1 | 2022-07-09 14:10
vbc.exe b1136341dce035655548d5c78daca86e Formbook RAT Confuser .NET AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
9
16
2
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE FormBook CnC Checkin (POST) M2
7
10.0 | M | 38 | ZeroCERT
2 | 2022-07-06 18:08
mannzx.exe 910c70bd5764c892d86b0bc1a3e062f2 PWS[m] RAT SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed
10.0 | ZeroCERT
3 | 2022-07-06 09:44
vbc.exe 4c5903eb4a5bb90549d95a65df83c607 Formbook RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
9
21
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
10.0 | M | 38 | ZeroCERT
4 | 2022-07-05 10:04
loader.exe 4a80cec907b418a133ad5d3eea96923f Formbook RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
10
21
3
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
SURICATA HTTP Unexpected Request body
9.4 | M | 35 | ZeroCERT
5 | 2022-07-05 09:41
dl.exe b95798891c33a49b161c00f869877cd2 RAT ScreenShot Code injection KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted RWX flags setting unpack itself Tofsee Browser Email DNS Software crashed
2
api.telegram.org(149.154.167.220) 149.154.167.220
4
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
9.2 | M | 25 | ZeroCERT
6 | 2022-06-28 09:35
vbc.exe e67bc6fca32bd5f5e0fa6bb98df682b3 RAT UPX PE32 .NET EXE PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName crashed
2.4 | M | 18 | ZeroCERT
7 | 2022-06-05 22:47
vbc.exe 459cfcc4ddf45304119a9c8b4650d35e Formbook RAT UPX AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
7
19
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
6
8.6 | M | 39 | ZeroCERT
8 | 2022-06-05 22:08
vbc.exe 5daed332426c66a3852518126bc49dfe Formbook RAT UPX AntiDebug AntiVM PE32 .NET EXE PE File OS Processor Check FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows DNS Cryptographic key
6
16
3
ET INFO Observed DNS Query to .cloud TLD
ET MALWARE FormBook CnC Checkin (GET)
ET INFO HTTP Request to Suspicious *.cloud Domain
4
12.2 | M | 42 | ZeroCERT
9 | 2021-11-02 11:06
Purchase%20order.exe 77b25a72ece714eaad2b52064082108a RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee DNS
1
https://saffdsfssfsdfd.000webhostapp.com/gov.exe
2
saffdsfssfsdfd.000webhostapp.com(145.14.144.196) 145.14.145.59 - malicious
3
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
4.0 | 45 | ZeroCERT
10 | 2021-11-02 11:04
Purchase%20order.exe 77b25a72ece714eaad2b52064082108a RAT Generic Malware PE File PE32 .NET EXE Malware PDB MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee DNS
1
https://saffdsfssfsdfd.000webhostapp.com/gov.exe
2
saffdsfssfsdfd.000webhostapp.com(145.14.144.201) 145.14.144.65 - malware
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2.8 | ZeroCERT