| 8971 |
2021-06-17 13:37
|
 xtMLjbxLmstVb.exe 1af4b28e44d75b4fe50ae509798a626c
AsyncRAT backdoor PE File .NET EXE PE32 Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS crashed |
2
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2F96789FFADCFBAAB043B0B1CAC3A6BA.html
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0888AC06C4BB79819B8606F45881FF61.html
|
2
apdocroto.gq(172.67.158.27)
104.21.14.60
|
3
ET INFO DNS Query for Suspicious .gq Domain
SURICATA HTTP Request unrecognized authorization method
ET INFO HTTP Request to a *.gq domain
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8972 |
2021-06-17 13:38
|
 lv.exe 4ae50cbb1eb34f2ab6880f25519504a4
NPKI Gen1 Gen2 Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed |
|
2
PMRAugABGJTWHUKmKnKBzLPg.PMRAugABGJTWHUKmKnKBzLPg()
detectportal.firefox.com(34.107.221.82)
|
|
|
9.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8973 |
2021-06-17 13:38
|
http://srand04rf.ru/f7juhkryu4... 270c3859591599642bd15167765246e3
AgentTesla Ficker Stealer browser info stealer Google Chrome User Data DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persist Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Code Injection Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications AppData folder malicious URLs suspicious TLD sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Windows Exploit Browser Tor ComputerName DNS Software crashed |
2
http://api.ipify.org/?format=xml
http://www.bing.com/favicon.ico
|
7
api.ipify.org(54.243.175.83)
pospvisis.com(185.66.15.228) - mailcious
srand04rf.ru(8.209.119.208) - malware
13.107.21.200
50.19.92.227
92.62.115.177 - mailcious
8.209.119.208 - malware
|
5
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
16.0 |
M |
55 |
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8974 |
2021-06-17 13:39
|
 ctrlxPWVtmxJrb.exe 66f348f54eb3cf9d2fc3a91058bf3bb8
PE File PE32 VirusTotal Malware RWX flags setting unpack itself DNS |
|
|
|
|
3.0 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8975 |
2021-06-17 13:42
|
 Document%20185781.xls aae5b4c8eb3968b6bf06074865070a4e
VBA_macro MSOffice File VirusTotal Malware Check memory unpack itself Tofsee DNS crashed |
10
https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php
https://speechelo-online.com/wp-content/plugins/wordpress-seo-premium/vendor/composer/Xx8PRnR69.php
https://fitzgeraldstreet.com/ap-photos/themes/modus/css/fontello/1j5yZLSi4VE.php
https://courieradmin.phebsoft-team.com/svg/ot0fUe27YMmQ.php
https://secaudit.e-m2.net/wp-content/themes/finvision-child/template-parts/blog-regular/Rib3TgWd3v.php
https://steriglass.stigmatinesafrica.org/wp-includes/sodium_compat/namespaced/Core/ChaCha20/KITDlCQHVyI.php
https://ahdmsport.com/bootstrap/scripts/_notes/Xwi4K0BrmwX6hf.php
https://teste.sitiodoastronauta.com.br/wp-includes/js/tinymce/plugins/charmap/M19jooPri8Tq.php
https://adamjeecommodities.com/wp-content/themes/adamjeecom/inc/options/kUQIZCFicsJ.php
https://steijnborg.mobilitum.com/wp-content/themes/twentytwentyone/template-parts/content/WjovFkpG3.php
|
20
secaudit.e-m2.net(94.124.84.11)
steijnborg.mobilitum.com(51.68.175.88)
fitzgeraldstreet.com(162.253.125.64)
courieradmin.phebsoft-team.com(144.91.77.124)
steriglass.stigmatinesafrica.org(154.0.164.210)
dev1.whoatemylunch.org(70.39.250.160)
teste.sitiodoastronauta.com.br(138.68.235.11)
ahdmsport.com(104.255.169.179)
adamjeecommodities.com(18.136.132.202)
speechelo-online.com(88.99.209.173)
88.99.209.173
144.91.77.124
154.0.164.210
138.68.235.11
70.39.250.160
104.255.169.179 - mailcious
162.253.125.64 - mailcious
94.124.84.11 - mailcious
51.68.175.88
18.136.132.202 - phishing
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
5.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8976 |
2021-06-17 13:44
|
 Document%202519711.xls c64202fc6e89fc1c49cde536894ed99d
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
10
https://es.e-m2.net/wp-includes/js/tinymce/themes/inlite/8S7qnln7.php
https://fitzgeraldstreet.com/ap-photos/themes/modus/css/fontello/1j5yZLSi4VE.php
https://teste.sitiodoastronauta.com.br/wp-includes/js/tinymce/plugins/charmap/M19jooPri8Tq.php
https://adamjeecommodities.com/wp-content/themes/adamjeecom/inc/options/kUQIZCFicsJ.php
https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php
https://santorinitravel.naturalgraphic.hu/wp-content/plugins/cookie-law-info/public/css/l5e7I9bjYqmEQ.php
https://consultadom.e-m2.net/wp-content/themes/mondom/visual-composer/elements/twYd7y9xpAo.php
https://ahdmsport.com/bootstrap/scripts/_notes/Xwi4K0BrmwX6hf.php
https://monarchmedical.co.uk/vendor/bootstrap/css/xrKVZy8sh5ri.php
https://courieradmin.phebsoft-team.com/svg/ot0fUe27YMmQ.php
|
18
santorinitravel.naturalgraphic.hu(87.229.72.45)
ahdmsport.com(104.255.169.179)
fitzgeraldstreet.com(162.253.125.64)
courieradmin.phebsoft-team.com(144.91.77.124)
dev1.whoatemylunch.org(70.39.250.160)
teste.sitiodoastronauta.com.br(138.68.235.11)
es.e-m2.net(94.124.84.11)
monarchmedical.co.uk(18.136.132.202)
adamjeecommodities.com(18.136.132.202)
consultadom.e-m2.net(94.124.84.11)
144.91.77.124
138.68.235.11
70.39.250.160
104.255.169.179 - mailcious
162.253.125.64 - mailcious
94.124.84.11 - mailcious
87.229.72.45 - mailcious
18.136.132.202 - phishing
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
5.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8977 |
2021-06-17 13:45
|
 gfers.exe dbf34c56d244279f0e989540fbd6cda2
Raccoon Stealer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed |
|
|
|
|
2.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8978 |
2021-06-17 13:47
|
 infostati.exe 00ca5d98e8244569f3e07def869fb291
Raccoon Stealer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed |
1
http://detectportal.firefox.com/success.txt?ipv4
|
4
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
mozilla.org(44.235.246.155)
detectportal.firefox.com(34.107.221.82)
34.107.221.82
|
|
|
3.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8979 |
2021-06-17 13:47
|
 log.exe f72277eebaf6b7e2891b7ba24188ebda
AsyncRAT backdoor PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS crashed |
2
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CC63E54262373453B19DBF613B3334DE.html
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0B579F7D05D398DAB455F9EFDAAC3695.html
|
2
apdocroto.gq(172.67.158.27)
172.67.158.27
|
3
SURICATA HTTP Request unrecognized authorization method
ET INFO HTTP Request to a *.gq domain
ET INFO DNS Query for Suspicious .gq Domain
|
|
3.8 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8980 |
2021-06-17 13:48
|
PubSafe.rar 2e7e9709f9538f01e3761efba44c7c1e
Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS |
|
|
|
|
3.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8981 |
2021-06-17 13:50
|
 PC.txt 5688c69c4379841eee42dcaec2dbf55a
AsyncRAT backdoor DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS crashed |
1
|
5
wealthybillionaire.ddns.net(154.118.68.80) - mailcious
www.google.com(172.217.175.4)
142.250.204.132
154.118.68.80
185.140.53.154
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
16.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8982 |
2021-06-17 13:51
|
 regasm.exe a56883a8c35dcf0ba1ab8263afa220e4
PWS Loki[b] Loki[m] .NET framework Admin Tool (Sysinternals etc ...) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://63.141.228.141/32.php/S4wFP8QBww9Tp - rule_id: 1900
http://detectportal.firefox.com/success.txt?ipv4
|
4
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
detectportal.firefox.com(34.107.221.82)
63.141.228.141 - mailcious
34.107.221.82
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://63.141.228.141/32.php
|
14.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8983 |
2021-06-17 14:30
|
 ctrlxPWVtmxJrb.exe 66f348f54eb3cf9d2fc3a91058bf3bb8
Generic Malware Malicious Packer PE File PE32 VirusTotal Malware RWX flags setting unpack itself AntiVM_Disk VM Disk Size Check |
|
|
|
|
2.8 |
M |
58 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8984 |
2021-06-17 15:26
|
http://2.indexsinas.me:811/ser... e8fb243e4a198c6d940b9f829ef0b79a
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
4
2.indexsinas.me(210.90.186.195) - malware
124.217.251.93
210.90.186.195
121.78.116.76
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.6 |
|
56 |
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8985 |
2021-06-17 15:32
|
 f7juhkryu4.exe 270c3859591599642bd15167765246e3
Ficker Stealer PE File PE32 VirusTotal Malware ICMP traffic IP Check DNS |
1
http://api.ipify.org/?format=xml
|
4
api.ipify.org(23.21.205.229)
pospvisis.com(185.66.15.228) - mailcious
185.66.15.228
23.21.245.0
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
4.8 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|