| 8761 |
2021-06-10 22:42
|
 s.doc f3fe5ec3a9f5656e03621e5d573a7c48
RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit DNS crashed |
|
1
|
|
|
4.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8762 |
2021-06-10 22:43
|
 doc-985.exe dca6e8fb2c04552a2a9e3ed7f2688a0b
AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName DNS |
|
|
|
|
2.8 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8763 |
2021-06-10 22:46
|
 sat1_0609_2.dll 1e2385b6c669ba98831b97915f6aceba
PE File DLL OS Processor Check PE32 Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://180.178.106.50/sat1/TEST22-PC_W617601.5D67FB324A9D0823B317377F32B3F2A7/5/file/
|
3
178.72.192.20
180.178.106.50
114.7.240.222
|
3
ET CNC Feodo Tracker Reported CnC Server group 8
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
9.0 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8764 |
2021-06-10 22:46
|
 lv.exe 2bfc43520b982fee79d73b9e052b85d2
AgentTesla Gen1 Gen2 Generic Malware Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persis VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed |
|
2
xrNsGxREeZNXdNtLyIUStGJxq.xrNsGxREeZNXdNtLyIUStGJxq()
104.23.99.190 - mailcious
|
|
|
8.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8765 |
2021-06-10 22:47
|
 doc-08.exe 16657fa097cd334973a5489eeff8bafe
PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8766 |
2021-06-10 22:47
|
 HM5Y9tET7OqUXErV.jpg.ps1 e52ee922fdec2fd99d7e1e65523f5561
Antivirus VirusTotal Malware powershell Malicious Traffic Check memory Creates shortcut Creates executable files unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk - rule_id: 1918
https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk
https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat - rule_id: 1919
https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat
|
5
vaughnojonesmemorialcenter.com(72.167.34.23)
cdn.discordapp.com(162.159.130.233) - malware
162.159.134.233 - malware
180.178.106.50
72.167.34.23
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk
https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat
|
6.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8767 |
2021-06-11 10:59
|
 crisat.exe 349097f5dd8a72464613c37dfce9f017
AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows Remote Code Execution Cryptographic key |
|
1
|
|
|
3.4 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8768 |
2021-06-11 10:59
|
 UnpackChromeEU.exe 2d2f33da036cf7945401ec14ae9ff6ca
UltraVNC PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed |
1
https://p6701.softemstore.xyz/?insert_install=v1857
|
2
p6701.softemstore.xyz(104.21.10.13)
172.67.162.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8769 |
2021-06-11 10:59
|
 iKmuRjOfjI1V.exe 86c9cddc86f2f3e40c8316eafacfc62a
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://116.202.18.132:38563/
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
116.202.18.132
172.67.75.172
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
10.0 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8770 |
2021-06-11 11:02
|
 nerik.exe 6803ee8f500080b6a72a7e391bc4778e
Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
3.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8771 |
2021-06-11 11:09
|
Document1 - Microsoft Word.doc... 55a8f69da427110755203118b875f9a0
AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 PNG Format MSOffice File GIF Format JPEG Format VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
28
https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-main-desktop-watch-page-skeleton.css
https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg=%EA%B0%9C%EC%B2%B4%EA%B0%80%20%ED%95%84%EC%9A%94%ED%95%A9%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F8cab6c66%2Fjsbin%2Fweb-animations-next-lite.min.vflset%2Fweb-animations-next-lite.min.js&line=68
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://www.youtube.com/s/desktop/8cab6c66/jsbin/network.vflset/network.js
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
https://www.youtube.com/s/desktop/8cab6c66/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-noPatch.js
https://www.youtube.com/s/desktop/8cab6c66/jsbin/desktop_polymer_legacy_browsers.vflset/desktop_polymer_legacy_browsers.js
https://www.youtube.com/s/desktop/8cab6c66/jsbin/spf.vflset/spf.js
https://www.youtube.com/s/player/a0094ae9/player_ias.vflset/ko_KR/base.js
https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/s/desktop/8cab6c66/jsbin/www-i18n-constants-ko_KR.vflset/www-i18n-constants.js
https://i.ytimg.com/generate_204
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmSU5fBBc-.woff
https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg='Uint8Array'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fplayer%2Fa0094ae9%2Fplayer_ias.vflset%2Fko_KR%2Fbase.js&line=5663
https://www.youtube.com/s/desktop/8cab6c66/img/favicon.ico
https://r2---sn-3u-bh2le.googlevideo.com/generate_204?conn2
https://fonts.googleapis.com/css?family=Roboto:500,300,700,400|YouTube+Sans:400,500,700
https://www.youtube.com/s/player/a0094ae9/www-player.css
https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-onepick.css
https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-main-desktop-player-skeleton.css
https://www.youtube.com/s/desktop/8cab6c66/jsbin/fetch-polyfill.vflset/fetch-polyfill.js
https://www.youtube.com/watch?v=Ml5L20bWCts
https://www.youtube.com/watch?v=Z1nufRLDQMU
https://www.youtube.com/s/desktop/8cab6c66/jsbin/scheduler.vflset/scheduler.js
https://www.youtube.com/watch?v=ZO2GU7cRrA8
https://www.youtube.com/s/desktop/8cab6c66/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js
https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg='MutationObserver'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F8cab6c66%2Fjsbin%2Fwebcomponents-all-noPatch.vflset%2Fwebcomponents-all-noPatch.js&line=67
https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3D%252Fsignin_passive%26feature%3Dpassive&hl=ko
|
18
ssl.gstatic.com(172.217.27.67)
r6---sn-3u-bh2lr.googlevideo.com(59.18.30.209)
www.youtube.com(172.217.25.110)
fonts.googleapis.com(216.58.220.138)
r2---sn-3u-bh2le.googlevideo.com(59.18.35.205)
i.ytimg.com(172.217.25.118)
r8---sn-3u-bh2el.googlevideo.com(59.18.49.83)
accounts.google.com(172.217.161.77)
fonts.gstatic.com(172.217.26.3)
142.250.204.109
172.217.174.202
59.18.49.83
216.58.220.206 - suspicious
59.18.30.209
142.250.199.67
59.18.35.205
172.217.161.182
142.250.204.99
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8772 |
2021-06-11 12:09
|
 soft.dll 5ba7ac7fa4f9e831679832b6cc22aee8
Gen1 Gen2 PE File DLL OS Processor Check PE32 VirusTotal Malware PDB MachineGuid unpack itself ComputerName DNS |
|
|
|
|
2.2 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8773 |
2021-06-11 12:09
|
 PassPrm.exe a8bad974ed7bdca87535e3676de4f48d
AsyncRAT backdoor PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces DNS |
|
1
|
1
ET INFO DNS Query for Suspicious .cf Domain
|
|
3.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8774 |
2021-06-11 12:25
|
 f7jk8uisdfkh.exe 270c3859591599642bd15167765246e3
Ficker Stealer PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Browser ComputerName DNS Software |
1
http://api.ipify.org/?format=xml
|
4
api.ipify.org(107.22.233.72)
pospvisis.com(185.66.15.228)
107.22.233.72
185.66.15.228
|
3
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
|
|
9.4 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8775 |
2021-06-11 12:25
|
 cmd.exe bbcb6f6fdf6a96a19d47dc05f30b1d8c
PE File .NET EXE OS Processor Check PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName |
2
https://cdn.discordapp.com/attachments/829281619470712862/849290836800700426/t.exe
https://cdn.discordapp.com/attachments/829281619470712862/849291451929329674/p.exe
|
2
cdn.discordapp.com(162.159.129.233) - malware
162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|