32986 | 2022-03-30 00:21 | https://tdwcontent.telkomsel.c... 0582129c935566982f5fa309fe6fb379 | AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2 | tdwcontent.telkomsel.com(43.255.196.163) 43.255.196.163
2 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | Greytroya

32987 | 2022-03-30 00:19 | https://tdwcontent.telkomsel.c... 0582129c935566982f5fa309fe6fb379 | AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2 | tdwcontent.telkomsel.com(202.3.208.121) 202.3.208.121
2 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | guest

32988 | 2022-03-29 22:17 | H6xxeLefX1I2vgJFM1Y 7eee2607e8e08b3716c0e91b553682a6 | Malicious Packer Malicious Library UPX OS Processor Check DLL PE32 PE File Dridex TrickBot VirusTotal Malware Report Checks debugger ICMP traffic RWX flags setting unpack itself Kovter ComputerName RCE DNS
26 |
10 | ET CNC Feodo Tracker Reported CnC Server group 2 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 8 ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 18 ET CNC Feodo Tracker Reported CnC Server group 20
5.4 | M | 14 | ZeroCERT

32989 | 2022-03-29 22:15 | SCAN959_00079.xls 93bf45cf075f4d8e690046ba964e348f | Excel with Emotet MS_Excel_Hidden_Macro_Sheet Malicious Packer Malicious Library UPX MSOffice File OS Processor Check DLL PE32 PE File Malware download Dridex TrickBot VirusTotal Malware Report AutoRuns Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Auto service suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Kovter Windows Exploit ComputerName DNS crashed
3 | http://drvishalchestclinic.com/wp-includes/SqqCZQ6y2uyFF/ - rule_id: 15413 http://funestotal.com/5aclo1em/21U/ - rule_id: 15416 http://g-wizcomputers.com/party/61W0ovBu86/ - rule_id: 15414
21 |
11 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 15 ET CNC Feodo Tracker Reported CnC Server group 20 ET POLICY PE EXE or DLL Windows file download HTTP ET CNC Feodo Tracker Reported CnC Server group 4 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 ET INFO EXE - Served Attached HTTP ET CNC Feodo Tracker Reported CnC Server group 5 ET CNC Feodo Tracker Reported CnC Server group 12
3 | http://drvishalchestclinic.com/wp-includes/SqqCZQ6y2uyFF/ http://funestotal.com/5aclo1em/21U/ http://g-wizcomputers.com/party/61W0ovBu86/
10.4 | M | 16 | ZeroCERT

32990 | 2022-03-29 22:09 | top.exe 3f6d29bb9a3ddd6cb68799ddc458d147 | Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself
2.0 | 39 | ZeroCERT

32991 | 2022-03-29 22:05 | SCAN959_00079.xls 93bf45cf075f4d8e690046ba964e348f | PWS[m] Excel with Emotet MS_Excel_Hidden_Macro_Sheet ScreenShot KeyLogger AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself
6 |
2.6 | 16 | ZeroCERT

32992 | 2022-03-29 22:03 | BB7 9a7ac94938452767041f763270f313e2 | Malicious Packer Malicious Library UPX OS Processor Check DLL PE32 PE File Dridex TrickBot VirusTotal Malware Report Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS
28 |
10 | ET CNC Feodo Tracker Reported CnC Server group 19 ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 8 ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 18
5.8 | 13 | ZeroCERT

32993 | 2022-03-29 18:45 | fattura richiesta offerta 0022... b1e6b5e71c78e1ced0f1202c45d52ec3 | RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key crashed
2.4 | 16 | ZeroCERT

32994 | 2022-03-29 18:44 | exploit.html aab78c3ac73fe6c1e3440793f9f2fde0 | AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.8 | ZeroCERT

32995 | 2022-03-29 18:42 | csrss.exe 52352e2a92e0f413f7d97051580823c9 | RAT UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName Cryptographic key
6 |
6 | www.junkremovallawrencevillega.com(199.34.228.68) www.mackinko.com(103.138.88.26) www.mytravelsday1.xyz(173.214.240.15) 103.138.88.26 173.214.240.15 199.34.228.68
2 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
12.8 | M | 28 | ZeroCERT

32996 | 2022-03-29 18:39 | vbc.exe 2bc50055320d813246c25f14af24ad43 | Loki Malicious Library UPX PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
1 | http://sempersim.su/ge3/fre.php - rule_id: 15192
2 | sempersim.su(193.124.118.77) - malicious 193.124.118.77 - malicious
9 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://sempersim.su/ge3/fre.php
9.2 | M | 29 | ZeroCERT

32997 | 2022-03-29 18:37 | vbc.exe 2452325885751050fd5e987386068a06 | Malicious Library UPX PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
1 | http://sempersim.su/bb/fre.php
2 | sempersim.su(193.124.118.77) - malicious 193.124.118.77 - malicious
9 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
9.4 | M | 35 | ZeroCERT

32998 | 2022-03-29 18:36 | vbc.exe 064fd42a1630d44f682005a653d323af | RAT PWS .NET framework AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware Phishing suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
7 |
16 |
2 | ET MALWARE FormBook CnC Checkin (GET) ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017
8.0 | M | 22 | ZeroCERT

32999 | 2022-03-29 18:35 | vbc.exe 156005b919d333c1f8c84128803fca45 | Malicious Library UPX PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | http://62.197.136.176/userbob/five/fre.php
1 |
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
10.4 | M | 32 | ZeroCERT

33000 | 2022-03-29 18:33 | vet.exe be5a9260212bf1ad09d582507cd83c31 | PWS[m] PWS .NET framework Generic Malware task schedule UPX Antivirus Create Service DGA Socket ScreenShot DNS Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate privileges FTP Http API AntiDebug AntiVM .NET E VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key
12.0 | M | 20 | ZeroCERT