11656 |
2021-08-23 12:11
|
Operon.exe 871cba396875673097c170edb571a972 RAT PWS .NET framework BitCoin Generic Malware SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://45.147.231.225:40668/ - rule_id: 3368 https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31) 45.147.231.225 - mailcious 104.26.13.31
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
1
http://45.147.231.225:40668/
|
11.6 |
M |
37 |
ZeroCERT
11657 |
2021-08-23 12:11
|
credit.exe 4338aca68fbaab846ec6345a7b85c15c Admin Tool (Sysinternals etc ...) Malicious Library PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed |
2
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1629687681&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DD6676A9A61E841F3%26resid%3DD6676A9A61E841F3%2521129%26authkey%3DALgOfs5uX8ML6NU&lc=1033&id=250206&cbcxt=sky&cbcxt=sky https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21129&authkey=ALgOfs5uX8ML6NU
|
4
login.live.com(40.126.35.129) onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious 40.126.52.1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
34 |
ZeroCERT
11658 |
2021-08-23 12:13
|
UhWxIznbHOIvjE2.exe 37c00a568eef6447fdd49dd5d1cf31b4 RAT PWS .NET framework Generic Malware PSW Bot LokiBot ZeusBot Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 Malware download Malware IoC AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Cryptographic key |
3
http://dll1221.eternalhost.info//cisCheckerstroke.php http://dll1221.eternalhost.info//loader.txt http://dll1221.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av=
|
2
dll1221.eternalhost.info(194.61.0.8) 194.61.0.8 - malware
|
2
ET MALWARE Generic gate[.].php GET with minimal headers ET HUNTING Suspicious GET To gate.php with no Referer
|
|
13.4 |
M |
|
ZeroCERT
11659 |
2021-08-23 12:15
|
fbtc-client.exe 7a9a32c45303b7bef1651551799bb68f Lazarus Family Gen2 RAT BitCoin Generic Malware Themida Packer WebCam UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential D Browser Info Stealer Malware download NetWireRC VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed Downloader |
7
http://bingoroll6.net/new.exe http://bingoroll6.net/bld.exe http://bingoroll15.net/update.php?id=315021678&stat=91e2f106dc042be7fe29ceda1c1236d8&cmd=1 http://45.138.72.167:25882/ http://bingoroll6.net/me.exe http://bingoroll15.net/update.php?id=315021678&stat=91e2f106dc042be7fe29ceda1c1236d8 https://api.ip.sb/geoip
|
12
master11.teamviewer.com(185.188.32.21) bingoroll15.net(104.21.80.70) ping3.teamviewer.com(37.252.229.190) bingoroll6.net(104.21.24.107) api.ip.sb(104.26.13.31) 45.138.72.167 104.26.12.31 188.172.201.158 172.67.218.85 104.21.80.70 185.188.32.21 161.156.67.100
|
7
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY TeamViewer Keep-alive inbound ET MALWARE Win32.Spy/TVRat Checkin SURICATA HTTP unable to match response to request
|
|
19.6 |
M |
30 |
ZeroCERT
11660 |
2021-08-23 12:15
|
lv.exe 527aafb84de77dc3fe50995fa50b7e4b NPKI Emotet Gen1 Gen2 Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS |
|
2
qRmNqPJdKzYHaZpOLsQVpJpKPpa.qRmNqPJdKzYHaZpOLsQVpJpKPpa() 194.61.0.8 - malware
|
|
|
6.8 |
M |
27 |
ZeroCERT
11661 |
2021-08-23 12:17
|
12345_protected.exe e38762223f23dd3373ba4bff00f94c7a RAT ILProtector Packer Generic Malware PE File OS Processor Check .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName |
|
|
|
|
6.2 |
M |
24 |
ZeroCERT
11662 |
2021-08-23 12:19
|
Windows.exe c74a54611729be7c00a42b47d4d41e00 Themida Packer Anti_VM PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed |
1
http://135.181.134.27:54477/ - rule_id: 4328
|
1
135.181.134.27 - mailcious
|
|
1
http://135.181.134.27:54477/
|
6.6 |
M |
35 |
ZeroCERT
11663 |
2021-08-23 12:21
|
file.exe d4c03c86b24c6b5a83c0524e1a9af692 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
30 |
ZeroCERT
11664 |
2021-08-23 12:23
|
1664879191.exe 96d3ef5ec108f2534df06d39ab70aac1 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
49 |
ZeroCERT
11665 |
2021-08-23 12:27
|
GodK6jam0J2bDZkC.exe 80be083d6e199ea9ac0391d791379440 Gen1 Malicious Library Malicious Packer PE File OS Processor Check PE32 DLL JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software Password |
9
http://188.34.200.103/softokn3.dll http://188.34.200.103/msvcp140.dll http://188.34.200.103/903 http://188.34.200.103/freebl3.dll http://188.34.200.103/nss3.dll http://188.34.200.103/vcruntime140.dll http://188.34.200.103/ http://188.34.200.103/mozglue.dll https://eduarroma.tumblr.com/
|
3
eduarroma.tumblr.com(74.114.154.18) 74.114.154.22 - mailcious 188.34.200.103
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Vidar/Arkei Stealer Client Data Upload ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
12.8 |
M |
44 |
ZeroCERT
11666 |
2021-08-23 12:28
|
Dran.exe 224b8bb42508de25bd73489dc6e8ac32 RAT PWS .NET framework Generic Malware PSW Bot LokiBot ZeusBot Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
10.4 |
M |
|
ZeroCERT
11667 |
2021-08-23 12:32
|
vaccine appointment according ... f1680aa55c88220bcf83e24d89628cc9 VirusTotal Malware ComputerName |
|
|
|
|
0.6 |
|
4 |
ZeroCERT
11668 |
2021-08-23 12:33
|
cx2.crt.html c44f8602e3cd5a5f1e720873713df67d Antivirus AntiDebug AntiVM powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key |
1
https://brasilnativopousada.com.br/jefin1.txt
|
2
brasilnativopousada.com.br(209.126.1.255) - malware 209.126.1.255 - malware
|
3
SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
|
|
ZeroCERT
11669 |
2021-08-23 12:39
|
me.exe b4b7ec0373ca6105c4450a1763365496 RAT BitCoin Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
2
http://45.138.72.167:25882/ https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31) 104.26.12.31 45.138.72.167
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
10.4 |
|
43 |
ZeroCERT
11670 |
2021-08-23 12:41
|
new.exe 57f881c03e3b77a572bf422f2b255b4f Lazarus Family Themida Packer Malicious Library PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed |
2
http://45.138.72.167:25882/ https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31) 45.138.72.167 172.67.75.172
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
9.8 |
|
27 |
ZeroCERT