10201 | 2021-07-19 10:51
0694b1714768f441a6827c5776da3c... 7a7c47733423a46f83eab77d230a0e12 Gen2 Gen1 Generic Malware UPX PE File OS Processor Check PE32 DLL VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder sandbox evasion IP Check ComputerName
3
http://ol.gamegame.info/report7.4.php - rule_id: 1518 http://ip-api.com/json/?fields=8198 http://by.dirfgame.com/report7.4.php - rule_id: 2900
8
ip-api.com(208.95.112.1) google.vrthcobj.com(34.97.69.225) - mailcious by.dirfgame.com(104.21.78.28) - mailcious ol.gamegame.info(172.67.200.215) - mailcious 34.97.69.225 - mailcious 208.95.112.1 104.21.21.221 - mailcious 104.21.78.28 - mailcious
1
ET POLICY External IP Lookup ip-api.com
2
http://ol.gamegame.info/report7.4.php http://by.dirfgame.com/report7.4.php
7.6 | M | 53 | ZeroCERT
10202 | 2021-07-19 10:55
build.exe e6bf9a1d8f14d2e1f07976f93dfc554e PWS Loki[b] Loki[m] AgentTesla Gen1 RedLine Stealer browser info stealer UPX Malicious Packer DGA DNS Socket Http API Internet API ScreenShot AntiDebug AntiVM PE File OS Processor Check PE32 DLL JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei Dridex VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs suspicious TLD sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software Password
10
http://116.202.183.50/mozglue.dll http://116.202.183.50/nss3.dll http://116.202.183.50/vcruntime140.dll http://116.202.183.50/ - rule_id: 2743 http://116.202.183.50/softokn3.dll http://astdg.top/nddddhsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 2546 http://116.202.183.50/msvcp140.dll http://116.202.183.50/517 - rule_id: 2744 http://116.202.183.50/freebl3.dll https://sslamlssa1.tumblr.com/ - rule_id: 2745
9
sslamlssa1.tumblr.com(74.114.154.22) - mailcious astdg.top(211.170.70.237) - mailcious api.2ip.ua(77.123.139.190) securebiz.org(187.212.182.122) - malware 77.123.139.190 115.91.217.231 74.114.154.22 - mailcious 61.36.14.230 116.202.183.50 - mailcious
13
ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO TLS Handshake Failure ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET DNS Query to a *.top domain - Likely Hostile ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET INFO HTTP Request to a *.top domain ET MALWARE Vidar/Arkei Stealer Client Data Upload ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
4
http://116.202.183.50/ http://astdg.top/nddddhsspen6/get.php http://116.202.183.50/517 https://sslamlssa1.tumblr.com/
20.2 | M | 25 | ZeroCERT
10203 | 2021-07-19 11:00
id27315002.php 291192d5184d78dc4f49972a092598d8 BitCoin Process Kill Generic Malware UPX FindFirstVolume CryptGenKey AntiDebug AntiVM PE File Device_File_Check OS Processor Check PE32 PNG Format .NET EXE MSOffice File JPEG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key Software crashed
12
http://usa01.info/app/files/ap/id27315002.php http://densalenge.xyz/ http://usa01.info/users/content/id03084901/mmow.txt - rule_id: 2934 http://usa01.info/users/content/id03084901/mmow.txt http://usa01.info/books/userpaths/birbik/harrypotter2.txt http://tstamore.info/ - rule_id: 2931 http://tstamore.info/ http://usa01.info/function/v2tmp/momomoomomom.php - rule_id: 2936 http://usa01.info/function/v2tmp/momomoomomom.php https://iplogger.com/1Fd397 https://api.ip.sb/geoip https://iplogger.com/1Fs397
13
tstamore.info(45.139.184.124) api.ip.sb(104.26.12.31) usa01.info(45.139.184.124) iplogger.com(88.99.66.31) densalenge.xyz(85.192.56.21) www.binance.com(52.84.150.4) 88.99.66.31 - mailcious 52.84.150.20 172.67.75.172 85.192.56.21 104.21.21.221 - mailcious 104.21.78.28 - mailcious 45.139.184.124 - malware
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET USER_AGENTS Suspicious User-Agent (Installed OK) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO TLS Handshake Failure SURICATA Applayer Detect protocol only one direction SURICATA HTTP unable to match response to request
3
http://usa01.info/users/content/id03084901/mmow.txt http://tstamore.info/ http://usa01.info/function/v2tmp/momomoomomom.php
16.6 | M | 22 | ZeroCERT
10204 | 2021-07-19 11:07
zxcv.EXE e0ee46172e94ab9aaed4f27dc2aab72a PWS Loki[b] Loki[m] .NET framework Gen1 Gen2 Generic Malware UPX Malicious Packer Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenSho Browser Info Stealer Malware download FTP Client Info Stealer Vidar Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware Zeus OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger Downloader Password
21
http://34.89.184.90//l/f/K-R3vHoBagrSXdgRybk2/92d554b38e1cae759d4c0d30ca20cfdc6cde1f5f - rule_id: 2583 http://185.215.113.77/rc.exe - rule_id: 1809 http://34.89.184.90//l/f/K-R3vHoBagrSXdgRybk2/41412bfae75d7e94b63598d20cc59c28b5b0423e - rule_id: 2583 http://erolasa.ac.ug/ac.exe http://erolbasa.ac.ug/vcruntime140.dll http://erolbasa.ac.ug/ - rule_id: 2882 http://185.215.113.77/cc.exe - rule_id: 1812 http://185.215.113.77/ac.exe - rule_id: 1807 http://erolbasa.ac.ug/msvcp140.dll http://erolbasa.ac.ug/sqlite3.dll http://erolbasa.ac.ug/freebl3.dll http://erolbasa.ac.ug/mozglue.dll http://erolasa.ac.ug/index.php http://185.215.113.77/ds1.exe - rule_id: 1810 http://erolbasa.ac.ug/softokn3.dll http://185.215.113.77/ds2.exe - rule_id: 1811 http://erolbasa.ac.ug/nss3.dll http://34.89.184.90/ - rule_id: 2583 http://erolbasa.ac.ug/main.php - rule_id: 2883 https://cdn.discordapp.com/attachments/854297276549169165/865183364520345620/Ghvhklnnbujpcdbcuiamjnfnpsbioew https://cdn.discordapp.com/attachments/854297276549169165/865182381597786132/Rtzvmiumkiajmdtugitkgokalwbndbk
12
telete.in(195.201.225.248) - mailcious erolbasa.ac.ug(185.215.113.77) - mailcious erolasa.ac.ug(185.215.113.77) - malware icando.ug() - suspicious cdn.discordapp.com(162.159.130.233) - malware icacxndo.ac.ug() - suspicious arsaxa.ac.ug(79.134.225.25) - mailcious 195.201.225.248 - mailcious 162.159.130.233 - malware 79.134.225.25 - mailcious 34.89.184.90 - mailcious 185.215.113.77 - malware
11
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 25 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE AZORult v3.3 Server Response M2 ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Executable Download from dotted-quad Host ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
10
http://34.89.184.90/ http://185.215.113.77/rc.exe http://34.89.184.90/ http://erolbasa.ac.ug/ http://185.215.113.77/cc.exe http://185.215.113.77/ac.exe http://185.215.113.77/ds1.exe http://185.215.113.77/ds2.exe http://34.89.184.90/ http://erolbasa.ac.ug/main.php
32.2 | M | 45 | ZeroCERT
10205 | 2021-07-19 11:29
ComparePlus.dll b3a8c88297daecdb9b0ac54a3c107797 UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger unpack itself crashed
1.8 | | 30 | ZeroCERT
10206 | 2021-07-19 13:27
ComparePlus.dll b3a8c88297daecdb9b0ac54a3c107797 UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger unpack itself
1.6 | | 30 | ZeroCERT
10207 | 2021-07-19 14:50
V-aim.dll 68d7d6f7f4c22abe217d12cc42be689f IcedID VMProtect PE File PE64 DLL VirusTotal Malware
1.6 | | 11 | Kim.GS
10208 | 2021-07-19 15:23
리스펙.exe db9f97abc6cd7564e1c8bc4d1da6edf9 PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) UPX Malicious Packer PE File OS Processor Check PE32 DLL .NET EXE VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself sandbox evasion
5.4 | | 20 | Kim.GS
10209 | 2021-07-19 16:30
http://redirector.gvt1.com/edg... 1c8529a4577541f11238a25ce76c343e DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
2
http://r1---sn-3u-bh2ly.gvt1.com/edgedl/release2/chrome_component/fp54i2dusearlozqtsnasgv6xa_2659/jflookgnkcckhobaglndicnbbgbonegd_2659_all_mxdmmez5xo4y35xwfdotsvn5um.crx3?cms_redirect=yes&mh=iD&mip=175.208.134.150&mm=28&mn=sn-3u-bh2ly&ms=nvh&mt=1626679216&mv=m&mvi=1&pl=18&rmhost=r6---sn-3u-bh2ly.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sr.gvt1.com http://redirector.gvt1.com/edgedl/release2/chrome_component/fp54i2dusearlozqtsnasgv6xa_2659/jflookgnkcckhobaglndicnbbgbonegd_2659_all_mxdmmez5xo4y35xwfdotsvn5um.crx3
2
r1---sn-3u-bh2ly.gvt1.com(59.18.31.12) 59.18.31.12
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.8 | | | guest
10210 | 2021-07-19 16:52
OW AUTO 1.bat 8002cedb6df333b9b8c7e89fde1873f1 DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM WriteConsoleW
0.6 | | | Kim.GS
10211 | 2021-07-19 16:58
OW AUTO 1 (2).bat 8002cedb6df333b9b8c7e89fde1873f1 DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM WriteConsoleW
0.6 | | | Kim.GS
10212 | 2021-07-19 17:25
G402.dll d37da4af6a94771d51d995d8683afed4 UPX PE File PE64 DLL Checks debugger unpack itself Auto service DNS
1
2.8 | | | Kim.GS
10213 | 2021-07-19 17:29
DefenderControl.ini 62516ed108e319cf929b64a8cf4cfa93 ScreenShot AntiDebug AntiVM Check memory unpack itself
1.0 | | | Kim.GS
10214 | 2021-07-19 17:54
rere.exe 734b3fcc06d0a0eda6b83de9165636ac PWS Loki[b] Loki[m] UPX PE File PE64 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Remote Code Execution
2.0 | | 3 | Kim.GS
10215 | 2021-07-20 08:04
vbc.exe 97ee10e7b9b299b04c83d12eaf6dc5f5 RedLine Stealer UPX PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.8 | M | 53 | ZeroCERT