| 11416 |
2021-08-17 17:55
|
 8098nz2.exe 0d035197b133e068ebc338a99f994c54
AgentTesla(IN) Generic Malware Malicious Library Malicious Packer PE File .NET EXE PE32 suspicious privilege Check memory Checks debugger unpack itself |
|
|
|
|
1.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11417 |
2021-08-17 17:56
|
 file7.exe 8c69181e218d120c2222c285f73f3434
RAT Generic Malware Themida Packer UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed |
2
http://193.56.146.22:47861/
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31)
193.56.146.22
104.26.13.31
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11418 |
2021-08-17 17:58
|
 03da82f27a042bb21948e80c788097... 445dfcd1f7f35099093f7320d467c76d
UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware Check memory Windows crashed |
|
|
|
|
2.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11419 |
2021-08-17 18:00
|
 tooltipred.png 6d477a8502a9d2f05e587b2073b086cf
Emotet Gen1 UPX Malicious Library PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed |
1
https://181.129.167.82/top115/TEST22-PC_W617601.D77311C718433BB88B57C4AF73BE1FD6/5/file/
|
3
46.99.175.217 - mailcious
181.129.167.82
46.99.175.149 - mailcious
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
4.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11420 |
2021-08-17 18:02
|
 dow-4.exe 6ed87aec021b3fb313ccb925de4985b2
RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
2.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11421 |
2021-08-17 18:04
|
 1508.exe aa5c3aa529d2ad5bf85d45e21408717d
RAT Generic Malware Anti_VM UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed |
2
http://46.28.204.54:27605/
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31)
104.26.13.31
46.28.204.54
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
9.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11422 |
2021-08-18 09:42
|
 PROG8300_projectExecutable.exe dba25831a9434a39e84717c9f8f6ba57
Gen2 Gen1 UPX Malicious Library PE File OS Processor Check PE32 PE64 DLL VirusTotal Malware Malicious Traffic Creates executable files WriteConsoleW |
1
http://www.securityresearch.ca/infected/8K3F19/ServiceUpdater.exe
|
2
www.securityresearch.ca(64.235.108.186)
64.235.108.186
|
|
|
2.6 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11423 |
2021-08-18 09:44
|
Has US policy toward the Pales... 5711989af8510851baf4fec63d67d1e3
Admin Tool (Sysinternals etc ...) UPX Malicious Library Malicious Packer PDF PE File OS Processor Check PE32 GIF Format VirusTotal Malware suspicious privilege MachineGuid Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS crashed |
|
1
|
1
ET INFO Observed DNS Query to .work TLD
|
|
8.6 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11424 |
2021-08-18 10:56
|
 installs3.exe 30d75d7d5fe9cea029423a625f4e7802
RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
|
1
|
|
|
5.2 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11425 |
2021-08-18 10:56
|
 Proliv12345.exe 37682e0e7a16ecef1a19f44177e8b583
PWS .NET framework NPKI Generic Malware PSW Bot LokiBot ZeusBot Admin Tool (Sysinternals etc ...) KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Cryptographic key |
|
2
ns3.ru.web.msk.host(194.226.139.38)
194.226.139.38
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11426 |
2021-08-18 10:59
|
 sunnyzx.exe 799c3c52ef032c42c3bb3eb8cad03e95
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.71)
132.226.8.169
104.21.19.200
|
3
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
|
|
12.8 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11427 |
2021-08-18 10:59
|
 formbookzx.exe 168d0c902497a9cbf6281aca78482cb3
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
3
http://www.ubique.works/m3n0/?kxl0drr=XY3fYCvwORbGPxtSxSQVDy8D/DgP/Q6U0jLqL/9Ze9Gbp745YUdIHr8LMFFepVyh6OzcG5cB&jBZ4=KneX-
http://www.yourvert.com/m3n0/?kxl0drr=p+Rf1CG7FauHpJE9Y14QZTSs7HiMaFYzpVM6h2kAD3Nie/rbK1Hom73EVwMq0sJBPNaGWXc5&jBZ4=KneX-
http://www.terrasombrafarms.com/m3n0/?kxl0drr=Lll3djfmpqf4gVsKwJ7EBNIIhBMOoCJsh2K73HLJEVynFnO3uZpJKx+f/nkW8ApCIX9e9JyW&jBZ4=KneX-
|
6
www.yourvert.com(13.58.168.69)
www.terrasombrafarms.com(104.21.45.157)
www.ubique.works(52.220.193.16)
172.67.216.104
178.128.124.245
3.133.163.136
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11428 |
2021-08-18 11:00
|
 whesilozx.exe 15ff0a4c0f9b8083b0fee0ddb8a8ceb3
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.2 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11429 |
2021-08-18 11:03
|
 vbc.exe a9c17b30c3c8d1ab73368929ce6a9ccd
UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName |
14
http://www.delhibudokankarate.com/6mam/?P48tW=Dhv3NEq6R5NPQZs0dIik/SqBuvIY1/ydOcIgQc1Go12Tt/gNYl4yWQ2VA57WdGuU8YdfRGOR&KR-LRr=VTW8eX4xAtX - rule_id: 4168
http://www.mobiessence.com/6mam/?P48tW=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&KR-LRr=VTW8eX4xAtX - rule_id: 3578
http://www.lawmetricssolicitors.com/6mam/?P48tW=4Gj0yn3nr4YWFpZH4qn2bQ/Mf+Y/K54EnXCw/FRHgkyWUNrW3vdYTE+qdBaiGkNQ4kKGGQ8H&KR-LRr=VTW8eX4xAtX - rule_id: 3575
http://www.kykyryky.art/6mam/?P48tW=YhmCqIEbUGfuw5buP1ux4NwPyUbKdSmuBWvVd54Q/24mN/u1gMwH9i6nnbSMiSrA5lPx01TB&KR-LRr=VTW8eX4xAtX - rule_id: 3577
http://www.adenxsdesign.com/6mam/?P48tW=tU44klL44EKqmodFv/jg5nrIY8m9SPufik0gg789I5xKoKlf2FGRw1yhbPhqQNhokqqERcg/&KR-LRr=VTW8eX4xAtX - rule_id: 4003
http://www.cannamalism.com/6mam/?P48tW=kn71xoO9iU2mX4j71h7bz8HHhkUEjJyTF2/azklG2erytyCHrh0zJMDeYoghQinFk6RtaMTe&KR-LRr=VTW8eX4xAtX - rule_id: 3576
http://www.bransolute.com/6mam/?P48tW=3lOIhqUq6P+U3Pv+KiDZArCwgFDmfekdTy2Nm2rSf3PvYUYfwCDamY7ww9DFIoj1y02HC7Ks&KR-LRr=VTW8eX4xAtX - rule_id: 3581
http://www.riveraitc.com/6mam/?P48tW=SnhjisI499lOsf3YfO532EwcXneBDaw7KeLS1bDcRf/9DFIScc8FKAxpINBYBIfoUHjDmPpQ&KR-LRr=VTW8eX4xAtX - rule_id: 4005
http://www.ilovemehoodie.com/6mam/?P48tW=WcJFy0FDyb1eQp1HHEDezlfsnB+bgSZ9M5sCd3/XEWVbVLaHwBgyDt5AxetLVNVTX35rQb0V&KR-LRr=VTW8eX4xAtX - rule_id: 4001
http://www.fuzhourexian.com/6mam/?P48tW=qbpZFH7voKbXHHWLfMfEAiwyGaz4A1Dlq6aJ6MnbqPgDgfYDR2UnLoNROh/k48NFxcmn1xi3&KR-LRr=VTW8eX4xAtX - rule_id: 3580
http://www.envirotechpropertiesltd.com/6mam/?P48tW=YBYrB5Ucm7S+XdfKOAf3sqA5fkKZ062k5RXT8xg/v1kRVTyEaAKCnyzwvrlUA7NS++0u+6AB&KR-LRr=VTW8eX4xAtX
https://dkbp0q.sn.files.1drv.com/y4mrMcJrhX3NS3j0HI9CmsynkzscYSv_j_iG0h1PkCA9fSFqb31FN3Rs9U3ozYt6s-bL6yaEBA40CFCVyBRNoGmZW36gpV5owlcwq84wnAx4ukteCnDJGxxxHu63HyYNZRKJcWZAwikI9GXq1HYzdM6wwnfUeQX2C2Y_qVBMmz8chgIp_VSAgovTegxBpZnAsqnKG78TUBNMSGY3aMVVAVSbw/Gvxbhgpirujajjglqjoceyevinvvtyb?download&psid=1
https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21121&authkey=AITqAZYmBhxHYRs
https://dkbp0q.sn.files.1drv.com/y4mk8x3V8lsTnH8fK4NVgwbdpZN0dVecv_1w63fnJBjVOBdbbs9xAIxConjlhOTx--JIrGvI4C6u6Dq1yELyHvd8es9OWD5BwXQFcph34vaRWCvKPVZdKsOO_drRSM8a4gUZ0nq7ZBEh2CPvo3VcDxQQx05VyisqlgR3EszThf8bYuIoASeUj90xT4LP-cDr0TrvDU43fyT7RZrqWuxq94B9w/Gvxbhgpirujajjglqjoceyevinvvtyb?download&psid=1
|
29
www.opticatervisof.com() - mailcious
www.delhibudokankarate.com(154.215.87.120)
www.cannamalism.com(34.102.136.180)
onedrive.live.com(13.107.42.13) - mailcious
www.fuzhourexian.com(47.245.33.84)
www.mobiessence.com(52.58.78.16)
www.adenxsdesign.com(217.160.0.46)
www.geekotronic.com()
www.riveraitc.com(23.227.38.74)
www.envirotechpropertiesltd.com(198.49.23.144)
www.apacshift.support() - mailcious
www.bransolute.com(192.185.236.169)
dkbp0q.sn.files.1drv.com(13.107.42.12)
www.candlewooddmc.com() - mailcious
www.ilovemehoodie.com(23.227.38.74)
www.lawmetricssolicitors.com(173.214.172.82)
www.kykyryky.art(194.67.71.40)
154.215.87.120 - mailcious
52.58.78.16 - mailcious
47.245.33.84 - mailcious
173.214.172.82
194.67.71.40
13.107.42.13 - mailcious
13.107.42.12 - malware
192.185.236.169 - mailcious
34.102.136.180 - mailcious
217.160.0.46 - mailcious
23.227.38.74 - mailcious
198.185.159.144 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
10
http://www.delhibudokankarate.com/6mam/
http://www.mobiessence.com/6mam/
http://www.lawmetricssolicitors.com/6mam/
http://www.kykyryky.art/6mam/
http://www.adenxsdesign.com/6mam/
http://www.cannamalism.com/6mam/
http://www.bransolute.com/6mam/
http://www.riveraitc.com/6mam/
http://www.ilovemehoodie.com/6mam/
http://www.fuzhourexian.com/6mam/
|
10.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11430 |
2021-08-18 11:03
|
 tmt.exe c12b9137c5ceccee311215cbd5a8d7b2
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|