11626 | 2021-08-21 09:17
file3.exe 20e9069cee1f45478ad701e6591959c3
Tags: RAT PWS .NET framework BitCoin Generic Malware SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Cryptographic key crashed
URLs (2): http://jekorikani.xyz/ https://api.ip.sb/geoip
Hosts (4): jekorikani.xyz(185.117.75.123) api.ip.sb(104.26.13.31) 104.26.12.31 185.117.75.123 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
9.8 | M | | ZeroCERT

11627 | 2021-08-21 09:18
Android_Guncelleme.apk 3f44e53892fe1ea4abb5eb537ca347f7
Tags: AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName
4.2 | M | 8 | ZeroCERT

11628 | 2021-08-21 09:19
msedge_web.exe 7c6e0622a03d8f1d062757882987dd2d
Tags: RAT Generic Malware Antivirus Malicious Packer PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
7.6 | M | 28 | ZeroCERT

11629 | 2021-08-21 09:20
file6.exe 446637e3ae69f3bc221b8be9c410f3b5
Tags: RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://45.14.49.232:6811/ https://api.ip.sb/geoip
Hosts (3): api.ip.sb(172.67.75.172) 104.26.12.31 45.14.49.232
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 38 | ZeroCERT

11630 | 2021-08-21 09:21
msedge.exe 9fa656e46f3e5936261d1c9ea1b4952f
Tags: RAT Generic Malware Malicious Packer Antivirus PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
7.0 | M | 26 | ZeroCERT

11631 | 2021-08-21 09:26
@TrippieLZT.exe b0cdc459012aae2a5210da376f5df3e0
Tags: RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader
URLs (3): http://185.250.206.82:21330/ - rule_id: 3929 http://a0570895.xsph.ru/rnd.exe - rule_id: 4309 https://api.ip.sb/geoip
Hosts (5): a0570895.xsph.ru(141.8.192.58) - malware api.ip.sb(172.67.75.172) 141.8.192.58 - malware 104.26.12.31 185.250.206.82 - mailcious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile SURICATA HTTP unable to match response to request
Rule-matched URLs (2): http://185.250.206.82:21330/ http://a0570895.xsph.ru/rnd.exe
7.4 | M | 40 | ZeroCERT

11632 | 2021-08-21 12:16
simple.png 4fb0ee16540b1779fce8c502e6d877dc
Tags: Emotet Gen1 Malicious Library Malicious Packer AntiDebug AntiVM PE File OS Processor Check DLL PE32 Dridex TrickBot VirusTotal Malware Report suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName DNS crashed
URLs (18):
https://185.56.175.122/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/DJS6KJsl65V5nFwMo9/ https://97.83.40.67/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ZLPtp9fdjfjlx9ZD5bp9/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/14/DNSBL/listed/0/ https://97.83.40.67/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/10/62/JXHVHPLBDXXPH/7/ https://105.27.205.34/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/5/pwgrabc64/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/5/file/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/14/NAT%20status/client%20is%20behind%20NAT/0/ https://105.27.205.34/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/5/pwgrabb64/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/ https://184.74.99.214/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CArh-Cat79LLHL%5Cflsimplexl.dmo/0/ https://184.74.99.214/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/9zPGdBbjwEq5eaKruQEKQYx942/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/23/100019/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/10/62/RJPPTNNBRBB/7/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/1/B9JFNbxl9dJZrzdrz3zH/ 
https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/5lzwvmMIa5aD7Tu2g5FCNaV1WJ31/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/14/user/test22/0/ https://179.189.229.254/rob125/TEST22-PC_W617601.1100CBB80BDD7ACB7F603DD3F53BB42F/10/62/JRBLETMWAPMIABTIG/7/ https://api.ip.sb/ip
Hosts (13): 150.134.208.175.b.barracudacentral.org(127.0.0.2) 150.134.208.175.cbl.abuseat.org() 150.134.208.175.zen.spamhaus.org() api.ip.sb(104.26.12.31) 105.27.205.34 - mailcious 172.67.75.172 179.189.229.254 - mailcious 194.146.249.137 - mailcious 184.74.99.214 - mailcious 185.56.175.122 - mailcious 97.83.40.67 - mailcious 216.166.148.187 - mailcious 79.106.115.107 - mailcious
Alerts (5): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 25 ET CNC Feodo Tracker Reported CnC Server group 10 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | | 7 | ZeroCERT

11633 | 2021-08-21 12:17
mac.dotm d9b583dae1c7d4bdef40a58e084651f8
Tags: VBA_macro VirusTotal Malware unpack itself
1.8 | | 18 | ZeroCERT

11634 | 2021-08-21 12:26
2021.xls 56675c71fc4d24043b4e985a8b08110a
Tags: MSOffice File VirusTotal Malware RWX flags setting unpack itself
1.4 | | 16 | guest

11635 | 2021-08-21 12:57
Mango.exe 743ba3d2c39e49ea72a76d58f60e9532
Tags: RAT PWS .NET framework BitCoin Generic Malware Antivirus HTTP Internet API Http API Downloader SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
URLs (5): http://185.167.97.37:30900/ http://iplogger.org/1m2Kd7 https://iplogger.org/1m2Kd7 https://cdn.discordapp.com/attachments/878150731209781310/878336470941847652/AudioMD.exe https://api.ip.sb/geoip
Hosts (9): api.ip.sb(104.26.12.31) cdn.discordapp.com(162.159.133.233) - malware bitbucket.org(104.192.141.1) - malware iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 104.26.13.31 162.159.135.233 - malware 104.192.141.1 - mailcious 185.167.97.37
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.0 | | 28 | ZeroCERT

11636 | 2021-08-21 12:57
bildak.exe 74462c471a8c9dffed8b89f945c95175
Tags: PWS Loki[b] Loki.m AgentTesla RAT .NET framework Gen1 browser info stealer Generic Malware Malicious Library Malicious Packer SMTP ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check DLL JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key Software Password
URLs (9): http://188.34.200.103/softokn3.dll http://188.34.200.103/msvcp140.dll http://188.34.200.103/948 http://188.34.200.103/freebl3.dll http://188.34.200.103/nss3.dll http://188.34.200.103/vcruntime140.dll http://188.34.200.103/ http://188.34.200.103/mozglue.dll https://eduarroma.tumblr.com/
Hosts (3): eduarroma.tumblr.com(74.114.154.18) 74.114.154.22 - mailcious 188.34.200.103
Alerts (6): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Vidar/Arkei Stealer Client Data Upload ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
16.4 | | 24 | ZeroCERT

11637 | 2021-08-21 12:58
maijn.exe 61da94be84700b3011e522e60a3c2c0b
Tags: RAT PWS .NET framework Generic Malware SMTP HTTP Internet API Http API Downloader AntiDebug AntiVM PE File .NET EXE PE32 GIF Format VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Tofsee Windows Browser Cryptographic key
URLs (2): http://iplogger.org/1ZrVd7 https://iplogger.org/1ZrVd7
Hosts (4): bitbucket.org(104.192.141.1) - malware iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 104.192.141.1 - mailcious
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | | 27 | ZeroCERT

11638 | 2021-08-23 10:01
ffff.exe d35e7ff5f6287ff8b7fcf92ea41bf684
Tags: RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key
4.2 | M | 15 | ZeroCERT

11639 | 2021-08-23 10:08
b0e4f7e89442b09ac387d141968818... f206ba06dfdef9c5233fcf2a85a0732a
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware Check memory crashed
1.8 | M | 40 | ZeroCERT

11640 | 2021-08-23 10:09
5Yt9sCiDJCsigNC.exe 5e02008227eca0fcf1fe8aeeb4c98e19
Tags: RAT PWS .NET framework Generic Malware HTTP Internet API Http API Downloader AntiDebug AntiVM PE File .NET EXE PE32 GIF Format VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows Browser Cryptographic key
URLs (2): http://iplogger.org/1bUgq7 https://iplogger.org/1bUgq7
Hosts (4): bitbucket.org(104.192.141.1) - malware iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 104.192.141.1 - mailcious
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 24 | ZeroCERT