| 40576 |
2021-10-15 13:51
|
 DOCS-93897-2021-2975GJ53.scr 8575cb6fc0f2e03e427b847b8bf734a9
Generic Malware UPX DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS |
|
1
|
|
|
15.2 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40577 |
2021-10-15 13:50
|
 ARRIVAL NOTICE A AND B GLOBAL ... 8575cb6fc0f2e03e427b847b8bf734a9
Generic Malware UPX DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS |
|
1
|
|
|
15.2 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40578 |
2021-10-15 10:31
|
 goshcj.exe d1baa9515f4c67a7b561938bbd81bc75
RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
|
|
|
|
8.8 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40579 |
2021-10-15 10:30
|
 vbc.exe 609915e8865871b0b131450d661a0ccb
Gorgon Group Generic Malware UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself RCE |
|
|
|
|
2.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40580 |
2021-10-15 10:29
|
 vbc.exe ab5135e71815ad27daf57be78754c85d
Gorgon Group Generic Malware UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself RCE |
|
|
|
|
2.2 |
M |
34 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40581 |
2021-10-15 10:27
|
 vbc.exe 025eaccfdecb9df000e526122ce84aa2
Gorgon Group Generic Malware UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself RCE |
|
|
|
|
2.6 |
M |
31 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40582 |
2021-10-15 10:22
|
 1562391525.exe 604b759172262363118ab37833ca63bb
Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware unpack itself Windows utilities WriteConsoleW Windows ComputerName |
|
|
|
|
3.0 |
M |
30 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40583 |
2021-10-15 10:17
|
 1562391525.exe 604b759172262363118ab37833ca63bb
PE File PE32 VirusTotal Malware unpack itself Windows utilities WriteConsoleW Windows ComputerName |
|
|
|
|
3.0 |
M |
30 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40584 |
2021-10-15 10:10
|
 Kofi.exe 4e956950a9aea405936b0ba0653138ef
RAT PWS .NET framework BitCoin email stealer Generic Malware DNS SMTP Code injection KeyLogger ScreenShot Steal credential AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs AntiVM_Disk IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName Cryptographic key keylogger |
3
http://whatismyipaddress.com/
https://cdn.discordapp.com/attachments/893177342426509335/898153500754722827/761CEF3D.jpg
https://cdn.discordapp.com/attachments/893177342426509335/898153497281843220/34E198FA.jpg
|
6
cdn.discordapp.com(162.159.129.233) - malware
whatismyipaddress.com(104.16.155.36)
mail.kofimade.com(212.1.210.54)
212.1.210.54
162.159.135.233 - malware
104.16.155.36
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
15.0 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40585 |
2021-10-15 10:10
|
 @haiz_install.exe 7ae610290258f93dead5795ad70c793d
RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI ICMP traffic unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Windows Browser ComputerName DNS Cryptographic key crashed |
2
http://ne.komaiasowu.ru/
http://65.21.105.85/barell.exe
|
4
ne.komaiasowu.ru(81.177.141.85)
81.177.141.85 - mailcious
65.21.105.85 - malware
5.61.61.168
|
1
ET INFO Executable Download from dotted-quad Host
|
|
14.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40586 |
2021-10-15 10:05
|
 nwaba.exe 3567206f02eac9b9b004bf8f7ffad7a2
RAT BitCoin email stealer Generic Malware Malicious Library DNS SMTP Code injection KeyLogger ScreenShot Steal credential AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs AntiVM_Disk IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName Cryptographic key keylogger |
4
http://whatismyipaddress.com/
https://cdn.discordapp.com/attachments/893177342426509335/898153339576021032/1C84D56B.jpg
https://cdn.discordapp.com/attachments/893177342426509335/898153343401226240/FBC84B57.jpg
https://cdn.discordapp.com/attachments/893177342426509335/898153341647982662/F33830EF.jpg
|
6
mail.abagoodluck.com(212.1.210.54)
whatismyipaddress.com(104.16.154.36)
cdn.discordapp.com(162.159.133.233) - malware
212.1.210.54
162.159.135.233 - malware
104.16.155.36
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
15.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40587 |
2021-10-15 10:01
|
 vbc.exe ab5135e71815ad27daf57be78754c85d
UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself RCE |
|
|
|
|
2.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40588 |
2021-10-15 10:00
|
 Dpo.exe 19b40e11d12dc217a5fb301437c0d7f7
RAT PWS .NET framework email stealer BitCoin Generic Malware Malicious Library ScreenShot Steal credential DNS SMTP Code injection KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs AntiVM_Disk IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key keylogger |
3
http://whatismyipaddress.com/
https://cdn.discordapp.com/attachments/893177342426509335/898167236617981952/898D6AF5.jpg
https://cdn.discordapp.com/attachments/893177342426509335/898167239608504340/29015685.jpg
|
7
mail.abagoodluck.com(212.1.210.54)
whatismyipaddress.com(104.16.155.36)
cdn.discordapp.com(162.159.130.233) - malware
185.140.53.199
104.16.154.36
162.159.129.233 - malware
212.1.210.54
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
15.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40589 |
2021-10-15 09:58
|
 cssrss1.exe 1bd356bd20a2de1c53bc28104ee97d18
RAT email stealer Generic Malware ASPack UPX Malicious Packer Malicious Library Antivirus Socket DNS Code injection KeyLogger Escalate priviledges Downloader persistence AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://cdn.discordapp.com/attachments/893177342426509335/895715142967365722/D8AFFD45.jpg
https://cdn.discordapp.com/attachments/893177342426509335/895715141033811978/31016DA7.jpg
|
3
cdn.discordapp.com(162.159.134.233) - malware
185.140.53.199
162.159.129.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40590 |
2021-10-15 09:58
|
 vbc.exe da7b4c213039524dd2cd661cb20e62ae
PWS .NET framework Gen2 Emotet Gen1 Generic Malware NSIS Malicious Library UPX ASPack Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check FormBook Malware download VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself AppData folder installed browsers check Windows Browser DNS |
14
http://www.tongtongticket.com/bntn/
http://www.paramustowing.com/bntn/
http://www.xn--299akkrtr22f.com/bntn/
http://www.willpowerleggings.com/bntn/?jBZ4=O+Z4LQPQMzYbpWLT3n0a9n7LtLYJPcJESV/d+o2qxkdmboFsYtVgbm2hYoZiQsujkqIXV11z&P0D=kFQ0DXAxEZATHl
http://www.willpowerleggings.com/bntn/
http://www.tongtongticket.com/bntn/?jBZ4=ne/6WiBYUUUYQtT3BG3QSc8o6g/z53bI83kA9iocdDFA9OjsJRvH1C2xfRGKXih8pzuXfb+c&P0D=kFQ0DXAxEZATHl
http://www.empyrealgrowva.com/bntn/
http://www.9veronicaavenue.com/bntn/
http://www.frayahanson.com/bntn/?jBZ4=oFO9RmlSl++/v1YDeSY3mProiyQgi2+hlMkg7b4/PLGp1WpF3yb5DGOQUG8BL3f9IcGrhQt0&P0D=kFQ0DXAxEZATHl
http://www.9veronicaavenue.com/bntn/?jBZ4=kSOzIuOqf33icb7jL3P6+lFIMnyjwDTENnNLAiqlHmACuDUj5PbuHRXtUmX7xoWaH4Ofc9nZ&P0D=kFQ0DXAxEZATHl
http://www.paramustowing.com/bntn/?jBZ4=Zmfw4Esej640264nBF8rRgm9yb3Ifbhj/DSE9epy9UGl8RSLepUQfgEIh5a3fktibnFgotl4&P0D=kFQ0DXAxEZATHl
http://www.xn--299akkrtr22f.com/bntn/?jBZ4=kgkGF9Ysfd8zYCE+QJErmgVuQlgymn5hReCN8pGF7TzUt2dFl2/L26qKOsVtiPdmfnb0j80y&P0D=kFQ0DXAxEZATHl
http://www.frayahanson.com/bntn/
http://www.empyrealgrowva.com/bntn/?jBZ4=Au27EvwJrp50AVYHCUDqIIfox0HKUlVAbeEX7KAUxjtVY392IdfHlm/4EUWeS5gsUs7MiyW6&P0D=kFQ0DXAxEZATHl
|
18
www.71zkck.biz()
www.paramustowing.com(88.214.207.96)
www.9veronicaavenue.com(52.147.15.202)
www.tongtongticket.com(114.31.52.67)
www.frayahanson.com(66.96.162.137)
www.shristientreprise.com()
www.xn--299akkrtr22f.com(121.254.178.253)
www.empyrealgrowva.com(198.187.31.100)
www.eclipsegl.com()
www.bakermckenzieny.com()
www.willpowerleggings.com(23.227.38.74)
114.31.52.67
52.147.15.202 - mailcious
121.254.178.253 - mailcious
88.214.207.96 - mailcious
66.96.162.137
23.227.38.74 - mailcious
198.187.31.100
|
2
ET INFO Observed DNS Query to .biz TLD
ET MALWARE FormBook CnC Checkin (GET)
|
|
11.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|