8761 | 2021-06-10 22:42 | s.doc | f3fe5ec3a9f5656e03621e5d573a7c48 | 4.6 | M | 25 | ZeroCERT
Tags: RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit DNS crashed
Hosts (1)
8762 | 2021-06-10 22:43 | doc-985.exe | dca6e8fb2c04552a2a9e3ed7f2688a0b | 2.8 | | 15 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName DNS
8763 | 2021-06-10 22:46 | sat1_0609_2.dll | 1e2385b6c669ba98831b97915f6aceba | 9.0 | | 17 | ZeroCERT
Tags: PE File DLL OS Processor Check PE32 Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
URLs (1): https://180.178.106.50/sat1/TEST22-PC_W617601.5D67FB324A9D0823B317377F32B3F2A7/5/file/
Hosts (3): 178.72.192.20 180.178.106.50 114.7.240.222
Alerts (3): ET CNC Feodo Tracker Reported CnC Server group 8; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
8764 | 2021-06-10 22:46 | lv.exe | 2bfc43520b982fee79d73b9e052b85d2 | 8.0 | M | 38 | ZeroCERT
Tags: AgentTesla Gen1 Gen2 Generic Malware Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persis VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed
Hosts (2): xrNsGxREeZNXdNtLyIUStGJxq.xrNsGxREeZNXdNtLyIUStGJxq() 104.23.99.190 - malicious
8765 | 2021-06-10 22:47 | doc-08.exe | 16657fa097cd334973a5489eeff8bafe | 7.8 | M | 31 | ZeroCERT
Tags: PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
8766 | 2021-06-10 22:47 | HM5Y9tET7OqUXErV.jpg.ps1 | e52ee922fdec2fd99d7e1e65523f5561 | 6.8 | | 5 | ZeroCERT
Tags: Antivirus VirusTotal Malware powershell Malicious Traffic Check memory Creates shortcut Creates executable files unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (4): https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk - rule_id: 1918 https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat - rule_id: 1919 https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat
Hosts (5): vaughnojonesmemorialcenter.com(72.167.34.23) cdn.discordapp.com(162.159.130.233) - malware 162.159.134.233 - malware 180.178.106.50 72.167.34.23
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Files (2): https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat
8767 | 2021-06-11 10:59 | crisat.exe | 349097f5dd8a72464613c37dfce9f017 | 3.4 | | 25 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows Remote Code Execution Cryptographic key
Hosts (1)
8768 | 2021-06-11 10:59 | UnpackChromeEU.exe | 2d2f33da036cf7945401ec14ae9ff6ca | 10.6 | | 43 | ZeroCERT
Tags: UltraVNC PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed
URLs (1): https://p6701.softemstore.xyz/?insert_install=v1857
Hosts (2): p6701.softemstore.xyz(104.21.10.13) 172.67.162.27
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8769 | 2021-06-11 10:59 | iKmuRjOfjI1V.exe | 86c9cddc86f2f3e40c8316eafacfc62a | 10.0 | | 14 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://116.202.18.132:38563/ https://api.ip.sb/geoip
Hosts (3): api.ip.sb(172.67.75.172) 116.202.18.132 172.67.75.172
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
8770 | 2021-06-11 11:02 | nerik.exe | 6803ee8f500080b6a72a7e391bc4778e | 3.6 | M | 30 | ZeroCERT
Tags: Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed
8771 | 2021-06-11 11:09 | Document1 - Microsoft Word.doc... | 55a8f69da427110755203118b875f9a0 | 10.4 | | 46 | ZeroCERT
Tags: AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 PNG Format MSOffice File GIF Format JPEG Format VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
URLs (28): https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-main-desktop-watch-page-skeleton.css https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg=%EA%B0%9C%EC%B2%B4%EA%B0%80%20%ED%95%84%EC%9A%94%ED%95%A9%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F8cab6c66%2Fjsbin%2Fweb-animations-next-lite.min.vflset%2Fweb-animations-next-lite.min.js&line=68 https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmEU9fBBc-.woff https://www.youtube.com/s/desktop/8cab6c66/jsbin/network.vflset/network.js https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff https://www.youtube.com/s/desktop/8cab6c66/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-noPatch.js https://www.youtube.com/s/desktop/8cab6c66/jsbin/desktop_polymer_legacy_browsers.vflset/desktop_polymer_legacy_browsers.js https://www.youtube.com/s/desktop/8cab6c66/jsbin/spf.vflset/spf.js https://www.youtube.com/s/player/a0094ae9/player_ias.vflset/ko_KR/base.js https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff https://www.youtube.com/s/desktop/8cab6c66/jsbin/www-i18n-constants-ko_KR.vflset/www-i18n-constants.js https://i.ytimg.com/generate_204 https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmSU5fBBc-.woff https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg='Uint8Array'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fplayer%2Fa0094ae9%2Fplayer_ias.vflset%2Fko_KR%2Fbase.js&line=5663 https://www.youtube.com/s/desktop/8cab6c66/img/favicon.ico https://r2---sn-3u-bh2le.googlevideo.com/generate_204?conn2 https://fonts.googleapis.com/css?family=Roboto:500,300,700,400|YouTube+Sans:400,500,700 https://www.youtube.com/s/player/a0094ae9/www-player.css https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-onepick.css https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-main-desktop-player-skeleton.css https://www.youtube.com/s/desktop/8cab6c66/jsbin/fetch-polyfill.vflset/fetch-polyfill.js https://www.youtube.com/watch?v=Ml5L20bWCts https://www.youtube.com/watch?v=Z1nufRLDQMU https://www.youtube.com/s/desktop/8cab6c66/jsbin/scheduler.vflset/scheduler.js https://www.youtube.com/watch?v=ZO2GU7cRrA8 https://www.youtube.com/s/desktop/8cab6c66/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg='MutationObserver'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F8cab6c66%2Fjsbin%2Fwebcomponents-all-noPatch.vflset%2Fwebcomponents-all-noPatch.js&line=67 https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3D%252Fsignin_passive%26feature%3Dpassive&hl=ko
Hosts (18): ssl.gstatic.com(172.217.27.67) r6---sn-3u-bh2lr.googlevideo.com(59.18.30.209) www.youtube.com(172.217.25.110) fonts.googleapis.com(216.58.220.138) r2---sn-3u-bh2le.googlevideo.com(59.18.35.205) i.ytimg.com(172.217.25.118) r8---sn-3u-bh2el.googlevideo.com(59.18.49.83) accounts.google.com(172.217.161.77) fonts.gstatic.com(172.217.26.3) 142.250.204.109 172.217.174.202 59.18.49.83 216.58.220.206 - suspicious 59.18.30.209 142.250.199.67 59.18.35.205 172.217.161.182 142.250.204.99
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8772 | 2021-06-11 12:09 | soft.dll | 5ba7ac7fa4f9e831679832b6cc22aee8 | 2.2 | | 13 | ZeroCERT
Tags: Gen1 Gen2 PE File DLL OS Processor Check PE32 VirusTotal Malware PDB MachineGuid unpack itself ComputerName DNS
8773 | 2021-06-11 12:09 | PassPrm.exe | a8bad974ed7bdca87535e3676de4f48d | 3.0 | M | 40 | ZeroCERT
Tags: AsyncRAT backdoor PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces DNS
Hosts (1)
Alerts (1): ET INFO DNS Query for Suspicious .cf Domain
8774 | 2021-06-11 12:25 | f7jk8uisdfkh.exe | 270c3859591599642bd15167765246e3 | 9.4 | M | 44 | ZeroCERT
Tags: Ficker Stealer PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Browser ComputerName DNS Software
URLs (1): http://api.ipify.org/?format=xml
Hosts (4): api.ipify.org(107.22.233.72) pospvisis.com(185.66.15.228) 107.22.233.72 185.66.15.228
Alerts (3): ET MALWARE Win32/Ficker Stealer Activity; ET MALWARE Win32/Ficker Stealer Activity M3; ET POLICY External IP Lookup (ipify .org)
8775 | 2021-06-11 12:25 | cmd.exe | bbcb6f6fdf6a96a19d47dc05f30b1d8c | 5.2 | M | 37 | ZeroCERT
Tags: PE File .NET EXE OS Processor Check PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName
URLs (2): https://cdn.discordapp.com/attachments/829281619470712862/849290836800700426/t.exe https://cdn.discordapp.com/attachments/829281619470712862/849291451929329674/p.exe
Hosts (2): cdn.discordapp.com(162.159.129.233) - malware 162.159.135.233 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)