12256 | 2021-09-09 16:36
mix07092.exe | ceee3b5981e743a66cd818320564298f | Themida Packer Anti_VM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed
URLs (1):
Hosts (3):
  api.ip.sb(104.26.12.31)
  104.26.12.31
  65.21.77.163
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.2 | M | 33 | ZeroCERT

12257 | 2021-09-09 20:02
Documents new.xlsb | e2c5c7d099745fa74d4653b6d49338d2 | VirusTotal Malware Creates executable files RWX flags setting unpack itself suspicious process
URLs (1):
  https://pawevi.com/lch5.dll
Hosts (1):
4.0 | | 25 | ZeroCERT

12258 | 2021-09-09 20:03
Protected Client.js | b2c47a2918eef35baf623e2e42c5b694 | AgentTesla browser info stealer Generic Malware Google Chrome User Data Antivirus Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection ScreenShot Downloader AntiDebug AntiVM Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS keylogger
URLs (1):
  http://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg
Hosts (6):
  google.com(172.217.175.238)
  dreamwatchevent.com(144.208.125.220) - malware
  freightmgmt.duckdns.org(194.5.98.207) - mailcious
  144.208.125.220 - malware
  216.58.200.78
  194.5.98.207 - mailcious
Signatures (3):
  ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
  ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
17.0 | M | | ZeroCERT

12259 | 2021-09-09 20:27
linesloters.png | 03328209b7e90eb369be9ea61e397fce | Malicious Library AntiDebug AntiVM PE File OS Processor Check PE32 Dridex TrickBot VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
URLs (12):
  http://checkip.amazonaws.com/
  https://105.27.205.34/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/5/pwgrabc64/ - rule_id: 5031
  https://75.176.235.182/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/5/pwgrabb64/
  https://181.129.167.82/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/LbVFVPVfb5LZ5LHJthlplTtHtr/
  https://128.201.76.252/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/qCnOnFqZFemSxYDtFyOhK0/
  https://179.189.229.254/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/14/user/test22/0/ - rule_id: 5030
  https://179.189.229.254/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/5/file/ - rule_id: 5030
  https://128.201.76.252/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGames1UKR%5Clinesloters.exe/0/
  https://179.189.229.254/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/ - rule_id: 5030
  https://179.189.229.254/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/14/NAT%20status/client%20is%20behind%20NAT/0/ - rule_id: 5030
  https://179.189.229.254/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/VPl9TPtfLZnjvttj5LTTZzTF/ - rule_id: 5030
  https://181.129.167.82/rob129/TEST22-PC_W617601.F97E9F96FBBCAFF12D1BFF629355E03B/10/62/UCMKGRRKSBMWO/7/
Hosts (8):
  checkip.amazonaws.com(54.197.238.169)
  105.27.205.34 - mailcious
  128.201.76.252 - mailcious
  23.22.217.86
  179.189.229.254 - mailcious
  194.146.249.137 - mailcious
  181.129.167.82 - mailcious
  75.176.235.182
Signatures (3):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET POLICY curl User-Agent Outbound
Rule-matched URLs (6):
  https://105.27.205.34/rob129/
  https://179.189.229.254/rob129/
  https://179.189.229.254/rob129/
  https://179.189.229.254/rob129/
  https://179.189.229.254/rob129/
  https://179.189.229.254/rob129/
10.8 | M | 29 | ZeroCERT

12260 | 2021-09-09 21:10
detalhes_atualizacao.doc | a02cfacbf32e9ff66464de27faa58543 | VBA_macro Generic Malware Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process Windows ComputerName DNS Cryptographic key
Hosts (1):
10.0 | | 34 | ZeroCERT

12261 | 2021-09-09 21:15
CSD_AppLaunch.exe | 039c162d7fcd8640b337173e323f94d8 | RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
1.4 | | 4 | ZeroCERT

12262 | 2021-09-09 21:18
court.docx | 55998cb43459159a5ed4511f00ff3fc8 | VirusTotal Malware RWX flags setting
2.0 | | 29 | ZeroCERT

12263 | 2021-09-10 03:40
PolarisBiosEditor.exe | 450d54f0dfae9bf0d947142bd2043345 | Generic Malware PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself ComputerName
3.0 | | 34 | guest

12264 | 2021-09-10 09:01
ACH Payment advice.xls | 32c5a46b56efa1bf2f1725e010a2fc60 | AgentTesla browser info stealer Generic Malware VBA_macro Google Chrome User Data Antivirus Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection ScreenShot Downloader AntiDebug AntiVM MSOffice File VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS keylogger
URLs (2):
  http://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg - rule_id: 5053
  http://dreamwatchevent.com/.well-known/pki-validation/Protected%20Client.js
Hosts (6):
  google.com(172.217.175.238)
  dreamwatchevent.com(144.208.125.220) - malware
  freightmgmt.duckdns.org(194.5.98.207) - mailcious
  142.250.207.78
  144.208.125.220 - malware
  194.5.98.207 - mailcious
Signatures (3):
  ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
  ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Rule-matched URLs (1):
  http://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg
19.0 | M | 16 | ZeroCERT

12265 | 2021-09-10 09:04
0909_2427575404904.doc | 167b1314b18f45b5bb79bcc6f975a822 | Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName
URLs (2):
  http://calloyean.ru/8/forum.php
  http://api.ipify.org/
Hosts (4):
  calloyean.ru(185.49.68.111)
  api.ipify.org(54.243.51.135)
  50.16.244.183
  185.49.68.111 - mailcious
Signatures (1):
  ET POLICY External IP Lookup api.ipify.org
7.8 | | | guest

12266 | 2021-09-10 09:10
0909_3451428758904.doc | 3ee23248727895122d5f3d43fb3b3813 | Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
  http://calloyean.ru/8/forum.php
  http://api.ipify.org/
Hosts (4):
  calloyean.ru(185.49.68.111)
  api.ipify.org(50.16.244.183)
  50.17.229.70
  185.49.68.111 - mailcious
Signatures (1):
  ET POLICY External IP Lookup api.ipify.org
7.4 | | | guest

12267 | 2021-09-10 09:14
falsh%20update!.exe | 8562340b6ba907f77a6beb7b3a297fd5 | Gen2 Malicious Library PE File PE64 OS Processor Check VirusTotal Malware Check memory Checks debugger Remote Code Execution DNS
Hosts (1):
4.0 | M | 8 | ZeroCERT

12268 | 2021-09-10 09:14
InterviewScheduler.exe | ee8c3bbddd0f11aed64ca4d3ae167da8 | Generic Malware Malicious Packer UPX Malicious Library PE File PE64 VirusTotal Malware crashed
2.0 | M | 10 | ZeroCERT

12269 | 2021-09-10 09:16
Pluton.exe | b147f58ffee25ee8ef9cdae4198fed71 | UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.6 | M | 52 | ZeroCERT

12270 | 2021-09-10 09:17
Mars.exe | 0c9ccbdb84f67bdedec3e9bfd0809cf1 | RAT Generic Malware Malicious Packer Antivirus PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process sandbox evasion WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://discord.com/api/webhooks/879386891068256349/bvEK4gAVFnRBb9sg3YV7yiiYRziQj7jLUdVKqAImI0PeKJ90iPJWMn4wivvwSYJ0o9WN
  https://httpbin.org/ip
Hosts (4):
  httpbin.org(3.209.149.47)
  discord.com(162.159.135.232) - mailcious
  162.159.128.233
  3.209.207.48
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | M | 41 | ZeroCERT
