13261 |
2021-10-07 17:30
|
Clipper.exe a76095f2d5727733b3ca4bd8a51349a2 RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
10.0 |
M |
|
r0d
13262 |
2021-10-07 17:37
|
ConsoleApp17.exe 0497faff25c24f11d0813f8da6b5c2d7 AgentTesla PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Windows DNS Cryptographic key DDNS crashed keylogger |
|
2
lplazadtemins.duckdns.org(194.147.140.45) 194.147.140.45
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
12.2 |
M |
36 |
ZeroCERT
13263 |
2021-10-07 17:38
|
Clipper.exe a76095f2d5727733b3ca4bd8a51349a2 RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
9.8 |
M |
|
r0d
13264 |
2021-10-07 17:38
|
octane.exe d8667b25ba6dda415c8aae718dd4acbe UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution crashed |
3
https://20mqvq.am.files.1drv.com/y4mUh_YT7N5cZ_VtYj7gY-pLi8ax9qzfrx2nbGHZ7G1U61GzcbwSU8iAsSYmf4Jyh-cQD8gC5IsZXT3NdfbXn-6ClX-Ym5zGliSPzVI32b3Ew1iMIKynGYhOz3ZkIz5WXAhE2_-np3wFxBXD4vDAkYtjLc1gALD8fzAvwxJlIBUecmXh0qVBxg4N_dmmNtN--5J5Wmq0pbRBxhqaOq9fB_0Jg/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1 https://onedrive.live.com/download?cid=D6CD7BA665204307&resid=D6CD7BA665204307%21109&authkey=AMdOM29o41CbOZ0 https://20mqvq.am.files.1drv.com/y4mIICgczn0jQ6zC8-aw8Xb86SRr2CmJy2ooH9966h6ZkT_AUu9dtWSt-mU9kkZ3qd5cYMw79sssxrVislI6ELzqwRjOrwQJHO8jnXz0I3kSCIVfFNj6gKFnW6vIjjDV9UQRTSdfp0NjNpEqxAnPmZIKXsSVZyMp_epb-KQRwil_gw_dAONVvND-k4n11x4W_NJ4wPdBbVgnJrgcy3vmBGBCQ/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1
|
6
saptransmissions.dvrlists.com(45.162.228.171) - mailcious onedrive.live.com(13.107.42.13) - mailcious 20mqvq.am.files.1drv.com(13.107.42.12) 13.107.42.13 - mailcious 13.107.42.12 - malware 45.162.228.171
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
31 |
ZeroCERT
13265 |
2021-10-07 17:39
|
1.dll 55ee6dca51e918bd51a000b0899e275a Malicious Library PE File PE32 OS Processor Check DLL Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://46.99.175.217/soc1/TEST22-PC_W617601.2A8BB47119C5EF3D19B55F83BB0AF91C/5/file/ - rule_id: 5810
|
6
46.99.175.217 - mailcious 216.166.148.187 - mailcious 185.56.175.122 - mailcious 65.152.201.203 - mailcious 181.129.167.82 - mailcious 24.162.214.166 - mailcious
|
6
ET CNC Feodo Tracker Reported CnC Server group 10 ET CNC Feodo Tracker Reported CnC Server group 16 ET CNC Feodo Tracker Reported CnC Server group 19 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 11
|
1
https://46.99.175.217/soc1/
|
6.4 |
M |
16 |
ZeroCERT
13266 |
2021-10-07 17:39
|
lifegreen.png 28a26a67316358ef183f71df68713e92 Malicious Packer Malicious Library PE File PE32 OS Processor Check DLL Dridex TrickBot Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://185.56.175.122/fat1/TEST22-PC_W617601.B567912A0F3236F3B59B331D473A977B/5/file/
|
4
128.201.76.252 - mailcious 179.189.229.254 - mailcious 46.99.175.149 - mailcious 185.56.175.122 - mailcious
|
5
ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 11 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 5 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
6.2 |
M |
|
ZeroCERT
13267 |
2021-10-07 17:42
|
images.exe 6d883d583924bab2b456690401265966 Gen2 NPKI Generic Malware ASPack Malicious Library Antivirus PE File PE32 OS Processor Check PE64 DLL Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key |
1
http://connecturl.com/rat.exc
|
3
connecturl.com(185.53.178.9) 185.53.178.9 - mailcious 23.94.199.19 - malware
|
|
|
11.2 |
M |
27 |
ZeroCERT
13268 |
2021-10-07 17:43
|
secret_conversations.html e57fdf1dad4fabac8ad020453f07cdbb AntiDebug AntiVM MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
https://scontent-lga3-2.xx.fbcdn.net/v/t1.6435-1/cp0/p24x24/240958031_2948688838792595_1661814721335136491_n.jpg?_nc_cat=108&ccb=1-5&_nc_sid=84712d&_nc_ohc=5Cm8iRXW8fkAX_M594l&_nc_ad=z-m&_nc_cid=1087&_nc_ht=scontent-lga3-2.xx&oh=4edcbd681cd75e62941efe15a0a2f60a&oe=6182CCBC
|
2
scontent-lga3-2.xx.fbcdn.net(157.240.241.1) 157.240.241.1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
guest
13269 |
2021-10-07 18:06
|
Soft_Manager_Cpm.exe c4644ce4651d79a20de41d54fa5f8e73 Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces ComputerName crashed |
1
|
2
www.google.com(172.217.25.68) 172.217.161.164
|
|
|
4.6 |
|
44 |
ZeroCERT
13270 |
2021-10-07 18:09
|
askinstall58.exe 55f84bb842413ebe0348409cae00cc12 Gen2 Trojan_PWS_Stealer Credential User Data Generic Malware Malicious Packer Malicious Library SQLite Cookie PE File PE32 OS Processor Check PNG Format Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution DNS crashed |
4
http://www.cjnovone.top/Home/Index/lkdinl - rule_id: 6119 http://www.iyiqian.com/ - rule_id: 2326 https://iplogger.org/14Jup7 https://www.listincode.com/ - rule_id: 2327
|
8
www.listincode.com(144.202.76.47) - mailcious www.iyiqian.com(103.155.92.58) - mailcious www.cjnovone.top(188.225.87.175) - mailcious iplogger.org(88.99.66.31) - mailcious 103.155.92.58 - mailcious 88.99.66.31 - mailcious 144.202.76.47 - mailcious 188.225.87.175 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain
|
3
http://www.cjnovone.top/Home/Index/lkdinl http://www.iyiqian.com/ https://www.listincode.com/
|
9.2 |
M |
38 |
ZeroCERT
13271 |
2021-10-07 18:10
|
pub3.exe e07fee7a8c4ac7954e14c62aa03475e0 Malicious Library PE File PE32 OS Processor Check PDB unpack itself |
|
|
|
|
1.0 |
|
|
ZeroCERT
13272 |
2021-10-07 18:11
|
md7_7dfj.exe 0122c6b7f2509a0eec1b39c8689bee86 PE File PE32 Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory unpack itself Tofsee Interception Browser Remote Code Execution DNS crashed |
2
http://186.2.171.3/seemorebty/il.php?e=md7_7dfj - rule_id: 4715 https://iplogger.org/ZlbB4
|
3
iplogger.org(88.99.66.31) - mailcious 186.2.171.3 - mailcious 88.99.66.31 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://186.2.171.3/seemorebty/il.php
|
5.6 |
M |
18 |
ZeroCERT
13273 |
2021-10-07 18:13
|
FolderShare.exe cab181c59fd045c2d4c87f600bea3f6f Generic Malware PE File PE32 .NET EXE PDB MachineGuid Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.4 |
M |
|
ZeroCERT
13274 |
2021-10-07 18:14
|
CalcCryptoInstalww.exe 86a1c8f0737fc82085f4a859733c9514 Emotet RAT Gen1 Generic Malware Themida Packer Malicious Library UPX Antivirus PE File PE32 OS Processor Check .NET EXE GIF Format PE64 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check installed browsers check Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
3
http://gdv.federguda.ru/PeZcZ/ http://gdv.federguda.ru/ http://e6tfvc.federguda.ru/
|
6
e6tfvc.federguda.ru(81.177.141.85) gdv.federguda.ru(81.177.141.85) lessab.space(80.66.87.32) 185.215.113.121 81.177.141.85 - mailcious 80.66.87.32 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
|
|
13.6 |
M |
8 |
ZeroCERT
13275 |
2021-10-07 18:15
|
ShareFolder.exe f66c458713ad1c49fab2f59ceb3abf82 Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
28 |
ZeroCERT