12346 |
2021-09-13 09:03
|
soft.exe 2a6e41a9ee4f93036a0a2d614510c6ff Gen1 Gen2 Malicious Library Malicious Packer ASPack UPX PE File PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted Creates executable files Windows utilities Collect installed applications suspicious process AppData folder installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS |
4
http://5.181.156.77//l/f/S4ty3HsB3dP17SpztiCF/05464af9e92727debe47772767b166c2c2f9e61c - rule_id: 5071 http://5.181.156.77//l/f/S4ty3HsB3dP17SpztiCF/71338ba4b086d102b5d8093083a97f3e57fb0994 - rule_id: 5071 http://5.181.156.77/ - rule_id: 5071 https://tttttt.me/h_biggsize_1
|
3
tttttt.me(95.216.186.40) - mailcious 95.216.186.40 - mailcious 5.181.156.77 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
3
http://5.181.156.77/ http://5.181.156.77/ http://5.181.156.77/
|
8.6 |
M |
24 |
ZeroCERT
12347 |
2021-09-13 09:07
|
CurrencyCalculatorInstaller.ex... c5cb4a9e57a7d9a0ef934bada91aa881 RAT PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key |
2
https://api.coinbase.com/v2/currencies https://api.pro.coinbase.com/currencies
|
4
api.pro.coinbase.com(104.18.14.237) api.coinbase.com(104.18.7.10) 104.18.15.237 104.18.7.10
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
3 |
ZeroCERT
12348 |
2021-09-13 09:16
|
SmartPDF.exe 9774cdf92008b796b09b39ee32e48821 NPKI Generic Malware DNS Socket Create Service BitCoin Escalate priviledges KeyLogger Code injection ScreenShot AntiDebug AntiVM PE64 PE File VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Auto service Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName Firmware DNS CoinMiner |
|
6
raw.githubusercontent.com(185.199.110.133) - malware pastebin.com(104.23.98.190) - mailcious xmr-asia1.nanopool.org(139.99.102.73) - mailcious 139.99.102.74 104.23.99.190 - mailcious 185.199.109.133 - mailcious
|
3
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) ET POLICY Cryptocurrency Miner Checkin SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
|
15.0 |
|
35 |
ZeroCERT
12349 |
2021-09-13 09:27
|
java.exe eda88d322065a9b364e4be013bb849f4 PE64 PE File VirusTotal Cryptocurrency Miner Malware Cryptocurrency Check memory Checks debugger ComputerName Firmware |
|
2
xmr.f2pool.com(203.107.32.162) - mailcious 203.107.32.162 - mailcious
|
1
ET POLICY Cryptocurrency Miner Checkin
|
|
3.2 |
|
22 |
ZeroCERT
12350 |
2021-09-13 09:32
|
task.exe 5120630343cdfdc8698f7ce9d9991894 PE64 PE File VirusTotal Open Directory Cryptocurrency Miner Malware Cryptocurrency AutoRuns Malicious Traffic Checks debugger Creates executable files Auto service Windows Exploit Remote Code Execution DNS |
2
http://154.91.1.118/java.exe - rule_id: 5127 http://154.91.1.118/WinRing0x64.sys
|
3
xmr.f2pool.com(203.107.32.162) - mailcious 154.91.1.118 - malware 203.107.32.162 - mailcious
|
7
ET POLICY Cryptocurrency Miner Checkin ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
|
1
http://154.91.1.118/java.exe
|
5.2 |
M |
14 |
ZeroCERT
12351 |
2021-09-13 09:42
|
raccon.exe e45bef85aabecedb6ba2e4b0aaf7be90 Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
1.8 |
M |
26 |
ZeroCERT
12352 |
2021-09-13 14:37
|
admin.php dcbcd8c4fcdd17079caa96f80be4dd04 PE File OS Processor Check DLL PE32 VirusTotal Malware PDB |
|
|
|
|
0.6 |
|
2 |
guest
12353 |
2021-09-13 16:45
|
obizx.exe ab134b69986e53349affb1cf8cf863c1 RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
|
|
|
|
8.8 |
|
21 |
Kim.GS
12354 |
2021-09-13 17:37
|
task.exe 5120630343cdfdc8698f7ce9d9991894 UPX PE64 PE File VirusTotal Open Directory Malware AutoRuns Malicious Traffic Checks debugger Creates executable files Auto service Windows Exploit Remote Code Execution DNS |
2
http://154.91.1.118/java.exe - rule_id: 5127 http://154.91.1.118/WinRing0x64.sys
|
1
|
6
ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
|
1
http://154.91.1.118/java.exe
|
5.4 |
M |
24 |
r0d
12355 |
2021-09-13 18:02
|
Inv_INV410599.jar 2a3426e77f270bf7d46e1f3599541271 Gen2 Gen1 NPKI Formbook Generic Malware Malicious Library Malicious Packer UPX Admin Tool (Sysinternals etc ...) ASPack PE File OS Processor Check DLL PE32 Malware download Adwind VirusTotal Malware AutoRuns Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder Windows Java ComputerName DNS crashed |
|
1
|
1
ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)
|
|
8.4 |
M |
21 |
ZeroCERT
12356 |
2021-09-13 18:17
|
Stub.exe 3c4359296c65223a5b7acfc76e1f4ecd RAT Generic Malware Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 OS Processor Check .NET E VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows ComputerName DNS |
1
http://62.109.1.30/triggers/vm_.php?IKJqpgOhe1yQhF6FuKf8qX6kg3Tm7=z7&IE=4VZ5NRqL9s1riviBamOvNiJwNmjeB1&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=QNkZTNzcDOwMWM5QGM4YzMyQmY2MGZmV2MmdDOjN2MiF2M5gDM2MGO&IKJqpgOhe1yQhF6FuKf8qX6kg3Tm7=z7&IE=4VZ5NRqL9s1riviBamOvNiJwNmjeB1 - rule_id: 3585
|
3
ipinfo.io(34.117.59.81) 62.109.1.30 - mailcious 34.117.59.81
|
3
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
1
http://62.109.1.30/triggers/vm_.php
|
11.0 |
M |
37 |
ZeroCERT
12357 |
2021-09-13 18:20
|
Quotation.exe 4b070580f22304cb805dd7ad83cf4152 RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
5
freegeoip.app(104.21.19.200) checkip.dyndns.org(193.122.6.168) 216.146.43.70 - suspicious 62.109.1.30 - mailcious 104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.2 |
|
27 |
ZeroCERT
12358 |
2021-09-13 18:33
|
.---------------..------------... a5fedf6b6cb4f47640a5f2d8e36d09e7 RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Tofsee Windows Exploit Advertising Google DNS crashed Downloader |
4
http://136.243.159.53/~element/page.php?id=429 http://23.95.85.181/http/vbc.exe https://doc-00-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/44otpfku4m84nv2baa4uts53scs88sf5/1631525475000/14552286414405439806/*/1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_?e=download https://drive.google.com/uc?export=download&id=1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_
|
6
doc-00-1c-docs.googleusercontent.com(142.250.196.97) drive.google.com(142.250.199.110) - mailcious 172.217.25.238 - mailcious 136.243.159.53 23.95.85.181 172.217.161.161 - suspicious
|
13
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
|
|
5.6 |
|
29 |
ZeroCERT
12359 |
2021-09-13 18:41
|
vbc.exe 6ce7cc1f376f6bd9d090eaf04ef72dfe UPX PE File PE32 Check memory RWX flags setting unpack itself anti-virtualization Remote Code Execution |
|
|
|
|
2.2 |
|
|
ZeroCERT
12360 |
2021-09-14 07:35
|
vbc.exe 9ac371a30cbd9fec68c18a1b2405d69b PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software crashed |
3
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://checkvim.com/fd4/fre.php
|
2
checkvim.com(164.132.216.38) - mailcious 164.132.216.38
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
|
|
13.2 |
|
26 |
ZeroCERT