15136 | 2021-11-09 09:51 | tracking.php 819b1896050b11f6ffdd835f6249874e VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself | | | | | 1.4 | | 18 | ZeroCERT
15137 | 2021-11-09 09:52 | vbc.exe 5ecf66273f0e0a3755cc65792c0379dc Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed | 2 https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636418955&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky https://onedrive.live.com/download?cid=3AD292385C59C809&resid=3AD292385C59C809%21106&authkey=AHXb1biR0zpJmSw | 4 login.live.com(40.126.35.64) onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious 20.190.144.161 | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 3.0 | | 17 | ZeroCERT
15138 | 2021-11-09 09:53 | 4166_1636313583_7068.exe ec7ad2ab3d136ace300b71640375087c RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee | 1 https://cdn.discordapp.com/attachments/901604840319369236/906988752465961061/123321123.exe | 2 cdn.discordapp.com(162.159.129.233) - malware 162.159.130.233 - malware | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 3.8 | | 34 | ZeroCERT
15139 | 2021-11-09 09:53 | vbc.exe d3a28d6192b09520c8f39eca65b79d5e Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software | 2 http://bobreplace.xyz/five/fre.php - rule_id: 7672 http://bobreplace.xyz/five/fre.php | 2 bobreplace.xyz(104.21.78.45) 104.21.78.45 | 7 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response | 1 http://bobreplace.xyz/five/fre.php | 12.6 | | 21 | ZeroCERT
15140 | 2021-11-09 09:55 | 7189_1636325531_3217.exe 0dd386e2ac96f7ddd2206510b6d74663 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself | | | | | 2.4 | | 39 | ZeroCERT
15141 | 2021-11-09 09:55 | vbc.exe 0dabcdb8e3d8768527502f784841c91f RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed | 1 http://apps.identrust.com/roots/dstrootcax3.p7c | 4 textbin.net(51.79.99.124) apps.identrust.com(119.207.65.81) 121.254.136.27 51.79.99.124 | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 2.8 | | 37 | ZeroCERT
15142 | 2021-11-09 09:57 | vbc.exe 78b7c32f47c124fba8f540b418d17681 NSIS Malicious Library UPX Admin Tool (Sysinternals etc ...) PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software | | 1 63.250.40.204 - mailcious | | | 10.8 | | 27 | ZeroCERT
15143 | 2021-11-09 09:57 | loads3.exe f4c5d3ee974deea5fed544c55e6b7d7c Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself | | | | | 2.2 | | 27 | ZeroCERT
15144 | 2021-11-09 10:00 | nna.exe 7c997ad970ecdce19a66d96d27b62c25 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key crashed | 1 | 3 www.google.com(172.217.25.68) 172.217.24.68 13.107.21.200 | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 11.0 | | 24 | ZeroCERT
15145 | 2021-11-09 10:01 | vbc.exe 07c8b350b0d3e84f8e44c5e45b7f0b42 RAT PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself | 8 http://www.avaui.com/bs8f/?GzrXY=UD+8X2hogk5qDoIRWCfwzkS9a3kaEvubFApEqJNWnVbzvikcV2cjyLMotryRIXJXrQhMtzkt&AnE=O0Dpo4A05x http://www.cvwerg.com/bs8f/?GzrXY=V8iKqIoValF7NbADCC+Iv3koxbHGe6pdIhy2sxfOE+GPo2JjqlsoO2fNvvGNPlkJLvqu10s2&AnE=O0Dpo4A05x http://www.cardiopulmonaryservices.com/bs8f/?GzrXY=CIpGOtH+rm1iY/H2WV6N1bxPJVkwVfQs2oYReGLt/oh8D4VrG0UZW+OVE3WBxYk7L2INuWgD&AnE=O0Dpo4A05x http://www.innoattic.com/bs8f/?GzrXY=gPvbgkUpeHyKvOcIg3Tla1oGEdPTt04jzJFwq+zy+XCPeJFywCVHj9D6JwQ0RGLgry5mzrOe&AnE=O0Dpo4A05x http://www.rwilogisticsandbrokerage.com/bs8f/?GzrXY=O+ZFCK4COInkbeCtvcbM4cMiAd9wiFdBsN5Esn7lS6PC8Uc1RV355liD1/2ijziZVq0VIlSD&AnE=O0Dpo4A05x - rule_id: 7596 http://www.rwilogisticsandbrokerage.com/bs8f/?GzrXY=O+ZFCK4COInkbeCtvcbM4cMiAd9wiFdBsN5Esn7lS6PC8Uc1RV355liD1/2ijziZVq0VIlSD&AnE=O0Dpo4A05x http://www.yotosunny.com/bs8f/?GzrXY=M0idvLqgR5We+e9Ik++MG6mInTkKTBgSMwPGa8x2m0KYctUcLi/95x70imYmTncdQbSyOnDA&AnE=O0Dpo4A05x http://www.top-recordtodiscovertoday.info/bs8f/?GzrXY=bP5ScsBqwltCQ2JC/0strSX1cTxww7dKVM7kcPPPp0BU7L530PHzwpEElGr6WMcCmSwA+gXz&AnE=O0Dpo4A05x | 17 www.cardiopulmonaryservices.com(195.78.67.58) www.avaui.com(185.53.177.10) www.yotosunny.com(3.64.163.50) www.cvwerg.com(202.82.201.219) www.sponsoredcrew.com() www.innoattic.com(44.227.76.166) www.top-recordtodiscovertoday.info(54.203.72.218) www.medinaes.xyz() www.alwaysmode.com() www.rwilogisticsandbrokerage.com(104.17.196.73) 44.227.76.166 - mailcious 202.82.201.219 195.78.67.58 54.203.72.218 3.64.163.50 - mailcious 104.17.195.73 185.53.177.10 - mailcious | 1 ET MALWARE FormBook CnC Checkin (GET) | 1 http://www.rwilogisticsandbrokerage.com/bs8f/ | 8.0 | | 25 | ZeroCERT
15146 | 2021-11-09 10:02 | de.exe 9dcb608ed0cf8fcf1bf1b88b62b72b40 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed | 1 | 2 www.google.com(172.217.25.68) 172.217.25.4 - suspicious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 10.4 | | 25 | ZeroCERT
15147 | 2021-11-09 10:03 | vbc.exe b85423e5c62d589bf7ac49e3067eb623 RAT PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS | 7 http://www.glenndcp.com/bs8f/?9rJtvBQ=/11ZqOAse+gpRFBElJYVxT19faq4gS4nOJaq425ma8qcV6Dz0I5qxb8yINB+32HWx8wdRUxm&2d54=eV8He2k8ddU8Jjd http://www.rwilogisticsandbrokerage.com/bs8f/?9rJtvBQ=O+ZFCK4COInkbeCtvcbM4cMiAd9wiFdBsN5Esn7lS6PC8Uc1RV355liD1/2ijziZVq0VIlSD&2d54=eV8He2k8ddU8Jjd - rule_id: 7596 http://www.rwilogisticsandbrokerage.com/bs8f/?9rJtvBQ=O+ZFCK4COInkbeCtvcbM4cMiAd9wiFdBsN5Esn7lS6PC8Uc1RV355liD1/2ijziZVq0VIlSD&2d54=eV8He2k8ddU8Jjd http://www.tucochepordinero.net/bs8f/?9rJtvBQ=908HLdvtLTlJtZGqA/0Xr85HS3UtH2SoJFN9Mz2k0GjCUL3Ka74eVYqFKQYXheXH8zT6WXaA&2d54=eV8He2k8ddU8Jjd http://www.sirabeyo.net/bs8f/?9rJtvBQ=FzoosW9qKeaJH6NtA2vqFikAezKM6IRY4IWTTmRU3ai0FWXo9+QCm0j7uqTvy7gSmvxnoEoS&2d54=eV8He2k8ddU8Jjd http://www.onelovecafeatl.com/bs8f/?9rJtvBQ=9iM6LCj1nt7i9+o9pjA7k8iwdQoo4uU6oKpkIjifKiW7CC3DkRVHehOq56lfPaPol4q3tY0n&2d54=eV8He2k8ddU8Jjd http://www.natsuyagimaki.com/bs8f/?9rJtvBQ=tnj2JSdPyXqHiUsZPUk3rXbiJf+WpZI21iqNic+5sZ5grnOEVGXs/MmoIh+yhiA7w5RFjszY&2d54=eV8He2k8ddU8Jjd | 16 www.onelovecafeatl.com(103.224.212.222) www.tucochepordinero.net(82.98.135.44) www.natsuyagimaki.com(59.106.171.21) www.vmini.info() www.sirabeyo.net(183.181.96.115) www.parkate.club() www.narae-digital.com() www.rwilogisticsandbrokerage.com(104.17.196.73) www.glenndcp.com(154.208.173.193) 154.208.173.193 183.181.96.115 82.98.135.44 121.254.136.27 104.17.195.73 103.224.212.222 - mailcious 59.106.171.21 | 1 ET MALWARE FormBook CnC Checkin (GET) | 1 http://www.rwilogisticsandbrokerage.com/bs8f/ | 8.6 | | 21 | ZeroCERT
15148 | 2021-11-09 10:04 | seasonzx.exe ac0ff10a492ecdc35a120afd52b662b1 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself | 3 http://www.spiderwebinar.net/s18y/?FFQL=/xewHRSjpGlUGtZ9W1FhDu9A0iLpT+H0J8ZwaV373xoTkilljSY4ekdWT8N3MXDJspjF9plG&Rb=VtxXE http://www.aek181129aek.xyz/s18y/?FFQL=Oq1qSCHtPZDpZjwQPtDJHnAuoLHTVvsDClhSq0lV8QAyU3clVeJp+cw6Bo+XH4/mUofpiJ4q&Rb=VtxXE http://www.dzzdjn.com/s18y/?FFQL=O1cFoOP+ivHb/P7qR9TpnoaVzlwYeNjfCrmqoh9Vqsz1oGoGkUYvSArVTaCn8avYre/VNLw1&Rb=VtxXE | 6 www.dzzdjn.com(104.21.37.123) www.aek181129aek.xyz(104.21.1.114) www.spiderwebinar.net(198.54.117.216) 104.21.1.114 198.54.117.212 - mailcious 104.21.37.123 | 2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers | | 8.8 | | 14 | ZeroCERT
15149 | 2021-11-09 10:06 | prescos.exe 32b7b97a9f131f197565167b4fe8f2ed Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows | 13 http://www.juliorodriguez.info/sywu/?QFQLCr=5VRIM5ss2p6ZudMjCnrL8O/59St/KGbj2TdWvwSpCUm0KuOvA/1YYy3NuZ8h0Sqrozu1Sf00&oXU=_6g8ydKhyJots http://www.mikes-marine.com/sywu/?QFQLCr=PbabmpsWFdXWMNTeeZ9jCNWPOn1z0XvHeI08BocNs8nNIG8Ni599zrxFdxp3gdzeKqca/8nw&oXU=_6g8ydKhyJots - rule_id: 7348 http://www.mikes-marine.com/sywu/?QFQLCr=PbabmpsWFdXWMNTeeZ9jCNWPOn1z0XvHeI08BocNs8nNIG8Ni599zrxFdxp3gdzeKqca/8nw&oXU=_6g8ydKhyJots http://www.gengzicompute.com/sywu/?QFQLCr=Sg/J+PD4SKoqXgcmmzEPzbkHChriOJdDtNPl57LzzQHkFhA1i4k5hjYuVkkFWhs3HT30LL4x&oXU=_6g8ydKhyJots - rule_id: 7346 http://www.gengzicompute.com/sywu/?QFQLCr=Sg/J+PD4SKoqXgcmmzEPzbkHChriOJdDtNPl57LzzQHkFhA1i4k5hjYuVkkFWhs3HT30LL4x&oXU=_6g8ydKhyJots http://www.xiaye.tech/sywu/?QFQLCr=x7Iu+fJ4CmAPupAvzY5WOl6wiV/RAzr8WM0SK4RPaHw8bh00os20c9SAOwy8lJ+c+kxB1kQ/&oXU=_6g8ydKhyJots http://www.heller.legal/sywu/?QFQLCr=+W5iPjmNShX7Fk/+KG2exPFYjLOMVLK3Ae1Rlp57G0GXt2//EO1I9i0ykHjehxLSnRB6hliw&oXU=_6g8ydKhyJots http://www.lighthouseta.com/sywu/?QFQLCr=Fif6t9qBJS7PfbW+nV4zZIDOtUBpWKOdgsWufsEgrcVkaPOFX3rA+XhOwSnXgM/wsAdsDFIh&oXU=_6g8ydKhyJots - rule_id: 7341 http://www.lighthouseta.com/sywu/?QFQLCr=Fif6t9qBJS7PfbW+nV4zZIDOtUBpWKOdgsWufsEgrcVkaPOFX3rA+XhOwSnXgM/wsAdsDFIh&oXU=_6g8ydKhyJots http://www.astrovivan.com/sywu/?QFQLCr=o5sNhDhfZJRS9/SUQMPBXHG3DbFi02fRsIqKUlu4kB6TLWYpQz0wrHenFh/mZBJR92RFyso8&oXU=_6g8ydKhyJots http://www.lakeshoreurology.net/sywu/?QFQLCr=up20VcKRKdIgZz9VU8Md9oKitDDtgDFv/ji54jlEG7zvlMtIMbWFEpf4avyP5SUHM5ilpOCa&oXU=_6g8ydKhyJots http://www.38leckiestreet.com/sywu/?QFQLCr=/vgTM4p9Z9iBgidmSY6A4cWY0D0pZxvvQpGDn6K72F4Gd8RLtU+z71PJ62L3W5IEhfgKqCPr&oXU=_6g8ydKhyJots - rule_id: 7345 http://www.38leckiestreet.com/sywu/?QFQLCr=/vgTM4p9Z9iBgidmSY6A4cWY0D0pZxvvQpGDn6K72F4Gd8RLtU+z71PJ62L3W5IEhfgKqCPr&oXU=_6g8ydKhyJots | 21 www.heller.legal(198.54.117.212) www.juliorodriguez.info(74.208.236.124) www.lakeshoreurology.net(107.160.82.250) www.bajajfinserv-amc.com() www.lighthouseta.com(182.50.132.242) www.parkate.club() www.gengzicompute.com(35.75.36.192) www.xiaye.tech(180.215.198.11) www.38leckiestreet.com(52.147.15.202) www.mikes-marine.com(172.81.119.116) www.ppaltobk.com() www.astrovivan.com(167.86.115.24) 167.86.115.24 172.81.119.116 198.54.117.210 - mailcious 180.215.198.11 52.147.15.202 - mailcious 182.50.132.242 - mailcious 35.75.36.192 107.160.82.250 74.208.236.124 - malware | 1 ET MALWARE FormBook CnC Checkin (GET) | 4 http://www.mikes-marine.com/sywu/ http://www.gengzicompute.com/sywu/ http://www.lighthouseta.com/sywu/ http://www.38leckiestreet.com/sywu/ | 11.2 | | 23 | ZeroCERT
15150 | 2021-11-09 10:06 | 4435_1636055582_9819.exe 4116bb07f7477531f3d4284966b93dd8 RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself anti-virtualization Windows ComputerName DNS Cryptographic key | | 1 52.147.15.202 - mailcious | | | 8.4 | | 44 | ZeroCERT