridgeholisticdental.com/nke/?8pdPzj6X=beluo/A3x1wk0axcPPYLRI6VL5KZoBZCIza2nCls1jNtqOSK3OGdLiR1PhbzTLTJ4aTYYmbD&_FNHAt=tVBl4PYHXHBx - rule_id: 1527
    http://www.3556a.com/nke/?_FNHAt=tVBl4PYHXHBx&8pdPzj6X=Bu2S3uDiR9mXo57lDy6P1wh5eo8lJZxkJjBrRWLCJOJBpLyy7hXoE5ZXA8FCgXkaMfNP2bVp
  Hosts (4):
    www.blueridgeholisticdental.com(34.102.136.180) - mailcious
    www.3556a.com(104.233.238.207)
    104.233.238.207 - mailcious
    34.102.136.180 - mailcious
  Alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  Additional (1):
    http://www.blueridgeholisticdental.com/nke/

8340 | 2021-05-26 09:40 | jexi_cry.exe | 6245b34a94512b3f2a8b753e7b8dd24f | 7.6 | | 14 | ZeroCERT
  Tags: AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows DNS
  URLs (1):
  Hosts (5):
    www.google.com(172.217.175.68)
    142.250.66.68
    13.107.21.200
    172.217.163.228
    104.21.19.200
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)