12121
2021-09-06 18:15
ghjkl.exe b23d6c569893579789695f3d05accbe1 Gen1 Gen2 Generic Malware Malicious Library Malicious Packer ASPack UPX Antivirus ScreenShot Http API Steal credential AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check GIF Format JPEG Format Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic unpack itself Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed
4
http://45.142.215.237/ http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/e1f57414f8caba2ca5e4d8fa52512fb00d1a14f8 http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/38f584651402b87b6e658beea19bc3711efb647c https://telete.in/brikitiki - rule_id: 4181
5
google.com(172.217.175.78) telete.in(195.201.225.248) - mailcious 216.58.197.238 - mailcious 195.201.225.248 - mailcious 45.142.215.237
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1
https://telete.in/brikitiki
21.6
M
44
ZeroCERT

12122
2021-09-06 18:18
Users-Progress-072021-1.doc d60b6a8310373c9b84e6760c24185535 Generic Malware VBA_macro Admin Tool (Sysinternals etc ...) Malicious Packer MSOffice File VirusTotal Malware RWX flags setting unpack itself
3.0
36
ZeroCERT

12123
2021-09-06 18:27
ghjkl.exe b23d6c569893579789695f3d05accbe1 PWS Loki[b] Loki.m Gen1 Gen2 Generic Malware Malicious Library Malicious Packer ASPack UPX Antivirus DNS Socket KeyLogger HTTP Internet API ScreenShot Http API Steal credential AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check GIF Format J Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key Software crashed
14
http://mazooyaar.ac.ug/mozglue.dll http://mazooyaar.ac.ug/softokn3.dll http://45.142.215.237/ - rule_id: 4923 http://45.142.215.237/ http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6936a2712329bb51d12294e3b6891e6d95b1d2d6 - rule_id: 4923 http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6936a2712329bb51d12294e3b6891e6d95b1d2d6 http://mazooyaar.ac.ug/freebl3.dll http://mazooyaar.ac.ug/nss3.dll http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6177c830445f6d0494ffcd9e25a157ee4342b34a - rule_id: 4923 http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/6177c830445f6d0494ffcd9e25a157ee4342b34a http://mazoyer.ac.ug/index.php http://mazooyaar.ac.ug/msvcp140.dll http://mazooyaar.ac.ug/sqlite3.dll https://telete.in/brikitiki - rule_id: 4181
8
google.com(172.217.175.78) mazooyaar.ac.ug(185.215.113.77) mazoyer.ac.ug(185.215.113.77) - malware telete.in(195.201.225.248) - mailcious 142.250.196.110 - suspicious 195.201.225.248 - mailcious 45.142.215.237 185.215.113.77 - malware
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 25 ET MALWARE AZORult v3.3 Server Response M3
4
http://45.142.215.237/ http://45.142.215.237/ http://45.142.215.237/ https://telete.in/brikitiki
26.8
M
44
ZeroCERT

12124
2021-09-07 08:18
blackmatter.exe 18c7c940bc6a4e778fbdf4a3e28151a8 PE File PE32 VirusTotal Email Client Info Stealer Malware MachineGuid Check memory unpack itself AntiVM_Disk VM Disk Size Check Ransomware Email ComputerName crashed
2
nowautomation.com() mojobiden.com() - mailcious
7.0
53
ZeroCERT

12125
2021-09-07 08:33
SmartPDF.exe 194566000b641a6a1df824c6dbf3d7b7 Generic Malware PE File PE64 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName
1
https://bitbucket.org/Sanctam/sanctam/raw/6886fdce0f0a2bb81eece107d8acbd20b349ca2f/includes/ethminer - rule_id: 4430
4
sanctam.net(185.65.135.234) - mailcious bitbucket.org(104.192.141.1) - malware 185.65.135.234 104.192.141.1 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1
https://bitbucket.org/Sanctam/sanctam/raw/6886fdce0f0a2bb81eece107d8acbd20b349ca2f/includes/ethminer
6.6
M
37
ZeroCERT

12126
2021-09-07 08:33
dyno.exe 973c74057f1054e07a98170568bb9bc9 UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization Remote Code Execution DNS DDNS crashed
1
http://dyn-bin.duckdns.org/remcos_d_fIqfwC80.bin
4
dyn-bin.duckdns.org(23.146.242.85) d-wave.duckdns.org(156.96.119.123) - mailcious 156.96.119.123 - mailcious 23.146.242.85 - malware
2
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET DROP Spamhaus DROP Listed Traffic Inbound group 16
5.2
M
28
ZeroCERT

12127
2021-09-07 08:34
wealthzx.exe bd26bbf79c82f44d6017c89c2e273e78 Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
6
mail.faks-allied-health.com(107.180.56.180) freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 107.180.56.180 - malware 132.226.247.73 104.21.19.200
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
13.8
M
23
ZeroCERT

12128
2021-09-07 08:35
Launcher.exe 6557d0d59d2e4dee77c7960695ac8969 RAT Generic Malware Antivirus Malicious Packer PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
5
104.21.33.188 104.21.59.252 - malware 172.67.158.82 - malware 154.38.97.90 104.21.31.210 - mailcious
9.4
M
22
ZeroCERT

12129
2021-09-07 08:36
explorer.exe 754cae6c58cfb857c870d38ef49e2959 AgentTesla browser info stealer Generic Malware Google Chrome User Data Malicious Library Malicious Packer Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware AutoRuns Code Injection Check memory buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AppData folder WriteConsoleW Windows DNS
2
107.180.56.180 - malware 46.8.211.72
17.2
M
45
ZeroCERT

12130
2021-09-07 08:36
eth.exe 383ebcffd99777dbc7a2d7b81f0216cd Emotet Gen1 Malicious Library UPX DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS VirusTotal Malware Buffer PE AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Remote Code Execution DNS crashed
2
jOduIfTqIUBGLbliyqGnb.jOduIfTqIUBGLbliyqGnb() 23.67.53.11
12.2
M
19
ZeroCERT

12131
2021-09-07 08:37
Semt.exe fbce6a70198854557fbeca0f09587758 GhostRAT NSIS Malicious Library PE File PE32 OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns Check memory Creates executable files ICMP traffic RWX flags setting unpack itself Detects VMWare sandbox evasion VMware Windows Exploit Browser RAT Backdoor Trojan DNS crashed
5
103.119.1.139 34.97.69.225 - mailcious 154.38.97.90 154.38.97.86 - malware 139.155.178.173 - malware
10
ET INFO Executable Download from dotted-quad Host ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server ET MALWARE Backdoor family PCRat/Gh0st CnC traffic ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP
9.8
M
53
ZeroCERT

12132
2021-09-07 08:38
TXGJ.exe 99d66cd7da25f37b13936ce6f0f939d7 Gen1 Gen2 Generic Malware Malicious Library Malicious Packer ASPack PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger RWX flags setting unpack itself AppData folder sandbox evasion Browser Remote Code Execution
4.6
M
55
ZeroCERT

12133
2021-09-07 08:43
solex.exe cd46dbf532b047ca67d19ea025e88051 UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization Remote Code Execution DNS DDNS
1
http://sol-bin.duckdns.org/Remcos_S_tGNeLX139.bin
5
slx-wave.duckdns.org(23.146.242.71) sol-bin.duckdns.org(23.146.242.85) 23.146.242.85 - malware 23.146.242.71 104.21.19.200
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
5.8
M
32
ZeroCERT

12134
2021-09-07 08:54
Server2.txt 25cadf6feefa9079e88ad685989c2ff9 Anti_VM ScreenShot AntiDebug AntiVM VirusTotal Malware Check memory unpack itself
1.4
5
ZeroCERT

12135
2021-09-07 09:23
11.txt bd181467a7ca114a05034e7a84f45857 ScreenShot AntiDebug AntiVM Check memory unpack itself
1.0
ZeroCERT