30976 | 2022-05-20 10:37 | vbc.exe | MD5 cf67271f2b35c9db343f08eba81c2408
Tags: PWS[m] RAT Hide_EXE SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
Hosts (2): us2.smtp.mailhostbox.com(162.222.225.29); 162.222.225.16
Alerts (2): SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 15.2 | 34 | ZeroCERT

30977 | 2022-05-20 10:36 | 52.exe | MD5 244646cab529a829e48f3120d716e82c
Tags: PWS[m] RedLine stealer[m] UPX Malicious Library AntiDebug AntiVM PE32 OS Processor Check PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (2): transfer.sh() - malware; 193.106.191.253 - mailcious
Alerts (2): ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh); ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
Score: 10.6 | 26 | ZeroCERT

30978 | 2022-05-20 10:34 | vbc.exe | MD5 ecf727ab04283bb4eff09cf58a47f38d
Tags: PWS[m] SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
Score: 9.4 | 32 | ZeroCERT

30979 | 2022-05-20 10:34 | E3406792198.xls | MD5 6fa95c9fc12894519b4332e029f564db
Tags: PWS[m] MS_Excel_Hidden_Macro_Sheet ScreenShot KeyLogger AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself
Score: 2.8 | 25 | guest

30980 | 2022-05-20 10:11 | edi.vbs | MD5 f2fd3e3b8ea581fef8c483c2dad1546d
Tags: AgentTesla PWS[m] Gen2 browser info stealer Generic Malware Google Chrome User Data Antivirus Malicious Packer Malicious Library Create Service Socket DNS Internet API Code injection Sniff Audio KeyLogger Downloader Escalate priviledges Hide_URL AntiDebug VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process AppData folder Windows ComputerName DNS Cryptographic key
URLs (4):
  http://geoplugin.net/json.gp
  http://192.210.149.242/favicon.ico
  http://192.210.149.242/nokey.txt
  http://192.210.149.242/nokey.jpg
Hosts (7): geoplugin.net(178.237.33.50); google.com(172.217.161.78); eter101.dvrlists.com(79.134.225.82) - mailcious; 142.251.42.142; 178.237.33.50; 192.210.149.242; 79.134.225.82 - mailcious
Score: 16.4 | 3 | ZeroCERT

30981 | 2022-05-20 09:51 | a | MD5 ed13c0f818722108fed4022b48bca1b9
Tags: Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot ENERGETIC BEAR Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process Kovter Windows ComputerName DNS crashed
Hosts (10): 94.23.45.86 - mailcious; 201.94.166.162 - mailcious; 159.65.88.10 - mailcious; 209.97.163.214 - mailcious; 131.100.24.231 - mailcious; 150.95.66.124 - mailcious; 173.239.37.178 - mailcious; 172.105.70.96 - mailcious; 149.56.131.28 - mailcious; 89.29.244.7 - mailcious
Alerts (5): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET INFO TLS Handshake Failure; ET CNC Feodo Tracker Reported CnC Server group 6; ET CNC Feodo Tracker Reported CnC Server group 24; ET CNC Feodo Tracker Reported CnC Server group 5
Score: 7.0 | ZeroCERT

30982 | 2022-05-20 09:49 | 3 | MD5 814c61968eb47e3b94b880c2e9b2a7d9
Tags: Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot ENERGETIC BEAR Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process Kovter Windows ComputerName DNS crashed
Hosts (10): 94.23.45.86 - mailcious; 173.239.37.178 - mailcious; 159.65.88.10 - mailcious; 209.97.163.214 - mailcious; 131.100.24.231 - mailcious; 201.94.166.162 - mailcious; 150.95.66.124 - mailcious; 172.105.70.96 - mailcious; 149.56.131.28 - mailcious; 89.29.244.7 - mailcious
Alerts (5): ET CNC Feodo Tracker Reported CnC Server group 5; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET INFO TLS Handshake Failure; ET CNC Feodo Tracker Reported CnC Server group 6; ET CNC Feodo Tracker Reported CnC Server group 24
Score: 7.0 | ZeroCERT

30983 | 2022-05-20 09:47 | ff.dotm | MD5 b27e7d922dc99ea500f129ebe4fdcd3c
Tags: VBA_macro Malicious Library Word 2007 file format(docx) PE32 PE File Malware download VirusTotal Malware AutoRuns Checks debugger WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder Windows Exploit ComputerName crashed
URLs (1):
  http://ajoa.org/home/error/tmp/VV.tmp
Hosts (2): ajoa.org(103.141.96.117); 103.141.96.117
Alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
Score: 9.0 | 25 | ZeroCERT

30984 | 2022-05-20 09:46 | VV.tmp | MD5 7ece5b64d1c796869435a2d6eb5dbd3b
Tags: Malicious Library PE32 PE File VirusTotal Malware
Score: 1.4 | 32 | ZeroCERT

30985 | 2022-05-20 07:39 | https://malware.me/analysis/up... | MD5 3cd4478ada7ba0ce0e9a0f3a82a53dae
Tags: PWS[m] Anti_VM Create Service DGA Socket ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate priviledges persistence FTP Http API AntiDebug AntiVM BitCoin icon PNG Format MSOffice F Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (50):
  https://malware.me/static/js/cuckoo/analysis_network.js
  https://malware.me/static/fonts/Roboto_normal_300_default.woff
  https://malware.me/static/plugins/pace-progress/pace.min.js
  https://malware.me/static/js/cuckoo/analysis_feedback.js
  https://malware.me/static/custom/js/jquery-ui.min.js
  https://malware.me/static/js/cuckoo/rdp.js
  https://malware.me/static/js/handlebars-templates.js
  https://malware.me/static/fonts/fa-solid-900.eot?
  https://malware.me/static/plugins/bootstrap/js/bootstrap.bundle.min.js
  https://malware.me/static/fonts/Roboto_normal_400_default.woff
  https://malware.me/static/js/cuckoo/loader.js
  https://malware.me/favicon.ico
  https://malware.me/static/js/cuckoo/analysis_sidebar.js
  https://malware.me/static/plugins/fontawesome-free/webfonts/fa-regular-400.eot?
  https://malware.me/static/css/main.css
  https://malware.me/static/fonts/Roboto_italic_400_default.woff
  https://malware.me/static/plugins/pace-progress/themes/black/pace-theme-flat-top.css
  https://malware.me/static/lightslider/lightgallery-all.min.js
  https://malware.me/static/js/hexdump.js
  https://malware.me/static/lightslider/lightslider.js
  https://malware.me/static/custom/js/datepicker-ko.js
  https://malware.me/static/dist/js/adminlte.js
  https://malware.me/static/plugins/toastr/toastr.min.css
  https://malware.me/static/js/cuckoo/submission.js
  https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700
  https://malware.me/static/plugins/fontawesome-free/webfonts/fa-solid-900.eot?
  https://malware.me/static/dist/css/adminlte.min.css
  https://malware.me/analysis/upload/
  https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css
  https://malware.me/static/js/cuckoo/process_tree.js
  https://malware.me/static/fonts/fa-regular-400.eot?
  https://fonts.gstatic.com/s/sourcesanspro/v21/6xK1dSBYKcSV-LCoeQqfX1RYOo3qPZ7nsDQ.woff
  https://fonts.gstatic.com/s/sourcesanspro/v21/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdo.woff
  https://malware.me/static/js/vendor.js
  https://malware.me/static/fonts/fa-light-300.eot?
  https://malware.me/static/js/cuckoo/app.js
  https://malware.me/static/fonts/Roboto_normal_700_default.woff
  https://malware.me/static/fonts/Roboto_normal_500_default.woff
  https://malware.me/static/custom/css/screen_variablilty.css
  https://malware.me/static/plugins/toastr/toastr.min.js
  https://malware.me/static/js/cuckoo/sticky.js
  https://malware.me/static/plugins/fontawesome-free/webfonts/fa-brands-400.eot?
  https://malware.me/static/custom/js/jquery-1.11.0.min.js
  https://malware.me/static/plugins/fontawesome-free/css/all.min.css
  https://malware.me/img/profile/logo.png
  https://malware.me/static/fonts/fa-brands-400.eot?
  https://fonts.gstatic.com/s/sourcesanspro/v21/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7j.woff
  https://malware.me/static/js/cuckoo/recent.js
  https://malware.me/static/fonts/fontawesome-webfont.eot?
  https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/fonts/fontawesome-webfont.eot?
Hosts (10): fonts.gstatic.com(142.251.42.131); maxcdn.bootstrapcdn.com(104.18.11.207); fonts.googleapis.com(172.217.161.42); malware.me(175.208.134.152); code.ionicframework.com(104.26.7.173); 104.18.11.207; 175.208.134.152; 172.67.69.29; 172.217.174.99; 172.217.31.138
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 4.6 | guest

30986 | 2022-05-20 00:39 | .rels | MD5 77bf61733a633ea617a4db76ef769a4d
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed
Score: 3.8 | guest

30987 | 2022-05-20 00:39 | .rels | MD5 77bf61733a633ea617a4db76ef769a4d
Tags: PWS[m] Create Service DGA Socket ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate priviledges persistence FTP Http API AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.8 | guest

30988 | 2022-05-20 00:38 | [Content_Types].xml | MD5 f1a40fee6c937b83ef04e859e2067ef0
Tags: PWS[m] Create Service DGA Socket ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate priviledges persistence FTP Http API AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 4.2 | guest

30989 | 2022-05-20 00:37 | [Content_Types].xml | MD5 f1a40fee6c937b83ef04e859e2067ef0
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed
Score: 3.8 | guest

30990 | 2022-05-19 11:42 | PO4550358074.exe | MD5 ed9c16720462e8381b5048cd57be1532
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder suspicious TLD DNS
URLs (21):
  http://www.honeyinunft.com/tgdh/?k2JxtP=TqoYW0fOJihoF3UKpMlpyZlHfa4RvvaBUQpvqsbGjFo+t73YbufxeK2PYWYBnEP2gjDF146r&uFQh=XP7HLl20&Tzpd=2dfh-nup
  http://www.honeyinunft.com/tgdh/
  http://www.stickscollar.com/tgdh/?k2JxtP=acGlUfVkWmWVflw+xL35pCNy6pbIrLuDAngQu8VWTg1Pd/+K/gQWDJIUeRN5jeJoZfAMJ4xt&uFQh=XP7HLl20&NHpC=nd5PivY8
  http://www.qw8932.com/tgdh/
  http://www.qw8932.com/tgdh/?k2JxtP=qCV3iQ0ufCbpWNcM4knPsvCf0UQaQuK51EGTEDWEFSV6jG3FPv9fitElvjSK6TaWL/16TsB3&uFQh=XP7HLl20&0yCp=RV0dqLcx
  http://www.szlgi.com/tgdh/
  http://www.socialcrayons.com/tgdh/?k2JxtP=AkIp2eED1pFiXkYOGYOKBgSrvoJlM7uPGyhWbVOCo5bSOQOUdmVeAfL8gFnbOTwfh1JuFvs5&uFQh=XP7HLl20&5yJZ=zrzh-DVP
  http://www.socialcrayons.com/tgdh/
  http://www.smonique.com/tgdh/?k2JxtP=6IzDNvq36e1W8CiJ1NlVZuy5vYNCYHHTzCVE35nOSEe2qUNdEDdqHjuFWccjs6VEiGwwaE+o&uFQh=XP7HLl20
  http://www.bodi8.com/tgdh/?k2JxtP=J/eqBrpct+Kk/auyfiqnSEJ+qWIzLtvE8+dCz5RBLwfTGJ2f8ZgY8phsveO8f7cUlUokmJkq&uFQh=XP7HLl20&xUuI=p0Dl2LoX
  http://www.disneyy.online/tgdh/?k2JxtP=yTnVb2tg7ARKFX050KVe//mT5Ff12juh011QKHkYix65bxDVqf807Xrt0Hcx6eNyVazFzzpR&uFQh=XP7HLl20&544f=SdaHplfx
  http://www.lychee.solutions/tgdh/
  http://www.vernshandmade.com/tgdh/?k2JxtP=bQnQKnB1Ss+iIFTY4P53xmPXEpjrMWsWSs3GF18+WwXvqWynx9MRCd3hJcujecrJ+mv2Gevf&uFQh=XP7HLl20&UxKD=PPjTRh4X
  http://www.stickscollar.com/tgdh/
  http://www.bodi8.com/tgdh/
  http://www.vernshandmade.com/tgdh/
  http://www.szlgi.com/tgdh/?k2JxtP=bFL4NVDPP6VXdXY1SuzpzbtqiYPh46YkADVXKhWcMTcVUEMkMAxmZVfC1gNuxZV64OhS4btR&uFQh=XP7HLl20&u4Ku=4h04eLjX
  http://www.lychee.solutions/tgdh/?k2JxtP=UlKbuswi2Y15wEsv3lQ89d1PQ+7W2P8S37KfK5fMXAO8xBwAZ7A9X+0QBphQ8KC7Yj0SKJjN&uFQh=XP7HLl20&KrJW=t8YXKti8
  http://www.newsday12pm.com/tgdh/
  http://www.disneyy.online/tgdh/
  http://www.newsday12pm.com/tgdh/?k2JxtP=kFYRd19Y/IGJExFm6fi2CUZfsI+Ckpr7ZH9KQmVx4J4ZUzYwZeKOilpKXgelWXKThK9aOv5U&uFQh=XP7HLl20&CSiH=FFNdbJQ0
Hosts (25): www.eversonexhaust.com(); www.smonique.com(162.0.216.71); www.socialcrayons.com(34.102.136.180); www.disneyy.online(104.21.73.18); www.tyoods.top(); www.stickscollar.com(209.74.108.198); www.honeyinunft.com(198.54.117.216); www.newsday12pm.com(45.252.249.58); www.vernshandmade.com(203.146.252.150); www.szlgi.com(170.178.194.226); www.qw8932.com(93.179.125.22); www.bodi8.com(23.227.38.74); www.avakuma.com(); www.lychee.solutions(213.186.33.5); 45.252.249.58; 170.178.194.226; 34.102.136.180 - mailcious; 213.186.33.5 - mailcious; 198.54.117.216 - phishing; 162.0.216.71; 203.146.252.150; 172.67.137.72; 93.179.125.22; 209.74.108.198; 23.227.38.74 - mailcious
Alerts (3): ET DNS Query to a *.top domain - Likely Hostile; ET MALWARE FormBook CnC Checkin (POST) M2; ET MALWARE FormBook CnC Checkin (GET)
Score: 7.2 | 34 | ZeroCERT