15001 | 2021-11-05 11:17 | vbc.exe | fb86e3f69840fab7b93729f4a799f90f
Tags: Malicious Packer UPX PE File PE32 VirusTotal Malware RWX flags setting crashed
1.6 | | 31 | ZeroCERT

15002 | 2021-11-05 11:17 | odinikazx.exe | 44edb6a534c2542a0166dbf95edf2f81
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
11.2 | | 15 | ZeroCERT

15003 | 2021-11-05 11:18 | 190.exe | 6579ea5bd462ab008ecea9eba5c908ca
Tags: RAT PWS .NET framework BitCoin Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs IP Check installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (4): http://185.235.130.48:44050/; https://cdn.discordapp.com/attachments/893177342426509335/905442111237816370/patch.jpg; https://ipinfo.io/ip; https://api.ip.sb/geoip
Hosts (7): ipinfo.io(34.117.59.81); api.ip.sb(172.67.75.172); cdn.discordapp.com(162.159.134.233) - malware; 172.67.75.172 - malicious; 185.235.130.48; 162.159.135.233 - malware; 34.117.59.81
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io); SURICATA HTTP unable to match response to request
12.8 | | 22 | ZeroCERT

15004 | 2021-11-05 11:18 | rat_server_x32_windows.exe | 765661ae2b8e916652f91b80d33f0592
Tags: Gen1 Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Check memory Creates executable files AppData folder WriteConsoleW
1.8 | | 11 | ZeroCERT

15005 | 2021-11-05 11:19 | swhoct.exe | 51107b9099bf83dfc12a9b31ff5a7609
Tags: RAT Generic Malware Malicious Library UPX PE File OS Processor Check PE32 PE64 VirusTotal Malware PDB Check memory Checks debugger Creates executable files unpack itself
2.6 | | 22 | ZeroCERT

15006 | 2021-11-05 11:23 | rat_client_x32_windows.exe | 028d46daecc32df5eabf16e28b1e4174
Tags: NPKI Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File OS Processor Check PE32 DLL VirusTotal Malware Check memory Creates executable files AppData folder crashed
2.0 | | 27 | ZeroCERT

15007 | 2021-11-05 11:24 | vbc.exe | a37a20dbb6602b5003b237cfe2e7c2c8
Tags: Loki PWS Loki[b] Loki.m Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2): http://secure01-redirect.net/ga17/fre.php - rule_id: 6829; http://secure01-redirect.net/ga17/fre.php
Hosts (2): secure01-redirect.net(85.143.175.133); 85.143.175.133
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1): http://secure01-redirect.net/ga17/fre.php
13.0 | | 24 | ZeroCERT

15008 | 2021-11-05 11:25 | askinstall59.exe | c55a782fb3152c45d4d4944539b5f4ea
Tags: AgentTesla Gen2 Trojan_PWS_Stealer BitCoin browser info stealer Credential User Data Generic Malware Google Chrome Malicious Packer Malicious Library SQLite Cookie UPX Create Service DGA Socket Steal credential DNS Internet API Code injection S Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution crashed
URLs (1): https://www.listincode.com/ - rule_id: 2327
Hosts (4): www.listincode.com(149.28.253.196) - malicious; iplogger.org(88.99.66.31) - malicious; 149.28.253.196; 88.99.66.31 - malicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1): https://www.listincode.com/
9.8 | M | 39 | ZeroCERT

15009 | 2021-11-05 11:26 | autosubplayer.exe | d15c06743856d324a96b542a002b0aee
Tags: Malicious Library UPX PE File PE32 DLL Check memory Creates executable files unpack itself AppData folder
2.0 | | | ZeroCERT

15010 | 2021-11-05 11:28 | 1518_1635886867_1517.exe | 85f4a0e72f1f2945989d19d35c672e2a
Tags: Themida Packer UPX Steal credential ScreenShot Http API AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware crashed
9.8 | | 28 | ZeroCERT

15011 | 2021-11-05 11:30 | Antesternal.exe | 7c24713f4e91edad058cc94988f403e0
Tags: RAT Generic Malware PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself
2.4 | | 34 | ZeroCERT

15012 | 2021-11-05 17:13 | invc_0000020099200000.wbk | 8449fdfb6705fd1748a5ddd3db0e2050
Tags: RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed Downloader
URLs (9):
http://198.23.212.140/8880/vbc.exe http://www.facebook-meta-morphosis.com/wp1p/?jFN8ld=98chVD7sBa/qnech4EEDbRcRm6voyaFjl1l1LA+LqSDPR/pPEdjRhsOJLuWGMelNj2a09pyz&oXU=_0GDCjlXRtrXu http://www.divatv.us/wp1p/?jFN8ld=1Szf3TR3y8ssD8Lp670PK1eet8x24hS9xPundd5MLxLoTbu8h9akdDPlBs7iasE17gy56x+b&oXU=_0GDCjlXRtrXu https://vyxboa.bn.files.1drv.com/y4mPXJq2M2DOy9LdQBqRy7BIp8yrpxooyioMvdo-8EgIK_gfWkkHHJMKjJCo20rvTvGfibKiCDF_t7fXYF0wCoF0jQazSAMXoxDV6dCJuojV1uRmQdbEJVSTM3Fwgh9_lC5iIehTZKtWuE8y3WEOacmxy--KuBe6ehQ4un_yg5uRo3sAw75Xu54ef3LWLukEg1tYXuUk3IcY8DCPrUIBhq_LQ/OriginWX_IcbNVipt92.bin?download&psid=1 https://onedrive.live.com/download?cid=2D81EAA9FA612352&resid=2D81EAA9FA612352%21147&authkey=ALj0Tl_MdXFVvBU https://onedrive.live.com/download?cid=2D81EAA9FA612352&resid=2D81EAA9FA612352%21148&authkey=AGnZ0BdH7S6vIrg https://vyv99a.bn.files.1drv.com/y4mfXyMBnZts6PCQCRPbRfjxCu5JRyptNs5viBzXpIUdsymDftKAu9HnVicl28Qb4FSfXog0pAA9noFi9rpdk_XYwex0c_0rVGg_9ag3YHVnVc0K93anAMvoWRSM-swWR2qBE2XzCA5rS6101yIGOEXfrZwH2AezS6uHeIXFQJUF1zu5xar2cRZXjciYbzAjV4hgFWbNTWLhhfSQ18e8GO2XA/bin_IlYTwVi142.bin?download&psid=1 https://vyvaxa.bn.files.1drv.com/y4mKG0xsqnOwcFdtJLOuKXdepw1WssV1i86VHzysEuF8aNbaUQ6Preezplncg-iArWfi2z7cz6g7AzNeCW6NpIiIS0SZ7R38LM0JCybVHJdJbrt1WYDSCdIQOP0eXQDiftlHUD3L07WafVCKhbaEBpIH9UiG_LUgVZYUdxbIT-Nx4hELyybNnDl_PbADLIDZCdj0fN-CiuDuNlOE1aWBw6C0Q/CHEVIOTTETS.exe?download&psid=1 https://onedrive.live.com/download?cid=2D81EAA9FA612352&resid=2D81EAA9FA612352%21149&authkey=APQYd8SGOQ7g3zc
Hosts (11): onedrive.live.com(13.107.42.13) - malicious; www.divatv.us(104.21.1.194); vyv99a.bn.files.1drv.com(13.107.42.12); vyvaxa.bn.files.1drv.com(13.107.42.12); www.facebook-meta-morphosis.com(34.102.136.180); vyxboa.bn.files.1drv.com(13.107.42.12); 13.107.42.12 - malware; 198.23.212.140 - malware; 13.107.42.13 - malicious; 172.67.129.222; 34.102.136.180 - malicious
Alerts (8): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE FormBook CnC Checkin (GET)
4.4 | | 29 | guest

15013 | 2021-11-05 18:07 | goal.exe | 5f7161a3be422edba21e4d7753fd8be4
Tags: RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows ComputerName
URLs (1): https://bitbucket.org/workflowcx87897/chech911/downloads/File.png
Hosts (2): bitbucket.org(104.192.141.1) - malware; 104.192.141.1 - malicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | | 43 | ZeroCERT

15014 | 2021-11-05 18:07 | 3428_1635961964_102.exe | 1862fdbfb746681b4fed4af1844004a0
Tags: Emotet Generic Malware Malicious Packer Malicious Library UPX Antivirus AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1): http://45.77.127.230:8888/ccddhmkiysjoxitw - rule_id: 5778
Hosts (1): 45.77.127.230 - malicious
Rule-matched URLs (1): http://45.77.127.230:8888/
12.4 | M | 23 | ZeroCERT

15015 | 2021-11-05 18:09 | 7944_1636015327_86.exe | a2aedc16585b7813d6aaf70717e61a02
Tags: UPX PE File OS Processor Check PE32 VirusTotal Malware WriteConsoleW
1.4 | | 26 | ZeroCERT