9046 | 2021-06-19 10:13
aim-386818343.xlsm 5a55625270351cd035ffff122fcae85e
Check memory Creates executable files unpack itself suspicious process Tofsee
2
https://beartoothkawasaki.com/QJT19jhtwHt/gg.html
https://biopaten.no/xeBP8Oj5/gg.html
4
beartoothkawasaki.com(192.185.71.128) - mailcious
biopaten.no(5.249.227.109) - mailcious
192.185.71.128 - malware
5.249.227.109 - mailcious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
3.4
guest

9047 | 2021-06-19 10:13
aim-386827314.xlsm 4b2be2409dbf11d8e43eb6784ecc258f
Creates executable files unpack itself suspicious process Tofsee DNS
2
https://beartoothkawasaki.com/QJT19jhtwHt/gg.html
https://biopaten.no/xeBP8Oj5/gg.html
4
biopaten.no(5.249.227.109) - mailcious
beartoothkawasaki.com(192.185.71.128) - mailcious
192.185.71.128 - malware
5.249.227.109 - mailcious
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8
guest

9048 | 2021-06-19 10:15
aim-386037884.xlsm 5e8b78d60a546712a68abedb64f3a455
Check memory Creates executable files unpack itself suspicious process Tofsee
2
https://beartoothkawasaki.com/QJT19jhtwHt/gg.html
https://biopaten.no/xeBP8Oj5/gg.html
4
beartoothkawasaki.com(192.185.71.128) - mailcious
biopaten.no(5.249.227.109) - mailcious
192.185.71.128 - malware
5.249.227.109 - mailcious
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4
guest

9049 | 2021-06-19 10:16
aim-387176491.xlsm 11acc8a0e82823aff2bc5753ba941369
Check memory Creates executable files unpack itself suspicious process Tofsee DNS
2
https://beartoothkawasaki.com/QJT19jhtwHt/gg.html
https://biopaten.no/xeBP8Oj5/gg.html
4
biopaten.no(5.249.227.109) - mailcious
beartoothkawasaki.com(192.185.71.128) - mailcious
192.185.71.128 - malware
5.249.227.109 - mailcious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
4.0
guest

9050 | 2021-06-19 19:00
Toner-RecoverSetup.exe b1ca84cb3ebb2c3ecc6bc4707130c98b
PWS .NET framework Emotet BitCoin AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Collect installed applications Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
8
http://ynabrdosmc.xyz/
https://www.google.com/favicon.ico
https://www.google.com/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png
https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
https://www.google.com/
https://api.ip.sb/geoip
https://iplogger.org/2qJhq6
https://www.google.com/images/hpp/Chrome_Owned_96x96.png
10
api.ip.sb(104.26.12.31)
ssl.gstatic.com(172.217.174.99)
www.google.com(172.217.161.36)
ynabrdosmc.xyz(178.57.217.111)
iplogger.org(88.99.66.31) - mailcious
172.217.175.68
178.57.217.111
88.99.66.31 - mailcious
216.58.220.99
104.26.13.31
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
13.4 | M | 13
ZeroCERT

9051 | 2021-06-19 19:01
Setup.exe 5499fd2b9a83a2de834ba2539d2d210d
PWS .NET framework Emotet Gen1 AsyncRAT backdoor BitCoin AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL PE64 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk WriteConsoleW VMware IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key crashed
11
http://ynabrdosmc.xyz/
http://yaklalau.xyz/
http://ipinfo.io/ip
http://ipinfo.io/country
https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
https://www.google.com/
https://api.ip.sb/geoip
https://iplogger.org/2qJhq6
https://www.google.com/images/hpp/Chrome_Owned_96x96.png
https://ipinfo.io/country
18
ynabrdosmc.xyz(178.57.217.111)
www.google.com(172.217.161.36)
ssl.gstatic.com(172.217.31.163)
yaklalau.xyz(141.136.0.74)
iplogger.org(88.99.66.31) - mailcious
everestsoftrade.com(68.65.120.87) - malware
ipinfo.io(34.117.59.81)
api.ip.sb(172.67.75.172)
ipqualityscore.com(172.67.72.12)
172.67.75.172
178.57.217.111
141.136.0.74
88.99.66.31 - mailcious
142.250.66.36
68.65.120.87 - malware
142.250.66.99
34.117.59.81
172.67.72.12
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup ipinfo.io
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
19.2 | M | 36
ZeroCERT

9052 | 2021-06-21 12:40
jaws 04b3c04aa965443963cbe30966ff9d04
AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself Browser Email
3.8 | 20
ZeroCERT

9053 | 2021-06-21 12:44
file.exe 58e5562209d50978efd614dd040ef4ca
PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed
3.2 | M | 36
ZeroCERT

9054 | 2021-06-21 12:45
ferrari.exe d7cf6a60f9b30ae5ae5e0124b88f5b90
Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed
4.0 | M | 45
ZeroCERT

9055 | 2021-06-21 12:51
file20.exe 350d120fa10b2400fd108dbb87577d3c
Themida Packer PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
2
http://185.215.113.107:47059/
https://api.ip.sb/geoip
3
api.ip.sb(172.67.75.172)
185.215.113.107
104.26.13.31
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 26
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
10.4 | M | 26
ZeroCERT

9056 | 2021-06-21 12:51
puredw.exe 00c99ac957aafe7a9edcfb94cdf51b4c
AsyncRAT backdoor Antivirus AntiDebug AntiVM PE File .NET EXE PE32 PE64 VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
3
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-81514251FABDE2F99CFEBD586080FAC5.html - rule_id: 2096
http://adda.net.in/pure.exe
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0584004D03FC69E0105F907305046667.html - rule_id: 2096
4
apdocroto.gq(172.67.158.27) - mailcious
adda.net.in(103.20.214.241) - malware
104.21.14.60 - mailcious
103.20.214.241 - malware
5
ET INFO DNS Query for Suspicious .gq Domain
SURICATA HTTP Request unrecognized authorization method
ET INFO HTTP Request to a *.gq domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2
http://apdocroto.gq/liverpool-fc-news/features/
http://apdocroto.gq/liverpool-fc-news/features/
14.2 | M | 19
ZeroCERT

9057 | 2021-06-21 12:53
file3s.exe 856cf6ed735093f5fe523f0d99e18424
Raccoon Stealer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed
4.0 | M | 48
ZeroCERT

9058 | 2021-06-21 12:54
Server.exe 3efecc6d6ddfb3d62fb8e9b6496287d9
AsyncRAT backdoor Antivirus KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS crashed
2
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-153E31DBDD1ACDF382491ECDBE37689C.html - rule_id: 2096
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B8A00046C7A941058E012A87473EB342.html - rule_id: 2096
5
apdocroto.gq(104.21.14.60) - mailcious
dontreachme.duckdns.org(46.102.106.151)
104.21.14.60 - mailcious
46.102.106.151
172.67.158.27
4
ET INFO DNS Query for Suspicious .gq Domain
SURICATA HTTP Request unrecognized authorization method
ET INFO HTTP Request to a *.gq domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2
http://apdocroto.gq/liverpool-fc-news/features/
http://apdocroto.gq/liverpool-fc-news/features/
17.8 | M | 12
ZeroCERT

9059 | 2021-06-21 12:55
temp.exe d89c813bf46d01f144a20592d371f0cc
PE File PE64 Dridex TrickBot VirusTotal Malware AutoRuns Malicious Traffic unpack itself Windows utilities suspicious process Tofsee Kovter Windows ComputerName DNS
5
http://61.135.169.121/
http://date-flash.com/temp.exe
https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w
https://103.72.4.166:8443/images/logo_max.png
https://103.72.4.166:8443/images/logo.png
4
date-flash.com(103.209.101.233) - malware
103.72.4.166
103.209.101.233 - malware
61.135.169.121
4
ET USER_AGENTS Go HTTP Client User-Agent
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
8.8 | M | 47
ZeroCERT

9060 | 2021-06-21 12:57
install.exe c47acd5194f2a60666811ac9a14f768d
Anti_VM Antivirus AntiDebug AntiVM PE File PE32 OS Processor Check powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios powershell.exe wrote suspicious process AppData folder WriteConsoleW anti-virtualization Windows ComputerName DNS Cryptographic key crashed
12.4 | M
ZeroCERT