10156 |
2021-05-24 18:23
|
bin---0.exe 9191f2c11d448ac2baa34768d210f3a7 Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
20
|
24
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.6 |
|
44 |
ZeroCERT
10157 |
2021-05-24 18:20
|
sIIpO8jjC02iQCT.exe 3d9a120a83e330ab0f26454a46b9e1e7 PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
2.8 |
|
24 |
ZeroCERT
10158 |
2021-05-24 18:15
|
YpB5uPa1YKwLPKt.exe 5c8003788c729d9c9d6f91c62aef10f4 PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
2.2 |
|
23 |
ZeroCERT
10159 |
2021-05-24 18:14
|
bin---09.exe c2db9ae19f2ed393fb6ae0703dc30b2c PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself |
17
|
18
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
|
30 |
ZeroCERT
10160 |
2021-05-24 18:13
|
aYnQ4B6WoQm6DuG.exe 20afb202b5cfbb60dc7ff5f2509c3991 PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
2.8 |
|
21 |
ZeroCERT
10161 |
2021-05-24 18:11
|
bin.exe dbb0d24252b09d49478c336e5d0ec994 PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
16
|
19
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
7.6 |
|
|
ZeroCERT
10162 |
2021-05-24 18:10
|
LluwMXf8ngOwqea.exe 3517aa20f6e5641cd95afb5d9173e696 PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
2.8 |
|
22 |
ZeroCERT
10163 |
2021-05-23 10:46
|
kakashi_cry.exe 62c59ba0375eebf49b4d80c290e69646 AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows |
1
|
3
www.google.com(172.217.161.36) 142.250.199.68 142.250.207.68
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
|
ZeroCERT
10164 |
2021-05-23 10:23
|
hbggg.exe e6f6fd13001b8df1af345df56caba5de Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution DNS |
5
http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396 http://uyg5wye.2ihsfa.com/api/?sid=210725&key=72674f7accaa137688c0ad545432594d - rule_id: 1396 http://ip-api.com/json/ https://iplogger.org/18hh57 https://www.facebook.com/
|
8
www.facebook.com(157.240.215.35) uyg5wye.2ihsfa.com(88.218.92.148) - mailcious ip-api.com(208.95.112.1) iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 208.95.112.1 88.218.92.148 - malware 157.240.215.35
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
|
2
http://uyg5wye.2ihsfa.com/api/ http://uyg5wye.2ihsfa.com/api/
|
7.0 |
M |
50 |
ZeroCERT
10165 |
2021-05-23 10:13
|
BBSbacket.exe e19f8b76b5a0c4959fcb41fe5b46ad80 AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
3
http://87.251.71.193// - rule_id: 1393 https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947 https://api.ip.sb/geoip
|
5
c.pycharm3.ru(217.107.34.191) api.ip.sb(172.67.75.172) 104.26.12.31 87.251.71.193 - mailcious 217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
1
|
11.8 |
M |
30 |
ZeroCERT
10166 |
2021-05-21 10:00
|
vbc.exe 6e1e56fd157c5d33cac5a84225561906 AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
8.4 |
|
26 |
ZeroCERT
10167 |
2021-05-21 08:43
|
netwire.exe 9d19dad3b71dfeec8276cb6e266365df PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
7.2 |
|
|
ZeroCERT
10168 |
2021-05-21 08:41
|
netwire-988.exe c225922e8ec40ccca7d491fa57ece50b PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName DNS Cryptographic key |
2.8 |
|
10 |
ZeroCERT
10169 |
2021-05-21 08:35
|
00.exe 83377601918cdc76c76ed36c06a01546 PE File OS Processor Check PE32 VirusTotal Malware Check memory Checks debugger Creates executable files AppData folder DNS |
|
1
5.4 |
|
52 |
ZeroCERT
10170 |
2021-05-20 16:57
|
fax_Documents.exe 5e9c34075c2eb3d3db131e1227383f1e Malicious Packer .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS |
2.8 |
|
34 |
ZeroCERT