Sandbox report listing (ZeroCERT). Fields per entry: index and submission time; sample filename and MD5; behaviour and signature tags; contacted URLs (with the site's rule_id where it flagged one); DNS lookups and contacted IPs, with the site's reputation label where it gave one; Suricata alerts; matched URL rules; score. The two columns between the score and the "ZeroCERT" source column (a flag shown as "M" on some entries, and a number) carry no header on the page and are reproduced as-is; "-" marks a cell that is empty on the page. Counts in parentheses are the page's own; where a count is present but its list is not, the list is left blank.

#1  2022-12-20 14:34
File: wopngduxgf.exe  MD5: dc017def056e0c20105a4d767541a580
Tags: PWS[m], RAT, email stealer, Downloader, UPX, DNS, Code injection, KeyLogger, Escalate privileges, persistence, AntiDebug, AntiVM, PE32, .NET EXE, PE File, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows
URLs: none listed
Hosts: none listed
Suricata alerts: none listed
Score: 8.2 | M | 38 | ZeroCERT
#2  2021-08-11 09:34
File: vc.exe  MD5: 5615be335807b5eb2d4c9f59f5f914dd
Tags: RAT, PWS, .NET framework, Generic Malware, UPX, AntiDebug, AntiVM, .NET EXE, PE File, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, DNS, Cryptographic key, crashed
URLs (4):
  http://www.startfortoday.com/glgd/?k2MHoV=0MHzMxpJH4rILertVw/6MkQ8XgJjg7Igm9BaWXqz5e9JsR+Gvn2wWzdV9N9x+I11yW/2pRBs&tXR=NZiHaP
  http://www.tiny-tobi.com/glgd/?k2MHoV=Tf3VOJhMPEKSFVG4lRUL1GzDFZ6CZBEdr5MR7bq2IBxaGKCn7xrLB1FW9dPQYXeSruzHPx7P&tXR=NZiHaP
  http://www.southernedgewaterdesigns.com/glgd/?k2MHoV=LmTpLul+ArKV8Uwki1jSQCkGp6Aq6ai3+ySGBIz1ozwHhyIBPM/T1rbH77EFyn0FPiGQCryP&tXR=NZiHaP
  https://www.bing.com/
Hosts (8):
  www.southernedgewaterdesigns.com(34.102.136.180)
  www.startfortoday.com(184.168.131.241)
  www.tiny-tobi.com(184.168.131.241)
  www.google.com(172.217.175.4)
  216.58.220.196
  172.67.188.154
  34.102.136.180 - malicious
  184.168.131.241 - malicious
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
Score: 11.4 | - | 29 | ZeroCERT
#3  2021-08-11 09:25
File: us.exe  MD5: 78f998a3e27a3a76480d4bc25cd37286
Tags: RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, .NET EXE, PE File, PE32, FormBook, Malware download, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, Cryptographic key, crashed
URLs (5):
  http://www.sabortradicion.com/glgd/?RR=RWZUdDZM2vWJGNyKWyakMM1rPTQtzSNU3Jzm3LUz16xspXtvwrI+PBSJlVTsPv0xAjpy10DH&sPX4gJ=lnRlMNFPWfi0
  http://www.danielsdonuteria.com/glgd/?RR=IpIqRkOeyywi3K8x4XdnqdH9Qx+aXhYHwHTGsqzrpTB78CdxIABDUEXezTmookMwz0BXydeD&sPX4gJ=lnRlMNFPWfi0
  http://www.soilhelp.com/glgd/?RR=asBy0YopPjG4dHaqcidLxAgpRjeYKvHFAx/LEx9W68MuHxQADtJpsJBj24UwIzZQ8AGX6ju+&sPX4gJ=lnRlMNFPWfi0
  http://www.farendofthebench.com/glgd/?RR=svcqGWQO7MOM0XfFk+NDKL2Ww32z3qceQtZ1u2oY7ETYeE8QmVUYaDfZDsJbMwTSbwYX1aU8&sPX4gJ=lnRlMNFPWfi0
  https://www.bing.com/
Hosts (10):
  www.soilhelp.com(3.133.163.136)
  www.sabortradicion.com(87.98.230.60)
  www.google.com(172.217.26.36)
  www.farendofthebench.com(34.102.136.180)
  www.danielsdonuteria.com(167.114.6.154)
  87.98.230.60
  34.102.136.180 - malicious
  167.114.6.154 - phishing
  13.58.168.69 - malicious
  216.58.220.196
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
Score: 10.0 | M | - | ZeroCERT
#4  2021-07-16 07:39
File: nv.exe  MD5: 43deb9e60877d57aba0d166976f9a735
Tags: PWS, Loki[b], Loki[m], RAT, Generic Malware, DNS, Socket, HTTP, KeyLogger, Http API, Internet API, ScreenShot, AntiDebug, AntiVM, PE File, PE32, .NET EXE, VirusTotal, Malware, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Windows, ComputerName, DNS, crashed
URLs (1):
Hosts (3):
  www.google.com(216.58.220.100)
  136.144.41.135
  142.250.207.68
Suricata alerts: none listed
Score: 13.0 | - | 30 | ZeroCERT
#5  2021-07-16 07:36
File: zxx.exe  MD5: 9ea8f0cefae38838925df14a6f2a29d6
Tags: RAT, Generic Malware, AntiDebug, AntiVM, PE File, PE32, .NET EXE, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Windows, crashed
URLs (2):
  http://www.shikhardeals.com/bsdd/?Kzux=6+V1HrHDkbuNn6Cv3YxHVO2ini0phccEfu7HbKCoxymyMS/RgpFI/Qlk71oJU9Gi5JhK/P+t&p0D=AfhDLL2
  https://www.bing.com/
Hosts (5):
  www.shikhardeals.com(88.99.53.105)
  www.dwsykj.com()
  www.google.com(216.58.220.100)
  88.99.53.105
  142.250.66.36
Suricata alerts: none listed
Score: 10.4 | - | 21 | ZeroCERT
#6  2021-07-01 18:14
File: si.exe  MD5: df75bedbb01fdfb56956fa33a46205dd
Tags: Generic Malware, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, crashed
URLs (3):
  http://www.inspiredpractice.net/csls/?yVMpQNlP=AA0fyBWbZnHHrKdAI0jA8QbX+M95wQKAQ1+Q+mJpiVVvwFVAUEAf7+rrMKZePAKl9+bar05A&1bz=o8rLp - rule_id: 2426
  http://www.refundoftaxsurplus.com/csls/?yVMpQNlP=Ym+oHoYN/xZYdl3jvUNligLhYqYCEJLDVEooMpY/m4VRQE6HUdWU47bsyLt1OssAv4HZM1oN&1bz=o8rLp
  http://www.decorhomestyle.info/csls/?yVMpQNlP=iSLD+1PhY73eZBKoU9CM1ShoYrO8PjamQvwnurQpI+yEMjtzsi7/Y3dvoSIc7OAlKSzo8G86&1bz=o8rLp
Hosts (7):
  www.hbpro2.com()
  www.inspiredpractice.net(182.50.132.242) - malicious
  www.refundoftaxsurplus.com(34.102.136.180)
  www.decorhomestyle.info(88.214.207.96)
  182.50.132.242 - malicious
  34.102.136.180 - malicious
  88.214.207.96 - malicious
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Matched URL rules (1):
  http://www.inspiredpractice.net/csls/
Score: 9.2 | M | 25 | ZeroCERT
#7  2021-07-01 18:12
File: dg.exe  MD5: cf4451b3972a3a0c80ba775579c60de5
Tags: Generic Malware, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, crashed
URLs (4):
  http://www.vmdoctor.com/lvno/?Kzux=z5V9e9CabOAi0u4rmoa/UfEKbROekej59ljPlo8Q+nQLAKhl5cN+OI8RoEb12W3eqG/yW4Kr&p0D=AfpHLx9
  http://www.hai96.com/lvno/?Kzux=k9QIkx5GCt5YvieM+yDM1rNmuWw3ZYu70gQPKUbfhMkm/Olm+/k+bmmYakDeX1iB9Dpnmtma&p0D=AfpHLx9
  http://www.pizzafromsky.com/lvno/?Kzux=hrc86bj5dJczUKK4C2Z5ksFfVnrDN93+er1RK/RU41IsAR27IoSTEuryZJwxOmH1025bJtBt&p0D=AfpHLx9
  http://www.karlakarony.com/lvno/?Kzux=mepXojAupUjOhnsr5OdCMMT8PCW1ujZfe8HjdU7EVlgpYioQzA85FA+noB09SNR8LwLZ9QYQ&p0D=AfpHLx9
Hosts (8):
  www.hai96.com(3.223.115.185)
  www.pizzafromsky.com(195.110.124.133)
  www.karlakarony.com(162.241.61.204)
  www.vmdoctor.com(156.241.53.152)
  3.223.115.185 - malicious
  195.110.124.133 - malicious
  156.241.53.152
  162.241.61.204 - malware
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.2 | - | 21 | ZeroCERT
#8  2021-07-01 18:09
File: ew.exe  MD5: d0a3271d3966f4765b194b203abaf782
Tags: Generic Malware, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, DNS, crashed
URLs (3):
  http://www.nivafitness.com/vn3b/?Vnw0_=-Z2l72s0kFHhurC&FrJd4PD=bqDBP0O9Vn3So+RBn75VdyvT/sToQzDOCpoIADkSiO14IsvETUp9boKBnXh5Ks2dUI8lKoag
  http://www.pibblekibble.com/vn3b/?Vnw0_=-Z2l72s0kFHhurC&FrJd4PD=7KKODc5MDsDCEzAoRYM76RaAm8zujJIqN8Cp4oN6MSU5XPOB4MX/FWfC5xEyCIoPdsXLCh3W
  http://www.blackbettyxt.com/vn3b/?FrJd4PD=HEEXiPM4fqncc4MMlrlRss4O3bw3kYvQfpb+dGO4B3Vuh61Wc/rFV6l7vkxAcZYhR9ZLHOlr&Vnw0_=-Z2l72s0kFHhurC
Hosts (4):
  www.nivafitness.com(34.102.136.180)
  www.pibblekibble.com(34.102.136.180)
  www.blackbettyxt.com(34.102.136.180)
  34.102.136.180 - malicious
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.8 | - | 20 | ZeroCERT
#9  2021-06-30 18:33
File: ou.exe  MD5: 8d1a835aec4a08b9f3bd3be40c3de3e4
Tags: Gen1, Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, DLL, OS Processor Check, JPEG Format, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, WriteConsoleW, anti-virtualization, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, DNS, crashed, Password
URLs (11):
  http://195.133.40.227/az//4.jpg
  http://195.133.40.227/az//6.jpg
  http://195.133.40.227/az//2.jpg
  http://195.133.40.227/az//main.php - rule_id: 2421
  http://195.133.40.227/az//main.php
  http://195.133.40.227/az//5.jpg
  http://195.133.40.227/az//7.jpg
  http://195.133.40.227/az//1.jpg
  http://195.133.40.227/az//3.jpg
  http://195.133.40.227/az/ - rule_id: 2420
  http://195.133.40.227/az/
Hosts (2):
  50.31.98.39
  195.133.40.227
Suricata alerts (5):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Matched URL rules (2):
  http://195.133.40.227/az//main.php
  http://195.133.40.227/az/
Score: 17.6 | M | 21 | ZeroCERT
#10  2021-06-30 18:31
File: v.exe  MD5: fb7152e24744c5dcde84318931ca8946
Tags: PWS, .NET framework, Generic Malware, UPX, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, crashed
URLs (3):
  http://www.lifeafterbobby.com/vn3b/?a6A=ukz3ZcSyHr/GIf2N108Ax5ccAg3Q9VRV0tpzhLkblml9ey4voFbA7o6uSo3NbjIhjtnPLi9d&D8S=_FND6l
  http://www.trust-red.net/vn3b/?a6A=7v3Rtst9q+y60iNonvc1rMV0zdwSKue1HEt/9m2h8VeztM3zw9MVZAdCdDzUvrLHeQyE64Dr&D8S=_FND6l
  http://www.wygouji.com/vn3b/?a6A=DLf0HnWZCZ1ZQBgw+IkRC778n0lxE+hQtcSQcM/mZD+sLSLyVLz3ydLY2cpsP2/jYu9qgGHQ&D8S=_FND6l
Hosts (6):
  www.lifeafterbobby.com(156.240.33.142)
  www.trust-red.net(185.98.131.227)
  www.wygouji.com(142.111.242.143)
  156.240.33.142
  185.98.131.227
  142.111.242.143
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.2 | M | 22 | ZeroCERT
#11  2021-06-30 18:31
File: vin.exe  MD5: 4c273ea74257fef4e25796421320b5fd
Tags: Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, Windows, DNS, crashed
URLs (3):
  http://www.toughcookie.love/vn3b/?u6u0=hBZ87r4HS6D&LZQL=9BMdMx2jD9TLJewezHgjwBnSXRzCaJZ4dU0aDHkAou+6sTUeGhJPvuU1YrnoJYZaI2bj7L7d
  http://www.marvinlucassuperpac.com/vn3b/?u6u0=hBZ87r4HS6D&LZQL=Q1VJuWd39DPAgscqM6Elj9PGWuHe2EkCiMDZRkj4lg6eUq4bMPZ2btcIL+vfRg1ArZ2wrs8q
  http://www.theexpertinsuranceagency.com/vn3b/?LZQL=VtbJmj+MIjfmoC3A9zODeVnbxq5aGUN6TH6Avp691dvIuKphHjAieugYigDV10RxqdWW/xpp&u6u0=hBZ87r4HS6D
Hosts (6):
  www.toughcookie.love(145.239.37.162)
  www.theexpertinsuranceagency.com(34.102.136.180)
  www.marvinlucassuperpac.com(50.31.98.39)
  50.31.98.39
  34.102.136.180 - malicious
  145.239.37.162 - malicious
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 9.8 | M | 17 | ZeroCERT
#12  2021-06-30 18:28
File: zk.exe  MD5: 97a3aa2b0a6e0a26fca4db32eaaec5ef
Tags: PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, DNS, crashed
URLs (2):
  http://www.doshjpft.icu/lvno/?CR=xcRNZPxNHyHareFnl3uARUXWRuKrrRVMn2tb6jYVj31HQksvWGQZJa1xkqXuEYsGywL+tDz0&RZ3=dhrxPpcXOFuDHpA
  http://www.newyearin.com/lvno/?CR=zujNaLwadosC862oYrhQ9YkLT50Mhjh6zIUWZbXMql8MJxUX27nri42Hi8CZRWCsLhUQqglv&RZ3=dhrxPpcXOFuDHpA
Hosts (5):
  www.businessearlywarningsystems.com()
  www.doshjpft.icu(47.57.3.252)
  www.newyearin.com(108.177.163.198)
  47.57.3.252
  108.177.163.198
Suricata alerts (2):
  ET INFO DNS Query for Suspicious .icu Domain
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.4 | M | 31 | ZeroCERT
#13  2021-06-30 18:28
File: sm.exe  MD5: 93ba3f6589d1765284d285257ef2b3b7
Tags: Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, Windows, DNS, crashed
URLs (2):
  http://www.ninkatsu-stepbystep.com/csls/?uZxT=XPjTRh4P&2dcTO=ElCUMwgfBgXOjBuGE/teBUnaUqYehI6Y2gk1NYE7zTjPFaA4+euTdzDuANJ9U4ovFV76Tfg8
  http://www.inspiredpractice.net/csls/?uZxT=XPjTRh4P&2dcTO=AA0fyBWbZnHHrKdAI0jA8QbX+M95wQKAQ1+Q+mJpiVVvwFVAUEAf7+rrMKZePAKl9+bar05A
Hosts (5):
  www.inspiredpractice.net(182.50.132.242)
  www.ninkatsu-stepbystep.com(202.210.8.148)
  www.hack-cloud.icu()
  202.210.8.148
  182.50.132.242 - malicious
Suricata alerts (2):
  ET INFO DNS Query for Suspicious .icu Domain
  ET MALWARE FormBook CnC Checkin (GET)
Score: 10.8 | M | 18 | ZeroCERT
#14  2021-06-30 18:27
File: sza.scr  MD5: 1c1b93412ab9925460ee78ebf5c76a15
Tags: Gen1, Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, DLL, OS Processor Check, JPEG Format, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, WriteConsoleW, anti-virtualization, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, DNS, crashed, Password
URLs (9):
  http://195.133.40.227/az//4.jpg
  http://195.133.40.227/az//6.jpg
  http://195.133.40.227/az//2.jpg
  http://195.133.40.227/az//main.php
  http://195.133.40.227/az//5.jpg
  http://195.133.40.227/az//7.jpg
  http://195.133.40.227/az//1.jpg
  http://195.133.40.227/az//3.jpg
  http://195.133.40.227/az/
Hosts (1):
Suricata alerts (5):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score: 17.4 | M | 19 | ZeroCERT
#15  2021-06-30 18:26
File: w.exe  MD5: dbc7dec63082150e42c786fbc47dea8a
Tags: PWS, .NET framework, Generic Malware, UPX, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, crashed
URLs (3):
  http://www.szlandas.com/wlns/?SVE=GKZWCMEw3T5aOBpNO42YjE/TaP1B6pPd2pbjYzDF3p7yhpxX2M2GLn3QuEoCBwC+72ICaQ2c&oX=Txo8n04xDBsp
  http://www.guniverse.net/wlns/?SVE=obmV34E+VnU01louI7hyDBOk8azyZSyy8u3EY5X02UVoxZoekQW179fH12awdQjVw+iljCJU&oX=Txo8n04xDBsp
  http://www.theircouture.com/wlns/?SVE=vbQ70DSOjBu6wXqoiLl8xulYFqbBUo6FNBZyPPsJA5VA6onbJOTBpmYGjXjMfEPpp2tfldem&oX=Txo8n04xDBsp
Hosts (6):
  www.szlandas.com(160.124.142.64)
  www.theircouture.com(192.187.111.220)
  www.guniverse.net(213.186.33.5)
  81.17.18.195 - suspicious
  213.186.33.5 - malicious
  160.124.142.64
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.0 | M | 18 | ZeroCERT
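The FormBook entries above all share one URL shape (a single short path directory such as glgd, vn3b, lvno, csls, wlns or bsdd, then two query parameters, one of which carries a long base64-like blob), and most of their decoy domains resolve to the same address, 34.102.136.180. The script below is an added example, not ZeroCERT's tooling or anything from the listing: it classifies URLs by that shape, groups check-in hosts by path directory, and reports IPs that several domains resolve to. Its sample inputs are URLs and host strings copied from entries 2, 5, 8, 9 and 13 of the listing; the thresholds it tests (4-character directory, blob of 60 or more characters, exactly two parameters) are assumptions derived from the URLs on this page rather than a documented FormBook format, so treat its hits as triage leads, not verdicts. Function names are the author's own.

```python
"""Triage helpers for a sandbox listing like the one above.

Added example, not ZeroCERT code. Two checks worth running over the URL and
host columns of such a listing:
  * classify a URL as a FormBook-style C2 check-in and pull out the path
    directory (glgd, vn3b, ...) that ties samples to one campaign config;
  * find IPs that several C2 domains resolve to, which on this listing
    singles out 34.102.136.180 behind most of the FormBook decoy domains.
The URL shape tested for (one 4-character path directory with trailing slash,
exactly two query parameters, one a base64-like blob of 60+ characters) is an
assumption derived from the URLs on this page, not a documented format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input copied from entries 2, 5, 8 and 9 of the listing, plus the
# benign bing.com URL from entry 2 so the negative path is exercised.
SAMPLE_URLS = [
    "http://www.startfortoday.com/glgd/?k2MHoV=0MHzMxpJH4rILertVw/6MkQ8XgJjg7Igm9BaWXqz5e9JsR+Gvn2wWzdV9N9x+I11yW/2pRBs&tXR=NZiHaP",
    "http://www.tiny-tobi.com/glgd/?k2MHoV=Tf3VOJhMPEKSFVG4lRUL1GzDFZ6CZBEdr5MR7bq2IBxaGKCn7xrLB1FW9dPQYXeSruzHPx7P&tXR=NZiHaP",
    "http://www.nivafitness.com/vn3b/?Vnw0_=-Z2l72s0kFHhurC&FrJd4PD=bqDBP0O9Vn3So+RBn75VdyvT/sToQzDOCpoIADkSiO14IsvETUp9boKBnXh5Ks2dUI8lKoag",
    "http://www.blackbettyxt.com/vn3b/?FrJd4PD=HEEXiPM4fqncc4MMlrlRss4O3bw3kYvQfpb+dGO4B3Vuh61Wc/rFV6l7vkxAcZYhR9ZLHOlr&Vnw0_=-Z2l72s0kFHhurC",
    "http://www.shikhardeals.com/bsdd/?Kzux=6+V1HrHDkbuNn6Cv3YxHVO2ini0phccEfu7HbKCoxymyMS/RgpFI/Qlk71oJU9Gi5JhK/P+t&p0D=AfhDLL2",
    "https://www.bing.com/",
    "http://195.133.40.227/az//main.php",
]

# Sample input: host-column text assembled from entries 2, 8 and 13, in the
# listing's own "name(ip)" notation (empty parentheses = no DNS answer).
SAMPLE_HOSTS = (
    "www.nivafitness.com(34.102.136.180) www.pibblekibble.com(34.102.136.180) "
    "www.blackbettyxt.com(34.102.136.180) 34.102.136.180 - malicious "
    "www.startfortoday.com(184.168.131.241) www.tiny-tobi.com(184.168.131.241) "
    "www.hack-cloud.icu() www.google.com(172.217.175.4)"
)

CAMPAIGN_DIR = re.compile(r"^/([a-z0-9]{4})/$")      # assumed: e.g. /glgd/
BLOB = re.compile(r"^[A-Za-z0-9+/=_-]{60,}$")          # assumed: base64-ish payload
HOST_ENTRY = re.compile(r"([A-Za-z0-9.-]+)\(([0-9.]*)\)")


def parse_formbook_checkin(url):
    """Return {'host', 'campaign', 'blob_len'} for a check-in-shaped URL, else None."""
    parts = urlsplit(url)
    m = CAMPAIGN_DIR.match(parts.path)
    if not m or not parts.query:
        return None
    # Split the query by hand: urllib's parse_qsl would turn the '+' inside
    # the blob into spaces and defeat the alphabet check below.
    params = dict(p.partition("=")[::2] for p in parts.query.split("&"))
    if len(params) != 2:
        return None
    blobs = [v for v in params.values() if BLOB.match(v)]
    if len(blobs) != 1:
        return None
    return {"host": parts.hostname, "campaign": m.group(1), "blob_len": len(blobs[0])}


def cluster_by_campaign(urls):
    """Group check-in hosts by path directory; one directory = one campaign config."""
    clusters = defaultdict(set)
    for url in urls:
        hit = parse_formbook_checkin(url)
        if hit:
            clusters[hit["campaign"]].add(hit["host"])
    return {campaign: sorted(hosts) for campaign, hosts in clusters.items()}


def shared_resolutions(host_field, min_domains=2):
    """Map IP -> sorted domains resolving to it, keeping IPs shared by min_domains or more."""
    by_ip = defaultdict(set)
    for name, ip in HOST_ENTRY.findall(host_field):
        if ip:  # skip lookups the page shows with empty parentheses
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_domains}


if __name__ == "__main__":
    for campaign, hosts in sorted(cluster_by_campaign(SAMPLE_URLS).items()):
        print(f"campaign dir {campaign}: {', '.join(hosts)}")
    for ip, names in shared_resolutions(SAMPLE_HOSTS).items():
        print(f"{ip} shared by {len(names)} domains: {', '.join(names)}")
```

Run against the whole listing, the directory clusters show which samples were built from the same FormBook config (entries 2 and 3 share glgd, 8, 10 and 11 share vn3b, 7 and 12 share lvno, 6 and 13 share csls), and the shared-IP report explains why 34.102.136.180 keeps appearing with the site's malicious label: FormBook check-ins rotate through a list of decoy domains, and many of those here resolve to that one address.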