11566 | 2021-08-20 09:40
2009601830.exe | db1629d2b1951b62e2d77a69dbc22750
RAT PWS .NET framework Generic Malware UPX SMTP AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
7.0 | M | 40 | ZeroCERT

11567 | 2021-08-20 09:41
skin.exe | 35d246695f2bca9c07c187a2b41ca7e3
UPX PE File OS Processor Check PE32 VirusTotal Malware PDB
1.4 | M | 24 | ZeroCERT

11568 | 2021-08-20 09:46
sefile2.exe | 46153e33a9297cec0237938991f4f3d0
UPX Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | M | 33 | ZeroCERT

11569 | 2021-08-20 09:46
@seefeld_logs.exe | d973a9816427d0da020942830752185a
RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader
URLs (3):
  http://185.250.206.82:21330/ - rule_id: 3929
  http://a0570895.xsph.ru/rnd.exe
  https://api.ip.sb/geoip
Hosts (5):
  a0570895.xsph.ru(141.8.192.58)
  api.ip.sb(104.26.13.31)
  141.8.192.58 - malware
  185.250.206.82 - mailcious
  172.67.75.172
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malicious URLs (1):
  http://185.250.206.82:21330/
7.8 | M | 44 | ZeroCERT

11570 | 2021-08-20 09:52
BIN.exe | 4eb2be32690511a45844f521fa273dcb
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
10.2 | M | 30 | ZeroCERT

11571 | 2021-08-20 09:52
@fezyXZ.exe | 5f63bc0d54eef42f51aa2f124b1971b1
RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader
URLs (3):
  http://185.250.206.82:21330/ - rule_id: 3929
  http://a0570895.xsph.ru/rnd.exe
  https://api.ip.sb/geoip
Hosts (5):
  a0570895.xsph.ru(141.8.192.58)
  api.ip.sb(104.26.13.31)
  141.8.192.58 - malware
  185.250.206.82 - mailcious
  104.26.13.31
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  SURICATA HTTP unable to match response to request
Malicious URLs (1):
  http://185.250.206.82:21330/
7.4 | M | 41 | ZeroCERT

11572 | 2021-08-20 09:54
2084414845.exe | af23965c3e2673940b70f436bb45f766
UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.6 | M | 50 | ZeroCERT

11573 | 2021-08-20 09:54
HZUWUM5pprq6yKV.exe | 3616925290acd4f40efd5a3889f3d3f1
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) HTTP Internet API Http API Downloader AntiDebug AntiVM PE File .NET EXE PE32 GIF Format VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself sandbox evasion WriteConsoleW Tofsee Windows Browser Cryptographic key
URLs (2):
  http://iplogger.org/1bUgq7
  https://iplogger.org/1bUgq7
Hosts (4):
  bitbucket.org(104.192.141.1) - malware
  iplogger.org(88.99.66.31) - mailcious
  88.99.66.31 - mailcious
  104.192.141.1 - mailcious
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 19 | ZeroCERT

11574 | 2021-08-20 09:56
rollerkind.exe | b6b054b0a63ed8e89b4a55c1679b8743
UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | M | 32 | ZeroCERT

11575 | 2021-08-20 09:58
vbc.exe | 26d0904528843324f3ea49ff05e530e2
UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself human activity check Windows ComputerName
Hosts (2):
  marriesortanoneline.ddnsgeek.com(79.134.225.29)
  79.134.225.29
8.0 | M | 29 | ZeroCERT

11576 | 2021-08-20 10:08
photo.png | 042d6a2c08376d3cb1860a74383a5e58
Emotet Gen1 UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File OS Processor Check DLL PE32 Dridex TrickBot VirusTotal Malware Report suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
URLs (23):
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/10/62/289684/0/
  https://221.147.172.5/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/5/pwgrabc64/
  https://105.27.205.34/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/5/networkDll64/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/t4t3CS0jQMS9UI5SNoHrkbjtx6cei9l/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/1ovoQnL1dPUqTI9l/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/23/100019/
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/14/networkDll64/reload1/0/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/10/62/FMVZUWJFLMMODQWN/7/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/10/62/ZFNFZNFXBVRTP/7/
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/14/user/test22/0/
  https://46.99.175.149/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/OI3LyOOUmuYHFL26IAylrWkdSWcs/
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/14/pwgrabc/sTart%20Run%20D%20failed/0/
  https://46.99.175.149/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CArh-CatT0VKPD%5Cscphotorg.dmo/0/
  https://221.147.172.5/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/5/pwgrabb64/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/1/nX5MSl1KKv9sNLfeSGF6AS1KHeuzdV/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/14/DNSBL/listed/0/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/10/62/MLVBSVIBGGSLCETYA/7/
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/1/9g3K3Gh8vChwthBQuAfCr6lURUHfovZ/
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/9h1FTJ3vRTD3jjtJPF91V1nNR3XHLTHR/
  https://185.56.175.122/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ldtPZdTFpdDVL1rN/
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
  https://46.99.175.217/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/14/NAT%20status/client%20is%20behind%20NAT/0/
  https://45.36.99.184/rob124/TEST22-PC_W617601.33A5997458BBAA6F33F33FF551B198D3/5/file/
Hosts (13):
  150.134.208.175.b.barracudacentral.org(127.0.0.2)
  150.134.208.175.cbl.abuseat.org()
  ipecho.net(34.117.59.81) - mailcious
  150.134.208.175.zen.spamhaus.org()
  105.27.205.34
  46.99.175.217 - mailcious
  46.99.175.149 - mailcious
  216.166.148.187 - mailcious
  194.146.249.137 - mailcious
  221.147.172.5 - mailcious
  185.56.175.122 - mailcious
  45.36.99.184 - mailcious
  34.117.59.81
Signatures (5):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET POLICY curl User-Agent Outbound
  ET POLICY External IP Lookup - ipecho.net
  ET CNC Feodo Tracker Reported CnC Server group 19
10.8 | M | 12 | ZeroCERT

11577 | 2021-08-20 10:09
@anzLZT.exe | 5fbdb67d70370031243a318db2299252
RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader
URLs (3):
  http://185.250.206.82:21330/ - rule_id: 3929
  http://a0570895.xsph.ru/rnd.exe
  https://api.ip.sb/geoip
Hosts (5):
  a0570895.xsph.ru(141.8.192.58)
  api.ip.sb(172.67.75.172)
  141.8.192.58 - malware
  104.26.12.31
  185.250.206.82 - mailcious
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  SURICATA HTTP unable to match response to request
Malicious URLs (1):
  http://185.250.206.82:21330/
7.2 | M | 33 | ZeroCERT

11578 | 2021-08-20 11:38
skin.exe | 35d246695f2bca9c07c187a2b41ca7e3
Admin Tool (Sysinternals etc ...) UPX Malicious Library ASPack PE File OS Processor Check PE32 VirusTotal Malware PDB
1.4 | M | 24 | guest

11579 | 2021-08-20 11:43
skin.exe | 35d246695f2bca9c07c187a2b41ca7e3
Admin Tool (Sysinternals etc ...) Malicious Library ASPack PE File OS Processor Check PE32 VirusTotal Malware PDB
1.4 | M | 24 | r0d

11580 | 2021-08-20 16:15
.dllhost.exe | 2d7c454c7dc1b5a3222cb313e46cb031
Loki PWS Loki[b] Loki.m Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software
URLs (1):
  http://manvim.co/fd3/fre.php - rule_id: 2518
Hosts (2):
  manvim.co(193.162.143.197) - mailcious
  193.162.143.197 - mailcious
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://manvim.co/fd3/fre.php
12.6 | M | 18 | guest