9466 | 2021-06-29 09:30
File: 1.txt.ps1
MD5: 291290980ec45b24bdcbbd5beff36708
Tags: Anti_VM Antivirus AntiDebug AntiVM GIF Format Malware download njRAT VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself WriteConsoleW Windows ComputerName DNS DDNS crashed
Hosts (2): alphamaeh.duckdns.org(103.155.81.167); 103.155.81.167
Signatures (2): ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll); ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score 10.4 | 7 | ZeroCERT

9467 | 2021-06-29 09:30
File: 3.txt.ps1
MD5: 11d26b2407f4f7f83625070686274028
Tags: Anti_VM Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
Score 1.6 | 12 | ZeroCERT

9468 | 2021-06-29 09:32
File: ukkni.jpg
MD5: 61d22e224696022ef807a5acc02fd1d0
Tags: DNS
Hosts: 1 (none listed)
Score 0.6 | ZeroCERT

9469 | 2021-06-29 09:40
File: plan-1811813221.xlsb
MD5: 1143afd65ac5876fa4e793850ab89704
Tags: Check memory Creates executable files unpack itself suspicious process Tofsee
URLs (2):
https://carpascapital.com/gBPg8MtsGbv/ka.html
https://gruasphenbogota.com/C74hwGGxi/ka.html
Hosts (3): gruasphenbogota.com(50.116.92.246); carpascapital.com(50.116.92.246); 50.116.92.246 - malware
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score 3.0 | guest

9470 | 2021-06-29 09:42
File: plan-1811162309.xlsb
MD5: e489a06471cbbe594a1ff7c306db410e
Tags: VirusTotal Malware Check memory Creates executable files unpack itself suspicious process Tofsee DNS
URLs (2):
https://carpascapital.com/gBPg8MtsGbv/ka.html
https://gruasphenbogota.com/C74hwGGxi/ka.html
Hosts (3): gruasphenbogota.com(50.116.92.246); carpascapital.com(50.116.92.246); 50.116.92.246 - malware
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score 4.2 | 19 | guest

9471 | 2021-06-29 09:58
File: idu9A98.exe
MD5: 16493223940cd99199a672e44dec05d6
Tags: Escalate priviledges KeyLogger Code injection ScreenShot AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE Code Injection Check memory buffers extracted sandbox evasion ComputerName DNS
Hosts: 1 (none listed)
Score 8.0 | 13 | ZeroCERT

9472 | 2021-06-29 10:03
File: 유튜브_영상(jobt).js
MD5: 7daf20ca3c13dca88bf55c928bd3a0ba
Score - | guest

9473 | 2021-06-29 10:10
File: 유튜브_영상(jobt).js
MD5: 7daf20ca3c13dca88bf55c928bd3a0ba
Score - | guest

9474 | 2021-06-29 10:31
File: 9804787b31e0025dd2ae9344ca1bea...
MD5: 145e3c224e4ecaf26d4638efb9d622a7
Tags: Netfilter rootkit UPX AntiDebug AntiVM OS Processor Check PE32 PE File PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection WriteConsoleW Windows Advertising DNS
URLs (1): http://45.113.202.180:608/d6
Hosts: 1 (none listed)
Signatures (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score 6.8 | 59 | r0d

9475 | 2021-06-29 10:42
File: 97e6dac4.exe
MD5: 8bf00ef4dd6bb308c76849901b03ccbd
Tags: Netfilter rootkit AntiDebug AntiVM PE32 PE File PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection WriteConsoleW Windows Advertising DNS
URLs (1): http://45.113.202.180:608/d6
Hosts: 1 (none listed)
Signatures (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score 6.2 | 56 | r0d

9476 | 2021-06-29 10:43
File: d6
MD5: 530f12f8058199964d0b41f1856185ec
Tags: PE64 PE File VirusTotal Malware PDB
Score 1.4 | 38 | ZeroCERT

9477 | 2021-06-29 11:18
File: d6
MD5: 530f12f8058199964d0b41f1856185ec
Tags: Netfilter rootkit PE64 PE File VirusTotal Malware PDB
Score 1.4 | M | 38 | r0d

9478 | 2021-06-29 13:48
File: 92d8c89e8dc92d61a9ff78a3047117...
MD5: 92d8c89e8dc92d61a9ff78a304711791
Tags: PE32 PE File VirusTotal Malware Check memory RWX flags setting sandbox evasion Browser Remote Code Execution DNS
Hosts: 1 (none listed)
Score 4.4 | 37 | ZeroCERT

9479 | 2021-06-29 13:51
File: A94970A63494DE9EECB666DD6A91B4...
MD5: a94970a63494de9eecb666dd6a91b43d
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) .NET EXE PE32 PE File Malware download VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS
URLs: 8
Hosts: 1 (none listed)
Signatures (1): ET MALWARE Win32/BlackNET CnC Keep-Alive
Score 5.0 | 48 | ZeroCERT

9480 | 2021-06-29 13:58
File: microsoftedgecps.exe
MD5: b2600237508f0a8e5ca2c5c80018eaca
Tags: email stealer PSW Bot LokiBot ZeusBot Antivirus Steal credential ScreenShot Escalate priviledges Code injection KeyLogger AntiDebug AntiVM PE32 PE File JPEG Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware IoC powershell Microsoft Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Ransomware DiamondFox Windows Browser Email ComputerName Trojan DNS Cryptographic key Software crashed
URLs: 28
Hosts (3): diamond.serivice.com(195.133.40.146) - mailcious; 34.227.13.244 - mailcious; 195.133.40.146 - mailcious
Signatures (6): ET MALWARE Generic gate[.].php GET with minimal headers; ET HUNTING Suspicious GET To gate.php with no Referer; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE Trojan Generic - POST To gate.php with no accept headers; ET MALWARE DiamondFox HTTP Post CnC Checkin M3; ET POLICY PE EXE or DLL Windows file download HTTP
Score 23.6 | M | 43 | ZeroCERT