1 | 2022-06-02 18:42
2.exe 62a7edf820591e7943ec306f5ad29d8e | UPX Malicious Library Admin Tool (Sysinternals etc ...) PE32 PE File FormBook Emotet Malware download Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Tofsee Windows crashed
URLs: 11
Hosts: 11
Signatures: 3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
7.6 | M | | ZeroCERT
2 | 2022-02-08 23:01
.win32.exe 8809460ab60bc7113f8790dfecfe57da | Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee Remote Code Execution crashed
URLs: 14
Hosts: 4
jxncqg.am.files.1drv.com(13.107.42.12) onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious 13.107.42.12 - malware
Signatures: 1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | M | 27 | ZeroCERT
3 | 2021-10-29 09:45
eo.exe fb0d1d127da05d102f94ef77ab205875 | PWS Loki[b] Loki.m RAT Generic Malware Socket DNS Internet API HTTP KeyLogger ScreenShot Http API AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Browser ComputerName DNS
URLs: 1
http://45.133.1.13/xsaz/index.php
Hosts: 1
Signatures: 1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser
1 |
9.6 | | 17 | ZeroCERT
4 | 2021-10-29 09:44
vx.exe b8b06e334cfa1e325851a840065b6aa1 | RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName
URLs: 6
Hosts: 10
Signatures: 2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
1 | http://www.trustedfurnituretransport.net/sl4w/
8.4 | | 35 | ZeroCERT
5 | 2021-10-29 09:34
out.exe 671eb2b7682de507f36f6d57ca812b1c | RAT Generic Malware UPX AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself ComputerName
URLs: 18
Hosts: 20
Signatures: 1
ET MALWARE FormBook CnC Checkin (GET)
10.8 | | 40 | ZeroCERT