| 8386 |
2021-05-28 08:07
|
336601.7z f958bdca722740cdb24e86b349be4f96
Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS |
|
|
|
|
3.2 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8387 |
2021-05-28 08:09
|
 ConsoleApp10.exe d2470e33e04e12bdc2acf475f40da080
AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
131.186.113.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
9.6 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8388 |
2021-05-28 08:11
|
 vuga.exe 6a5d0132df698a0743d0a5a8a1515cfc
AsyncRAT backdoor AgentTesla(IN) Malicious Packer .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
5.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8389 |
2021-05-28 08:20
|
 vbc.exe ca1cad0dfeee9119a7bef5911c8f194e
SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
1
|
|
|
13.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8390 |
2021-05-28 08:21
|
 file3.exe 4fbb9246662af8c36caf102eccf4bff0
AsyncRAT backdoor BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.244.181.187:57969//
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31)
185.244.181.187
104.26.13.31
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
12.4 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8391 |
2021-05-28 08:22
|
 test.exe 0e24059570f9655711ba4454c21c9e2e
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows |
1
http://vunachiimpex.xyz/buta/vuga.exe
|
4
vunachiimpex.xyz() - malware
ieaspk.com(67.220.184.98) - mailcious
185.239.243.112 - malware
67.220.184.98 - malware
|
8
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
|
3.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8392 |
2021-05-28 08:22
|
Delivery Order 92281186.xls 7967d491dfb9148f1bb51cdb3acedbab
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
10
https://surustore.com/image/cache/catalog/demo/banners/h0dD8T2aNRz.php
https://ntf.gov.sb/components/com_acysms/views/unsubscribe/tmpl/8Wa80ysYUv6Klh.php
https://brandsites.gunwebhosting.com.au/site/wp-includes/Text/Diff/Engine/eUhebviTSOzDZ.php
https://bellaloveboutique.com/wp-content/themes/salient/includes/partials/tgTzKdqzGivuZ9.php
https://prediction2020.com/wp-content/plugins/really-simple-ssl/testssl/cloudflare/jDN6wmFidG65.php
https://ootashop.com/catalog/language/ar/extension/captcha/Iz40CaCFx.php
https://ourcomm.co.uk/wp-content/plugins/buddyboss-platform/bp-moderation/classes/SXDetkgsnPP.php
https://srivinaysalian.com/wp-content/plugins/catch-instagram-feed-gallery-widget/public/css/jYfe4b9imB.php
https://marcoislandguidebook.com/wp-includes/js/tinymce/plugins/charmap/xltGrJWiK.php
https://alpax.elcanotradingcorp.com/public/bower_components/jquery/src/ajax/oAIZxkctW.php
|
20
marcoislandguidebook.com(192.185.79.55) - mailcious
brandsites.gunwebhosting.com.au(122.201.118.64) - mailcious
ootashop.com(199.188.205.57) - mailcious
ntf.gov.sb(192.185.32.234) - mailcious
alpax.elcanotradingcorp.com(108.167.181.248) - mailcious
ourcomm.co.uk(217.160.0.196) - mailcious
surustore.com(192.158.238.23) - mailcious
prediction2020.com(107.160.244.54) - mailcious
bellaloveboutique.com(107.180.58.44) - mailcious
srivinaysalian.com(216.37.42.46) - mailcious
192.185.32.234 - mailcious
108.167.181.248 - mailcious
216.37.42.46 - mailcious
107.160.244.54 - mailcious
192.158.238.23 - mailcious
122.201.118.64 - mailcious
107.180.58.44 - mailcious
199.188.205.57 - mailcious
192.185.79.55 - mailcious
217.160.0.196 - malware
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
1
https://surustore.com/image/cache/catalog/demo/banners/h0dD8T2aNRz.php
|
3.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8393 |
2021-05-28 08:24
|
 vMGUvT6JSOA3UIz.exe d08412601dc64d6dc5e3945d550ad9a9
AsyncRAT backdoor PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
4.2 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8394 |
2021-05-28 08:26
|
 seleja.exe 38976248b5751e588795a5c9c4ca0327
PE File OS Processor Check PE32 VirusTotal Malware PDB Malicious Traffic unpack itself Tofsee Windows DNS crashed |
3
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1622157617&mv=m&mvi=2&pl=18&shardbypass=yes
https://update.googleapis.com/service/update2?cup2key=10:1895035685&cup2hreq=72915f2a185bd04d4a4507b96e78435e1e4d450e3fccbcf7802dca34e4dee720
|
2
r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
211.114.66.77
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8395 |
2021-05-28 08:28
|
 covid.exe 5bcb9ac769b8c069e202b42b16773af7
Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:2210899602&cup2hreq=4af8a317c8f3b4f0e5cc0232ccdfe81ee58927156e4e3612666c5b15dbc1ee68
|
6
edgedl.me.gvt1.com(34.104.35.123)
wekeepworking.sytes.net(185.140.53.40) - mailcious
34.104.35.123
142.250.66.99
211.114.66.77
185.140.53.40 - mailcious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
16.6 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8396 |
2021-05-28 09:43
|
 seleja.exe 38976248b5751e588795a5c9c4ca0327
PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed |
|
|
|
|
2.8 |
M |
18 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8397 |
2021-05-28 09:47
|
 seleja.exe 38976248b5751e588795a5c9c4ca0327
Malicious Library Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed |
|
|
|
|
2.8 |
M |
18 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8398 |
2021-05-28 10:09
|
 vbc.exe ca1cad0dfeee9119a7bef5911c8f194e
Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.6 |
M |
26 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8399 |
2021-05-28 10:57
|
 PKL.exe b375d47d63b41b7e1aca548742b01382
Generic Malware PE File PE32 VirusTotal Malware RWX flags setting unpack itself anti-virtualization crashed |
|
|
|
|
2.6 |
M |
36 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8400 |
2021-05-28 11:05
|
 file.exe 7a2f5bc93c259322c16e5a94f7139031
Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed |
|
|
|
|
3.0 |
M |
24 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|