| 9001 |
2021-06-18 09:07
|
 z7ggs.exe 6b7554c5f2b7a246639156524fb86a78
AsyncRAT backdoor PWS .NET framework Gen1 Gen2 Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed |
4
http://34.76.8.115//l/f/W2VtHHoBuI_ccNKoibAG/e077b412e4e9b04043dfc595bae6abb1966ac987
http://34.76.8.115//l/f/W2VtHHoBuI_ccNKoibAG/a4bf8575ff58234bbfb45ede44543896e556da37
http://34.76.8.115/
https://tttttt.me/hellobroprocreate
|
3
tttttt.me(95.216.186.40) - mailcious
95.216.186.40 - mailcious
34.76.8.115
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9002 |
2021-06-18 09:07
|
vidarses.exe 7283347ba70004a56396caa0a2de7bb0
Gen1 PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process sandbox evasion WriteConsoleW VMware anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName Remote Code Execution Firmware DNS Software crashed Password |
9
http://159.69.20.131/mozglue.dll
http://159.69.20.131/softokn3.dll
http://159.69.20.131/vcruntime140.dll
http://159.69.20.131/ - rule_id: 1881
http://159.69.20.131/898 - rule_id: 1882
http://159.69.20.131/freebl3.dll
http://159.69.20.131/msvcp140.dll
http://159.69.20.131/nss3.dll
https://bandakere.tumblr.com/
|
3
bandakere.tumblr.com(74.114.154.22)
159.69.20.131 - mailcious
74.114.154.22 - mailcious
|
6
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
2
http://159.69.20.131/
http://159.69.20.131/898
|
16.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9003 |
2021-06-18 09:12
|
 aim-2043102860.xlsb 2cdecf145abc952da288222aadb77c35Check memory Creates executable files unpack itself suspicious process Tofsee |
2
https://tattoo-thailand.com/cvAMN0orV9b/moon.html
https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
|
3
roadtopassiveincomeonline.com(192.185.51.79)
tattoo-thailand.com(192.185.51.79)
192.185.51.79
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9004 |
2021-06-18 09:12
|
 aim-2042502358.xlsb 3cde67faa456fb5019f7ce2b163bee1dCheck memory Creates executable files unpack itself suspicious process Tofsee DNS |
2
https://tattoo-thailand.com/cvAMN0orV9b/moon.html
https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
|
3
roadtopassiveincomeonline.com(192.185.51.79)
tattoo-thailand.com(192.185.51.79)
192.185.51.79
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9005 |
2021-06-18 09:12
|
 aim-2044108491.xlsb 6c8a2cdc722922d6e468d1d151a24333Check memory Creates executable files unpack itself suspicious process Tofsee |
2
https://tattoo-thailand.com/cvAMN0orV9b/moon.html
https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html
|
3
roadtopassiveincomeonline.com(192.185.51.79)
tattoo-thailand.com(192.185.51.79)
192.185.51.79
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9006 |
2021-06-18 09:41
|
 test.exe d57237560c25aff34850ab1980a0fb04
PE File PE32 Dridex TrickBot VirusTotal Malware unpack itself Kovter DNS |
|
1
|
1
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
|
|
2.6 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9007 |
2021-06-18 09:46
|
 relvo.exe 3f891f4ea01741d664416c3b34f64208
Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library PE File PE32 VirusTotal Malware Remote Code Execution |
|
|
|
|
2.6 |
M |
45 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9008 |
2021-06-18 09:46
|
 cmd.exe 63dcb28db1ff4d702e97a1fa3e9ac02d
PE File .NET EXE OS Processor Check PE32 VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces AppData folder Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
5.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9009 |
2021-06-18 09:48
|
 mmm.exe 32e3f8a1ab7698ec5b0644a8ac1d34b8
PWS .NET framework Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9010 |
2021-06-18 09:49
|
 file.exe fb4bd33f89ac6417468bb1d4729f8b75
Raccoon Stealer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed |
|
|
|
|
3.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9011 |
2021-06-18 09:52
|
 redbutton.png 1a5f3ca6597fcccd3295ead4d22ce70b
PE File OS Processor Check PE32 Dridex TrickBot VirusTotal Malware Report PDB suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed |
4
http://detectportal.firefox.com/success.txt?ipv4
https://27.72.107.215/tot112/TEST22-PC_W617601.B83B71A0873C68B5D06BB278310EAB3F/5/kps/
https://190.110.179.139/tot112/TEST22-PC_W617601.B83B71A0873C68B5D06BB278310EAB3F/5/kps/
https://186.97.172.178/tot112/TEST22-PC_W617601.B83B71A0873C68B5D06BB278310EAB3F/5/kps/
|
8
mozilla.org(44.236.48.31)
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
detectportal.firefox.com(34.107.221.82)
190.110.179.139
27.72.107.215
186.66.15.10
34.107.221.82
186.97.172.178
|
5
ET CNC Feodo Tracker Reported CnC Server group 12
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 11
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
6.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9012 |
2021-06-18 09:53
|
 god.exe e5a571a66090b1a9c61ab60f41abc465
AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9013 |
2021-06-18 09:56
|
 asd.exe 8b7f7f3857dd6194924c982d97fd13ce
PWS Loki[b] Loki[m] PE File PE32 DLL JPEG Format Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process AppData folder suspicious TLD WriteConsoleW VMware anti-virtualization Tofsee Windows Email ComputerName Firmware DNS Software crashed |
5
http://x-vpn.ug//hfV3vDtt/index.php
http://f.hiterima.ru/87435972.exe
http://x-vpn.ug/hfV3vDtt/plugins/cred.dll
http://x-vpn.ug/hfV3vDtt/index.php
http://x-vpn.ug/hfV3vDtt/index.php?scr=1
|
4
f.hiterima.ru(217.107.34.191) - malware
x-vpn.ug(193.164.16.141)
193.164.16.141
217.107.34.191 - mailcious
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET MALWARE Amadey CnC Check-In
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
|
15.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9014 |
2021-06-18 09:58
|
 87435972.exe 75cb80f790fc91926ba1d90a0bb6e09e
PE File PE32 VirusTotal Malware unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware DNS crashed |
1
http://detectportal.firefox.com/success.txt?ipv4
|
5
mozilla.org(44.236.72.93)
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
detectportal.firefox.com(34.107.221.82)
193.164.16.141
34.107.221.82
|
|
|
7.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9015 |
2021-06-18 10:01
|
 TNWKX9Z3WCY9YXCB.jar 082a3c07f697e6b1cd18ca2840f3a4dfVirusTotal Malware Check memory heapspray unpack itself Java DNS |
|
|
|
|
3.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|