31006 | 2022-05-19 11:21
File: iU2SYlfYxsk
MD5: 918fd1f190f9e56b690e0112e80cada4
Tags: UPX, Malicious Library, OS Processor Check, DLL, PE File, PE64, AutoRuns, Checks debugger, unpack itself, Auto service, suspicious process, AntiVM_Disk, sandbox evasion, VM Disk Size Check, Windows, ComputerName, DNS, crashed
URLs: none listed
Hosts (1):
  104.21.40.196 - malicious
Signatures: none listed
Score: 5.6 | VT: -
Source: ZeroCERT

31007 | 2022-05-19 11:20
File: 12b567fef82d514a049230185bd089...
MD5: ff28458c69cbc9c12e64266bf2f7af40
Tags: Emotet, UPX, Malicious Packer, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal Malware, Check memory, Check virtual network interfaces, Tofsee
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (5):
  apps.identrust.com (119.207.65.9)
  v.xyzgamev.com (104.21.40.196) - malicious
  121.254.136.57
  172.67.188.70
  104.21.40.196 - malicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.2 | VT: 20
Source: ZeroCERT
Note: the only URL is the IdenTrust DST Root CA X3 certificate (.p7c), which Windows fetches through a certificate's Authority Information Access pointer while building a chain. It is background noise, not C2. The malicious indicators in this record are the v.xyzgamev.com resolution and the Tofsee JA3 match.

31008 | 2022-05-19 11:20
File: 2351ab4dd6c480c070926ef53ee7a5...
MD5: 12ef3ea1955d62e8ab5bb604966972cb
Tags: Emotet, UPX, Malicious Packer, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal Malware, Check memory, unpack itself, Check virtual network interfaces, Tofsee, DNS
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (5):
  apps.identrust.com (119.207.65.81)
  v.xyzgamev.com (104.21.40.196) - malicious
  182.162.106.33 - malware
  172.67.188.70
  121.254.136.57
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.2 | VT: 27
Source: ZeroCERT

31009 | 2022-05-19 11:18
File: po kipo000903 ( kind122822 )....
MD5: 22bde89a8afcad7436370bcbc8a6b1ea
Tags: UPX, Malicious Library, PE32, PE File, OS Processor Check, FormBook, Malware download, VirusTotal Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder
URLs (11):
  http://www.manly-inc.net/tgdh/?oXL=T2hyiT4yGRSJySXgvQ92ynvHZeFzcAvRrmHKTRNyhOIVdtUvfNniaBMnD2YE3Kp/ivsTupKs&GFNL6=9rzX0zMPGJe
  http://www.smonique.com/tgdh/?oXL=6IzDNvq36e1W8CiJ1NlVZuy5vYNCYHHTzCVE35nOSEe2qUNdEDdqHjuFWccjs6VEiGwwaE+o&GFNL6=9rzX0zMPGJe
  http://www.socialcrayons.com/tgdh/
  http://www.socialcrayons.com/tgdh/?oXL=AkIp2eED1pFiXkYOGYOKBgSrvoJlM7uPGyhWbVOCo5bSOQOUdmVeAfL8gFnbOTwfh1JuFvs5&GFNL6=9rzX0zMPGJe&5yJZ=qPX87RDh
  http://www.stickscollar.com/tgdh/?oXL=acGlUfVkWmWVflw+xL35pCNy6pbIrLuDAngQu8VWTg1Pd/+K/gQWDJIUeRN5jeJoZfAMJ4xt&GFNL6=9rzX0zMPGJe&NHpC=KtxXAba0
  http://www.progress-storage.com/tgdh/?oXL=1JFI+sqiJ53F/4r74AU6bnX0zMJGF2EjLTuIZSF/OAKO4l5yELQ4TKKxTaKAtUH5lAUlWY7l&GFNL6=9rzX0zMPGJe
  http://www.disneyy.online/tgdh/?oXL=yTnVb2tg7ARKFX050KVe//mT5Ff12juh011QKHkYix65bxDVqf807Xrt0Hcx6eNyVazFzzpR&GFNL6=9rzX0zMPGJe
  http://www.stickscollar.com/tgdh/
  http://www.vernshandmade.com/tgdh/?oXL=bQnQKnB1Ss+iIFTY4P53xmPXEpjrMWsWSs3GF18+WwXvqWynx9MRCd3hJcujecrJ+mv2Gevf&GFNL6=9rzX0zMPGJe
  http://www.youruaect.com/tgdh/?oXL=tZMPgU44/UyTvdlqydmrTmAWwCRIROfEbKPJDsOmrPCduNJSVa0bYRNrW2VwMflX5av73nuO&GFNL6=9rzX0zMPGJe
  http://www.lychee.solutions/tgdh/?oXL=UlKbuswi2Y15wEsv3lQ89d1PQ+7W2P8S37KfK5fMXAO8xBwAZ7A9X+0QBphQ8KC7Yj0SKJjN&GFNL6=9rzX0zMPGJe
Hosts (22):
  www.socialcrayons.com (34.102.136.180)
  www.cestvotrejourdechance.com (no resolution)
  www.disneyy.online (104.21.73.18)
  www.progress-storage.com (156.241.118.187)
  www.youruaect.com (208.91.197.91)
  www.manly-inc.net (103.224.182.242)
  www.vernshandmade.com (203.146.252.150)
  www.stickscollar.com (209.74.108.198)
  www.didgaulab2.net (no resolution)
  www.lychee.solutions (213.186.33.5)
  www.smonique.com (162.0.216.71)
  www.ymhw.red (160.124.149.174)
  160.124.149.174
  104.21.73.18
  34.102.136.180 - malicious
  156.241.118.187
  162.0.216.71
  203.146.252.150
  213.186.33.5 - malicious
  209.74.108.198
  103.224.182.242 - phishing
  208.91.197.91 - malicious
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET MALWARE FormBook CnC Checkin (POST) M2
Score: 8.0 | VT: 42
Source: ZeroCERT

31010 | 2022-05-19 11:17
File: 14b4e4efa6b587ddde956d90e1b979...
MD5: 49a3826a6ddfce6b29f76a6c58feb336
Tags: Emotet, UPX, Malicious Packer, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal Malware, Check memory, Check virtual network interfaces, Tofsee
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  apps.identrust.com (119.207.65.74)
  v.xyzgamev.com (172.67.188.70) - malicious
  172.67.188.70
  121.254.136.27
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.2 | VT: 25
Source: ZeroCERT

31011 | 2022-05-19 11:16
File: .winlogon.exe
MD5: 23d55ec743bb3c696c73ac8e3c8266f1
Tags: PWS[m], RAT, PWS, .NET framework, email stealer, Socket, DNS, Code injection, KeyLogger, Downloader, Escalate privileges, persistence, AntiDebug, AntiVM, PE32, .NET EXE, PE File, VirusTotal Malware, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, DNS, Cryptographic key, crashed
Network entries (1): not captured on the page
Signatures: none listed
Score: 9.8 | VT: 43
Source: ZeroCERT

31012 | 2022-05-19 11:14
File: dialozx.exe
MD5: e6cebdd29b713d054f636e09fa411924
Tags: Formbook, RAT, PWS, .NET framework, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, DNS, Cryptographic key
URLs (7):
  http://www.androidviews.info/emc3/?ETmlgZ0=e45CG1ebRoxFNLB0uj39KBwfUwRmjh7RGoMQSbWlusxAluE+iEx7u65RPUKqZmZtHm0ABwKd&VR-D4=3fgT8DnpTzVxuFb0
  http://www.fahrdienste-mattes.com/emc3/?ETmlgZ0=VWGEB2RJN0aBlqpDnbPaL1ZYx8rb1HY+Lg9+s9DCK846PkwUCCnDgE7CEHdlA8yVzzXekGKY&VR-D4=3fgT8DnpTzVxuFb0
  http://www.yuanchengkefu.com/emc3/?ETmlgZ0=5dOpH4ZLXu7gqsZ1flpEJSy5/LdZ10xjI/yeO+bfe65iP0yAbHsFfKBj2VicXLRb9n8+MeCp&VR-D4=3fgT8DnpTzVxuFb0
  http://www.statuspropertyservices.com/emc3/?ETmlgZ0=L+osWNdBydeTWGsDxkWeGaaIoWhBVYSxnk3gwfJ7GUe0C6XIFVSc6vAKacCYfLhhZ3toJh8T&VR-D4=3fgT8DnpTzVxuFb0
  http://www.vidacompany.online/emc3/?ETmlgZ0=Wr+JZRbgWq8n141kzlZzfyAzhWF5y3sTWd/JKuONDjuieCbQIZ0fkxqUUD3uLS1bgZ3dn43u&VR-D4=3fgT8DnpTzVxuFb0
  http://www.paymenttoken.exchange/emc3/?ETmlgZ0=In3q5fcwqfPUvIHvOEXuZgrE0wtHaKVHhhvBmOU+LsTRa5uEC8dn2fxMD9iffVuCL4HwS9wl&VR-D4=3fgT8DnpTzVxuFb0
  http://www.wloss5.site/emc3/?ETmlgZ0=tutBWMuEJTf8A7Qc2ebCBrBxG29piEEoH/p8OEQeRwYbe/gCmuxD82r91jZBNY0a3k8CYQHG&VR-D4=3fgT8DnpTzVxuFb0
Hosts (18):
  www.conferencecloud-sek.net (no resolution)
  www.androidviews.info (162.213.251.164)
  www.fahrdienste-mattes.com (81.169.145.84)
  www.statuspropertyservices.com (66.210.173.37)
  www.paymenttoken.exchange (3.133.215.23)
  www.vidacompany.online (2.57.90.16)
  www.yuanchengkefu.com (152.32.213.254)
  www.wloss5.site (207.180.207.140)
  www.seeyoursitemap.com (no resolution)
  152.32.213.254
  81.169.145.84 - malicious
  172.67.188.70
  121.254.136.27
  3.134.153.35
  2.57.90.16 - malicious
  207.180.207.140
  162.213.251.164
  66.210.173.37
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 9.0 | VT: 35
Source: ZeroCERT

31013 | 2022-05-19 11:14
File: vbc.exe
MD5: 5163d334cdd1a55b19385ed4ad0f1d3a
Tags: UPX, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal Malware, PDB, unpack itself, RCE
URLs/Hosts/Signatures: none listed
Score: 2.4 | VT: 32
Source: ZeroCERT

31014 | 2022-05-19 11:14
File: vbc.exe
MD5: 0ee2a81aae42ac9b413f02979c6ce6f9
Tags: HermeticWiper, UPX, Malicious Library, PE32, PE File, VirusTotal Malware, PDB, unpack itself, RCE
URLs/Hosts/Signatures: none listed
Score: 2.4 | VT: 45
Source: ZeroCERT

31015 | 2022-05-19 11:12
File: mine2.exe
MD5: be75e9e51767b5a59536afbbf9ffafbc
Tags: Confuser .NET, PE File, PE64, VirusTotal Malware, MachineGuid, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, ComputerName, DNS
Network entries (1): not captured on the page
Signatures: none listed
Score: 4.4 | VT: 28
Source: ZeroCERT

31016 | 2022-05-19 11:12
File: 40eaec2198d3972b509c91a36cf992...
MD5: 86b68c244c6185ec27764e88709246d3
Tags: Emotet, UPX, Malicious Packer, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal Malware, Check memory, Check virtual network interfaces, Tofsee
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  apps.identrust.com (119.207.65.153)
  v.xyzgamev.com (172.67.188.70) - malicious
  172.67.188.70
  121.254.136.27
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.2 | VT: 21
Source: ZeroCERT

31017 | 2022-05-19 11:12
File: 9b4c8b3c378343f781a61a72f36d75...
MD5: 03ff2a4a17ca497d23b742ebb1c07346
Tags: Emotet, UPX, Malicious Packer, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal Malware, Check memory, unpack itself, Check virtual network interfaces, Tofsee
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  apps.identrust.com (119.207.65.153)
  v.xyzgamev.com (104.21.40.196) - malicious
  172.67.188.70
  121.254.136.57
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.6 | VT: 21
Source: ZeroCERT

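The SSLBL signature that fires on records 31007, 31008, 31010, 31016 and 31017 matches the MD5 of the client's JA3 string, which is built from the ClientHello's version, cipher list, extension list, supported groups and EC point formats, with GREASE values dropped. The Python below is an added example, not code from this page or from the sandbox that produced these reports: it assembles a constructed ClientHello, derives its JA3 string and hash, and checks the hash against a blocklist whose single entry is constructed for the demonstration (it is not the real SSLBL Tofsee hash).

```python
import hashlib
import struct

# GREASE values (RFC 8701). The JA3 reference implementation drops them so that a
# client's randomised GREASE placement does not change its fingerprint.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _u16s(buf: bytes) -> list:
    """Decode a byte string as a list of big-endian uint16 values."""
    n = len(buf) // 2
    return list(struct.unpack(">%dH" % n, buf[: 2 * n]))


def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9 : 9 + int.from_bytes(record[6:9], "big")]
    pos = 0
    version = struct.unpack(">H", body[pos : pos + 2])[0]; pos += 2
    pos += 32                               # client random
    pos += 1 + body[pos]                    # session id
    cs_len = struct.unpack(">H", body[pos : pos + 2])[0]; pos += 2
    ciphers = [c for c in _u16s(body[pos : pos + cs_len]) if c not in GREASE]; pos += cs_len
    pos += 1 + body[pos]                    # compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):
        ext_len = struct.unpack(">H", body[pos : pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos : pos + 4]); pos += 4
            edata = body[pos : pos + elen]; pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                 # supported_groups
                n = struct.unpack(">H", edata[:2])[0]
                groups = [g for g in _u16s(edata[2 : 2 + n]) if g not in GREASE]
            elif etype == 11:               # ec_point_formats
                formats = list(edata[1 : 1 + edata[0]])
    ja3 = ",".join([str(version), "-".join(map(str, ciphers)), "-".join(map(str, ext_types)),
                    "-".join(map(str, groups)), "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record. Used here only to construct test input."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"       # version, random, empty session id
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"          # ciphers, one null compression method
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed ClientHello: TLS 1.2 version field, three real ciphers plus a GREASE one, a
# GREASE extension, SNI, supported_groups (with a GREASE group), ec_point_formats, signature_algorithms.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0x1302, 0x2a2a, 0xc02b],
    [
        (0x2a2a, b"\x00"),
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),
        (10, b"\x00\x06\x0a\x0a\x00\x1d\x00\x17"),
        (11, b"\x01\x00"),
        (13, b"\x00\x04\x04\x03\x08\x04"),
    ],
)

# Constructed blocklist in SSLBL's shape (JA3 MD5 -> listing reason). The entry is derived
# from SAMPLE_HELLO purely for the demonstration; it is not the real SSLBL Tofsee hash.
BLOCKLIST = {ja3_from_client_hello(SAMPLE_HELLO)[1]: "Tofsee (constructed entry)"}


def check_client_hello(record: bytes, blocklist: dict = BLOCKLIST):
    """Return the blocklist reason for the record's JA3 hash, or None when it is not listed."""
    _, digest = ja3_from_client_hello(record)
    return blocklist.get(digest)


if __name__ == "__main__":
    ja3, digest = ja3_from_client_hello(SAMPLE_HELLO)
    print(ja3, digest, check_client_hello(SAMPLE_HELLO))
```

The string form is what to compare when two sensors disagree: a JA3 collision across unrelated clients is common (the fingerprint describes the TLS library, not the program), so a SSLBL hit on a commodity library fingerprint is weaker evidence than one on a fingerprint unique to the malware's own TLS stack.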
31018 | 2022-05-19 09:20
File: bta.exe
MD5: 9fef8755cf21e3579b88945398492bf5
Tags: RAT, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (6):
  http://www.thebeautifullifeofthearth.com/sn12/?nPnpM8=+bAqrraOPFP6G7VNldvEvmQlIsf6EpITHpJV0mplF4OII8J3s/Rhv2hUxoigmbYJPULf8A1w&Lh0h=ZTdp6Lqh8 (rule_id 17928)
  http://www.thebeautifullifeofthearth.com/sn12/?nPnpM8=+bAqrraOPFP6G7VNldvEvmQlIsf6EpITHpJV0mplF4OII8J3s/Rhv2hUxoigmbYJPULf8A1w&Lh0h=ZTdp6Lqh8
  http://advanced-ms.ml/n/Vnwayys_Nqgxigqk.bmp
  http://www.mommoth.club/sn12/?nPnpM8=M1FrCRBfZI4URM1OR9+PPRBG9+ZjtDf1KcSpQBV/o5qXUsKvPLp9knFexYRpxxJTz8QEmRaD&Lh0h=ZTdp6Lqh8 (rule_id 17927)
  http://www.mommoth.club/sn12/?nPnpM8=M1FrCRBfZI4URM1OR9+PPRBG9+ZjtDf1KcSpQBV/o5qXUsKvPLp9knFexYRpxxJTz8QEmRaD&Lh0h=ZTdp6Lqh8
  http://www.xlblvd37.xyz/sn12/?nPnpM8=YM3GtV5qVLKpLRh+oYdy1+APxsbC0CfQN910FlDgY/N7Dk/bfVHsGC8BVqJyM7FpwOLWU+uU&Lh0h=ZTdp6Lqh8
Hosts (8):
  www.xlblvd37.xyz (198.251.84.92)
  www.mommoth.club (23.88.111.156)
  advanced-ms.ml (192.185.174.18)
  www.thebeautifullifeofthearth.com (192.0.78.24)
  192.0.78.24 - malicious
  23.88.111.156
  204.188.203.155 - malicious
  192.185.174.18 - malware
Signatures (6):
  ET INFO DNS Query for Suspicious .ml Domain
  ET HUNTING Suspicious Terse Request for .bmp
  ET HUNTING Request to .ML Domain with Minimal Headers
  ET INFO HTTP Request to a *.ml domain
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
URL rule matches (2):
  http://www.thebeautifullifeofthearth.com/sn12/
  http://www.mommoth.club/sn12/
Score: 10.0 | VT: 23
Source: ZeroCERT

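In the FormBook records above (31009, 31012, 31018) every check-in from one sample shares a single first path segment (/tgdh/, /emc3/, /sn12/) and a single query-parameter name across all of its domains, while the .bmp fetch from advanced-ms.ml in 31018 is a one-off download with no query. The Python below is an added example, not code from this page or from the sandbox that produced it: it parses the page's own URL and host field formats, groups the check-in URLs by path segment and query key so that samples can be clustered into campaigns, and separates hosts that resolved from those whose lookup returned nothing. The URL and host samples are copied from the records above (with the sandbox's "- rule_id: N" annotation kept on one entry to show it being stripped); the function names are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Check-in URLs copied from records 31009, 31012 and 31018, plus the .bmp download from 31018.
SAMPLE_URLS = [
    "http://www.manly-inc.net/tgdh/?oXL=T2hyiT4yGRSJySXgvQ92ynvHZeFzcAvRrmHKTRNyhOIVdtUvfNniaBMnD2YE3Kp/ivsTupKs&GFNL6=9rzX0zMPGJe",
    "http://www.socialcrayons.com/tgdh/?oXL=AkIp2eED1pFiXkYOGYOKBgSrvoJlM7uPGyhWbVOCo5bSOQOUdmVeAfL8gFnbOTwfh1JuFvs5&GFNL6=9rzX0zMPGJe&5yJZ=qPX87RDh",
    "http://www.androidviews.info/emc3/?ETmlgZ0=e45CG1ebRoxFNLB0uj39KBwfUwRmjh7RGoMQSbWlusxAluE+iEx7u65RPUKqZmZtHm0ABwKd&VR-D4=3fgT8DnpTzVxuFb0",
    "http://www.mommoth.club/sn12/?nPnpM8=M1FrCRBfZI4URM1OR9+PPRBG9+ZjtDf1KcSpQBV/o5qXUsKvPLp9knFexYRpxxJTz8QEmRaD&Lh0h=ZTdp6Lqh8 - rule_id: 17927",
    "http://advanced-ms.ml/n/Vnwayys_Nqgxigqk.bmp",
]

# Host field in the page's format, taken from a subset of record 31009's entries:
# "name(ip)" is a resolved lookup, "name()" an empty one, a bare IP a contacted address,
# and "- tag" applies to the entry immediately before it.
SAMPLE_HOSTS = (
    "www.socialcrayons.com(34.102.136.180) www.cestvotrejourdechance.com() "
    "www.didgaulab2.net() 34.102.136.180 - malicious 103.224.182.242 - phishing"
)


def clean_url(entry: str) -> str:
    """Strip the sandbox's trailing ' - rule_id: N' annotation from a URL field entry."""
    return entry.split(" - rule_id:")[0].strip()


def formbook_campaigns(entries) -> dict:
    """Group URLs by first path segment, collecting the domains and query keys seen with it.
    A FormBook check-in path plus its query key identifies a campaign; a URL with no query
    (such as the .bmp payload fetch) ends up in a group with an empty key set."""
    groups = defaultdict(lambda: {"domains": set(), "keys": set()})
    for entry in entries:
        u = urlsplit(clean_url(entry))
        segs = [s for s in u.path.split("/") if s]
        if not segs:
            continue
        g = groups[segs[0]]
        g["domains"].add(u.hostname)
        g["keys"].update(k for k, _ in parse_qsl(u.query, keep_blank_values=True))
    return dict(groups)


def parse_hosts(field: str) -> list:
    """Parse the host field into dicts of name, ip and tag."""
    entries, toks, i = [], field.split(), 0
    while i < len(toks):
        t = toks[i]
        if t == "-" and entries and i + 1 < len(toks):
            entries[-1]["tag"] = toks[i + 1]
            i += 2
            continue
        m = re.fullmatch(r"([^()\s]+)\(([\d.]*)\)", t)
        if m:
            entries.append({"name": m.group(1), "ip": m.group(2) or None, "tag": None})
        else:
            entries.append({"name": None, "ip": t, "tag": None})
        i += 1
    return entries


def unresolved(entries) -> list:
    """Domain names whose lookup returned nothing; in FormBook these are often unregistered decoys."""
    return [e["name"] for e in entries if e["name"] and e["ip"] is None]


def tagged_ips(entries) -> dict:
    """Map each contacted IP to the reputation tag the sandbox attached to it."""
    return {e["ip"]: e["tag"] for e in entries if e["ip"] and e["tag"]}


if __name__ == "__main__":
    for seg, g in formbook_campaigns(SAMPLE_URLS).items():
        print(seg, sorted(g["keys"]), sorted(g["domains"]))
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(unresolved(hosts), tagged_ips(hosts))
```

Grouping by the (path segment, query key) pair rather than by domain is the useful pivot here: the domains rotate per build and many of them never resolve, but the pair is constant across every C2 in a sample's list and across samples from the same campaign.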
31019 | 2022-05-19 09:19
File: vbc.exe
MD5: ade32559a442031d0e5040a96639bd66
Tags: UPX, Malicious Library, PE32, OS Processor Check, PE File, VirusTotal Malware, PDB, unpack itself, RCE
URLs/Hosts/Signatures: none listed
Score: 2.6 | VT: 45
Source: ZeroCERT

31020 | 2022-05-19 09:18
File: mine3.exe
MD5: ff72b295ded9889cee24320db368bcf1
Tags: Confuser .NET, PE File, PE64, VirusTotal Malware, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, ComputerName
URLs/Hosts/Signatures: none listed
Score: 3.6 | VT: 24
Source: ZeroCERT