Listing reconstructed from a flattened sandbox results table; the field labels are editor-supplied because the source drops its column headings. "VT detections" is the unlabelled count that appears only on entries tagged VirusTotal; "Flag" is the unlabelled single-letter column (M) whose meaning the source does not state; "Submitter" is the trailing user name on each entry. Host entries keep the source notation name(resolved IP) - reputation, where name() means the lookup did not resolve.

12811 | 2021-09-25 17:06 | Submitter: guest
  File:  chart-1352070144.xls
  MD5:   9531c29f3fa2b245c4e107a528ad3da5
  Tags:  MSOffice File; RWX flags setting; unpack itself; suspicious process; Tofsee
  URLs (3):
    https://finejewels.com.au/w3wU4YqfP/say.html
    https://new.americold.com/4Tn6Vu2ML/say.html
    https://thietbiagt.com/1OLxyr4H/say.html
  Hosts (5):
    thietbiagt.com(210.245.90.247) - malicious
    finejewels.com.au(192.124.249.84) - malicious
    new.americold.com() - malicious
    210.245.90.247 - phishing
    192.124.249.84 - malicious
  Alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
    ET INFO TLS Handshake Failure
  Score: 3.6

12812 | 2021-09-25 17:08 | Submitter: r0d
  File:  file8.exe
  MD5:   3146709a424c7546aa78d89159618da8
  Tags:  Malicious Packer; Malicious Library; PE File; PE32; VirusTotal; Malware; ICMP traffic; unpack itself; Tofsee; DNS; crashed
  Hosts (2):
    mas.to(88.99.75.82)
    88.99.75.82
  Alerts (3):
    ET DNS Query for .to TLD
    ET INFO TLS Handshake Failure
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 2.4
  Flag:  M
  VT detections: 31

12813 | 2021-09-25 17:09 | Submitter: guest
  File:  chart-1351856767.xls
  MD5:   e20d23985ac0123cbe9085ae1bd8f401
  Tags:  MSOffice File; RWX flags setting; unpack itself; suspicious process; Tofsee
  URLs (3):
    https://finejewels.com.au/w3wU4YqfP/say.html
    https://new.americold.com/4Tn6Vu2ML/say.html
    https://thietbiagt.com/1OLxyr4H/say.html
  Hosts (5):
    thietbiagt.com(210.245.90.247) - malicious
    finejewels.com.au(192.124.249.84) - malicious
    new.americold.com() - malicious
    210.245.90.247 - phishing
    192.124.249.84 - malicious
  Alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
    ET INFO TLS Handshake Failure
  Score: 3.6

12814 | 2021-09-25 17:20 | Submitter: ZeroCERT
  File:  Original-BL Copy.exe
  MD5:   a8db095259794e9185b05c111cfad9a1
  Tags:  Generic Malware; SMTP; KeyLogger; AntiDebug; AntiVM; PE File; .NET EXE; PE32; VirusTotal; Malware; suspicious privilege; Code Injection; Check memory; Checks debugger; buffers extracted; unpack itself; Windows utilities; suspicious process; WriteConsoleW; Windows; ComputerName
  Score: 8.8
  VT detections: 22

12815 | 2021-09-25 17:21 | Submitter: ZeroCERT
  File:  липень.docx
  MD5:   6d956049dbaadc19543a565d303e26a5
  Tags:  Word 2007 file format(docx); VirusTotal; Malware; MachineGuid; Check memory; RWX flags setting; unpack itself; suspicious TLD; GameoverP2P; Zeus; ComputerName; Trojan; Banking
  Hosts (2):
    classroom.dangeti.ru(194.67.87.218) - malicious
    194.67.87.218
  Score: 6.2
  VT detections: 21

12816 | 2021-09-25 17:22 | Submitter: ZeroCERT
  File:  RFQQ.ppt
  MD5:   a3b289f75249284dc08633c2d766c682
  Tags:  VBA_macro; Generic Malware; MSOffice File; VirusTotal; Malware
  URLs (1):
    http://www.bitly.com/hyuiqohwkjbsk
  Hosts (1):
    www.bitly.com(67.199.248.14)
  Score: 0.6
  VT detections: 18

12817 | 2021-09-25 17:23 | Submitter: ZeroCERT
  File:  Nakul Kumar.doc
  MD5:   7c6ff96ddaf3bf3bf824ba6e625a9d21
  Tags:  VBA_macro; Generic Malware; MSOffice File; VirusTotal; Malware; heapspray; RWX flags setting; unpack itself
  Hosts (2):
    tasnimnewstehran.club(185.161.208.57) - malicious
    185.161.208.57 - malicious
  Score: 4.0
  VT detections: 22

12818 | 2021-09-25 17:33 | Submitter: ZeroCERT
  File:  calib123123.html
  MD5:   a77b068a60e6c4c11005bb676043d3a0
  Tags:  Antivirus; AntiDebug; AntiVM; MSOffice File; PNG Format; Code Injection; Creates executable files; RWX flags setting; exploit crash; unpack itself; Windows utilities; Tofsee; Windows; Exploit; DNS; crashed
  URLs (32):
    https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
    https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
    https://www.google.com/css/maia.css
    https://fonts.googleapis.com/css?family=Open+Sans:300
    https://www.google-analytics.com/analytics.js
    https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=200b0911-0882-4deb-8fde-8f99f2f1f0cf
    https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ryugjggvbmmmaachoodduga.blogspot.com/p/calib123123.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ryugjggvbmmmaachoodduga.blogspot.com/p/calib123123.html%26type%3Dblog%26bpli%3D1&go=true
    https://www.blogger.com/img/share_buttons_20_3.png
    https://resources.blogblog.com/img/anon36.png
    https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
    https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu4mxM.woff
    https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css
    https://resources.blogblog.com/img/blank.gif
    https://www.blogger.com/static/v1/jsbin/186635561-comment_from_post_iframe.js
    https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=7301963801132102092&blogspotRpcToken=5387502&bpli=1
    https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
    https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
    https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
    https://fonts.gstatic.com/s/opensans/v26/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4gaVQ.woff
    https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D7301963801132102092%26blogspotRpcToken%3D5387502%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D7301963801132102092%26blogspotRpcToken%3D5387502%26bpli%3D1&go=true
    https://www.blogger.com/static/v1/jsbin/3528351275-cmt__en_gb.js
    https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
    https://www.blogger.com/img/blogger-logotype-color-black-1x.png
    https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
    https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fryugjggvbmmmaachoodduga.blogspot.com%2Fp%2Fcalib123123.html&type=blog&bpli=1
    https://www.google.com/js/bg/YID3nKnqqNXN2uhbEUmuJ-MdQHG2wvkENi-EiWi2IJI.js
    https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfBBc-.woff
    https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=YID3nKnqqNXN2uhbEUmuJ-MdQHG2wvkENi-EiWi2IJI
    https://www.blogger.com/blogin.g?blogspotURL=https://ryugjggvbmmmaachoodduga.blogspot.com/p/calib123123.html&type=blog
    https://resources.blogblog.com/img/icon18_edit_allbkg.gif
    https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=7301963801132102092&blogspotRpcToken=5387502
    https://www.blogger.com/static/v1/widgets/1527282520-widgets.js
  Hosts (15):
    resources.blogblog.com(172.217.161.41)
    www.google.com(172.217.175.100)
    www.gstatic.com(172.217.24.131)
    fonts.googleapis.com(172.217.175.42)
    accounts.google.com(172.217.25.237)
    www.google-analytics.com(172.217.25.110)
    fonts.gstatic.com(216.58.220.131)
    www.blogger.com(172.217.161.41)
    172.217.24.67
    142.250.207.68
    142.250.66.74
    142.250.199.78
    172.217.31.237
    142.250.66.41
    142.250.199.67
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 4.2

12819 | 2021-09-25 17:36 | Submitter: ZeroCERT
  File:  dd.exe
  MD5:   745e57d1e9ef58647a60e3d341589d0f
  Tags:  RAT; Generic Malware; Antivirus; Malicious Packer; DGA; DNS; Socket; Create Service; Sniff Audio; Escalate privileges; KeyLogger; Code injection; HTTP; Internet API; FTP; ScreenShot; Http API; Steal credential; Downloader; P2P; AntiDebug; AntiVM; PE File; PE32; PE64; VirusTotal; Malware; powershell; AutoRuns; suspicious privilege; MachineGuid; Code Injection; Check memory; Checks debugger; Creates shortcut; Creates executable files; unpack itself; Windows utilities; powershell.exe wrote; suspicious process; WriteConsoleW; Windows; ComputerName; Cryptographic key
  Score: 8.0
  Flag:  M
  VT detections: 37

12820 | 2021-09-26 09:02 | Submitter: ZeroCERT
  File:  03e509b6063c398b29d279772b5da6... (name truncated in the source)
  MD5:   7cdd71abb518c66b689a1941c4fea102
  Tags:  VBA_macro; Generic Malware; Antivirus; MSOffice File; powershell; suspicious privilege; Check memory; Checks debugger; Creates shortcut; unpack itself; powershell.exe wrote; Check virtual network interfaces; suspicious process; WriteConsoleW; Windows; ComputerName; Cryptographic key
  Hosts (1):
    comanylimiteddocume.com()
  Score: 4.8

12821 | 2021-09-26 09:05 | Submitter: ZeroCERT
  File:  ConsoleApp19.exe
  MD5:   41d54244280dd5a221565c203f459f5d
  Tags:  AgentTesla; NPKI; browser info stealer; Generic Malware; Google Chrome User Data; Antivirus; Socket; Create Service; Sniff Audio; Escalate privileges; KeyLogger; Code injection; Downloader; AntiDebug; AntiVM; PE File; .NET EXE; PE32; VirusTotal; Malware; powershell; AutoRuns; suspicious privilege; Code Injection; Check memory; Checks debugger; buffers extracted; Creates shortcut; unpack itself; powershell.exe wrote; suspicious process; WriteConsoleW; Windows; ComputerName; DNS; Cryptographic key; DDNS; crashed; keylogger
  Hosts (2):
    upstand.duckdns.org(194.5.97.83)
    194.5.97.83
  Alerts (1):
    ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  Score: 13.2
  VT detections: 36

12822 | 2021-09-26 09:08 | Submitter: ZeroCERT
  File:  Love lettre.vbs
  MD5:   8d7e6344c4df391b4c3899b5063f53b9
  Tags:  ComputerName
  Score: 0.2

12823 | 2021-09-27 08:03 | Submitter: ZeroCERT
  File:  1337.exe
  MD5:   b1f7f880924a93222a01cf3bc0a9ed83
  Tags:  PWS; .NET framework; Generic Malware; Antivirus; AntiDebug; AntiVM; PE File; .NET EXE; PE32; VirusTotal; Malware; powershell; suspicious privilege; Code Injection; Check memory; Checks debugger; buffers extracted; Creates shortcut; unpack itself; Windows utilities; powershell.exe wrote; suspicious process; WriteConsoleW; Windows; ComputerName; Cryptographic key
  Score: 10.2
  VT detections: 20

12824 | 2021-09-27 08:03 | Submitter: ZeroCERT
  File:  13123.exe
  MD5:   8da26029b1c8475f9ff8ecc59efc6d07
  Tags:  RAT; PWS; .NET framework; Generic Malware; PE File; OS Processor Check; .NET EXE; PE32; Browser Info Stealer; VirusTotal; Malware; suspicious privilege; Malicious Traffic; Check memory; Checks debugger; buffers extracted; unpack itself; Collect installed applications; Check virtual network interfaces; installed browsers check; Tofsee; Windows; Browser; ComputerName; DNS; Cryptographic key; crashed
  URLs (1): not listed in the source
  Hosts (3):
    api.ip.sb(104.26.12.31)
    172.67.75.172 - malicious
    94.250.250.77
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 7.2
  VT detections: 35

12825 | 2021-09-27 08:06 | Submitter: ZeroCERT
  File:  build1.exe
  MD5:   3b0601423f1fb5ca121b524c6273f7d1
  Tags:  RAT; PWS; .NET framework; Generic Malware; PE File; OS Processor Check; .NET EXE; PE32; Browser Info Stealer; FTP Client Info Stealer; VirusTotal; Malware; suspicious privilege; Malicious Traffic; Check memory; Checks debugger; buffers extracted; unpack itself; Collect installed applications; Check virtual network interfaces; installed browsers check; Tofsee; Windows; Browser; ComputerName; DNS; Cryptographic key; Software; crashed
  URLs (1): not listed in the source
  Hosts (3):
    api.ip.sb(104.26.12.31)
    45.156.21.209
    104.26.12.31
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 8.0
  VT detections: 43
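The host and alert fields are what an analyst actually pulls out of a listing like this. The following is an added example (editor's code, not part of the sandbox listing or of the sandbox's own tooling) that parses the host notation the listing uses, name(resolved IP) - reputation with name() for a lookup that did not resolve, builds a defanged IOC set with the reputation and entry ids attached, and groups entries by Suricata alert so you can see which hosts co-occur with, for instance, the SSLBL Tofsee JA3 alert. The four sample records are transcribed from entries above; the function names and the output line format are editor choices, and the reputation suffix is attached to the token it follows (the listing carries IP reputations as their own tokens).

```python
import re
from collections import defaultdict

# Constructed sample: four entries transcribed from the listing above as
# (entry id, MD5, host field, alert names). The other columns are omitted.
SAMPLE = [
    ("12811", "9531c29f3fa2b245c4e107a528ad3da5",
     "thietbiagt.com(210.245.90.247) - malicious "
     "finejewels.com.au(192.124.249.84) - malicious "
     "new.americold.com() - malicious "
     "210.245.90.247 - phishing 192.124.249.84 - malicious",
     ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
      "ET INFO TLS Handshake Failure"]),
    ("12812", "3146709a424c7546aa78d89159618da8",
     "mas.to(88.99.75.82) 88.99.75.82",
     ["ET DNS Query for .to TLD",
      "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]),
    ("12821", "41d54244280dd5a221565c203f459f5d",
     "upstand.duckdns.org(194.5.97.83) 194.5.97.83",
     ["ET INFO DYNAMIC_DNS Query to *.duckdns. Domain"]),
    ("12824", "8da26029b1c8475f9ff8ecc59efc6d07",
     "api.ip.sb(104.26.12.31) 172.67.75.172 - malicious 94.250.250.77",
     ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]),
]

# One host token: name, optional "(resolved ip)", optional " - reputation".
HOST_RE = re.compile(r"(?P<name>[^\s()]+)(?:\((?P<ip>[^)]*)\))?(?:\s-\s(?P<rep>\w+))?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hosts(field):
    """Split a host field into (name, resolved_ip_or_None, reputation_or_None)."""
    hosts = []
    for m in HOST_RE.finditer(field):
        hosts.append((m.group("name"), m.group("ip") or None, m.group("rep")))
    return hosts


def defang(value):
    """Make a domain or IP safe to paste into tickets and chat."""
    return value.replace(".", "[.]")


def build_iocs(records):
    """Aggregate unique domains/IPs with their reputations and the entries they came from."""
    iocs = {}
    for entry_id, _md5, host_field, _alerts in records:
        for name, ip, rep in parse_hosts(host_field):
            for value in (name, ip):
                if not value:
                    continue
                kind = "ip" if IPV4_RE.match(value) else "domain"
                item = iocs.setdefault(value, {"type": kind, "reputation": set(), "entries": set()})
                item["entries"].add(entry_id)
                # The reputation suffix belongs to the token it follows, not to the
                # IP in parentheses; the listing gives IP reputations as separate tokens.
                if rep and value == name:
                    item["reputation"].add(rep)
    return iocs


def unresolved_domains(records):
    """Domains the sandbox queried but could not resolve, written as name() in the listing."""
    found = set()
    for _id, _md5, host_field, _alerts in records:
        for name, ip, _rep in parse_hosts(host_field):
            if ip is None and not IPV4_RE.match(name):
                found.add(name)
    return sorted(found)


def entries_by_alert(records):
    """Map each Suricata alert name to the sorted ids of the entries that raised it."""
    by_alert = defaultdict(set)
    for entry_id, _md5, _hosts, alerts in records:
        for alert in alerts:
            by_alert[alert].add(entry_id)
    return {alert: sorted(ids) for alert, ids in by_alert.items()}


def hosts_for_alert(records, alert):
    """Host names that co-occur with an alert, to judge whether the alert tracks the C2 or not."""
    names = set()
    for _id, _md5, host_field, alerts in records:
        if alert in alerts:
            names.update(name for name, _ip, _rep in parse_hosts(host_field))
    return sorted(names)


def ioc_lines(records):
    """Defanged, sorted IOC lines: type, value, reputations ('-' if none), entry ids."""
    lines = []
    for value, item in sorted(build_iocs(records).items()):
        rep = ",".join(sorted(item["reputation"])) or "-"
        lines.append(f'{item["type"]} {defang(value)} {rep} {",".join(sorted(item["entries"]))}')
    return lines


if __name__ == "__main__":
    for line in ioc_lines(SAMPLE):
        print(line)
    ja3 = "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"
    print("Tofsee JA3 alert co-occurs with:", hosts_for_alert(SAMPLE, ja3))
```

Running it on the sample lists every domain and IP once, defanged, with the reputation the listing gave it; `unresolved_domains` surfaces `new.americold.com`, which the sandbox flagged without ever resolving, and `hosts_for_alert` shows that the Tofsee JA3 alert fires on three different entries whose contacted hosts have nothing in common, which is the kind of check to make before treating that alert as a C2 indicator on its own.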