Sandbox analysis listing, 2021-11-18. Each record gives the analysis ID, submission time and source; the file name and MD5; the sandbox's behaviour and classification tags; the URLs, hosts (name(IP), or a bare IP with the sandbox's reputation flag) and Suricata ET alerts observed, where any; and the score plus the VirusTotal figure where shown.

38656  2021-11-18 10:27  Source: Kim.GS
  File:  f59ovCcsI09zqD8KZ0o.dll  (MD5 bd63c91ebde9fde16b3ce1b890074baa)
  Tags:  PE File, PE32, DLL, VirusTotal, Malware
  Score: 1.0   VirusTotal: 15

38657  2021-11-18 10:25  Source: Kim.GS
  File:  f59ovCcsI09zqD8KZ0o.dll  (MD5 bd63c91ebde9fde16b3ce1b890074baa)  (second submission of the same sample as 38656)
  Tags:  PE File, PE32, DLL, VirusTotal, Malware
  Score: 1.0   VirusTotal: 15

38658  2021-11-18 10:04  Source: 블루
  File:  y76gkOkGrbYHjh.dll  (MD5 722f898d814e4d04ed7c41bde6760eff)
  Tags:  Emotet, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, Checks debugger, unpack itself, sandbox evasion, ComputerName
  Score: 2.0

38659  2021-11-18 08:43  Source: ZeroCERT
  File:  XUBS  (MD5 86a05c561153b2d3c796ce5162523c40)
  Tags:  Emotet, Malicious Library, UPX, PE File, OS Processor Check, PE32, DLL, Dridex, TrickBot, VirusTotal, Malware, Report, Checks debugger, unpack itself, sandbox evasion, Kovter, ComputerName, DNS
  Hosts (28):
    81.0.236.90, 195.154.133.20, 104.251.214.46, 138.185.72.26, 185.184.25.237, 103.75.201.2, 94.177.248.64, 176.104.106.96, 212.237.5.209, 207.38.84.195, 158.69.222.101, 51.68.175.8, 210.57.217.132, 178.79.147.66, 103.8.26.103, 103.8.26.102, 110.232.117.186, 45.142.114.231, 91.200.186.228, 216.158.226.206, 107.182.225.142, 66.42.55.5, 58.227.42.236, 212.237.56.116, 212.237.17.99, 45.118.135.203, 50.116.54.215, 191.252.196.221
  Alerts (5):
    ET INFO TLS Handshake Failure
    ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
    ET CNC Feodo Tracker Reported CnC Server group 8
    ET CNC Feodo Tracker Reported CnC Server group 13
    ET CNC Feodo Tracker Reported CnC Server group 18
  Score: 5.6   VirusTotal: 36

38660  2021-11-18 08:42  Source: ZeroCERT
  File:  emezx.exe  (MD5 476f7ccfae367d3a1379c260ca28b8d5)
  Tags:  RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, PE32, .NET EXE, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself
  URLs (3):
    http://www.amarabeautyusa.com/e5dn/?jFNHix=uIU+nU5Vgs1EY4BcJXImi/K0kvoxBW2+Ng39xbhDV2f5mkmk7Xhc9otXYXZ5SZ1+EqyU/DPs&Ppm=_0GDCjlXRtr4u
    http://www.vacationrentalsevl.com/e5dn/?jFNHix=e5+rFRN0xj3xAkWo1u3ce595ulJ85BFGM8+HO3ZHf7C9OoKGTh4OvkDrFg6Mb1zcsH5Dhoxq&Ppm=_0GDCjlXRtr4u
    http://www.rudolphsxmasdeco.com/e5dn/?jFNHix=RRZWsocGvQ06sUL2ZL1chxZMtMsFzt1qpW0i+rxBvsMwb9TW15FyBsPQ6HasC8GDlFXmJy77&Ppm=_0GDCjlXRtr4u
  Hosts (6):
    www.rudolphsxmasdeco.com (23.227.38.74), www.vacationrentalsevl.com (34.102.136.180), www.amarabeautyusa.com (34.117.168.233), 23.227.38.74 [malicious], 34.117.168.233, 34.102.136.180 [malicious]
  Alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  Score: 8.4   VirusTotal: 40

38661  2021-11-18 08:41  Source: ZeroCERT
  File:  vbc.exe  (MD5 cad43af39f983c31ad5579ea34a31457)
  Tags:  Malicious Library, UPX, PE File, PE32, OS Processor Check, DLL, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder
  URLs (14 listed, 10 unique; rule_id given where the listing matched one):
    http://www.seeklightandlogic.com/p0se/?AdhDQXr=v8eOpJ5pSZtRbrnsGw2QoU0Tcaab59HZDYF9JUKf6F2sNlVv9XFNl00F9pnyMp41hSNpW5ZC&pPU=EFQxUrRpC2Qh
    http://www.sarasotacountysolar.com/p0se/?AdhDQXr=OYXzUVkbQBn87X4UVLPoQM44BgjEbFTY849uuOiCiLBhqJKfoUJue64IIPZ3m3EV1TLdLQTt&pPU=EFQxUrRpC2Qh
    http://www.bailios.com/p0se/?AdhDQXr=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&pPU=EFQxUrRpC2Qh  (rule_id 7680)
    http://www.mgav67.xyz/p0se/?AdhDQXr=HYHuyWMWS1fgLIUv7k1a3h0sjyQ2H8/HDVflvgP37+tigXoTURpSGq5OVapW4G89DO8EvEpq&pPU=EFQxUrRpC2Qh
    http://www.trungtambtx.com/p0se/?AdhDQXr=EN+pW9frennecAWJgD6Rqtphsaf+/pY6cu4GooIXx/aM/sJfkFY0WH3Frw9ZmW1T0AAd/bHA&pPU=EFQxUrRpC2Qh
    http://www.graylinkelectric.com/p0se/?AdhDQXr=TJBl9Xef33zqqB/TYYZ5Zr06Zjo1jum6QYq+egGPBuXzqcA7sn5bcltUsvWL9smVZn+gpIyw&pPU=EFQxUrRpC2Qh
    http://www.teo-by.com/p0se/?AdhDQXr=FeJFAF+obH72CQbbPLarFy8KNhiLPhM71Jd9G4PYUxenhMp7DosU+Y1W6Wtf4fJWftA5N6Wd&pPU=EFQxUrRpC2Qh
    http://www.oprimanumerodos.com/p0se/?AdhDQXr=xlYZ5X0oz3/WSnhnuO8VLYURni7dK5M/z3/1M5B1eWdqmk4yw0hlgYU/AWpZpglM84vVPpwr&pPU=EFQxUrRpC2Qh  (rule_id 7683)
    http://www.bestexpecting.com/p0se/?AdhDQXr=aASfAAL76qMqqLN3P5FTu5qU9JswWMTr4/m2v90Be8FVcTL4yVaKxlDSmQkhSQbnDGJjdHVZ&pPU=EFQxUrRpC2Qh  (rule_id 7686)
    http://www.attractivereviews.com/p0se/?AdhDQXr=ovk/jIrnGvNklwPKoDa/FgXcfy4LLp6cpdBpVVYi4PmHjc59s+hx7TQFj4PK4LVd8vVfURbY&pPU=EFQxUrRpC2Qh  (rule_id 7685)
  Hosts (23):
    www.bestexpecting.com (23.227.38.74), www.bailios.com (154.23.202.51), www.seeklightandlogic.com (50.87.195.38), www.theleadersmanifesto.com (no IP), www.trungtambtx.com (103.90.234.17), www.sarasotacountysolar.com (34.102.136.180), www.mgav67.xyz (45.128.51.67), www.oprimanumerodos.com (34.102.136.180), www.graylinkelectric.com (194.195.211.26), www.iscinet.com (no IP), www.dhakhtarka.net (no IP), www.ethicalvibe.com (no IP), www.teo-by.com (185.104.45.81), www.attractivereviews.com (156.240.151.190), 185.104.45.81, 156.240.151.190, 50.87.195.38, 194.195.211.26, 103.90.234.17, 34.102.136.180 [malicious], 45.128.51.67, 154.23.202.51, 23.227.38.74 [malicious]
  Alerts (2):
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING Request to .XYZ Domain with Minimal Headers
  Matched URL rules (4):
    http://www.bailios.com/p0se/, http://www.oprimanumerodos.com/p0se/, http://www.bestexpecting.com/p0se/, http://www.attractivereviews.com/p0se/
  Score: 5.8   VirusTotal: 28

38662  2021-11-18 08:37  Source: ZeroCERT
  File:  at.exe  (MD5 0dcbd79d3ef702f1a33ae9fef6fdef06)
  Tags:  Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, PE32, .NET EXE, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, Windows, DNS
  Hosts: 1 (not listed)
  Score: 9.6   VirusTotal: 41

38663  2021-11-18 08:35  Source: ZeroCERT
  File:  vbc.exe  (MD5 b8ecacd6489899bdfa00948c3992ea92)
  Tags:  AgentTesla, RAT, PWS, .NET framework, browser info stealer, Generic Malware, Google Chrome User Data, Antivirus, Create Service, Socket, Code injection, Sniff Audio, KeyLogger, Escalate privileges, Downloader, AntiDebug, AntiVM, PE File, PE32, .NET EXE, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Checks Bios, Detects VirtualBox, suspicious process, WriteConsoleW, VMware, anti-virtualization, Windows, ComputerName, DNS, Cryptographic key, Software, keylogger
  Hosts: 1 (not listed)
  Score: 18.2   VirusTotal: 27

38664  2021-11-18 08:35  Source: ZeroCERT
  File:  8102_1637053425_3753.exe  (MD5 58e37acf9f2ad681a0fdb5470315ed4f)
  Tags:  RAT, PWS, .NET framework, Generic Malware, Antivirus, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Collect installed applications, powershell.exe wrote, suspicious process, WriteConsoleW, installed browsers check, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
  Hosts (2):
    www.toyotabacninhcn.com (no IP), 37.61.213.242
  Score: 12.6   VirusTotal: 29

38665  2021-11-18 08:34  Source: ZeroCERT
  File:  vbc.exe  (MD5 fae2478fe97d52d83a21c91e6148ed78)
  Tags:  PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, PE32, .NET EXE, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself
  URLs (6):
    http://www.tipsforgirldads.net/ns87/?Bb=7NICfTjg9rWe1IaBYb9bXd28etantL1LIkJBClyu8nD3vaLqLb05dLPrZfP3yJDwM8xDNNzd&uTg8S=yVCTVbEP
    http://www.mgav40.xyz/ns87/?Bb=wycJjFnDvylI43fv6KpMQc8rVvW+hcYGgppEjHLuLAW83I4mOtXO2XaQvmgK/rXSX/WXZ/Y7&uTg8S=yVCTVbEP
    http://www.rubberyslouka.xyz/ns87/?Bb=NKXuIeOboa3kyHogN1PTDFw2VYj7piDRZT9pD+V52F1teeXhnDfMjOGAyar8yFMCEMSAjEyj&uTg8S=yVCTVbEP
    http://www.autisticadhdcoach.com/ns87/?Bb=pdb8rjOdupMbq2TKayWDhmqgBnKYMtbDZp41HdONmP3ekDy02NHFIRkCsXK+XuSS+2VDDgrq&uTg8S=yVCTVbEP
    http://www.witwiam.com/ns87/?Bb=cAmFYN0ge4TVotu+W/aIFTDRmmuIrvuhQ/2IozNASOEeTJPEotvt0u2lEtqO6gckwEdsSuQ8&uTg8S=yVCTVbEP
    http://www.abovecover.net/ns87/?Bb=epheG0qfNnPIcCA0yk8T9X9Typ7ZoXx8B7X0V3Epq1wlVrE6BsEy9658vynLcoiPGHxPl+Pn&uTg8S=yVCTVbEP
  Hosts (15):
    www.abovecover.net (34.98.99.30), www.autisticadhdcoach.com (199.34.228.159), www.witwiam.com (34.102.136.180), www.mgav40.xyz (45.128.51.66), www.tipsforgirldads.net (208.91.197.27), www.rubberyslouka.xyz (198.54.117.216), www.toyotabacninhcn.com (no IP), www.mchaskell.com (88.214.207.96), 198.54.117.211 [phishing], 34.102.136.180 [malicious], 208.91.197.27 [malicious], 45.128.51.66, 88.214.207.96 [malicious], 34.98.99.30 [phishing], 199.34.228.159
  Alerts (2):
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING Request to .XYZ Domain with Minimal Headers
  Score: 10.4   VirusTotal: 43

38666  2021-11-18 08:33  Source: ZeroCERT
  File:  vbc.exe  (MD5 06451b346cd5a8c319f2ca34212ee91f)
  Tags:  PWS, Loki[b], Loki.m, RAT, .NET framework, Generic Malware, Socket, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, Software
  URLs (1):
    http://secure01-redirect.net/gb8/fre.php
  Hosts (2):
    secure01-redirect.net (193.109.78.71), 193.109.78.71
  Alerts (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  Score: 13.2   VirusTotal: 37

38667  2021-11-18 08:31  Source: ZeroCERT
  File:  .csrss.exe  (MD5 47bb87e13ffafcf6abbc5908a48c4d08)
  Tags:  PWS, Loki[b], Loki.m, RAT, .NET framework, Generic Malware, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, DNS, Software
  Hosts (1):
    63.250.40.204 [malicious]
  Score: 14.2   VirusTotal: 25

38668  2021-11-18 08:31  Source: ZeroCERT
  File:  jay.jpg  (MD5 bd5c3ee098497398ee0f1a08b37923e1)
  Tags:  RAT, PWS, .NET framework, Generic Malware, UPX, AntiDebug, AntiVM, PE File, PE32, .NET EXE, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself
  URLs (1):
    http://www.uslugi-email.site/jy0b/?jBZ4=HW3oe3dLfLkFpuABY1JtXYDCS2cfvkVkZm2Pi0bCKxVjKzZMsr5DahcmDzHoWriW5XKcS2cH&1bz=WXrtCbzPm
  Hosts (4):
    www.uslugi-email.site (172.67.149.22), www.expressdiagnostics.info (no IP), www.greendylife.com (no IP), 172.67.149.22
  Alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  Score: 8.4   VirusTotal: 50

38669  2021-11-18 08:30  Source: ZeroCERT
  File:  srfs.exe  (MD5 a32ab1ff2ec5f835b6456bb20a356e5e)
  Tags:  Gen1, Generic Malware, Themida Packer, Malicious Library, UPX, Malicious Packer, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, Checks Bios, Collect installed applications, Detects VirtualBox, Detects VMWare, VMware, anti-virtualization, installed browsers check, Windows, Browser, Email, ComputerName, Firmware, DNS, crashed
  URLs (8):
    http://45.95.235.77/softokn3.dll
    http://45.95.235.77/6LuciSfmJZ.php
    http://45.95.235.77/vcruntime140.dll
    http://45.95.235.77/msvcp140.dll
    http://45.95.235.77/freebl3.dll
    http://45.95.235.77/mozglue.dll
    http://45.95.235.77/sqlite3.dll
    http://45.95.235.77/nss3.dll
  Hosts: 1 (not listed)
  Alerts (3):
    ET INFO Dotted Quad Host DLL Request
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  Score: 12.2   VirusTotal: 36

38670  2021-11-18 08:29  Source: ZeroCERT
  File:  6111_1636987952_2658.exe  (MD5 56324b7b63d05f41ce9b5b02a1a284f2)
  Tags:  NPKI, AntiDebug, AntiVM, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Collect installed applications, installed browsers check, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
  Hosts: 1 (not listed)
  Score: 11.2
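Three of the FormBook records above (38660, 38661 and 38665) share C2 infrastructure: 34.102.136.180 resolves for a domain in each of them and 23.227.38.74 in two, while the first path segment of the check-in URL (e5dn, p0se, ns87) differs per sample. The script below is an added example, not part of the listing or of the sandbox's own tooling; it parses the Hosts fields in the grammar the listing uses (name(IP), bare IPs optionally followed by " - flag", an empty "()" for a name that did not resolve) and pivots IPs across analysis IDs. The sample fields are copied from those three records with the reputation flag spelled "malicious"; the assumption that the first URL path segment identifies one FormBook build is the analyst's, not something the listing states.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts fields copied from records 38660, 38661 and 38665 of the listing
# (constructed sample input; flag spelling normalised to "malicious").
HOST_FIELDS = {
    "38660": "www.rudolphsxmasdeco.com(23.227.38.74) www.vacationrentalsevl.com(34.102.136.180) "
             "www.amarabeautyusa.com(34.117.168.233) 23.227.38.74 - malicious 34.117.168.233 "
             "34.102.136.180 - malicious",
    "38661": "www.bestexpecting.com(23.227.38.74) www.bailios.com(154.23.202.51) "
             "www.seeklightandlogic.com(50.87.195.38) www.theleadersmanifesto.com() "
             "www.trungtambtx.com(103.90.234.17) www.sarasotacountysolar.com(34.102.136.180) "
             "www.mgav67.xyz(45.128.51.67) www.oprimanumerodos.com(34.102.136.180) "
             "www.graylinkelectric.com(194.195.211.26) www.iscinet.com() www.dhakhtarka.net() "
             "www.ethicalvibe.com() www.teo-by.com(185.104.45.81) "
             "www.attractivereviews.com(156.240.151.190) 185.104.45.81 156.240.151.190 "
             "50.87.195.38 194.195.211.26 103.90.234.17 34.102.136.180 - malicious 45.128.51.67 "
             "154.23.202.51 23.227.38.74 - malicious",
    "38665": "www.abovecover.net(34.98.99.30) www.autisticadhdcoach.com(199.34.228.159) "
             "www.witwiam.com(34.102.136.180) www.mgav40.xyz(45.128.51.66) "
             "www.tipsforgirldads.net(208.91.197.27) www.rubberyslouka.xyz(198.54.117.216) "
             "www.toyotabacninhcn.com() www.mchaskell.com(88.214.207.96) 198.54.117.211 - phishing "
             "34.102.136.180 - malicious 208.91.197.27 - malicious 45.128.51.66 "
             "88.214.207.96 - malicious 34.98.99.30 - phishing 199.34.228.159",
}

# One check-in URL per record, copied from the listing.
URL_SAMPLES = {
    "38660": "http://www.amarabeautyusa.com/e5dn/?jFNHix=uIU+nU5Vgs1EY4BcJXImi/K0kvoxBW2+Ng39xbhDV2f5mkmk7Xhc9otXYXZ5SZ1+EqyU/DPs&Ppm=_0GDCjlXRtr4u",
    "38661": "http://www.bailios.com/p0se/?AdhDQXr=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&pPU=EFQxUrRpC2Qh",
    "38665": "http://www.witwiam.com/ns87/?Bb=cAmFYN0ge4TVotu+W/aIFTDRmmuIrvuhQ/2IozNASOEeTJPEotvt0u2lEtqO6gckwEdsSuQ8&uTg8S=yVCTVbEP",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RESOLVED = re.compile(r"^([\w.-]+)\(([\d.]*)\)$")   # name(ip) or name()


def parse_hosts(field):
    """Split one Hosts field into {domain, ip, flag} records.

    name(ip) tokens give a resolution (ip None when the parens are empty);
    a bare IP may be followed by ' - <flag>' carrying the sandbox's label.
    """
    tokens = field.split()
    records, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        m = RESOLVED.match(tok)
        if m:
            name, ip = m.groups()
            records.append({"domain": name, "ip": ip or None, "flag": None})
        elif IPV4.match(tok):
            flag = None
            if i + 2 < len(tokens) and tokens[i + 1] == "-":
                flag = tokens[i + 2]
                i += 2                      # consume the '- flag' pair
            records.append({"domain": None, "ip": tok, "flag": flag})
        i += 1
    return records


def pivot_ips(host_fields):
    """Map every IP to the sorted list of analysis IDs it appears in."""
    seen = defaultdict(set)
    for entry_id, field in host_fields.items():
        for rec in parse_hosts(field):
            if rec["ip"]:
                seen[rec["ip"]].add(entry_id)
    return {ip: sorted(ids) for ip, ids in seen.items()}


def shared_ips(host_fields, min_entries=2):
    """IPs reused across at least min_entries analyses: the pivot points."""
    return {ip: ids for ip, ids in pivot_ips(host_fields).items() if len(ids) >= min_entries}


def campaign_path(url):
    """First path segment of a FormBook check-in URL ('e5dn' for .../e5dn/?...).

    Assumption (analyst's, not the listing's): this segment is constant across
    all C2 domains of one sample, so it groups URLs by build.
    """
    first = urlsplit(url).path.strip("/").split("/")[0]
    return first or None


def campaign_paths(url_samples):
    return {entry_id: campaign_path(u) for entry_id, u in url_samples.items()}


if __name__ == "__main__":
    for ip, ids in shared_ips(HOST_FIELDS).items():
        print(f"{ip} shared by {', '.join(ids)}")
    print(campaign_paths(URL_SAMPLES))
```

Running it reports 34.102.136.180 for all three records and 23.227.38.74 for 38660 and 38661; the two 45.128.51.x addresses (mgav40.xyz, mgav67.xyz) are adjacent but not identical, so they do not pivot on an exact-match key and would need a /24 rule if you wanted to group them.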