11746 | 2021-08-24 16:53
toolspab2.exe | MD5 eb7b5911cfc0a95a5066f39ed22aee0a
Tags: Malicious Library AntiDebug AntiVM PE File PE32 VirusTotal Malware PDB Code Injection Checks debugger buffers extracted unpack itself Remote Code Execution
Score 7.0 | M | 28 | ZeroCERT

11747 | 2021-08-24 16:53
pl.exe | MD5 1f6e49e83b13758948915b43fb388a94
Tags: RAT Generic Malware Themida Packer PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
URLs (1): none listed
Hosts (3): api.ip.sb(172.67.75.172) 104.26.13.31 188.124.36.242 - malicious
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 10.8 | M | 36 | ZeroCERT

11748 | 2021-08-24 16:53
tpzx.exe | MD5 1125affa1b6019121459177922270303
Tags: PWS .NET framework Gen1 Gen2 Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library Malicious Packer ASPack UPX ScreenShot Http API Steal credential AntiDebug AntiVM PE File OS Processor Check .NET EXE PE32 DLL VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key
URLs (4): http://188.119.112.104//l/f/VBAid3sBPvGyIjkLf2Nw/742118b82ff74305984a7e59870122d8a9d4dfc5 http://188.119.112.104//l/f/VBAid3sBPvGyIjkLf2Nw/9ab15261acd699b63cbb2fd30e8437e27387589f http://188.119.112.104/ https://telete.in/timkamrstones
Hosts (3): telete.in(195.201.225.248) - malicious 188.119.112.104 195.201.225.248 - malicious
Suricata alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score 14.6 | M | 28 | ZeroCERT

11749 | 2021-08-24 16:55
gazx.exe | MD5 5be66e805ea10740668331c26a4591ee
Tags: PWS Loki[b] Loki.m Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software
Hosts (2): manvim.co(176.32.32.199) - malicious 176.32.32.199
Score 14.4 | M | 38 | ZeroCERT

11750 | 2021-08-24 16:55
fdthirteenzx.exe | MD5 9c819f10b05b46e5363479fd47c2ff4d
Tags: PWS Loki[b] Loki.m Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software
Hosts (2): manvim.co(176.32.32.199) - malicious 176.32.32.199
Score 14.2 | M | 42 | ZeroCERT

11751 | 2021-08-24 16:57
pub1.exe | MD5 8adf73ac6b7cab5e86b1f456b0651de4
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score 2.0 | M | 24 | ZeroCERT

11752 | 2021-08-24 16:57
fileT.exe | MD5 29903569f45cc9979551427cc5d9fd99
Tags: RAT PWS .NET framework Generic Malware SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
URLs (1): none listed
Hosts (3): api.ip.sb(172.67.75.172) 172.67.75.172 - malicious 135.148.139.222 - malicious
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 11.4 | M | 24 | ZeroCERT

11753 | 2021-08-24 16:59
filename.exe | MD5 fc316a48dadfc20ef46f52d892a9c365
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score 2.4 | M | 48 | ZeroCERT

11754 | 2021-08-24 17:17
401k-statement.PDF.jar | MD5 00c6403b831a9a510743b7cb1f3edc62
Tags: NPKI Malicious Library Malicious Packer PE File OS Processor Check DLL PE32 Malware download NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Windows Java Email ComputerName DNS crashed
URLs (1): none listed
Hosts (9): github-releases.githubusercontent.com(185.199.110.154) repo1.maven.org(199.232.192.209) github.com(52.78.231.108) - malicious ip-api.com(208.95.112.1) 193.142.146.203 15.164.81.167 - malware 185.199.109.154 208.95.112.1 151.101.52.209
Suricata alerts (3): ET JA3 Hash - Possible Malware - Java Based RAT ET MALWARE STRRAT CnC Checkin ET POLICY External IP Lookup ip-api.com
Score 9.0 | | 13 | ZeroCERT

11755 | 2021-08-24 17:19
dyno.exe | MD5 256876a198e1b3f8e579ab00a4615e73
Tags: Gorgon Group Generic Malware UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization Remote Code Execution DNS DDNS crashed
URLs (1): http://d-bins.duckdns.org/remcos_d_fIqfwC80.bin
Hosts (4): d-wave.duckdns.org(156.96.119.123) d-bins.duckdns.org(23.146.242.94) 156.96.119.123 23.146.242.94 - malware
Suricata alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 16 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score 5.0 | M | 13 | r0d

11756 | 2021-08-24 17:21
ab.exe | MD5 3f5998401e2da3c62b4ef0114b8a27a4
Tags: Generic Malware PE File PE32 VirusTotal Malware unpack itself
Score 2.0 | M | 41 | r0d

11757 | 2021-08-24 17:22
vbc.exe | MD5 252cae0537d8c3aa42d8e69ad802b966
Tags: PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1): http://65.21.223.84/~t/i.html/XjjuWy0TVqjre - rule_id: 4356
Hosts (1): none listed
Suricata alerts (5): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
C&C (1): http://65.21.223.84/~t/i.html
Score 8.2 | M | 25 | r0d

11758 | 2021-08-24 17:35
vbc.exe | MD5 252cae0537d8c3aa42d8e69ad802b966 (same sample as 11757, resubmitted)
Tags: Generic Malware PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1): http://65.21.223.84/~t/i.html/XjjuWy0TVqjre - rule_id: 4356
Hosts (1): none listed
Suricata alerts (5): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
C&C (1): http://65.21.223.84/~t/i.html
Score 8.2 | M | 25 | r0d

11759 | 2021-08-24 17:45
NEW ORDER QUOTATION.exe | MD5 6221fb8862acad8fb5d543d70c7af953
Tags: Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
Hosts (3): booka11.ddns.net(194.5.98.11) 37.235.1.174 - malicious 194.5.98.11 - malicious
Suricata alerts (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net
Score 15.2 | | 30 | guest

11760 | 2021-08-24 17:45
Scan HP Jet 371302-83.exe | MD5 d703b3cc46820009bb6c4ab14666ea9e
Tags: RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces human activity check Tofsee Windows DNS Cryptographic key DDNS crashed
URLs (1): none listed
Hosts (5): rebornx.duckdns.org(194.5.98.5) www.google.com(172.217.174.100) 194.5.98.5 13.107.21.200 172.217.31.132
Suricata alerts (2): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 15.2 | | 25 | guest

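The host and URL cells in these rows are free text in a small, regular grammar: a domain with its resolved IP in parentheses or a bare IPv4, optionally followed by "- malicious" / "- malware", and URLs optionally followed by "- rule_id: N". The following is an added example, not part of the sandbox listing or its tooling, showing how a SOC engineer would turn that text into a deduplicated, defanged IOC list tagged with the family named by the ET MALWARE alerts and with a dynamic-DNS flag (the duckdns.org and ddns.net suffixes are the ones the ET INFO/POLICY rules above fire on). The cell grammar is inferred from the rows on this page, and the SAMPLE_RECORDS are constructed from rows 11749, 11757 and 11755.

```python
"""Added example: turn the free-text network cells of sandbox listing rows
into a deduplicated, defanged IOC list.

Illustration code, not part of the sandbox page or its tooling. The cell
grammar ("host(ip) - verdict", "url - rule_id: N") is inferred from the rows
on this page; SAMPLE_RECORDS are constructed from a few of those rows.
"""
import re
from dataclasses import dataclass

HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"  # domain or bare IPv4
    r"(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"            # resolved IP, e.g. manvim.co(176.32.32.199)
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"                     # optional verdict, e.g. "- malicious"
)
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FAMILY_RE = re.compile(r"ET MALWARE (\S+)")
# Dynamic-DNS suffixes that the ET INFO/POLICY rules on this page flag.
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net")

# Constructed from rows 11749, 11757 and 11755 of the listing.
SAMPLE_RECORDS = [
    {"md5": "5be66e805ea10740668331c26a4591ee",
     "hosts": "manvim.co(176.32.32.199) - mailcious 176.32.32.199",
     "urls": "", "alerts": ""},
    {"md5": "252cae0537d8c3aa42d8e69ad802b966",
     "hosts": "",
     "urls": "http://65.21.223.84/~t/i.html/XjjuWy0TVqjre - rule_id: 4356",
     "alerts": "ET MALWARE LokiBot User-Agent (Charon/Inferno) "
               "ET MALWARE LokiBot Request for C2 Commands Detected M1"},
    {"md5": "256876a198e1b3f8e579ab00a4615e73",
     "hosts": "d-wave.duckdns.org(156.96.119.123) d-bins.duckdns.org(23.146.242.94) "
              "156.96.119.123 23.146.242.94 - malware",
     "urls": "http://d-bins.duckdns.org/remcos_d_fIqfwC80.bin",
     "alerts": "ET DROP Spamhaus DROP Listed Traffic Inbound group 16 "
               "ET INFO DYNAMIC_DNS Query to *.duckdns. Domain"},
]


@dataclass(frozen=True)
class Ioc:
    kind: str      # "domain", "ip" or "url"
    value: str
    md5: str       # sample the indicator was observed from
    label: str     # verdict the listing attached ("malicious", "malware" or "")
    dyndns: bool   # host sits under a dynamic-DNS provider


def defang(value: str) -> str:
    """Render an indicator so it is neither clickable nor auto-resolved."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def parse_hosts(cell: str) -> list:
    """Split a hosts cell into (name, resolved_ip, label) triples."""
    return [(m.group("name"), m.group("ip"), (m.group("label") or "").lower())
            for m in HOST_RE.finditer(cell)]


def parse_urls(cell: str) -> list:
    """Split a URLs cell into (url, rule_id) pairs; rule_id is None when absent."""
    return [(m.group("url"), m.group("rule")) for m in URL_RE.finditer(cell)]


def families(alert_cell: str) -> list:
    """Family names carried by 'ET MALWARE <name>' alerts, deduplicated."""
    return sorted(set(FAMILY_RE.findall(alert_cell)))


def extract_iocs(record: dict) -> list:
    """Flatten one record into Ioc objects, keeping the strongest verdict per value."""
    found = {}

    def add(kind, value, label, dyndns):
        prev = found.get((kind, value))
        if prev is None or (not prev.label and label):
            found[(kind, value)] = Ioc(kind, value, record["md5"], label, dyndns)

    for name, ip, label in parse_hosts(record.get("hosts", "")):
        label = "malicious" if label == "mailcious" else label  # the page's misspelling
        kind = "ip" if IPV4_RE.match(name) else "domain"
        dyn = kind == "domain" and name.lower().endswith(DYNDNS_SUFFIXES)
        add(kind, name, label, dyn)
        if ip:  # resolved address inherits the verdict of the name it was listed with
            add("ip", ip, label, False)
    for url, _rule_id in parse_urls(record.get("urls", "")):
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        add("url", url, "", host.lower().endswith(DYNDNS_SUFFIXES))
    return sorted(found.values(), key=lambda i: (i.kind, i.value))


def blocklist(records: list) -> list:
    """One defanged, tab-separated line per IOC: kind, value, verdict, dyndns, family, md5."""
    lines = []
    for rec in records:
        fam = ",".join(families(rec.get("alerts", ""))) or "-"
        for ioc in extract_iocs(rec):
            flag = "dyndns" if ioc.dyndns else "-"
            lines.append(f"{ioc.kind}\t{defang(ioc.value)}\t{ioc.label or '-'}\t{flag}\t{fam}\t{ioc.md5}")
    return lines


if __name__ == "__main__":
    print("\n".join(blocklist(SAMPLE_RECORDS)))
```

The verdict merge in extract_iocs matters for rows like 11755, where 23.146.242.94 appears first as the resolved address of d-bins.duckdns.org with no verdict and again as a bare IP tagged "- malware"; keying on (kind, value) and letting a non-empty label win yields one entry with the stronger verdict. Bare IPs that only appear as a resolution target of a benign-looking name (api.ip.sb, www.google.com, repo1.maven.org) are still emitted, so review the "-" verdict rows before pushing the list to a blocklist.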