1. 2021-11-03 17:01
File: qa.exe
MD5: 068b5c216553c58c1068819bb8bd0195
Tags: RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
URLs (20):
  http://www.iran-style.com/n8cr/?RVE=GXfO8B+dYCYwH7WfZsiiqwaUAAueNeu6MDNafot3+FTdKfteynY4gSrLUTempKfrY+jdfgZk&oX=Txo8nt4pMBsp
  http://www.alexchen032104.com/n8cr/?RVE=EdcaDOzsnrgFHSEkgf65m1FrWY/Hf53INeAgoIBAXIwzlcDd64JyoQZysLIpk1YZWqFFBv8a&oX=Txo8nt4pMBsp
  http://www.faceandco.clinic/n8cr/?RVE=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&oX=Txo8nt4pMBsp - rule_id: 7158
  http://www.faceandco.clinic/n8cr/?RVE=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&oX=Txo8nt4pMBsp
  http://www.karasevda-jor.com/n8cr/?RVE=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&oX=Txo8nt4pMBsp - rule_id: 7160
  http://www.karasevda-jor.com/n8cr/?RVE=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&oX=Txo8nt4pMBsp
  http://www.metaverse360.biz/n8cr/?RVE=a1iYZxDNUxPZ3BDpTTjp6GyZjjVUvaBttrRTAisrx3JfQWRNE2QL6zxye3rkeOOJStsSY+TA&oX=Txo8nt4pMBsp
  http://www.pharmasolutionspr.net/n8cr/?RVE=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&oX=Txo8nt4pMBsp - rule_id: 7161
  http://www.pharmasolutionspr.net/n8cr/?RVE=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&oX=Txo8nt4pMBsp
  http://www.thesaltandpeppercompany.com/n8cr/?RVE=KEg72S8Kgq3jqU/Dvj3XtXev4vRdKH+I6PfdyGiW9oQHzuaf15VYTt2ur/Af8Lc7mGTrTCee&oX=Txo8nt4pMBsp
  http://www.denim-dots.com/n8cr/?RVE=qwkzac1j/67F9bss9FYZBW87jp0Bt+sWJslQldl38e5d08yUah7TTEiAe+JGX9F5JVqNCAa/&oX=Txo8nt4pMBsp
  http://www.metaverse360.biz/n8cr/?RVE=a1iYZxDNUxPZ3BDpTTjp6GyZjjVUvaBttrRTAisrx3JfQWRNE2QL6zxye3rkeOOJStsSY+TA&Mrn=uVjH
  http://www.salvationshippingsecurity.com/n8cr/?RVE=78UME4TI/rV8xZ+buxbYQpMgVk8CS4P/0Mk5rSJGt63WJVcn3+gzRmywil+pDTVKA2ZCHb9f&oX=Txo8nt4pMBsp
  http://www.mainponsel.com/n8cr/?RVE=mVFDnNjJ2vTsUPjU2vMB3+FXNX8eexEZxlIfz47NSAhBxvMoxs8esVMv/fjPY52Pp2B0mYDW&oX=Txo8nt4pMBsp
  http://www.dellmoor.com/n8cr/?RVE=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&oX=Txo8nt4pMBsp - rule_id: 7162
  http://www.dellmoor.com/n8cr/?RVE=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&oX=Txo8nt4pMBsp
  http://www.godigitalwithpavitra.com/n8cr/?RVE=a9TTiAQoSZyTC7GXXz2Ohzovp/Ry6CXzaHOI8WyuEjRkeLOQXnugV1U05qQEj2Q0jUP0bscA&Mrn=uVjH - rule_id: 7163
  http://www.godigitalwithpavitra.com/n8cr/?RVE=a9TTiAQoSZyTC7GXXz2Ohzovp/Ry6CXzaHOI8WyuEjRkeLOQXnugV1U05qQEj2Q0jUP0bscA&Mrn=uVjH
  http://www.mygreatsport.com/n8cr/?RVE=6TrfVAfyv4wZJuUs2Y+7pQpWT8ScL4b/U6XAXH/1NoUMsx3E79jr4ZvGs9GXn/NNbXfgKcsF&oX=Txo8nt4pMBsp
  http://www.aestheticgeneration.com/n8cr/?RVE=Rz970MULcJlEpQ6KB3BFBwmnE+Qwu9WizwqeBL5K2JZ4RTX0YwbwMuJMBXUYpxAAm/unvsS8&oX=Txo8nt4pMBsp
Hosts (27):
  www.thesaltandpeppercompany.com(208.91.197.27)
  www.exodiguis.com()
  www.karasevda-jor.com(151.101.130.199)
  www.mygreatsport.com(165.232.189.23)
  www.istesdesv.xyz()
  www.aestheticgeneration.com(172.67.160.172)
  www.iran-style.com(185.73.226.144)
  www.alexchen032104.com(108.167.140.88)
  www.metaverse360.biz(3.33.152.147)
  www.mainponsel.com(192.0.78.24)
  www.faceandco.clinic(34.102.136.180)
  www.pharmasolutionspr.net(34.102.136.180)
  www.dellmoor.com(34.102.136.180)
  www.godigitalwithpavitra.com(34.102.136.180)
  www.salvationshippingsecurity.com(51.210.240.92)
  www.denim-dots.com(182.50.132.242)
  108.167.140.88
  51.210.240.92 - mailcious
  3.33.152.147
  172.67.160.172
  208.91.197.27 - mailcious
  34.102.136.180 - mailcious
  165.232.189.23
  182.50.132.242 - mailcious
  151.101.130.199
  192.0.78.25 - mailcious
  185.73.226.144
IDS signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO Observed DNS Query to .biz TLD
Rule-matched URLs (5):
  http://www.faceandco.clinic/n8cr/
  http://www.karasevda-jor.com/n8cr/
  http://www.pharmasolutionspr.net/n8cr/
  http://www.dellmoor.com/n8cr/
  http://www.godigitalwithpavitra.com/n8cr/
Score: 8.0
Unlabeled fields: 27
Source: ZeroCERT
2. 2021-11-03 16:54
File: uux.exe
MD5: bd4ef60928a0418f2f42958444a3ffc4
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
URLs: none
Hosts: none
IDS signatures: none
Score: 1.6
Unlabeled fields: 15
Source: ZeroCERT
3. 2021-11-02 11:49
File: ov.exe
MD5: 9c87428041d39d0be69711fa64cb4035
Tags: PWS Loki[b] Loki.m RAT Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://195.133.18.192/oxsxo/fre.php
Hosts (2):
  195.133.18.192
  104.21.19.200
IDS signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 13.4
Unlabeled fields: 13
Source: ZeroCERT
4. 2021-11-02 11:43
File: sa.exe
MD5: 9d1ce1bf77fa0c73721fbd73269fc24b
Tags: RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName
URLs (3):
  http://www.findallclass.com/sl4w/?oPqLWL=kCV/FIfZxfFmzJxKj7aZffhVdUOkEqgZ5bZHEs6N9QXUciE7SpQlAbnjoozDJB0YroPV18tp&Lv0h=ZVyXVbS8c
  http://www.theflourfactory.online/sl4w/?oPqLWL=a2oqy9nz6L5P4+5JZLs75vMiXmXKc4/fQL2IKL334cvENcHqkf3keYD41dhm701TqhPcfQ2d&Lv0h=ZVyXVbS8c
  http://www.ledbulb.xyz/sl4w/?oPqLWL=YcH+O3zr2j868bhr1Ddrrm/IdzhIudC82VthSc1bFxhN6LCPS13XVKD2pq8huN9Q4u7NE0re&Lv0h=ZVyXVbS8c
Hosts (7):
  www.frameyes.com()
  www.theflourfactory.online(203.170.80.250)
  www.ledbulb.xyz(64.190.62.111)
  www.findallclass.com(162.241.253.42)
  64.190.62.111 - mailcious
  203.170.80.250 - phishing
  162.241.253.42
IDS signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 8.0
Unlabeled fields: 16
Source: ZeroCERT
5. 2021-11-02 11:40
File: xs.exe
MD5: e9680f9e3f58e0e087d82243b07ce93b
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
URLs: none
Hosts: none
IDS signatures: none
Score: 1.8
Unlabeled fields: 22
Source: ZeroCERT
6. 2021-10-29 09:48
File: xso.exe
MD5: 257679d1ffeaa47dcea2491b13637e50
Tags: RAT Generic Malware UPX AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName
URLs (3):
  http://www.buildstarconst.com/sl4w/?6l8P=rWwJ7ET0sHd4gGkB9dVKIEIoJ+RqQrFmVMEdCyZm6skUMbIw/1NiBsgVzJPxFFkOUojtFvF6&mlvx=fZU8pTY0MT2trP
  http://www.roxytocin.art/sl4w/?6l8P=EubUdb3A3+v3zBAO2yMZszRUAX6MySP9IuHIW5t779IK3kZlpI6b33bDf1ILvDReab3Uu77l&mlvx=fZU8pTY0MT2trP
  http://www.getgoldwithmrsbest.com/sl4w/?6l8P=1JDKyruM/74jwNm/2X+0t2d5cjjeO1YF2ZZr07xm6iLte28LljOvl4p69ACcbMMjDgnwMGvg&mlvx=fZU8pTY0MT2trP
Hosts (7):
  www.roxytocin.art(198.54.117.210)
  www.getgoldwithmrsbest.com(198.54.117.215)
  www.buildstarconst.com(66.96.162.129)
  www.susu521.com()
  198.54.117.211 - phishing
  66.96.162.129
  198.54.117.216 - phishing
IDS signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.2
Unlabeled fields: 22
Source: ZeroCERT
7. 2021-10-29 09:43
File: fed.exe
MD5: e574ad4af9b6fc033fdf0b54ca7bf014
Tags: PWS Loki[b] Loki.m RAT Gen1 Gen2 Generic Malware Malicious Packer Malicious Library UPX Socket DNS Internet API HTTP KeyLogger ScreenShot Http API AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Ransomware Zeus Windows Browser Email ComputerName DNS Software
URLs (1):
  http://45.133.1.13/xsaz/index.php
Hosts (1): (list not present)
IDS signatures (3):
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  ET MALWARE AZORult v3.3 Server Response M1
  ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
Score: 18.0
Unlabeled fields: 23
Source: ZeroCERT
8. 2021-09-28 16:21
File: cc.exe
MD5: 4c70d5b1c63a468f7e0aedf64f93ca42
Tags: RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
URLs (20):
  http://www.5fbuy.com/mjyv/
  http://www.tropicaldepression.info/mjyv/
  http://www.productprinting.online/mjyv/?w0G=dI0EVfu1T7SuYQVSFiskZOhLU8OYvItQe6UNnJ1ElFuaQLbdP5Uf2YRPyTd8+GYShGrxOpBk&uFQh=XP7HMZ_0
  http://www.behiscalm.com/mjyv/?w0G=K9FJa1ryPTd/bsjfiuRfbodFPMpyTpIbchH43KPgl0gdBdpLbzvy0KNnzkM4/ITWWD0DdyPm&uFQh=XP7HMZ_0
  http://www.esomvw.com/mjyv/?w0G=84GmfEPteUtbFNbJoLd8GDghdGpnh6a0oBhzpjSSdSN1iSLo8RVzibpVbWjYetZr49ZHqSiu&uFQh=XP7HMZ_0
  http://www.simpeltattofor.men/mjyv/
  http://www.5fbuy.com/mjyv/?w0G=ywYd3xylGJO5OLpkslz37JrHIzwp3tlWSnLC1Y96rw35uOcoKsXpHhY5pdkkf/dPTOcgW5oS&uFQh=XP7HMZ_0
  http://www.behiscalm.com/mjyv/
  http://www.recreativemysteriousgift.com/mjyv/
  http://www.heianswer.xyz/mjyv/
  http://www.totalselfconfidence.net/mjyv/?w0G=7+dRD0Usrp3WWVtSB58FWZJEotErpYduYxSnFhVAMtOnW0W/yaWH2gNfK0a+FiHaPyaiz1lE&uFQh=XP7HMZ_0
  http://www.simpeltattofor.men/mjyv/?w0G=YF19YjsW8YJ3UOve4Qb3KBW5CTiNCbLMIoRIqgRYw5C7pHv6F5Yv7+2MVeO4kquiRvNeMbg8&uFQh=XP7HMZ_0
  http://www.recreativemysteriousgift.com/mjyv/?w0G=UIDv5jYg+EGmLgH+kIA/UtxX3yxSo1C4sdt8PdUehlnxHFL/vvHfTGKb0f+7G6qAqL9f6D8F&uFQh=XP7HMZ_0
  http://www.tropicaldepression.info/mjyv/?w0G=6gygz6yKUka1Qt5eq57e3sczR1onff0rQ5APpUKZF9lXnBs4e0E13IroulXz/W0b6vprOEhp&uFQh=XP7HMZ_0
  http://www.heianswer.xyz/mjyv/?w0G=PnJxMkqvc09Z2Oi3w0K1aE42Df2MO+gXeSc77N3Ck37Jj1CPHETfefhUrzlouLifmytUaiIJ&uFQh=XP7HMZ_0
  http://www.productprinting.online/mjyv/
  http://www.lebonaharchitects.com/mjyv/?w0G=0MkTYu9FMNUsMiLIDY53araUyNOR0X7Q4YfgznEZYap2TEr+u3Fin7WpC36DVb6QOCYDEkLN&uFQh=XP7HMZ_0
  http://www.esomvw.com/mjyv/
  http://www.totalselfconfidence.net/mjyv/
  http://www.lebonaharchitects.com/mjyv/
Hosts (22):
  www.chilestew.com()
  www.wenyuexuan.com()
  www.simpeltattofor.men(103.224.182.210)
  www.lebonaharchitects.com(34.102.136.180)
  www.babybox.media()
  www.5fbuy.com(172.255.219.23)
  www.behiscalm.com(34.102.136.180)
  www.recreativemysteriousgift.com(104.156.48.44)
  www.esomvw.com(104.18.26.58)
  www.productprinting.online(108.179.246.105)
  www.totalselfconfidence.net(107.160.80.135)
  www.medicalmanagementinc.info()
  www.heianswer.xyz(34.102.136.180)
  www.tropicaldepression.info(34.80.190.141)
  104.156.48.44 - malware
  104.18.27.58
  172.255.219.23
  34.102.136.180 - mailcious
  107.160.80.135
  103.224.182.210 - phishing
  34.80.190.141 - mailcious
  108.179.246.105 - phishing
IDS signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 9.6
Unlabeled fields: M, 29
Source: ZeroCERT
9. 2021-09-28 16:13
File: ooo.exe
MD5: 2465c0064588369df56b47c28e38aa7e
Tags: RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (3):
  http://www.binoler.xyz/hp6s/?ChOhp=Y0r6UfnM38LgcpYKBlb0i50Dv2SvJNbcX2aAiW6VOnO1SbIPk0VLDMIEprqsED4g5ujfqFSw&Ez=ltH4x0I
  http://www.affordableapartmentssl.com/hp6s/?ChOhp=xduxBy0qZ+DufZSL/R2onClCL9XD8RA8qPy1IQZcPY/Pf+1IWUPWX/JY4Mf09a70XNWl6hDx&Ez=ltH4x0I
  http://www.plxcksd.xyz/hp6s/?ChOhp=nWxINci6IYVyUMacVxyy/VVZomVhI1dtr5KzNL0MsrLoy2oaJyhKJK8IAcZwTNRL2WaiPkpq&Ez=ltH4x0I
Hosts (7):
  www.plxcksd.xyz(52.8.80.253)
  www.affordableapartmentssl.com(104.197.108.89)
  www.candelas.one()
  www.binoler.xyz(188.166.50.136)
  104.197.108.89
  52.8.80.253
  188.166.50.136
IDS signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 7.8
Unlabeled fields: M, 14
Source: ZeroCERT