30841 | 2022-05-23 09:32
E3946207595.xls | 6fa95c9fc12894519b4332e029f564db
Tags: MS_Excel_Hidden_Macro_Sheet, MSOffice File, VirusTotal, Malware, Creates executable files, RWX flags setting, exploit crash, unpack itself, suspicious process, Tofsee, Exploit crashed
URLs (3):
  https://uniross.site/SVmGtFWUNWs/I.png
  https://alexadrivingschool.online/ViaawNBw/I.png
  https://adboat.live/TCA1oiqkA/I.png
Hosts (4):
  alexadrivingschool.online() - malicious
  adboat.live(192.185.129.139) - malicious
  uniross.site() - malicious
  192.185.129.139 - phishing
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
4.4 | | 33 | guest
30842 | 2022-05-23 08:23
54.exe | 46941fd0c90a281ad25d2d68737bcf8d
Tags: UPX, PE32, .NET EXE, PE File, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, RWX flags setting, unpack itself, Windows, ComputerName, RCE, DNS, Cryptographic key, crashed
Hosts (1):
6.2 | M | 37 | ZeroCERT
30843 | 2022-05-23 08:22
vbc.exe | 61be5168cca3b1d728229f863b9f1162
Tags: UPX, Malicious Library, PE32, OS Processor Check, PE File, FormBook, Malware download, VirusTotal, Malware, Buffer PE, PDB, suspicious privilege, Code Injection, Malicious Traffic, Checks debugger, buffers extracted, unpack itself, ComputerName
URLs (6):
  http://www.wona-nyc.com/uu0p/?JDK8bDY=6EEcCW2hRleNxntoip/GZrjouJMXic+r2ls54VYWqIK+WcgvNzWiKdLZoB/oUPYZ+96qgzow&BX=E2J4tHWxrVn
  http://www.flipwatch.xyz/uu0p/?JDK8bDY=snSF/BRZqGOG4KqEyCINSdYzeAunTsUuEOjGimgAYDiOT3cOHZjj6gt/qOBUqsQIyxOcVLya&BX=E2J4tHWxrVn
  http://www.watnefarms.com/uu0p/?JDK8bDY=ot1/kmT2Pm41G1TcEZqa8wl/uWMf5XpS7bAC9++BFjK3AV5FF4nPR2HfH3PnTsJ6ayFBl+vP&BX=E2J4tHWxrVn
  http://www.click-tokens.com/uu0p/?JDK8bDY=JQnK+6RAiNMVdqZ3z2qVIKMKYF7w4bfaATfxd6xA4NOx6+DWi6nE8jG/7X+416DwL7N1O74k&BX=E2J4tHWxrVn
  http://www.ut1r92k4.xyz/uu0p/?JDK8bDY=y9LlcKw7CILT/IAC242BlGhMDCoFzxuyKBPTsA5aMCCFzcBTVcaWng9Ihq1VfoCTHGtDhv3N&BX=E2J4tHWxrVn
  http://www.enjoypresenting.com/uu0p/?JDK8bDY=pWPehcmt8MxE/PomB4pHJBmYymSftkENTQjvbinm7aYa1O4gG/Xz2uMuumw/L0Tsuiv2UKaW&BX=E2J4tHWxrVn
Hosts (15):
  www.ut1r92k4.xyz(150.95.255.38)
  www.wona-nyc.com(185.68.16.31)
  www.flipwatch.xyz(3.33.152.147)
  www.mingoenterprises.net()
  www.easeupp.com()
  www.enjoypresenting.com(160.153.138.163)
  www.watnefarms.com(23.231.95.172)
  www.click-tokens.com(66.29.142.85)
  www.chappyportal.com()
  160.153.138.163 - malicious
  15.197.142.173 - malicious
  150.95.255.38 - malicious
  23.231.95.172
  185.68.16.31
  66.29.142.85
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
8.0 | M | 43 | ZeroCERT
30844 | 2022-05-23 08:18
tel.exe | 99629a1f5888cf9ef2ddd7262d0af5d9
Tags: HermeticWiper, UPX, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal, Malware, PDB, unpack itself, RCE
2.4 | M | 41 | ZeroCERT
30845 | 2022-05-23 08:17
vbc.exe | f6f4429e20b9926d303588a31653453a
Tags: UPX, Malicious Library, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself
URLs (22):
  http://www.spaceokara.com/ud5f/?inz0rV1h=9CmrMn0GGtbXxXIdiJK6yWXZmlYii/OvswjFNfGMD5AzzaTP0I9tRoOX3ga04w9g87gTygof&SP=cnxTbjA0&JwlX=xvm4fvGX - rule_id: 17457
  http://www.beam-birds.com/ud5f/ - rule_id: 17415
  http://www.venerems.com/ud5f/ - rule_id: 17449
  http://www.beam-birds.com/ud5f/?inz0rV1h=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&SP=cnxTbjA0&Ab0L=afGp2vvx - rule_id: 17415
  http://www.theboemia.net/ud5f/?inz0rV1h=vNc4qngUhMPfsLhaAtSRbB5tdicAwtCMMZptOOPPQtFj7cp5P6Xrt98T3jq+QQVFaJGPuwgy&SP=cnxTbjA0&qUDS=VPNpdVLh - rule_id: 17751
  http://www.theboemia.net/ud5f/?inz0rV1h=vNc4qngUhMPfsLhaAtSRbB5tdicAwtCMMZptOOPPQtFj7cp5P6Xrt98T3jq+QQVFaJGPuwgy&SP=cnxTbjA0&qUDS=VPNpdVLh
  http://www.tripnii.com/ud5f/?inz0rV1h=N/pZwD3ciGRaBalB/st9KLrJwOHrAZcHEe9LScJkFQBh3cF/5u3uILtBrpiUdDWYV9t+nT9+&SP=cnxTbjA0&2CUR=pBZ0_xbH - rule_id: 17450
  http://www.tripnii.com/ud5f/?inz0rV1h=N/pZwD3ciGRaBalB/st9KLrJwOHrAZcHEe9LScJkFQBh3cF/5u3uILtBrpiUdDWYV9t+nT9+&SP=cnxTbjA0&2CUR=pBZ0_xbH
  http://www.venerems.com/ud5f/?inz0rV1h=K9u45/YQVGyEc9geHpEqgOMQoavn+DquAoSlVotvwrnEr+O2nsnegj4yqkliPvOpIqD7rz2g&SP=cnxTbjA0&nrzA=4hvtwR70 - rule_id: 17449
  http://www.venerems.com/ud5f/?inz0rV1h=K9u45/YQVGyEc9geHpEqgOMQoavn+DquAoSlVotvwrnEr+O2nsnegj4yqkliPvOpIqD7rz2g&SP=cnxTbjA0&nrzA=4hvtwR70
  http://www.animefnix.com/ud5f/?inz0rV1h=pYnsP4TjgnW1+o0bXQyX3o5D0burLT7omwvH8WaVCOfXXYLrtXboQfHSoV7j4k06LzvKDu0l&SP=cnxTbjA0&U4mX=N8uT8DAX - rule_id: 17454
  http://www.animefnix.com/ud5f/?inz0rV1h=pYnsP4TjgnW1+o0bXQyX3o5D0burLT7omwvH8WaVCOfXXYLrtXboQfHSoV7j4k06LzvKDu0l&SP=cnxTbjA0&U4mX=N8uT8DAX
  http://www.bupabii.site/ud5f/?inz0rV1h=ALfx5VHPAmLJvR2PmDqxYgHynhZL+44fq/2dYcj3tIi9cyGy7ldYS7x5wMMPmf8J2NKK6TeT&SP=cnxTbjA0&TYIw=rpdlONf8 - rule_id: 17453
  http://www.bupabii.site/ud5f/?inz0rV1h=ALfx5VHPAmLJvR2PmDqxYgHynhZL+44fq/2dYcj3tIi9cyGy7ldYS7x5wMMPmf8J2NKK6TeT&SP=cnxTbjA0&TYIw=rpdlONf8
  http://www.animefnix.com/ud5f/ - rule_id: 17454
  http://www.topings33.com/ud5f/?inz0rV1h=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&SP=cnxTbjA0 - rule_id: 17411
  http://www.spaceokara.com/ud5f/ - rule_id: 17457
  http://www.freerenoadvice.com/ud5f/?inz0rV1h=/TToMDCW2ncgJ5LJRlT2wMaIAe2sglICrt5t2dOu5wDbuzlS1GgQ+Leahz1eY796FlJ1opun&SP=cnxTbjA0&WJ3E=oZND1hW0 - rule_id: 17412
  http://www.theboemia.net/ud5f/ - rule_id: 17751
  http://www.freerenoadvice.com/ud5f/ - rule_id: 17412
  http://www.tripnii.com/ud5f/ - rule_id: 17450
  http://www.bupabii.site/ud5f/ - rule_id: 17453
Hosts (22):
  www.dadagrin.com(76.164.193.180)
  www.tripnii.com(172.255.36.136)
  www.mcgillinvestigation.com()
  www.freerenoadvice.com(66.96.160.152)
  www.venerems.com(62.149.128.45)
  www.beam-birds.com(173.201.181.53)
  www.animefnix.com(103.224.182.210)
  www.topings33.com(162.0.230.89)
  www.spaceokara.com(210.188.240.5)
  www.theboemia.net(66.96.162.146)
  www.bupabii.site(104.21.5.119)
  www.rwbbrwe1.com()
  210.188.240.5 - malicious
  66.96.160.152 - malicious
  173.201.181.53 - malicious
  162.0.230.89 - malicious
  62.149.128.45 - malicious
  104.21.5.119 - malicious
  103.224.182.210 - phishing
  172.255.36.136 - malicious
  66.96.162.146 - malicious
  76.164.193.180 - malicious
Alerts (2):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
Rule matches (17):
  http://www.spaceokara.com/ud5f/
  http://www.beam-birds.com/ud5f/
  http://www.venerems.com/ud5f/
  http://www.beam-birds.com/ud5f/
  http://www.theboemia.net/ud5f/
  http://www.tripnii.com/ud5f/
  http://www.venerems.com/ud5f/
  http://www.animefnix.com/ud5f/
  http://www.bupabii.site/ud5f/
  http://www.animefnix.com/ud5f/
  http://www.topings33.com/ud5f/
  http://www.spaceokara.com/ud5f/
  http://www.freerenoadvice.com/ud5f/
  http://www.theboemia.net/ud5f/
  http://www.freerenoadvice.com/ud5f/
  http://www.tripnii.com/ud5f/
  http://www.bupabii.site/ud5f/
8.0 | M | 41 | ZeroCERT
30846 | 2022-05-23 08:17
vbc.exe | fe367da5cd1fe1f4c49b36ca398aca5d
Tags: UPX, Malicious Library, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself
URLs (4):
  http://www.lamsaradio.net/f43e/?9rQl7b=kgDLBiyuuBnO2O36ADskMafCW2d4/71y72t0y+FMqtNKvm12Bpjcy1rzQh34k72SWgO54B5F&EhU4Nv=gdD0Lxbh0V
  http://www.desertcleanpro.com/f43e/?9rQl7b=4JAYsd9c494aW2aZIy0QpkxezkaG8OS+75vJESeprQJfGTYJfYiaN5kwF8bsPBjgwZ9Wy35M&EhU4Nv=gdD0Lxbh0V
  http://www.backiptv.com/f43e/?9rQl7b=24S3EpNKtPSo1+L2NnW9QyM/FVEEB96HuWxixUoloH6PyIRJddc/Kz/9yBNDsxh0ygkLBhO0&EhU4Nv=gdD0Lxbh0V
  http://www.neorevolution.ltd/f43e/?9rQl7b=SK4uEzjPcQwE4UJZgRiqgZrfV+PU8ZTadtSar3snkapDCl8mY0JmCaxJm8o8pqCsczLM8WXc&EhU4Nv=gdD0Lxbh0V
Hosts (8):
  www.lamsaradio.net(34.102.136.180)
  www.backiptv.com(204.11.56.48)
  www.desertcleanpro.com(76.164.207.115)
  www.neorevolution.ltd(198.54.115.235)
  198.54.115.235
  34.102.136.180 - malicious
  76.164.207.115
  204.11.56.48 - phishing
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
5.6 | M | 30 | ZeroCERT
30847 | 2022-05-23 08:17
checkit2.exe | 3af63779be731281cdd869c329832c1a
Tags: RAT, PE File, PE64, VirusTotal, Malware, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (1):
  http://198.251.86.46/checkit2_Hbpragme.bmp
Hosts (1):
Alerts (1):
  ET HUNTING Suspicious Terse Request for .bmp
9.4 | M | 24 | ZeroCERT
30848 | 2022-05-23 08:16
zmb.exe | 61d8380734dab62afb07e2d12cb746af
Tags: RAT, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, unpack itself, WriteConsoleW, DNS
URLs (2):
  http://www.euromarketinfinity.com/sn12/?9rJtvBQ=/wE2iff+KL+/ERRZNsMlaCyYzWgq8VOttP75WoZBJ+TwHPTujVyF9hPb5PrQrqya+LxTGX7m&2d54=eT8xe2NpddJ86tL
  http://www.seementor.com/sn12/?9rJtvBQ=RtVC6loscM06usO/YI21fDXq59XBLcz9umfGdy2oQXWdI6QalDB8sFa/aIWAp2MtXDbGM+xQ&2d54=eT8xe2NpddJ86tL
Hosts (7):
  www.seementor.com(38.26.152.100)
  www.knowan.space()
  www.euromarketinfinity.com(217.160.0.127)
  darley.ml(192.185.174.178) - malware
  217.160.0.127 - malicious
  192.185.174.178 - malware
  38.26.152.100
Alerts (5):
  ET INFO DNS Query for Suspicious .ml Domain
  ET HUNTING Suspicious Terse Request for .bmp
  ET HUNTING Request to .ML Domain with Minimal Headers
  ET INFO HTTP Request to a *.ml domain
  ET MALWARE FormBook CnC Checkin (GET)
4.0 | M | 43 | ZeroCERT
30849 | 2022-05-23 08:14
top.exe | 41dda984ef09014f53cf0e12688c0cd7
Tags: HermeticWiper, UPX, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal, Malware, PDB, unpack itself, RCE
2.4 | M | 46 | ZeroCERT
30850 | 2022-05-23 08:06
tv.exe | f1784327c0fa0c2928d0415d25b0c5f6
Tags: RAT, PWS, .NET framework, UPX, AntiDebug, AntiVM, PE32, OS Processor Check, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, DNS, Cryptographic key
URLs (3):
  http://www.lastting.xyz/mi25/?yVCTVbbP=hmaPNhLgQwknAvihb6WKNs/mQcu0BI1+uXejIQD5HCuOdr+i/6I+FHfjEBLGljF6W30vU0Ft&uTg8A=M6Al
  http://www.milancricketclub.com/mi25/?yVCTVbbP=YbQ6lfVVmxjW1weSPJNHRia1New4AsyYpkLQpNBxlXpGYc1F7tu8AU+yPSWlOx5n7T/TTngj&uTg8A=M6Al
  http://www.exerindo.com/mi25/?yVCTVbbP=L6PR3aLy+a75+jJf7ECsx7CKIahgaZr9q74WDp3gtSuSVg0T4ayX47d34QUXXVnYYicM6Mna&uTg8A=M6Al
Hosts (7):
  www.milancricketclub.com(202.124.241.178)
  www.lastting.xyz(104.21.87.95)
  www.exerindo.com(170.130.145.171)
  104.21.87.95
  103.176.113.85 - malicious
  170.130.145.171
  202.124.241.178 - malicious
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
9.0 | M | 36 | ZeroCERT
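The FormBook records above (30843, 30845, 30846, 30848, 30850) all share one URL shape: a four-character path segment that stays constant per campaign (uu0p, ud5f, f43e, sn12, mi25), then a query whose first value is a long encoded blob and whose remaining values are short tokens, or the same path with no query at all (the form the POST alert in 30845 matched). The script below is an added example, not code from the sandbox listing or from any vendor: it keys on that shape to group hosts by campaign path and to produce a de-duplicated host list. The regexes, the length cut-offs, and the "bare-path" label are assumptions drawn from this listing, and the blob is not decoded.

```python
"""Group FormBook-shaped check-in URLs from the listing above by campaign path.

Added example, not the listing's own code. The URL shape, length limits and
character class are assumptions taken from records 30843/30845/30846/30848/30850.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

CAMPAIGN_PATH = re.compile(r"^/(?P<campaign>[a-z0-9]{4})/$")   # assumption: 4-char path
BLOB_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")                 # base64-like, no decoding
MIN_BLOB_LEN = 40   # assumption: the encoded first value is always at least this long
MAX_TOKEN_LEN = 16  # assumption: trailing values in the listing are 4 to 15 characters

# Constructed sample: (record id, URL) pairs copied from the listing above, plus two
# non-FormBook URLs from records 30841 and 30847 as negative controls.
SAMPLE = [
    (30843, "http://www.wona-nyc.com/uu0p/?JDK8bDY=6EEcCW2hRleNxntoip/GZrjouJMXic+r2ls54VYWqIK+WcgvNzWiKdLZoB/oUPYZ+96qgzow&BX=E2J4tHWxrVn"),
    (30843, "http://www.flipwatch.xyz/uu0p/?JDK8bDY=snSF/BRZqGOG4KqEyCINSdYzeAunTsUuEOjGimgAYDiOT3cOHZjj6gt/qOBUqsQIyxOcVLya&BX=E2J4tHWxrVn"),
    (30845, "http://www.spaceokara.com/ud5f/?inz0rV1h=9CmrMn0GGtbXxXIdiJK6yWXZmlYii/OvswjFNfGMD5AzzaTP0I9tRoOX3ga04w9g87gTygof&SP=cnxTbjA0&JwlX=xvm4fvGX"),
    (30845, "http://www.beam-birds.com/ud5f/"),
    (30846, "http://www.lamsaradio.net/f43e/?9rQl7b=kgDLBiyuuBnO2O36ADskMafCW2d4/71y72t0y+FMqtNKvm12Bpjcy1rzQh34k72SWgO54B5F&EhU4Nv=gdD0Lxbh0V"),
    (30848, "http://www.seementor.com/sn12/?9rJtvBQ=RtVC6loscM06usO/YI21fDXq59XBLcz9umfGdy2oQXWdI6QalDB8sFa/aIWAp2MtXDbGM+xQ&2d54=eT8xe2NpddJ86tL"),
    (30850, "http://www.lastting.xyz/mi25/?yVCTVbbP=hmaPNhLgQwknAvihb6WKNs/mQcu0BI1+uXejIQD5HCuOdr+i/6I+FHfjEBLGljF6W30vU0Ft&uTg8A=M6Al"),
    (30841, "https://uniross.site/SVmGtFWUNWs/I.png"),
    (30847, "http://198.251.86.46/checkit2_Hbpragme.bmp"),
]


def _split_query(query):
    """Split a raw query without percent-decoding: '+' and '/' are part of the blob."""
    pairs = []
    for piece in query.split("&"):
        if piece:
            key, _, value = piece.partition("=")
            pairs.append((key, value))
    return pairs


def classify(url):
    """Return a dict describing a FormBook-shaped URL, or None when the shape does not fit."""
    parts = urlsplit(url)
    match = CAMPAIGN_PATH.match(parts.path)
    if not match or parts.hostname is None:
        return None
    campaign = match["campaign"]
    params = _split_query(parts.query)
    if not params:
        # Query-less form; in record 30845 these paths also carry the POST check-in alert.
        return {"host": parts.hostname, "campaign": campaign, "kind": "bare-path"}
    blob_key, blob = params[0]
    if len(blob) < MIN_BLOB_LEN or not BLOB_CHARS.match(blob):
        return None
    if any(len(value) > MAX_TOKEN_LEN for _, value in params[1:]):
        return None
    return {
        "host": parts.hostname,
        "campaign": campaign,
        "kind": "get-checkin",
        "blob_key": blob_key,
        "blob_len": len(blob),
        "tokens": dict(params[1:]),
    }


def group_by_campaign(records):
    """Map campaign path -> sorted hosts, over the (record id, URL) pairs that classify."""
    groups = defaultdict(set)
    for _, url in records:
        info = classify(url)
        if info is not None:
            groups[info["campaign"]].add(info["host"])
    return {campaign: sorted(hosts) for campaign, hosts in sorted(groups.items())}


def block_list(records):
    """Flat, de-duplicated host list for a DNS sinkhole or proxy deny rule."""
    return sorted({host for hosts in group_by_campaign(records).values() for host in hosts})


if __name__ == "__main__":
    for campaign, hosts in group_by_campaign(SAMPLE).items():
        print(f"{campaign}: {', '.join(hosts)}")
    print("unmatched:", [url for _, url in SAMPLE if classify(url) is None])
```

The "bare-path" branch will also accept any unrelated four-character directory, so treat the output as a triage aid over sandbox records that already carry a FormBook verdict, not as a stand-alone detection; the Suricata "FormBook CnC Checkin" alerts in the records remain the authoritative match.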
30851 | 2022-05-23 08:04
.winlogon.exe | fc68fa337796688c1c367cf952036c41
Tags: PWS[m], PWS, .NET framework, NPKI, email stealer, DNS, Code injection, KeyLogger, Downloader, Escalate privileges, persistence, AntiDebug, AntiVM, PE32, .NET EXE, PE File, Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, crashed
Hosts (1):
  103.176.113.85 - malicious
11.2 | M | 23 | ZeroCERT
30852 | 2022-05-23 08:02
vbc.exe | 8e910b0244ba51690798bfc4e7ecc994
Tags: AgentTesla, PWS[m], RAT, PWS, .NET framework, browser info stealer, Generic Malware, Google Chrome User Data, UPX, Antivirus, Create Service, Socket, DNS, Internet API, Code injection, Sniff Audio, KeyLogger, Downloader, Escalate privileges, AntiDebug, AntiVM, PE32, OS Proces, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, DDNS, keylogger
Hosts (2):
  salesumishcn.ddns.net(31.42.186.188)
  31.42.186.188
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
13.4 | M | 40 | ZeroCERT
30853 | 2022-05-23 08:01
clip.jpg | bc03255296791979fde6a769d753a3b8
Tags: UPX, Malicious Library, AntiDebug, AntiVM, PE32, OS Processor Check, PE File, VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself
5.8 | M | 41 | ZeroCERT
30854 | 2022-05-23 07:59
55.exe | 07c8ceffcfe28cc6c365d88434861190
Tags: RAT, Generic Malware, UPX, PE32, OS Processor Check, .NET EXE, PE File, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, Windows, RCE, DNS, Cryptographic key
Hosts (1):
5.4 | M | 39 | ZeroCERT
30855 | 2022-05-23 07:59
vbc.exe | ec65b02b5000460be82c3723fdcfe228
Tags: RAT, NPKI, PE32, .NET EXE, PE File, VirusTotal, Malware, PDB, Check memory, Checks debugger, unpack itself, ComputerName, crashed
2.4 | M | 37 | ZeroCERT