40591 | 2021-10-15 09:55
CHILESKY.exe | 2838a508700df0b9ae80674c2f42ef4b
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
1.4 | 6 | ZeroCERT

40592 | 2021-10-15 09:55
vbc.exe | f11ebc7e0b269ee17f61f7a4ab4ce9ec
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware
1.0 | M | 14 | ZeroCERT

40593 | 2021-10-15 09:53
h_online.exe | 2bfef42ea03e4fbb32243da6cb861205
Tags: PWS Loki[b] Loki.m .NET framework NPKI Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox malicious URLs AntiVM_Disk VMware anti-virtualization VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
Hosts/IPs (1):
136.243.159.53 - mailcious
16.4 | M | 42 | ZeroCERT

40594 | 2021-10-15 09:53
vbc.exe | e1ece154e7d217115851bb74b8b79e24
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) Antivirus SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows Browser Email ComputerName Cryptographic key Software crashed
13.6 | M | 27 | ZeroCERT

40595 | 2021-10-15 09:51
vbc.exe | 81ecab9fa2aa18c3d5dc61e9b2bebb7b
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (6):
http://www.appliancestar.xyz/wogm/?FTjlCFf=CZa7IhhKqH+i67SZ8DlxL7SD9/c86vP1pUqMFjpE9JLrEijbe5cqjfJtalcieGMffdwsnkHJ&vR-h8=khOtRrQxX4YlEtU http://www.truenettnpasumo2.xyz/wogm/?FTjlCFf=++H91393A+kX/y57heqir4yoHK/0wF8hbhB6ZkZ2FevYLBcUz29qdFfIsbl4hf6qK5sS70Fr&vR-h8=khOtRrQxX4YlEtU http://www.cvkf.email/wogm/?FTjlCFf=sRTLAMGyy4X7UY05DVBPxGqu9GiCi5X1NGTsSugbG85T5MJdD4skDqvEhNnlyFyuRx/UAW/w&vR-h8=khOtRrQxX4YlEtU http://www.santamariamoto.express/wogm/?FTjlCFf=XFl2HGFZDbM3ilnNSLCKR55vAZz9/GlrmlrmLStPz+t/Cfryq2xL+Ou2JEuSZKfyQZPLJhwt&vR-h8=khOtRrQxX4YlEtU http://www.javaportal.info/wogm/?FTjlCFf=lSKsitiyws6CV1iMLxhrahVtvrIwWCHcUDACNSJ1QCT90EZMnOuQMhpHp/9WWeYlZFWK0aAa&vR-h8=khOtRrQxX4YlEtU http://www.porchlightwoodworks.com/wogm/?FTjlCFf=hTlYLujhLIBfNhXKle4Ne5c9nbuG2ANBn8MRHjr/JSY/AGMyu0tlASlL1mMShb9c7W3t9T0r&vR-h8=khOtRrQxX4YlEtU
Hosts/IPs (15):
www.truenettnpasumo2.xyz(150.95.255.38) www.cvkf.email(217.160.0.253) www.javaportal.info(217.70.184.50) www.goodspaz.com() www.porchlightwoodworks.com(23.229.175.71) www.appliancestar.xyz(104.21.85.225) www.santamariamoto.express(185.27.134.221) www.hypermediastore.com() www.884651.com() 185.27.134.221 150.95.255.38 - mailcious 217.160.0.253 23.229.175.71 - malware 217.70.184.50 - mailcious 172.67.211.221 - phishing
IDS alerts (2):
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
7.8 | M | 16 | ZeroCERT

40596 | 2021-10-15 09:50
1st0build.exe | fa36788c0488fe6f660e5ea1e9ca277a
Tags: RAT PWS .NET framework Generic Malware ASPack Malicious Packer UPX Malicious Library Antivirus AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (4):
http://apps.identrust.com/roots/dstrootcax3.p7c https://cdn.discordapp.com/attachments/893177342426509335/897835449870090250/D3E31C82.jpg https://b.ckauni.ru/ https://cdn.discordapp.com/attachments/893177342426509335/897835452164366366/FBFC4F80.jpg
Hosts/IPs (7):
apps.identrust.com(119.207.65.153) b.ckauni.ru(81.177.141.85) cdn.discordapp.com(162.159.130.233) - malware 212.193.30.193 81.177.141.85 - mailcious 162.159.129.233 - malware 182.162.106.26
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
18.2 | M | 38 | ZeroCERT

40597 | 2021-10-15 09:49
PrimeAuth.exe | 6e88324fa975a177ec1aae3a7e9cbf0c
Tags: RAT PWS .NET framework Generic Malware UPX Malicious Library PE File PE32 OS Processor Check .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
2.0 | M | 47 | ZeroCERT

40598 | 2021-10-15 09:46
vbc.exe | 09a2d9ea4a18f01aff698b8cfc98a87e
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware DNS
Hosts/IPs (1)
1.6 | M | 14 | ZeroCERT

40599 | 2021-10-15 09:46
vbc.exe | 025eaccfdecb9df000e526122ce84aa2
Tags: UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself RCE DNS
Hosts/IPs (1)
3.2 | M | 31 | ZeroCERT

40600 | 2021-10-15 09:44
aeopmguywjffmigwnfbefrvgqg.exe | 8d81b074c6351ef6cb801ddbc24d4354
Tags: PWS Loki[b] Loki.m Generic Malware task schedule Antivirus DNS KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder WriteConsoleW IP Check Windows ComputerName DNS Cryptographic key DDNS crashed
URLs (1)
Hosts/IPs (6):
sommerishere.sytes.net(194.5.98.99) - mailcious mommerishere.sytes.net(154.118.104.87) ip-api.com(208.95.112.1) 154.118.104.87 194.5.98.99 208.95.112.1
IDS alerts (1):
ET POLICY External IP Lookup ip-api.com
14.8 | M | 31 | ZeroCERT

40601 | 2021-10-15 09:44
vbc.exe | 215e5cc2650d15c79ab17bd24e8458b9
Tags: UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself RCE
2.4 | M | 29 | ZeroCERT

40602 | 2021-10-15 09:42
vbc.exe | 607afbfc6f90d724bd7014ca4ab30be5
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (20):
http://www.yourhomestimate.com/wogm/?jDKP8=OiSf9jV3Npz/RZJgbb0bKL9e2athsvXRQV6jCPdiTUSk124+vr4+cLKhD6dZYTypWjoW5Nc5&8p3=IbtHbD http://www.eygtogel021.com/wogm/ http://www.pokipass-niigata.com/wogm/ http://www.muescabynes.quest/wogm/ http://www.muescabynes.quest/wogm/?jDKP8=Cp2YzvgLUfohnHjhVFBNosoQ2J5qGB8UGxOLTRa7K8nkaGFbF9DyFpQO+4Qxvwo23h3ZSf7z&8p3=IbtHbD http://www.workospbit.space/wogm/ http://www.pokipass-niigata.com/wogm/?jDKP8=5JB5Sfq0uItgtJtC5HDt9qd+awyibUOSqveCkor2hMTAiAHHLxQY8a2Rwp3Q+p3+yguzgVgy&8p3=IbtHbD http://www.workospbit.space/wogm/?jDKP8=tAL4F5NLH4VmvVC1AGtDqpAVgb8tD+i+qrKuhbccqAXskllAguOxxUH0apD5Y6EEQuKJRsNk&8p3=IbtHbD http://www.insightmyhome.com/wogm/?jDKP8=85BUmEEX/LdX7Ydf+9I0bWyJhbr74kbGW+J4EcMhGlvjV6F5mj5NWVmgik83SynmBl96r7SB&8p3=IbtHbD http://www.straetah.com/wogm/ http://www.weeklywars.com/wogm/ http://www.sinagropuree.com/wogm/ http://www.weeklywars.com/wogm/?jDKP8=4vPo1SJ4QXujYzlw76fQXs7HvlTQbV0+0txMnGRghQaMN633jA6UZgSWswdwEnRAOgPWuZC1&8p3=IbtHbD http://www.blessedfurnitures.com/wogm/ http://www.insightmyhome.com/wogm/ http://www.blessedfurnitures.com/wogm/?jDKP8=zV6Dv0kcLx7IGnnwhXAN0xDRsIYVVts8P2q2S3hOBQp88DOpKfnLZ8aifiCKR08hOFrs3RzE&8p3=IbtHbD http://www.eygtogel021.com/wogm/?jDKP8=OLfsUZOZM89huaQ2Rhq4Iq6vg35ZMytgB5JTmZSEOAiHvxtp6AgRBdz2Ob59YcBboWHm0lh9&8p3=IbtHbD http://www.sinagropuree.com/wogm/?jDKP8=nwMgSNojV35EyJ9hphk06is8J3BDs4E1a66hewTnIuP7M3cS+zLeGjThioYS1Y8r0L7sYBrx&8p3=IbtHbD http://www.straetah.com/wogm/?jDKP8=VugJ8iGiQbMyEpiZcguIhpak7udmJ3C00wBMtiXi6+Au/rTbCR/obkne6QZn8sjGYaJfXaMw&8p3=IbtHbD http://www.yourhomestimate.com/wogm/
Hosts/IPs (21):
www.workospbit.space(185.215.4.14) www.yourhomestimate.com(198.54.117.244) www.straetah.com(104.18.26.58) www.pokipass-niigata.com(183.181.96.120) www.blessedfurnitures.com(104.21.9.160) www.eygtogel021.com(172.67.200.237) www.chantaldesign.space() www.sinagropuree.com(154.23.109.132) www.insightmyhome.com(5.79.70.98) www.weeklywars.com(34.102.136.180) www.muescabynes.quest(37.123.118.150) 37.123.118.150 - mailcious 183.181.96.120 172.67.200.237 - mailcious 154.23.109.132 34.102.136.180 - mailcious 198.54.117.244 - phishing 185.215.4.14 5.79.70.98 104.21.9.160 104.18.26.58
IDS alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
8.2 | M | 18 | ZeroCERT

40603 | 2021-10-15 09:41
vbc.exe | 10397feb14b5e8aad2b1e8fd3686763c
Tags: UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself RCE
2.4 | M | 37 | ZeroCERT

40604 | 2021-10-15 09:41
LS.exe | 50bc873b8e08fdc5832350f377a1b5a7
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Windows crashed
4.0 | M | 43 | ZeroCERT

40605 | 2021-10-15 09:40
me.exe | 8cbc2f3f7e55f6d8a1e28816d9621d0a
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Disables Windows Security Check virtual network interfaces WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts/IPs (4):
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.70) 193.122.6.168 172.67.188.154
IDS alerts (3):
ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | M | 24 | ZeroCERT