9076 |
2021-06-21 20:29
|
HostStartups.exe 6640bb72348963f486a0e0fb7a221587 AgentTesla AsyncRAT backdoor Eredel Stealer Extended email stealer browser info stealer Google Chrome User Data Antivirus DNS Socket KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS crashed |
2
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C1900454F8C1F17DAFA268D4AC67120F.html - rule_id: 2096 http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C311B505088D4AC5F97AC7A0C3EA6538.html - rule_id: 2096
|
4
apdocroto.gq(172.67.158.27) - mailcious dontreachme3.ddns.net(95.90.186.169) 95.90.186.169 172.67.158.27
|
4
ET INFO DNS Query for Suspicious .gq Domain SURICATA HTTP Request unrecognized authorization method ET INFO HTTP Request to a *.gq domain ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
2
http://apdocroto.gq/liverpool-fc-news/features/ http://apdocroto.gq/liverpool-fc-news/features/
|
18.8 |
M |
17 |
ZeroCERT
|
9077 |
2021-06-21 21:03
|
wMaiUQzBqvXzMnnb.jpg.ps1 52a065ddfaa997a46ae7ac35d9abdfaf Antivirus GIF Format Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
3
https://perfectionscommunication.com/wp-content/languages/firefox.lnk
https://perfectionscommunication.com/wp-content/languages/Microsoft.jpg
https://perfectionscommunication.com/wp-content/languages/bHA6E6GTarMBgLEd.jpg
|
2
perfectionscommunication.com(132.148.131.53) - malware 132.148.131.53 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
|
ZeroCERT
|
9078 |
2021-06-22 08:01
|
oki.exe fb2d85e3503b99fffcb9d2892a5af896 AsyncRAT backdoor Antivirus SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C6FEFDB4D5C1D411D177D75771792D61.html - rule_id: 2096 http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-AF112CDD77AAF014CB96EAE02F666573.html - rule_id: 2096
|
3
apdocroto.gq(172.67.158.27) - mailcious 104.21.14.60 - mailcious 172.67.158.27
|
3
ET INFO DNS Query for Suspicious .gq Domain SURICATA HTTP Request unrecognized authorization method ET INFO HTTP Request to a *.gq domain
|
2
http://apdocroto.gq/liverpool-fc-news/features/ http://apdocroto.gq/liverpool-fc-news/features/
|
17.6 |
M |
16 |
ZeroCERT
|
9079 |
2021-06-22 09:17
|
Document%2063653957.xls dfb500a801d3cd450e7f54af9ccb8c4d VBA_macro MSOffice File VirusTotal Malware ICMP traffic unpack itself Tofsee DNS |
10
https://cryptoexpert.work/core/vendor/doctrine/lexer/lib/cpf9PlDnI8yT4tE.php
https://EsteticaCanina.gruporampant.com/wp-content/themes/twentyseventeen/template-parts/footer/w3vaYV8KPKBV2P.php
https://hartlepooltaxi.co.uk/TaxiShop/modules/coreupdater/views/js/bbKt3OpktVRAFni.php
https://www.vidroboxbirigui.com.br/posts/GqlwMINB3GC.php
https://galaxybrindes.com.br/wp-content/plugins/elementor/data/base/F43npljSP.php
https://tricomenergy.com.pk/fonts/font-awesome-4.7.0/css/QblbClNi.php
https://kapraywala.ga/website/wp-includes/js/jquery/ui/kk919Q3Ead7kgFQ.php
https://yourcodeliberdade.com/mail/PHPMailer_5.2.0/test_script/images/ySc5emgn6yieudo.php
https://www.eloyfestas.com.br/posts/EwyU0Hv3aBAST.php
https://games.mobileadsit.com/__MACOSX/paper-panel-all-files/paper-panel/WT3nZjIP.php
|
19
www.eloyfestas.com.br(191.252.105.201)
hartlepooltaxi.co.uk(149.202.90.163)
tricomenergy.com.pk(18.136.132.202)
esteticacanina.gruporampant.com(162.241.61.218)
galaxybrindes.com.br(107.161.183.42)
games.mobileadsit.com(162.241.87.244)
cryptoexpert.work(103.253.212.34)
kapraywala.ga(67.227.152.156)
yourcodeliberdade.com(200.98.245.52)
www.vidroboxbirigui.com.br(191.252.105.201) 107.161.183.42 - mailcious
200.98.245.52 - mailcious
191.252.105.201 - mailcious
149.202.90.163
162.241.87.244
67.227.152.156
162.241.61.218
103.253.212.34
18.136.132.202 - phishing
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO DNS Query for Suspicious .ga Domain ET INFO Suspicious Domain (*.ga) in TLS SNI ET INFO Observed DNS Query to .work TLD
|
|
5.6 |
|
24 |
ZeroCERT
|
9080 |
2021-06-22 09:19
|
lv.exe 25d8cefcd47eafa6fe575b02c3c65bcc Gen1 Gen2 Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 DLL OS P VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed |
|
1
kDoIQjFlLFrVeWWsmaHGNGDXOZWPB.kDoIQjFlLFrVeWWsmaHGNGDXOZWPB()
|
|
|
9.0 |
|
39 |
ZeroCERT
|
9081 |
2021-06-22 09:20
|
smss.exe db07493f8abf7e85974575aa9ad30406 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Backdoor DNS Cryptographic key crashed |
2
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B6781E2429DB6B1FF3ABE17966B385A1.html - rule_id: 2096 http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-68C0D222E1912789D5842E1FDB050046.html - rule_id: 2096
|
2
apdocroto.gq(104.21.14.60) - mailcious 172.67.158.27
|
3
ET INFO DNS Query for Suspicious .gq Domain SURICATA HTTP Request unrecognized authorization method ET INFO HTTP Request to a *.gq domain
|
2
http://apdocroto.gq/liverpool-fc-news/features/ http://apdocroto.gq/liverpool-fc-news/features/
|
10.8 |
M |
16 |
ZeroCERT
|
9082 |
2021-06-22 09:20
|
YEl6CLKPENwsgLHt.txt.vbs 62ee88ba7a87c42b8e493f9a8646d5ee VBScript PowerShell Obfuscated File VirusTotal Malware DNS crashed |
|
|
|
|
1.4 |
|
12 |
ZeroCERT
|
9083 |
2021-06-22 09:22
|
vbc.exe 5beae2f6cea2c9f92ab4e2b34dfac0d4 PWS .NET framework Admin Tool (Sysinternals etc ...) Malicious Library PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
5.4 |
|
32 |
ZeroCERT
|
9084 |
2021-06-22 09:24
|
dw5eq7r.bmp 2be4acc4b6eaa713a7a90a49d95c5541 VirusTotal Malware |
|
|
|
|
0.4 |
|
8 |
ZeroCERT
|
9085 |
2021-06-22 09:26
|
file.exe e0c4171c0bb82cf52647b0ccbfd6f3e3 PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
3.4 |
|
33 |
ZeroCERT
|
9086 |
2021-06-22 09:28
|
lk.exe bd82e968846ab3d7b35b0f49a2522494 PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software |
1
http://exinmbakala.xyz/Panel/five/fre.php
|
2
exinmbakala.xyz(172.67.147.114) 172.67.147.114
|
5
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Fake 404 Response
|
|
8.6 |
|
16 |
ZeroCERT
|
9087 |
2021-06-22 09:29
|
Inquiry pdf.exe a8135bc40e7ed54bb2f77697477df14b AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.8 |
|
20 |
ZeroCERT
|
9088 |
2021-06-22 09:32
|
W0rld cup_QATAR 2022 STADIUM P... 338ffcaf3397eb562228788f41c0268a AgentTesla AsyncRAT backdoor browser info stealer Google Chrome User Data Socket Sniff Audio Escalate priviledges KeyLogger Code injection Internet API Downloader persistence DGA DNS Create Service HTTP FTP Http API Steal credential ScreenShot P2P AntiD VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS Cryptographic key crashed keylogger |
2
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F95A7A48E436A29E2F90064424C79AC7.html - rule_id: 2096 http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F4E006F474BFC99D1182EAD4118326E5.html - rule_id: 2096
|
3
apdocroto.gq(172.67.158.27) - mailcious 185.19.85.134 - mailcious 104.21.14.60 - mailcious
|
3
ET INFO DNS Query for Suspicious .gq Domain SURICATA HTTP Request unrecognized authorization method ET INFO HTTP Request to a *.gq domain
|
2
http://apdocroto.gq/liverpool-fc-news/features/ http://apdocroto.gq/liverpool-fc-news/features/
|
14.4 |
M |
20 |
ZeroCERT
|
9089 |
2021-06-22 09:32
|
cancel_sub_KT901234567890123.x... 6901ee3cdccb4f65c18375d2a31d8a25 VBA_macro VirusTotal Malware Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS crashed |
|
1
|
|
|
8.4 |
|
9 |
ZeroCERT
|
9090 |
2021-06-22 09:33
|
GT2pFbB.dll 4e5fc6111da7ec4512257864ded2f43b PE File PE64 DLL VirusTotal Malware crashed |
|
|
|
|
1.2 |
|
3 |
ZeroCERT
|