8686 |
2021-06-08 16:08
|
BLI_0617851034.exe 5346c6935008b47b700b97482463099c SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.113.70) 162.88.193.70 172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
9.0 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8687 |
2021-06-08 16:10
|
RFL_06601287.exe d87d1faa4c23aa64e915d4d4f269e105 SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows ComputerName DNS crashed |
|
1
|
|
|
5.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8688 |
2021-06-08 16:11
|
9011.exe ed4a90d8b23e1ca80bb595a9d9630be8 SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 131.186.161.70 104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
10.2 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8689 |
2021-06-08 16:12
|
11222.exe cf7421633145edb90fbcac702fb4603a AgentTesla browser info stealer Google Chrome User Data Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself suspicious process Windows |
|
|
|
|
6.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8690 |
2021-06-08 16:12
|
IMG_52_67_21_33.exe becc9c4709bbee070275cd42acfc02c9 SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 172.67.188.154 131.186.161.70
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8691 |
2021-06-08 16:13
|
BTL_01880433.exe bdccbcaabf832a0a2b0f74afcc3ba8a1 SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 162.88.193.70 104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
10.8 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8692 |
2021-06-08 16:14
|
RFT_056_17_30_81.exe c1f2b32fc6c1f69190516de627f9fa43 SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 216.146.43.70 - suspicious 104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8693 |
2021-06-08 16:14
|
ewa.exe e177b9ddfcae8d13fe94d04395ea920e PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
10.8 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8694 |
2021-06-08 16:16
|
BLI_05110637.exe bae1820a589c3c2a3d76bb6984e155ef Gen1 AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password |
9
http://212.192.241.220/main.php http://212.192.241.220/5.jpg http://212.192.241.220/ http://212.192.241.220/7.jpg http://212.192.241.220/1.jpg http://212.192.241.220/3.jpg http://212.192.241.220/4.jpg http://212.192.241.220/6.jpg http://212.192.241.220/2.jpg
|
2
172.67.188.154 212.192.241.220
|
5
ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
11.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8695 |
2021-06-08 16:17
|
nanno1.exe d44345634f9dbc3d9cda94370dc66203 DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself human activity check Windows ComputerName |
|
2
rej.rejgroups.com(185.222.57.254) - suspicious 185.222.57.254 - suspicious
|
|
|
6.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8696 |
2021-06-08 16:17
|
Inv%20799146.xls c72b5321c62c54829b3300ee5d9441e1 VBA_macro MSOffice File VirusTotal Malware Check memory unpack itself Tofsee DNS crashed |
3
https://main.bgsr.site/wp-includes/sodium_compat/src/Core32/ChaCha20/d68Tou3ui1RoUA.php
https://cliente13.vetcarebahia.com/midias/anexos/3/4/0WfGc83H0Y.php
https://makolet.nsmatrix3.com/wp-content/plugins/woocommerce/templates/auth/gnq4mYeZYgL4dN.php
|
6
main.bgsr.site() - mailcious
makolet.nsmatrix3.com(185.104.45.26)
cliente13.vetcarebahia.com(107.161.183.42) 107.161.183.42
185.104.45.26
104.21.19.200
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8697 |
2021-06-08 16:19
|
RFL_0570103064.exe ea5b036e25672815c17e85213586f118 SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
6
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 216.146.43.71 185.222.57.254 - suspicious 172.67.188.154 104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
10.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8698 |
2021-06-08 16:21
|
vbc.exe 5313f320a680a992243c59f38561ba9a PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS Socket Sniff Audio KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key keylogger |
2
http://www.iptrackeronline.com/ https://www.iptrackeronline.com/
|
4
www.iptrackeronline.com(104.26.1.222) immzonenorthbellmorexxx.mangospot.net(194.5.97.61) - mailcious 104.26.0.222 194.5.97.61 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8699 |
2021-06-08 16:24
|
lv.exe dba9d5c211d728da4b92e0064a445ecd AgentTesla Gen1 Gen2 Generic Malware Malicious Packer Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persis VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed |
|
2
rYHtYHrEKqvv.rYHtYHrEKqvv() 194.5.97.61 - mailcious
|
|
|
8.8 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8700 |
2021-06-08 16:40
|
dootakim.vbs 7bf15c10dd4e523a1338d054c0ace9d9Malware Malicious Traffic WMI wscript.exe payload download Creates shortcut Creates executable files Windows ComputerName |
16
http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEFDtZ0JVYUv07T7UI8yTyn0%3D http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEADzAwdvBip42MYbURaknTY%3D http://sv.symcb.com/sv.crl http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl http://crl.verisign.com/pca3.crl http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files - rule_id: 1871 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA3etT%2BVczf76vmMSmFbFJ0%3D http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEDA2ePYtKPWPCdFq3RW5wHE%3D http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j%2BApJVk%3D http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBLwJ34PIzs5%2BUGbBujN41I%3D
|
13
csc3-2004-crl.verisign.com() sv.symcb.com(117.18.237.29) ocsp.digicert.com(117.18.237.29) evcs-ocsp.ws.symantec.com(23.4.43.27) crl.verisign.com(117.18.237.29) s2.symcb.com(23.4.43.27) alyssalove.getenjoyment.net(185.176.43.98) - mailcious ocsp.verisign.com(23.4.43.27) sv.symcd.com(23.4.43.27) 23.37.139.27 117.18.237.29 23.74.19.27 185.176.43.98 - mailcious
|
1
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
|
1
http://alyssalove.getenjoyment.net/0423/v.php
|
5.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|