11821 | 2021-08-27 15:42
Sample: build_2021-08-25_11-30.exe (MD5 b27c38cb9a8a55bf5f24051bf8c39e91)
Tags: UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS
URLs: -
Hosts (1): not listed
Signatures: -
Score: 2.4 | M | 24 | ZeroCERT

11822 | 2021-08-27 15:44
Sample: tooltipred.png (MD5 4f907ddbf3e599e3d4f6687dcf69e747)
Tags: Emotet Malicious Library AntiDebug AntiVM PE File PE32 Dridex TrickBot Malware Report suspicious privilege Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
URLs (12):
  http://icanhazip.com/
  https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/b5Jb57X3TvfZJdxFT53d/
  https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabb64/
  https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/8uMoLXFfUKElAG6M7lPr/
  https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabc64/
  https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/10/62/CETDHVSBTPT/7/
  https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/file/
  https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/NAT%20status/client%20is%20behind%20NAT/0/
  https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
  https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Ctooltipred.png/0/
  https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/user/test22/0/
  https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/W86mMKPIM801nj2bSV6zifCFnf/
Hosts (8):
  icanhazip.com(104.18.6.156)
  104.18.6.156
  179.189.229.254 - malicious
  194.146.249.137 - malicious
  5.152.175.57 - malicious
  97.83.40.67 - malicious
  62.99.79.77
  104.21.19.200
Signatures (5):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 25
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET POLICY curl User-Agent Outbound
  ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
Score: 10.2 | - | - | ZeroCERT

11823 | 2021-08-27 15:45
Sample: Adobe-GenP-2.7.exe (MD5 6467e9dd5d86c741aed49060e6d3fcd2)
Tags: Malicious Library PE File PE64 OS Processor Check VirusTotal Malware Report Check memory Checks debugger unpack itself sandbox evasion human activity check DNS
URLs: -
Hosts (3):
  179.189.229.254 - malicious
  5.152.175.57 - malicious
  97.83.40.67 - malicious
Signatures (1):
  ET CNC Feodo Tracker Reported CnC Server group 25
Score: 3.0 | - | 1 | ZeroCERT

11824 | 2021-08-27 15:46
Sample: resizebar.png (MD5 b4e0bc4b97c1ff7dc3964293fd10fa5a)
Tags: Emotet Malicious Library AntiDebug AntiVM PE File PE32 Dridex TrickBot Malware suspicious privilege Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
URLs (11):
  http://ipinfo.io/ip
  https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/
  https://105.27.205.34/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/pwgrabb64/
  https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Cresizebar.png/0/
  https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
  https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/
  https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/z1RfvZD1vvtrtJVrhxtnnRnLXLxp397/
  https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/
  https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/10/62/UPAVJRPOIHULLMOEWW/7/
  https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/nV95LdBjzHxVvvN9bbjL1B91hj9f3TTl/
  https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/AHvzHrFQV1MQSv8aoTWrUcl1PKGXJRyJ/
Hosts (9):
  ipinfo.io(34.117.59.81)
  105.27.205.34 - malicious
  46.99.175.149 - malicious
  216.166.148.187 - malicious
  46.99.188.223 - malicious
  221.147.172.5 - malicious
  179.189.229.254 - malicious
  65.152.201.203 - malicious
  34.117.59.81
Signatures (4):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET POLICY curl User-Agent Outbound
  ET POLICY Possible External IP Lookup ipinfo.io
Score: 10.2 | - | - | ZeroCERT

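The beacon URLs in tasks 11822 and 11824 share one layout: https://<C2 IP>/<campaign tag>/<client ID>/<command number>/<arguments>/. The tag (top119, lip119), the client ID (sandbox hostname TEST22-PC, a W617601 build token and 32 hex characters) and the command numbers are all visible in the paths. The parser below is an added example, not code from the page or from any sandbox project; it pulls those fields out of a run's URL list so the C2 set, requested modules and reported host facts can be read off mechanically. The names given to the command numbers (0 register, 5 module request, 10 log, 14 key/value report) and the regexes for the tag and client ID are the author's reading of the visible paths, not a documented specification. The sample input is copied from task 11822.

```python
"""Parse TrickBot-style beacon URLs of the shape seen in sandbox tasks 11822/11824.

Added example. Observed layout: https://<c2>/<gtag>/<client id>/<cmd>/<args...>/
Command names and the gtag/client-id patterns are the analyst's assumption,
inferred from the visible paths on the listing, not a published spec.
"""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional
from urllib.parse import unquote, urlparse

GTAG_RE = re.compile(r"^[a-z]{2,5}\d{1,4}$")             # assumption: top119, lip119, ...
CLIENT_ID_RE = re.compile(r"^[^/]+_W\d+\.[0-9A-F]{32}$")  # TEST22-PC_W617601.<32 hex>
COMMAND_NAMES = {0: "register", 5: "module-request", 10: "log", 14: "report"}  # assumption


@dataclass
class Beacon:
    c2: str
    gtag: str
    client_id: str
    command: int
    args: List[str] = field(default_factory=list)

    @property
    def kind(self) -> str:
        return COMMAND_NAMES.get(self.command, "unknown")


def parse_beacon(url: str) -> Optional[Beacon]:
    """Return a Beacon if the URL has the gtag/client-id/command layout, else None."""
    u = urlparse(url)
    # Split before unquoting so an encoded '/' inside an argument stays one segment.
    parts = [unquote(p) for p in u.path.split("/") if p]
    if len(parts) < 3 or not u.hostname:
        return None
    gtag, client_id, cmd = parts[0], parts[1], parts[2]
    if not (GTAG_RE.match(gtag) and CLIENT_ID_RE.match(client_id) and cmd.isdigit()):
        return None
    return Beacon(u.hostname, gtag, client_id, int(cmd), parts[3:])


def summarize(urls: List[str]) -> Dict[str, Any]:
    """Reduce one run's URL list to the facts an analyst would pull out by hand."""
    s: Dict[str, Any] = {"c2": set(), "gtags": set(), "client_ids": set(),
                         "os": None, "external_ip": None, "modules": [],
                         "reports": {}, "unparsed": []}
    for url in urls:
        b = parse_beacon(url)
        if b is None:
            s["unparsed"].append(url)          # e.g. the icanhazip.com IP check
            continue
        s["c2"].add(b.c2)
        s["gtags"].add(b.gtag)
        s["client_ids"].add(b.client_id)
        if b.kind == "register" and len(b.args) >= 3:
            s["os"], s["external_ip"] = b.args[0], b.args[2]   # OS string, public IP
        elif b.kind == "module-request" and b.args:
            s["modules"].append(b.args[0])                     # pwgrabb64, pwgrabc64, file
        elif b.kind == "report" and len(b.args) >= 2:
            s["reports"][b.args[0]] = b.args[1]                # NAT status, exc, path, user
    return s


# Sample input: the twelve URLs recorded for task 11822 on this listing.
SAMPLE_URLS = [
    "http://icanhazip.com/",
    "https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/b5Jb57X3TvfZJdxFT53d/",
    "https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabb64/",
    "https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/8uMoLXFfUKElAG6M7lPr/",
    "https://5.152.175.57/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/pwgrabc64/",
    "https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/10/62/CETDHVSBTPT/7/",
    "https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/5/file/",
    "https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/NAT%20status/client%20is%20behind%20NAT/0/",
    "https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/",
    "https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Ctooltipred.png/0/",
    "https://97.83.40.67/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/14/user/test22/0/",
    "https://179.189.229.254/top119/TEST22-PC_W617601.F7F5DEE33983115D7B3F09AF9950BB62/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/W86mMKPIM801nj2bSV6zifCFnf/",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_URLS)
    for key in ("c2", "gtags", "client_ids", "os", "external_ip", "modules", "reports", "unparsed"):
        print(f"{key:12} {summary[key]}")
```

Two things the summary makes visible that the flat URL list hides: the external-IP lookup (icanhazip.com here, ipinfo.io in task 11824) is the only URL that is not a beacon, and it precedes the register call that carries the resulting public address; and the "exc" report carries the access-violation code 0xc0000005, which is the same event the listing tags as "crashed". The client ID differs between the two tasks (F7F5DEE3... versus 71D63B35...) although the hostname token TEST22-PC is identical, so the hostname alone is not what the ID is derived from.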
11825 | 2021-08-27 15:47
Sample: vbc.exe (MD5 97c2aecf2380200fc50b84d72af34480)
Tags: Generic Malware UPX PE File PE32 VirusTotal Malware Check memory Checks debugger buffers extracted ICMP traffic unpack itself Tofsee DNS
URLs (1):
  https://a.tmp.ninja/aWRwMVU
Hosts (6):
  a.tmp.ninja(198.251.89.86)
  46.99.175.149 - malicious
  179.189.229.254 - malicious
  198.251.89.86
  221.147.172.5 - malicious
  172.67.188.154
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.4 | M | 14 | ZeroCERT

11826 | 2021-08-27 15:48
Sample: Sonytec.exe (MD5 9f131b2c9238dec27437d330d4b2b872)
Tags: RAT Generic Malware Antivirus KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Check virtual network interfaces suspicious process AppData folder sandbox evasion VMware anti-virtualization IP Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (5):
  http://ip-api.com/line/?fields=hosting
  http://ifconfig.me/ip
  https://whatsmyipaddress.biz/?address=6dd8da1fb15460cf6fd20f30217fcc4d9b15c671&format=92&type=235dOXMm&sb=1
  https://whatsmyipaddress.biz/?address=6dd8da1fb15460cf6fd20f30217fcc4d9b15c671&format=92&type=235dOXMm&sd=1
  https://whatsmyipaddress.biz/?address=6dd8da1fb15460cf6fd20f30217fcc4d9b15c671&format=92&type=235dOXMm
Hosts (8):
  ifconfig.me(34.117.59.81)
  ip-api.com(208.95.112.1)
  whatsmyipaddress.biz(111.90.156.84)
  ftp.pfsbankgroup.com(185.239.243.112)
  111.90.156.84
  185.239.243.112 - malware
  208.95.112.1
  34.117.59.81
Signatures (5):
  ET POLICY External IP Lookup ip-api.com
  ET INFO Observed DNS Query to .biz TLD
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
  ET POLICY External IP Lookup Domain (ifconfig .me)
Score: 25.8 | M | 11 | ZeroCERT

11827 | 2021-08-27 15:49
Sample: Sensys_DSign_FY_2021_2022Setup... (MD5 b919eae6a85535797d58048b45c8df00)
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB Check memory RWX flags setting unpack itself Remote Code Execution
URLs: -
Hosts: -
Signatures: -
Score: 2.2 | M | 13 | ZeroCERT

11828 | 2021-08-27 15:49
Sample: jetbaksaz.dll (MD5 47b7c6480b6f17e7f084584f04cf5440)
Tags: Generic Malware PE File .NET DLL DLL PE32 VirusTotal Malware PDB
URLs: -
Hosts: -
Signatures: -
Score: 1.0 | M | 29 | ZeroCERT

11829 | 2021-08-27 15:50
Sample: NvidiaShare1.exe (MD5 814f22a67e6d2046f532f973f197c649)
Tags: RAT PWS .NET framework Generic Malware DGA DNS Socket Create Service SMTP Sniff Audio Escalate privileges KeyLogger Code injection Internet API ScreenShot Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself malicious URLs Tofsee BitRAT Windows ComputerName DNS Cryptographic key crashed keylogger
URLs (1):
  https://cdn.discordapp.com/attachments/875152353035157555/880421379307089940/Chrome.exe
Hosts (5):
  cdn.discordapp.com(162.159.135.233) - malware
  104.18.6.156
  162.159.134.233 - malware
  179.43.141.103
  208.95.112.1
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)
Score: 13.0 | M | 20 | ZeroCERT

11830 | 2021-08-27 15:51
Sample: mixer.exe (MD5 63b84dcd1b3804bcb9daeca03e14bfc6)
Tags: Generic Malware Themida Packer PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed
URLs (1): not listed
Hosts (4):
  api.ip.sb(172.67.75.172)
  135.181.134.27 - malicious
  104.26.13.31
  179.43.141.103
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.0 | M | 21 | ZeroCERT

11831 | 2021-08-27 15:52
Sample: DC.exe (MD5 eb847438f988c2a2d52bcf0f0b439980)
Tags: RAT PWS .NET framework Generic Malware Antivirus Malicious Packer Malicious Library PE File OS Processor Check .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS
URLs: -
Hosts (1): not listed
Signatures: -
Score: 3.6 | M | 43 | ZeroCERT

11832 | 2021-08-27 15:53
Sample: 0fd9ce44914b3beda3c86ba2163945... (MD5 6d3d857dce2ce88c250574619f6a2f0a)
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS
URLs: -
Hosts (1): not listed
Signatures: -
Score: 2.8 | M | 41 | ZeroCERT

11833 | 2021-08-27 15:54
Sample: nputty.exe (MD5 1b726484bea3d11852e96ef2494cce24)
Tags: Generic Malware Malicious Packer PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself human activity check Windows ComputerName DNS DDNS
URLs: -
Hosts (4):
  dertrefg.duckdns.org(37.0.10.40)
  hhjhtggfr.duckdns.org(192.169.69.26) - malicious
  192.169.69.26 - phishing
  37.0.10.40
Signatures (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 9.0 | M | 53 | ZeroCERT

11834 | 2021-08-27 15:57
Sample: .svchost.exe (MD5 2644b63346379dd60b63309ff086eeef)
Tags: UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Remote Code Execution
URLs: -
Hosts: -
Signatures: -
Score: 2.0 | M | 30 | ZeroCERT

11835 | 2021-08-27 15:57
Sample: odinakazx.exe (MD5 8e6f8cd375efaba9d88c2930af3dc10e)
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (10):
  http://www.saradiba.com/9t6k/?Q2M=SaAIu3lDcv+vsCPEIS9ktArTHiKz1YFeYbUTdQKH4UquSylUrUTL+fcGQi1rQUC7DYHomt5O&D81d7=Abihu4dh7n2x1dkp
  http://www.urne24.online/9t6k/?Q2M=XEZUsmhefmfw3QKQE5ZrpuI8N7oVWrtY0zr9qFGtaUataE1TE0DCRND7FOKibblEWaB5niCz&D81d7=Abihu4dh7n2x1dkp
  http://www.schoolphysician.com/9t6k/?Q2M=aZxCmALwA5R5+eIwzrzpi1QpWfsvyjuzp/cxNNZ9Jwezj0NN8vNJ2pHGntbNv+WmK2oIJIQQ&D81d7=Abihu4dh7n2x1dkp
  http://www.prosgra.com/9t6k/?Q2M=YfuNKs3Bp4F47rpu49Idp1lfSZU1BgghPs0n2TaEVn9WjWyXIXXb35zMgdSBzSSQ/y+/7+Gc&D81d7=Abihu4dh7n2x1dkp
  http://www.duancanhoastralcity.com/9t6k/?Q2M=1USpb1Bk7NLatI5NohBEA9PujVfNP1PKGiDc81iHBltTqKOkZ5Hh2NRwQh24DsrsAEaWcebH&D81d7=Abihu4dh7n2x1dkp
  http://www.bergenfiel.com/9t6k/?Q2M=s8oaEA8cRNw5vMBu8Wk/8KdaqRJ5o00PvD4f6j6ZUxj7LCZqhH83R1BxbYpwJodvEKoz6erO&D81d7=Abihu4dh7n2x1dkp
  http://www.gsmits.com/9t6k/?Q2M=DHXsxYVj36jYo9XSI0k8aBI122PK8jbY2KWdAli3CiKs+89pIe70JNlIpSp++nfgfBz+S8aX&D81d7=Abihu4dh7n2x1dkp
  http://www.360453.com/9t6k/?Q2M=MXszZjiL5m8KYwVoSSySw2FqEqiBnWUcZ0I4A0KIaxlfgU1OBx983PfdxSJageOZ61F/gpnc&D81d7=Abihu4dh7n2x1dkp
  http://www.aattonline.com/9t6k/?Q2M=aJf7vz7Dx/mfgwFQoEPDi39K9rl7e15T/XCFbiUDsI43rh1ubaT7oKUwDh9OfXBPQgY/TkJX&D81d7=Abihu4dh7n2x1dkp
  http://www.dheeclinical.com/9t6k/?Q2M=zn2Kb1z3vtYkfsTCUqtcWPMExFY7OxSYFyUydnPl9DXioHsibwlGw2F9p0OONFz0CLg9SXRH&D81d7=Abihu4dh7n2x1dkp
Hosts (22):
  www.duancanhoastralcity.com(54.169.219.94)
  www.saradiba.com(156.225.32.15)
  www.schoolphysician.com(208.109.65.254)
  www.gsmits.com(34.98.99.30)
  www.dheeclinical.com(172.67.129.175)
  www.urne24.online(89.31.143.1)
  www.cpsolivera.com(166.88.88.81)
  www.360453.com(103.110.62.64)
  www.bergenfiel.com(192.187.111.219)
  www.prosgra.com(47.89.240.186)
  www.aattonline.com(165.3.91.100)
  166.88.88.81
  208.109.65.254
  89.31.143.1 - malicious
  103.110.62.64
  54.169.219.94
  165.3.91.100
  47.89.240.186
  192.187.111.219 - malicious
  156.225.32.15
  104.21.1.179
  34.98.99.30 - phishing
Signatures (2):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 19
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.0 | M | 35 | ZeroCERT

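Several IPs recur across unrelated-looking tasks on this page: 179.189.229.254 is contacted by both TrickBot runs (11822, 11824), by Adobe-GenP-2.7.exe (11823, which also triggers the Feodo Tracker CnC rule) and by vbc.exe (11825); 5.152.175.57 and 97.83.40.67 are shared by 11822 and 11823; 46.99.175.149 and 221.147.172.5 by 11824 and 11825. The script below is an added example, not code from the listing: it parses the hosts field in the form used here (domain(ip) entries, bare IPs, an optional " - tag" suffix) and indexes IPs by the tasks that contacted them, so such overlaps can be found rather than eyeballed. The field grammar is inferred from the page, not taken from a published schema, and the sample input is copied from the records above. Shared IPs behind external-IP-check services (icanhazip.com, ipinfo.io, ifconfig.me, ip-api.com) are expected across unrelated samples, so the pivot offers a filter that keeps only IPs the listing tagged.

```python
"""Pivot on IPs shared across sandbox tasks, from the hosts field of this listing.

Added example. Field grammar (inferred from the page): whitespace-separated
entries, each "domain(ip)" or a bare IPv4, optionally followed by " - <tag>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"^([A-Za-z0-9.-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)$")
TAG_ALIASES = {"mailcious": "malicious"}   # some exports of this listing misspell the tag


@dataclass
class HostEntry:
    ip: str
    domain: Optional[str] = None
    tag: Optional[str] = None


def parse_hosts(field: str) -> List[HostEntry]:
    """Tokenise one hosts field into (ip, domain, tag) entries."""
    toks = field.split()
    entries: List[HostEntry] = []
    i = 0
    while i < len(toks):
        tok = toks[i]
        i += 1
        m = DOMAIN_RE.match(tok)
        if m:
            entry = HostEntry(ip=m.group(2), domain=m.group(1))
        elif IP_RE.match(tok):
            entry = HostEntry(ip=tok)
        else:
            continue                     # not an entry in this listing's format
        if i + 1 < len(toks) and toks[i] == "-":   # trailing " - <tag>"
            entry.tag = TAG_ALIASES.get(toks[i + 1], toks[i + 1])
            i += 2
        entries.append(entry)
    return entries


def build_index(records: Dict[int, str]) -> Dict[str, dict]:
    """Map each IP to the task IDs, tags and resolved domains seen with it."""
    index: Dict[str, dict] = defaultdict(lambda: {"records": set(), "tags": set(), "domains": set()})
    for task_id, field in records.items():
        for e in parse_hosts(field):
            info = index[e.ip]
            info["records"].add(task_id)
            if e.tag:
                info["tags"].add(e.tag)
            if e.domain:
                info["domains"].add(e.domain)
    return dict(index)


def shared_ips(index: Dict[str, dict], min_records: int = 2, flagged_only: bool = False) -> Dict[str, dict]:
    """IPs seen in at least min_records tasks; flagged_only keeps those carrying a tag."""
    return {ip: info for ip, info in index.items()
            if len(info["records"]) >= min_records and (info["tags"] or not flagged_only)}


# Sample input: hosts fields copied from the tasks on this page.
SAMPLE_RECORDS = {
    11822: "icanhazip.com(104.18.6.156) 104.18.6.156 179.189.229.254 - malicious 194.146.249.137 - malicious 5.152.175.57 - malicious 97.83.40.67 - malicious 62.99.79.77 104.21.19.200",
    11823: "179.189.229.254 - malicious 5.152.175.57 - malicious 97.83.40.67 - malicious",
    11824: "ipinfo.io(34.117.59.81) 105.27.205.34 - malicious 46.99.175.149 - malicious 216.166.148.187 - malicious 46.99.188.223 - malicious 221.147.172.5 - malicious 179.189.229.254 - malicious 65.152.201.203 - malicious 34.117.59.81",
    11825: "a.tmp.ninja(198.251.89.86) 46.99.175.149 - malicious 179.189.229.254 - malicious 198.251.89.86 221.147.172.5 - malicious 172.67.188.154",
    11826: "ifconfig.me(34.117.59.81) ip-api.com(208.95.112.1) whatsmyipaddress.biz(111.90.156.84) ftp.pfsbankgroup.com(185.239.243.112) 111.90.156.84 185.239.243.112 - malware 208.95.112.1 34.117.59.81",
    11829: "cdn.discordapp.com(162.159.135.233) - malware 104.18.6.156 162.159.134.233 - malware 179.43.141.103 208.95.112.1",
    11830: "api.ip.sb(172.67.75.172) 135.181.134.27 - malicious 104.26.13.31 179.43.141.103",
}

if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS)
    for ip, info in sorted(shared_ips(idx).items(), key=lambda kv: -len(kv[1]["records"])):
        flag = "FLAGGED" if info["tags"] else "untagged"
        print(f"{ip:16} {flag:9} tasks={sorted(info['records'])} domains={sorted(info['domains'])}")
```

Run against the page's records the flagged set is the five TrickBot-associated C2 addresses; the untagged overlaps (104.18.6.156, 34.117.59.81, 208.95.112.1, 179.43.141.103) are either IP-check endpoints or carry no tag in the listing and need a separate check before being treated as infrastructure. A shared, tagged IP says the samples touched the same server during the run, not that they are the same family: 11823 is tagged neither TrickBot nor Emotet, yet it contacts the same three C2s as 11822.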