| 1 |
2022-12-20 14:34
|
 wopngduxgf.exe dc017def056e0c20105a4d767541a580
PWS[m] RAT email stealer Downloader UPX DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows |
|
|
|
|
8.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2021-08-11 09:34
|
 vc.exe 5615be335807b5eb2d4c9f59f5f914dd
RAT PWS .NET framework Generic Malware UPX AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows DNS Cryptographic key crashed |
4
http://www.startfortoday.com/glgd/?k2MHoV=0MHzMxpJH4rILertVw/6MkQ8XgJjg7Igm9BaWXqz5e9JsR+Gvn2wWzdV9N9x+I11yW/2pRBs&tXR=NZiHaP
http://www.tiny-tobi.com/glgd/?k2MHoV=Tf3VOJhMPEKSFVG4lRUL1GzDFZ6CZBEdr5MR7bq2IBxaGKCn7xrLB1FW9dPQYXeSruzHPx7P&tXR=NZiHaP
http://www.southernedgewaterdesigns.com/glgd/?k2MHoV=LmTpLul+ArKV8Uwki1jSQCkGp6Aq6ai3+ySGBIz1ozwHhyIBPM/T1rbH77EFyn0FPiGQCryP&tXR=NZiHaP
https://www.bing.com/
|
8
www.southernedgewaterdesigns.com(34.102.136.180)
www.startfortoday.com(184.168.131.241)
www.tiny-tobi.com(184.168.131.241)
www.google.com(172.217.175.4)
216.58.220.196
172.67.188.154
34.102.136.180 - mailcious
184.168.131.241 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
|
|
11.4 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2021-08-11 09:25
|
 us.exe 78f998a3e27a3a76480d4bc25cd37286
RAT PWS .NET framework Generic Malware AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key crashed |
5
http://www.sabortradicion.com/glgd/?RR=RWZUdDZM2vWJGNyKWyakMM1rPTQtzSNU3Jzm3LUz16xspXtvwrI+PBSJlVTsPv0xAjpy10DH&sPX4gJ=lnRlMNFPWfi0
http://www.danielsdonuteria.com/glgd/?RR=IpIqRkOeyywi3K8x4XdnqdH9Qx+aXhYHwHTGsqzrpTB78CdxIABDUEXezTmookMwz0BXydeD&sPX4gJ=lnRlMNFPWfi0
http://www.soilhelp.com/glgd/?RR=asBy0YopPjG4dHaqcidLxAgpRjeYKvHFAx/LEx9W68MuHxQADtJpsJBj24UwIzZQ8AGX6ju+&sPX4gJ=lnRlMNFPWfi0
http://www.farendofthebench.com/glgd/?RR=svcqGWQO7MOM0XfFk+NDKL2Ww32z3qceQtZ1u2oY7ETYeE8QmVUYaDfZDsJbMwTSbwYX1aU8&sPX4gJ=lnRlMNFPWfi0
https://www.bing.com/
|
10
www.soilhelp.com(3.133.163.136)
www.sabortradicion.com(87.98.230.60)
www.google.com(172.217.26.36)
www.farendofthebench.com(34.102.136.180)
www.danielsdonuteria.com(167.114.6.154)
87.98.230.60
34.102.136.180 - mailcious
167.114.6.154 - phishing
13.58.168.69 - mailcious
216.58.220.196
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2021-07-16 07:39
|
 nv.exe 43deb9e60877d57aba0d166976f9a735
PWS Loki[b] Loki[m] RAT Generic Malware DNS Socket HTTP KeyLogger Http API Internet API ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows ComputerName DNS crashed |
1
|
3
www.google.com(216.58.220.100)
136.144.41.135
142.250.207.68
|
|
|
13.0 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2021-07-16 07:36
|
 zxx.exe 9ea8f0cefae38838925df14a6f2a29d6
RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows crashed |
2
http://www.shikhardeals.com/bsdd/?Kzux=6+V1HrHDkbuNn6Cv3YxHVO2ini0phccEfu7HbKCoxymyMS/RgpFI/Qlk71oJU9Gi5JhK/P+t&p0D=AfhDLL2
https://www.bing.com/
|
5
www.shikhardeals.com(88.99.53.105)
www.dwsykj.com()
www.google.com(216.58.220.100)
88.99.53.105
142.250.66.36
|
|
|
10.4 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2021-07-01 18:14
|
 si.exe df75bedbb01fdfb56956fa33a46205dd
Generic Malware AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed |
3
http://www.inspiredpractice.net/csls/?yVMpQNlP=AA0fyBWbZnHHrKdAI0jA8QbX+M95wQKAQ1+Q+mJpiVVvwFVAUEAf7+rrMKZePAKl9+bar05A&1bz=o8rLp - rule_id: 2426
http://www.refundoftaxsurplus.com/csls/?yVMpQNlP=Ym+oHoYN/xZYdl3jvUNligLhYqYCEJLDVEooMpY/m4VRQE6HUdWU47bsyLt1OssAv4HZM1oN&1bz=o8rLp
http://www.decorhomestyle.info/csls/?yVMpQNlP=iSLD+1PhY73eZBKoU9CM1ShoYrO8PjamQvwnurQpI+yEMjtzsi7/Y3dvoSIc7OAlKSzo8G86&1bz=o8rLp
|
7
www.hbpro2.com()
www.inspiredpractice.net(182.50.132.242) - mailcious
www.refundoftaxsurplus.com(34.102.136.180)
www.decorhomestyle.info(88.214.207.96)
182.50.132.242 - mailcious
34.102.136.180 - mailcious
88.214.207.96 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.inspiredpractice.net/csls/
|
9.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2021-07-01 18:12
|
 dg.exe cf4451b3972a3a0c80ba775579c60de5
Generic Malware AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed |
4
http://www.vmdoctor.com/lvno/?Kzux=z5V9e9CabOAi0u4rmoa/UfEKbROekej59ljPlo8Q+nQLAKhl5cN+OI8RoEb12W3eqG/yW4Kr&p0D=AfpHLx9
http://www.hai96.com/lvno/?Kzux=k9QIkx5GCt5YvieM+yDM1rNmuWw3ZYu70gQPKUbfhMkm/Olm+/k+bmmYakDeX1iB9Dpnmtma&p0D=AfpHLx9
http://www.pizzafromsky.com/lvno/?Kzux=hrc86bj5dJczUKK4C2Z5ksFfVnrDN93+er1RK/RU41IsAR27IoSTEuryZJwxOmH1025bJtBt&p0D=AfpHLx9
http://www.karlakarony.com/lvno/?Kzux=mepXojAupUjOhnsr5OdCMMT8PCW1ujZfe8HjdU7EVlgpYioQzA85FA+noB09SNR8LwLZ9QYQ&p0D=AfpHLx9
|
8
www.hai96.com(3.223.115.185)
www.pizzafromsky.com(195.110.124.133)
www.karlakarony.com(162.241.61.204)
www.vmdoctor.com(156.241.53.152)
3.223.115.185 - mailcious
195.110.124.133 - mailcious
156.241.53.152
162.241.61.204 - malware
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2021-07-01 18:09
|
 ew.exe d0a3271d3966f4765b194b203abaf782
Generic Malware AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
3
http://www.nivafitness.com/vn3b/?Vnw0_=-Z2l72s0kFHhurC&FrJd4PD=bqDBP0O9Vn3So+RBn75VdyvT/sToQzDOCpoIADkSiO14IsvETUp9boKBnXh5Ks2dUI8lKoag
http://www.pibblekibble.com/vn3b/?Vnw0_=-Z2l72s0kFHhurC&FrJd4PD=7KKODc5MDsDCEzAoRYM76RaAm8zujJIqN8Cp4oN6MSU5XPOB4MX/FWfC5xEyCIoPdsXLCh3W
http://www.blackbettyxt.com/vn3b/?FrJd4PD=HEEXiPM4fqncc4MMlrlRss4O3bw3kYvQfpb+dGO4B3Vuh61Wc/rFV6l7vkxAcZYhR9ZLHOlr&Vnw0_=-Z2l72s0kFHhurC
|
4
www.nivafitness.com(34.102.136.180)
www.pibblekibble.com(34.102.136.180)
www.blackbettyxt.com(34.102.136.180)
34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.8 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2021-06-30 18:33
|
 ou.exe 8d1a835aec4a08b9f3bd3be40c3de3e4
Gen1 Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
11
http://195.133.40.227/az//4.jpg
http://195.133.40.227/az//6.jpg
http://195.133.40.227/az//2.jpg
http://195.133.40.227/az//main.php - rule_id: 2421
http://195.133.40.227/az//main.php
http://195.133.40.227/az//5.jpg
http://195.133.40.227/az//7.jpg
http://195.133.40.227/az//1.jpg
http://195.133.40.227/az//3.jpg
http://195.133.40.227/az/ - rule_id: 2420
http://195.133.40.227/az/
|
2
50.31.98.39
195.133.40.227
|
5
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
2
http://195.133.40.227/az//main.php
http://195.133.40.227/az/
|
17.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2021-06-30 18:31
|
 v.exe fb7152e24744c5dcde84318931ca8946
PWS .NET framework Generic Malware UPX AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed |
3
http://www.lifeafterbobby.com/vn3b/?a6A=ukz3ZcSyHr/GIf2N108Ax5ccAg3Q9VRV0tpzhLkblml9ey4voFbA7o6uSo3NbjIhjtnPLi9d&D8S=_FND6l
http://www.trust-red.net/vn3b/?a6A=7v3Rtst9q+y60iNonvc1rMV0zdwSKue1HEt/9m2h8VeztM3zw9MVZAdCdDzUvrLHeQyE64Dr&D8S=_FND6l
http://www.wygouji.com/vn3b/?a6A=DLf0HnWZCZ1ZQBgw+IkRC778n0lxE+hQtcSQcM/mZD+sLSLyVLz3ydLY2cpsP2/jYu9qgGHQ&D8S=_FND6l
|
6
www.lifeafterbobby.com(156.240.33.142)
www.trust-red.net(185.98.131.227)
www.wygouji.com(142.111.242.143)
156.240.33.142
185.98.131.227
142.111.242.143
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2021-06-30 18:31
|
 vin.exe 4c273ea74257fef4e25796421320b5fd
Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows DNS crashed |
3
http://www.toughcookie.love/vn3b/?u6u0=hBZ87r4HS6D&LZQL=9BMdMx2jD9TLJewezHgjwBnSXRzCaJZ4dU0aDHkAou+6sTUeGhJPvuU1YrnoJYZaI2bj7L7d
http://www.marvinlucassuperpac.com/vn3b/?u6u0=hBZ87r4HS6D&LZQL=Q1VJuWd39DPAgscqM6Elj9PGWuHe2EkCiMDZRkj4lg6eUq4bMPZ2btcIL+vfRg1ArZ2wrs8q
http://www.theexpertinsuranceagency.com/vn3b/?LZQL=VtbJmj+MIjfmoC3A9zODeVnbxq5aGUN6TH6Avp691dvIuKphHjAieugYigDV10RxqdWW/xpp&u6u0=hBZ87r4HS6D
|
6
www.toughcookie.love(145.239.37.162)
www.theexpertinsuranceagency.com(34.102.136.180)
www.marvinlucassuperpac.com(50.31.98.39)
50.31.98.39
34.102.136.180 - mailcious
145.239.37.162 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2021-06-30 18:28
|
 zk.exe 97a3aa2b0a6e0a26fca4db32eaaec5ef
PWS .NET framework Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
2
http://www.doshjpft.icu/lvno/?CR=xcRNZPxNHyHareFnl3uARUXWRuKrrRVMn2tb6jYVj31HQksvWGQZJa1xkqXuEYsGywL+tDz0&RZ3=dhrxPpcXOFuDHpA
http://www.newyearin.com/lvno/?CR=zujNaLwadosC862oYrhQ9YkLT50Mhjh6zIUWZbXMql8MJxUX27nri42Hi8CZRWCsLhUQqglv&RZ3=dhrxPpcXOFuDHpA
|
5
www.businessearlywarningsystems.com()
www.doshjpft.icu(47.57.3.252)
www.newyearin.com(108.177.163.198)
47.57.3.252
108.177.163.198
|
2
ET INFO DNS Query for Suspicious .icu Domain
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2021-06-30 18:28
|
 sm.exe 93ba3f6589d1765284d285257ef2b3b7
Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows DNS crashed |
2
http://www.ninkatsu-stepbystep.com/csls/?uZxT=XPjTRh4P&2dcTO=ElCUMwgfBgXOjBuGE/teBUnaUqYehI6Y2gk1NYE7zTjPFaA4+euTdzDuANJ9U4ovFV76Tfg8
http://www.inspiredpractice.net/csls/?uZxT=XPjTRh4P&2dcTO=AA0fyBWbZnHHrKdAI0jA8QbX+M95wQKAQ1+Q+mJpiVVvwFVAUEAf7+rrMKZePAKl9+bar05A
|
5
www.inspiredpractice.net(182.50.132.242)
www.ninkatsu-stepbystep.com(202.210.8.148)
www.hack-cloud.icu()
202.210.8.148
182.50.132.242 - mailcious
|
2
ET INFO DNS Query for Suspicious .icu Domain
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2021-06-30 18:27
|
 sza.scr 1c1b93412ab9925460ee78ebf5c76a15
Gen1 Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
9
http://195.133.40.227/az//4.jpg
http://195.133.40.227/az//6.jpg
http://195.133.40.227/az//2.jpg
http://195.133.40.227/az//main.php
http://195.133.40.227/az//5.jpg
http://195.133.40.227/az//7.jpg
http://195.133.40.227/az//1.jpg
http://195.133.40.227/az//3.jpg
http://195.133.40.227/az/
|
1
|
5
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
17.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2021-06-30 18:26
|
 w.exe dbc7dec63082150e42c786fbc47dea8a
PWS .NET framework Generic Malware UPX AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed |
3
http://www.szlandas.com/wlns/?SVE=GKZWCMEw3T5aOBpNO42YjE/TaP1B6pPd2pbjYzDF3p7yhpxX2M2GLn3QuEoCBwC+72ICaQ2c&oX=Txo8n04xDBsp
http://www.guniverse.net/wlns/?SVE=obmV34E+VnU01louI7hyDBOk8azyZSyy8u3EY5X02UVoxZoekQW179fH12awdQjVw+iljCJU&oX=Txo8n04xDBsp
http://www.theircouture.com/wlns/?SVE=vbQ70DSOjBu6wXqoiLl8xulYFqbBUo6FNBZyPPsJA5VA6onbJOTBpmYGjXjMfEPpp2tfldem&oX=Txo8n04xDBsp
|
6
www.szlandas.com(160.124.142.64)
www.theircouture.com(192.187.111.220)
www.guniverse.net(213.186.33.5)
81.17.18.195 - suspicious
213.186.33.5 - mailcious
160.124.142.64
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|