15031 |
2021-11-07 09:34
|
index-1862925899.xls 18e464bb54f5c85ea6caf14487ced92c Downloader MSOffice File ICMP traffic RWX flags setting unpack itself suspicious process Tofsee |
3
https://decinfo.com.br/s4hfZyv7NFEM/y9.html
https://imprimija.com.br/BIt2Zlm3/y5.html
https://stunningmax.com/JR3xNs7W7Wm1/y1.html
|
6
imprimija.com.br(108.179.192.18)
stunningmax.com(23.111.163.242)
decinfo.com.br(108.179.193.34)
23.111.163.242
108.179.193.34 - malicious
108.179.192.18
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
4.4 |
|
|
guest
|
15032 |
2021-11-07 09:36
|
index-1863186207.xls a6dc8902798b7e3ba6a7984f2a2593ad Downloader MSOffice File VirusTotal Malware ICMP traffic RWX flags setting unpack itself suspicious process Tofsee |
3
https://decinfo.com.br/s4hfZyv7NFEM/y9.html
https://imprimija.com.br/BIt2Zlm3/y5.html
https://stunningmax.com/JR3xNs7W7Wm1/y1.html
|
6
imprimija.com.br(108.179.192.18)
stunningmax.com(23.111.163.242)
decinfo.com.br(108.179.193.34)
23.111.163.242
108.179.193.34 - malicious
108.179.192.18
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
5.0 |
|
10 |
guest
|
15033 |
2021-11-07 09:38
|
index-1863934855.xls 8584ca265513d78b293331cc0e446f34 Downloader MSOffice File ICMP traffic RWX flags setting unpack itself suspicious process Tofsee |
3
https://decinfo.com.br/s4hfZyv7NFEM/y9.html
https://imprimija.com.br/BIt2Zlm3/y5.html
https://stunningmax.com/JR3xNs7W7Wm1/y1.html
|
6
imprimija.com.br(108.179.192.18)
stunningmax.com(23.111.163.242)
decinfo.com.br(108.179.193.34)
23.111.163.242
108.179.193.34 - malicious
108.179.192.18
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
4.4 |
|
|
guest
|
15034 |
2021-11-07 09:44
|
2321_1636188522_6879.exe e78c12a4bd00e94b07db805c153985cf PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
|
|
7.6 |
|
24 |
ZeroCERT
|
15035 |
2021-11-07 09:44
|
702_1636110597_938.exe 9769dd7aa91d1195becb8da72f4b9fbe PWS Loki[b] Loki.m AgentTesla RAT browser info stealer Generic Malware UPX Code injection ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Tofsee Windows DNS Cryptographic key crashed |
|
2
mas.to(88.99.75.82)
88.99.75.82
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query for .to TLD
ET INFO TLS Handshake Failure
|
|
7.8 |
|
37 |
ZeroCERT
|
15036 |
2021-11-07 09:45
|
cruz_image.mp3.html a7ecdee268d12efae0f5cacc6ac5418b Antivirus VirusTotal Malware unpack itself crashed |
|
|
|
|
1.2 |
|
15 |
ZeroCERT
|
15037 |
2021-11-07 09:46
|
j.exe 6c1bf5fd5e33a68d980525c71cacf1d8 Generic Malware PE64 PE File VirusTotal Malware |
|
|
|
|
1.8 |
|
39 |
ZeroCERT
|
15038 |
2021-11-07 09:47
|
rundll32.exe 5a66a0ab975ee61f330feb2af7b08d52 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder malicious URLs Windows |
8
http://www.esyscoloradosprings.com/fqiq/?4hLpNJ=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&nfutZl=xPJ4abP8 - rule_id: 6444
http://www.farmersfirstseed.com/fqiq/?4hLpNJ=LbdaYrSs38N8uIwY7oVDq2uzukwE8JpfT85YdDwPyg/SznV3VAz0OihEXjn7VBiJtsEJeDaz&nfutZl=xPJ4abP8
http://www.hartfulcleaning.com/fqiq/?4hLpNJ=uHvuYmjit4fallNp1Ej7vtyQWzU3HFRSMqXztfeWYNDOTP1U0scGwGT4FHCGKhM8svXnQnS7&nfutZl=xPJ4abP8 - rule_id: 7210
http://www.hartfulcleaning.com/fqiq/?4hLpNJ=uHvuYmjit4fallNp1Ej7vtyQWzU3HFRSMqXztfeWYNDOTP1U0scGwGT4FHCGKhM8svXnQnS7&nfutZl=xPJ4abP8
http://www.satellitephonstore.com/fqiq/?4hLpNJ=Sq1XZHSrpCHed4l0gSE8w/MNMhRnHgbusCiv7TwhFJT/5cEiP7Kz4bRk1Jir79l1clbW8xKQ&nfutZl=xPJ4abP8 - rule_id: 6687
http://www.mambacustomboats.com/fqiq/?4hLpNJ=oM7C4s4IgTsCMDsM97tedYlymorHgm5Kv3M2/2amrfi4uqOFLGFzoQjLNIK3nvWL7hHP1K8A&nfutZl=xPJ4abP8
http://www.eclecticrenaissancewoman.com/fqiq/?4hLpNJ=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&nfutZl=xPJ4abP8 - rule_id: 7032
http://www.eclecticrenaissancewoman.com/fqiq/?4hLpNJ=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&nfutZl=xPJ4abP8
|
12
www.hartfulcleaning.com(34.80.190.141)
www.mambacustomboats.com(64.190.62.111)
www.eclecticrenaissancewoman.com(74.220.199.6)
www.satellitephonstore.com(35.186.238.101)
www.esyscoloradosprings.com(108.167.135.122) - malicious
www.farmersfirstseed.com(34.102.136.180)
35.186.238.101 - malicious
108.167.135.122 - malicious
34.102.136.180 - malicious
74.220.199.6 - malicious
64.190.62.111 - malicious
34.80.190.141 - malicious
|
2
ET MALWARE FormBook CnC Checkin (GET)
SURICATA HTTP unable to match response to request
|
4
http://www.esyscoloradosprings.com/fqiq/
http://www.hartfulcleaning.com/fqiq/
http://www.satellitephonstore.com/fqiq/
http://www.eclecticrenaissancewoman.com/fqiq/
|
9.8 |
M |
|
ZeroCERT
|
15039 |
2021-11-07 09:48
|
.csrss.exe 6aebd56c7cbd1a5ee218f2ef40c6133e Loki PWS Loki[b] Loki.m Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
2
http://secure01-redirect.net/ga14/fre.php - rule_id: 7227
http://secure01-redirect.net/ga14/fre.php
|
2
secure01-redirect.net(85.143.175.133)
85.143.175.133
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://secure01-redirect.net/ga14/fre.php
|
13.8 |
|
31 |
ZeroCERT
|
15040 |
2021-11-07 09:49
|
200.exe d3d8953a702ac5187dc16e54c280074f Generic Malware Themida Packer Anti_VM UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
|
1
|
|
|
9.2 |
|
27 |
ZeroCERT
|
15041 |
2021-11-07 09:50
|
rollerkind2.exe ebff6c5c942d1800caef3eda207889d3 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
|
25 |
ZeroCERT
|
15042 |
2021-11-07 09:51
|
UUQf0owhn8UWJCz.exe 5917d602f423946e08474241e6a731a7 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
4
http://www.ranbix.com/noha/?ML3p=WqlLRyxmklHBR9bvDjAAjeD09IEXqdmYERcw+cExScONqRgH/+tJNETkvgWEj3p7qMAbvI1j&t8o=FrFLaXd - rule_id: 6288
http://www.paddlercentral.com/noha/?ML3p=BflZB6OqREwGJlb9Sk842/jtcaZ5fuiyOju/J2yjGs5y9yumeUh4rkZlJ2CmfPQeRsVHYWsh&t8o=FrFLaXd - rule_id: 6291
http://www.apocalyptoapertureserrature.net/noha/?ML3p=oktAv2LhUy86NFSiEbP+8ZjihMhV6NpBC9IoSL22dAOgFjsOiWhr4Snex0+MO9aHyMlhDMIV&t8o=FrFLaXd
http://www.overseaspoolservice.com/noha/?ML3p=M+DGWJWziq67KtkkSsXl3bSbfh2dDaXu2IQ75uBlbdJS0aUvllJuJ1UEsSNpguwNrUAivjLX&t8o=FrFLaXd
|
14
www.paddlercentral.com(198.54.117.218)
www.mglracing.com() - malicious
www.overseaspoolservice.com(34.80.190.141)
www.ranbix.com(199.188.206.146)
www.kweeka.money()
www.xn--vhqp8mm8dbtz.group() - malicious
www.nongminle.net() - malicious
www.zsnhviig.xyz() - malicious
www.apocalyptoapertureserrature.net(46.252.152.130)
www.data2form.com()
199.188.206.146 - malicious
46.252.152.130
34.80.190.141 - malicious
198.54.117.216 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.ranbix.com/noha/
http://www.paddlercentral.com/noha/
|
8.4 |
M |
40 |
ZeroCERT
|
15043 |
2021-11-07 09:53
|
6788_1636125081_7928.exe bb8eeb02cb24e79c0ad10842b537a7bc Generic Malware Themida Packer UPX AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed |
|
1
|
|
|
12.4 |
|
41 |
ZeroCERT
|
15044 |
2021-11-07 09:53
|
vbc.exe 6803bb0ea46eca1dc973c636efd058fb Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed |
3
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636246279&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DF0BB2981C1963476%26resid%3DF0BB2981C1963476%2521106%26authkey%3DAB3cW9SKwAMgUvw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636246280&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DF0BB2981C1963476%26resid%3DF0BB2981C1963476%2521106%26authkey%3DAB3cW9SKwAMgUvw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
https://onedrive.live.com/download?cid=F0BB2981C1963476&resid=F0BB2981C1963476%21106&authkey=AB3cW9SKwAMgUvw
|
4
login.live.com(40.126.35.86)
onedrive.live.com(13.107.42.13) - malicious
13.107.42.13 - malicious
40.126.35.129
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
41 |
ZeroCERT
|
15045 |
2021-11-07 09:55
|
GRSDFSDGSD.exe b7426df3b449ae7ec217cfdbdc36f242 RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName |
|
2
goodboxx.in(104.223.93.105)
104.223.93.105
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
23 |
ZeroCERT
|