12391 | 2021-09-14 15:56
conhost.exe 86ec1c19a29d25b109102faa921c7796 UPX PE64 PE File VirusTotal Open Directory Cryptocurrency Miner Malware Cryptocurrency Malicious Traffic Check memory Checks debugger Creates executable files sandbox evasion Windows Exploit Browser ComputerName Firmware DNS
2 | http://154.91.1.118/java.exe - rule_id: 5127 http://154.91.1.118/WinRing0x64.sys
3 | xmr.f2pool.com(203.107.32.162) - mailcious 154.91.1.118 - malware 203.107.32.162 - mailcious
7 | ET POLICY Cryptocurrency Miner Checkin ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
1 | http://154.91.1.118/java.exe
7.0 | M | 36 | Kim.GS

12392 | 2021-09-14 16:01
nok.exe 5930b25610cc3ebdc2543cf8a1bf1906 Generic Malware UPX PE64 PE File MSOffice File VirusTotal Malware Check memory Creates executable files sandbox evasion
3.2 | | 9 | Kim.GS

12393 | 2021-09-14 16:16
Windows_Update_004.exe 9fac6c17290657d895651d3aa3407f9c RAT PWS .NET framework Generic Malware PE File .NET EXE PE32 JPEG Format VirusTotal Malware PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName
3 | http://wondershares.xyz/guid.php http://wondershares.xyz/ups.php?mid=1 http://wondershares.xyz/w_update.php?mid=1
2 | wondershares.xyz(74.208.236.24) - malware 74.208.236.24 - malware
7.8 | M | 34 | ZeroCERT

12394 | 2021-09-14 16:17
Sponsing.exe 26ec7418203795762f728e143977d350 RAT Generic Malware Malicious Packer Antivirus AntiDebug AntiVM PE File .NET EXE PE32 PE64 Browser Info Stealer VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process suspicious TLD WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
2 | http://a0575239.xsph.ru/133722.exe https://api.ip.sb/geoip
5 | a0575239.xsph.ru(141.8.194.74) api.ip.sb(104.26.13.31) 141.8.194.74 - malware 172.67.75.172 - mailcious 51.254.69.209 - mailcious
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
16.0 | M | 35 | ZeroCERT

12395 | 2021-09-14 16:36
Profit and Loss Statement.xlsx... 1b025ec7e56c329c94a05c819a9dfaff Generic Malware DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting suspicious process malicious URLs Tofsee Interception
1 | https://share.bloomcloud.org/Yt3f4GLL1WXn/cldQqmNYKwflyCJavhZIvktwMcZyHo=
2 | share.bloomcloud.org(139.180.164.131) - mailcious 139.180.164.131 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | | 20 | ZeroCERT

12396 | 2021-09-14 16:44
133722.exe 3cc4c60a4749cff024eddf4d880b261a RAT Generic Malware Antivirus Malicious Packer PE64 PE File VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
7.4 | | 49 | ZeroCERT

12397 | 2021-09-14 17:26
document.docx 3c64e8a4bfdce7c4f19a441d13413acb Word 2007 file format(docx) VirusTotal Malware
1.6 | | 22 | Kim.GS

12398 | 2021-09-14 17:44
document.docx 3c64e8a4bfdce7c4f19a441d13413acb Word 2007 file format(docx) VirusTotal Malware MachineGuid Malicious Traffic Check memory RWX flags setting unpack itself GameoverP2P Zeus ComputerName Trojan Banking DNS
2 | http://104.254.245.82/word.html http://104.254.245.82/
1 |
6.2 | | 22 | ZeroCERT

12399 | 2021-09-14 17:49
document.docx 3c64e8a4bfdce7c4f19a441d13413acb Word 2007 file format(docx) VirusTotal Malware MachineGuid Malicious Traffic Check memory RWX flags setting unpack itself GameoverP2P Zeus ComputerName Trojan Banking DNS
3 | http://104.254.245.82/word.html - rule_id: 5184 http://104.254.245.82/word.html http://104.254.245.82/
1 |
1 | http://104.254.245.82/word.html
6.2 | | 22 | Kim.GS

12400 | 2021-09-14 17:53
side.html f36f4411138ce9327eb375343af7ba0f AntiDebug AntiVM PNG Format MSOffice File JPEG Format Malware download Malware Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Windows Update Exploit DNS crashed Downloader
2 | http://104.254.245.82/nok.exe - rule_id: 5183 http://104.254.245.82/nok.exe
1 |
6 | ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Unknown - Loader - Check .exe Updated
1 | http://104.254.245.82/nok.exe
4.6 | | | ZeroCERT

12401 | 2021-09-14 17:54
nok.exe 5930b25610cc3ebdc2543cf8a1bf1906 Generic Malware UPX PE64 PE File MSOffice File VirusTotal Malware Check memory Creates executable files sandbox evasion
4.2 | | 9 | ZeroCERT

12402 | 2021-09-15 07:45
proliv14.exe 2ff990b7213b944c586a7ae2ce8dcbfc Themida Packer PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed
1 |
3 | api.ip.sb(172.67.75.172) 104.26.13.31 144.76.183.53 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | | 14 | ZeroCERT

12403 | 2021-09-15 07:47
new.exe 39e8ee4f0ed001776b1447a764d40c9c Generic Malware Themida Packer Malicious Library PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
1 |
4 | api.ip.sb(172.67.75.172) 46.8.153.118 - mailcious 144.76.183.53 - mailcious 104.26.13.31
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | M | 28 | ZeroCERT

12404 | 2021-09-15 07:51
proliv14go.exe dbb53aec87a062a9b0729c8aa9acd449 Emotet Gen2 Generic Malware Themida Packer Malicious Packer Malicious Library PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
1 |
3 | api.ip.sb(172.67.75.172) 104.26.13.31 144.76.183.53 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | | 31 | ZeroCERT

12405 | 2021-09-15 07:53
rxoes.exe 4bebe52555714d9eddd2203ba86e685e Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
1.8 | | 23 | ZeroCERT
