| 15541 |
2021-11-18 08:22
|
 office.exe b99700a45b29cd93558629b868d1f0c1
Antivirus Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware AutoRuns Windows DNS |
|
1
|
|
|
4.8 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15542 |
2021-11-18 08:24
|
 2690_1636884579_4822.exe 42bef8c160d0b00cb4c26f713b7e9d3f
RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
|
|
6.2 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15543 |
2021-11-18 08:24
|
 Systemltd.exe 84ee3ad9ae07bf078a255ebf59a216a6
RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName |
1
https://cdn.discordapp.com/attachments/909861975964659745/910208045328531528/x.dll
|
2
cdn.discordapp.com(162.159.135.233) - malware
162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15544 |
2021-11-18 08:26
|
 9370_1636985686_7616.exe 0198c5a612317a06f11abbe95294408e
RAT Generic Malware PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
1
https://cdn.discordapp.com/attachments/907388240229716010/909788097527545866/45756734124235.exe
|
3
cdn.discordapp.com(162.159.129.233) - malware
162.159.135.233 - malware
93.115.20.139 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15545 |
2021-11-18 08:27
|
 TSO_011020_10063863221.exe ee997c35fca1094cf6ca6ca00e410f78
RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(193.122.6.168)
131.186.113.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
14.6 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15546 |
2021-11-18 08:29
|
 6111_1636987952_2658.exe 56324b7b63d05f41ce9b5b02a1a284f2
NPKI AntiDebug AntiVM PE File PE32 Browser Info Stealer FTP Client Info Stealer Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
|
|
11.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15547 |
2021-11-18 08:30
|
 srfs.exe a32ab1ff2ec5f835b6456bb20a356e5e
Gen1 Generic Malware Themida Packer Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Malicious Traffic Check memory Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare VMware anti-virtualization installed browsers check Windows Browser Email ComputerName Firmware DNS crashed |
8
http://45.95.235.77/softokn3.dll
http://45.95.235.77/6LuciSfmJZ.php
http://45.95.235.77/vcruntime140.dll
http://45.95.235.77/msvcp140.dll
http://45.95.235.77/freebl3.dll
http://45.95.235.77/mozglue.dll
http://45.95.235.77/sqlite3.dll
http://45.95.235.77/nss3.dll
|
1
|
3
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
|
12.2 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15548 |
2021-11-18 08:31
|
 jay.jpg bd5c3ee098497398ee0f1a08b37923e1
RAT PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
1
http://www.uslugi-email.site/jy0b/?jBZ4=HW3oe3dLfLkFpuABY1JtXYDCS2cfvkVkZm2Pi0bCKxVjKzZMsr5DahcmDzHoWriW5XKcS2cH&1bz=WXrtCbzPm
|
4
www.uslugi-email.site(172.67.149.22)
www.expressdiagnostics.info()
www.greendylife.com()
172.67.149.22
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15549 |
2021-11-18 08:31
|
 .csrss.exe 47bb87e13ffafcf6abbc5908a48c4d08
PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
|
1
63.250.40.204 - mailcious
|
|
|
14.2 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15550 |
2021-11-18 08:33
|
 vbc.exe 06451b346cd5a8c319f2ca34212ee91f
PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://secure01-redirect.net/gb8/fre.php
|
2
secure01-redirect.net(193.109.78.71)
193.109.78.71
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
13.2 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15551 |
2021-11-18 08:34
|
 vbc.exe fae2478fe97d52d83a21c91e6148ed78
PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
6
http://www.tipsforgirldads.net/ns87/?Bb=7NICfTjg9rWe1IaBYb9bXd28etantL1LIkJBClyu8nD3vaLqLb05dLPrZfP3yJDwM8xDNNzd&uTg8S=yVCTVbEP
http://www.mgav40.xyz/ns87/?Bb=wycJjFnDvylI43fv6KpMQc8rVvW+hcYGgppEjHLuLAW83I4mOtXO2XaQvmgK/rXSX/WXZ/Y7&uTg8S=yVCTVbEP
http://www.rubberyslouka.xyz/ns87/?Bb=NKXuIeOboa3kyHogN1PTDFw2VYj7piDRZT9pD+V52F1teeXhnDfMjOGAyar8yFMCEMSAjEyj&uTg8S=yVCTVbEP
http://www.autisticadhdcoach.com/ns87/?Bb=pdb8rjOdupMbq2TKayWDhmqgBnKYMtbDZp41HdONmP3ekDy02NHFIRkCsXK+XuSS+2VDDgrq&uTg8S=yVCTVbEP
http://www.witwiam.com/ns87/?Bb=cAmFYN0ge4TVotu+W/aIFTDRmmuIrvuhQ/2IozNASOEeTJPEotvt0u2lEtqO6gckwEdsSuQ8&uTg8S=yVCTVbEP
http://www.abovecover.net/ns87/?Bb=epheG0qfNnPIcCA0yk8T9X9Typ7ZoXx8B7X0V3Epq1wlVrE6BsEy9658vynLcoiPGHxPl+Pn&uTg8S=yVCTVbEP
|
15
www.abovecover.net(34.98.99.30)
www.autisticadhdcoach.com(199.34.228.159)
www.witwiam.com(34.102.136.180)
www.mgav40.xyz(45.128.51.66)
www.tipsforgirldads.net(208.91.197.27)
www.rubberyslouka.xyz(198.54.117.216)
www.toyotabacninhcn.com()
www.mchaskell.com(88.214.207.96)
198.54.117.211 - phishing
34.102.136.180 - mailcious
208.91.197.27 - mailcious
45.128.51.66
88.214.207.96 - mailcious
34.98.99.30 - phishing
199.34.228.159
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
10.4 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15552 |
2021-11-18 08:35
|
 8102_1637053425_3753.exe 58e37acf9f2ad681a0fdb5470315ed4f
RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Collect installed applications powershell.exe wrote suspicious process WriteConsoleW installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
2
www.toyotabacninhcn.com()
37.61.213.242
|
|
|
12.6 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15553 |
2021-11-18 08:35
|
 vbc.exe b8ecacd6489899bdfa00948c3992ea92
AgentTesla RAT PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Antivirus Create Service Socket Code injection Sniff Audio KeyLogger Escalate priviledges Downloader AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process WriteConsoleW VMware anti-virtualization Windows ComputerName DNS Cryptographic key Software keylogger |
|
1
|
|
|
18.2 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15554 |
2021-11-18 08:37
|
 at.exe 0dcbd79d3ef702f1a33ae9fef6fdef06
Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows DNS |
|
1
|
|
|
9.6 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15555 |
2021-11-18 08:41
|
 vbc.exe cad43af39f983c31ad5579ea34a31457
Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
14
http://www.seeklightandlogic.com/p0se/?AdhDQXr=v8eOpJ5pSZtRbrnsGw2QoU0Tcaab59HZDYF9JUKf6F2sNlVv9XFNl00F9pnyMp41hSNpW5ZC&pPU=EFQxUrRpC2Qh
http://www.sarasotacountysolar.com/p0se/?AdhDQXr=OYXzUVkbQBn87X4UVLPoQM44BgjEbFTY849uuOiCiLBhqJKfoUJue64IIPZ3m3EV1TLdLQTt&pPU=EFQxUrRpC2Qh
http://www.bailios.com/p0se/?AdhDQXr=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&pPU=EFQxUrRpC2Qh - rule_id: 7680
http://www.bailios.com/p0se/?AdhDQXr=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&pPU=EFQxUrRpC2Qh
http://www.mgav67.xyz/p0se/?AdhDQXr=HYHuyWMWS1fgLIUv7k1a3h0sjyQ2H8/HDVflvgP37+tigXoTURpSGq5OVapW4G89DO8EvEpq&pPU=EFQxUrRpC2Qh
http://www.trungtambtx.com/p0se/?AdhDQXr=EN+pW9frennecAWJgD6Rqtphsaf+/pY6cu4GooIXx/aM/sJfkFY0WH3Frw9ZmW1T0AAd/bHA&pPU=EFQxUrRpC2Qh
http://www.graylinkelectric.com/p0se/?AdhDQXr=TJBl9Xef33zqqB/TYYZ5Zr06Zjo1jum6QYq+egGPBuXzqcA7sn5bcltUsvWL9smVZn+gpIyw&pPU=EFQxUrRpC2Qh
http://www.teo-by.com/p0se/?AdhDQXr=FeJFAF+obH72CQbbPLarFy8KNhiLPhM71Jd9G4PYUxenhMp7DosU+Y1W6Wtf4fJWftA5N6Wd&pPU=EFQxUrRpC2Qh
http://www.oprimanumerodos.com/p0se/?AdhDQXr=xlYZ5X0oz3/WSnhnuO8VLYURni7dK5M/z3/1M5B1eWdqmk4yw0hlgYU/AWpZpglM84vVPpwr&pPU=EFQxUrRpC2Qh - rule_id: 7683
http://www.oprimanumerodos.com/p0se/?AdhDQXr=xlYZ5X0oz3/WSnhnuO8VLYURni7dK5M/z3/1M5B1eWdqmk4yw0hlgYU/AWpZpglM84vVPpwr&pPU=EFQxUrRpC2Qh
http://www.bestexpecting.com/p0se/?AdhDQXr=aASfAAL76qMqqLN3P5FTu5qU9JswWMTr4/m2v90Be8FVcTL4yVaKxlDSmQkhSQbnDGJjdHVZ&pPU=EFQxUrRpC2Qh - rule_id: 7686
http://www.bestexpecting.com/p0se/?AdhDQXr=aASfAAL76qMqqLN3P5FTu5qU9JswWMTr4/m2v90Be8FVcTL4yVaKxlDSmQkhSQbnDGJjdHVZ&pPU=EFQxUrRpC2Qh
http://www.attractivereviews.com/p0se/?AdhDQXr=ovk/jIrnGvNklwPKoDa/FgXcfy4LLp6cpdBpVVYi4PmHjc59s+hx7TQFj4PK4LVd8vVfURbY&pPU=EFQxUrRpC2Qh - rule_id: 7685
http://www.attractivereviews.com/p0se/?AdhDQXr=ovk/jIrnGvNklwPKoDa/FgXcfy4LLp6cpdBpVVYi4PmHjc59s+hx7TQFj4PK4LVd8vVfURbY&pPU=EFQxUrRpC2Qh
|
23
www.bestexpecting.com(23.227.38.74)
www.bailios.com(154.23.202.51)
www.seeklightandlogic.com(50.87.195.38)
www.theleadersmanifesto.com()
www.trungtambtx.com(103.90.234.17)
www.sarasotacountysolar.com(34.102.136.180)
www.mgav67.xyz(45.128.51.67)
www.oprimanumerodos.com(34.102.136.180)
www.graylinkelectric.com(194.195.211.26)
www.iscinet.com()
www.dhakhtarka.net()
www.ethicalvibe.com()
www.teo-by.com(185.104.45.81)
www.attractivereviews.com(156.240.151.190)
185.104.45.81
156.240.151.190
50.87.195.38
194.195.211.26
103.90.234.17
34.102.136.180 - mailcious
45.128.51.67
154.23.202.51
23.227.38.74 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
4
http://www.bailios.com/p0se/
http://www.oprimanumerodos.com/p0se/
http://www.bestexpecting.com/p0se/
http://www.attractivereviews.com/p0se/
|
5.8 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|