10786 | 2021-08-02 10:00
6.exe 598c53bfef81e489375f09792e487f1a DarkMatter Ransomware PE File PE32 VirusTotal Malware MachineGuid Check memory unpack itself AntiVM_Disk VM Disk Size Check Ransomware ComputerName crashed |
|
2
paymenthacks.com(206.188.197.206) 206.188.197.206
|
|
|
8.4 | | 47 | r0d
10787 | 2021-08-02 10:24
content.dotm 23a471d956410bc80dc0cabc006252f6 VBA_macro VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW Tofsee ComputerName |
1
https://donattelli.com/test/ssi/1.dll
|
2
donattelli.com(185.92.244.225) 185.92.244.225
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.4 | | 35 | ZeroCERT
10788 | 2021-08-02 10:26
1.dll 1ea7d46d94299fa8bad4043c13100df0 PWS Loki[b] Loki[m] Kpot stealer Malicious Library PE File DLL PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee |
|
2
donattelli.com(185.92.244.225) 185.92.244.225
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 | | 46 | ZeroCERT
10789 | 2021-08-02 17:49
SYNAPSE X.exe 8bad491fd5bd7142871b1815c24305bc Generic Malware Themida Packer Anti_VM Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Firmware Cryptographic key crashed |
|
|
|
|
10.8 | | 45 | guest
10790 | 2021-08-02 17:54
XCT.exe fb8944b1bba155b25253fb21a246b735 Generic Malware Malicious Packer UPX DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
xp18.ddns.net(103.167.85.148) - mailcious 103.167.85.148
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
13.6 | | 36 | ZeroCERT
10791 | 2021-08-02 17:54
fontWinRuntimecrtNetrefruntime... 2ee557a2195e41069889ecbc983a87b1 RAT Generic Malware Malicious Packer UPX DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File OS Processor Check .NET VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows ComputerName DNS Cryptographic key crashed |
4
|
5
ipinfo.io(34.117.59.81) api.telegram.org(149.154.167.220) 34.117.59.81 78.24.217.56 - mailcious 149.154.167.220
|
3
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
3
http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php
|
10.8 | M | 50 | ZeroCERT
10792 | 2021-08-02 17:56
.smss.exe f5463dbb6131a4c2643af3700f14095b PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS crashed |
|
2
78.24.217.56 - mailcious 149.154.167.220
|
|
|
2.8 | | 20 | ZeroCERT
10793 | 2021-08-02 17:57
.svchost.exe 9318cd06a9a0b788dc043a63c97d4fce Generic Malware Malicious Packer UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself DNS |
|
1
|
|
|
2.0 | M | 11 | ZeroCERT
10794 | 2021-08-02 17:59
vbc.exe ae8b4b2b933da9181e0291f12d917dbf PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed |
|
|
|
|
8.6 | M | | ZeroCERT
10795 | 2021-08-02 17:59
.audiodg.exe b8b8f8d19a603555ddd886a77c751211 PWS Loki[b] Loki[m] .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx - rule_id: 2584
|
1
185.227.139.18 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://185.227.139.18/dsaicosaicasdi.php
|
14.0 | M | 20 | ZeroCERT
10796 | 2021-08-02 18:00
allparts.exe 4c10c29f43c09ee1abacf83fa03bbbc7 Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName |
|
|
|
|
9.6 | M | 18 | ZeroCERT
10797 | 2021-08-02 18:03
ADV.exe 325fb848ba8b93295817fff534bd1a75 Generic Malware Malicious Packer UPX SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200) checkip.dyndns.org(193.122.6.168) 172.67.188.154 132.226.247.73
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org
|
|
13.4 | M | 28 | ZeroCERT
10798 | 2021-08-03 07:38
d.doc ffc171671b298066a3640509219d9038 RTF File doc FormBook Malware download Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
3
http://www.qcprimeproperties.com/d6b4/?Ez=iUvziqoRLVQP4x4VYF2Zy1OZa8T9up5z2yg+XgExv6fOIaCDxIhQQAC5BKzEz2OD4O7+7gDd&lhuL=Sxo4ZRH http://192.3.122.133/dubem/win.exe http://www.1089konstanzter.com/d6b4/?Ez=+/REqqX1Mwr1IQxu1a0kaXfhn+o/BryxvLbATw+muhIadlwyJ66qhvKB/1QyG36wqFicOEFI&lhuL=Sxo4ZRH
|
5
www.1089konstanzter.com(54.159.4.226) www.qcprimeproperties.com(34.102.136.180) 54.159.4.226 192.3.122.133 34.102.136.180 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE FormBook CnC Checkin (GET)
|
|
3.2 | | | ZeroCERT
10799 | 2021-08-03 07:48
downloaddocument.do 4667f2ac85f21d40d87302b19415acef Emotet Gen1 Malicious Packer UPX Malicious Library AntiDebug AntiVM PE File OS Processor Check DLL PE32 Dridex TrickBot VirusTotal Malware Report PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName DNS crashed |
16
https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/ https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/vrvjnLXDTHh7rxb7xb/ https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/ https://105.27.205.34/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabc64/ https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/SPYVhO46b0DEThQMydS2Zfd4e8/ https://www.myexternalip.com/raw https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/VVFTRPXNNPLIHFMHFQF/7/ https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/hzJfcDAclgRsE45qcKUZSccHLZoSl/ https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/ https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/BPPXFPXZDBXTTXN/7/ https://182.253.210.130/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabb64/ https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/THBJBHXZZHFTFFNVJ/7/ https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/23/100019/ https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-toolsHN1H3H%5Cftdownloaddocumenthn.grf/0/ https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/ 
https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/RguEiTZB8CRul1FpJkUlRGDdx8/
|
13
www.myexternalip.com(34.117.59.81) 150.134.208.175.b.barracudacentral.org(127.0.0.2) 150.134.208.175.cbl.abuseat.org() 150.134.208.175.zen.spamhaus.org() 105.27.205.34 46.99.175.217 194.146.249.137 184.74.99.214 - mailcious 185.56.175.122 182.253.210.130 216.166.148.187 34.117.59.81 5.152.175.57
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 10
|
|
11.2 | | 4 | ZeroCERT
10800 | 2021-08-03 07:55
win.exe d77ca8ffc57b9dd974928a09fe6722b0 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
2
http://www.5gusaphones.com/d6b4/?BZR8DR=TVsDFMPATNjElIxDQdFdIJ7pI7RNJco0RSJv47bENHhP3SgsFs3eKGTcOpqZrd+87WRONrAg&VRKt=vBZhY2d0ZnJDbt http://www.drraass.com/d6b4/?BZR8DR=ZFjiT42y6P0728e7zdpBA4KxoCmBCCb5Al/LhO89P4sgCaouJTXqFiYZc9VykBwhS3eZep96&VRKt=vBZhY2d0ZnJDbt
|
4
www.5gusaphones.com(64.190.62.111) www.drraass.com(160.121.199.48) 160.121.199.48 64.190.62.111 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET) ET DROP Spamhaus DROP Listed Traffic Inbound group 17
|
|
8.4 | | 14 | ZeroCERT