15346 | 2021-11-13 13:18 | ZeroCERT
File: vbc.exe  MD5: c41c0066207793508de97c4c5d157f70
Tags: RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://cedarfalls.hopto.org/redeem2.txt
  http://cedarfalls.hopto.org/VpnHBe.txt
Hosts (2):
  cedarfalls.hopto.org (147.189.171.5)
  147.189.171.5
Suricata alerts (2):
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
  ET INFO HTTP Connection To DDNS Domain Hopto.org
Malicious URLs: none
Score: 12.2  VT detections: 22

15347 | 2021-11-13 13:20 | ZeroCERT
File: loads3.exe  MD5: 9453aa71524267a1ec46a7272db3f9e0
Tags: Malicious Library UPX PE File OS Processor Check PE32 PDB unpack itself
URLs: none
Hosts: none
Suricata alerts: none
Malicious URLs: none
Score: 1.0  VT detections: n/a

15348 | 2021-11-13 13:25 | ZeroCERT
File: loader1.exe  MD5: 18208aa1787da8cb3bfe2289a4a4a423
Tags: Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (12 unique of 15 listed):
  http://www.tangerineinit.com/ga6b/?DVEl=CgQkCL4kNOXVaMWaW+W+7tG2VuScNWe1RIrYKb/ikW2Nwi/NJBz1hnm9GQ2J2lMDdzGUFZgw&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.smartgadgetscompare.com/ga6b/?DVEl=vDaGXYd6gjLCQTqwOPGPy5LvomfttahAahHE85Q1VhlijdJF30llx7sZQyFNH9wmHXEWSldG&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.egyptian-museum.com/ga6b/?DVEl=CYKd0A9ffzzmh+HMixfnmJt+Ibe3PgwQT1IowcrJSMkSzDwRXwABXy8G05QumwrEDOfj2gVO&1bO8Ax=pFNTGZ90snzLa4C0 - rule_id: 7106
  http://www.digitaldreamcloud.net/ga6b/?DVEl=5WGPHl4VPD01j8M9M+tOINDYD63xyRqqO/w0s3LW3P/Qu5xC80vS+vfuMtj60mCVXiqL9STg&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.5559913.win/ga6b/?DVEl=BsLI4B+bmIypp6VG9i1mvBr3FbP6MnOeaOpeEVRsQMY9+2loXlkdnmFwfncWgaUkhHBh2x3h&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.nobodybutgod.com/ga6b/?DVEl=BS+Mkr60hnaz2VUqn6F4jElENEwbATWztr1txOlCDy4YTJ8rldrX7GuvTHEqc04l9LT0WVoV&1bO8Ax=pFNTGZ90snzLa4C0 - rule_id: 7109
  http://www.garageair.agency/ga6b/?DVEl=d08S4xcN/NMsorWpXwRlyCCH66HZh3etKhFBY5TZ8MkBXXhOwsqcJfUvANfm4lRK3xvcJJRx&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.necesryaou.com/ga6b/?DVEl=Z3o6N93v6CU4m7XtA/lbT1e4xE/jsIueflbFRezDyVtxMYEukOv94ScBegi/ZpW+oVO0nzHV&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.baohiemtv24h.com/ga6b/?DVEl=6dQVu8UHcZgaj0y03GzvAhfNwH0MHXa5ZY8rhbUdbCaY8PlbGz89x08imuD5bjryCUUXVHy+&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.ara7z.com/ga6b/?DVEl=f8p3ixvuysstkVkbxkSLsyQ08m5iiUSHUSQ+dEucd72/naUGjvA4vd8t8r7qlazlF5SpiXNT&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.onlinewritingjobs.net/ga6b/?DVEl=PI3t5I/vLPjLEXSAiMassyghn8jG+EohIXjBFkJ1Bgr3IKLvgafQ0xYRNHrG7F5KwDP0G4jF&1bO8Ax=pFNTGZ90snzLa4C0
  http://www.corvusexpeditii.xyz/ga6b/?DVEl=7T8vebYEf2GnHvqeOh/0TgFFgNzfckxTcBNzZeSGzjlNLlbJ9NDPNSTqSdLNqh5j9wLWy4Dd&1bO8Ax=pFNTGZ90snzLa4C0 - rule_id: 7112
Hosts (27):
  www.necesryaou.com (104.18.26.58)
  www.maviesurdvd.com (unresolved)
  www.tangerineinit.com (44.238.240.115)
  www.egyptian-museum.com (143.95.1.174)
  www.baohiemtv24h.com (209.99.40.222)
  www.digitaldreamcloud.net (52.214.224.110)
  www.corvusexpeditii.xyz (88.214.207.96)
  www.5559913.win (188.166.46.127)
  www.nobodybutgod.com (34.98.99.30)
  www.garageair.agency (172.67.213.197)
  www.onlinewritingjobs.net (35.213.169.61)
  www.smartgadgetscompare.com (185.210.145.38)
  www.era636.com (165.32.109.217)
  www.ara7z.com (103.56.98.73)
  35.213.169.61
  188.166.46.127
  104.18.27.58 - malicious
  103.56.98.73
  209.99.40.222 - malicious
  165.32.109.217
  185.210.145.38
  88.214.207.96 - malicious
  52.37.245.235
  104.21.75.49
  34.251.91.168
  34.98.99.30 - phishing
  143.95.1.174
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Malicious URLs (3):
  http://www.egyptian-museum.com/ga6b/
  http://www.nobodybutgod.com/ga6b/
  http://www.corvusexpeditii.xyz/ga6b/
Score: 7.0  VT detections: 35

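The URL column of this record, and of records 15353 and 15355 below, shows the pattern behind the "ET MALWARE FormBook CnC Checkin (GET)" alert: one short directory name and one fixed pair of query keys reused against a rotating list of domains. The following is an added example for this page, not code from the page or from ZeroCERT. It groups URLs by URI template (path plus sorted query keys) and flags templates that fan out across several distinct hosts, which is the signal a proxy log actually gives you. URLs 1-10 in SAMPLE_URLS are copied from records 15348, 15353 and 15355; the two example.* URLs, the 2-6 character path heuristic in looks_like_formbook_checkin and the min_domains threshold are constructed assumptions, not an ET signature.

```python
"""Cluster outbound GET URLs by URI template and flag templates that fan out
across many distinct domains, the shape of a FormBook check-in rotating
through its domain list.

Added example for this page; not code from the page or from ZeroCERT.
URLs 1-10 are copied from records 15348, 15353 and 15355 above; the two
https://*.example.* URLs, the 2-6 character path heuristic and the
min_domains threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

SAMPLE_URLS = [
    # record 15348 (path /ga6b/, keys DVEl and 1bO8Ax)
    "http://www.tangerineinit.com/ga6b/?DVEl=CgQkCL4kNOXVaMWaW+W+7tG2VuScNWe1RIrYKb/ikW2Nwi/NJBz1hnm9GQ2J2lMDdzGUFZgw&1bO8Ax=pFNTGZ90snzLa4C0",
    "http://www.smartgadgetscompare.com/ga6b/?DVEl=vDaGXYd6gjLCQTqwOPGPy5LvomfttahAahHE85Q1VhlijdJF30llx7sZQyFNH9wmHXEWSldG&1bO8Ax=pFNTGZ90snzLa4C0",
    "http://www.egyptian-museum.com/ga6b/?DVEl=CYKd0A9ffzzmh+HMixfnmJt+Ibe3PgwQT1IowcrJSMkSzDwRXwABXy8G05QumwrEDOfj2gVO&1bO8Ax=pFNTGZ90snzLa4C0",
    "http://www.nobodybutgod.com/ga6b/?DVEl=BS+Mkr60hnaz2VUqn6F4jElENEwbATWztr1txOlCDy4YTJ8rldrX7GuvTHEqc04l9LT0WVoV&1bO8Ax=pFNTGZ90snzLa4C0",
    "http://www.corvusexpeditii.xyz/ga6b/?DVEl=7T8vebYEf2GnHvqeOh/0TgFFgNzfckxTcBNzZeSGzjlNLlbJ9NDPNSTqSdLNqh5j9wLWy4Dd&1bO8Ax=pFNTGZ90snzLa4C0",
    "http://www.ara7z.com/ga6b/?DVEl=f8p3ixvuysstkVkbxkSLsyQ08m5iiUSHUSQ+dEucd72/naUGjvA4vd8t8r7qlazlF5SpiXNT&1bO8Ax=pFNTGZ90snzLa4C0",
    # record 15353 (path /kzk9/, keys p0G and wPX)
    "http://www.northeastonmusic.com/kzk9/?p0G=CbYt+EsKcgTkzmEIs4UmfBzuCeQEUakvE3DKOcFbSHbSDiJDbJqhrZ1M3l5T2SpOEh0qVbRM&wPX=BFNpdtd0Q2I8h",
    "http://www.donnachicacreperia.com/kzk9/?p0G=3f3ioWwNpTfwVsiElrlrwj4X94wpjxXh8fT/bENaiRBV55hnBCTfsMGV6VabREDm/LwFdYfN&wPX=BFNpdtd0Q2I8h",
    # record 15355 (same path /kzk9/, different keys x48hFDZp and CR)
    "http://www.synth.repair/kzk9/?x48hFDZp=g1hiHJPeQHzDzCgQGK/9UZNTMgX7Rjk5Lbn/m+2f074teto1fphomaeoo//jHfvlhwx9Iqft&CR=Cr-8QJE",
    "http://www.akomandr.com/kzk9/?x48hFDZp=SxulXjC5OwLjw6FfX6ooRAopWodOgf+a0ZDz3Gw2omqauvqdn7zgdHMKn+CFzQ77YMZ7QO1X&CR=Cr-8QJE",
    # constructed benign traffic
    "https://cdn.example.net/static/app.js?v=3",
    "https://www.example.org/search?q=formbook",
]

_SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,6}/$")
_B64ISH = re.compile(r"[A-Za-z0-9+/=]+")


def uri_template(url):
    """(path, sorted query keys): what stays constant while FormBook rotates hosts."""
    p = urlsplit(url)
    keys = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return (p.path, keys)


def looks_like_formbook_checkin(url):
    """Per-URL shape heuristic (an assumption, not the ET signature): plain HTTP,
    short alphanumeric directory, exactly two query parameters, the first of
    which carries a long base64-like blob."""
    p = urlsplit(url)
    if p.scheme != "http" or not _SHORT_DIR.match(p.path):
        return False
    params = p.query.split("&")
    if len(params) != 2:
        return False
    key, _, value = params[0].partition("=")
    return bool(key) and len(value) >= 40 and _B64ISH.fullmatch(value) is not None


def cluster_by_template(urls):
    """Map each URI template to the set of hostnames it was requested from."""
    groups = defaultdict(set)
    for u in urls:
        groups[uri_template(u)].add(urlsplit(u).hostname)
    return groups


def formbook_like_templates(urls, min_domains=3):
    """Templates seen against at least min_domains distinct hosts, largest fan-out
    first. Fan-out is the stronger signal: a single URL that passes the shape
    heuristic can be a tracking pixel, but one obfuscated key set reused across
    a dozen unrelated domains is the malware's domain list."""
    groups = cluster_by_template(urls)
    hits = {t: sorted(h) for t, h in groups.items() if len(h) >= min_domains}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for template, hosts in formbook_like_templates(SAMPLE_URLS).items():
        print(template, len(hosts), "hosts:", ", ".join(hosts))
    print("shape-heuristic hits:", sum(map(looks_like_formbook_checkin, SAMPLE_URLS)))
```

Treat a flagged cluster as a pivot set rather than a blocklist: FormBook is known to mix legitimate decoy domains into its list, and the sandbox itself only marked three of the twelve /ga6b/ hosts as malicious URLs. Note also that records 15353 and 15355 share the /kzk9/ path but use different query keys, so keying on the path alone would merge two builds while keying on (path, keys) keeps them apart.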
15349 | 2021-11-13 13:26 | ZeroCERT
File: mar-signature_request.exe  MD5: 479cffcb45bfb5e8b97858ce3cb2c128
Tags: Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder Browser ComputerName DNS crashed
URLs: none
Hosts: 1 (not listed)
Suricata alerts: none
Malicious URLs: none
Score: 7.0  VT detections: 24

15350 | 2021-11-14 18:08 | ZeroCERT
File: miner.exe  MD5: 3762bab8e1146f8ae6abd90d97b30cb9
Tags: Generic Malware PE64 PE File VirusTotal Malware
URLs: none
Hosts: none
Suricata alerts: none
Malicious URLs: none
Score: 1.4  VT detections: 39

15351 | 2021-11-14 18:09 | ZeroCERT
File: 7742_1636811177_5077.exe  MD5: aa557208f21ea676ff97d6cee2566ffe
Tags: RAT Generic Malware UPX Socket DNS Internet API Code injection ScreenShot Http API persistence AntiDebug AntiVM PE File PE32 .NET EXE Malware download VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee DNS
URLs (2):
  https://cdn.discordapp.com/attachments/902978026868965390/909005676829880410/AnthonySantosInventoryManagementSystem.dll
  https://cdn.discordapp.com/attachments/908722977724563480/909071436805726248/Client.exe
Hosts (3):
  cdn.discordapp.com (162.159.130.233) - malware
  45.61.138.237
  162.159.129.233 - malware
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE TinyNuke VNC Checkin
Malicious URLs: none
Score: 9.4  VT detections: 2

15352 | 2021-11-14 18:10 | ZeroCERT
File: uk.exe  MD5: e0d0f69523666930260d57f7a5484038
Tags: PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed
URLs: none
Hosts: 1 (not listed)
Suricata alerts: none
Malicious URLs: none
Score: 9.4  VT detections: 27

15353 | 2021-11-14 18:10 | ZeroCERT
File: dllhost.exe  MD5: 1ad9efcddab819d24cca2f9323395f9e
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows
URLs (2):
  http://www.northeastonmusic.com/kzk9/?p0G=CbYt+EsKcgTkzmEIs4UmfBzuCeQEUakvE3DKOcFbSHbSDiJDbJqhrZ1M3l5T2SpOEh0qVbRM&wPX=BFNpdtd0Q2I8h
  http://www.donnachicacreperia.com/kzk9/?p0G=3f3ioWwNpTfwVsiElrlrwj4X94wpjxXh8fT/bENaiRBV55hnBCTfsMGV6VabREDm/LwFdYfN&wPX=BFNpdtd0Q2I8h
Hosts (4):
  www.northeastonmusic.com (34.102.136.180)
  www.donnachicacreperia.com (162.241.203.130)
  34.102.136.180 - malicious
  162.241.203.130
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Malicious URLs: none
Score: 9.8  VT detections: 38

15354 | 2021-11-14 18:13 | ZeroCERT
File: vbc.exe  MD5: c4318a253bdb17851bcbee433dc988c4
Tags: Loki PWS Loki[b] Loki.m RAT Generic Malware Antivirus Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software
URLs (1 unique of 2 listed):
  http://gridnetworks.xyz/five/fre.php - rule_id: 7189
Hosts (2):
  gridnetworks.xyz (172.67.209.118)
  172.67.209.118
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://gridnetworks.xyz/five/fre.php
Score: 16.2  VT detections: 36

15355 | 2021-11-14 18:13 | ZeroCERT
File: dllhost.exe  MD5: 7d22b7632fc02e12438e7748eca086b4
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2):
  http://www.synth.repair/kzk9/?x48hFDZp=g1hiHJPeQHzDzCgQGK/9UZNTMgX7Rjk5Lbn/m+2f074teto1fphomaeoo//jHfvlhwx9Iqft&CR=Cr-8QJE
  http://www.akomandr.com/kzk9/?x48hFDZp=SxulXjC5OwLjw6FfX6ooRAopWodOgf+a0ZDz3Gw2omqauvqdn7zgdHMKn+CFzQ77YMZ7QO1X&CR=Cr-8QJE
Hosts (4):
  www.akomandr.com (216.239.34.21)
  www.synth.repair (52.217.223.61)
  52.216.89.2
  216.239.38.21 - phishing
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Malicious URLs: none
Score: 8.0  VT detections: 22

15356 | 2021-11-14 18:14 | ZeroCERT
File: 231.exe  MD5: cfc59bc8b478578358711bbc68506c3b
Tags: AntiDebug AntiVM PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare VMware anti-virtualization installed browsers check Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
URLs: none
Hosts: 1 (not listed)
Suricata alerts: none
Malicious URLs: none
Score: 15.0  VT detections: 22

15357 | 2021-11-14 18:14 | ZeroCERT
File: Client.exe  MD5: be5c1be0364b3ec5644e1ae66fb1438b
Tags: Generic Malware Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 Malware download VirusTotal Malware PDB buffers extracted DNS
URLs: none
Hosts: 1 (not listed)
Suricata alerts (1):
  ET MALWARE TinyNuke VNC Checkin
Malicious URLs: none
Score: 2.6  VT detections: 39

15358 | 2021-11-14 18:16 | ZeroCERT
File: S.exe  MD5: cdfb55fc43a7b0a4e5e13f8c0af5f6a6
Tags: Generic Malware Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
URLs: none
Hosts: none
Suricata alerts: none
Malicious URLs: none
Score: 2.2  VT detections: 42

15359 | 2021-11-14 18:17 | ZeroCERT
File: ShareFolder.exe  MD5: 48b0a9eff9c4934c0b0b8875b8867ac5
Tags: Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
URLs: none
Hosts: 1 (not listed)
Suricata alerts: none
Malicious URLs: none
Score: 3.2  VT detections: 46

15360 | 2021-11-14 18:19 | ZeroCERT
File: 232.exe  MD5: d612f933a765ea9a122d3f66b9f278a8
Tags: RAT PWS .NET framework Generic Malware UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself Collect installed applications anti-virtualization installed browsers check Windows Browser ComputerName DNS Cryptographic key crashed
URLs: none
Hosts (1):
  185.215.113.109 - phishing
Suricata alerts (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
Malicious URLs: none
Score: 6.4  VT detections: 41
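The host column of these records uses one compact notation throughout: "domain(resolved_ip)" or a bare IP, optionally followed by " - <verdict>", with "()" when the lookup returned nothing. The following is an added example for this page, not code from the page or from ZeroCERT. It parses that notation into structured indicators, merges the duplicate IP entries the listing produces (once behind a domain, once bare with a verdict), and runs the result against a few log lines, also flagging any dynamic-DNS lookup the way the ET POLICY alert on record 15346 does. The HOST_COLUMNS strings are copied from records 15346, 15348 (a subset), 15351 and 15360; the DDNS suffix list, the log lines and their layout are constructed assumptions.

```python
"""Parse the host column of the sandbox records on this page into structured
indicators and run them against a few log lines.

Added example for this page; not code from the page or from ZeroCERT. The
HOST_COLUMNS strings are copied from records 15346, 15348 (a subset), 15351
and 15360, in the listing's own notation: "domain(resolved_ip)" or a bare IP,
optionally followed by " - <verdict>". The DDNS suffix list, the log lines and
the log line layout are constructed assumptions.
"""
import re
from dataclasses import dataclass

HOST_COLUMNS = {
    "15346": "cedarfalls.hopto.org(147.189.171.5) 147.189.171.5",
    "15348": ("www.nobodybutgod.com(34.98.99.30) www.maviesurdvd.com() "
              "www.corvusexpeditii.xyz(88.214.207.96) "
              "34.98.99.30 - phishing 88.214.207.96 - malicious"),
    "15351": ("cdn.discordapp.com(162.159.130.233) - malware 45.61.138.237 "
              "162.159.129.233 - malware"),
    "15360": "185.215.113.109 - phishing",
}

# Dynamic-DNS provider suffixes (constructed, partial list for the example).
DDNS_SUFFIXES = ("hopto.org", "no-ip.org", "ddns.net", "duckdns.org")

ENTRY = re.compile(
    r"(?P<name>[A-Za-z0-9][A-Za-z0-9.\-]*)"  # domain or bare IPv4
    r"(?:\((?P<ip>[0-9.]*)\))?"              # resolved IP; "()" when unresolved
    r"(?: - (?P<tag>[a-z]+))?"               # optional verdict tag
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Ioc:
    kind: str    # "domain" or "ip"
    value: str
    record: str  # sandbox record the indicator came from
    tag: str     # verdict from the listing, "" when none


def is_ddns(hostname):
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


def parse_hosts(record, column):
    """One record's host column -> Ioc list. A resolved domain yields the domain
    and its IP; an unresolved one ("()") yields only the domain."""
    out = []
    for m in ENTRY.finditer(column):
        name, ip, tag = m.group("name"), m.group("ip"), m.group("tag") or ""
        if IPV4.match(name):
            out.append(Ioc("ip", name, record, tag))
            continue
        out.append(Ioc("domain", name.lower(), record, tag))
        if ip:
            out.append(Ioc("ip", ip, record, tag))
    return out


def build_index(columns=HOST_COLUMNS):
    """(kind, value) -> Ioc. The listing often shows an IP twice, once behind a
    domain and once bare with a verdict; keep whichever copy carries a tag."""
    idx = {}
    for rec, col in columns.items():
        for ioc in parse_hosts(rec, col):
            key = (ioc.kind, ioc.value)
            if key not in idx or (not idx[key].tag and ioc.tag):
                idx[key] = ioc
    return idx


# Constructed log lines: "<timestamp> <client> <dns|http> <target>".
SAMPLE_LOG = """\
2021-11-15T08:01:02Z 10.0.0.12 dns cedarfalls.hopto.org
2021-11-15T08:01:03Z 10.0.0.12 http 147.189.171.5
2021-11-15T08:05:44Z 10.0.0.31 dns www.nobodybutgod.com
2021-11-15T08:07:10Z 10.0.0.31 dns www.maviesurdvd.com
2021-11-15T08:09:00Z 10.0.0.77 dns updates.example.com
2021-11-15T08:12:30Z 10.0.0.77 dns other-box.hopto.org
2021-11-15T08:15:00Z 10.0.0.90 http 185.215.113.109
"""


def match_log(log_text, idx=None):
    """Return (line_no, client, target, source, verdict) for every line whose
    target is a known indicator, plus any DDNS lookup even if it is not listed
    (the ET POLICY alert on record 15346 fires on the suffix, not the host)."""
    idx = build_index() if idx is None else idx
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        _ts, client, _kind, target = line.split()
        kind = "ip" if IPV4.match(target) else "domain"
        ioc = idx.get((kind, target.lower()))
        if ioc is not None:
            hits.append((n, client, target, "record " + ioc.record, ioc.tag or "untagged"))
        elif kind == "domain" and is_ddns(target):
            hits.append((n, client, target, "no record", "ddns"))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(*hit)
```

Two caveats before turning this into a blocklist. Record 15351 tags cdn.discordapp.com as "malware" only because the sample fetched its payload from there; it is shared infrastructure, so key on the full attachment URL rather than the host. Likewise, many bare IPs in record 15348 sit in Cloudflare and Google ranges (104.18.x, 172.67.x, 34.x) shared with legitimate sites; the domain entries are the usable indicators there, and the IPs are context.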