11026 | 2021-08-09 02:58 | hbggg.exe e6f6fd13001b8df1af345df56caba5de | Gen2 Emotet UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory buffers extracted Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution
5: http://uyg5wye.2ihsfa.com/api/?sid=19422&key=1e40e303a338d1de3cb36619da169749 - rule_id: 1396 http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1968 http://ip-api.com/json/ https://iplogger.org/18hh57 https://www.facebook.com/
8: uyg5wye.2ihsfa.com(207.246.94.159) - mailcious www.facebook.com(157.240.215.35) ip-api.com(208.95.112.1) iplogger.org(88.99.66.31) - mailcious 157.240.215.35 208.95.112.1 207.246.94.159 - mailcious 88.99.66.31 - mailcious
2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
2: http://uyg5wye.2ihsfa.com/api/ http://uyg5wye.2ihsfa.com/api/fbtime
6.8 | M | 60 | guest
11027 | 2021-08-09 09:17 | free-mega-vip-roblox.pdf bd2cde8cfd6faa5405a6d3b337cd1543 | PDF Suspicious Link PDF Check memory unpack itself
2: http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
2: swupmf.adobe.com(23.212.12.57) 23.212.12.57
|
|
1.6 | | | ZeroCERT
11028 | 2021-08-09 09:28 | file.exe 8472ae9fabd1a6ed08801c724d1f7370 | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
|
|
|
|
2.0 | M | 32 | ZeroCERT
11029 | 2021-08-09 09:28 | askinstall52.exe 6e75a32d17c8525011ca4411b81d0ce4 | UPX Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
|
|
|
|
2.8 | M | 46 | ZeroCERT
11030 | 2021-08-09 09:37 | file.exe 5da49486bd575bd66fe58d3d08965b61 | RAT PWS .NET framework Generic Malware UPX .NET EXE PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
2: http://95.217.140.34:18653/ https://api.ip.sb/geoip
3: api.ip.sb(172.67.75.172) 104.26.13.31 95.217.140.34
2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
10.2 | M | 43 | ZeroCERT
11031 | 2021-08-09 09:37 | lv.exe 9619ad1fdc2d4b6ce19567be0a47b6f9 | Emotet Gen1 Gen2 Themida Packer Malicious Library UPX Malicious Packer PE File PE32 DLL GIF Format VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare AppData folder AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check human activity check Windows ComputerName Firmware crashed
|
1: BgABegmSFyMxWuKGR.BgABegmSFyMxWuKGR()
|
|
9.6 | M | 32 | ZeroCERT
11032 | 2021-08-09 09:37 | lv.exe 3f57c68e243e816198400b579a6f8d93 | Gen1 Emotet Gen2 Themida Packer Malicious Library UPX Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persist VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check Windows ComputerName Firmware crashed
|
1: QXXeUyzuDuIxPFLVPNbwDZBBB.QXXeUyzuDuIxPFLVPNbwDZBBB()
|
|
10.2 | M | 43 | ZeroCERT
11033 | 2021-08-09 09:38 | file.exe 5c9bc69219f434c0d872aa764bd8e624 | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
|
|
|
|
1.8 | M | 28 | ZeroCERT
11034 | 2021-08-09 09:38 | rollerkind.exe 1b21c1f50ede14f843a7de34f6a2130e | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
|
|
|
|
2.0 | M | 33 | ZeroCERT
11035 | 2021-08-09 09:45 | file.exe b9d0201d96bf236e37d58605857b6879 | UPX Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
|
|
|
|
2.4 | M | 34 | ZeroCERT
11036 | 2021-08-09 09:48 | xvpn.exe d26ecad2f1da070dbdde7a3a36109175 | RAT PWS .NET framework Generic Malware UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
2: http://185.237.165.126:25598/ - rule_id: 3617 https://api.ip.sb/geoip
3: api.ip.sb(104.26.13.31) 185.237.165.126 - mailcious 172.67.75.172
2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
1: http://185.237.165.126:25598/
7.4 | M | 44 | ZeroCERT
11037 | 2021-08-09 09:49 | wintask.exe fa730d83b4be4c873039dc585f958d7c | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Antivirus AntiDebug AntiVM .NET EXE PE File PE32 Malware download NetWireRC VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW BitRAT Windows ComputerName Cryptographic key crashed keylogger
|
2: storage.nsupdate.info(213.152.161.117) 213.152.161.117
2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
|
13.8 | M | 38 | ZeroCERT
11038 | 2021-08-09 09:53 | zxcv.EXE 7fb10b8ea68c1e0064730018fca3cb39 | PWS Loki[b] Loki[m] Raccoon Stealer RAT .NET framework Gen1 Gen2 Generic Malware UPX Malicious Packer Malicious Library Antivirus DNS Socket KeyLogger HTTP Internet API ScreenShot Http API Steal credential DGA Create Service Sniff Audio Es Browser Info Stealer Emotet Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Downloader Password
20: http://185.215.113.77/ac.exe - rule_id: 1807 http://74.119.195.134//l/f/K-R3vHoBagrSXdgRybk2/6ba72ceafccb01eee167d7aa09187085192abe6a http://185.215.113.77/ds2.exe - rule_id: 1811 http://danielmax.ac.ug/msvcp140.dll http://danielmax.ac.ug/softokn3.dll http://danielmax.ac.ug/ - rule_id: 3350 http://185.215.113.77/cc.exe - rule_id: 1812 http://danielmi.ac.ug/index.php - rule_id: 3349 http://74.119.195.134//l/f/K-R3vHoBagrSXdgRybk2/1e6e1f91bf2fd97f39bb3794f23f972b62daf99d http://danielmax.ac.ug/sqlite3.dll http://danielmax.ac.ug/mozglue.dll http://185.215.113.77/rc.exe - rule_id: 1809 http://danielmax.ac.ug/freebl3.dll http://185.215.113.77/ds1.exe - rule_id: 1810 http://danielmax.ac.ug/main.php - rule_id: 3358 http://74.119.195.134/ http://danielmax.ac.ug/nss3.dll http://danielmax.ac.ug/vcruntime140.dll https://cdn.discordapp.com/attachments/873891971998036042/873892704155742258/Bdojytwvbcgagbvmwkdspythmuhhgvq https://cdn.discordapp.com/attachments/873891971998036042/873892046249799720/Jjdsdprkpedcmpxtmnbemyveeqogpvi
16: danielmi.ac.ug(185.215.113.77) - malware telete.in(195.201.225.248) - mailcious sergio.ac.ug(79.134.225.25) heartdoaz.ac.ug() aertdfvaz.ac.ug() ramosasdj.ac.ug() parhatcsafxz.ac.ug() danielmax.ac.ug(185.215.113.77) - mailcious cdn.discordapp.com(162.159.135.233) - malware icacxndo.ac.ug(194.5.98.107) - suspicious 195.201.225.248 - mailcious 162.159.134.233 - malware 74.119.195.134 79.134.225.25 - mailcious 194.5.98.107 - mailcious 185.215.113.77 - malware
10: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 25 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
8: http://185.215.113.77/ac.exe http://185.215.113.77/ds2.exe http://danielmax.ac.ug/ http://185.215.113.77/cc.exe http://danielmi.ac.ug/index.php http://185.215.113.77/rc.exe http://185.215.113.77/ds1.exe http://danielmax.ac.ug/main.php
29.4 | M | 50 | ZeroCERT
11039 | 2021-08-09 09:53 | 123.exe f13f55759c52347f534717c888701fc2 | RAT PWS .NET framework Generic Malware UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
2: http://45.82.176.76:43679/ https://api.ip.sb/geoip
4: api.ip.sb(104.26.13.31) 213.152.161.117 45.82.176.76 104.26.13.31
2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
7.4 | M | 40 | ZeroCERT
11040 | 2021-08-09 09:54 | 32c96ec2c8d3bf05761aef2c8fd76b... be7c117282243faa1f8071798ca554e4 | UPX Malicious Library PE File PE32 VirusTotal Malware Check memory Windows crashed
|
|
|
|
2.2 | M | 35 | ZeroCERT