38701 | 2021-11-05 10:50
v8hBqWuKscbjZRqNatPw.exe b5bd8dfef7366e06844f2b8595dd9910 | Generic Malware UPX PE File PE32 .NET EXE MachineGuid Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Windows ComputerName
URLs (1): http://fouratlinks.com/stockmerchandise/regular_punch_rec/zbqackY6g2W8AyNWZ8NJ.exe
Hosts (4): google.com(172.217.161.78) fouratlinks.com(199.192.17.247) 142.250.66.78 199.192.17.247
Alerts (1): ET POLICY PE EXE or DLL Windows file download HTTP
5.2 | ZeroCERT

38702 | 2021-11-05 10:47
udptest.exe f98dfeecf4e63cb4d768f41491cc9a0b | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself RCE
2.2 | 28 | ZeroCERT

38703 | 2021-11-05 10:45
vbc.exe 898badd240f8d99c109b1c8647eaa1f1 | PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1): http://bobreplace.xyz/five/fre.php
Hosts (2): bobreplace.xyz(172.67.216.6) 104.21.78.45
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
12.8 | 22 | ZeroCERT

38704 | 2021-11-05 10:45
r4XZt5MYHpEdcdmzqr2D.exe fffd2903ec20ac275330f9d1d36f991d | Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces ComputerName crashed
URLs: 1
Hosts (2): www.google.com(172.217.31.132) 172.217.174.196
4.6 | 44 | ZeroCERT

38705 | 2021-11-05 10:43
serwices.exe 486700627b68a06007dac77bd7efebb4 | [m] Generic Malware Themida Packer task schedule Anti_VM UPX AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare WriteConsoleW VMware anti-virtualization Windows ComputerName Firmware crashed
10.8 | 35 | ZeroCERT

38706 | 2021-11-05 10:43
watchdog.exe e0a50c60a85bfbb9ecf45bff0239aaa3 | PE File PE32 VirusTotal Malware Creates executable files WriteConsoleW Trojan
4.4 | 50 | ZeroCERT

38707 | 2021-11-05 09:46
index-294441975.xls 294c6091ed8f9b30fabca946bc2e48ee | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3): https://decinfo.com.br/s4hfZyv7NFEM/y9.html https://imprimija.com.br/BIt2Zlm3/y5.html https://stunningmax.com/JR3xNs7W7Wm1/y1.html
Hosts (6): imprimija.com.br(108.179.192.18) stunningmax.com(23.111.163.242) decinfo.com.br(108.179.193.34) 23.111.163.242 108.179.193.34 - mailcious 108.179.192.18
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
3.6 | guest

38708 | 2021-11-05 09:44
index-295687290.xls 4309aadc0b51d58084832e45cba1e1dd | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3): https://decinfo.com.br/s4hfZyv7NFEM/y9.html https://imprimija.com.br/BIt2Zlm3/y5.html https://stunningmax.com/JR3xNs7W7Wm1/y1.html
Hosts (6): imprimija.com.br(108.179.192.18) stunningmax.com(23.111.163.242) decinfo.com.br(108.179.193.34) 23.111.163.242 108.179.193.34 - mailcious 108.179.192.18
Alerts (4): ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | guest

38709 | 2021-11-05 09:43
vbc.exe d06c38d984a2f6e270ff39ece951c090 | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS
URLs (13): http://www.drproteaches.com/p0se/?Upth=woR5xm3tnDpzscA506QhcYxpqJNYYUoqwaxL1TBnwACXL4ehmoVy8YHXz+Srph4gv85KcD2/&S2Jl9T=JR-Ptri8rrtH http://www.bestexpecting.com/p0se/?Upth=aASfAAL76qMqqLN3P5FTu5qU9JswWMTr4/m2v90Be8FVcTL4yVaKxlDSmQkhSQbnDGJjdHVZ&S2Jl9T=JR-Ptri8rrtH http://www.islandrentals.biz/p0se/?Upth=swsh7jkH3Jayx1oBVzw679OGrX1puxEck2MRsug9EfA8sAUa4DViYtQbxqQy6tgBaEK34XmX&S2Jl9T=JR-Ptri8rrtH http://www.antelbd.com/p0se/?Upth=9erJsbmg89xRlz0M2UbGQGsoL3knU+btxwpJSlEvKwY//6Ro8ymG4cTM8A9G1IzAegjGNHN5&S2Jl9T=JR-Ptri8rrtH http://www.bailios.com/p0se/?Upth=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&S2Jl9T=JR-Ptri8rrtH http://www.discsoverylandco.com/p0se/?Upth=BteP4tPaBKGelLixwpfDlG/9A6mmS+0MA34DaBA3zGLeePe9IT5he11Epx4cASOQEPkGi3lZ&S2Jl9T=JR-Ptri8rrtH http://www.rapidfreecredit.com/p0se/?Upth=EgoGtPvOzMQIHn+MI9K9SlgAXJGJBFkzaqro+xII3Owtt3Khuq48OlyGMf8ozr+N8CoP+XHl&S2Jl9T=JR-Ptri8rrtH http://www.zzsline.com/p0se/?Upth=kthmE/oWyD4fjO8tHH8xHUIk2isBffkb9Kt5y5yO+PwFSvLgMBfFKRyBis2HAYR5aHyddc0l&p0D=AfhHLL9 http://www.attractivereviews.com/p0se/?Upth=ovk/jIrnGvNklwPKoDa/FgXcfy4LLp6cpdBpVVYi4PmHjc59s+hx7TQFj4PK4LVd8vVfURbY&S2Jl9T=JR-Ptri8rrtH http://www.officesetupofficesetup.com/p0se/?Upth=EYinZUgnnSwJyPV9oEessIoGQkE3PhJa69jO6sH1XRv94op+1srhHlr5FDeZOdoaC0vdviNL&S2Jl9T=JR-Ptri8rrtH http://www.oprimanumerodos.com/p0se/?Upth=xlYZ5X0oz3/WSnhnuO8VLYURni7dK5M/z3/1M5B1eWdqmk4yw0hlgYU/AWpZpglM84vVPpwr&S2Jl9T=JR-Ptri8rrtH http://www.puss888.com/p0se/?Upth=kikFeNiO3Wy3pwtISJcM7/vkxkaOrG97TwCy9kP35exs7OvQFm8ZXay1fTQTva1c0oVEPLTK&S2Jl9T=JR-Ptri8rrtH http://www.ss5312.com/p0se/?Upth=VXm5Q0G4kF4WmG3lTMiXsUIcZR7Z75QHUAb2U0i9WhY0TVcNQnEKdNZZrn4ryxNGGf72+MNM&S2Jl9T=JR-Ptri8rrtH
Hosts (33): www.zzsline.com(172.67.202.198) www.bestexpecting.com(23.227.38.74) www.bailios.com(154.23.202.51) www.officesetupofficesetup.com(23.27.138.15) www.mrteez.club() www.puss888.com(104.21.8.56) www.antelbd.com(103.148.14.203) www.drproteaches.com(162.241.253.114) www.oprimanumerodos.com(34.102.136.180) www.graylinkelectric.com() www.rapidfreecredit.com(162.241.218.178) www.ss5312.com(67.211.65.43) www.iscinet.com() www.serestovfleacollar.com() www.islandrentals.biz(199.34.228.77) www.discsoverylandco.com(166.88.19.180) www.attractivereviews.com(156.240.151.190) 199.34.228.77 156.240.151.190 166.88.19.180 - mailcious 104.21.8.56 23.27.138.15 172.67.202.198 34.102.136.180 - mailcious 172.67.207.136 162.241.218.178 172.67.196.11 67.211.65.43 154.23.202.51 23.227.38.74 - mailcious 162.241.253.114 104.21.79.9 103.148.14.203 - mailcious
Alerts (2): ET MALWARE FormBook CnC Checkin (GET) ET INFO Observed DNS Query to .biz TLD
7.8 | 20 | ZeroCERT

38710 | 2021-11-05 09:39
vbc.exe ab47f89cf986d9e52822873e0052e7d4 | Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed
URLs (3): https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636072606&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D92B2EF722ED2FA89%26resid%3D92B2EF722ED2FA89%2521117%26authkey%3DAL8-gdX92sl2g5g&lc=1033&id=250206&cbcxt=sky&cbcxt=sky https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636072608&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D92B2EF722ED2FA89%26resid%3D92B2EF722ED2FA89%2521117%26authkey%3DAL8-gdX92sl2g5g&lc=1033&id=250206&cbcxt=sky&cbcxt=sky https://onedrive.live.com/download?cid=92B2EF722ED2FA89&resid=92B2EF722ED2FA89%21117&authkey=AL8-gdX92sl2g5g
Hosts (4): login.live.com(40.126.35.128) onedrive.live.com(13.107.42.13) - mailcious 20.190.163.21 13.107.42.13 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | 14 | ZeroCERT

38711 | 2021-11-05 09:38
5334_1636030207_6453.exe d32aed7204ae5bf456dc9d1be2c53d9e | RAT NPKI Generic Malware Antivirus Malicious Library UPX AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE Malware download NetWireRC VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check DCRat Windows ComputerName RCE DNS crashed
URLs (1): http://188.120.229.34/VideoWindowsPubliccdn.php?sRDQhUYRR1VCUcrGCBiFGxvBMt=ecDOPH1A2PBmSX1uU&tzG=u5jbrt4fBDxy&205613df31fa591f289d7ad292addb55=a50fbbbb03ddd573b80cc9b782586cf0&0e143c60b49591bb229951313b175b9b=QNlJDNmNGNzAjYhZTZ1IzYxgzMwUDOxgzMkJ2M3UjMhJTM5AjZyQ2N&sRDQhUYRR1VCUcrGCBiFGxvBMt=ecDOPH1A2PBmSX1uU&tzG=u5jbrt4fBDxy
Hosts: 1
Alerts (1): ET MALWARE DCRAT Activity (GET)
9.8 | 38 | ZeroCERT

38712 | 2021-11-05 09:37
clp_wsfmvg.exe 82ec554886de723258094e5509e76556 | Emotet Gen1 RAT [m] Generic Malware Generic Malware task schedule Malicious Library UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE64 PE File PE32 .NET EXE VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder WriteConsoleW Tofsee Windows ComputerName RCE DNS Cryptographic key
URLs: 1
Hosts (3): www.google.com(172.217.31.132) 13.107.21.200 216.58.200.68
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | 17 | ZeroCERT

38713 | 2021-11-05 09:36
ethm2305.exe ee30d6928c9de84049aa055417cc767e | Gen2 Formbook Generic Malware UPX Malicious Library PE File PE32 OS Processor Check Malware download VirusTotal Malware suspicious privilege MachineGuid buffers extracted WMI Creates executable files AppData folder sandbox evasion WriteConsoleW Tofsee Windows ComputerName DNS Downloader
URLs (7): http://gohnot.com/2562df92c3d9c9beb09dc01eb070a473/watchdog.exe http://gohnot.com/2562df92c3d9c9beb09dc01eb070a473/app.exe https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=2Pm2Vvelc%2FXXsXHHrEQVGdDiMoG9Up%2Fh40ogPyGe258%3D&spr=https&se=2021-11-06T01%3A12%3A02Z&rscl=x-e2eid-78e1d25e-46f943f8-8b2efe25-8918ed54-session-68f8ad52-19854c9b-baaa55f8-d37302a2 https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=A2SslQnOkfZl7B73Oy527XkRzRFNQ6cU2E2aWTzZkRk%3D&spr=https&se=2021-11-06T00%3A35%3A45Z&rscl=x-e2eid-fddd96b9-73954362-b2baf06f-d24a2790-session-1a8e6819-f63b46e0-85093a15-61dda2aa https://msdl.microsoft.com/download/symbols/index2.txt https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
Hosts (18): vsblobprodscussu5shard10.blob.core.windows.net(20.150.39.196) e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com() server8.trumops.com(104.21.79.9) 267cfcc4-fcc9-4caa-b678-1330c01ab083.uuid.trumops.com() msdl.microsoft.com(204.79.197.219) trumops.com() vsblobprodscussu5shard58.blob.core.windows.net(13.84.56.16) runmodes.com(104.21.34.203) server14.trumops.com(172.67.139.144) gohnot.com(172.67.196.11) logs.trumops.com() 204.79.197.219 13.84.56.16 172.67.207.136 172.67.196.11 20.150.39.196 104.21.79.9 104.21.34.203
Alerts (7): ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET USER_AGENTS Go HTTP Client User-Agent ET INFO Request for EXE via GO HTTP Client ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | 45 | ZeroCERT

38714 | 2021-11-05 09:36
vbc.exe 39da7ab7a964862e9005e9e38d9c7568 | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts: 1
9.2 | 28 | ZeroCERT

38715 | 2021-11-05 09:34
nwamazx.exe 22f934036d8405eaf679a08f51babbec | RAT PWS .NET framework Gen1 Generic Malware UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Chrome Browser Email ComputerName Password
URLs (10): http://chrisupdated.xyz/2.jpg http://chrisupdated.xyz/main.php http://chrisupdated.xyz/ http://chrisupdated.xyz/7.jpg http://%s%s:49169/%s http://chrisupdated.xyz/5.jpg http://chrisupdated.xyz/3.jpg http://chrisupdated.xyz/1.jpg http://chrisupdated.xyz/6.jpg http://chrisupdated.xyz/4.jpg
Hosts (2): chrisupdated.xyz(172.67.185.197) 104.21.0.108
Alerts (7): ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt) ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
15.8 | 20 | ZeroCERT