10711 | 2021-07-30 11:15
Sample: faktura-77_2021-3.pdf.exe
MD5: f7ba0f7a61b8b51a5e1823d5fd274d12
Tags: PWS, .NET framework, Gen1, Gen2, Generic Malware, UPX, Malicious Library, Malicious Packer, ScreenShot, Http API, Steal credential, AntiDebug, AntiVM, PE32, OS Processor Check, .NET EXE, PE File, DLL, VirusTotal, Email Client Info Stealer, Malware, Buffer PE, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, installed browsers check, Tofsee, Ransomware, Windows, Browser, Email, ComputerName, DNS, Cryptographic key
URLs (4):
  http://185.234.247.75/
  http://185.234.247.75//l/f/eAYt9XoBagrSXdgRtW3j/147c164f57246ff52d187892d033ff5af5d2df92
  http://185.234.247.75//l/f/eAYt9XoBagrSXdgRtW3j/e9bed5f88e62036906900574f1e28599a7f8d5d3
  https://telete.in/uidesopencardtop
Hosts (3):
  telete.in(195.201.225.248) - malicious
  185.234.247.75
  195.201.225.248 - malicious
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 13.4 | | 15 | ZeroCERT
10712 | 2021-07-30 11:45
Sample: economic relations.doc
MD5: 9b1ca0408e33c43970b87c4c380b134f
Tags: VBA_macro, Generic Malware, Antivirus, MSOffice File, PE32, DLL, .NET DLL, PE File, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key
URLs (2):
  http://taketodjnfnei898.ueuo.com/?t=1
  http://takemetoyouheart.c1.biz/index.php?user_id=319
Hosts (4):
  taketodjnfnei898.ueuo.com(162.253.155.226)
  takemetoyouheart.c1.biz(185.176.43.106)
  185.176.43.106 - malware
  162.253.155.226 - malware
IDS alerts (1):
  ET INFO Observed DNS Query to .biz TLD
Score: 11.0 | | 6 | ZeroCERT
10713 | 2021-07-30 11:48
Sample: documentation_67198.vbs
MD5: 30634e6b16ac0cce95c017ce9dc6e9a0
Score: n/a | | | ZeroCERT
10714 | 2021-07-30 11:49
Sample: JPM_Payment_Remittance_505693....
MD5: b2633a1d702957694bb470b202ba032c
Tags: VBA_macro, Antivirus, UPX, Malicious Library, DGA, DNS, Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP, Internet API, FTP, ScreenShot, Http API, Steal credential, Downloader, P2P, AntiDebug, AntiVM, PE32, PE File, Emotet, VirusTotal, Malware, powershell, Buffer PE, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key
URLs (3):
  https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
  https://zya3ig.sn.files.1drv.com/y4mhGDkKmL3VDLSUrEWHAJjnel-AVhbdeVNYyQnBqeWWrlxrQZ9NszEAsvT8XGLPe7mkz9QTC2UI2gLMghScHsnFP_Z6_KMpHHOIsKBYLdy8Z_oB67tIlMC6eqSbrKMSaRvkdLdJNSecdujzF4iBhESi-AinVSWep0qzarT4IY-QFmPWqsXK9v3smoVL9-Ky_SUCQSiGojuKkheE7LkfMcRgw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
  https://zya3ig.sn.files.1drv.com/y4mOTz_QAR6NiYt2v34fuSPi5mluFwXvFkGg8tgtdufNHC3Zp9FIYVKG-COsmBXTAwBxjc8xosZ0KnX7YbZwmx2gL8VpE8j5-03OKW0BG2tczyDzTjZtpuri4UXT7gVUL5_4LtiWlB8bzeQv8EGyVBirb0QKQzgVoopEqx_2Y5-ilTcGCMR2XMNsrjj0y-XdrvdZ12IIfBEs2MBrH5lxUUseg/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
Hosts (7):
  zya3ig.sn.files.1drv.com(13.107.42.12)
  onedrive.live.com(13.107.42.13) - malicious
  twistednerd.dvrlists.com(185.189.112.27) - malicious
  13.107.42.13 - malicious
  13.107.42.12 - malware
  192.227.158.111 - malware
  185.189.112.27
IDS alerts (5):
  ET INFO Executable Download from dotted-quad Host
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 18.8 | M | 23 | ZeroCERT
10715 | 2021-07-30 11:51
Sample: credit.exe
MD5: 821e75318f291ec08bafe26ceb1eeeff
Tags: UPX, Malicious Library, DGA, DNS, Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP, Internet API, FTP, ScreenShot, Http API, Steal credential, Downloader, P2P, AntiDebug, AntiVM, PE32, PE File, Emotet, VirusTotal, Malware, Buffer PE, AutoRuns, Code Injection, buffers extracted, Creates executable files, RWX flags setting, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName
URLs (3):
  https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
  https://zya3ig.sn.files.1drv.com/y4md6gQPdIz35OSr1CP2N4-V0otIFa4eVa0izCLdmOuJBlLjvqOKL1As6rYQnYlPRdOKogUyQE7YlWy1lWOD4q-yUycJQpPxTSjhLp1ipDwl2VxJzzfz4_HgHLeaZnxv5_IXieI4bUFSOayiOt7gTLafGswW8XOo0GN6ewIHl1Xv5d3ZoJJCQW6vuIZ2DO7Z-CXZhd8Pay1cNIMOtYXsZ6jSw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
  https://zya3ig.sn.files.1drv.com/y4mJJ5fYOJj8MPGeOKGqQ1KM13fmel2Ir5INpKatMQNhtn-MFo22uJXG-NxHGQW_rIE_QimVyEKqc1UAQnleBjY5UihcDrpL6Eb2Ifa9I_Ol5syVmMwJVuBJjBf1MYv7UrCewNZWHZNelLV4zk5t7MMv7dryPakEqTM3AMwvnh0KRMGP3mPCri2oJ3PakOXO5685tSRfDtd09gIy5zXW-F5cA/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
Hosts (4):
  zya3ig.sn.files.1drv.com(13.107.42.12)
  onedrive.live.com(13.107.42.13) - malicious
  13.107.42.13 - malicious
  13.107.42.12 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.4 | M | 20 | ZeroCERT
10716 | 2021-07-30 15:06
Sample: vbc.exe
MD5: c85ee9fe0a4d346432307651cb4357a1
Tags: CryptBot, PE32, PE File, VirusTotal, Malware, Check memory, RWX flags setting, unpack itself
Score: 2.2 | M | 21 | r0d
10717 | 2021-07-30 15:55
Sample: lv.exe
MD5: e606e3bbeb846d4ef17eca787b09c728
Tags: Emotet, Gen1, NPKI, Gen2, Malicious Library, UPX, Malicious Packer, DGA, DNS, Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP, Hijack Network, Internet API, FTP, ScreenShot, Http API, Steal credential, Downloader, P2P, persistence, AntiD, VirusTotal, Malware, AutoRuns, Code Injection, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Windows, crashed
Hosts (1):
  nULmPlSLTBiT.nULmPlSLTBiT()
Score: 6.6 | M | 20 | ZeroCERT
10718 | 2021-07-30 20:49
Sample: 29.exe
MD5: ab99e71c87f024b99c10c02f88b3e40b
Tags: Gen2, UPX, Malicious Library, PE32, PE File, OS Processor Check, DLL, VirusTotal, Malware, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, ICMP traffic, unpack itself, AppData folder, sandbox evasion, IP Check, Tofsee, ComputerName
URLs (5):
  http://ol.gamegame.info/report7.4.php - rule_id: 1518
  http://ip-api.com/json/?fields=8198
  http://by.dirfgame.com/report7.4.php - rule_id: 2900
  https://live.goatgame.live/userf/dat/29/sqlite.dat
  https://live.goatgame.live/userf/dat/sqlite.dll - rule_id: 3376
Hosts (10):
  ol.gamegame.info(172.67.200.215) - malicious
  live.goatgame.live(104.21.70.98) - malware
  google.vrthcobj.com(34.97.69.225) - malicious
  by.dirfgame.com(172.67.215.92) - malicious
  ip-api.com(208.95.112.1)
  104.21.21.221 - malicious
  34.97.69.225 - malicious
  208.95.112.1
  104.21.78.28 - malicious
  172.67.222.125 - malware
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (3):
  http://ol.gamegame.info/report7.4.php
  http://by.dirfgame.com/report7.4.php
  https://live.goatgame.live/userf/dat/sqlite.dll
Score: 8.4 | M | 43 | ZeroCERT
10719 | 2021-07-30 20:49
Sample: 2201.exe
MD5: 52303e3dc2b3b9ad36ba6169418c5bd2
Tags: Gen2, UPX, Malicious Library, PE32, PE File, OS Processor Check, DLL, VirusTotal, Malware, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, AppData folder, sandbox evasion, IP Check, Tofsee, ComputerName
URLs (5):
  http://ol.gamegame.info/report7.4.php - rule_id: 1518
  http://ip-api.com/json/?fields=8198
  http://by.dirfgame.com/report7.4.php - rule_id: 2900
  https://live.goatgame.live/userf/dat/2201/sqlite.dat
  https://live.goatgame.live/userf/dat/sqlite.dll - rule_id: 3376
Hosts (10):
  ol.gamegame.info(104.21.21.221) - malicious
  live.goatgame.live(172.67.222.125) - malware
  google.vrthcobj.com(34.97.69.225) - malicious
  by.dirfgame.com(104.21.78.28) - malicious
  ip-api.com(208.95.112.1)
  172.67.215.92 - malicious
  172.67.200.215
  34.97.69.225 - malicious
  208.95.112.1
  172.67.222.125 - malware
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (3):
  http://ol.gamegame.info/report7.4.php
  http://by.dirfgame.com/report7.4.php
  https://live.goatgame.live/userf/dat/sqlite.dll
Score: 7.6 | M | 47 | ZeroCERT
10720 | 2021-07-30 20:50
Sample: .audiodg.exe
MD5: d8e32ab45623cf6631abc3a271d4e183
Tags: PWS, .NET framework, RAT, Generic Malware, UPX, Admin Tool (Sysinternals etc ...), .NET EXE, PE32, PE File, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
Score: 2.0 | M | 25 | ZeroCERT
10721 | 2021-07-30 20:51
Sample: lv.exe
MD5: 075ba8e35c73b895b107baad6b85bb82
Tags: NPKI, Emotet, Gen1, Gen2, Malicious Library, UPX, Malicious Packer, PE32, PE File, DLL, OS Processor Check, VirusTotal, Malware, AutoRuns, Code Injection, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Windows
Hosts (1):
  GgdtfkaEHdAzKOSzI.GgdtfkaEHdAzKOSzI()
Score: 5.4 | M | 26 | ZeroCERT
10722 | 2021-07-30 20:53
Sample: vbc.exe
MD5: 4a1051bd16e2fd2e017ba346059572a0
Tags: PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, ICMP traffic, unpack itself, DNS
URLs (3):
  http://www.szkuyaju.com/dd2v/?-Z=lG6ol55azlMD4hADWE4Pp39Kr+4CexCIFBDa0fMIOIXyuuva5ACX5IfAn9qJYQlkH2gKlOKe&sBZ4Hv=X48HRfjp
  http://www.sitepew.life/dd2v/?-Z=of3sSQro2+0Ix8g5lNnoK0O+g6AGUtNJd9jg1OU6HPbGpKYh3LbwCB0Ah6pem80nKxS4m6GH&sBZ4Hv=X48HRfjp
  http://www.travelature.com/dd2v/?-Z=7X/3abfwvNhDzU8xX7zzoSYCubj2617zMLKfswG/6RMQDsBwWzNFhPRZ83qpvH2Jw3XtkhJw&sBZ4Hv=X48HRfjp
Hosts (7):
  www.szkuyaju.com(154.221.227.194)
  www.sitepew.life(162.251.4.219)
  www.travelature.com(104.21.28.139)
  www.bttjagalan.xyz()
  154.221.227.194
  162.251.4.156
  172.67.170.217
IDS alerts (3):
  ET INFO Observed DNS Query to .life TLD
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP Request to Suspicious *.life Domain
Score: 4.4 | M | 20 | ZeroCERT
10723 | 2021-07-30 20:55
Sample: .csrss.exe
MD5: b4e65ed28277c81bc487a30b282b88a1
Tags: PWS, .NET framework, Generic Malware, UPX, Admin Tool (Sysinternals etc ...), .NET EXE, PE32, PE File, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, DNS
Hosts (2):
  104.21.21.221 - malicious
  104.21.78.28 - malicious
Score: 2.6 | M | 25 | ZeroCERT
10724 | 2021-07-31 09:50
Sample: vbc.exe
MD5: 4a1051bd16e2fd2e017ba346059572a0
Tags: Formbook, PE32, PE File, VirusTotal, Malware, suspicious privilege, unpack itself
Score: 2.8 | M | 20 | r0d
10725 | 2021-07-31 13:26
Sample: huh.exe
MD5: 932cb9ca236e1e8c6740d9db01410778
Tags: PWS, .NET framework, njRAT, backdoor, RAT, Generic Malware, Malicious Packer, UPX, OS Processor Check, .NET EXE, OS Name Check, PE32, PE File, VirusTotal, Malware, AutoRuns, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, anti-virtualization, Windows, ComputerName, Cryptographic key, crashed, keylogger
Score: 9.8 | | 49 | ZeroCERT
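The listing writes network observables in a compact notation: hosts as "domain(ip) - verdict", bare IPs with or without a verdict, "domain()" for a lookup that returned no address, and URLs with an optional "- rule_id: N" suffix. Several records also overlap: the same MD5 is submitted twice (10722 and 10724), two Emotet droppers fetch the same OneDrive URL (10714 and 10715), and 29.exe and 2201.exe report to the same domains behind different Cloudflare addresses (10718 and 10719). The script below is an added example, not code from this listing or from the sandbox that produced it. It parses that notation and cross-references a handful of records copied from the page; the dict layout of RECORDS, the chosen subset of records, and the `ignore` allowlist are this example's own assumptions.

```python
"""Parse the host/URL notation of the sandbox listing and find indicators
shared between submissions.  Added example: the RECORDS layout, the
subset of records and the `ignore` allowlist are assumptions; the hashes,
URLs and host entries themselves are copied from the listing."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# "domain(1.2.3.4) - malicious", "1.2.3.4 - malware", "1.2.3.4", "domain()"
HOST_RE = re.compile(
    r"^(?P<name>[^\s(]+)\s*(?:\((?P<ip>[^)]*)\))?(?:\s*-\s*(?P<verdict>\w+))?$"
)
# "http://host/path - rule_id: 1518" or a bare URL
URL_RE = re.compile(r"^(?P<url>\S+)(?:\s*-\s*rule_id:\s*(?P<rule>\d+))?$")


def parse_host(entry):
    """Return (name, ip, verdict); ip and verdict are None when absent.
    'domain()' means the sandbox saw a lookup with no answer, so ip is None."""
    m = HOST_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised host entry: {entry!r}")
    return m.group("name"), (m.group("ip") or None), m.group("verdict")


def parse_url(entry):
    """Return (url, rule_id); rule_id is None when no rule matched the URL."""
    m = URL_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised URL entry: {entry!r}")
    rule = m.group("rule")
    return m.group("url"), (int(rule) if rule else None)


def shared_indicators(records, ignore=frozenset()):
    """Map every MD5, URL, hostname and resolved IP to the record ids it
    occurs in and keep only those seen in more than one record.  Names in
    `ignore` (shared or legitimate infrastructure) are dropped together with
    the URLs and resolved IPs that belong to them, so they never become
    block-list entries."""
    seen = defaultdict(set)
    for rec in records:
        seen[("md5", rec["md5"])].add(rec["id"])
        for entry in rec["urls"]:
            url, _rule = parse_url(entry)
            if urlsplit(url).hostname in ignore:
                continue
            seen[("url", url)].add(rec["id"])
        for entry in rec["hosts"]:
            name, ip, _verdict = parse_host(entry)
            if name in ignore:
                continue
            seen[("host", name)].add(rec["id"])
            if ip:
                seen[("ip", ip)].add(rec["id"])
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}


# Values copied from the listing; the dict layout is this example's own.
ONEDRIVE = ("https://onedrive.live.com/download?cid=D6676A9A61E841F3"
            "&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg")
RECORDS = [
    {"id": 10714, "md5": "b2633a1d702957694bb470b202ba032c", "urls": [ONEDRIVE],
     "hosts": ["zya3ig.sn.files.1drv.com(13.107.42.12)",
               "onedrive.live.com(13.107.42.13) - malicious",
               "twistednerd.dvrlists.com(185.189.112.27) - malicious",
               "192.227.158.111 - malware"]},
    {"id": 10715, "md5": "821e75318f291ec08bafe26ceb1eeeff", "urls": [ONEDRIVE],
     "hosts": ["zya3ig.sn.files.1drv.com(13.107.42.12)",
               "onedrive.live.com(13.107.42.13) - malicious"]},
    {"id": 10718, "md5": "ab99e71c87f024b99c10c02f88b3e40b",
     "urls": ["http://ol.gamegame.info/report7.4.php - rule_id: 1518",
              "http://ip-api.com/json/?fields=8198",
              "https://live.goatgame.live/userf/dat/29/sqlite.dat"],
     "hosts": ["ol.gamegame.info(172.67.200.215) - malicious",
               "live.goatgame.live(104.21.70.98) - malware",
               "ip-api.com(208.95.112.1)"]},
    {"id": 10719, "md5": "52303e3dc2b3b9ad36ba6169418c5bd2",
     "urls": ["http://ol.gamegame.info/report7.4.php - rule_id: 1518",
              "http://ip-api.com/json/?fields=8198",
              "https://live.goatgame.live/userf/dat/2201/sqlite.dat"],
     "hosts": ["ol.gamegame.info(104.21.21.221) - malicious",
               "live.goatgame.live(172.67.222.125) - malware",
               "ip-api.com(208.95.112.1)"]},
    {"id": 10722, "md5": "4a1051bd16e2fd2e017ba346059572a0", "urls": [],
     "hosts": ["www.sitepew.life(162.251.4.219)", "www.bttjagalan.xyz()"]},
    {"id": 10724, "md5": "4a1051bd16e2fd2e017ba346059572a0", "urls": [], "hosts": []},
]

if __name__ == "__main__":
    # ip-api.com is a public geolocation service, not attacker infrastructure.
    for (kind, value), ids in sorted(shared_indicators(RECORDS, {"ip-api.com"}).items()):
        print(f"{kind:5} {value}  <- records {ids}")
```

Two things worth noting from the output. The gamegame/dirfgame/goatgame domains are matched by name, not by address: in the listing each resolves to a different 104.21.x / 172.67.x address between the two runs, so an IP-based indicator would miss the second sample while the hostname catches both. And the `ignore` set is what keeps onedrive.live.com-style shared services and the ip-api.com lookup out of a block list; it also accepts bare IP strings, which matters because the listing repeats 208.95.112.1 as its own host entry.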