8416 |
2021-05-31 09:35
|
jaja.exe 54262706e573614d224fec09edb4f7cf Malicious Library Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
16.2 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8417 |
2021-05-31 09:37
|
Ls_Droid_v1.1.9.0.exe a1459b6cd648d10da05707b69166d2f6 Anti_VM .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows Firmware crashed |
1
https://tinywebdb.ls-droid.com/testme.php
|
3
tinywebdb.ls-droid.com(109.106.250.191) www.ls-droid.com(109.106.250.191) 109.106.250.191 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8418 |
2021-05-31 11:05
|
ao.exe b1d319888860b7a6400c5e5099d59e48 Amadey PWS Loki[b] Loki[m] Admin Tool Sysinternals Antivirus HTTP Code injection Http API Internet API AntiDebug AntiVM PE File .NET EXE PE32 DLL JPEG Format Malware download Amadey FTP Client Info Stealer ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder sandbox evasion WriteConsoleW Windows Email ComputerName DNS Cryptographic key Software crashed |
3
http://185.215.113.38/fT5YhO/index.php http://185.215.113.38//fT5YhO/index.php?scr=up http://185.215.113.38//fT5YhO/index.php
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Amadey CnC Check-In
|
|
20.2 |
M |
45 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8419 |
2021-05-31 11:15
|
NmX.txt.html f69a35821e442a111ebbe08c7fc22060 VBScript PowerShell Obfuscated File VirusTotal Malware crashed |
|
|
|
|
0.8 |
M |
17 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8420 |
2021-05-31 11:25
|
qv55b3lqjXhJQckX.jpg.ps1 6ee03a2d6b4558fa09cdf1e33dcaa897 Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat - rule_id: 1678 https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk - rule_id: 1677 https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
|
4
lavishcuisine.com(192.169.204.60) - mailcious cdn.discordapp.com(162.159.134.233) - malware 192.169.204.60 - mailcious 162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
|
9.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8421 |
2021-05-31 18:05
|
asd80.exe b7c53f778e82c1594d8a1a27ebb65af0 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 162.88.193.70 172.67.188.154
|
4
ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8422 |
2021-05-31 18:06
|
svchost.exe d850f8d4823240e54f834f85e09bd9e7 PE File PE32 VirusTotal Malware Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS |
|
|
|
|
3.2 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8423 |
2021-05-31 18:07
|
dllhost.exe 10aad0ae040c9fbde27793e1cb213d73 PE File PE32 VirusTotal Malware Creates executable files DNS |
35
http://194.26.29.184:8888/gw?worker=magentoBrt http://194.26.29.184:8888/gw?worker=bitrixChk&v=newback http://194.26.29.184:8888/gw?worker=cp_chk http://194.26.29.184:8888/gw?worker=backup&v=newback http://194.26.29.184:8888/gw?worker=wpMagOcart http://194.26.29.184:8888/gw?worker=joomlaBrt http://194.26.29.184:8888/gw?worker=wpBrt http://194.26.29.184:8888/gw?worker=joomlaChk http://194.26.29.184:8888/gw?worker=mysql_b http://194.26.29.184:8888/gw?worker=php_chk http://194.26.29.184:8888/gw?worker=drupalChk http://194.26.29.184:8888/project/active http://194.26.29.184:8888/gw?worker=php_b http://194.26.29.184:8888/gw?worker=postgres_b http://194.26.29.184:8888/gw?worker=drupalBrt http://194.26.29.184:8888/gw?worker=OCartBrt&v=newback http://194.26.29.184:8888/gw?worker=htpasswdChk http://194.26.29.184:8888/gw?worker=qnapChk http://194.26.29.184:8888/gw?worker=OCartChk&v=newback http://194.26.29.184:8888/gw?worker=Woo http://194.26.29.184:8888/bots/knock?worker=Universal&os=Windows&version=3.13 http://194.26.29.184:8888/gw?worker=whm_b http://194.26.29.184:8888/bots/chkVersion?currVers=3.13&arch=win http://194.26.29.184:8888/gw?worker=qnapBrt http://194.26.29.184:8888/gw?worker=whm_chk http://194.26.29.184:8888/gw?worker=cp_b http://194.26.29.184:8888/gw?worker=wpInst http://194.26.29.184:8888/gw?worker=ftp_b http://194.26.29.184:8888/gw?worker=admfind http://194.26.29.184:8888/gw?worker=ftpChk http://194.26.29.184:8888/gw?worker=htpasswdBrt http://194.26.29.184:8888/gw?worker=magentoChk http://194.26.29.184:8888/gw?worker=bitrixBrt&v=newback http://194.26.29.184:8888/gw?worker=ssh_b http://194.26.29.184:8888/gw?worker=wpChk&v=new
|
1
|
|
|
3.2 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8424 |
2021-05-31 18:10
|
svchost.exe 10d1dc044b4f546c7e1c29f40d364a77 PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process anti-virtualization DNS |
|
|
|
|
3.4 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8425 |
2021-05-31 18:14
|
ConsoleApp9.exe 74e874bb14c48f4d33153798bb166edc AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
2
http://www.shootingstarsilver.com/nke/?iJE=zuk3YapxJyeS5yDfl4TPA09nInGwECJBlDdHUcMZwWsxT52AulIJdvBxa6+BAMGrKnOC+lM0&wXO=OZNlib http://www.serenablackcreatives.com/nke/?iJE=EqsjWoDY/paPxbVQO8NthjbeDBl1OlPkKN2BHxM5LB9s4oLQ1ZRC2+hvSz2Y2gm/xFUb9BHt&wXO=OZNlib
|
4
www.serenablackcreatives.com(154.0.175.80) www.shootingstarsilver.com(34.102.136.180) 154.0.175.80 - malware 34.102.136.180 - mailcious
|
3
ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP Unexpected Request body SURICATA HTTP unable to match response to request
|
|
8.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8426 |
2021-06-01 09:25
|
Yx3PBY9RC15I0sLk.jpg.ps1 18fd76d1d31e0833d26a36729842c5f7 Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
https://cdn.discordapp.com/attachments/808540577594736675/848370661323702282/firefox.lnk https://cdn.discordapp.com/attachments/808540577594736675/848370352207691826/gO9BxdwXEaBmHAS2.jpg
|
2
cdn.discordapp.com(162.159.134.233) - malware 162.159.133.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8427 |
2021-06-01 09:28
|
book.jpg 1db8ea99d5b3309e68f5bc941c3cb738 AsyncRAT backdoor PE File DLL .NET DLL PE32 VirusTotal Malware PDB |
|
|
|
|
1.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8428 |
2021-06-01 09:28
|
QUAConsoleApp5.exe 51ee29d68a7aefead4a82af353bab78c PWS Loki[b] Loki[m] AsyncRAT backdoor DNS KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic IP Check Tofsee |
2
http://ip-api.com/json/ https://cdn.discordapp.com/attachments/844641656991907850/846437254331367444/ClassLibrary1.dll
|
6
ip-api.com(208.95.112.1) cdn.discordapp.com(162.159.134.233) - malware yz.videomarket.eu(185.157.161.205) - mailcious 208.95.112.1 162.159.129.233 - malware 185.157.161.205
|
2
ET POLICY External IP Lookup ip-api.com SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8429 |
2021-06-01 09:32
|
firefox.bat 0133dbb43454830e50e7540b52e5c59f AgentTesla Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
|
|
|
5.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8430 |
2021-06-01 09:33
|
d234.exe 4d502f30155e5f6215ed32de99c4ca14 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed |
|
|
|
|
9.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|