8971 | 2021-06-17 13:37
Sample: xtMLjbxLmstVb.exe
MD5: 1af4b28e44d75b4fe50ae509798a626c
Tags: AsyncRAT backdoor PE File .NET EXE PE32 Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS crashed
URLs (2):
  http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2F96789FFADCFBAAB043B0B1CAC3A6BA.html
  http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0888AC06C4BB79819B8606F45881FF61.html
Hosts (2):
  apdocroto.gq(172.67.158.27)
  104.21.14.60
IDS alerts (3):
  ET INFO DNS Query for Suspicious .gq Domain
  SURICATA HTTP Request unrecognized authorization method
  ET INFO HTTP Request to a *.gq domain
3.0 | M | | ZeroCERT
8972 | 2021-06-17 13:38
Sample: lv.exe
MD5: 4ae50cbb1eb34f2ab6880f25519504a4
Tags: NPKI Gen1 Gen2 Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed
Hosts (2):
  PMRAugABGJTWHUKmKnKBzLPg.PMRAugABGJTWHUKmKnKBzLPg()
  detectportal.firefox.com(34.107.221.82)
9.2 | M | 43 | ZeroCERT
8973 | 2021-06-17 13:38
Sample: http://srand04rf.ru/f7juhkryu4...
MD5: 270c3859591599642bd15167765246e3
Tags: AgentTesla Ficker Stealer browser info stealer Google Chrome User Data DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persist Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Code Injection Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications AppData folder malicious URLs suspicious TLD sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Windows Exploit Browser Tor ComputerName DNS Software crashed
URLs (2):
  http://api.ipify.org/?format=xml
  http://www.bing.com/favicon.ico
Hosts (7):
  api.ipify.org(54.243.175.83)
  pospvisis.com(185.66.15.228) - mailcious
  srand04rf.ru(8.209.119.208) - malware
  13.107.21.200
  50.19.92.227
  92.62.115.177 - mailcious
  8.209.119.208 - malware
IDS alerts (5):
  ET MALWARE Win32/Ficker Stealer Activity
  ET MALWARE Win32/Ficker Stealer Activity M3
  ET POLICY External IP Lookup (ipify .org)
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
16.0 | M | 55 | Kim.GS
8974 | 2021-06-17 13:39
Sample: ctrlxPWVtmxJrb.exe
MD5: 66f348f54eb3cf9d2fc3a91058bf3bb8
Tags: PE File PE32 VirusTotal Malware RWX flags setting unpack itself DNS
3.0 | M | 58 | ZeroCERT
8975 | 2021-06-17 13:42
Sample: Document%20185781.xls
MD5: aae5b4c8eb3968b6bf06074865070a4e
Tags: VBA_macro MSOffice File VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
URLs (10):
  https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php
  https://speechelo-online.com/wp-content/plugins/wordpress-seo-premium/vendor/composer/Xx8PRnR69.php
  https://fitzgeraldstreet.com/ap-photos/themes/modus/css/fontello/1j5yZLSi4VE.php
  https://courieradmin.phebsoft-team.com/svg/ot0fUe27YMmQ.php
  https://secaudit.e-m2.net/wp-content/themes/finvision-child/template-parts/blog-regular/Rib3TgWd3v.php
  https://steriglass.stigmatinesafrica.org/wp-includes/sodium_compat/namespaced/Core/ChaCha20/KITDlCQHVyI.php
  https://ahdmsport.com/bootstrap/scripts/_notes/Xwi4K0BrmwX6hf.php
  https://teste.sitiodoastronauta.com.br/wp-includes/js/tinymce/plugins/charmap/M19jooPri8Tq.php
  https://adamjeecommodities.com/wp-content/themes/adamjeecom/inc/options/kUQIZCFicsJ.php
  https://steijnborg.mobilitum.com/wp-content/themes/twentytwentyone/template-parts/content/WjovFkpG3.php
Hosts (20):
  secaudit.e-m2.net(94.124.84.11)
  steijnborg.mobilitum.com(51.68.175.88)
  fitzgeraldstreet.com(162.253.125.64)
  courieradmin.phebsoft-team.com(144.91.77.124)
  steriglass.stigmatinesafrica.org(154.0.164.210)
  dev1.whoatemylunch.org(70.39.250.160)
  teste.sitiodoastronauta.com.br(138.68.235.11)
  ahdmsport.com(104.255.169.179)
  adamjeecommodities.com(18.136.132.202)
  speechelo-online.com(88.99.209.173)
  88.99.209.173
  144.91.77.124
  154.0.164.210
  138.68.235.11
  70.39.250.160
  104.255.169.179 - mailcious
  162.253.125.64 - mailcious
  94.124.84.11 - mailcious
  51.68.175.88
  18.136.132.202 - phishing
IDS alerts (4):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
5.8 | M | 18 | ZeroCERT
8976 | 2021-06-17 13:44
Sample: Document%202519711.xls
MD5: c64202fc6e89fc1c49cde536894ed99d
Tags: VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS
URLs (10):
  https://es.e-m2.net/wp-includes/js/tinymce/themes/inlite/8S7qnln7.php
  https://fitzgeraldstreet.com/ap-photos/themes/modus/css/fontello/1j5yZLSi4VE.php
  https://teste.sitiodoastronauta.com.br/wp-includes/js/tinymce/plugins/charmap/M19jooPri8Tq.php
  https://adamjeecommodities.com/wp-content/themes/adamjeecom/inc/options/kUQIZCFicsJ.php
  https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php
  https://santorinitravel.naturalgraphic.hu/wp-content/plugins/cookie-law-info/public/css/l5e7I9bjYqmEQ.php
  https://consultadom.e-m2.net/wp-content/themes/mondom/visual-composer/elements/twYd7y9xpAo.php
  https://ahdmsport.com/bootstrap/scripts/_notes/Xwi4K0BrmwX6hf.php
  https://monarchmedical.co.uk/vendor/bootstrap/css/xrKVZy8sh5ri.php
  https://courieradmin.phebsoft-team.com/svg/ot0fUe27YMmQ.php
Hosts (18):
  santorinitravel.naturalgraphic.hu(87.229.72.45)
  ahdmsport.com(104.255.169.179)
  fitzgeraldstreet.com(162.253.125.64)
  courieradmin.phebsoft-team.com(144.91.77.124)
  dev1.whoatemylunch.org(70.39.250.160)
  teste.sitiodoastronauta.com.br(138.68.235.11)
  es.e-m2.net(94.124.84.11)
  monarchmedical.co.uk(18.136.132.202)
  adamjeecommodities.com(18.136.132.202)
  consultadom.e-m2.net(94.124.84.11)
  144.91.77.124
  138.68.235.11
  70.39.250.160
  104.255.169.179 - mailcious
  162.253.125.64 - mailcious
  94.124.84.11 - mailcious
  87.229.72.45 - mailcious
  18.136.132.202 - phishing
IDS alerts (4):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
5.6 | M | 21 | ZeroCERT
8977 | 2021-06-17 13:45
Sample: gfers.exe
MD5: dbf34c56d244279f0e989540fbd6cda2
Tags: Raccoon Stealer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed
2.8 | M | 30 | ZeroCERT
8978 | 2021-06-17 13:47
Sample: infostati.exe
MD5: 00ca5d98e8244569f3e07def869fb291
Tags: Raccoon Stealer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed
URLs (1):
  http://detectportal.firefox.com/success.txt?ipv4
Hosts (4):
  prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
  mozilla.org(44.235.246.155)
  detectportal.firefox.com(34.107.221.82)
  34.107.221.82
3.6 | M | 24 | ZeroCERT
8979 | 2021-06-17 13:47
Sample: log.exe
MD5: f72277eebaf6b7e2891b7ba24188ebda
Tags: AsyncRAT backdoor PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS crashed
URLs (2):
  http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CC63E54262373453B19DBF613B3334DE.html
  http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0B579F7D05D398DAB455F9EFDAAC3695.html
Hosts (2):
  apdocroto.gq(172.67.158.27)
  172.67.158.27
IDS alerts (3):
  SURICATA HTTP Request unrecognized authorization method
  ET INFO HTTP Request to a *.gq domain
  ET INFO DNS Query for Suspicious .gq Domain
3.8 | M | 21 | ZeroCERT
8980 | 2021-06-17 13:48
Sample: PubSafe.rar
MD5: 2e7e9709f9538f01e3761efba44c7c1e
Tags: Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS
3.0 | M | 23 | ZeroCERT
8981 | 2021-06-17 13:50
Sample: PC.txt
MD5: 5688c69c4379841eee42dcaec2dbf55a
Tags: AsyncRAT backdoor DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS crashed
URLs (1):
Hosts (5):
  wealthybillionaire.ddns.net(154.118.68.80) - mailcious
  www.google.com(172.217.175.4)
  142.250.204.132
  154.118.68.80
  185.140.53.154
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
16.2 | M | 34 | ZeroCERT
8982 | 2021-06-17 13:51
Sample: regasm.exe
MD5: a56883a8c35dcf0ba1ab8263afa220e4
Tags: PWS Loki[b] Loki[m] .NET framework Admin Tool (Sysinternals etc ...) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://63.141.228.141/32.php/S4wFP8QBww9Tp - rule_id: 1900
  http://detectportal.firefox.com/success.txt?ipv4
Hosts (4):
  prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
  detectportal.firefox.com(34.107.221.82)
  63.141.228.141 - mailcious
  34.107.221.82
IDS alerts (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Additional entries (1):
  http://63.141.228.141/32.php
14.2 | M | 24 | ZeroCERT
8983 | 2021-06-17 14:30
Sample: ctrlxPWVtmxJrb.exe
MD5: 66f348f54eb3cf9d2fc3a91058bf3bb8
Tags: Generic Malware Malicious Packer PE File PE32 VirusTotal Malware RWX flags setting unpack itself AntiVM_Disk VM Disk Size Check
2.8 | M | 58 | r0d
8984 | 2021-06-17 15:26
Sample: http://2.indexsinas.me:811/ser...
MD5: e8fb243e4a198c6d940b9f829ef0b79a
Tags: AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (4):
  2.indexsinas.me(210.90.186.195) - malware
  124.217.251.93
  210.90.186.195
  121.78.116.76
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
5.6 | | 56 | Kim.GS
8985 | 2021-06-17 15:32
Sample: f7juhkryu4.exe
MD5: 270c3859591599642bd15167765246e3
Tags: Ficker Stealer PE File PE32 VirusTotal Malware ICMP traffic IP Check DNS
URLs (1):
  http://api.ipify.org/?format=xml
Hosts (4):
  api.ipify.org(23.21.205.229)
  pospvisis.com(185.66.15.228) - mailcious
  185.66.15.228
  23.21.245.0
IDS alerts (1):
  ET POLICY External IP Lookup (ipify .org)
4.8 | M | 55 | ZeroCERT