30751 | 2022-05-25 09:53
File: vbc.exe
MD5: 44e906d3886422559ed74202f5f91314
Tags: RAT PWS .NET framework PE32 .NET EXE PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName RCE crashed
Score 2.6 | M | 10 | ZeroCERT

30752 | 2022-05-25 09:53
File: 1.exe
MD5: df7bcc6a339e5d1d61f040c538669b2b
Tags: Themida Packer Malicious Packer Malicious Library PE32 PE File Check memory unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware crashed
Score 4.4 | M | - | ZeroCERT

30753 | 2022-05-25 09:51
File: jb7urLT2s
MD5: a8e53abcb6cd89d8730ea89072711152
Tags: Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot VirusTotal Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process AntiVM_Disk VM Disk Size Check Kovter Windows ComputerName RCE DNS
Hosts (15, all flagged malicious): 160.16.143.191, 202.29.239.162, 202.28.34.99, 87.106.97.83, 104.248.225.227, 62.171.178.147, 196.44.98.190, 195.77.239.39, 210.57.209.142, 190.90.233.66, 110.235.83.107, 165.22.73.229, 134.122.119.23, 37.44.244.177, 88.217.172.165
Suricata alerts (3):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 13
  ET INFO TLS Handshake Failure
Score 8.0 | - | 11 | ZeroCERT

30754 | 2022-05-25 09:50
File: ik8EFuXqc
MD5: 9347e031acdbf6cda0c961fa968e0bb5
Tags: Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process human activity check Kovter Windows ComputerName RCE DNS
Hosts (16):
  www.ruvedaj.xyz (unresolved)
  flagged malicious: 160.16.143.191, 202.29.239.162, 202.28.34.99, 104.248.225.227, 62.171.178.147, 196.44.98.190, 195.77.239.39, 87.106.97.83, 210.57.209.142, 190.90.233.66, 110.235.83.107, 165.22.73.229, 134.122.119.23, 37.44.244.177, 88.217.172.165
Suricata alerts (3):
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 13
Score 7.4 | M | - | ZeroCERT

30755 | 2022-05-25 09:50
File: sleep.exe
MD5: e7141cadb71a36b0dcddb0ef7a67caec
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
URLs (4):
  http://www.sdfijsdjidf.xyz/m0d4/?LL0=qa2HCuehd+OLluEj+ZaoAc9XIsur+rI4EFCYyrG+J7mbG8JHTzLv2WdBKhUJ+7SIbEylXPoH&APcPAD=dhItCFUXjf9x
  http://www.cryoablation.xyz/m0d4/?LL0=YUmoHpfUPyDRMD4vBz5urBozJPl1O97m0DXdDlwENz/Wz1XTyx+p7AJWswgLEjMsRwA+jz0k&APcPAD=dhItCFUXjf9x
  http://www.arthamandirialkesindo.com/m0d4/?LL0=mf1bYp/FUP+Ts7S79apP1hkr0w8WZdLzLYn+xRmG0PkAZk5rfm9mwOwUYcGgvUO+IESzcMgd&APcPAD=dhItCFUXjf9x
  http://www.zhidao95.com/m0d4/?LL0=NAAVMfeqbK0z8vD+Qvzh9xXRUU+fA/5gjMBr3ElO5qTI90nZ+R2ISaurvJy762/h5RKa5fTC&APcPAD=dhItCFUXjf9x
Hosts (9):
  www.cryoablation.xyz (64.190.63.111)
  www.arthamandirialkesindo.com (103.145.226.120)
  www.sdfijsdjidf.xyz (64.32.22.102)
  www.ruvedaj.xyz (unresolved)
  www.zhidao95.com (134.73.225.58)
  64.32.22.102 - malicious
  134.73.225.58
  103.145.226.120
  64.190.63.111 - malicious
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score 5.6 | M | 36 | ZeroCERT

30756 | 2022-05-25 09:48
File: 2.exe
MD5: 046804d6a8900b2fff9596823db0ce93
Tags: Themida Packer Malicious Packer PE32 PE File unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware crashed
Score 4.2 | - | - | ZeroCERT

30757 | 2022-05-25 09:46
File: ideainv.sfx.exe
MD5: fa47b24566cb07aa26b215f121cb8758
Tags: Emotet VBA_macro UPX Malicious Library Anti_VM Admin Tool (Sysinternals etc ...) PE32 PE File MSOffice File VirusTotal Malware PDB Check memory Creates executable files RWX flags setting unpack itself AppData folder DNS
Hosts (1): list not present on the page
Score 3.6 | M | 16 | ZeroCERT

30758 | 2022-05-25 09:46
File: abl.exe
MD5: f46edbe315ff60d02ce7c243edda1072
Tags: UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName Software
URLs (1):
  http://aboyus.buzz/five/fre.php
Hosts (2):
  aboyus.buzz (172.67.201.232)
  104.21.76.223
Suricata alerts (8):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP Request to a *.buzz domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score 9.8 | M | 39 | ZeroCERT

30759 | 2022-05-25 09:45
File: vbc.exe
MD5: 4a29481bcff7afa8eba55c66ea729833
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
URLs (8):
  http://www.nobodylikesbrettmoist.com/pvgu/?LL0=nvz2XLJKHrVEvwOOvqMo23cnB7GA3CSZgzM7NGrnKp2ptYqPI5p79IP3SkhePjy4TC8rMuEe&APcPAD=dhItCFUXjf9x - rule_id: 17592
  http://www.nefitegroup.com/pvgu/?LL0=k+QTDRHdnEtUsHLGQg6Iw1al4pyCYwcayg85U4DqAbua8ytHfL/skunEScp6nz+x3Wk9MXim&APcPAD=dhItCFUXjf9x
  http://www.macralace.online/pvgu/?LL0=/TZCjQ47umXByn9Km9kdV8rm5zZ9DN+jmfPnLSP70xRBJX7BCcRCEsQ/uYWqAXXlHiTQYyrd&APcPAD=dhItCFUXjf9x&JEx-=RdoHsb2X
  http://www.macralace.online/pvgu/
  http://www.bigboyd.xyz/pvgu/?LL0=tP0Q3eoZ8OB0n/ihtNtVt/i+uXyKbed/w9CnT/COaGWr+INWB84o8XFICAu+hOQ8GaOP7mYw&APcPAD=dhItCFUXjf9x&24PD=i4MDkZJ8 - rule_id: 17590
  http://www.45069.email/pvgu/
  http://www.bigboyd.xyz/pvgu/ - rule_id: 17590
  http://www.greks33.com/pvgu/?LL0=ACUuPc1zMBKrdYIrvbcsob0MIhlsilEmDfnJzxGy9WftQ1gsfW8KLuvYNpwg7uiSXw2KvQ9G&APcPAD=dhItCFUXjf9x - rule_id: 17596
Hosts (15):
  www.nefitegroup.com (51.79.17.60)
  www.agapecarenc.net (unresolved)
  www.greks33.com (31.187.72.243)
  www.89151111.com (unresolved)
  www.huaen-elec.com (unresolved)
  www.nobodylikesbrettmoist.com (142.250.199.115)
  www.bigboyd.xyz (34.102.136.180)
  www.45069.email (103.120.80.141)
  www.macralace.online (209.17.116.163)
  209.17.116.163 - malicious
  103.120.80.141
  216.58.220.147
  34.102.136.180 - malicious
  31.187.72.243 - malicious
  51.79.17.60
Suricata alerts (3):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET MALWARE FormBook CnC Checkin (POST) M2
Rule-matched URLs (4):
  http://www.nobodylikesbrettmoist.com/pvgu/
  http://www.bigboyd.xyz/pvgu/
  http://www.bigboyd.xyz/pvgu/
  http://www.greks33.com/pvgu/
Score 5.8 | M | 27 | ZeroCERT

30760 | 2022-05-25 09:44
File: .winlogon.exe
MD5: 4a6ca68276fb5529ff073c3b8bbcf380
Tags: PWS[m] NPKI email stealer Socket DNS Code injection KeyLogger Downloader Escalate privileges persistence AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key crashed
Hosts (1): list not present on the page
Score 11.2 | M | 23 | ZeroCERT

30761 | 2022-05-25 09:44
File: .svchost.exe
MD5: f8f22c4c4b54bb78aa18c80bf25f6cdc
Tags: RAT UPX Malicious Library PE32 PE File PNG Format DLL JPEG Format PE64 GIF Format VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder
Score 3.8 | M | 31 | ZeroCERT

30762 | 2022-05-25 09:41
File: haitianzx.exe
MD5: fae9f5c20ea03843c1df7f5812ba9b0a
Tags: PWS[m] SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
Score 9.0 | M | 21 | ZeroCERT

30763 | 2022-05-25 09:39
File: data64_6.exe
MD5: 09e435274ff2f3f7fd404c81855700c4
Tags: UPX Malicious Library AntiDebug AntiVM PE32 OS Processor Check PE File DLL VirusTotal Malware PDB Code Injection Checks debugger unpack itself AppData folder RCE
Score 3.6 | M | 34 | ZeroCERT

30764 | 2022-05-25 09:37
File: toolspab2.exe
MD5: 4675c3011c2da9ee9e9aa64f98754660
Tags: Malicious Library AntiDebug AntiVM PE32 PE File Malware PDB Code Injection Checks debugger buffers extracted unpack itself RCE
Score 6.4 | M | - | ZeroCERT

30765 | 2022-05-25 09:36
File: in.exe
MD5: 4fa69e0d7185f0e227c7ac6223afa015
Tags: PWS[m] RAT Hide_EXE SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (1):
  http://checkip.dyndns.org/
Hosts (4):
  api.telegram.org (149.154.167.220)
  checkip.dyndns.org (132.226.8.169)
  158.101.44.242
  149.154.167.220
Suricata alerts (6):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET HUNTING Telegram API Domain in DNS Lookup
Score 12.8 | M | 48 | ZeroCERT
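The host, URL and Suricata fields in this listing arrive as single run-together lines, which is awkward to feed into a blocklist or a hunt. The following is an added example, not code from the listing or its operator: a small Python parser that turns those three fields into deduplicated indicators (IPs, IPs the listing flags as malicious, domains that returned no address, the shared FormBook C2 directory, rule IDs). The sample inputs are copied from records 30755, 30759 and 30765 above; the raw listing data spells the host flag "mailcious", so the pattern accepts both spellings. The names HostIOC, parse_hosts, parse_urls, split_alerts, c2_paths and summarize are this example's own.

```python
"""Parse the flattened host, URL and Suricata fields of a sandbox listing
into deduplicated IOCs.

Added example for this page, not the listing operator's code. Sample inputs
are copied from records 30755, 30759 and 30765; the raw listing spells the
host flag "mailcious", so HOST_RE accepts both spellings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# One host entry is "domain(ip)", "domain()" when the lookup returned no
# address, or a bare IP; any of them may carry a trailing " - malicious".
HOST_RE = re.compile(
    rf"(?:(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)\((?P<resolved>{IPV4})?\)|(?P<ip>{IPV4}))"
    r"(?:\s+-\s+(?P<flag>ma(?:il|li)cious))?"
)

# One URL entry is "http://... [ - rule_id: NNNN]".
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")

# Alert names are run together; each begins with its ruleset prefix.
ALERT_SPLIT_RE = re.compile(r"\s+(?=ET |SSLBL:)")

# Constructed sample input, copied from records on this page.
SAMPLE_HOSTS = (  # record 30755, nine entries, raw spelling kept
    "www.cryoablation.xyz(64.190.63.111) www.arthamandirialkesindo.com(103.145.226.120) "
    "www.sdfijsdjidf.xyz(64.32.22.102) www.ruvedaj.xyz() www.zhidao95.com(134.73.225.58) "
    "64.32.22.102 - mailcious 134.73.225.58 103.145.226.120 64.190.63.111 - mailcious"
)
SAMPLE_URLS = (  # four URLs from record 30759 plus one from record 30755
    "http://www.nobodylikesbrettmoist.com/pvgu/?LL0=nvz2XLJKHrVEvwOOvqMo23cnB7GA3CSZgzM7NGrnKp2ptYqPI5p79IP3SkhePjy4TC8rMuEe&APcPAD=dhItCFUXjf9x - rule_id: 17592 "
    "http://www.macralace.online/pvgu/ "
    "http://www.bigboyd.xyz/pvgu/ - rule_id: 17590 "
    "http://www.greks33.com/pvgu/?LL0=ACUuPc1zMBKrdYIrvbcsob0MIhlsilEmDfnJzxGy9WftQ1gsfW8KLuvYNpwg7uiSXw2KvQ9G&APcPAD=dhItCFUXjf9x - rule_id: 17596 "
    "http://www.zhidao95.com/m0d4/?LL0=NAAVMfeqbK0z8vD+Qvzh9xXRUU+fA/5gjMBr3ElO5qTI90nZ+R2ISaurvJy762/h5RKa5fTC&APcPAD=dhItCFUXjf9x"
)
SAMPLE_ALERTS = (  # record 30765, six alerts
    "ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET INFO TLS Handshake Failure "
    "ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) "
    "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
    "ET POLICY External IP Lookup - checkip.dyndns.org ET HUNTING Telegram API Domain in DNS Lookup"
)


@dataclass(frozen=True)
class HostIOC:
    indicator: str              # domain or IP exactly as written
    resolved_ip: Optional[str]  # address in parentheses after a domain
    flagged: bool               # carried the listing's malicious flag

    @property
    def is_ip(self) -> bool:
        return re.fullmatch(IPV4, self.indicator) is not None


def parse_hosts(text: str) -> List[HostIOC]:
    hosts = []
    for m in HOST_RE.finditer(text):
        name = m.group("domain") or m.group("ip")
        hosts.append(HostIOC(name, m.group("resolved"), m.group("flag") is not None))
    return hosts


def parse_urls(text: str) -> List[Tuple[str, Optional[int]]]:
    return [(m.group("url"), int(m.group("rule")) if m.group("rule") else None)
            for m in URL_RE.finditer(text)]


def split_alerts(text: str) -> List[str]:
    return [a for a in ALERT_SPLIT_RE.split(text.strip()) if a]


def c2_paths(urls: List[Tuple[str, Optional[int]]]) -> Set[str]:
    """First path segment of each URL. The FormBook records on the page keep
    one per campaign (/m0d4/, /pvgu/) while rotating domains, so the path is
    the more stable pivot."""
    paths = set()
    for url, _ in urls:
        segments = [s for s in urlsplit(url).path.split("/") if s]
        if segments:
            paths.add(f"/{segments[0]}/")
    return paths


def summarize(hosts: List[HostIOC], urls: List[Tuple[str, Optional[int]]],
              alerts: List[str]) -> Dict[str, set]:
    ips = {h.indicator for h in hosts if h.is_ip} | {h.resolved_ip for h in hosts if h.resolved_ip}
    return {
        "ips": ips,
        "flagged_ips": {h.indicator for h in hosts if h.is_ip and h.flagged},
        "domains": {h.indicator for h in hosts if not h.is_ip},
        # Empty parentheses in the record mean the lookup returned no address.
        "unresolved_domains": {h.indicator for h in hosts if not h.is_ip and h.resolved_ip is None},
        "c2_paths": c2_paths(urls),
        "rule_ids": {r for _, r in urls if r is not None},
        "alerts": set(alerts),
    }


if __name__ == "__main__":
    report = summarize(parse_hosts(SAMPLE_HOSTS), parse_urls(SAMPLE_URLS),
                       split_alerts(SAMPLE_ALERTS))
    for key, values in report.items():
        print(f"{key}: {sorted(values)}")
```

Pivoting on the path rather than the domain is what groups the two FormBook submissions on this page: 30755 uses /m0d4/ and 30759 uses /pvgu/ across entirely different hostnames, and the three rule_id values (17590, 17592, 17596) attach only to the URLs the listing also echoes in its rule-matched field.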