| 11806 |
2021-08-26 09:19
|
 loader2.exe fbae05d8fbfbb56b2a96afabfcaab501
Generic Malware UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee |
1
https://a.uguu.se/VcDkZic
|
2
a.uguu.se(144.76.201.136) - malware
144.76.201.136 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.2 |
M |
15 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11807 |
2021-08-26 09:19
|
 loader1.exe 6cd0a4f10dabb456456d0b7336f13116
Generic Malware UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee |
1
https://a.uguu.se/CSkrqnLH
|
2
a.uguu.se(144.76.201.136) - malware
144.76.201.136 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.4 |
M |
21 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11808 |
2021-08-26 09:22
|
 vbc.bin 24c4788a737cda143d0edac9c711994d
Generic Malware UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee |
1
https://a.uguu.se/PBjmKcXj
|
2
a.uguu.se(144.76.201.136) - malware
144.76.201.136 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.4 |
|
24 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11809 |
2021-08-27 15:29
|
 AjSo.exe 8d0467b08d8e576fa8c5150285a83456
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11810 |
2021-08-27 15:29
|
 Bitcrave.exe 415869c1ab4d22fdc26b5618672d793f
RAT Generic Malware Antivirus DGA DNS Socket Create Service SMTP Sniff Audio Escalate priviledges KeyLogger Code injection Internet API ScreenShot Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion installed browsers check BitRAT Windows Browser ComputerName Cryptographic key crashed keylogger |
|
2
postal-26.ioomoo.xyz(79.134.225.103)
79.134.225.103 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)
|
|
17.2 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11811 |
2021-08-27 15:31
|
 68.exe c67c410c4be756c6bf3b0995f4fbb283
Emotet RAT Gen1 Malicious Library UPX PE File PE32 PE64 DLL OS Processor Check Malware download VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName crashed |
1
http://gillyou.info/soft/68.exe
|
2
gillyou.info(172.67.209.85)
172.67.209.85
|
1
ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
|
|
4.4 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11812 |
2021-08-27 15:31
|
 Client.exe 26597663fcdb8fc32e2076bd5834889a
RAT PWS .NET framework Generic Malware Antivirus Malicious Packer Malicious Library PE File OS Processor Check .NET EXE PE32 Check memory Checks debugger unpack itself DNS |
|
1
79.134.225.103 - mailcious
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11813 |
2021-08-27 15:34
|
 petrol.exe 700a021908885c05ef227a55452d9ffe
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
10.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11814 |
2021-08-27 15:34
|
 XMR.exe 0f23f1451e66b86bc3e56dbb714da989
RAT Generic Malware Antivirus Malicious Packer PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.4 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11815 |
2021-08-27 15:36
|
 ETC.exe 01b6e15274bdff55dd725ed01ad2ba23
RAT Generic Malware Antivirus Malicious Packer PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.2 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11816 |
2021-08-27 15:36
|
 petrols.exe 95a5feae6a76ea65d0c9fe06053788b5
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(132.226.247.73)
216.146.43.70 - suspicious
104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
12.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11817 |
2021-08-27 15:38
|
 playstore.apk f85f6697dbc42c8cb034716dccfe1371VirusTotal Malware |
|
|
|
|
0.6 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11818 |
2021-08-27 15:38
|
 shef1.exe 842124b4ed12ad2f1bddb4360d69fdbb
Lazarus Family Generic Malware Themida Packer Anti_VM Malicious Library PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows ComputerName Firmware DNS Cryptographic key crashed |
1
|
3
api.ip.sb(104.26.12.31)
172.67.75.172 - mailcious
95.181.157.213
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11819 |
2021-08-27 15:40
|
 file9.exe 397081993526f201da9b0045b6cb6736
Generic Malware Themida Packer PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed |
1
|
3
api.ip.sb(104.26.12.31)
104.26.12.31
135.181.134.27 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11820 |
2021-08-27 15:42
|
 bigshoezx.exe 61e17d354f8529a203207e491cab779e
RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library SSL DNS Socket SMTP Escalate priviledges KeyLogger Internet API ScreenShot Dynamic Dns persistence AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs IP Check Tofsee Windows Browser Advertising Google Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
7
http://xred.site50.net/syn/SSLLibrary.dll
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://www.dropbox.com/s/dl/fzj752whr3ontsm/SSLLibrary.dll
https://www.000webhost.com/migrate?static=true
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
|
18
mail.nclanka.lk(162.214.77.81)
www.000webhost.com(104.19.185.120)
checkip.dyndns.org(132.226.247.73)
freedns.afraid.org(69.42.215.252)
freegeoip.app(104.21.19.200)
xred.site50.net(153.92.0.100)
docs.google.com(172.217.26.46) - mailcious
xred.mooo.com()
www.dropbox.com(162.125.84.18) - mailcious
95.181.157.213
162.214.77.81
153.92.0.100 - mailcious
172.217.26.46 - mailcious
104.19.185.120
69.42.215.252
172.67.188.154
158.101.44.242
162.125.84.18
|
8
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SURICATA SMTP invalid reply
ET POLICY Dropbox.com Offsite File Backup in Use
ET HUNTING Suspicious User-Agent Containing .exe
|
|
21.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|