Sandbox report listing, 2021-11-04, entries 14521 to 14535. Each entry gives: ID and timestamp; file name, MD5 and the sandbox's tag string; URLs contacted; hosts contacted, written as name (resolved IP) or as a bare IP, with the listing's own verdict tag (malware, malicious or suspicious) where it assigns one and "(unresolved)" where the name returned no address; Suricata alerts; URLs that matched a listing rule; the sandbox score; a detection count that appears only on entries tagged VirusTotal, so it is labelled VT detections below; and the ZeroCERT label. Entry 14522 also carries a single-letter flag (M) that the listing does not explain.

14521  2021-11-04 14:53
File:  7576_1635862012_3623.dll
MD5:   628b068ebb6c34efd8b4d21d4f4c7723
Tags:  PE64 PE File DLL IcedID Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee
URLs (2):
  http://actuallyobligat.info/
  https://aws.amazon.com/
Hosts (4):
  actuallyobligat.info (172.105.27.36)
  aws.amazon.com (54.230.166.71)
  99.86.203.74
  172.105.27.36
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/IcedID Request Cookie
Score: 3.4 | VT detections: 15 | ZeroCERT

14522  2021-11-04 14:53
File:  ww15_testLL_0310_single.exe
MD5:   d6fe99dda423f5d46e37e8b803c36394
Tags:  RAT Gen1 Generic Malware Malicious Library UPX Malicious Packer ASPack PE File OS Processor Check PE32 PE64 DLL .NET EXE Browser Info Stealer Malware download VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security Check virtual network interfaces suspicious process AppData folder suspicious TLD sandbox evasion WriteConsoleW IP Check Tofsee Windows Browser ComputerName DNS crashed
URLs (23):
  http://www.hzradiant.com/askhelp42/askinstall42.exe
  http://fouratlinks.com/installpartners/ShareFolder.exe
  http://www.hzradiant.com/askinstall42.exe
  http://ip-api.com/json/
  http://dataonestorage.com/search_hyperfs_209.exe
  http://45.133.1.182/proxies.txt - rule_id: 6139
  http://staticimg.youtuuee.com/api/?sid=2038513&key=11f089e10a0c2265ea78807ce63e1d19 - rule_id: 5258
  http://212.192.241.62/base/api/statistics.php
  http://eguntong.com/pub33.exe
  http://staticimg.youtuuee.com/api/fbtime - rule_id: 6464
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://212.192.241.62/base/api/getData.php
  http://45.133.1.107/server.txt
  http://212.192.241.62/service/communication.php
  https://f.gogamef.com/userhome/22/23ce6573d0b61d1c6b7a3a8c1cdf07b2.exe
  https://cdn.discordapp.com/attachments/896617596772839426/897483264074350653/Service.bmp
  https://cdn.discordapp.com/attachments/896617596772839426/899593707228135434/Cube_WW14.bmp
  https://d.gogamed.com/userhome/22/any.exe
  https://yandex.ru/
  https://el5en1977834657.s3.ap-south-1.amazonaws.com/kak.exe
  https://cdn.discordapp.com/attachments/891006172130345095/905393686618193921/help0301.bmp
  https://ipinfo.io/widget
  https://cdn.discordapp.com/attachments/891021838312931420/902505896159113296/PL_Client.bmp
Hosts (41):
  d.gogamed.com (104.21.59.236)
  imgs.googlwaa.com (45.136.113.13) - malware
  www.hzradiant.com (194.163.158.120)
  t.gogamec.com (172.67.204.112)
  apps.identrust.com (119.207.65.81)
  iplis.ru (88.99.66.31) - malicious
  cdn.discordapp.com (162.159.135.233) - malware
  eguntong.com (5.8.76.205)
  f.gogamef.com (104.21.72.228)
  el5en1977834657.s3.ap-south-1.amazonaws.com (52.219.62.87)
  connectini.net (162.0.210.44) - malicious
  ipinfo.io (34.117.59.81)
  twitter.com (104.244.42.1)
  dataonestorage.com (45.142.182.152) - malware
  telegram.org (149.154.167.99)
  ip-api.com (208.95.112.1)
  fouratlinks.com (199.192.17.247)
  yandex.ru (77.88.55.55)
  staticimg.youtuuee.com (45.136.151.102) - malicious
  182.162.106.26
  172.67.136.94
  52.219.158.38
  45.133.1.107 - malware
  149.154.167.99
  45.142.182.152
  88.99.66.31 - malicious
  162.0.210.44 - malicious
  5.8.76.205
  34.117.59.81
  45.133.1.182 - malware
  104.21.85.99
  208.95.112.1
  45.136.151.102 - malicious
  162.159.134.233 - malware
  194.163.158.120 - malware
  45.136.113.13 - malware
  212.192.241.62
  104.244.42.193 - suspicious
  199.192.17.247
  5.255.255.5
  104.21.59.236
Alerts (11):
  SURICATA Applayer Mismatch protocol both directions
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
  ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  ET INFO TLS Handshake Failure
  ET INFO Packed Executable Download
  ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (3):
  http://45.133.1.182/proxies.txt
  http://staticimg.youtuuee.com/api/
  http://staticimg.youtuuee.com/api/fbtime
Score: 16.0 | M | VT detections: 25 | ZeroCERT

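The hosts field of these entries mixes three shapes: a name with its resolved address, a bare address, and a name with empty parentheses that never resolved, each optionally followed by a verdict tag, which the raw listing spells "mailcious" in places. The parser below is an added example written for this page, not code from the listing's own site; it turns that field into structured indicators, normalizes the tag spelling, lets a verdict on an address reinforce the domains that resolved to it (entry 14522 has www.hzradiant.com untagged while its address 194.163.158.120 is tagged malware), and exports deduplicated domain, IP and unresolved-name lists. The sample input is constructed from entries 14522 and 14532 above.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the hosts fields of records 14522 and
# 14532 above (a subset). The raw listing spells one verdict tag "mailcious";
# parse_host_field() normalizes it to "malicious".
SAMPLE_HOST_FIELD = (
    "d.gogamed.com(104.21.59.236) imgs.googlwaa.com(45.136.113.13) - malware "
    "www.hzradiant.com(194.163.158.120) iplis.ru(88.99.66.31) - mailcious "
    "dataonestorage.com(45.142.182.152) - malware www.pntex.website() "
    "45.133.1.107 - malware 194.163.158.120 - malware 104.244.42.193 - suspicious "
    "45.142.182.152 104.21.59.236 5.255.255.5"
)

# One entry: a name (domain or dotted quad), an optional "(ip)" suffix where
# empty parentheses mean the name did not resolve, and an optional "- tag".
_ENTRY = re.compile(
    r"(?P<name>[A-Za-z0-9][A-Za-z0-9.\-]*)"
    r"\s*(?:\((?P<ip>[^)]*)\))?"
    r"(?:\s*-\s*(?P<tag>[A-Za-z]+))?"
)
_TAG_FIX = {"mailcious": "malicious"}            # typo used by the listing
_SEVERITY = {"malware": 3, "malicious": 2, "suspicious": 1}


@dataclass(frozen=True)
class HostIOC:
    name: str            # domain, or the address itself for a bare IP entry
    ip: Optional[str]    # resolved address; None for bare IPs and unresolved names
    tag: Optional[str]   # normalized verdict tag, or None when the listing gave none
    is_ip: bool


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def parse_host_field(text: str) -> list[HostIOC]:
    """Tokenize one hosts field into structured indicators."""
    iocs = []
    for m in _ENTRY.finditer(text):
        name, raw_tag = m.group("name"), m.group("tag")
        tag = _TAG_FIX.get(raw_tag.lower(), raw_tag.lower()) if raw_tag else None
        if tag is not None and tag not in _SEVERITY:
            raise ValueError(f"unknown verdict tag {raw_tag!r} on {name}")
        is_ip = _is_ip(name)
        ip = None if is_ip else (m.group("ip") or None)   # "()" becomes None
        if ip is not None and not _is_ip(ip):
            raise ValueError(f"bad resolved address {ip!r} for {name}")
        iocs.append(HostIOC(name=name, ip=ip, tag=tag, is_ip=is_ip))
    return iocs


def indicator_verdicts(iocs: list[HostIOC]) -> dict[str, str]:
    """Strongest verdict per indicator. A tag on a resolved IP is propagated
    to every domain that resolved to it (and a domain's tag to its IP), so an
    untagged domain whose address is tagged "malware" is not exported clean."""
    worst: dict[str, str] = {}

    def note(key: str, tag: Optional[str]) -> None:
        if tag and _SEVERITY[tag] > _SEVERITY.get(worst.get(key, ""), 0):
            worst[key] = tag

    for ioc in iocs:                 # pass 1: own tags, domain -> IP
        note(ioc.name, ioc.tag)
        if ioc.ip:
            note(ioc.ip, ioc.tag)
    for ioc in iocs:                 # pass 2: IP -> domain
        if ioc.ip and ioc.ip in worst:
            note(ioc.name, worst[ioc.ip])
    return worst


def export_lists(iocs: list[HostIOC]) -> dict[str, list[str]]:
    """Deduplicated block lists: every domain, every address (resolved or
    bare), and the names that never resolved and so need a DNS-name rule."""
    ips = {i.name for i in iocs if i.is_ip} | {i.ip for i in iocs if i.ip}
    return {
        "domains": sorted({i.name for i in iocs if not i.is_ip}),
        "ips": sorted(ips, key=ipaddress.ip_address),
        "unresolved": sorted(i.name for i in iocs if not i.is_ip and i.ip is None),
    }
```

Propagation is deliberately one hop in each direction: a shared CDN address (the Cloudflare and Discord hosts in the same entry) would otherwise taint every name behind it, so review the verdict map before it feeds a block list.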
14523  2021-11-04 14:54
File:  zidem3
MD5:   e476378637d33f422cef86ca864dbbfc
Tags:  Emotet Gen2 Gen1 Malicious Packer Malicious Library UPX PE64 PE File DLL Checks debugger buffers extracted unpack itself DNS crashed
Hosts (1):
  (no entries shown)
Score: 2.2 | ZeroCERT

14524  2021-11-04 14:55
File:  setup.exe
MD5:   3329dc6e93761fd9597063f368ea952c
Tags:  Emotet RAT Gen1 Malicious Library UPX PE File PE32 PE64 DLL OS Processor Check Malware download VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName DNS crashed
URLs (1):
  http://trgramm.com/71.exe
Hosts (3):
  trgramm.com (47.254.184.183)
  34.117.59.81
  47.254.184.183
Alerts (4):
  ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE JS/Nemucod.M.gen downloading EXE payload
  ET INFO EXE - Served Attached HTTP
Score: 6.2 | VT detections: 17 | ZeroCERT

14525  2021-11-04 14:56
File:  mm.exe
MD5:   03e95ad0249fb5036bbb4c3478542cbd
Tags:  RAT Generic Malware PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
Hosts (2):
  47.254.184.183
  182.162.106.26
Score: 3.4 | VT detections: 44 | ZeroCERT

14526  2021-11-04 14:56
File:  90000747287171161449.exe
MD5:   05c3aa96ada8cb3d9f80ce44732329d8
Tags:  Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.6 | VT detections: 25 | ZeroCERT

14527  2021-11-04 14:58
File:  fwerdsfkjxcvjksdfkkwefkdkfsfjk...
MD5:   9aa6aa141a72e6bdf7c94c6d9ec6393a
Tags:  RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1):
  http://75.127.1.235/88088/vbc.exe
Hosts (1):
  (no entries shown)
Alerts (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.0 | VT detections: 28 | ZeroCERT

14528  2021-11-04 14:59
File:  csrss.exe
MD5:   20795e246cdfbeae65f0327b30e29e55
Tags:  PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself
Score: 5.2 | VT detections: 23 | ZeroCERT

14529  2021-11-04 15:01
File:  vbc.exe
MD5:   9191670d633330ba6c57b6938c8bca01
Tags:  Malicious Packer UPX PE File PE32 VirusTotal Malware RWX flags setting crashed
Score: 1.8 | VT detections: 27 | ZeroCERT

14530  2021-11-04 15:01
File:  clip.exe
MD5:   7f3928f07a5c02b94810216c0b792839
Tags:  RAT PWS .NET framework BitCoin Generic Malware UPX Antivirus persistence AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE VirusTotal Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Score: 11.2 | VT detections: 41 | ZeroCERT

14531  2021-11-04 15:03
File:  EVA.exe
MD5:   199e59926813eba310c9c218c2d8c7bb
Tags:  AgentTesla(IN) RAT Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key crashed
Score: 5.0 | VT detections: 37 | ZeroCERT

14532  2021-11-04 15:04
File:  vhJA4tqSpiN6pEO.exe
MD5:   ce44d33b7dadb6c6f15cc7a4052e8dbf
Tags:  RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (8):
  http://www.jppdev.com/mbs3/?FTjl4Fm=xTIp2j7oGBIJXI3pKuLR1SvSVVqOZNg6XTUVF74V4+oqUQ+MYDWfwA8kYlwyJeaAVXLzKoib&vR-hu=khOtRrQxX4YlE6q
  http://www.deadlinedrivein.com/mbs3/?FTjl4Fm=FsLQ9ndG3kkIJWt1Wav4yj1ox2sq4C7FyhzqZ9/0vN54V0ltOuYIeh9gJmWGv1HFAPOcAhWv&vR-hu=khOtRrQxX4YlE6q
  http://www.luceneo.com/mbs3/?FTjl4Fm=AMKwz8reuYr2ynuvkh/7Lx/ZVfUjkCuHvQshOOXxZv9jEcJXpHJ2VJZxywkdhi9SoRvNO+wK&vR-hu=khOtRrQxX4YlE6q
  http://www.cf-park.com/mbs3/?FTjl4Fm=WcKYXgCLPlhghe8Q+iXjBGKwWa8txg/9ifeczICOywmpCVIwdxjzrCQDk+GgJTDBWu1tj6NS&vR-hu=khOtRrQxX4YlE6q
  http://www.bloomdock.com/mbs3/?FTjl4Fm=+QLXc5Yzrqeb+oHWI5EJd0fhAfeeNp/nW1YBBfoPJdGpuKfFzXQmPpaSUaRnixeVGjmeenJ2&vR-hu=khOtRrQxX4YlE6q
  http://www.lunon.net/mbs3/?FTjl4Fm=dl2xuYiJXG8BPiMn8YJAdjXWfxewBCRUZCBePjPykqiXE4380L2eDj/TziFWnISSEOOBK0II&vR-hu=khOtRrQxX4YlE6q
  http://www.charcutrements.com/mbs3/?FTjl4Fm=h0GxH4aIW/vP+duOHY4W87oWli9OvBNTwK+NVGVZH5JeEPM9rtoTgXNFpRkRUb1e/XfHsXnG&vR-hu=khOtRrQxX4YlE6q
  http://www.glamourwigsaustralia.com/mbs3/?FTjl4Fm=gYbzK+d7rDo/yvRMErEp/Xphb3nsFTiGAExou4JWeWHpdKkFtkrc7kLdU2ID8izTPpPMZ98+&vR-hu=khOtRrQxX4YlE6q
Hosts (17):
  www.luceneo.com (34.102.136.180)
  www.cf-park.com (154.208.173.174)
  www.bloomdock.com (52.20.84.62)
  www.jppdev.com (23.185.0.4)
  www.glamourwigsaustralia.com (34.80.190.141)
  www.charcutrements.com (34.102.136.180)
  www.deadlinedrivein.com (66.96.147.109)
  www.pntex.website (unresolved)
  www.ultimaroof.com (unresolved)
  www.lunon.net (150.95.217.206)
  23.185.0.4 - malware
  66.96.147.109 - malicious
  150.95.217.206
  52.20.84.62 - malicious
  154.208.173.174
  34.102.136.180 - malicious
  34.80.190.141 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 9.0 | VT detections: 25 | ZeroCERT

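The eight check-in URLs in entry 14532 share one path (/mbs3/), the same two query-parameter names in the same order, and an identical value for the second parameter, while the first parameter's value and the host change every time. That shape, a fixed path and parameter layout fanned out over many domains, is what a hunter can generalize from a single sandbox run. The block below is an added example written for this page (it is not code from the listing's site and says nothing about FormBook internals beyond what the URLs show): it groups URLs by path and parameter names, keeps groups that span several distinct hosts, picks out the parameters whose value never varies, and renders one group as a Suricata hunting rule. Sample input is constructed from entries 14532 and 14522 above; the sid is an assumed local-use number.

```python
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the eight check-in URLs from record 14532 above, plus two
# payload downloads from record 14522 that must not cluster with them.
SAMPLE_URLS = [
    "http://www.jppdev.com/mbs3/?FTjl4Fm=xTIp2j7oGBIJXI3pKuLR1SvSVVqOZNg6XTUVF74V4+oqUQ+MYDWfwA8kYlwyJeaAVXLzKoib&vR-hu=khOtRrQxX4YlE6q",
    "http://www.deadlinedrivein.com/mbs3/?FTjl4Fm=FsLQ9ndG3kkIJWt1Wav4yj1ox2sq4C7FyhzqZ9/0vN54V0ltOuYIeh9gJmWGv1HFAPOcAhWv&vR-hu=khOtRrQxX4YlE6q",
    "http://www.luceneo.com/mbs3/?FTjl4Fm=AMKwz8reuYr2ynuvkh/7Lx/ZVfUjkCuHvQshOOXxZv9jEcJXpHJ2VJZxywkdhi9SoRvNO+wK&vR-hu=khOtRrQxX4YlE6q",
    "http://www.cf-park.com/mbs3/?FTjl4Fm=WcKYXgCLPlhghe8Q+iXjBGKwWa8txg/9ifeczICOywmpCVIwdxjzrCQDk+GgJTDBWu1tj6NS&vR-hu=khOtRrQxX4YlE6q",
    "http://www.bloomdock.com/mbs3/?FTjl4Fm=+QLXc5Yzrqeb+oHWI5EJd0fhAfeeNp/nW1YBBfoPJdGpuKfFzXQmPpaSUaRnixeVGjmeenJ2&vR-hu=khOtRrQxX4YlE6q",
    "http://www.lunon.net/mbs3/?FTjl4Fm=dl2xuYiJXG8BPiMn8YJAdjXWfxewBCRUZCBePjPykqiXE4380L2eDj/TziFWnISSEOOBK0II&vR-hu=khOtRrQxX4YlE6q",
    "http://www.charcutrements.com/mbs3/?FTjl4Fm=h0GxH4aIW/vP+duOHY4W87oWli9OvBNTwK+NVGVZH5JeEPM9rtoTgXNFpRkRUb1e/XfHsXnG&vR-hu=khOtRrQxX4YlE6q",
    "http://www.glamourwigsaustralia.com/mbs3/?FTjl4Fm=gYbzK+d7rDo/yvRMErEp/Xphb3nsFTiGAExou4JWeWHpdKkFtkrc7kLdU2ID8izTPpPMZ98+&vR-hu=khOtRrQxX4YlE6q",
    "http://www.hzradiant.com/askhelp42/askinstall42.exe",
    "http://eguntong.com/pub33.exe",
]


def url_shape(url: str):
    """Host, path, ordered query-key names and raw key->value. Values are kept
    undecoded on purpose: a URI signature has to match the wire form, and
    decoding would turn the "+" inside these values into spaces."""
    parts = urlsplit(url)
    pairs = []
    for chunk in (parts.query.split("&") if parts.query else []):
        key, _, value = chunk.partition("=")
        pairs.append((key, value))
    return parts.hostname or "", parts.path, tuple(k for k, _ in pairs), dict(pairs)


def cluster_checkins(urls, min_hosts: int = 3):
    """Group URLs by (path, query-key names). Keep groups seen on at least
    min_hosts distinct hosts and record every key whose value never changes
    across the group: a static token is the part worth anchoring a rule on."""
    groups = defaultdict(lambda: {"hosts": set(), "values": defaultdict(set)})
    for url in urls:
        host, path, keys, kv = url_shape(url)
        g = groups[(path, keys)]
        g["hosts"].add(host)
        for k, v in kv.items():
            g["values"][k].add(v)
    clusters = []
    for (path, keys), g in groups.items():
        if len(g["hosts"]) < min_hosts:
            continue
        constants = {k: next(iter(v)) for k, v in g["values"].items() if len(v) == 1}
        clusters.append({"path": path, "params": keys,
                         "hosts": sorted(g["hosts"]), "constants": constants})
    clusters.sort(key=lambda c: -len(c["hosts"]))
    return clusters


def _esc(s: str) -> str:
    """Escape the characters a Suricata content: match treats specially."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def suricata_rule(cluster, sid: int) -> str:
    """Render one cluster as a Suricata (5+ keyword syntax) hunting rule that
    anchors on path + first parameter name and on every constant-valued
    parameter. sid is an assumption: pick one from your local-use range."""
    tokens = []
    for i, k in enumerate(cluster["params"]):
        sep = "?" if i == 0 else "&"
        tokens.append(f"{sep}{k}={cluster['constants'].get(k, '')}")
    head = cluster["path"] + (tokens[0] if tokens else "")
    uri = [f'content:"{_esc(head)}"; startswith;']
    uri += [f'content:"{_esc(t)}";' for t in tokens[1:]]
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"HUNT GET check-in shape {_esc(cluster["path"])} seen on '
        f'{len(cluster["hosts"])} hosts"; flow:established,to_server; '
        'http.method; content:"GET"; http.uri; ' + " ".join(uri) +
        f" classtype:trojan-activity; sid:{sid}; rev:1;)"
    )
```

With min_hosts=3 the two .exe downloads stay out, because each path is seen on one host. The generated rule matches `/mbs3/?FTjl4Fm=` at the start of the URI and `&vR-hu=khOtRrQxX4YlE6q` anywhere after it; the first parameter's value is left unanchored since it changes per request, so treat the rule as a hunting signature to be validated against your own traffic before it is promoted.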
14533  2021-11-04 15:08
File:  3799_1635922365_1426.exe
MD5:   1bef6a1a0d0cdcb868aaa9fffd513f25
Tags:  RAT Generic Malware PE64 PE File Browser Info Stealer VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Collect installed applications Windows Browser ComputerName DNS Cryptographic key crashed
Hosts (2):
  185.92.73.142
  52.219.66.59
Score: 5.8 | VT detections: 21 | ZeroCERT

14534  2021-11-04 15:08
File:  wnresrv.exe
MD5:   1a0be1dd4745e67fdf94323f46789991
Tags:  RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Disables Windows Security Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (5):
  freegeoip.app (172.67.188.154)
  checkip.dyndns.org (132.226.8.169)
  193.122.6.168
  172.67.188.154
  52.219.156.6
Alerts (3):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.0 | VT detections: 38 | ZeroCERT

14535  2021-11-04 15:09
File:  15673391590007385026.exe
MD5:   d57f5d014ef57dc1703d49f89d94856a
Tags:  Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.6 | VT detections: 25 | ZeroCERT