15556 |
2021-11-18 08:42
|
emezx.exe 476f7ccfae367d3a1379c260ca28b8d5 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.amarabeautyusa.com/e5dn/?jFNHix=uIU+nU5Vgs1EY4BcJXImi/K0kvoxBW2+Ng39xbhDV2f5mkmk7Xhc9otXYXZ5SZ1+EqyU/DPs&Ppm=_0GDCjlXRtr4u http://www.vacationrentalsevl.com/e5dn/?jFNHix=e5+rFRN0xj3xAkWo1u3ce595ulJ85BFGM8+HO3ZHf7C9OoKGTh4OvkDrFg6Mb1zcsH5Dhoxq&Ppm=_0GDCjlXRtr4u http://www.rudolphsxmasdeco.com/e5dn/?jFNHix=RRZWsocGvQ06sUL2ZL1chxZMtMsFzt1qpW0i+rxBvsMwb9TW15FyBsPQ6HasC8GDlFXmJy77&Ppm=_0GDCjlXRtr4u
|
6
www.rudolphsxmasdeco.com(23.227.38.74) www.vacationrentalsevl.com(34.102.136.180) www.amarabeautyusa.com(34.117.168.233) 23.227.38.74 - mailcious 34.117.168.233 34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
|
40 |
ZeroCERT
15557 |
2021-11-18 08:43
|
XUBS 86a05c561153b2d3c796ce5162523c40 Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS |
|
28
|
5
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 8 ET CNC Feodo Tracker Reported CnC Server group 13 ET CNC Feodo Tracker Reported CnC Server group 18
|
|
5.6 |
|
36 |
ZeroCERT
15558 |
2021-11-18 10:04
|
y76gkOkGrbYHjh.dll 722f898d814e4d04ed7c41bde6760eff Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Checks debugger unpack itself sandbox evasion ComputerName |
|
|
|
|
2.0 |
|
|
블루
15559 |
2021-11-18 10:25
|
f59ovCcsI09zqD8KZ0o.dll bd63c91ebde9fde16b3ce1b890074baa PE File PE32 DLL VirusTotal Malware |
|
|
|
|
1.0 |
|
15 |
Kim.GS
15560 |
2021-11-18 10:27
|
f59ovCcsI09zqD8KZ0o.dll bd63c91ebde9fde16b3ce1b890074baa PE File PE32 DLL VirusTotal Malware |
|
|
|
|
1.0 |
|
15 |
Kim.GS
15561 |
2021-11-18 10:29
|
f59ovCcsI09zqD8KZ0o.dll bd63c91ebde9fde16b3ce1b890074baa PE File PE32 DLL VirusTotal Malware |
|
|
|
|
1.0 |
|
15 |
Kim.GS
15562 |
2021-11-18 10:43
|
y76gkOkGrbYHjh.dll 722f898d814e4d04ed7c41bde6760eff Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot Malware Report Checks debugger ICMP traffic unpack itself sandbox evasion Kovter ComputerName DNS |
|
20
|
6
ET CNC Feodo Tracker Reported CnC Server group 18 ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 5 ET CNC Feodo Tracker Reported CnC Server group 13
|
|
5.4 |
|
|
블루
15563 |
2021-11-18 12:55
|
octafx4setup.exe 568e1204996456984c05f12de9201168 Gen2 Formbook Generic Malware UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware Check memory buffers extracted WMI unpack itself Check virtual network interfaces AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee ComputerName Remote Code Execution DNS |
1
http://crt.usertrust.com/USERTrustECCAddTrustCA.crt
|
23
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
1 |
C0d3_22
15564 |
2021-11-18 13:01
|
t-rex.exe d8a71db524074bb8b29928c141a570f9 Malicious Library PE64 PE File VirusTotal Malware |
|
|
|
|
1.8 |
|
44 |
C0d3_22
15565 |
2021-11-18 13:10
|
7wmp0b4s.rsc b258374a8e32542b9eba337a3f82f5b1 AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.8 |
|
2 |
C0d3_22
15566 |
2021-11-18 13:16
|
http://chek.zennolab.com/proxy... b6dc5502b3a9e484f096210896f467f5 Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
http://chek.zennolab.com/proxy.php http://chek.zennolab.com/favicon.ico
|
2
chek.zennolab.com(37.1.223.41) 37.1.223.41
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
|
C0d3_22
15567 |
2021-11-18 13:34
|
PCHealthCheck.exe c5a267398167c6a47f81a89056761528 Gen2 Generic Malware Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library UPX PE64 PE File OS Processor Check PDB Remote Code Execution |
|
|
|
|
0.4 |
|
|
C0d3_22
15568 |
2021-11-18 13:47
|
balzak.html c8975f3bb4a94c035e7b3a4594c8dab0 Generic Malware UPX Antivirus AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key |
2
http://198.252.108.121/images/bird.png http://94.140.115.0/images/bird.png
|
2
94.140.115.0 198.252.108.121
|
3
ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.8 |
|
3 |
ZeroCERT
15569 |
2021-11-18 13:49
|
4637_1637095941_5016.exe 8c96471e0c39a68c73fcd9cf571b9cdc Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
|
43 |
ZeroCERT
15570 |
2021-11-18 13:50
|
invoice_0003900000.wbk cfeee36c618563537127b7c9c2787c45 Loki RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
3
http://103.170.255.140/59993/vbc.exe http://secure01-redirect.net/ga14/fre.php - rule_id: 7227 http://secure01-redirect.net/ga14/fre.php
|
3
secure01-redirect.net(193.109.78.71) 193.109.78.71 103.170.255.140
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://secure01-redirect.net/ga14/fre.php
|
4.4 |
|
27 |
ZeroCERT