11536 |
2021-08-19 19:15
|
rob122DzjsdFA.dll 1ad0ef26e95163677b3dc9cc45a707c1 UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File OS Processor Check DLL PE32 Dridex TrickBot VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName Remote Code Execution DNS crashed |
20
|
14
icanhazip.com(104.18.6.156) 150.134.208.175.cbl.abuseat.org() 150.134.208.175.zen.spamhaus.org() 150.134.208.175.b.barracudacentral.org(127.0.0.2) 46.99.175.217 - mailcious 104.18.7.156 46.99.175.149 - mailcious 179.189.229.254 - mailcious 5.152.175.57 - mailcious 221.147.172.5 216.166.148.187 - mailcious 182.253.210.130 - mailcious 181.129.167.82 - mailcious 62.99.79.77
|
4
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET POLICY curl User-Agent Outbound ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
|
1
|
11.4 |
|
16 |
ZeroCERT
11537 |
2021-08-19 19:17
|
ifeanyizx.exe 24122b4238300a247b93bcca000ba531 NPKI Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
1
|
|
|
10.0 |
|
17 |
ZeroCERT
11538 |
2021-08-19 19:17
|
insta.exe 11a79a566d71be64898643e5d9c47d1f Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
10.6 |
M |
26 |
ZeroCERT
11539 |
2021-08-19 19:20
|
msword.exe 389c1a165c6169966cee944569e9ad35 email stealer Generic Malware Admin Tool (Sysinternals etc ...) DNS Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
2
104.18.7.156 20.150.137.35
|
|
|
11.2 |
|
23 |
ZeroCERT
11540 |
2021-08-19 19:22
|
redtank.png 1618f8ae8ee070d71010a20d21b5e856 AntiDebug AntiVM PE File DLL PE32 Dridex TrickBot Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName Remote Code Execution DNS crashed |
19
|
14
150.134.208.175.b.barracudacentral.org(127.0.0.2) 150.134.208.175.cbl.abuseat.org() ident.me(176.58.123.25) 150.134.208.175.zen.spamhaus.org() 105.27.205.34 - mailcious 221.147.172.5 179.189.229.254 - mailcious 194.146.249.137 - mailcious 5.152.175.57 - mailcious 176.58.123.25 185.56.175.122 - mailcious 65.152.201.203 - mailcious 216.166.148.187 - mailcious 60.51.47.65 - mailcious
|
4
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)
|
14
|
10.8 |
M |
|
ZeroCERT
11541 |
2021-08-19 19:22
|
sureboizx.exe 0740ebf29c02a6f39536c40cd318e3ba Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
9.6 |
M |
24 |
ZeroCERT
11542 |
2021-08-19 19:22
|
templezx.exe ff3570efe3c65339988cab633a78c030 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
11
freegeoip.app(172.67.188.154) mail.alliedhealthga.com(107.180.56.180) checkip.dyndns.org(132.226.8.169) 105.27.205.34 - mailcious 5.152.175.57 - mailcious 221.147.172.5 185.56.175.122 - mailcious 107.180.56.180 - malware 216.146.43.70 - suspicious 60.51.47.65 - mailcious 172.67.188.154
|
5
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org SURICATA Applayer Detect protocol only one direction ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.8 |
M |
29 |
ZeroCERT
11543 |
2021-08-19 19:24
|
vbc.exe 1ba29471321f0be5a3064e6c226fb80d PE File OS Processor Check PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software |
1
http://185.227.139.5/sxisodifntose.php/XjjuWy0TVqjre - rule_id: 3949
|
2
107.180.56.180 - malware 185.227.139.5 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://185.227.139.5/sxisodifntose.php
|
8.2 |
M |
22 |
ZeroCERT
11544 |
2021-08-19 19:26
|
22.exe 8dcb2324f286af46e7127586f36c9c09 RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
|
1
|
|
|
4.0 |
|
34 |
ZeroCERT
11545 |
2021-08-20 05:42
|
CERT.RSA 03b2afe6c95dbc9b5f1082002f363414 AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName |
|
|
|
|
3.8 |
|
|
guest
11546 |
2021-08-20 07:52
|
invoice.wbk 26b33f4a460b096e9840af920f18547f RTF File doc AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS DDNS crashed |
|
4
newmeforever.3utilities.com(79.134.225.25) - mailcious newmeforever12.3utilities.com() - mailcious 107.174.224.202 - malware 79.134.225.25 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY DNS Query to DynDNS Domain *.3utilities .com ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.2 |
M |
|
ZeroCERT
11547 |
2021-08-20 07:52
|
fish.exe 820abc3428b3155ad6aaeb767ea561e0 Generic Malware Admin Tool (Sysinternals etc ...) UPX DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
3
newmeforever.3utilities.com(79.134.225.25) - mailcious newmeforever12.3utilities.com() - mailcious 79.134.225.25 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.3utilities .com
|
|
14.6 |
|
35 |
ZeroCERT
11548 |
2021-08-20 07:54
|
saint.xlsx 39c183d75831c185a6ca1459f8b6fb49 Generic Malware Anti_VM MSOffice File Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS DDNS crashed |
1
http://107.174.224.202/saint.exe
|
4
newmeforever.3utilities.com(79.134.225.25) - mailcious newmeforever12.3utilities.com() - mailcious 107.174.224.202 - malware 79.134.225.25 - mailcious
|
6
ET POLICY DNS Query to DynDNS Domain *.3utilities .com ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.8 |
|
19 |
ZeroCERT
11549 |
2021-08-20 07:56
|
nass.exe 12cf41794cd41156c4f43c26cff1c740 Generic Malware UPX DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
3
newmeforever.3utilities.com(79.134.225.25) - mailcious newmeforever12.3utilities.com() - mailcious 79.134.225.25 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.3utilities .com
|
|
14.6 |
|
30 |
ZeroCERT
11550 |
2021-08-20 09:15
|
147162461.exe 48686c7f0d51dd91141ce266623a3941 UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.6 |
M |
49 |
ZeroCERT