1 | 2021-08-05 10:15
File: GUN-2.exe
MD5: b92376d5972be4bf3f100b17e978b6af
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, Windows, Cryptographic key
URLs (16):
http://www.martabaroagency.com/wufn/?Ez=r0PGHSY2SUcZB8VeRTqckmU+v7wbtMF1fJATAoKMkp5jXhuYZ6C7mu0EbtSkXg+d4UfDPRR1&lhud=Txol_2G - rule_id: 2915
http://www.travelstipsguide.com/wufn/?Ez=VyftNyjG0aQ5lx947SUGSmHD3tMYmiTmQvBtAxw4efd8ssVW9Od3MOGKP5omeKQ1iB3A5VY5&lhud=Txol_2G
http://www.gaigoilaocai.com/wufn/?Ez=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&lhud=Txol_2G - rule_id: 2912
http://www.iqpt.info/wufn/ - rule_id: 2910
http://www.iqpt.info/wufn/?Ez=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&lhud=Txol_2G - rule_id: 2910
http://www.theroseofsharonsalon.com/wufn/?Ez=OadTn2uJtzT8oubefSjMAoLtzsAZKEPGGNEB1Q92m5bHHV2MxPvD7WU/WfzEYQpZzBC6ZQgQ&lhud=Txol_2G - rule_id: 2913
http://www.rsautoluxe.com/wufn/ - rule_id: 3288
http://www.martabaroagency.com/wufn/ - rule_id: 2915
http://www.joneshondaservice.com/wufn/ - rule_id: 3491
http://www.pon.xyz/wufn/?Ez=TjHmMFEWoC7f3AvZD4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCe56sbMIcecYmi82gg8d&lhud=Txol_2G
http://www.theroseofsharonsalon.com/wufn/ - rule_id: 2913
http://www.rsautoluxe.com/wufn/?Ez=w5EnrSKap8oRy2zPlnddF8gTSk3mhpsg6+K+ZUM/zOnILWZ553OzJd1vgJ8iXK568zhVN9hj&lhud=Txol_2G - rule_id: 3288
http://www.travelstipsguide.com/wufn/
http://www.joneshondaservice.com/wufn/?Ez=cHwUMaOvOUl4mR2wsbRfLYaultZ7TSeYo2Z/vCzCk8dNTOF36Jse9g+x5El8dvRa2DMYrrKS&lhud=Txol_2G - rule_id: 3491
http://www.gaigoilaocai.com/wufn/ - rule_id: 2912
http://www.pon.xyz/wufn/
Hosts (17):
www.rsautoluxe.com(103.48.133.134) - malicious
www.joneshondaservice.com(50.87.249.29)
www.martabaroagency.com(185.14.56.84)
www.travelstipsguide.com(204.11.56.48)
www.pon.xyz(199.59.242.153)
www.iqpt.info(67.199.248.13)
www.gaigoilaocai.com(104.21.84.71)
www.800pls.info()
www.theroseofsharonsalon.com(198.49.23.144)
198.49.23.144 - malicious
185.14.56.84 - malicious
199.59.242.153 - malicious
204.11.56.48 - phishing
67.199.248.12 - malicious
172.67.187.204 - malicious
103.48.133.134 - malicious
50.87.249.29 - malicious
IDS alerts (2):
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
URLs matched by rule (12):
http://www.martabaroagency.com/wufn/
http://www.gaigoilaocai.com/wufn/
http://www.iqpt.info/wufn/
http://www.iqpt.info/wufn/
http://www.theroseofsharonsalon.com/wufn/
http://www.rsautoluxe.com/wufn/
http://www.martabaroagency.com/wufn/
http://www.joneshondaservice.com/wufn/
http://www.theroseofsharonsalon.com/wufn/
http://www.rsautoluxe.com/wufn/
http://www.joneshondaservice.com/wufn/
http://www.gaigoilaocai.com/wufn/
10.6 | M | 32 | ZeroCERT
2 | 2021-08-05 10:08
File: .wininit.exe
MD5: 4790a6bec0eb9efda12d2abe2bb38d00
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs (12):
http://www.browbabelondon.com/n84e/
http://www.792argonne.com/n84e/
http://www.betterhealthdc.com/n84e/?s0=HpDyM7h5S8k83y8yqRedKYUfYoom3rvCxt/61BOuhsxa8LZ1DHJJwbq3je7qCSJdcJE1pbe9&CZ=7nH8XRk
http://www.scorchonerecords.com/n84e/
http://www.conectaragora.com/n84e/ - rule_id: 3740
http://www.notemanches.com/n84e/?s0=t6cJ++5ur6LyOWHVfvSSg1kOqj+5LkQnu0xiLqduvq4gQlmcvj2tgZjJWmh2P/ItDCI8JQg1&CZ=7nH8XRk
http://www.scorchonerecords.com/n84e/?s0=AAar8/QTt3rWpEU75zSnopAP9jFchFx03LuP9S6n7N0ZyqjMic65prikiu4NCiYQqXEz50yr&CZ=7nH8XRk
http://www.conectaragora.com/n84e/?s0=p6i+kRTznlIfp8/7XMyecgcPSEfEpCNZNLU/042ESd3JmDRQsTR5UXzjOO9R4eeSQMVHZgcS&CZ=7nH8XRk - rule_id: 3740
http://www.betterhealthdc.com/n84e/
http://www.notemanches.com/n84e/
http://www.792argonne.com/n84e/?s0=DFZFTQHbXlya/MeaUFAazqs5HaS9PDJCmOYPBYguisCI4Vi6jG07nsAfhM9aFpcU+h3ZeOvL&CZ=7nH8XRk
http://www.browbabelondon.com/n84e/?s0=iN/2jpDVItD0PjH3kQlCvYGpp+lZ4fRxObDvETofyrxd1QZoKdP5K/qHZNaGThNBJIIcYPFv&CZ=7nH8XRk
Hosts (12):
www.notemanches.com(34.102.136.180)
www.792argonne.com(184.168.131.241)
www.kailinsen.com(23.234.7.122)
www.browbabelondon.com(34.80.190.141)
www.betterhealthdc.com(67.205.10.140)
www.scorchonerecords.com(34.102.136.180)
www.conectaragora.com(184.168.131.241)
184.168.131.241 - malicious
34.102.136.180 - malicious
23.234.7.122
67.205.10.140
34.80.190.141 - malicious
IDS alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
URLs matched by rule (2):
http://www.conectaragora.com/n84e/
http://www.conectaragora.com/n84e/
9.8 | M | 34 | ZeroCERT
3 | 2021-08-04 17:07
File: whesilox.exe
MD5: 53aef228cd00d59916a1b375fe86e9cf
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Windows, ComputerName, DNS, Cryptographic key, DDNS
URLs (1):
http://checkip.dyndns.org/
Hosts (2):
checkip.dyndns.org(158.101.44.242)
132.226.247.73
IDS alerts (2):
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
10.2 | | 26 | ZeroCERT
4 | 2021-08-04 09:32
File: dun.exe
MD5: 214b1ddf045e4d6fdd73a5c8788d2adc
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, Windows, Cryptographic key
URLs (8):
http://www.thesoulrevitalist.com/p2io/ - rule_id: 2157
http://www.thesoulrevitalist.com/p2io/?VPXhs=ywi4HDlC8ElSOMEyK6H+rd6B6cynTULkanOSXBUPYg06e2wPUHpv6wPun14JIO+5lIaxxIkr&nHLD_L=8p-HvnrH7hptqnk - rule_id: 2157
http://www.zmzcrossrt.xyz/p2io/ - rule_id: 1573
http://www.procircleacademy.com/p2io/?VPXhs=tgVoMP8jv8oJh0LH0MPWwDnGYGbnfEGTJ+yRL/Ijcc1+MHyU0MyQxKIFLUwq3WzUPcz2/uvN&nHLD_L=8p-HvnrH7hptqnk - rule_id: 2905
http://www.procircleacademy.com/p2io/ - rule_id: 2905
http://www.totally-seo.com/p2io/
http://www.totally-seo.com/p2io/?VPXhs=TySV6YYxUBKYb4HOwOCoDLKT5SC+Z4HfI/KqKrWSPqp5raNcMGgDmwJErp1xJY1yPtBpBPJW&nHLD_L=8p-HvnrH7hptqnk
http://www.zmzcrossrt.xyz/p2io/?VPXhs=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&nHLD_L=8p-HvnrH7hptqnk - rule_id: 1573
Hosts (9):
www.procircleacademy.com(104.16.13.194) - malicious
www.zmzcrossrt.xyz(99.83.183.31)
www.totally-seo.com(198.49.23.144)
www.thesoulrevitalist.com(34.102.136.180) - malicious
www.a3i7ufz4pt3.net()
198.49.23.145 - malicious
34.102.136.180 - malicious
104.16.12.194
75.2.73.220 - malicious
IDS alerts (1):
ET HUNTING Request to .XYZ Domain with Minimal Headers
URLs matched by rule (6):
http://www.thesoulrevitalist.com/p2io/
http://www.thesoulrevitalist.com/p2io/
http://www.zmzcrossrt.xyz/p2io/
http://www.procircleacademy.com/p2io/
http://www.procircleacademy.com/p2io/
http://www.zmzcrossrt.xyz/p2io/
9.4 | M | 21 | ZeroCERT
5 | 2021-08-04 09:27
File: arinzex.exe
MD5: ba17343be61c0394910b0ada481b1f86
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software crashed
URLs (2):
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
Hosts (4):
freegeoip.app(172.67.188.154)
checkip.dyndns.org(193.122.130.0)
132.226.8.169
172.67.188.154
IDS alerts (3):
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 | M | 23 | ZeroCERT