11506 | 2021-08-19 10:03 | angelzx.exe | MD5 5a5826ecc44cc5190e75860e10f96292 | 9.0 | M | 23 | ZeroCERT
Tags: Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none

11507 | 2021-08-19 10:03 | cop.exe | MD5 977a62444517295a0cfeb9e6e6f8e27a | 12.0 | M | 21 | ZeroCERT
Tags: Emotet UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution
URLs (3):
  https://a2q8ua.sn.files.1drv.com/y4mHv4FC3w4vu3xhBTq24EbcDs_9Ff-44ScNZJQarXQBccz-PruP8ExelHSqV4xuSj1PR_PPwAx83eslXEvSVPGJLAx6jbxr7NiKLVWjGnwSEAmq2CXsMYx6tAOhpM0N3OVm_TRtfBK4MGUWRaG-J5vdfrM8n39Zd-XWT_D5HNE8x7r8KtWZtkxAPGKBZg38Lwz5ZErWoxPxmYyqtRxi0UCYg/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1
  https://a2q8ua.sn.files.1drv.com/y4mOQSKY3HPgDKYEXuiiOOPH_9t-Ca0UvsxWDvkH7aAj7bxUE5NIow9fuBaFmI_887wuFZq2k6AIwvtuiX8o9KIpSbJDgwZDGsdHbrqfxj8jwNBYfdzbt8FbH-8WRSR9Ls1NSB1vsywWLgE1mrKIB_6nU-4-b-B30748uy5_cdIKS7LL8B1hpZszZnzhW3gmiUITmMhVByGnEZSQYv5LDwGbQ/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1
  https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21124&authkey=AAvFfFUNaaPX5xg
Hosts (6):
  a2q8ua.sn.files.1drv.com(13.107.42.12)
  onedrive.live.com(13.107.42.13) - mailcious
  twistednerd.dvrlists.com(62.102.148.152) - mailcious
  13.107.42.13 - mailcious
  13.107.42.12 - malware
  62.102.148.152
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none

11508 | 2021-08-19 10:05 | @Crocodile_O1.exe | MD5 ce32331eefc0fd2380cb98027944a0ce | 7.2 | M | 32 | ZeroCERT
Tags: RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://185.224.132.232:64354/ - rule_id: 4143
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(104.26.12.31)
  172.67.75.172
  185.224.132.232 - mailcious
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs (1):
  http://185.224.132.232:64354/

11509 | 2021-08-19 10:08 | unknown.exe | MD5 88b2d854215fd08289e8ef659f063da9 | 12.4 | M | | ZeroCERT
Tags: RAT PWS .NET framework NPKI Generic Malware UPX Malicious Library Antivirus PE File OS Processor Check .NET EXE PE32 PE64 .NET DLL DLL Browser Info Stealer Malware download Malware Phishing powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed Downloader
URLs (4):
  http://talueratas.xyz/
  http://5.252.176.81/clr.exe
  https://2no.co/SVK43 - rule_id: 3551
  https://api.ip.sb/geoip
Hosts (7):
  talueratas.xyz(93.189.40.76)
  2no.co(88.99.66.31) - mailcious
  api.ip.sb(172.67.75.172)
  93.189.40.76
  88.99.66.31 - mailcious
  172.67.75.172
  5.252.176.81
IDS alerts (8):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SURICATA HTTP unable to match response to request
Rule-matched URLs: 1 (entries not listed)

11510 | 2021-08-19 10:10 | hzz111.exe | MD5 83d8510a16c90341a32ddee68f0a8eee | 7.0 | M | 28 | ZeroCERT
Tags: UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 PE64 VirusTotal Malware AutoRuns Code Injection Windows utilities suspicious process AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName
URLs (1):
  http://tj.gogo2021.xyz/tongji.php?os=6.1.7601&userid=hzz222&mac=94DE278C3274&ver=&xiezai=0&wb=&az=0&uid=
Hosts (2):
  tj.gogo2021.xyz(202.79.175.12)
  202.79.175.12
IDS alerts: none
Rule-matched URLs: none

11511 | 2021-08-19 10:12 | word.exe | MD5 05057af2091a89b9e8493804e4d0551f | 12.2 | M | 34 | ZeroCERT
Tags: email stealer Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key crashed
URLs: none
Hosts: 1 (entries not listed)
IDS alerts: none
Rule-matched URLs: none

11512 | 2021-08-19 10:14 | ECHEZONA.exe | MD5 da05ccf8157f5567b50545e58635f96e | 7.4 | M | 59 | ZeroCERT
Tags: AgentTesla backdoor RemcosRAT browser info stealer Google Chrome User Data UPX Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files Windows utilities malicious URLs WriteConsoleW Windows DNS DDNS
URLs: none
Hosts (2):
  echox12.ddns.net(18.118.135.36)
  18.118.135.36
IDS alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
Rule-matched URLs: none

11513 | 2021-08-19 10:16 | Finest_.exe | MD5 0f63a1200f5bbec0624b86ff2b6e3e51 | 12.0 | M | 24 | ZeroCERT
Tags: RAT PWS .NET framework BitCoin Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://149.28.252.135:26948/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(172.67.75.172)
  149.28.252.135
  172.67.75.172
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none

11514 | 2021-08-19 10:18 | installzo.exe | MD5 95af4263b7597d1688801b8fcf6b1df9 | 7.4 | M | 42 | ZeroCERT
Tags: RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://185.186.142.245:1778/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(172.67.75.172)
  104.26.13.31
  185.186.142.245
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none

11515 | 2021-08-19 10:21 | file3.exe | MD5 6980597a4822f4cadea9ac264711ebd2 | 13.0 | M | 26 | ZeroCERT
Tags: RAT BitCoin Generic Malware UPX Malicious Library AntiDebug AntiVM PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://212.192.246.73:10854/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(172.67.75.172)
  104.26.12.31
  212.192.246.73
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none

11516 | 2021-08-19 10:23 | win32c.exe | MD5 de9d4c9c1009d24b1fb38205a5277beb | 9.0 | M | 60 | ZeroCERT
Tags: AgentTesla backdoor RemcosRAT browser info stealer Google Chrome User Data UPX Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files Windows utilities malicious URLs WriteConsoleW Windows DNS DDNS keylogger
URLs: none
Hosts (2):
  tobi12345.hopto.org(18.118.55.110)
  18.118.55.110
IDS alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
Rule-matched URLs: none

11517 | 2021-08-19 10:25 | office.exe | MD5 3c06ef80548abdb452c885502503df1e | 11.8 | M | 28 | ZeroCERT
Tags: email stealer Generic Malware DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Cryptographic key crashed
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none

11518 | 2021-08-19 10:27 | bonloggzx.exe | MD5 c6ccf3dcfe56fbc118b46cc54120b852 | 9.0 | M | 27 | ZeroCERT
Tags: Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none

11519 | 2021-08-19 10:29 | RAR.exe | MD5 f1ce5c3870e9206af22fcf1d156d55ac | 7.4 | M | 59 | ZeroCERT
Tags: AgentTesla backdoor RemcosRAT browser info stealer Google Chrome User Data UPX Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files Windows utilities malicious URLs WriteConsoleW Windows DNS DDNS
URLs: none
Hosts (2):
  tobi12345.hopto.org(18.118.55.110)
  18.118.55.110
IDS alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
Rule-matched URLs: none

11520 | 2021-08-19 10:31 | @desssiredd.exe | MD5 0d6c91905b7d593f2ac9b035bf517d4c | 7.4 | M | 44 | ZeroCERT
Tags: RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://185.224.132.232:64354/ - rule_id: 4143
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(104.26.12.31)
  104.26.13.31
  185.224.132.232 - mailcious
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs (1):
  http://185.224.132.232:64354/