ID: 15301
Date: 2021-11-12 11:01
File: papizx.exe
MD5: 779f94d5fe55e6d397d40e438954edae
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (7):
  http://www.truebagus.xyz/s9be/?t8o=nwGcN8/92Ds0u20QZA5SJKu80GEU90gceT77OUU/1vnpUSkTjF1erE9BI0Le9o9AgeaJ8GaX&UlX=YvLT_
  http://www.338slot.space/s9be/?t8o=BNvoylARj6a0Hl4+jN9wULqjU1s6hgj2bu9jm4Sw+EAlETD8fK2nQIEsa//z+7fAuETtQ9bN&UlX=YvLT_
  http://www.viewba.store/s9be/?t8o=MS/jK5Ab7dOTUEPV0nc26fLOtl6S2z7Y1ygV0Znncgo12ZtyADOVOrsnxdtb6E52S8DE4pWp&UlX=YvLT_
  http://www.airconditionermedics.com/s9be/?t8o=MgfUUWHC2scrsvPepHi+pg6WvfxdFeIXk/9Wm5u/VotNbcwovUBPIlMd0OgWfMKOlscKXkah&UlX=YvLT_
  http://www.nifties.ink/s9be/?t8o=Oq9okVi3ON72qoK7u89rL5O219xZtzCniglRrqF4NhuC+W45rei9xdHhWi3W689eDuEyLbqP&UlX=YvLT_
  http://www.uneqjewelry.com/s9be/?t8o=JNmSJ0J+8yBa2bDJza6F4DcKruQKFiavK5AEKiPaTKa/lZ/zeE1rBZu2p5r/gXml0hTDGN9I&UlX=YvLT_
  http://www.courtownangling.com/s9be/?t8o=hu/EJZb0B54JpSEt1/uW39b0/OBgBsii1I+dsNKV3ExV9pKAXVQFXHxDjyjjQHz1xsYXZD5I&UlX=YvLT_
Hosts (16):
  www.338slot.space(198.54.117.217)
  www.metamorphicals.com()
  www.tasveerwaala.com()
  www.courtownangling.com(172.67.180.194)
  www.viewba.store(92.118.37.199)
  www.nifties.ink(64.190.62.111)
  www.ukash-online.com()
  www.uneqjewelry.com(34.102.136.180)
  www.airconditionermedics.com(34.102.136.180)
  www.truebagus.xyz(172.104.54.178)
  172.104.54.178
  92.118.37.199
  198.54.117.215 - malicious
  34.102.136.180 - malicious
  104.21.96.126
  64.190.62.111 - malicious
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 8.0
VirusTotal: 24
Analyst: ZeroCERT

ID: 15302
Date: 2021-11-12 11:05
File: wnserve.exe
MD5: ecbdb6be1aa503f9a9a7c783677b639a
Tags: RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Disables Windows Security Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(158.101.44.242)
  132.226.8.169
  172.67.188.154
Signatures (3):
  ET POLICY External IP Lookup - checkip.dyndns.org
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Score: 8.6
VirusTotal: 43
Analyst: ZeroCERT

ID: 15303
Date: 2021-11-12 11:06
File: vbc.exe
MD5: f7058072591bbc7032cc0daedbccbf85
Tags: Generic Malware Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 Check memory RWX flags setting unpack itself crashed
Score: 1.2
Analyst: ZeroCERT

ID: 15304
Date: 2021-11-12 11:10
File: uqiwang.exe
MD5: 2fa17055cbe751f03a57d8b8ec3c6cd4
Tags: Emotet Gen1 Gen2 Generic Malware Malicious Packer Malicious Library UPX MPRESS Anti_VM ASPack VMProtect Socket KeyLogger Escalate privileges ScreenShot AntiDebug AntiVM PE File OS Processor Check PE32 DLL PE64 GIF Format VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory buffers extracted WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check ComputerName Remote Code Execution
URLs (5):
  http://47.92.195.246:80/
  http://47.97.7.140:80/
  http://116.132.219.184:80/
  http://140.206.225.232:80/
  http://tj.driverzj.com:8972/api/request
Hosts (21):
  tj.driverzj.com(47.115.157.13)
  zhu.wuyouxitong.com(120.76.246.204)
  hub5pr.hz.sandai.net(47.92.195.246)
  relay.phub.hz.sandai.net(127.0.0.1)
  hub5pnc.hz.sandai.net(47.92.100.53)
  imhub5pr.hz.sandai.net(127.0.0.1)
  hub5c.hz.sandai.net(112.64.218.64)
  score.phub.hz.sandai.net(127.0.0.1)
  hub5pn.hz.sandai.net(157.255.225.53)
  hubstat.hz.sandai.net(140.206.225.136)
  pmap.hz.sandai.net(47.97.7.140)
  hub5u.hz.sandai.net(47.92.75.245)
  157.255.225.49
  47.92.195.246
  39.100.9.39
  116.132.219.184
  47.115.157.13
  47.97.7.140
  120.76.246.204
  140.206.225.232
  47.92.99.221
Score: 13.0
VirusTotal: 18
Analyst: ZeroCERT

ID: 15305
Date: 2021-11-12 15:38
File: OCT STATEMENT 2021.exe
MD5: 8c6bfb5a2b22475020ac017903981236
Tags: PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
Score: 14.4
VirusTotal: 25
Analyst: Kim.GS

ID: 15306
Date: 2021-11-13 11:01
File: skyzx.exe
MD5: add49d5c2fd2a4cd8e535828536a22b5
Tags: Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (9):
  http://www.sunbear.net/zaip/?uTuD=y04h6IED/I3mKbq7VkQCaDZQx3OYE73f7cdQrf7w5vmdRJKBQIo53fk9e6aQFW8ouhBalcrK&Kj6ly=ATY8dPG0edH0BnWP
  http://www.padel-ledverlichting.com/zaip/?uTuD=VMl0kTGiLv6+9uC4kXZCOUac89eA793hkqRSWyRZiMWUSZoW8TnTCIGiJeNvK0ayTM7I4uZw&Kj6ly=ATY8dPG0edH0BnWP
  http://www.weixiaotuo.com/zaip/?uTuD=H2kDIyzMk/WxTtoutr62v+/lCcF+T9KTCb4SMmgzStINz+8mAXNjUbsFrkIz4ubeT0NVwsXw&Kj6ly=ATY8dPG0edH0BnWP
  http://www.khayacoffee.com/zaip/?uTuD=RgFPC/N76xEP4cygV2rz92vrzfKqnea0FH+LfdrseTZQpWGnTtVLJbWHq7+bFyGknH+2gV4S&Kj6ly=ATY8dPG0edH0BnWP
  http://www.kayonstore.com/zaip/?uTuD=5EPdImnDAMek2UUWF1u6JfCuMROmH1Xnu1QVO3Xfd7nHIyDzp0uSOBKFny1Z6mjpjk329I5C&Kj6ly=ATY8dPG0edH0BnWP
  http://www.simpaticostrategies.com/zaip/?uTuD=ZrnC8DRRO5VzILrcPaZmhJfisqVdH5EsYsF19dOhgn2eQEbGgn/ibeudCINXh/r08gey/e+m&Kj6ly=ATY8dPG0edH0BnWP
  http://www.quetaylor.com/zaip/?uTuD=HAqh6cOZnLOnS3SHH16MZHaJ4csidjMHsZ2CzJlUzLX8i4OfANm4LxD8egK5fR/yBMd3iy5T&Kj6ly=ATY8dPG0edH0BnWP
  http://www.atapoll.com/zaip/?uTuD=+GMt1v8bkkG9+5aoi5PPGpy93ojDZ0zt+0CiRAmjO7mrCda/qH2ab/5qYwAO8Tmkdsyhivnc&Kj6ly=ATY8dPG0edH0BnWP
  http://www.madlyrics.net/zaip/?uTuD=/kPr8Bya4HNZ++AxanM8HdhCEAGPGizPi2szuB+EyVsbFmEbPsOwyJWDVDczq0Zg9NoqGrIa&Kj6ly=ATY8dPG0edH0BnWP
Hosts (20):
  www.sunbear.net(3.64.163.50)
  www.padel-ledverlichting.com(91.184.0.100)
  www.arairazur.xyz()
  www.kayonstore.com(162.241.253.45)
  www.khayacoffee.com(52.37.245.235)
  www.quetaylor.com(3.64.163.50)
  www.gsjbd41.club()
  www.madlyrics.net(198.54.117.216)
  www.simpaticostrategies.com(198.54.116.202)
  www.y-promotion.com()
  www.atapoll.com(199.59.242.153)
  www.weixiaotuo.com(108.186.180.138)
  162.241.253.45
  44.238.240.115
  198.54.116.202
  91.184.0.100 - malicious
  198.54.117.215 - malicious
  199.59.242.153 - malicious
  3.64.163.50 - malicious
  108.186.180.138
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.0
VirusTotal: 20
Analyst: ZeroCERT

ID: 15307
Date: 2021-11-13 11:06
File: low-1087878423.xls
MD5: 8d7a8ba815b3f83ef3200028f23e0b9d
Tags: Downloader MSOffice File RWX flags setting unpack itself
Score: 0.8
Analyst: ZeroCERT

ID: 15308
Date: 2021-11-13 11:09
File: lianzhanst.exe
MD5: 96e4d115b0edc2d77fb7b447e11fda39
Tags: ASPack UPX PE File PE32 VirusTotal Malware Detects VMWare Check virtual network interfaces AntiVM_Disk sandbox evasion VMware anti-virtualization VM Disk Size Check Remote Code Execution Software crashed
Hosts (3):
  www.hzyotoy.com(218.12.76.163)
  bdtg.hzyotoy.com()
  www.zhaost.com88()
Score: 5.4
VirusTotal: 21
Analyst: ZeroCERT

ID: 15309
Date: 2021-11-13 11:11
File: 242.exe
MD5: 75adcf794cf086e354c4534f2a6f2369
Tags: RAT PWS .NET framework Generic Malware UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself Collect installed applications anti-virtualization installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
  185.215.113.109 - phishing
Signatures (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
Score: 7.4
VirusTotal: 34
Analyst: ZeroCERT

ID: 15310
Date: 2021-11-13 11:14
File: toolspab2.exe
MD5: bc4940fd19fe5e89a56a42833a39ef68
Tags: Malicious Library UPX AntiDebug AntiVM PE File OS Processor Check PE32 Malware PDB Code Injection Checks debugger buffers extracted unpack itself
Score: 6.0
Analyst: ZeroCERT

ID: 15311
Date: 2021-11-13 11:14
File: ry.exe
MD5: 6b37045bf22d1a6617551099626f4dec
Tags: PWS Loki[b] Loki.m RAT Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
  http://secure01-redirect.net/ga19/fre.php
Hosts (2):
  secure01-redirect.net(176.32.33.47)
  176.32.33.47
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 12.8
VirusTotal: 16
Analyst: ZeroCERT

ID: 15312
Date: 2021-11-13 11:16
File: 8577_1636402824_8748.exe
MD5: b1a0bc55343edb874ec4c54cbb5a21b4
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
Score: 2.6
VirusTotal: 50
Analyst: ZeroCERT

ID: 15313
Date: 2021-11-13 11:16
File: hk.exe
MD5: d80556615215eb36fa163f14720e6411
Tags: Loki PWS Loki[b] Loki.m RAT Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/ga22/fre.php - rule_id: 7884
  http://secure01-redirect.net/ga22/fre.php
Hosts (2):
  secure01-redirect.net(176.32.33.47)
  176.32.33.47
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://secure01-redirect.net/ga22/fre.php
Score: 12.8
VirusTotal: 33
Analyst: ZeroCERT

ID: 15314
Date: 2021-11-13 11:18
File: sefile.exe
MD5: e05a1928cd4ad6e8ffd8258bf653670b
Tags: Darkside Ransomware Cobalt Strike Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
Score: 1.8
VirusTotal: 20
Analyst: ZeroCERT

ID: 15315
Date: 2021-11-13 11:18
File: 2113_1636729338_8051.exe
MD5: 44ad735bb80385db6f54e921733dbf48
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
Score: 1.8
VirusTotal: 24
Analyst: ZeroCERT