| 8416 |
2021-05-31 09:35
|
 jaja.exe 54262706e573614d224fec09edb4f7cf
Malicious Library Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
16.2 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8417 |
2021-05-31 09:37
|
 Ls_Droid_v1.1.9.0.exe a1459b6cd648d10da05707b69166d2f6
Anti_VM .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows Firmware crashed |
1
https://tinywebdb.ls-droid.com/testme.php
|
3
tinywebdb.ls-droid.com(109.106.250.191)
www.ls-droid.com(109.106.250.191)
109.106.250.191 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8418 |
2021-05-31 11:05
|
 ao.exe b1d319888860b7a6400c5e5099d59e48
Amadey PWS Loki[b] Loki[m] Admin Tool Sysinternals Antivirus HTTP Code injection Http API Internet API AntiDebug AntiVM PE File .NET EXE PE32 DLL JPEG Format Malware download Amadey FTP Client Info Stealer ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder sandbox evasion WriteConsoleW Windows Email ComputerName DNS Cryptographic key Software crashed |
3
http://185.215.113.38/fT5YhO/index.php
http://185.215.113.38//fT5YhO/index.php?scr=up
http://185.215.113.38//fT5YhO/index.php
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Amadey CnC Check-In
|
|
20.2 |
M |
45 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8419 |
2021-05-31 11:15
|
 NmX.txt.html f69a35821e442a111ebbe08c7fc22060
VBScript PowerShell Obfuscated File VirusTotal Malware crashed |
|
|
|
|
0.8 |
M |
17 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8420 |
2021-05-31 11:25
|
 qv55b3lqjXhJQckX.jpg.ps1 6ee03a2d6b4558fa09cdf1e33dcaa897
Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat - rule_id: 1678
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat
https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk - rule_id: 1677
https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
|
4
lavishcuisine.com(192.169.204.60) - mailcious
cdn.discordapp.com(162.159.134.233) - malware
192.169.204.60 - mailcious
162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat
https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
|
9.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8421 |
2021-05-31 18:05
|
 asd80.exe b7c53f778e82c1594d8a1a27ebb65af0
AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.113.70)
162.88.193.70
172.67.188.154
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8422 |
2021-05-31 18:06
|
 svchost.exe d850f8d4823240e54f834f85e09bd9e7
PE File PE32 VirusTotal Malware Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS |
|
|
|
|
3.2 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8423 |
2021-05-31 18:07
|
 dllhost.exe 10aad0ae040c9fbde27793e1cb213d73
PE File PE32 VirusTotal Malware Creates executable files DNS |
35
http://194.26.29.184:8888/gw?worker=magentoBrt
http://194.26.29.184:8888/gw?worker=bitrixChk&v=newback
http://194.26.29.184:8888/gw?worker=cp_chk
http://194.26.29.184:8888/gw?worker=backup&v=newback
http://194.26.29.184:8888/gw?worker=wpMagOcart
http://194.26.29.184:8888/gw?worker=joomlaBrt
http://194.26.29.184:8888/gw?worker=wpBrt
http://194.26.29.184:8888/gw?worker=joomlaChk
http://194.26.29.184:8888/gw?worker=mysql_b
http://194.26.29.184:8888/gw?worker=php_chk
http://194.26.29.184:8888/gw?worker=drupalChk
http://194.26.29.184:8888/project/active
http://194.26.29.184:8888/gw?worker=php_b
http://194.26.29.184:8888/gw?worker=postgres_b
http://194.26.29.184:8888/gw?worker=drupalBrt
http://194.26.29.184:8888/gw?worker=OCartBrt&v=newback
http://194.26.29.184:8888/gw?worker=htpasswdChk
http://194.26.29.184:8888/gw?worker=qnapChk
http://194.26.29.184:8888/gw?worker=OCartChk&v=newback
http://194.26.29.184:8888/gw?worker=Woo
http://194.26.29.184:8888/bots/knock?worker=Universal&os=Windows&version=3.13
http://194.26.29.184:8888/gw?worker=whm_b
http://194.26.29.184:8888/bots/chkVersion?currVers=3.13&arch=win
http://194.26.29.184:8888/gw?worker=qnapBrt
http://194.26.29.184:8888/gw?worker=whm_chk
http://194.26.29.184:8888/gw?worker=cp_b
http://194.26.29.184:8888/gw?worker=wpInst
http://194.26.29.184:8888/gw?worker=ftp_b
http://194.26.29.184:8888/gw?worker=admfind
http://194.26.29.184:8888/gw?worker=ftpChk
http://194.26.29.184:8888/gw?worker=htpasswdBrt
http://194.26.29.184:8888/gw?worker=magentoChk
http://194.26.29.184:8888/gw?worker=bitrixBrt&v=newback
http://194.26.29.184:8888/gw?worker=ssh_b
http://194.26.29.184:8888/gw?worker=wpChk&v=new
|
1
|
|
|
3.2 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8424 |
2021-05-31 18:10
|
 svchost.exe 10d1dc044b4f546c7e1c29f40d364a77
PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process anti-virtualization DNS |
|
|
|
|
3.4 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8425 |
2021-05-31 18:14
|
 ConsoleApp9.exe 74e874bb14c48f4d33153798bb166edc
AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
2
http://www.shootingstarsilver.com/nke/?iJE=zuk3YapxJyeS5yDfl4TPA09nInGwECJBlDdHUcMZwWsxT52AulIJdvBxa6+BAMGrKnOC+lM0&wXO=OZNlib
http://www.serenablackcreatives.com/nke/?iJE=EqsjWoDY/paPxbVQO8NthjbeDBl1OlPkKN2BHxM5LB9s4oLQ1ZRC2+hvSz2Y2gm/xFUb9BHt&wXO=OZNlib
|
4
www.serenablackcreatives.com(154.0.175.80)
www.shootingstarsilver.com(34.102.136.180)
154.0.175.80 - malware
34.102.136.180 - mailcious
|
3
ET MALWARE FormBook CnC Checkin (GET)
SURICATA HTTP Unexpected Request body
SURICATA HTTP unable to match response to request
|
|
8.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8426 |
2021-06-01 09:25
|
 Yx3PBY9RC15I0sLk.jpg.ps1 18fd76d1d31e0833d26a36729842c5f7
Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
https://cdn.discordapp.com/attachments/808540577594736675/848370661323702282/firefox.lnk
https://cdn.discordapp.com/attachments/808540577594736675/848370352207691826/gO9BxdwXEaBmHAS2.jpg
|
2
cdn.discordapp.com(162.159.134.233) - malware
162.159.133.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8427 |
2021-06-01 09:28
|
 book.jpg 1db8ea99d5b3309e68f5bc941c3cb738
AsyncRAT backdoor PE File DLL .NET DLL PE32 VirusTotal Malware PDB |
|
|
|
|
1.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8428 |
2021-06-01 09:28
|
 QUAConsoleApp5.exe 51ee29d68a7aefead4a82af353bab78c
PWS Loki[b] Loki[m] AsyncRAT backdoor DNS KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic IP Check Tofsee |
2
http://ip-api.com/json/
https://cdn.discordapp.com/attachments/844641656991907850/846437254331367444/ClassLibrary1.dll
|
6
ip-api.com(208.95.112.1)
cdn.discordapp.com(162.159.134.233) - malware
yz.videomarket.eu(185.157.161.205) - mailcious
208.95.112.1
162.159.129.233 - malware
185.157.161.205
|
2
ET POLICY External IP Lookup ip-api.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8429 |
2021-06-01 09:32
|
 firefox.bat 0133dbb43454830e50e7540b52e5c59f
AgentTesla Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
|
|
|
5.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8430 |
2021-06-01 09:33
|
 d234.exe 4d502f30155e5f6215ed32de99c4ca14
AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed |
|
|
|
|
9.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|