15316 | 2021-11-13 11:20
9565_1636743030_8404.exe 8d9328dd33c28b417ff4909192e276d5 | RAT PWS .NET framework Generic Malware UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications anti-virtualization installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
8.2 | | 23 | ZeroCERT

15317 | 2021-11-13 11:21
.csrss.exe 6009a6b7f11df3bb0c659e0772e617c1 | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
4 | http://www.cryptosgeneration.com/h6eg/?kHQD=lPsgH58Bpxx7oZkq1FFHygzTxLdTAu4EQM6Wo9usgVGVXIQ/2b7/WLH9KH8cdwSjURgYqzNi&uTxXo=hpmHi6apOhLH3pI http://www.cavallitowerofficial.net/h6eg/?kHQD=N94FWVaNNMuG9BwlOsLcdDJ3Sv+b9pM8NsaNHjKzbOQOm1ujqSwIdQ4MLzqGtDvJiiFUcZ85&uTxXo=hpmHi6apOhLH3pI http://www.archie-cnc.com/h6eg/?kHQD=7Q2AY/k8+XVGP6f6bbkpDj3SLIEBwpI+7fiFnAzZGW3CvS+glgSydbazoDMFq56IJL8yAA4p&uTxXo=hpmHi6apOhLH3pI http://www.99000777.com/h6eg/?kHQD=JYobam77rDlOQKPpfHPbtEwg8lon5QmNO+VHoncOOfV/VHWoj7snn26aYoNMXfdt4GkV4TzH&uTxXo=hpmHi6apOhLH3pI
10 | www.archie-cnc.com(160.153.137.40) www.uuckpp.com() www.99000777.com(104.21.92.51) www.mdf108.space(119.8.50.32) www.cavallitowerofficial.net(34.102.136.180) www.cryptosgeneration.com(34.102.136.180) 104.21.92.51 119.8.50.32 34.102.136.180 - mailcious 160.153.137.40 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
10.0 | | 44 | ZeroCERT

15318 | 2021-11-13 11:22
file_01.exe 1cf8a1b380edfa63134bed8ef0a4062d | Malicious Library UPX PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | 63.250.40.204 - mailcious
10.8 | | 26 | ZeroCERT

15319 | 2021-11-13 11:23
vbc.exe 6aed2cef774b6b6e9fe38a2e804fe561 | RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://cedarfalls.hopto.org/PbPucB.txt http://cedarfalls.hopto.org/redeem2.txt
2 | cedarfalls.hopto.org(147.189.171.5) 147.189.171.5
2 | ET POLICY DNS Query to DynDNS Domain *.hopto .org ET INFO HTTP Connection To DDNS Domain Hopto.org
12.4 | | 38 | ZeroCERT

15320 | 2021-11-13 11:24
ben.exe 3e1e27b5fc6dda21675ad901ab59c391 | PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
9.0 | | 37 | ZeroCERT

15321 | 2021-11-13 11:24
2905_1636735632_746.exe 3bd6f1203d096e38b85b1d72ea5b0c2c | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
1.8 | | 25 | ZeroCERT

15322 | 2021-11-13 11:26
version-1561770706.xls 31416ebbc605c43a9683d27920d7800c | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
2 | https://imperialmm.com/423QuvpC/fe.html https://nimixtutorials.ir/Spi1mddp6iW2/fe.html
4 | imperialmm.com(192.185.216.245) nimixtutorials.ir(213.239.202.83) 213.239.202.83 192.185.216.245 - phishing
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.6 | | | guest

15323 | 2021-11-13 11:27
.winlogon.exe f2a5e9b90a3c266f888fe2d839048950 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed
1 |
2 | www.google.com(142.250.196.132) 172.217.24.100
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | | 30 | ZeroCERT

15324 | 2021-11-13 11:29
xtain.exe 2373461f92033cdb39e3893a5ad1f123 | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
2 | http://www.liaslaton.com/nqm8/?BRjh4N=m6ENHuSXI8epq9TtBAffdS1XBgHpHPYHVBiHVVTVHbObzCH2mByRXo6SuupJqVHGSGLgz8PZ&J46Tz=ARm8z0AXOho0lfH0 http://www.gr8leiloes.com/nqm8/?BRjh4N=LYveQGN0HC2s91DJ4jTrcI9QJwKghOg5qC83BiZc7Y1oyqER8JVPG76yniLNcbVr5+leG1NB&J46Tz=ARm8z0AXOho0lfH0
5 | www.gr8leiloes.com(104.21.32.176) www.golosmega.online() www.liaslaton.com(54.250.33.70) 172.67.153.47 54.250.33.70
1 | ET MALWARE FormBook CnC Checkin (GET)
8.4 | | 40 | ZeroCERT

15325 | 2021-11-13 11:29
.winlogon.exe 4171b0923b78c2e5322eea578d54937c | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key crashed
1 |
3 | www.google.com(142.250.196.132) 172.217.24.100 13.107.21.200
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 | | 41 | ZeroCERT

15326 | 2021-11-13 11:31
version-1561719888.xls 0e4546d44dc83700a936d8b6b81475f1 | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
2 | https://imperialmm.com/423QuvpC/fe.html https://nimixtutorials.ir/Spi1mddp6iW2/fe.html
4 | imperialmm.com(192.185.216.245) nimixtutorials.ir(213.239.202.83) 213.239.202.83 192.185.216.245 - phishing
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.6 | | | guest

15327 | 2021-11-13 11:32
5752_1636656439_9604.exe 1790eae1cc50666ee6239bdd13123039 | Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization installed browsers check Stealer Windows Browser Email ComputerName Firmware DNS crashed
2 | http://37.1.211.108/sqlite3.dll http://37.1.211.108/door.php
1 |
4 | ET INFO Dotted Quad Host DLL Request ET MALWARE Win32/Vidar Variant Stealer CnC Exfil ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
18.6 | | 34 | ZeroCERT

15328 | 2021-11-13 11:33
Win_32Activator_kl_nt4_Itself.... 98101e48213904b5ea6e88856f361040 | Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
9.0 | | 16 | ZeroCERT

15329 | 2021-11-13 11:36
macc.exe 1fc555b7fcb6c2587e8a51c215f10dfe | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
5 | http://www.unarecord.com/noha/?hN9pAXih=YvZkpRzIvhyEmlzzRS448ue/J8Mk5cJYV8d0kFvUSx81G2wer5LDh4vokaiGyVzfr6bGhK1c&uTd4S=yVCT5lNPHjzh0XO - rule_id: 5964 http://www.phalcosnusa.com/noha/?hN9pAXih=x/yaKxng9WMCpV2HKcNVx+f+UadKvXtNm/2VkXIBnhOHfQyEe8IZ3Rq7ebcPDsx3GYujK8QG&uTd4S=yVCT5lNPHjzh0XO http://www.nextgenproxyvote.com/noha/?hN9pAXih=j00ucNHSkHRYrjrfFGzLdJ8XGz0kN4GBwxRCM9UEvfF9+fOHPjBADx1I2IYUM2eYmqOdZN/G&uTd4S=yVCT5lNPHjzh0XO http://www.478762.com/noha/?hN9pAXih=u1FPpIjIYhRqXmY5aJHx4hhflrhnkf8R3z2d+r6sXQdqPK1irqw+6UGaBROORQBYWmhBhcIF&uTd4S=yVCT5lNPHjzh0XO http://www.bois-applique.com/noha/?hN9pAXih=bUhQERLpyNF3S/4WPZx/2yInVQcXiLPDhxdoMCXhoM+5+115cTKOZoaz7w3+FhRX4eW13PBz&uTd4S=yVCT5lNPHjzh0XO - rule_id: 5965
15 | www.surveyplanetgroup.tech() www.bois-applique.com(178.32.114.31) www.fisworkdeck.com() www.nextgenproxyvote.com(52.216.22.26) www.478762.com(94.74.98.218) www.kweeka.money() www.mglracing.com() - mailcious www.unarecord.com(52.118.136.180) www.phalcosnusa.com(166.88.19.180) www.data2form.com() 166.88.19.181 - mailcious 52.118.136.180 - mailcious 52.217.163.221 119.13.86.101 178.32.114.31 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
2 | http://www.unarecord.com/noha/ http://www.bois-applique.com/noha/
9.2 | M | 40 | ZeroCERT

15330 | 2021-11-13 13:00
vbc.exe ad21e35c0fae8bdeda31a26faa028305 | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.6 | | 47 | ZeroCERT