8671 | 2021-06-08 13:29 | file31.exe | 76c0ff15fb4bc456ed615f6227549ef1
Tags: PWS Loki[b] Loki[m] AgentTesla .NET framework Gen1 browser info stealer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software Password
URLs (9): http://159.69.20.131/mozglue.dll http://159.69.20.131/softokn3.dll http://159.69.20.131/vcruntime140.dll http://159.69.20.131/ http://159.69.20.131/898 http://159.69.20.131/freebl3.dll http://159.69.20.131/msvcp140.dll http://159.69.20.131/nss3.dll https://dimashub.tumblr.com/
Hosts (3): dimashub.tumblr.com(74.114.154.18) 159.69.20.131 74.114.154.18 - mailcious
Alerts (6): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Vidar/Arkei Stealer Client Data Upload; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
18.6 | M | 44 | ZeroCERT

8672 | 2021-06-08 13:30 | excel | 4024e3a79b01981ce7e8c42c8c815d30
Tags: PE File OS Processor Check PE32 VirusTotal Malware DNS
2.0 | M | 33 | ZeroCERT

8673 | 2021-06-08 13:32 | setup.exe | 9490fb5373a092dd67ca4e5c1fb7d747
Tags: Emotet AsyncRAT backdoor Gen1 PE File PE32 PE64 DLL OS Processor Check Malware download VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check crashed Downloader
URLs (1): http://net-man.info/age3.exe
Hosts (2): net-man.info(104.21.46.17) 172.67.222.138
Alerts (1): ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
3.6 | M | 2 | ZeroCERT

8674 | 2021-06-08 13:33 | JNB.exe | 5f4b0a0fc9e6d760a09f5b87826e6212
Tags: Generic Malware PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself ComputerName
1.8 | M | 14 | ZeroCERT

8675 | 2021-06-08 13:36 | HBN.exe | 0da7c74ea5d4521529b9c921529082b2
Tags: Generic Malware PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization ComputerName DNS
3.0 | M | 13 | ZeroCERT

8676 | 2021-06-08 13:36 | file31.exe | 76c0ff15fb4bc456ed615f6227549ef1
Tags: PWS Loki[b] Loki[m] AgentTesla .NET framework Gen1 browser info stealer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software crashed Password
URLs (9): http://159.69.20.131/mozglue.dll http://159.69.20.131/softokn3.dll http://159.69.20.131/vcruntime140.dll http://159.69.20.131/ http://159.69.20.131/898 http://159.69.20.131/freebl3.dll http://159.69.20.131/msvcp140.dll http://159.69.20.131/nss3.dll https://dimashub.tumblr.com/
Hosts (3): dimashub.tumblr.com(74.114.154.22) 159.69.20.131 74.114.154.18 - mailcious
Alerts (6): ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Vidar/Arkei Stealer Client Data Upload; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
18.8 | M | 44 | ZeroCERT

8677 | 2021-06-08 13:37 | br.exe | 1c85f40e4abe47f93982099c8d9753c1
Tags: AsyncRAT backdoor PWS .NET framework Anti_VM Malicious Library DGA DNS SMTP Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Internet API ScreenShot Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger
Hosts (1): 79.134.225.73 - mailcious
13.8 | M | 40 | ZeroCERT

8678 | 2021-06-08 13:40 | AAA.exe | abdd03cef2d854d4caa2b633d633bfe1
Tags: Generic Malware PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization ComputerName DNS
3.0 | M | 14 | ZeroCERT

8679 | 2021-06-08 13:42 | FNM.exe | bde0289473fa5ed70ff343254bbb5c76
Tags: Generic Malware PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization ComputerName DNS
3.2 | M | 22 | ZeroCERT

8680 | 2021-06-08 13:42 | EBN.exe | cbca03f7d4b73b42caf9d613050dc414
Tags: Generic Malware PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization ComputerName
2.4 | M | 12 | ZeroCERT

8681 | 2021-06-08 16:03 | RFL_0731_60_127.exe | 52757942734a95026f4499e2747f8007
Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.113.70) 162.88.193.70 172.67.188.154
Alerts (4): ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.6 | M | 38 | ZeroCERT

8682 | 2021-06-08 16:04 | IMG_0001_205_60_37.exe | c222dad25c8ba8ab2af48692ad261bcf
Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.113.70) 162.88.193.70 172.67.188.154
Alerts (4): ET POLICY External IP Lookup - checkip.dyndns.org; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY DynDNS CheckIp External IP Address Server Response
10.2 | M | 36 | ZeroCERT

8683 | 2021-06-08 16:06 | spc | 0600368dd5cd4cf1fc90f41827518b29
Tags: AntiDebug AntiVM ELF VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself Browser Email
3.8 | M | 29 | ZeroCERT

8684 | 2021-06-08 16:06 | BLI_0610_36_31.exe | a8ad861ef6877f243bdfbb00ddf2f37b
Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.113.70) 131.186.161.70 104.21.19.200
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.2 | M | 38 | ZeroCERT

8685 | 2021-06-08 16:08 | BLI_057702308.exe | 6f86775cd014c339e3c8b25563fd51d9
Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.113.70) 162.88.193.70 104.21.19.200
Alerts (4): ET POLICY External IP Lookup - checkip.dyndns.org; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY DynDNS CheckIp External IP Address Server Response; ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
9.6 | M | 36 | ZeroCERT