33031 | 2022-03-29 10:04
XC9.exe 401c2310332df57b56b12416be948470
PWS[m] RAT PWS .NET framework email stealer Generic Malware Antivirus DNS Internet API Code injection KeyLogger Downloader Escalate priviledges persistence AntiDebug AntiVM .NET EXE PE File PE32 powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
2
genasispony.publicvm.com(23.226.132.103) - mailcious 23.226.132.103
1
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
11.2 | M | | ZeroCERT

33032 | 2022-03-29 10:02
ghostun.exe 904f6a034bd611111921696a293806d5
Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself DNS
1
2.4 | M | 27 | ZeroCERT

33033 | 2022-03-29 10:00
33.exe 64d7045bb593fcb01e73d22c1cfcc38c
Generic Malware Malicious Packer Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware Check memory Windows DNS DDNS keylogger
2
harveyautos110.ddns.net(104.215.84.159) - mailcious 104.215.84.159 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
3.0 | M | 54 | ZeroCERT

33034 | 2022-03-29 10:00
stp.jpg c57458c975e484181ad2b5f69228ff6d
Malicious Library UPX PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
2
mail.nascosteel.xyz(51.195.105.6) 51.195.105.6
3
SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 30 | ZeroCERT

33035 | 2022-03-29 09:58
Bills.html 102279ff9669e073b6a2641a1d34c6e9
Formbook AntiDebug AntiVM MSOffice File Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 | | | ZeroCERT

33036 | 2022-03-29 09:58
O2Z1HMebIXiHYBBS d4aebb327243895ce7254996bb2f85aa
Malicious Packer Malicious Library UPX OS Processor Check DLL PE File PE32 Dridex TrickBot VirusTotal Malware Report Checks debugger RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS
11
ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 5 ET CNC Feodo Tracker Reported CnC Server group 19 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 15 ET CNC Feodo Tracker Reported CnC Server group 22 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 14
5.8 | M | 18 | ZeroCERT

33037 | 2022-03-29 09:56
vbc.exe c2c50555ad59c413114dc3e71fdcf64c
PWS[m] RAT PWS .NET framework SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
9.6 | M | 18 | ZeroCERT

33038 | 2022-03-29 09:55
root.exe 49085fa9f78999122e55dd7e95f950df
Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself DNS
1
2.4 | M | 27 | ZeroCERT

33039 | 2022-03-29 09:54
e3e30ac5222c12da7593c10aa56bbb... ad565b51665416d2abe47cc462df2dcd
Emotet Malicious Packer Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware Check memory unpack itself Check virtual network interfaces Tofsee RCE
1
http://apps.identrust.com/roots/dstrootcax3.p7c
4
apps.identrust.com(119.207.65.81) v.xyzgamev.com(172.67.188.70) 182.162.106.33 - malware 104.21.40.196
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 32 | ZeroCERT

33040 | 2022-03-29 09:54
vbc.exe 1821678eb54e3802418df29c85bcb0a4
Loki Malicious Library UPX PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1
http://62.197.136.186/oluwa/five/fre.php - rule_id: 14521
1
62.197.136.186 - mailcious
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://62.197.136.186/oluwa/five/fre.php
10.2 | M | 25 | ZeroCERT

33041 | 2022-03-29 09:51
vbc.exe 818109bbfd025ef72c7cb41006ff9e6a
Formbook AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
2
ET MALWARE FormBook CnC Checkin (GET) ET DNS Query to a *.top domain - Likely Hostile
8.0 | M | 16 | ZeroCERT

33042 | 2022-03-29 09:51
sfGsF ac0df56c97c8ccbb36187fd6cf7d6502
Malicious Packer Malicious Library UPX OS Processor Check DLL PE File PE32 Dridex TrickBot VirusTotal Malware Report Checks debugger RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS
11
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 5 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 15 ET CNC Feodo Tracker Reported CnC Server group 22 ET CNC Feodo Tracker Reported CnC Server group 14
5.8 | | 19 | ZeroCERT

33043 | 2022-03-29 09:51
30C 31df52782ab71cab086d403ef124b251
Malicious Packer Malicious Library UPX OS Processor Check DLL PE File PE32 Dridex TrickBot VirusTotal Malware Report Checks debugger RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS
11
ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 5 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 22 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 15
5.8 | | 19 | ZeroCERT

33044 | 2022-03-29 09:49
.csrss.exe c1a9a80852abba625c95128152d311ed
Loki Malicious Library UPX PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself suspicious TLD installed browsers check Browser Email ComputerName DNS Software
1
http://sempersim.su/ge14/fre.php - rule_id: 15195
2
sempersim.su(193.124.118.77) - mailcious 193.124.118.77
9
ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Checkin ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
1
http://sempersim.su/ge14/fre.php
9.6 | M | 25 | ZeroCERT

33045 | 2022-03-29 09:49
jquery.matchHeight.js 8c73009d85d91bf7e8041528942d6ed8
unpack itself crashed
0.6 | | | guest