30901 | 2022-05-20 14:15 | ddo1053.exe | 7db32f392535e5ed4e540d5cff319c49
  Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
  2.2 | | 39 | ZeroCERT

30902 | 2022-05-20 14:15 | rtst1060.exe | cd7883d5f7212f21fb5481929cba7f1f
  Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
  1.8 | | 18 | ZeroCERT

30903 | 2022-05-20 14:14 | vbc.exe | 851bfdd07219ce507c79fa16dc106490
  Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
  URLs (3):
    http://www.loginnetflixcontractors.com/a30z/?DVlpi=DYBdqMTmAqrRo1yr0PHA8i5yzjSdpPNuBwriGBkVwp5uea6QpDFdu4KyFPjyWuAVR0r67Nub&mnSh=Txlh
    http://www.dhl.guru/a30z/?DVlpi=nrPH3LAmjgbB/2KcK/lJFxiIuxzoLqO8rOR9ywdiVKK9xb6R4CFMNgU/Ay94xUWfsQTQVTx4&mnSh=Txlh
    http://www.suntrustassetnandd.com/a30z/?DVlpi=IQPUj4xFi2mgegP8DA84EKguqbk7KP8t54lS8gPnZHtCSaa+T+pzfppGjnRRASa9KXYaHWE3&mnSh=Txlh
  Hosts (8):
    www.suntrustassetnandd.com(162.241.24.218)
    www.dhl.guru(3.64.163.50)
    www.theboysprint.com()
    www.loginnetflixcontractors.com(103.224.182.210)
    www.haierbrother.xyz()
    3.64.163.50 - mailcious
    103.224.182.210 - phishing
    162.241.24.218
  Alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  5.8 | | 42 | ZeroCERT

30904 | 2022-05-20 14:13 | z1CD | 700777b9d962cc217a202312cef1a9eb
  Tags: Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot Malware Report AutoRuns Checks debugger unpack itself Auto service suspicious process Kovter Windows ComputerName DNS crashed
  Hosts (8):
    195.154.146.35 - mailcious
    103.8.26.17 - mailcious
    104.248.225.227 - mailcious
    178.62.112.199 - mailcious
    103.133.214.242 - mailcious
    116.124.128.206 - mailcious
    134.122.119.23 - mailcious
    188.225.32.231 - mailcious
  Alerts (4):
    ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
    ET INFO TLS Handshake Failure
    ET CNC Feodo Tracker Reported CnC Server group 8
    ET CNC Feodo Tracker Reported CnC Server group 3
  6.6 | | | ZeroCERT

30905 | 2022-05-20 14:10 | 93.dll | 4159eef3e9d5b156a67b9d35a3c9bf70
  Tags: UPX Malicious Library PE32 OS Processor Check DLL PE File VirusTotal Malware Checks debugger unpack itself
  1.4 | | 29 | ZeroCERT

30906 | 2022-05-20 14:10 | rtst1039.exe | 966722db7d8eaee5b5b8b17dfed90d8f
  Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
  2.2 | | 35 | ZeroCERT

30907 | 2022-05-20 14:08 | rtst1069.exe | e384d0ef37d43cf2e7266e8b1a6818e5
  Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
  2.2 | | 31 | ZeroCERT

30908 | 2022-05-20 14:08 | rtst1057.exe | 0327dfb56630470385af9d7f73d84a78
  Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
  2.2 | | 34 | ZeroCERT

30909 | 2022-05-20 14:03 | winlogon.exe | 738a9b03dcbc5baddebe69e14fce6a53
  Tags: Formbook RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key crashed
  URLs (13):
    http://www.sawarita.com/s2q8/?Jt7=o7goVAelaelLa+jQzG8g34+b40hpRuBfNTFs1SHuFZBBSPY+kIWXVGn4B4OeEp93ZyP+7NKx&EHU40X=gbTpoN4xgh - rule_id: 17272
    http://www.programadoranoah.space/s2q8/?Jt7=h89cEhKb39NBpoGl3C7TXwtruQbe0OzHhfZ4Ek+GY2Bi2GfMPzwTIYz5r2Kr6BOwndQS7qHT&EHU40X=gbTpoN4xgh
    http://www.moix.xyz/s2q8/?Jt7=iMfOVp+CWPRseQRjA54xUJz8VmkKFLOPm/t0xboKogYnq/43+Ej8DVAR6i9ILWXuzh0YUVhN&EHU40X=gbTpoN4xgh
    http://www.areahomes-changedbysupport.com/s2q8/?Jt7=M3PgzST1q+IOS1jBKmjaXkrnquYUSI11nRevrrV774TIKKqxKvjUHWecSNslA5Kmp5O3iMv0&EHU40X=gbTpoN4xgh
    http://193.142.59.104/swift/Ouqqekub_Lbtpkxss.bmp
    http://www.simplythaliachicago.com/s2q8/?Jt7=+VcbARHkLN/IGhY/WI05DmV8X7omBI6+JDFKo2LvUoVxV6cfC3GZOedBJ1uv54GtY0ajnZMn&EHU40X=gbTpoN4xgh
    http://www.dcsmj.com/s2q8/?Jt7=zTBrOdebNVyoJmV8qLIC4aJyUa8owuSzT0MvO4yZZYWbVIjXN3oVoTl3t1dXyYnPQj4VlMPl&EHU40X=gbTpoN4xgh
    http://www.fieldingsoundworks.com/s2q8/?Jt7=Q/Ke9U6C+DcYZ9UgQgKup97JYcoOkFYe7Vgyn4alCfwhrs+ftOlf3J2pyZpKI7/DZwybk1XC&EHU40X=gbTpoN4xgh - rule_id: 17821
    http://www.mingwwww.store/s2q8/?Jt7=dyDkaBNPto8iM8ENJ3PwlyDHZBxL+KYWJHiU4myTUI6LWGiHD2ssNxAkq+ERShEOByXe/913&EHU40X=gbTpoN4xgh
    http://www.stemgen.institute/s2q8/?Jt7=HyC7uMwNg7Ze8JIhOYzu/TCf4RnljdHWr5//omzf/hddN/C63sR6rzd7b2yd1o2B0d/ItMI/&EHU40X=gbTpoN4xgh - rule_id: 17269
    http://www.shopdealzen.com/s2q8/?Jt7=EmRDD+F4MFxd1ezA/CmCvgQ9Dq8cRmTd4LoUHPGIQKM+9HxusbG1+vBkOyrekrhOHSjdQRyV&EHU40X=gbTpoN4xgh - rule_id: 17270
    http://www.europeflyscreen.com/s2q8/?Jt7=RUBn0IKXK/bJijRmoANa1g1SkjxEQXbWFaeyosCSz41433MKx1WZF5Ie08sbNPZtEPIP/SJ7&EHU40X=gbTpoN4xgh
    http://www.brighteningyourskin.com/s2q8/?Jt7=vhliLhO/dqx08b5cWZU1oq3h9sWK0oUNqBQamMD4qIRLp3lcXXba9XHYv2Ezr/rdNCFOiv/u&EHU40X=gbTpoN4xgh
  Hosts (27):
    www.shopdealzen.com(192.185.48.224)
    www.simplythaliachicago.com(199.59.243.200)
    www.stemgen.institute(34.102.136.180)
    www.programadoranoah.space(54.39.107.28)
    www.areahomes-changedbysupport.com(34.102.136.180)
    www.dcsmj.com(216.10.245.123)
    www.europeflyscreen.com(45.84.191.3)
    www.sawarita.com(104.18.27.58)
    www.notvaccinatedjobs.com(54.176.36.242)
    www.moix.xyz(104.21.50.87)
    www.brighteningyourskin.com(45.143.81.76)
    www.triple16.com()
    www.mingwwww.store(3.33.152.147)
    www.fieldingsoundworks.com(172.67.174.103)
    192.185.48.224 - mailcious
    216.10.245.123
    104.21.50.87
    45.143.81.76
    15.197.142.173 - mailcious
    34.102.136.180 - mailcious
    45.84.191.3
    104.21.72.32 - mailcious
    193.142.59.104
    54.176.36.242
    54.39.107.28 - mailcious
    199.59.243.200 - mailcious
    104.18.26.58 - mailcious
  Alerts (3):
    ET HUNTING Suspicious Terse Request for .bmp
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING Request to .XYZ Domain with Minimal Headers
  URL rules (4):
    http://www.sawarita.com/s2q8/
    http://www.fieldingsoundworks.com/s2q8/
    http://www.stemgen.institute/s2q8/
    http://www.shopdealzen.com/s2q8/
  10.6 | M | 25 | ZeroCERT

30910 | 2022-05-20 13:51 | noo.exe | 24ec18a30815496490d2054419b1980b
  Tags: RAT PE32 .NET EXE PE File VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName
  URLs (1):
    http://example.com/Nzzgmmjy_Shkxumyu.bmp
  Hosts (2):
    example.com(93.184.216.34)
    93.184.216.34
  Alerts (1):
    ET HUNTING Suspicious Terse Request for .bmp
  3.8 | | 40 | ZeroCERT

30911 | 2022-05-20 13:46 | vbc.exe | 8133ee977a0f5e8649fdf16976ff84fc
  Tags: Loki UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
  URLs (1):
    http://sempersim.su/gg1/fre.php - rule_id: 17804
  Hosts (2):
    sempersim.su(45.10.245.123) - mailcious
    45.10.245.123 - mailcious
  Alerts (9):
    ET DNS Query for .su TLD (Soviet Union) Often Malware Related
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  URL rules (1):
    http://sempersim.su/gg1/fre.php
  9.6 | M | 41 | ZeroCERT

30912 | 2022-05-20 13:44 | Polution_v0.7b_windows_64.exe | 1dcaed15ea8d428bf34e413f686ba904
  Tags: PE File PE64 Browser Info Stealer VirusTotal Malware Checks debugger WMI Windows utilities suspicious process WriteConsoleW Windows Browser ComputerName
  5.2 | | 51 | ZeroCERT

30913 | 2022-05-20 13:41 | vbc.exe | d85f82b6c267725dbef70ba110f5b972
  Tags: Loki UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
  URLs (1):
    http://hyatqfuh9olahvxf.gq/BN3/fre.php - rule_id: 15762
  Hosts (2):
    hyatqfuh9olahvxf.gq(104.21.5.136) - mailcious
    104.21.5.136 - malware
  Alerts (10):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.gq domain
    ET INFO HTTP Request to a *.gq domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET INFO DNS Query for Suspicious .gq Domain
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  URL rules (1):
    http://hyatqfuh9olahvxf.gq/BN3/fre.php
  9.6 | M | 42 | ZeroCERT

30914 | 2022-05-20 13:40 | vbc.exe | 3445422a39889348ab630c8b5b911f5a
  Tags: Formbook Generic Malware Antivirus AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
  URLs (8):
    http://www.6084pinelake.info/n6g4/?p0D=/EgobrQDT6eYXvmSTJIDXiQ/qbao7wANV39NpTJLs0brSRoOswaCV2zc+DqJbKfEJnrHxpXI&uFNl=XPclnfQPULv - rule_id: 17583
    http://www.agelessfish.com/n6g4/?p0D=VVT0eV61/duqSEOzU/upkp96eNUViODnSPjhFuoMZk9HTCgswXUihgeBz4Z2JJbjJkgG4Igj&uFNl=XPclnfQPULv
    http://www.executivetravelandlogistics.com/n6g4/?p0D=GLoe/4UCmwC7HlqyZw3VEquRQI9a0MrOtnwix5hO8JL11MHqKzLvDjNwgO7O9nDHqKf/RaLP&uFNl=XPclnfQPULv - rule_id: 17245
    http://www.moment4miracles.com/n6g4/?p0D=PsntvU6v4CRkSuqaFHZW0pb5PTAK+hbatLrgbJuIkT0ZTI72gQG9OaDIbkaiFRK5RvhsvPxb&uFNl=XPclnfQPULv - rule_id: 17833
    http://www.bldh45.xyz/n6g4/?p0D=er/aW89hqZ/x2jPnh32zztWhmYSSn5MxbIy54W/3LVEYBqAoUdX3JCn0upO7r/Zv4Uhzd0tX&uFNl=XPclnfQPULv - rule_id: 17831
    http://www.employeebnsf.com/n6g4/?p0D=/8Ga1vKGX5EU/V/vBfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGFkeqd0AB3P/UBWI+Fxa&uFNl=XPclnfQPULv - rule_id: 17247
    http://www.lojas-marias.com/n6g4/?p0D=TLEfg0hRnrZPcnYqH+5VOmv8AlAgrPRjTjTVBNqqBZfa0++7AI5xrB+dAMg9LLi6clhi6lha&uFNl=XPclnfQPULv - rule_id: 17249
    http://www.alcosto.club/n6g4/?p0D=2el/ot7c5YMBGOF4tAPHNftfrICusYpqYK7DNkJepwGfwFVVH29M1MFuPNXmLzoTPja39Bx2&uFNl=XPclnfQPULv - rule_id: 17250
  Hosts (16):
    www.6084pinelake.info(3.33.152.147)
    www.moment4miracles.com(208.91.197.27)
    www.employeebnsf.com(185.53.179.171)
    www.admincost.com()
    www.bldh45.xyz(35.241.47.216)
    www.alcosto.club(34.102.136.180)
    www.lojas-marias.com(23.227.38.74)
    www.executivetravelandlogistics.com(34.102.136.180)
    www.agelessfish.com(134.122.225.195)
    15.197.142.173 - mailcious
    185.53.179.171 - mailcious
    208.91.197.27 - mailcious
    134.122.225.195
    34.102.136.180 - mailcious
    23.227.38.74 - mailcious
    35.241.47.216 - mailcious
  Alerts (2):
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING Request to .XYZ Domain with Minimal Headers
  URL rules (7):
    http://www.6084pinelake.info/n6g4/
    http://www.executivetravelandlogistics.com/n6g4/
    http://www.moment4miracles.com/n6g4/
    http://www.bldh45.xyz/n6g4/
    http://www.employeebnsf.com/n6g4/
    http://www.lojas-marias.com/n6g4/
    http://www.alcosto.club/n6g4/
  13.4 | M | 20 | ZeroCERT

30915 | 2022-05-20 13:40 | vbc.exe | f3ef43446e2e9b54be156d5ae18d1214
  Tags: RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
  URLs (2):
    http://www.appalachianfamilies.com/m9y5/?CP=+GD5YjtNV3eBccK7v9j8+5BUhNuKhWFlggCG8cTNFwe9NUAu8inL5YcmfWpeGLNSOFl7n1EC&nX=Sxl0iBPp_L-dm - rule_id: 17618
    http://www.upliftpropertysolutions.com/m9y5/?CP=4hBvWVqdO7NkLwKn7Cs9qmiEXogQ5h4Zhb3ZWCa7rGh5XOap+o/EVmkkjDV1biy8cAzHq7Hk&nX=Sxl0iBPp_L-dm
  Hosts (4):
    www.upliftpropertysolutions.com(85.92.66.248)
    www.appalachianfamilies.com(74.220.199.6)
    74.220.199.6 - mailcious
    85.92.66.248
  Alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  URL rules (1):
    http://www.appalachianfamilies.com/m9y5/
  8.8 | M | 40 | ZeroCERT