1 | 2021-11-02 17:46
Sample: vbc.exe (MD5 bd6966e21dcfc96431ea8480ca155210)
Tags: Generic Malware, Malicious Library, UPX, Create Service, DGA, Socket, Steal credential, DNS, Internet API, Code injection, Sniff Audio, HTTP, KeyLogger, FTP, Escalate privileges, Downloader, ScreenShot, Http API, P2P, AntiDebug, AntiVM, PE File, PE32, FormBook, Emotet, Malware download, VirusTotal, Malware, Buffer PE, AutoRuns, Code Injection, Malicious Traffic, buffers extracted, Creates executable files, RWX flags setting, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, crashed
URLs (11):
http://www.monascake.xyz/n8rn/?Pxo=3fKP&vPk=N+dVDga5k5AlZARgxf0keIIR5PT09j6wREJ5P1Drd6FP6MHOFZZzURI1C8BfFN1cL/fZ3JG0
http://www.bredaslo.com/n8rn/?vPk=YvkrLgX5v+gJLfYhZfQlVjOJ0OIl65oSsVBXHv1hYHJfNDyLkexHx42TzRiy/ukcmn+kwtcz&Pxo=3fKP
http://www.phillystore.net/n8rn/?Pxo=3fKP&vPk=JB6wAuEkgy1Nk6Tu6zbqaEuGQElQy2wdDt9NUPdjCsR5tR3VwKW+HfPEGyIYiGiHHoiODDnN
http://www.ff4c75x4e.xyz/n8rn/?vPk=CBFdZGnlCWVyMNbmcVQzF6AW/CZxn+KqjlORQ9hNsSK+4izEjtpZMhTv1QtxgyyzCztkLTJv&Pxo=3fKP
http://www.falcongroupmanagement.com/n8rn/?vPk=3xlBHzuE5euLVvcsiNIMjPhb86iYLA9xdco2AA0J4ute1jO3RwK5T+IefUHbd6tmt5Iag9Cg&Pxo=3fKP
http://www.gb2022-club.com/n8rn/?vPk=o1gu4PeDCGZ8O7/faZBmRhPW5GICwfPAiqrEmBPVxrkFFiNE1m4IuJhA1F+Bnq1vJSz8Ctqu&Pxo=3fKP
http://www.nekomediphile.com/n8rn/?vPk=BeS87FozIjObfhQbb0qima65PDce7tJfTy+2W7jryaKe46jtR54eN2VVXZ5JDrAz5HefR4eS&Pxo=3fKP
http://www.lab-design.online/n8rn/?Pxo=3fKP&vPk=LKMF4jNCARj2uzutzxP04GNkD95VZlHoB4lLHyNgq1q6DZlTHkNd4XvAyDE3Qjg/y/Gr5de9
http://www.nomarcapital.com/n8rn/?Pxo=3fKP&vPk=5fudNtQb7QGDewQUcAnpca8CxpRsfIxl6oYL1821qyEnrOOlpvuIBk6+M0fG21gfpwODYZYC
http://www.mgav26.xyz/n8rn/?vPk=YjHQL/lZ9lt15+1S7htBkoLP3cVg4raGTzPrL96VOT7wYXJUlMGIpKHQe9o+Px0XhwLbcxzF&Pxo=3fKP
https://cdn.discordapp.com/attachments/902800096066928694/904612550010863636/Ouxdtsdanhfgbtopuikzukibwmuiitm
Hosts (25):
www.islandresiliency.com (unresolved)
www.mgav26.xyz (45.128.51.66)
www.jaynelsonphotog.com (unresolved)
www.nekomediphile.com (118.27.122.222)
www.gb2022-club.com (185.49.20.101)
www.prill.quest (unresolved)
www.bredaslo.com (182.50.132.242)
www.nomarcapital.com (34.80.190.141)
www.phillystore.net (192.200.108.3)
cdn.discordapp.com (162.159.129.233) - malware
www.ff4c75x4e.xyz (23.225.139.107)
www.falcongroupmanagement.com (35.222.73.243)
www.monascake.xyz (162.0.209.201)
www.lab-design.online (182.50.132.242)
162.0.209.201
162.159.134.233 - malware
35.222.73.243
185.157.160.198
45.128.51.66
23.225.139.107
182.50.132.242 - malicious
34.80.190.141 - malicious
192.200.108.3
185.49.20.101 - malicious
118.27.122.222
IDS alerts (3):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Score 12.0 | 21 | ZeroCERT
2 | 2021-11-01 11:08
Sample: obizx.exe (MD5 29d0ed1ca60e07577f03d4a17b598d67)
Tags: Malicious Library, UPX, PE File, PE32, VirusTotal, Malware, RWX flags setting, unpack itself, Tofsee, crashed
URLs (1):
https://cdn.discordapp.com/attachments/903211351529381901/903590250696286218/Psijmezhywzuigxndupjupuuxltarmp
Hosts (2):
cdn.discordapp.com (162.159.130.233) - malware
162.159.129.233 - malware
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 2.2 | 13 | ZeroCERT
3 | 2021-10-29 18:02
Sample: vbc.exe (MD5 8980a24aeb5d63283add48c1391ebc40)
Tags: Malicious Library, UPX, PE File, PE32, FormBook, Emotet, Malware download, VirusTotal, Malware, Buffer PE, AutoRuns, Code Injection, Malicious Traffic, buffers extracted, Creates executable files, RWX flags setting, unpack itself, Tofsee, Windows, DNS, crashed
URLs (15):
http://www.joy1263.com/ht08/?wP9=5zTHw+cMQysQB01avDS62dEk0lc83/+ymY2tuhZYuDPhhCZOWQyRnsgLnjpjzHaWki+k6UdA&lZQ=7nbLpdZHS
http://www.angyfoods.com/ht08/?wP9=i+WDIm9jHC82FUdEypgqNiotqHRMt1GHvUM0F97kEGeCHK0nEcPd7ey+L8ZvA9C8LXWvmksm&lZQ=7nbLpdZHS
http://www.septemberstockevent200.com/ht08/?wP9=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP&lZQ=7nbLpdZHS - rule_id: 6848
http://www.septemberstockevent200.com/ht08/?wP9=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP&lZQ=7nbLpdZHS
http://www.timothyschmallrealt.com/ht08/?wP9=67tCic8sYzV3es+kuEWGJwm1Ye4iZ5Z2e1jXvgEPi6twS6Q6g6gUEXBuqD/zm8ihdyV9/0Vz&lZQ=7nbLpdZHS
http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS - rule_id: 6852
http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS
http://www.centercodebase.com/ht08/?wP9=/+0I8Ix2qwnmm99cJTV+asIBU4YhAk3i42qpadk7iBPvfU/iuBCITxOCE2i7jfepiW74eJH1&lZQ=7nbLpdZHS
http://www.progettogenesi.cloud/ht08/?wP9=GSCIKY2MiKJRQQFt3aZ/9xy11Q2rDBmxaZZvlmLuIp/PfjM3dG+vVKQyviZHcQzjsXYyybP/&lZQ=7nbLpdZHS
http://www.kalaraskincare.com/ht08/?wP9=VdZobeFV+7zDZ4W6RO8SoxUhXPNifKLPEeijVGSeVjZRWgaL88Xeqi3CusAoM82Kcv2du8+8&lZQ=7nbLpdZHS
http://www.coachingbywatson.com/ht08/?wP9=mAxcwESmkYSGCUCaLnGm/zT/JlgVo9zog7cKgoc53e0EkOLj0DO/YWNBWe36QgFLCczpzj83&lZQ=7nbLpdZHS
http://www.huakf.com/ht08/?wP9=lRq/YKJ/q1c7pbxstH5R510zK5E/jMlHWkiKB6bNw1tOje7FFb/Ec3t87aIL9cVe6vCoPnf2&lZQ=7nbLpdZHS
https://mpdtiw.am.files.1drv.com/y4mJYrNKi50QwA_4D2kFQ1obXvJGvka4_Aepi3gF9xIwvSduItdBQbjKsurMtjJwmEqon-FEWclF2tawlL_getvIRqrD7PGWwtpszBvM64c2z4g5jNuam15AXG5t-ks8HcXwers3rC2Zu_QeSB0SPd0zd-nV4osRn8fC9pvguJOqfWHgvaOaAgep8VT4XAuwS8PQL450gMztpxEvjWE6u4qZQ/Qorqwwjgxvvuezotsloiazwjlfrranh?download&psid=1
https://onedrive.live.com/download?cid=5495F48E1F7898E3&resid=5495F48E1F7898E3%21116&authkey=AP3RqWxF2H8Kmj4
https://mpdtiw.am.files.1drv.com/y4mJOoxPJribiJ-aSEneiHMYI3MTo8oKXFvAh3BnPfhB133CpfLraTAQRbykpPnKOfUF_ySNijPlCdzBXfAOry3_pYrx4iwYP6nhEhxFKVVZE5bw_4qWDRBV04siT86HHgf1OPGJdWjiojOeivhllaSWbkdCwZ4A7HQwioUSleEaX1FLAdv9h77_aB5Ma-13sYSNmZQxrVUN8qGhsSr-Exu7w/Qorqwwjgxvvuezotsloiazwjlfrranh?download&psid=1
Hosts (26):
www.coachingbywatson.com (35.204.59.57)
www.istanbulemlakgalerisi.online (unresolved)
www.digipoint-entertainment.com (unresolved)
www.angyfoods.com (77.68.118.64)
www.progettogenesi.cloud (34.80.190.141)
www.centercodebase.com (137.184.99.236)
www.huakf.com (154.208.173.82)
mpdtiw.am.files.1drv.com (13.107.42.12)
www.kalaraskincare.com (34.102.136.180)
www.timothyschmallrealt.com (34.68.234.4)
onedrive.live.com (13.107.42.13) - malicious
www.joy1263.com (45.116.161.174)
www.septemberstockevent200.com (172.67.188.247)
www.trashwasher.com (151.101.66.159)
35.204.59.57
34.68.234.4
13.107.42.13 - malicious
13.107.42.12 - malware
34.102.136.180 - malicious
61.4.115.183
172.67.188.247
77.68.118.64
34.80.190.141 - malicious
154.208.173.82
137.184.99.236
151.101.66.159 - malicious
IDS alerts (4):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
ET MALWARE FormBook CnC Checkin (GET)
Matched CnC URLs (2):
http://www.septemberstockevent200.com/ht08/
http://www.trashwasher.com/ht08/
Score 8.0 | 6 | ZeroCERT
4 | 2021-10-29 07:56
Sample: vbc.exe (MD5 8341a43885eb6960bd658ba5a1c8b84d)
Tags: Malicious Library, UPX, PE File, PE32, Emotet, VirusTotal, Malware, Buffer PE, AutoRuns, Code Injection, buffers extracted, Creates executable files, RWX flags setting, unpack itself, Tofsee, Windows, DNS, DDNS, crashed
URLs (3):
https://onedrive.live.com/download?cid=4DFB187F341EBACF&resid=4DFB187F341EBACF%21164&authkey=AB6vf_RpiS-BZkA
https://pkc5hq.by.files.1drv.com/y4mvzsRcwXGDSbbaIRnJHJoy7rydv1mvZGvUJpoUdNzrZxzT50L19Wph96_2DA6hfmyi-su6AGdLXSBndNqYJz_bklxD9wT9Qe_mvrcJZ-C8AGVNG3aKny2ZgeSOtfCH9den21Vwp_cdPKF7UXwGbE2IyXXt6S5DmG3q9HkkhkX0pLOtVgKl_IEz6NUVlS3o_qvkRvDIt1nAEb6EcNkJUm-KQ/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
https://pkc5hq.by.files.1drv.com/y4mDWdC-H4D_BoPjpW5tZZG5TPbFf0FF-zxaibY2r4d7dPuPlTLE6jXIfMJrUs-VZ6Y2nxcu7AhEOjd0ZsCwKVF09E5Kw6lNiIQHALwKH7ZaGvuZVl1jJAeZP6y7-KCKXu-pARqtbA_1CgvSXhuQH_8JBEEghb1NCPjI35isq6BbLdHAohzji8w6f-jDMLvSrHWblDkH_UUsgPu_rgx-fOADg/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
Hosts (9):
onedrive.live.com (13.107.42.13) - malicious
sheilabeltagy4m.hopto.org (23.105.131.236)
micheal3m.hopto.org (23.105.131.236)
johnie3m.hopto.org (23.105.131.236)
pkc5hq.by.files.1drv.com (13.107.42.12)
sugarcane.hopto.org (unresolved)
13.107.42.13 - malicious
13.107.42.12 - malware
23.105.131.236
IDS alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DNS Query to DynDNS Domain *.hopto .org
Score 11.0 | 24 | ZeroCERT
5 | 2021-10-28 18:24
Sample: vbc.exe (MD5 9980e7e39379cbe367adf3b7443dd319)
Tags: Malicious Library, UPX, PE File, PE32, FormBook, Emotet, Malware download, VirusTotal, Malware, Buffer PE, AutoRuns, Code Injection, Malicious Traffic, buffers extracted, Creates executable files, ICMP traffic, RWX flags setting, unpack itself, Tofsee, Windows, DNS, crashed
URLs (9):
http://www.hubmedia.digital/rqan/?ARmdX8=vzr0Av30tV&Q2J=jKXuqpJ845LlYgXLN57GGReLMLujtTvdbdtZr6KDyHbeGyC6N93DxSGPylyr0R/BLC7uEPiJ
http://www.buratacoin.com/rqan/?Q2J=Jt/jULqvuHmFHTQHoInL/hgvG9NOCzgC+ifeqw8dEamPSAWqFa2LRIXLynF/lbhL2qE+xTiF&ARmdX8=vzr0Av30tV - rule_id: 6093
http://www.cardboutiqueapp.com/rqan/?ARmdX8=vzr0Av30tV&Q2J=7XmFwjbCeixI2TDSYCNwr0HgHUHoiQEi/VPj3ka7wDWICz/dm8qqNJY2vVzGU6p/p2qyOoMU - rule_id: 6216
http://www.delocdinh.com/rqan/?ARmdX8=vzr0Av30tV&Q2J=9+ltUe4Es3ydY2P59+460GeH7BXYQI/omiZxZpx1KJYKq++oKHgZPCowv5/QmVkI6ItS41fc
http://www.anthonyaarnold.com/rqan/?Q2J=nXb8TAZPYTKJnRrZC8GfrTSCrGoVlau1gQGn5GO75UMd983Q3NLO89qWBoHnTj4RfZv8bfb0&ARmdX8=vzr0Av30tV
https://pdzxoa.db.files.1drv.com/y4m_O1zVrsu4yM38s1h0XXuc6gMBIvbfaHcCwBZZ8_ckbvOg4zAD_VMxuI54uU9k0KgfsyTuQIy4ApBOnB8B9G7YxSipIIFZebrdPC-hzvkCJHP2pcI3CVkS5w0hWyiiXRkE0UmoV0fwW6XWlm-_RbM8cYrRTNT8LZaL6HA91bGHqKXWKLZbgaiPU0B6rqfAs6jrcs8PVIXgJ7zpwlxIhtirA/Zostiqnylyrdnslddbckuhjvjxshyfe?download&psid=1
https://pdzxoa.db.files.1drv.com/y4miZSeYgjdCfzvZiFaRNZDDiOec4mE-vtZ8TwjIP5UcupVO3whh951XVdDw9LviCkdXoqiuFTtKEHHZ5lTtqrf3SQ85kictk50f50Y1i_sExzGdOvU4kyxaglk23yo3xoo7h-mc-qYkQ98A-MK_Ncl43Mnmjo5Z2QWUEGSemWl-GQpUHjpooeSMDmC7FD4HtYPYmcsF0eDPVWtm6YokKzF1Q/Zostiqnylyrdnslddbckuhjvjxshyfe?download&psid=1
https://onedrive.live.com/download?cid=50DB9D917FD3F0DD&resid=50DB9D917FD3F0DD%21114&authkey=AIwRtImV0tqYgK0
https://pdzxoa.db.files.1drv.com/y4mr2aaBbKzkO-TXX2xqbJmRaUYNoTauKGoRW7_JnK6wEAqtxDJjnJ2kqZcylgJ1KgIMt_w0LsZouncEguMeXwPTYEqo7Se16yv6rPgrZwL04Ej8DYBLONeJAR6hsDuhH0yc3QkyixasilefFu4kS1CAYdmFGviN4aarYrr1Efp9IzOeJZ5bzD7NKfDtqDvp2D-j7kCPwDgb0BGBKWvx1CL5w/Zostiqnylyrdnslddbckuhjvjxshyfe?download&psid=1
Hosts (18):
www.lakshhomesbalram.info (unresolved)
pdzxoa.db.files.1drv.com (13.107.42.12)
onedrive.live.com (13.107.42.13) - malicious
www.anthonyaarnold.com (198.54.117.218)
www.cambabez.xyz (unresolved) - malicious
www.hubmedia.digital (2.57.90.16)
www.delocdinh.com (112.213.89.167)
www.sergomosta.com (unresolved) - malicious
www.cardboutiqueapp.com (185.129.100.113)
www.buratacoin.com (54.39.107.28)
54.39.107.28 - malicious
13.107.42.13 - malicious
13.107.42.12 - malware
198.54.117.217 - phishing
185.129.100.113 - malicious
167.71.28.113
2.57.90.16 - malicious
112.213.89.167 - malicious
IDS alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
Matched CnC URLs (2):
http://www.buratacoin.com/rqan/
http://www.cardboutiqueapp.com/rqan/
Score 9.6 | M | 13 | ZeroCERT
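The URL and host fields in rows like the ones above arrive as single whitespace-joined blobs, with a few quirks that bite when they are fed into a blocklist: the "mailcious" tag is a misspelling of "malicious", a URL that hit a CnC rule is listed twice (once with its "rule_id", once without), a domain often carries no tag while the IP it resolved to does, and the FormBook check-in URLs differ per beacon only in their query blob while the path segment (/n8rn/, /ht08/, /rqan/) stays fixed across every C2 domain of a campaign. The following Python is an added example written for this page, not code from ZeroCERT or from any tool the listing mentions. It parses both fields, normalises the tag, keeps the rule_id through deduplication, propagates IP reputation onto the domains, and groups check-in URLs by path. The sample fields are constructed abridged copies of rows 1 and 3 (query blobs shortened), and the "one path segment plus exactly two query parameters" check is a heuristic read off the URLs above, not a FormBook protocol specification.

```python
"""Parse the flattened URL / host fields of a sandbox listing row into IOCs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample fields, abridged from the listing above (query blobs shortened;
# they are opaque per-beacon payloads, so shortening them changes nothing here).
SAMPLE_URLS = (
    "http://www.monascake.xyz/n8rn/?Pxo=3fKP&vPk=N+dVDga5k5AlZARgxf0keIIR5PT09j6w "
    "http://www.bredaslo.com/n8rn/?vPk=YvkrLgX5v+gJLfYhZfQlVjOJ0OIl65oSsVBXHv1h&Pxo=3fKP "
    "http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DA&lZQ=7nbLpdZHS - rule_id: 6852 "
    "http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DA&lZQ=7nbLpdZHS "
    "https://cdn.discordapp.com/attachments/902800096066928694/904612550010863636/Ouxdtsdanhfgbtopuikzukibwmuiitm "
    "https://onedrive.live.com/download?cid=5495F48E1F7898E3&resid=5495F48E1F7898E3%21116&authkey=AP3RqWxF2H8Kmj4"
)
SAMPLE_HOSTS = (
    "www.mgav26.xyz(45.128.51.66) www.jaynelsonphotog.com() "
    "cdn.discordapp.com(162.159.129.233) - malware www.bredaslo.com(182.50.132.242) "
    "162.0.209.201 182.50.132.242 - mailcious onedrive.live.com(13.107.42.13) - mailcious"
)

TAG_FIX = {"mailcious": "malicious"}  # the listing misspells this reputation tag

URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
# Either "name(ip)" (ip may be empty when the sandbox got no DNS answer) or a bare IP,
# each optionally followed by " - <tag>".
HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9.-]+)\((?P<ip>[0-9.]*)\)(?:\s+-\s+(?P<tag>[a-z]+))?"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3})(?:\s+-\s+(?P<btag>[a-z]+))?"
)


def defang(s):
    """Make a URL or hostname safe to paste into a ticket or chat."""
    return s.replace("http", "hxxp").replace(".", "[.]")


def parse_urls(field):
    """Deduplicate the URL field; a URL listed twice (once with a rule_id) keeps its rule."""
    seen = {}
    for m in URL_RE.finditer(field):
        url, rule = m.group("url"), m.group("rule")
        if url not in seen or rule:
            seen[url] = rule
    return list(seen.items())


def parse_hosts(field):
    """Map each domain or bare IP to its resolved IP (None if unresolved) and its tag set."""
    hosts = {}
    for m in HOST_RE.finditer(field):
        if m.group("name") is not None:
            key, ip, tag = m.group("name"), m.group("ip") or None, m.group("tag")
        else:
            key, ip, tag = m.group("bare"), m.group("bare"), m.group("btag")
        entry = hosts.setdefault(key, {"ip": ip, "tags": set()})
        if tag:
            entry["tags"].add(TAG_FIX.get(tag, tag))
    return hosts


def reputation(hosts):
    """Per-host tag set; a domain inherits whatever the listing said about the IP it resolved to."""
    rep = {}
    for key, entry in hosts.items():
        tags = set(entry["tags"])
        if entry["ip"] and entry["ip"] in hosts:
            tags |= hosts[entry["ip"]]["tags"]
        rep[key] = tags
    return rep


def formbook_checkins(urls):
    """Group check-in URLs by path. Heuristic taken from the listing, not a FormBook spec:
    a single path segment with trailing slash and exactly two query parameters, e.g.
    /n8rn/?Pxo=..&vPk=..; the path is the stable part worth a rule, the blob changes per beacon."""
    groups = defaultdict(set)
    for url, _rule in urls:
        parts = urlsplit(url)
        segs = [s for s in parts.path.split("/") if s]
        params = parse_qs(parts.query, keep_blank_values=True)
        if len(segs) == 1 and parts.path.endswith("/") and len(params) == 2:
            groups[parts.path].add(parts.netloc)
    return {path: sorted(h) for path, h in groups.items()}


def ioc_report(url_field, host_field):
    """Defanged, deduplicated IOC lines for the two fields of one listing row."""
    urls = parse_urls(url_field)
    rep = reputation(parse_hosts(host_field))
    lines = []
    for path, hosts in sorted(formbook_checkins(urls).items()):
        lines.append(f"c2 path {path}: " + ", ".join(defang(h) for h in hosts))
    for url, rule in urls:
        lines.append(f"url {defang(url)}" + (f" (rule_id {rule})" if rule else ""))
    for host, tags in sorted(rep.items()):
        if tags:
            lines.append(f"host {defang(host)}: {', '.join(sorted(tags))}")
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_report(SAMPLE_URLS, SAMPLE_HOSTS)))
```

Run it against a real row by pasting the row's URL and host blobs in place of the two sample strings. The payload-hosting URLs (cdn.discordapp.com, onedrive.live.com, *.files.1drv.com) deliberately fall outside the check-in grouping, since blocking those hosts outright is rarely an option; the path-keyed C2 groups are what you turn into a proxy or IDS rule, and the inherited IP tags are what tell you a domain with no tag of its own (www.bredaslo.com here) still sits on infrastructure the listing already flagged.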