ID | Time | File | MD5 | Tags | URLs | Hosts | Alerts | Score | Flag | Count | Source
12931 | 2021-09-29 10:59 | Document-753GF01.msi | 2d6ba1a2c184dccac37e3c8b10083989 | Gen2 Malicious Packer Malicious Library OS Processor Check MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName | | | | 2.6 | | 22 | ZeroCERT
12932 | 2021-09-29 11:03 | PURCHASE ORDER EXPORTO52022 IM... | b5697d67ea7945e6944061d076eeecc3 | Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS | | james12.ddns.net(91.193.75.132) - phishing; 91.193.75.132 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | 13.6 | | | ZeroCERT
12933 | 2021-09-29 11:03 | PROFORMA INVOICE EXPORTO52022 ... | 65691a95adce3b875c496e077d5f7aa5 | Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS | | futurist11.ddns.net(194.5.98.46); 37.235.1.177 - malicious; 37.235.1.174 - malicious; 194.5.98.46 - malicious | ET POLICY DNS Query to DynDNS Domain *.ddns .net | 15.4 | | | ZeroCERT
12934 | 2021-09-29 11:08 | PURCHASE ORDER EXPORTO52022 IM... | b5697d67ea7945e6944061d076eeecc3 | Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS | | james12.ddns.net(91.193.75.132) - phishing; 91.193.75.132 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | 15.2 | | | ZeroCERT
12935 | 2021-09-29 11:09 | PURCHASE ORDER, PRICE AND AVAI... | 5599a3b68f359dc757f72b493d1a3fdd | RAT PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process WriteConsoleW VMware anti-virtualization human activity check Windows ComputerName DNS Cryptographic key DDNS Software | | sonspices.ddns.net(197.210.84.17); 37.235.1.177 - malicious; 37.235.1.174 - malicious; 197.210.84.17 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | 17.6 | | | ZeroCERT
12936 | 2021-09-29 11:15 | Quotation pdf.exe | 1ffd399d86c04f2ca7eb2d9b8f95388f | RAT PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS | | norly519.ddns.net(185.244.30.198); 37.235.1.177 - malicious; 37.235.1.174 - malicious; 185.244.30.198 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | 14.8 | | | ZeroCERT
12937 | 2021-09-29 11:15 | Revised & Final Document for S... | 54b442adb39e17c3fb224136bdc3e1b3 | RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS | | hdstlindos.duckdns.org(185.140.53.158) - malicious; 185.140.53.158 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET MALWARE Possible NanoCore C2 60B | 13.0 | | 8 | ZeroCERT
12938 | 2021-09-29 11:20 | SWIFT PAYMENT-KAZAZI FARM SHPK... | d641710cc3d6ddb2d3e70a68c0f53c61 | RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS | | whizzle321.ddns.net(79.134.225.74); whizzle456.duckdns.org(79.134.225.74); 79.134.225.74 - malicious | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET POLICY DNS Query to DynDNS Domain *.ddns .net | 15.6 | | 31 | ZeroCERT
12939 | 2021-09-29 11:22 | Shipping Documents-BL#SE201000... | 8993ca9025df7cdfee64edc454377def | UPX PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Check memory Checks debugger buffers extracted RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW anti-virtualization Tofsee Windows ComputerName DNS DDNS | https://onedrive.live.com/download?cid=6BC744122027ACE8&resid=6BC744122027ACE8%21137&authkey=AHDc8B9P60uuA9c; https://7tgopa.am.files.1drv.com/y4mckn5MC3Qv-gVPVwFjos5tnqZQsy01f4ydquxfI_0P50St21A-sQTMObg1CL6lJZjE_lMc9Z9Ri15T28oKLIAo5_-35MWYEf-PuEl-SOXDH2MMxIbmE-fYjO37ArBfJT3n8GTS0IgVQ7ex0gTMVPcmk7D7BAckrNRkQ4SyrbBJthYXSeb8nQyfuiITS4ewOMyMYsvH7HaLu7Xvbbbg6Gtnw/LIGHT.bin?download&psid=1 | darkeye.hopto.org(160.152.6.54); 7tgopa.am.files.1drv.com(13.107.42.12); onedrive.live.com(13.107.42.13) - malicious; 13.107.42.13 - malicious; 13.107.42.12 - malware; 160.152.6.54 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY DNS Query to DynDNS Domain *.hopto .org | 8.0 | | 42 | ZeroCERT
12940 | 2021-09-29 11:30 | TT SWIFT.exe | 46855d8af16f8ae6251cc0e2a65dcfdd | RAT PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS | | blackb.duckdns.org(197.210.79.57); 197.210.79.57 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | 15.0 | | 25 | ZeroCERT
12941 | 2021-09-29 11:30 | TT USD 32000.exe | 43f300620443cf156513fcfef7218561 | PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS | | blackb.duckdns.org(197.210.79.57); 197.210.79.57 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | 15.4 | | 22 | ZeroCERT
12942 | 2021-09-29 11:35 | VSB_093876535367-0398765345637... | c4d393054bc0954eedc9f72d5edc1b0e | PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS | | 3232st.ddns.net(185.140.53.9); 185.140.53.9 - malicious | ET POLICY DNS Query to DynDNS Domain *.ddns .net | 16.8 | | 23 | ZeroCERT
12943 |
2021-09-29 11:35
|
daiparl.exe d0efa396aec4477851bb35136c716732 Gen1 Generic Malware Malicious Library Malicious Packer UPX Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 DLL PE64 VirusTotal Malware suspicious privilege Checks debugger Creates executable files unpack itself suspicious process AppData folder WriteConsoleW Turn off Windows Error Recovery notification window Tofsee ComputerName crashed |
|
2
imagizer.imageshack.com(151.139.128.11) 151.139.128.11 - phishing
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
12944 | 2021-09-29 16:19 | CompensationClaim-1630636598-0... | f3e5e9eb94f7bc0115c4b373093d085d | VBA_macro Generic Malware MSOffice File VirusTotal Malware ICMP traffic RWX flags setting unpack itself suspicious process DNS | http://190.14.37.187/44468.6789060185.dat; http://94.140.112.126/44468.6789060185.dat; http://185.141.27.213/44468.6789060185.dat | 190.14.37.187 - malicious; 94.140.112.126 - malicious; 185.141.27.213 - malicious | | 5.8 | | 5 | ZeroCERT
12945 | 2021-09-29 16:27 | etooltipred.png | 7dc229cc5bf7e78b899a888728a11198 | Emotet Gen1 UPX Malicious Library PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed | https://179.189.229.254/top125/TEST22-PC_W617601.88F1D4E3B76E7578C633B085D7CDCBB8/5/file/ | 179.189.229.254 - malicious; 46.99.175.217 - malicious; 62.99.79.77 - malicious; 46.99.175.149 - malicious; 65.152.201.203 - malicious | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | 6.4 | | | ZeroCERT
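Most of the records above share one pattern: a .NET stealer/RAT resolving a dynamic-DNS name (ddns.net, duckdns.org, hopto.org), which is exactly what the ET POLICY / ET INFO dynamic-DNS alerts key on. As an added example, not part of this listing or of the ZeroCERT service, the Python below parses the flattened Hosts field format used here ("domain(ip) - label ip - label ...") into structured indicators, flags the dynamic-DNS names, and merges the per-IP labels. The DDNS suffix list is an assumption limited to the zones seen on this page, the "mailcious" to "malicious" normalisation covers the listing's own spelling, and the sample fields are constructed by copying three records above.

```python
"""Extract domain/IP indicators from sandbox "Hosts" fields in the format of this listing."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Dynamic-DNS zones that appear in this listing and that the ET dynamic-DNS
# alerts fire on. Assumption for this example: not an exhaustive provider list.
DDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".hopto.org")

# The listing spells one host label "mailcious"; normalise it on the way in.
LABEL_FIX = {"mailcious": "malicious"}

# One entry is either "domain(ip)" or a bare "ip", optionally followed by " - label".
ENTRY_RE = re.compile(
    r"(?:(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"
)


@dataclass
class HostEntry:
    ip: str
    domain: Optional[str] = None   # None for a bare-IP entry
    label: Optional[str] = None    # e.g. "phishing", "malicious", "malware"


def parse_hosts(field: str) -> List[HostEntry]:
    """Parse a flattened Hosts field into HostEntry objects, in listing order."""
    entries: List[HostEntry] = []
    for m in ENTRY_RE.finditer(field):
        label = m.group("label")
        label = LABEL_FIX.get(label, label) if label else None
        entries.append(HostEntry(ip=m.group("ip") or m.group("bare"),
                                 domain=m.group("domain"), label=label))
    return entries


def is_ddns(domain: str) -> bool:
    """True when the name sits under one of the dynamic-DNS zones above."""
    d = domain.lower()
    return any(d.endswith(suffix) for suffix in DDNS_SUFFIXES)


def ddns_c2_candidates(field: str) -> List[Tuple[str, str]]:
    """(domain, ip) pairs for dynamic-DNS hosts: the names the ET POLICY/INFO DynDNS alerts match."""
    return [(e.domain, e.ip) for e in parse_hosts(field) if e.domain and is_ddns(e.domain)]


def ip_labels(field: str) -> Dict[str, Set[str]]:
    """Merge labels per IP, whether they were attached to the domain(ip) entry or the bare IP."""
    labels: Dict[str, Set[str]] = {}
    for e in parse_hosts(field):
        bucket = labels.setdefault(e.ip, set())   # unlabelled IPs still get a key
        if e.label:
            bucket.add(e.label)
    return labels


# Constructed sample: three Hosts fields copied from the records in this listing, keyed by MD5.
SAMPLE_FIELDS = {
    "b5697d67ea7945e6944061d076eeecc3":
        "james12.ddns.net(91.193.75.132) - phishing 91.193.75.132",
    "65691a95adce3b875c496e077d5f7aa5":
        "futurist11.ddns.net(194.5.98.46) 37.235.1.177 - mailcious 37.235.1.174 - mailcious 194.5.98.46 - mailcious",
    "8993ca9025df7cdfee64edc454377def":
        "darkeye.hopto.org(160.152.6.54) 7tgopa.am.files.1drv.com(13.107.42.12) "
        "onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious 13.107.42.12 - malware 160.152.6.54",
}


def build_ioc_table(fields: Dict[str, str]) -> Dict[str, dict]:
    """Per sample MD5: dynamic-DNS C2 candidates plus merged labels for every contacted IP."""
    return {md5: {"ddns": ddns_c2_candidates(f), "labels": ip_labels(f)}
            for md5, f in fields.items()}


if __name__ == "__main__":
    for md5, info in build_ioc_table(SAMPLE_FIELDS).items():
        print(md5, info["ddns"], info["labels"])
```

The second record shows why labels are merged per IP rather than per entry: 194.5.98.46 appears once unlabelled inside the domain entry and once as a bare IP tagged malicious, so a per-entry view would report the C2 address as clean. The OneDrive record likewise keeps 13.107.42.12 and 13.107.42.13 (Microsoft-owned CDN addresses) separate from the darkeye.hopto.org host, so an analyst can drop the hosting IPs and keep the DDNS name as the indicator worth blocking.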