8776 | 2021-06-11 12:26
ruzzzki.exe cbb62490f144ce119dcbe5d1ef7f4ff6 AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
2 | http://37.1.219.52:6534/ https://api.ip.sb/geoip
5 | hitechplanet.it(193.164.132.3) api.ip.sb(104.26.12.31) 104.26.12.31 193.164.132.3 37.1.219.52
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
8.4 | M | 39 | ZeroCERT
8777 | 2021-06-11 12:28
MATiXBR.exe 53eb52950fafc1d73f38e6cc298dca5f PE File OS Processor Check PE32 VirusTotal Malware suspicious privilege unpack itself Windows DNS keylogger |
1 |
6.8 | M | 54 | ZeroCERT
8778 | 2021-06-11 12:28
Vlcplayer.exe 6b2715b3c6ce4879c41ea44a261bbdd0 AgentTesla Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Proc VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS crashed |
2 | http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:3122773252&cup2hreq=d65fe03203611d900d495030da7afb81ea941212d698a6445b2076fc504e44c5
4 | edgedl.me.gvt1.com(34.104.35.123) jhGStadDFeXWZzqBmhvvvUESkDWy.jhGStadDFeXWZzqBmhvvvUESkDWy() 34.104.35.123 142.250.204.67
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
15.0 | M | 16 | ZeroCERT
8779 | 2021-06-11 12:30
main.exe 94d266e338b8c8b9ea84cd9c03439032 AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces ComputerName Firmware crashed |
2 | http://matixx.xyz/panel/login.php http://matixx.xyz/panel/
2 | matixx.xyz(212.192.241.97) - malware 212.192.241.97 - malware
1 | ET HUNTING Request to .XYZ Domain with Minimal Headers
12.0 | M | 45 | ZeroCERT
8780 | 2021-06-11 12:30
HAiL.exe 90b78dd5da157605f08463bffa996219 AsyncRAT backdoor PE File .NET EXE PE32 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces DNS |
1 | http://transfer.sh/get/1IwRlTk/iLOVE.exe
2 | transfer.sh(144.76.136.153) - malware 144.76.136.153 - mailcious
4.6 | M | 47 | ZeroCERT
8781 | 2021-06-11 12:30
miner.bin 9559bcadf47a53f861b8fc7769a5ba9f Malicious Packer PE File .NET EXE PE32 VirusTotal Malware PDB |
1.2 | M | 36 | ZeroCERT
8782 | 2021-06-11 12:32
vbc.exe 6c425cf25da766d3d98597a9be4e7300 PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder sandbox evasion Windows Browser Email ComputerName Cryptographic key Software crashed |
7.2 | M | 16 | ZeroCERT
8783 | 2021-06-11 12:32
research-453468889.xlsm 11465058b522cd71f419238bd897a2f1 Creates executable files unpack itself suspicious process Tofsee DNS |
2 | https://keema.tk/SrJfCix7DHn/zv.html
https://birliklpgotogaz.com/05JQwseTb/zv.html
5 | keema.tk(207.174.212.247)
birliklpgotogaz.com(46.31.79.106) 46.31.79.106
142.250.204.67
207.174.212.247 - phishing
5 | ET DNS Query to a .tk domain - Likely Hostile ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
4.8 | | | guest
8784 | 2021-06-11 12:34
research-454358124.xlsm c37e6721c280cfd1623479232567f16e Creates executable files unpack itself suspicious process Tofsee DNS |
2 | https://keema.tk/SrJfCix7DHn/zv.html
https://birliklpgotogaz.com/05JQwseTb/zv.html
4 | birliklpgotogaz.com(46.31.79.106)
keema.tk(207.174.212.247) 207.174.212.247 - phishing
46.31.79.106
5 | ET DNS Query to a .tk domain - Likely Hostile ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | | | guest
8785 | 2021-06-11 12:36
DiSCOFi.exe 74043ea9857ed1b12d551357ed3b5ca3 AsyncRAT backdoor PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder ComputerName |
5.2 | M | 52 | ZeroCERT
8786 | 2021-06-11 12:42
ConsoleApp4.exe c4050e6bdd335e319ca7b848d53b9108 AsyncRAT backdoor Code injection AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName crashed |
1 | https://cdn-101.anonfiles.com/P1hemdxeu9/ea968049-1621548401/cmd.exe
3 | cdn-101.anonfiles.com(217.64.149.169)
botboyz.online() 217.64.149.169
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
10.4 | M | 50 | ZeroCERT
8787 | 2021-06-11 12:52
p.exe a2fd68fa16fa572100cc5c7f9ec6af5a PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Firmware DNS crashed |
1 | http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
4 | edgedl.me.gvt1.com(34.104.35.123) plexic.xyz() - mailcious 142.250.204.131 34.104.35.123
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
8.0 | M | 33 | ZeroCERT
8788 | 2021-06-11 12:55
t.exe 27cbe7dd25fcf34f9fdf55db0c55b1a4 PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Firmware DNS crashed |
2 | http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1623379959&mv=u&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com
4 | matix.cf() - mailcious r2---sn-3u-bh2z7.gvt1.com(211.114.66.77) 142.250.207.67 211.114.66.77
5 | ET INFO DNS Query for Suspicious .cf Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
8.0 | M | 37 | ZeroCERT
8789 | 2021-06-11 13:04
research-454091161.xlsm 6f59d4e021f3792927f8260947c5e422 Creates executable files unpack itself suspicious process Tofsee DNS |
2 | https://keema.tk/SrJfCix7DHn/zv.html
https://birliklpgotogaz.com/05JQwseTb/zv.html
4 | keema.tk(207.174.212.247)
birliklpgotogaz.com(46.31.79.106) 46.31.79.106
207.174.212.247 - phishing
5 | ET DNS Query to a .tk domain - Likely Hostile ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
3.8 | | | guest
8790 | 2021-06-11 13:12
research-465435183.xlsm 15974008521b37da4005366256485d1a Creates executable files unpack itself suspicious process Tofsee DNS |
2 | https://keema.tk/SrJfCix7DHn/zv.html
https://birliklpgotogaz.com/05JQwseTb/zv.html
4 | keema.tk(207.174.212.247)
birliklpgotogaz.com(46.31.79.106) 46.31.79.106
207.174.212.247 - phishing
5 | ET DNS Query to a .tk domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
3.8 | | | guest