| 10156 |
2021-05-24 18:23
|
 bin---0.exe 9191f2c11d448ac2baa34768d210f3a7
Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
20
http://www.leonardocarrillo.com/p2io/
http://www.micheldrake.com/p2io/?8pz8KT3x=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&CR=CFQH8Xe
http://www.yunlimall.com/p2io/
http://www.vectoroutlines.com/p2io/?8pz8KT3x=RfOK6jKjejKyxd8Ge5LTyAppaXreGCTFIzs53vHZyU46XfbA28pKG3jMmZvEd1BBCDsLyI+Y&CR=CFQH8Xe
http://www.adultpeace.com/p2io/
http://www.liminaltechnology.com/p2io/?8pz8KT3x=PfX6gvL1n2k6iJTsm2w17tv0qq3FBu3hWsZA38xYtqeUN4691F0nKiAgOKyjpkHMBi57ZW6+&CR=CFQH8Xe
http://www.adultpeace.com/p2io/?8pz8KT3x=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&CR=CFQH8Xe
http://www.alfenas.info/p2io/
http://www.untylservice.com/p2io/?8pz8KT3x=L8zxg9SOaofWzoyPv00N4yNSfvs8vmV6MzKbpPLG03vcM8SdHJJ++2zBKn8m8TZ8Pf8jLpz7&CR=CFQH8Xe
http://www.alfenas.info/p2io/?8pz8KT3x=qSqSgno9cBloRqN5VLtR5zfvl4qKeuO7jrdOV5f2r4ZX0X85kelskx3YtL4YRmLXGzhxb6Nv&CR=CFQH8Xe
http://www.liminaltechnology.com/p2io/
http://www.essentiallyourscandles.com/p2io/?8pz8KT3x=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&CR=CFQH8Xe
http://www.untylservice.com/p2io/
http://www.vectoroutlines.com/p2io/
http://www.myfavbutik.com/p2io/
http://www.yunlimall.com/p2io/?8pz8KT3x=FG8u3oFYMEksByvCNClu9ACxgqrSnZ6gPOMyaYsdv+YEYVVrg2Qkx51ZmTmiwfcSVwhsWZbW&CR=CFQH8Xe
http://www.essentiallyourscandles.com/p2io/
http://www.leonardocarrillo.com/p2io/?8pz8KT3x=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&CR=CFQH8Xe
http://www.micheldrake.com/p2io/
http://www.myfavbutik.com/p2io/?8pz8KT3x=dKp6rERBK113SD0GvHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqFHc7ZWN2qvn1fWpyoOF&CR=CFQH8Xe
|
24
www.leonardocarrillo.com()
www.essentiallyourscandles.com(23.227.38.74)
www.vectoroutlines.com(198.54.126.105)
www.pandemisorgugirisi-tr.com()
www.adultpeace.com(163.44.239.73)
www.liminaltechnology.com(185.111.89.170)
www.buylocalclub.info()
www.tricqr.com()
www.micheldrake.com(192.0.78.25)
www.myfavbutik.com(172.67.161.4)
www.alfenas.info(34.102.136.180)
www.untylservice.com(185.224.137.223)
www.zgcbw.net()
www.yunlimall.com(142.111.47.2)
185.224.137.223
163.44.239.73
198.54.126.105 - mailcious
209.99.40.222 - mailcious
185.111.89.170
34.102.136.180 - mailcious
104.21.15.16
192.0.78.24 - mailcious
23.227.38.74 - mailcious
142.111.47.2
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.6 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10157 |
2021-05-24 18:20
|
 sIIpO8jjC02iQCT.exe 3d9a120a83e330ab0f26454a46b9e1e7
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.8 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10158 |
2021-05-24 18:15
|
 YpB5uPa1YKwLPKt.exe 5c8003788c729d9c9d6f91c62aef10f4
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10159 |
2021-05-24 18:14
|
 bin---09.exe c2db9ae19f2ed393fb6ae0703dc30b2c
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself |
17
http://www.adultpeace.com/p2io/?GF=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&llvt=fTRHzZwpYvUX0J
http://www.pyithuhluttaw.net/p2io/?GF=NEaCbUvvAYINigSHmrIJ7dR/yfSp7Xbba3vcNBHjwVcKt6Qbvd0czP/RWKD03CMJ7FmiFKIL&llvt=fTRHzZwpYvUX0J
http://www.adultpeace.com/p2io/
http://www.ololmychartlogin.com/p2io/
http://www.bigplatesmallwallet.com/p2io/?GF=O674xtRxkGNoF6c3kGCKbVIXJyLg/Uv1kE5kvfYRu46mJjBrOhkzeBS5wyL3I0uQtRm1X0si&llvt=fTRHzZwpYvUX0J
http://www.ololmychartlogin.com/p2io/?GF=2q6D4S4KFKmlXKAOo+dmfNOnFlWkohYFDzximTpdHsIuBKx0b3v/5p4ytrwsGJikHaDfqBb+&llvt=fTRHzZwpYvUX0J
http://www.alfenas.info/p2io/
http://www.alfenas.info/p2io/?GF=qSqSgno9cBloRqN5VLtR5zfvl4qKeuO7jrdOV5f2r4ZX0X85kelskx3YtL4YRmLXGzhxb6Nv&llvt=fTRHzZwpYvUX0J
http://www.leonardocarrillo.com/p2io/?GF=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&llvt=fTRHzZwpYvUX0J
http://www.hfjxhs.com/p2io/
http://www.ruhexuangou.com/p2io/?GF=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&llvt=fTRHzZwpYvUX0J
http://www.ruhexuangou.com/p2io/
http://www.essentiallyourscandles.com/p2io/
http://www.bigplatesmallwallet.com/p2io/
http://www.pyithuhluttaw.net/p2io/
http://www.essentiallyourscandles.com/p2io/?GF=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&llvt=fTRHzZwpYvUX0J
http://www.hfjxhs.com/p2io/?GF=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&llvt=fTRHzZwpYvUX0J
|
18
www.leonardocarrillo.com()
www.ruhexuangou.com(23.82.57.32)
www.adultpeace.com(163.44.239.73)
www.pyithuhluttaw.net(103.91.67.83)
www.bigplatesmallwallet.com(66.235.200.147)
www.essentiallyourscandles.com(23.227.38.74)
www.hfjxhs.com(156.241.53.161)
www.ololmychartlogin.com(23.82.12.29)
www.alfenas.info(34.102.136.180)
66.235.200.147 - phishing
163.44.239.73
156.241.53.161
209.99.40.222 - mailcious
34.102.136.180 - mailcious
23.82.57.32
23.82.12.29 - suspicious
23.227.38.74 - mailcious
103.91.67.83
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10160 |
2021-05-24 18:13
|
 aYnQ4B6WoQm6DuG.exe 20afb202b5cfbb60dc7ff5f2509c3991
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.8 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10161 |
2021-05-24 18:11
|
 bin.exe dbb0d24252b09d49478c336e5d0ec994
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
16
http://www.cyrilgraze.com/p2io/?qR-HnluH=PONkgH6OT+IdHpvpbj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsMLieTk0sG+frQWfUBsy&TVg84P=yjR8IXLxMLv
http://www.dmgt4m2g8y2uh.net/p2io/?qR-HnluH=QtqXFq7HS/X4MIE9GXms050Yi4WsLwGmbpvB1Cdjo9kEhb/cEuRUaHG+vgNP8VkCpLdNveMs&TVg84P=yjR8IXLxMLv
http://www.cmannouncements.com/p2io/
http://www.adultpeace.com/p2io/?qR-HnluH=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&TVg84P=yjR8IXLxMLv
http://www.dmgt4m2g8y2uh.net/p2io/
http://www.adultpeace.com/p2io/
http://www.thriveglucose.com/p2io/
http://www.thriveglucose.com/p2io/?qR-HnluH=bgEje2qqVLxeqLNVlwWQjpUULYzLZlDcA+G1vxfW8Jz/ro52V1dcg5nZt+TpVqb/WeIjD6oW&TVg84P=yjR8IXLxMLv
http://www.zmzcrossrt.xyz/p2io/
http://www.cyrilgraze.com/p2io/
http://www.pyithuhluttaw.net/p2io/?qR-HnluH=NEaCbUvvAYINigSHmrIJ7dR/yfSp7Xbba3vcNBHjwVcKt6Qbvd0czP/RWKD03CMJ7FmiFKIL&TVg84P=yjR8IXLxMLv
http://www.zmzcrossrt.xyz/p2io/?qR-HnluH=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&TVg84P=yjR8IXLxMLv
http://www.cmannouncements.com/p2io/?qR-HnluH=wzEdtbrAF/I1cRkF/h093gtD2EzP1yO8zPBZTUdll922Z1OUYyEpwi72EGdxEgGIGaDMgw4G&TVg84P=yjR8IXLxMLv
http://www.micheldrake.com/p2io/?qR-HnluH=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&TVg84P=yjR8IXLxMLv
http://www.pyithuhluttaw.net/p2io/
http://www.micheldrake.com/p2io/
|
19
www.adultpeace.com(163.44.239.73)
www.buylocalclub.info()
www.mercuryaid.net()
www.cmannouncements.com(69.195.83.71)
www.micheldrake.com(192.0.78.25)
www.zmzcrossrt.xyz(99.83.185.45)
www.pyithuhluttaw.net(103.91.67.83)
www.cyrilgraze.com(172.67.138.177)
www.thriveglucose.com(184.168.131.241)
www.m678.xyz()
www.dmgt4m2g8y2uh.net(103.120.13.242)
69.195.83.71
163.44.239.73
103.120.13.132
184.168.131.241 - mailcious
99.83.230.40 - mailcious
192.0.78.24 - mailcious
104.21.65.7
103.91.67.83
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
7.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10162 |
2021-05-24 18:10
|
 LluwMXf8ngOwqea.exe 3517aa20f6e5641cd95afb5d9173e696
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10163 |
2021-05-23 10:46
|
 kakashi_cry.exe 62c59ba0375eebf49b4d80c290e69646
AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows |
1
|
3
www.google.com(172.217.161.36)
142.250.199.68
142.250.207.68
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10164 |
2021-05-23 10:23
|
 hbggg.exe e6f6fd13001b8df1af345df56caba5de
Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution DNS |
5
http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
http://uyg5wye.2ihsfa.com/api/?sid=210725&key=72674f7accaa137688c0ad545432594d - rule_id: 1396
http://ip-api.com/json/
https://iplogger.org/18hh57
https://www.facebook.com/
|
8
www.facebook.com(157.240.215.35)
uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
ip-api.com(208.95.112.1)
iplogger.org(88.99.66.31) - mailcious
88.99.66.31 - mailcious
208.95.112.1
88.218.92.148 - malware
157.240.215.35
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
|
2
http://uyg5wye.2ihsfa.com/api/
http://uyg5wye.2ihsfa.com/api/
|
7.0 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10165 |
2021-05-23 10:13
|
 BBSbacket.exe e19f8b76b5a0c4959fcb41fe5b46ad80
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
3
http://87.251.71.193// - rule_id: 1393
https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947
https://api.ip.sb/geoip
|
5
c.pycharm3.ru(217.107.34.191)
api.ip.sb(172.67.75.172)
104.26.12.31
87.251.71.193 - mailcious
217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
1
|
11.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10166 |
2021-05-21 10:00
|
 vbc.exe 6e1e56fd157c5d33cac5a84225561906
AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
8.4 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10167 |
2021-05-21 08:43
|
 netwire.exe 9d19dad3b71dfeec8276cb6e266365df
PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
|
|
|
7.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10168 |
2021-05-21 08:41
|
 netwire-988.exe c225922e8ec40ccca7d491fa57ece50b
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName DNS Cryptographic key |
|
|
|
|
2.8 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10169 |
2021-05-21 08:35
|
 00.exe 83377601918cdc76c76ed36c06a01546
PE File OS Processor Check PE32 VirusTotal Malware Check memory Checks debugger Creates executable files AppData folder DNS |
|
1
|
|
|
5.4 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10170 |
2021-05-20 16:57
|
 fax_Documents.exe 5e9c34075c2eb3d3db131e1227383f1e
Malicious Packer .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS |
|
|
|
|
2.8 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|