| 41386 |
2021-09-19 11:28
|
 xmrig.exe 4f5bbe6b657b6f5874e99baf62af5555
PE64 PE File VirusTotal Malware Checks Bios anti-virtualization crashed |
|
|
|
|
2.4 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41387 |
2021-09-19 11:28
|
 ZZZZZ.exe 2d42f56f58a4c19df022913160949c76
RAT Generic Malware Themida Packer Malicious Packer PE File PE32 OS Processor Check .NET EXE PE64 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key crashed |
5
http://62.109.1.30/triggers/vm_.php?V9JL2L5tBWjPnGs3XTcD6uK=68l9j&Dk8ljd7jBYa4EX9b4TcqyURjwkzCP4k=KBT9RBgP5yRDnCqwGfESh2LsTYz8o4&02a02393cf420479d23438ff09302b99=jNDZkFTN2EWO4ITZiFGZ0UWYlVGZyM2NmVGM4MzNzU2Y4QjNmhDNjBDMyEjM1ETNyIDN3MTM&65ab24948c084368808c084126a043f5=wMmhDNzQjYmZTYiRzNxMTOjVWY0I2NhZWN0MTO5MGNxgjMxgjY0EmY&0c2329b9f0dc4c64441b4dcf29994306=d1nIhRDM1cjNwYmYlJzYmV2MjVmYlVjNjZ2M5cTM4YTO0QDOxgDNyI2NkJiOigDN5kTNxYTM2EzM0YTNjVmMiR2MjN2YygDO3M2MhNWYiwiI0cTM2M2Y4EDM2YTZ5IzNmZTNiRWM5ETM4YGO4IjY0YDM0czMjJWM0IiOiYGNlBjNkJGOwkDZjhjZjVjNiVDO3kzM5ETYmBjMkRGOis3W&fc24c3366cf2f1612650240a4476fd9c=QX9JiI6ISYihjZiVzYmJWM1EWMmRjY1EjYmBzMlVTOzQDO3EjM1ICLiEGNwUzN2AjZiVmMjZWZzMWZiVWN2MmZzkzNxgjN5QDN4EDO0IjY3QmI6ICO0kTO1EjNxYTMzQjN1MWZyIGZzM2YjJDO4czYzE2YhJCLiQzNxYzYjhTMwYjNlljM3YmN1IGZxkTMxgjZ4gjMiRjNwQzNzMmYxQjI6IiZ0UGM2QmY4ATOkNGOmNWN2IWN4cTOzkTMhZGMyQGZ4Iyes0nI5EjbJpXMHlEerRVTp9maJRzZU5Uaa1WTw0kaZpmVX10MJJTT5F1RaJTRyk1aGpmTsJlMOxmUtpVaO1mTsJkeO1mUql1aKlXZ2k0UZBjRHJFMohlWpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dplkWKl2TpRzVhRnUXFles1WSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSzxWbkZkSp9UajVVUVp0QMlWUYF2QCNkTyEUaUxkQDJGa1IjYw50MjxmWyIWeCZUSzEUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ZHRWMGJjW1xmMjpHbXJmd4cVY1hTbaVHbHNGc5kHT20ESjBjUIFWavpWSsFzRahmVtNWa3lWSzZ1MixmTxwEasJzYCpUaPlWVtJmdwhlW0x2Rkl2dplkMnRVT6FkaJZTSDJGaSNzY2JkbJNXSTJmdOdlWzZ1RWdWRXpVe5IzUnllaONTU6VlQKl2TpNWbjZnSDxUaRR0TzsmaMJTSU10cBpmTyUlaMNTTqlkNJlXW2hXbJNXSpVFTKl2TptmbjBTNXRmdO1WSzl0QiFTOXpFVKl2TpRjMiBHZXpVeKNETpd3VkZnVyUVavpWS1IFWhpmSDxUaBRlT4RzQOpXRqxENBpWT1VleOhXSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWSq1EMOhlWwoUaPlWVXJGa1s2Ys5EWWl2dplERCZFT5lERWRlVFZVavpWSsFzVZ9kTFVVa3lWSzQzQOVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEmY4YmY1MmZiFTNhFjZ0IWNxImZwMTZ1kzM0gzNxITNiwiIkRmYxUzN0kDZhRWZlRzY2UWMyEWZ2IjMmJTYyYGMhJTM1gTOhNmNjJiOigDN5kTNxYTM2EzM0YTNjVmMiR2MjN2YygDO3M2MhNWYiwiI0cTM2M2Y4EDM2YTZ5IzNmZTNiRWM5ETM4YGO4IjY0YDM0czMjJWM0IiOiYGNlBjNkJGOwkDZjhjZjVjNiVDO3kzM5ETYmBjMkRGOis3W - rule_id: 3585
http://62.109.1.30/triggers/vm_.php?V9JL2L5tBWjPnGs3XTcD6uK=68l9j&Dk8ljd7jBYa4EX9b4TcqyURjwkzCP4k=KBT9RBgP5yRDnCqwGfESh2LsTYz8o4&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=QNkZTNzcDOwMWM5QGM4YzMyQmY2MGZmV2MmdDOjN2MiF2M5gDM2MGO&V9JL2L5tBWjPnGs3XTcD6uK=68l9j&Dk8ljd7jBYa4EX9b4TcqyURjwkzCP4k=KBT9RBgP5yRDnCqwGfESh2LsTYz8o4 - rule_id: 3585
http://176.31.32.198/VideoRecoderDriveMaster.exe
https://ipinfo.io/json
https://api.ipify.org/
|
6
ipinfo.io(34.117.59.81)
api.ipify.org(54.243.45.255)
50.16.239.65
176.31.32.198 - malware
62.109.1.30 - mailcious
34.117.59.81
|
8
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
2
http://62.109.1.30/triggers/vm_.php
http://62.109.1.30/triggers/vm_.php
|
12.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41388 |
2021-09-19 11:26
|
 System64.exe a2968300e88e5c7f392ea704e39ff9b4
Gen2 RAT Gen1 PWS .NET framework Generic Malware Malicious Packer Antivirus Malicious Library PE64 PE File OS Processor Check .NET EXE VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger unpack itself Auto service Windows ComputerName |
|
|
|
|
4.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41389 |
2021-09-19 11:20
|
 .svchost.exe a6288732dfc7779369a4712b345070fb
Generic Malware UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
1.8 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41390 |
2021-09-19 11:17
|
 xxxx1_2021-09-14_09-27.exe f343214355c07ba17b3726491847787a
Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41391 |
2021-09-19 11:15
|
 753.exe af3e98549b975158f54ef8b171182d50
Admin Tool (Sysinternals etc ...) Malicious Library UPX AntiDebug AntiVM PE File PE32 PE64 Malware download VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Creates executable files Windows utilities suspicious process WriteConsoleW Windows DNS Downloader |
1
http://185.215.113.84/etc.exe
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
8.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41392 |
2021-09-19 11:15
|
 kok.exe 2b0eb2dffd9788bfb9390e060f5e4bcc
PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
7.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41393 |
2021-09-19 11:00
|
 crock e74b2720eaf32bfc409eb52a3d5e937f
RAT Generic Malware Malicious Packer Antivirus PE64 PE File VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41394 |
2021-09-19 11:00
|
 CurrenyCalculatorInst.exe 63fe4796434aad20a0ccbb0944ea0f02
Themida Packer Generic Malware Malicious Library Anti_VM Antivirus UPX Admin Tool (Sysinternals etc ...) DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Dow Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW VMware anti-virtualization installed browsers check Tofsee Windows Exploit Browser ComputerName Firmware DNS Cryptographic key Software crashed |
5
http://secure.globalsign.com/cacert/root-r3.crt
https://installcb.online/40.exe
https://iplogger.org/favicon.ico
https://iplogger.org/1hEue7
https://api.ip.sb/geoip
|
12
secure.globalsign.com(104.18.20.226)
123456789009876()
api.ip.sb(104.26.12.31)
installcb.online(31.31.196.204)
iplogger.org(88.99.66.31) - mailcious
demner.site(80.66.87.32)
31.31.196.204 - mailcious
79.174.13.108
80.66.87.32
104.26.12.31
88.99.66.31 - mailcious
104.18.20.226
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
17.4 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41395 |
2021-09-19 10:59
|
 Tcx5xxXPl9GOucJ.exe 04ecb65ad3407b89abab206a1b921e5c
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed |
|
1
|
|
|
11.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41396 |
2021-09-19 10:58
|
 new.exe 0fa96c805292abfab6d01768050a0d3c
RAT Generic Malware UPX AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName RCE DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(104.26.12.31)
185.204.109.42
104.26.13.31
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41397 |
2021-09-19 10:58
|
 vbc.exe de8a80136d8b6c2002ba8473bda2a617
NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS |
26
http://www.id-ers.com/b6a4/
http://www.helpmovingandstorage.com/b6a4/?p0G=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&uFNl=XP7LsfJxpBQ
http://www.norfolkveggiebox.com/b6a4/
http://www.findingforeverrealty.com/b6a4/?p0G=PInLHBo1X2HDarmW4cmF2pBaWgvKn6miM8cLM6v9Qr8JSOd47ujhG3xH1L1lq6pkSFupWod4&uFNl=XP7LsfJxpBQ
http://www.findingforeverrealty.com/b6a4/
http://www.norfolkveggiebox.com/b6a4/?p0G=1/oriW/wBBMvnVsB6SWy9Yw+vFbi5sAE6aUu3YgJfO8ImsDD+rtOiN3CEmMRA2XQUKRL61LS&uFNl=XP7LsfJxpBQ
http://www.comprarmiaspiradora.com/b6a4/
http://www.cabalzi.com/b6a4/
http://www.rishitaprabhu.com/b6a4/
http://www.comprarmiaspiradora.com/b6a4/?p0G=NgL62OvvJT139jumkr6yKdEzBj23Q8ZPX7pdh2JMf40EvGh1dAmibAZdYhuMGcMjCZsKMW8b&uFNl=XP7LsfJxpBQ
http://www.asteroid.finance/b6a4/
http://www.e38.site/b6a4/?p0G=PYLlb9PqAnilyjTS8SDYyANzlEUh7Z5+yycE2LHFHltN8HlXGx/7Jd/QXNbEbwQsu4dLQl47&uFNl=XP7LsfJxpBQ
http://www.id-ers.com/b6a4/?p0G=uH6EfKcepLhoITy038beys+pLFYYfex5cK/VvJ23mqODSQImeIcr0rdBhl7AYUs9qsPgSB01&uFNl=XP7LsfJxpBQ
http://www.cabalzi.com/b6a4/?p0G=vCEfkciNsJLnQ6NTKgmnH0RKiXqKx4X1OsBfXMLmCHhcM6UjpXRp9mu9MO0KT8GS97XSNDdh&uFNl=XP7LsfJxpBQ
http://www.mygaybookcase.com/b6a4/?p0G=te2h0gcaE7p6i9wQxEk3TsaN/6gLiAYto4hyl6TRVV4kVjpqQnGMO7vaMYfNjjEPzzX2jHXy&uFNl=XP7LsfJxpBQ
http://www.helpmovingandstorage.com/b6a4/
http://www.breathlessandinlove.com/b6a4/?p0G=L3jTl+qjmOLob/hwsT1R5L1wPHeQgqAvmmPpKYZw/Tvlatm9T0OvxocvGkGBA0MAck/qyoGi&uFNl=XP7LsfJxpBQ
http://www.maximumsale.com/b6a4/?p0G=jUXSBmmEOkRVD/snHUZVGd++nKvIB5C3Qlbp0N4c/DnjLwT5QCEf4v32ZuriMDGEoBVryIv8&uFNl=XP7LsfJxpBQ
http://www.e38.site/b6a4/
http://www.banban365.net/b6a4/
http://www.rishitaprabhu.com/b6a4/?p0G=mXEWyNYhUxX28+1G/UM2VRAPihtF3WypxWTWJzN08wDEoA83vp8VPi/S1EIUDaTCIrurvPIx&uFNl=XP7LsfJxpBQ
http://www.asteroid.finance/b6a4/?p0G=qLtgNToSswb6CMFxrgf7fmc+nXqwhZnGR9zX0c9pvpxyA4sUtmU5qGoaAQCzoAft52FbUOHw&uFNl=XP7LsfJxpBQ
http://www.breathlessandinlove.com/b6a4/
http://www.banban365.net/b6a4/?p0G=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&uFNl=XP7LsfJxpBQ
http://www.maximumsale.com/b6a4/
http://www.mygaybookcase.com/b6a4/
|
28
www.comprarmiaspiradora.com(91.195.240.13)
www.e38.site(18.215.128.143)
www.cabalzi.com(34.98.99.30)
www.meetheveganz.com()
www.banban365.net(34.98.99.30)
www.findingforeverrealty.com(52.71.133.130)
www.helpmovingandstorage.com(209.15.40.102)
www.norfolkveggiebox.com(94.136.40.51)
www.asteroid.finance(198.54.117.210)
www.maximumsale.com(3.223.115.185)
www.rishitaprabhu.com(31.170.161.30)
www.erinkiauq.icu()
www.mygaybookcase.com(172.217.25.83)
www.breathlessandinlove.com(172.67.155.190)
www.id-ers.com(34.102.136.180)
104.21.48.37 - malware
142.250.204.147
94.136.40.51 - mailcious
91.195.240.13 - phishing
198.54.117.212 - mailcious
34.102.136.180 - mailcious
52.71.133.130 - mailcious
31.170.161.30
209.15.40.102
18.213.250.117 - mailcious
104.21.40.174
3.223.115.185 - mailcious
34.98.99.30 - phishing
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET INFO DNS Query for Suspicious .icu Domain
|
|
5.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41398 |
2021-09-19 10:56
|
 vbc.exe 66ce1420280eceebeab924165f28b7bb
PWS .NET framework Gen2 Emotet Gen1 Generic Malware NSIS Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) ASPack Anti_VM KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process AppData folder WriteConsoleW VMware anti-virtualization installed browsers check Windows Browser ComputerName DNS Software |
|
1
|
|
|
16.2 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41399 |
2021-09-19 10:55
|
 n.wbk f001c279ed34264cd5bd0acf4987cec1
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
|
3
107.180.56.180 - malware
172.67.176.114 - malware
198.46.199.171 - malware
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41400 |
2021-09-19 10:53
|
 terrin.exe 4bcdcb852861a9d7f40a26bc825882b2
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|