13921 | 2021-10-22 09:04 | 8_hp8500at.dll | f8c801f32b822d210bbb788407ed29cf | Malicious Library PE File PE32 DLL VirusTotal Malware | 1.0 | 16 | ZeroCERT
13922 | 2021-10-22 09:04 | Notepad.EXE | f072f3491834b7d05e0ae01c78de778e | Generic Malware Antivirus PE64 PE File VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger WMI Creates shortcut Creates executable files ICMP traffic unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS | 5: haberci1.duckdns.org(85.105.101.188) haberci.ddns.net(0.0.0.0) www.google.com(216.58.220.132) 85.105.101.188 142.250.204.36 | 2: ET POLICY DNS Query to DynDNS Domain *.ddns .net ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | 9.6 | 38 | ZeroCERT
13923 | 2021-10-22 09:05 | lv.exe | 63c6959237b662401a9f78e799d34db1 | Gen1 Gen2 Themida Packer Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer PE File PE32 DLL PE64 VirusTotal Malware Check memory Creates executable files unpack itself Checks Bios Detects VMWare AppData folder VMware anti-virtualization Windows Firmware crashed | 6.8 | 31 | ZeroCERT
13924 | 2021-10-22 09:06 | 2_api-ms-win-downlevel-normali... | 00752a06db0eacfd3b09e36d3a3d29c6 | Malicious Library PE File PE32 DLL VirusTotal Malware | 1.0 | 15 | ZeroCERT
13925 | 2021-10-22 09:07 | 5_System.Numerics.dll | 4aa41378b7c700010b1a3ec72a588306 | Malicious Library PE File PE32 DLL VirusTotal Malware | 1.0 | 14 | ZeroCERT
13926 | 2021-10-22 09:07 | subzero.png | 320fdabe9103d3e4bd67d2920e784640 | AntiDebug AntiVM PE File PE32 DLL Dridex TrickBot Malware Report suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName DNS crashed | 9: http://apps.identrust.com/roots/dstrootcax3.p7c https://46.99.175.217/rob136/TEST22-PC_W617601.10AD5D5DF7F4771F1BC33BD935F4633B/14/user/test22/0/ https://46.99.175.217/rob136/TEST22-PC_W617601.10AD5D5DF7F4771F1BC33BD935F4633B/5/file/ https://46.99.175.217/rob136/TEST22-PC_W617601.10AD5D5DF7F4771F1BC33BD935F4633B/14/NAT%20status/client%20is%20behind%20NAT/0/ https://46.99.175.217/rob136/TEST22-PC_W617601.10AD5D5DF7F4771F1BC33BD935F4633B/14/exc/E:%200xc0000005%20A:%200x0000000077379A5A/0/ https://ident.me/ https://36.66.188.251/rob136/TEST22-PC_W617601.10AD5D5DF7F4771F1BC33BD935F4633B/5/pwgrabb64/ https://46.99.175.217/rob136/TEST22-PC_W617601.10AD5D5DF7F4771F1BC33BD935F4633B/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CCregSysUtilsR353DR%5Cjzsubzero.pngzd.dmo/0/ https://46.99.175.217/rob136/TEST22-PC_W617601.10AD5D5DF7F4771F1BC33BD935F4633B/0/Windows%207%20x64%20SP1/1108/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/RHzx7VbphFtVXlzr9Nl1TpbjX5/ | 9: apps.identrust.com(119.207.65.74) ident.me(176.58.123.25) 105.27.205.34 - mailcious 46.99.175.217 - mailcious 221.147.172.5 - mailcious 216.166.148.187 - mailcious 176.58.123.25 222.122.182.200 36.66.188.251 - mailcious | 7: ET CNC Feodo Tracker Reported CnC Server group 18 ET CNC Feodo Tracker Reported CnC Server group 16 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 3 | 9.8 | ZeroCERT
13927 | 2021-10-22 09:09 | 9_sysprepMCE.dll | 493affe2d3fb24b9ef24a523292df0be | Malicious Library PE File PE32 DLL VirusTotal Malware | 1.0 | 16 | ZeroCERT
13928 | 2021-10-22 09:09 | slovarikinstalls.exe | 4788b9f2b49471fa3f20ce9ac9fd8524 | RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Report suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed | 2: 185.215.113.94 - mailcious 36.66.188.251 - mailcious | 2: ET DROP Spamhaus DROP Listed Traffic Inbound group 25 ET CNC Feodo Tracker Reported CnC Server group 16 | 6.2 | 26 | ZeroCERT
13929 | 2021-10-22 09:10 | vbc.exe | a91eb16dec4963d0b7198e9bb1b3d379 | PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed | 8.8 | 26 | ZeroCERT
13930 | 2021-10-22 09:10 | 1_ieakui.dll | 74e4a2208c91735a96bfbbba392b221a | Malicious Library PE File PE32 DLL VirusTotal Malware | 1.0 | 16 | ZeroCERT
13931 | 2021-10-22 09:11 | 101.exe | 9d4458f6de6fb97b9b2a6ee9a69b62f4 | RAT PWS .NET framework Generic Malware ASPack Malicious Packer Malicious Library UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Ransom Message installed browsers check Tofsee Ransomware GameoverP2P Zeus Windows Browser Tor ComputerName Trojan Banking Cryptographic key crashed | 2: https://cdn.discordapp.com/attachments/893177342426509335/900715748136214588/400C23D9.jpg https://cdn.discordapp.com/attachments/893177342426509335/900715750510166056/4E05CD6C.jpg | 3: cdn.discordapp.com(162.159.135.233) - malware 162.159.129.233 - malware 162.159.135.233 - malware | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 20.2 | 35 | ZeroCERT
13932 | 2021-10-22 09:11 | vbc.exe | 704f90b4d0eb8b2c5d76d119d1130039 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed | 1: http://apps.identrust.com/roots/dstrootcax3.p7c | 4: pastebin.pl(168.119.93.163) - mailcious apps.identrust.com(119.207.65.153) 168.119.93.163 - mailcious 121.254.136.57 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 2.6 | 27 | ZeroCERT
13933 | 2021-10-22 09:12 | hswaxn.exe | c0fd2bdc5772986959399b514d854a9c | PE64 PE File VirusTotal Malware | 1.4 | 36 | ZeroCERT
13934 | 2021-10-22 09:13 | 0_WPDSp.dll | 8bbac1f6e64537bd91f903994912dc96 | Malicious Library PE File PE32 DLL VirusTotal Malware | 2.0 | 14 | ZeroCERT
13935 | 2021-10-22 09:14 | buildz.exe | 8daa272f411b68ce0bfbb42c9785bf3c | PWS Loki[b] Loki.m AgentTesla browser info stealer [m] Generic Malware task schedule Malicious Library UPX ScreenShot DGA Socket DNS Internet API Http API AntiDebug AntiVM PE File OS Processor Check PE32 Malware download Dridex Malware Microsoft AutoRuns PDB Code Injection Checks debugger buffers extracted Creates executable files unpack itself Windows utilities AppData folder malicious URLs suspicious TLD WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS crashed | 2: http://znpst.top/dl/build2.exe - rule_id: 5606 http://rlrz.org/lancer/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true | 8: mas.to(88.99.75.82) api.2ip.ua(77.123.139.190) rlrz.org(188.172.93.164) - malware znpst.top(183.100.39.157) - malware 175.117.131.127 175.117.131.126 88.99.75.82 77.123.139.190 | 12: ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET DNS Query to a *.top domain - Likely Hostile ET DNS Query for .to TLD ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Possible EXE Download From Suspicious TLD | 1: http://znpst.top/dl/build2.exe | 11.6 | M | ZeroCERT