40531 |
2021-10-16 13:33
.wininit.exe b007ee7994afb90b45e3fb23d0acc313 PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself |
5.4 |
M |
38 |
ZeroCERT
40532 |
2021-10-16 13:32
zool.exe 87cd2ddf31c62ed3219d2c559d4a9cb6 PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
9
http://www.mylori.net/ef6c/?8pM0A2eH=dYV4FvE4untOqhJUUHmMS4MiaT9y7jEiob7/fgenPq9yvClivGcNDxr/HcpFKVtE0DHzORm4&Cdxx=inCHmv0P http://www.stopmoshenik.online/ef6c/?8pM0A2eH=AItpU6mQCC6s81rj7necuGYpWrqi0PbHxxDMCTfv5nDjvQQMu+peq6WH+jA65E1HrZKOBeeG&Cdxx=inCHmv0P - rule_id: 5858 http://www.fis.photos/ef6c/?8pM0A2eH=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&Cdxx=inCHmv0P - rule_id: 5835 http://www.gaminghallarna.net/ef6c/?8pM0A2eH=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&Cdxx=inCHmv0P - rule_id: 5824 http://www.sensorypantry.com/ef6c/?8pM0A2eH=cw2PwNl+5NOQItrLnKllT2tGwrd+rdd5UTQlQyS8ptLSIxj973nGji9KRlDOdanBBwTAA2mM&Cdxx=inCHmv0P - rule_id: 5819 http://www.kinglot2499.com/ef6c/?8pM0A2eH=qvbt8KP2xJHnSv2agWrG6RDVV6/Qaw5OSzzUHxaBtBqMEVf61rcn+NRYzRRlOu08cWsbP+g5&Cdxx=inCHmv0P - rule_id: 5829 http://www.kidzgovroom.com/ef6c/?8pM0A2eH=tzJrmRJzv3aPTlM/CF6MHo9U8s5+ZqDCvPfiw0R1aW0dhX7KrJSn+QKF8yUKGl3PwVlYeY7t&Cdxx=inCHmv0P - rule_id: 5814 http://www.gicaredocs.com/ef6c/?8pM0A2eH=dQ8jXmGBocPwA167SrVCKSfe9kfjfwf5Y/UytJXCMDqauGkqvJ/2eQvfbvtaR0w7HyB9eXq/&Cdxx=inCHmv0P - rule_id: 5816 http://www.conquershirts.store/ef6c/?8pM0A2eH=95iB74+m3m1QSa2Yie21q98JT48wC3F76MvrX9tv4DSLixTQWiFMLp60PgPoHI6cr/owSd7w&Cdxx=inCHmv0P - rule_id: 5846
17
www.kinglot2499.com(34.102.136.180) www.conquershirts.store(195.110.124.133) - mailcious www.sensorypantry.com(34.102.136.180) www.dbe648.com() www.kidzgovroom.com(34.102.136.180) www.gaminghallarna.net(194.9.94.85) www.gicaredocs.com(208.91.197.27) www.mylori.net(103.8.25.68) www.fis.photos(192.0.78.25) www.stopmoshenik.online(194.58.112.174) 195.110.124.133 - mailcious 208.91.197.27 - mailcious 34.102.136.180 - mailcious 194.58.112.174 - mailcious 192.0.78.25 - mailcious 194.9.94.86 - mailcious 103.8.25.68 - mailcious
1
ET MALWARE FormBook CnC Checkin (GET)
8
http://www.stopmoshenik.online/ef6c/ http://www.fis.photos/ef6c/ http://www.gaminghallarna.net/ef6c/ http://www.sensorypantry.com/ef6c/ http://www.kinglot2499.com/ef6c/ http://www.kidzgovroom.com/ef6c/ http://www.gicaredocs.com/ef6c/ http://www.conquershirts.store/ef6c/
8.4 |
M |
41 |
ZeroCERT
40533 |
2021-10-16 13:29
vbc.exe 7ca5a6d622c55365fda10c9e9ba8ee88 NSIS Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware Phishing suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
24
http://www.petanimals2021.com/hr8n/ - rule_id: 6413 http://www.metroprocesservers.com/hr8n/ http://www.apnagas.com/hr8n/ - rule_id: 6332 http://www.suvsangebotguenstigdeorg.com/hr8n/?b6=0uz0Q17Sfx93I9QMDgfv2FcHKGK5h9rfNO4V9s+zrmjnR/7GYJXF1g44bJEkuz64Y6KiX6Qm&DbG=_DKdFj - rule_id: 6328 http://www.thirdize.com/hr8n/?b6=Qa3RkDOgafNf+melphWyZKlqUuAjhP8HGanOQow9UjkiPbTvHr8bFxEtMyTD6MWjfTHARvhq&DbG=_DKdFj http://www.sairafashions.xyz/hr8n/ - rule_id: 6330 http://www.topomappro.com/hr8n/ http://www.taschenhimmel.guru/hr8n/?b6=yJ4GO29XYUJ6kbG1GRGXThACvN8qU+BD3SVuKAwHCyV4JpEO0MjgfQHHB8RtU9GLUJB1g/bU&DbG=_DKdFj - rule_id: 6337 http://www.thirdize.com/hr8n/ http://www.petanimals2021.com/hr8n/?b6=dhF4+GHKKWXHWz/d5EmptZUO4Y6cQInERplAOomPQSCFdac6mXYK7VAXrARsxAd8fsGWtC6P&DbG=_DKdFj - rule_id: 6413 http://www.goddesslifecbd.com/hr8n/?b6=GtvkudhA78tbF3WvE4bBZvCKlYqS4/vnN8UfWC/v3gZk1BTClvfo2IF/GomLTAo7w3kyh1zp&DbG=_DKdFj - rule_id: 6414 http://www.srivijayalakshmitravels.com/hr8n/?b6=9v/nC4SFMBfI4hKsuOB7MiStXQc7RohZ6Texmz1ZCQXWBvTc6q6eeiQy5bzdZDXxPhAdejER&DbG=_DKdFj http://www.metroprocesservers.com/hr8n/?b6=icc3nfQfldM2yDnz3ARimeMTo44uwW9Ag7RC8nnojD1Z8vvluU+zwlSnkBHNfngv3DZkdM+B&DbG=_DKdFj http://www.srivijayalakshmitravels.com/hr8n/ http://www.pochi-owarai.com/hr8n/?b6=wgLDzEI7JM5HW3UGruAf3rNm8/j8NE+Zr86Wwng2vxqt30foW8WvIulUjY9BDwGT0AcSiOsT&DbG=_DKdFj - rule_id: 6329 http://www.suvsangebotguenstigdeorg.com/hr8n/ - rule_id: 6328 http://www.reals-markets-34.xyz/hr8n/?b6=JruannHobxWHEFJ95PsW3egWrPXikKWWzJJvQqVwFcQ4tWxJTo35fEXQkvPsOyc+Y9/rElxg&DbG=_DKdFj http://www.pochi-owarai.com/hr8n/ - rule_id: 6329 http://www.taschenhimmel.guru/hr8n/ - rule_id: 6337 http://www.reals-markets-34.xyz/hr8n/ http://www.goddesslifecbd.com/hr8n/ - rule_id: 6414 http://www.sairafashions.xyz/hr8n/?b6=eY7bowusc/bCtxQMT3E4oiaJBtnJA6QvJzKziTbvMWKe2c93ynfcfmr+9Oy8QuoOqX4wikEz&DbG=_DKdFj - rule_id: 6330 
http://www.apnagas.com/hr8n/?b6=pMGdtUWSDrqidj5eJ3dEayK/o6OFfDVrqiV5PnaA2tMYsbhRHtR8TpoDkey3LlwoIKw9ab9x&DbG=_DKdFj - rule_id: 6332 http://www.topomappro.com/hr8n/?b6=wiN28mWLGHEs9NOlV0zmk/4GYpeBqpVs+O1x9r8Kp44813DxbzeXSS8fzAR5x5rXvYyL3ygx&DbG=_DKdFj
24
www.suvsangebotguenstigdeorg.com(185.53.179.94) www.taschenhimmel.guru(34.102.136.180) www.metroprocesservers.com(34.102.136.180) www.pochi-owarai.com(118.27.122.218) www.tigerpay-partners.com() www.topomappro.com(101.100.203.40) www.goddesslifecbd.com(34.102.136.180) www.thirdize.com(206.188.193.204) www.sairafashions.xyz(103.148.14.203) www.petanimals2021.com(185.201.11.206) www.drfgr1.com() - mailcious www.reals-markets-34.xyz(185.156.72.15) www.apnagas.com(208.91.197.91) www.srivijayalakshmitravels.com(103.76.228.3) 185.53.179.94 - mailcious 101.100.203.40 - mailcious 185.156.72.15 34.102.136.180 - mailcious 185.201.11.206 - mailcious 103.76.228.3 206.188.193.204 103.148.14.203 - mailcious 208.91.197.91 - mailcious 118.27.122.218 - mailcious
3
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing ET HUNTING Request to .XYZ Domain with Minimal Headers
14
http://www.petanimals2021.com/hr8n/ http://www.apnagas.com/hr8n/ http://www.suvsangebotguenstigdeorg.com/hr8n/ http://www.sairafashions.xyz/hr8n/ http://www.taschenhimmel.guru/hr8n/ http://www.petanimals2021.com/hr8n/ http://www.goddesslifecbd.com/hr8n/ http://www.pochi-owarai.com/hr8n/ http://www.suvsangebotguenstigdeorg.com/hr8n/ http://www.pochi-owarai.com/hr8n/ http://www.taschenhimmel.guru/hr8n/ http://www.goddesslifecbd.com/hr8n/ http://www.sairafashions.xyz/hr8n/ http://www.apnagas.com/hr8n/
7.2 |
M |
23 |
ZeroCERT
40534 |
2021-10-16 13:29
vbc.exe cc92dedec89f09b08729784048f1060b Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed |
1
https://cdn.discordapp.com/attachments/893140719018074156/898293922470707280/Dkymiyhznmowgddxyesvhguburkkhid
2
cdn.discordapp.com(162.159.134.233) - malware 162.159.133.233 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 |
M |
34 |
ZeroCERT
40535 |
2021-10-16 13:26
file.exe c200e4d07007a35710e92d7dfceb0324 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
1.8 |
M |
28 |
ZeroCERT
40536 |
2021-10-16 13:26
Oxqfxohrjqryauuonybvsdergonzry... a8521386eacf0f858077249faa381763 Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName crashed |
3
https://ok0muq.by.files.1drv.com/y4mXn3SB0c_rGmgXxjbH3WmsppOibbL1oZlW_b9zNu1Rx8XhZjP5jfvuXh4_Qxkk7alRd6tzyqugEoIqRqia9VXhCi-qHc4nV1eEqqZYxL09QqabDodVVaeAjr9QKU4OcnvpEiaLJn_lNvvRk5nSRSglAUUEkH2uR3f2HucXpts-XB8ZMJS-8maqxetjB-Cp_5UTXnZqAhAKCsuyMmQrFYK3Q/Oxqfxohrjqryauuonybvsdergonzryw?download&psid=1 https://onedrive.live.com/download?cid=8CDD9A903CA2B7A1&resid=8CDD9A903CA2B7A1%21121&authkey=AE4pGuvsTEf3vdI https://ok0muq.by.files.1drv.com/y4mqHdWeQYGK5cbxmAzdiBSNTk4dffD-Ux0OULCWBTQdnmGloOWxVwE84xYkIhVD9KkYQ9lq_2wnzd0HMh6CgniFyiFiDaIpIHHYq1pIdhQtBjSorBL-s0HLwukMAbS0of6PmckxpqSsT_GI8ycKX1OiicltQgceZjhZoGLoNx40m0l0qTLluxGC1FTgeLgLPGO2srxxLy08oKJJMgx4wFpKA/Oxqfxohrjqryauuonybvsdergonzryw?download&psid=1
4
onedrive.live.com(13.107.42.13) - mailcious ok0muq.by.files.1drv.com(13.107.42.12) 13.107.42.13 - mailcious 13.107.42.12 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 |
M |
22 |
ZeroCERT
40537 |
2021-10-16 13:24
chrome.exe a6654b9757e5cecbd124a6d157c11ec0 RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Checks debugger buffers extracted unpack itself Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
4
apps.identrust.com(119.207.65.137) store2.gofile.io(31.14.69.10) - mailcious 31.14.69.10 - mailcious 23.59.72.9
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 |
M |
22 |
ZeroCERT
40538 |
2021-10-16 13:22
kv3.dll 5c76498485ac6534b1b1aa0d6d543762 Generic Malware Malicious Library UPX PE File PE32 DLL VirusTotal Malware |
1.8 |
M |
46 |
ZeroCERT
40539 |
2021-10-16 13:22
ole.exe 53e0ffb4bae3b44092706ccb01cf99f5 NSIS Malicious Library UPX PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://63.250.40.204/~wpdemo/file.php?search=719442
1
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2
11.2 |
M |
34 |
ZeroCERT
40540 |
2021-10-16 13:22
.lsass.exe f1d94fcc611053cd5162e70dc36fddfa RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself crashed |
2.4 |
M |
38 |
ZeroCERT
40541 |
2021-10-16 13:22
rundll32.exe 09c8e4c071be047a8e47bc7da2144a86 PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
16
http://www.yamacorp.digital/fqiq/?oPqLRL=M8EV+3ovsEMdktBkEix26icKR/EOtVSURZNfj8BEgByaWxyramv04i2EvFiTdonxleLcsdR4&Lv0h=ZVypVbS8c http://www.weeden.xyz/fqiq/ http://www.srofkansas.com/fqiq/ - rule_id: 6445 http://www.esyscoloradosprings.com/fqiq/ - rule_id: 6444 http://www.yamacorp.digital/fqiq/ http://www.4bellemaison.com/fqiq/ http://www.seal-brother.com/fqiq/?oPqLRL=mnFbYCr+AW78Kl2ulk1rPiA6Of2qOAThWlvrEIJbjMlKOtQ7tqTA3v+J7YK2FP1KSWelWkwc&Lv0h=ZVypVbS8c http://www.hanenosuke.com/fqiq/ http://www.sophiagunterman.art/fqiq/?oPqLRL=xr2hRkHSJ+UsXowxi6McaJRxgcInZTFjwe9eYARVx2PKFNYpXRh/IJY1HCqVtWxffV7QcJh9&Lv0h=ZVypVbS8c http://www.esyscoloradosprings.com/fqiq/?oPqLRL=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&Lv0h=ZVypVbS8c - rule_id: 6444 http://www.weeden.xyz/fqiq/?oPqLRL=USYLug/oA1YO3zHhBpyf49MelhMmknrjwB+F0T6I7p0aWr8Ic8GlSHHjxu6xNcH2bdjI/bcO&Lv0h=ZVypVbS8c http://www.4bellemaison.com/fqiq/?oPqLRL=pVy0te3+f5YTkdzZvZ2VLxiaenEFjhJOmtKP8w+eQDwc/hJpDlGml3GHPqPqoWWLi+7PNiIM&Lv0h=ZVypVbS8c http://www.sophiagunterman.art/fqiq/ http://www.srofkansas.com/fqiq/?oPqLRL=wFDpWBcybTtkZf6rJwxG8GxnrXCHdVwe5dpvC2P+G/35kvGl/Iz1QduPYt3eFaCRSD2mr4cI&Lv0h=ZVypVbS8c - rule_id: 6445 http://www.seal-brother.com/fqiq/ http://www.hanenosuke.com/fqiq/?oPqLRL=xeMdXENerBxjIMz2FKChqf1nt0cxl+Ge/IuoWLeYNAKPizmuJVRlAC2vXkQEDiA7tI/nE2A5&Lv0h=ZVypVbS8c
19
www.mountlaketerraceapartments.com() www.hanenosuke.com(104.21.96.28) www.sophiagunterman.art(34.225.31.148) www.4bellemaison.com(52.147.15.202) www.srofkansas.com(199.59.242.153) www.qywyfeo8.xyz() - mailcious www.yamacorp.digital(185.61.153.108) www.seal-brother.com(59.106.13.53) www.esyscoloradosprings.com(108.167.135.122) www.weeden.xyz(192.185.5.49) www.dmc--llc.com() 35.169.40.107 - mailcious 108.167.135.122 - mailcious 172.67.150.160 185.61.153.108 - phishing 52.147.15.202 - mailcious 192.185.5.49 199.59.242.153 - mailcious 59.106.13.53
3
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers SURICATA HTTP unable to match response to request
4
http://www.srofkansas.com/fqiq/ http://www.esyscoloradosprings.com/fqiq/ http://www.esyscoloradosprings.com/fqiq/ http://www.srofkansas.com/fqiq/
8.4 |
M |
17 |
ZeroCERT
40542 |
2021-10-16 13:20
csrss.exe b2fdec3c92a41a4e140b334184ef4e30 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
2.2 |
M |
47 |
ZeroCERT
40543 |
2021-10-16 13:12
TRAN31.exe c53015e5e1f2f0fd85f21e00b65f80e2 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Anti_VM Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
8.4 |
ZeroCERT
40544 |
2021-10-16 13:11
clipe.exe 2c55be40df541743683b7be0cdcd31bc RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
11.2 |
23 |
ZeroCERT
40545 |
2021-10-16 13:10
trend-1805140215.xls 0c9961a5d8c7ee6bda37f75d1a59e8d9 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
https://elcbd.net/QJ89y2Nztyh/alena.html
https://pmbtvonline.com/HHQxjY8UnnDR/ale.html
https://saftronics.co.za/WRpRfTpvJ/alen.html
6
saftronics.co.za(196.37.111.115)
pmbtvonline.com(192.185.227.95)
elcbd.net(209.222.97.206) 209.222.97.206
196.37.111.115 - mailcious
192.185.227.95 - malware
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.0 |
guest