41401 | 2021-09-19 10:53 | templezx.exe | MD5 fbc43fdfa54c1ed1a41f4618d695e784
Tags: PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (6):
  freegeoip.app (172.67.188.154)
  mail.alliedhealthga.com (107.180.56.180)
  checkip.dyndns.org (193.122.6.168)
  107.180.56.180 [malware]
  158.101.44.242
  104.21.19.200
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
Score: 13.4 | M | Submitter: ZeroCERT

41402 | 2021-09-19 10:52 | vbc.exe | MD5 2a59d2396654692dc87a81df7554b608
Tags: Malicious Library, PE File, OS Processor Check, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, unpack itself, RCE, DNS
URLs (12):
  http://www.mengzhanxy.com/b6a4/?pPc=FByqb+2LlROyngocgFCFAn+MKYV18123uhBB1I43VWvlV2IxG8Ov3otlIU6bOU/X6zRPLChJ&1b=W6RpsLRPH
  http://www.helpmovingandstorage.com/b6a4/?pPc=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&1b=W6RpsLRPH
  http://www.recargasasec.com/b6a4/?pPc=c8NarzWcEtsFm58gGwju3yDcr3OowVkzeYD4dTid6NZJZ29ZkeD+uwofnAuE7UyUZFTxuq8g&1b=W6RpsLRPH
  http://www.asteroid.finance/b6a4/?pPc=qLtgNToSswb6CMFxrgf7fmc+nXqwhZnGR9zX0c9pvpxyA4sUtmU5qGoaAQCzoAft52FbUOHw&1b=W6RpsLRPH
  http://www.comprarmiaspiradora.com/b6a4/?pPc=NgL62OvvJT139jumkr6yKdEzBj23Q8ZPX7pdh2JMf40EvGh1dAmibAZdYhuMGcMjCZsKMW8b&1b=W6RpsLRPH
  http://www.findsmartvestorpro.com/b6a4/?pPc=2zUiPygWWhGhTTPt59aALdzubfJOZPfGYm8T4hMrtq8qpNxJkD0bejz9pJEVuH2VhcQLkVD+&1b=W6RpsLRPH
  http://www.darenscape.com/b6a4/?pPc=/o8bd4Yn+5EYQl0+0B6vT8FOqtBFFV3vKtm6qVeMT3pPn9BnW0HxlU6BOHg8g2MYVqRIgKAb&1b=W6RpsLRPH
  http://www.puffycannabis.com/b6a4/?pPc=oiYmmsgxC1YJtL/TalgnGFIXIV5LVOhJOFefMXwNyxWtYVBV9sv49gjiiwV97JT9vw/9+E/D&1b=W6RpsLRPH
  http://www.shinebrightjournal.com/b6a4/?pPc=yia2y8Ozc6GenJUPAcroUvWGFTw2QMRRPIQzt/ZaZChJ1JNL+1MGl/E4CETm5UxneJuWJm8N&1b=W6RpsLRPH
  http://www.banban365.net/b6a4/?pPc=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&1b=W6RpsLRPH
  http://www.breathlessandinlove.com/b6a4/?pPc=L3jTl+qjmOLob/hwsT1R5L1wPHeQgqAvmmPpKYZw/Tvlatm9T0OvxocvGkGBA0MAck/qyoGi&1b=W6RpsLRPH
  http://www.besthypee.com/b6a4/?pPc=Qns5Qsf7idreXcQcAn7ngAtcze6YDtPoIPtFsjnoPncdjMyZsXPG24zliSsXwtCsnKHDqpq8&1b=W6RpsLRPH
Hosts (24):
  www.findsmartvestorpro.com (34.98.99.30)
  www.comprarmiaspiradora.com (91.195.240.13)
  www.mengzhanxy.com (154.85.61.184)
  www.puffycannabis.com (34.102.136.180)
  www.shinebrightjournal.com (66.96.162.247)
  www.helpmovingandstorage.com (209.15.40.102)
  www.banban365.net (34.98.99.30)
  www.qipai039.com (47.91.170.222)
  www.asteroid.finance (198.54.117.210)
  www.darenscape.com (34.102.136.180)
  www.besthypee.com (34.98.99.30)
  www.breathlessandinlove.com (104.21.40.174)
  www.recargasasec.com (157.230.119.90)
  154.85.61.184
  66.96.162.247
  209.15.40.102
  91.195.240.13 [phishing]
  198.54.117.212 [malicious]
  157.230.119.90
  34.102.136.180 [malicious]
  92.119.113.140 [malware]
  47.91.170.222 [malicious]
  34.98.99.30 [phishing]
  172.67.155.190
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 5.6 | M | VT detections: 49 | Submitter: ZeroCERT

41403 | 2021-09-19 10:49 | Stub.exe | MD5 5eaf5e0662c263dd7acc3476067991a2
Tags: RAT, PWS, .NET framework, Gen2, Generic Malware, Malicious Packer, Malicious Library, PE64, PE File, OS Processor Check, .NET EXE, DLL, VirusTotal, Malware, AutoRuns, PDB, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, Windows, ComputerName, DNS
URLs (4):
  http://sherence.ru/323.exe (rule_id 5192)
  https://sh1729062.b.had.su//loader.txt (rule_id 4573)
  https://sh1729062.b.had.su//cisCheckerstroke.php (rule_id 4574)
  https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av= (rule_id 4575)
Hosts (5):
  sherence.ru (104.21.48.37) [malware]
  sh1729062.b.had.su (92.119.113.140) [malicious]
  104.21.48.37 [malware]
  92.119.113.140 [malware]
  162.159.135.233 [malware]
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
URL rule matches (4):
  http://sherence.ru/323.exe
  https://sh1729062.b.had.su//loader.txt
  https://sh1729062.b.had.su//cisCheckerstroke.php
  https://sh1729062.b.had.su//gate.php
Score: 9.0 | M | VT detections: 36 | Submitter: ZeroCERT

41404 | 2021-09-19 10:49 | Stub.exe | MD5 5eaf5e0662c263dd7acc3476067991a2 (second submission of the sample in 41403)
Tags: RAT, PWS, .NET framework, NPKI, Gen2, Generic Malware, Malicious Packer, Malicious Library, PE64, PE File, OS Processor Check, .NET EXE, DLL, VirusTotal, Malware, AutoRuns, PDB, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, Windows, ComputerName, DNS
URLs (4):
  http://sherence.ru/323.exe (rule_id 5192)
  https://sh1729062.b.had.su//loader.txt (rule_id 4573)
  https://sh1729062.b.had.su//cisCheckerstroke.php (rule_id 4574)
  https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av= (rule_id 4575)
Hosts (4):
  sh1729062.b.had.su (92.119.113.140) [malicious]
  sherence.ru (172.67.176.114) [malware]
  172.67.176.114 [malware]
  92.119.113.140 [malware]
Alerts (2):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URL rule matches (4):
  http://sherence.ru/323.exe
  https://sh1729062.b.had.su//loader.txt
  https://sh1729062.b.had.su//cisCheckerstroke.php
  https://sh1729062.b.had.su//gate.php
Score: 8.4 | M | VT detections: 36 | Submitter: ZeroCERT

41405 | 2021-09-19 10:47 | vbc.exe | MD5 866d1aeb69daac5e6e4dda938edf8d26
Tags: Malicious Library, PE File, OS Processor Check, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, unpack itself, RCE
URLs (14):
  http://www.kedaiherbalalami.com/b6a4/?v4=AClaEyNViDSune13/YZUUjazMao4yP2qoW92J+V8GQKrmRmlM8SyMJgG/BS9WoJI+nFJwME4&Hp=V48HzvXX
  http://www.puffycannabis.com/b6a4/?v4=oiYmmsgxC1YJtL/TalgnGFIXIV5LVOhJOFefMXwNyxWtYVBV9sv49gjiiwV97JT9vw/9+E/D&Hp=V48HzvXX
  http://www.banban365.net/b6a4/?v4=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&Hp=V48HzvXX
  http://www.skoba-plast.com/b6a4/?v4=p6ZBaKxeDGGGbWVKNL6LmfLe4qu41/ZuDkLfUQVsf5tarRyTEM8ysZ8aqSh2CwtwR2aIkrq6&Hp=V48HzvXX
  http://www.helpmovingandstorage.com/b6a4/?v4=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&Hp=V48HzvXX
  http://www.mengzhanxy.com/b6a4/?v4=FByqb+2LlROyngocgFCFAn+MKYV18123uhBB1I43VWvlV2IxG8Ov3otlIU6bOU/X6zRPLChJ&Hp=V48HzvXX
  http://www.shinebrightjournal.com/b6a4/?v4=yia2y8Ozc6GenJUPAcroUvWGFTw2QMRRPIQzt/ZaZChJ1JNL+1MGl/E4CETm5UxneJuWJm8N&Hp=V48HzvXX
  http://www.id-ers.com/b6a4/?v4=uH6EfKcepLhoITy038beys+pLFYYfex5cK/VvJ23mqODSQImeIcr0rdBhl7AYUs9qsPgSB01&Hp=V48HzvXX
  http://www.rnerfrfw5z3ki.net/b6a4/?v4=855Z9vQ5XXc46/dVYdONeB9yi8X3cSgRKyshY/MEyACWaY62iqQ2QtSCUTEdj76PLZdbQSVg&Hp=V48HzvXX
  http://www.naughty0milf.today/b6a4/?v4=y3Ab41qY+IWzqUQ9j62fWmWTVEKi2r9ZDEGdaGq9wc7JzSC40q3Bki+eTJ19ahFkSaZblDBO&Hp=V48HzvXX
  http://www.maximumsale.com/b6a4/?v4=jUXSBmmEOkRVD/snHUZVGd++nKvIB5C3Qlbp0N4c/DnjLwT5QCEf4v32ZuriMDGEoBVryIv8&Hp=V48HzvXX
  http://www.recargasasec.com/b6a4/?v4=c8NarzWcEtsFm58gGwju3yDcr3OowVkzeYD4dTid6NZJZ29ZkeD+uwofnAuE7UyUZFTxuq8g&Hp=V48HzvXX
  http://www.mrtireshop.com/b6a4/?v4=1IxU2pCdzLjbc0WwjWEQ14t/h9IMUjYewkIb86Rsf7stw4Ydt/lwwX9QzcCR3qe4ia4DtzcM&Hp=V48HzvXX
  http://www.avisdrummondhomes.com/b6a4/?v4=tgq8zJv4ZamsZtYNH8dbmFxJ3RcVgptpPUIUZanqqJHtnwqLeeTduXi6ZJW0PDdhmdVNmULh&Hp=V48HzvXX
Hosts (27):
  www.naughty0milf.today (99.83.154.118)
  www.mengzhanxy.com (154.85.61.184)
  www.kedaiherbalalami.com (5.181.216.107)
  www.shinebrightjournal.com (66.96.162.247)
  www.helpmovingandstorage.com (209.15.40.102)
  www.avisdrummondhomes.com (52.71.133.130)
  www.banban365.net (34.98.99.30)
  www.rnerfrfw5z3ki.net (54.65.172.3)
  www.skoba-plast.com (193.34.169.17)
  www.id-ers.com (34.102.136.180)
  www.maximumsale.com (3.223.115.185)
  www.mrtireshop.com (34.102.136.180)
  www.puffycannabis.com (34.102.136.180)
  www.recargasasec.com (157.230.119.90)
  www.gr2future.com (unresolved)
  154.85.61.184
  66.96.162.247
  193.34.169.17
  209.15.40.102
  5.181.216.107
  157.230.119.90
  34.102.136.180 [malicious]
  99.83.154.118 [malicious]
  52.71.133.130 [malicious]
  54.65.172.3
  3.223.115.185 [malicious]
  34.98.99.30 [phishing]
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 4.0 | M | VT detections: 49 | Submitter: ZeroCERT

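The two FormBook rows above (41402 and 41405) show the check-in shape that the "ET MALWARE FormBook CnC Checkin (GET)" alert fires on: every decoy and C2 domain in a build is requested on the same short path (/b6a4/), with one long encrypted parameter that differs per domain and one short token (1b=W6RpsLRPH in the first run, Hp=V48HzvXX in the second) that stays constant across the whole run. That structure is useful as a pivot in proxy logs even when the domain list is unknown. The code below is an added example, not code from the sandbox, from ZeroCERT or from the ET ruleset; the structural heuristic and its thresholds (path of 3 to 8 lowercase alphanumerics, a base64-like payload of at least 40 characters, a 6 to 12 character token, at least three domains per cluster) are my own assumptions, and SAMPLE_URLS is constructed from the rows above plus one benign control URL from row 41401.

```python
"""Cluster FormBook-style check-in URLs from a sandbox report by campaign token.

Added example, not the sandbox's own code. The heuristic (fixed short path,
one long encrypted parameter, one short constant token) and every threshold
below are assumptions drawn from the two FormBook rows on this page.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: six URLs copied from rows 41402 and 41405 (three per run)
# plus one benign control from row 41401.
SAMPLE_URLS = [
    "http://www.mengzhanxy.com/b6a4/?pPc=FByqb+2LlROyngocgFCFAn+MKYV18123uhBB1I43VWvlV2IxG8Ov3otlIU6bOU/X6zRPLChJ&1b=W6RpsLRPH",
    "http://www.helpmovingandstorage.com/b6a4/?pPc=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&1b=W6RpsLRPH",
    "http://www.recargasasec.com/b6a4/?pPc=c8NarzWcEtsFm58gGwju3yDcr3OowVkzeYD4dTid6NZJZ29ZkeD+uwofnAuE7UyUZFTxuq8g&1b=W6RpsLRPH",
    "http://www.kedaiherbalalami.com/b6a4/?v4=AClaEyNViDSune13/YZUUjazMao4yP2qoW92J+V8GQKrmRmlM8SyMJgG/BS9WoJI+nFJwME4&Hp=V48HzvXX",
    "http://www.puffycannabis.com/b6a4/?v4=oiYmmsgxC1YJtL/TalgnGFIXIV5LVOhJOFefMXwNyxWtYVBV9sv49gjiiwV97JT9vw/9+E/D&Hp=V48HzvXX",
    "http://www.banban365.net/b6a4/?v4=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&Hp=V48HzvXX",
    "http://checkip.dyndns.org/",
]

# Assumed thresholds; tune against your own traffic.
_PATH_RE = re.compile(r"^/[0-9a-z]{3,8}/$")      # e.g. /b6a4/
_B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")       # encrypted per-domain payload
_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{6,12}$")    # short constant run token
_MIN_PAYLOAD_LEN = 40


def _split_query(query):
    """Split a raw query string into (name, value) pairs without decoding.

    urllib.parse.parse_qsl would turn '+' into ' ' and percent-decode values,
    which corrupts the base64-like payload, so split by hand and keep values
    exactly as they appeared on the wire.
    """
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def checkin_signature(url):
    """Return (path, token_name, token_value) if the URL matches the
    FormBook check-in shape, otherwise None."""
    parts = urlsplit(url)
    if not _PATH_RE.match(parts.path):
        return None
    pairs = _split_query(parts.query)
    if len(pairs) != 2:
        return None
    (_, payload), (token_name, token) = pairs
    if len(payload) < _MIN_PAYLOAD_LEN or not _B64_RE.match(payload):
        return None
    if not _TOKEN_RE.match(token):
        return None
    return (parts.path, token_name, token)


def is_formbook_checkin(url):
    return checkin_signature(url) is not None


def cluster_checkins(urls, min_domains=3):
    """Group matching URLs by (path, token name, token value) and keep only
    clusters seen across at least min_domains distinct hosts, which is what
    separates a C2 run from a lone site that happens to use a similar URL."""
    groups = defaultdict(set)
    for url in urls:
        sig = checkin_signature(url)
        if sig is not None:
            groups[sig].add(urlsplit(url).hostname)
    return {sig: sorted(hosts) for sig, hosts in groups.items()
            if len(hosts) >= min_domains}


if __name__ == "__main__":
    for sig, hosts in cluster_checkins(SAMPLE_URLS).items():
        print(sig, hosts)
```

Run over a day of proxy logs, cluster_checkins surfaces the decoy and C2 domain set of a FormBook build as one group keyed by its run token, which is more stable than any individual domain. The shape alone is not a blocking rule: a legitimate site with a four-character directory and two query parameters can match, so treat single-host matches as noise and only escalate clusters.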
41406 | 2021-09-19 10:46 | mygod.exe | MD5 60a01c98200c36b4917c453feedbf79d
Tags: PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, crashed
URLs: none
Hosts: none
Alerts: none
Score: 10.4 | M | VT detections: 40 | Submitter: ZeroCERT

41407 | 2021-09-19 10:44 | cyber-server.exe | MD5 6d4254084c9aff0d20d9c1cdfb7a31ec
Tags: RAT, PWS, .NET framework, Generic Malware, Malicious Packer, PE File, .NET EXE, PE32, VirusTotal, Malware, ICMP traffic, IP Check, DNS
URLs (1): not listed on the page
Hosts (3):
  ip-api.com (208.95.112.1)
  77.21.216.101
  208.95.112.1
Alerts (1):
  ET POLICY External IP Lookup ip-api.com
Score: 4.4 | M | VT detections: 61 | Submitter: ZeroCERT

41408 | 2021-09-19 10:44 | vbc.exe | MD5 3cb12929c01dcbf5af156b6ce3fa3a6f
Tags: Loki, PWS, Loki[b], Loki.m, RAT, .NET framework, Generic Malware, DNS Socket, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://checkvim.com/fd7/fre.php (rule_id 5250)
Hosts (3):
  checkvim.com (185.251.91.166) [malicious]
  179.43.187.185
  185.251.91.166
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
URL rule matches (1):
  http://checkvim.com/fd7/fre.php
Score: 13.4 | M | VT detections: 19 | Submitter: ZeroCERT

41409 | 2021-09-19 10:42 | 0d.exe | MD5 3a2984391e5a67689e60830f82700e74
Tags: RAT, Generic Malware, ScreenShot, Http API, Steal credential, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Tofsee, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (2):
  http://179.43.187.185/
  https://telete.in/opussenseus1
Hosts (3):
  telete.in (195.201.225.248) [malicious]
  179.43.187.185
  195.201.225.248 [malicious]
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.2 | VT detections: 12 | Submitter: ZeroCERT

41410 | 2021-09-19 10:42 | Kdkvxufvvymmebagxmoolsfkmwkkqa... | MD5 663dfa8f055ba37eaa8bffc10026f311
Tags: UPX, Malicious Library, PE File, PE32, VirusTotal, Malware, RWX flags setting, unpack itself, Tofsee, RCE, crashed
URLs (1):
  https://cdn.discordapp.com/attachments/780223158832988201/888322445285662750/Kdkvxufvvymmebagxmoolsfkmwkkqan
Hosts (2):
  cdn.discordapp.com (162.159.129.233) [malware]
  162.159.135.233 [malware]
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.8 | M | VT detections: 26 | Submitter: ZeroCERT

41411 | 2021-09-18 22:10 | 11 billentyűkombináció, ami me... (Hungarian, truncated: "11 key combinations that ...") | MD5 536838e1ba71280e538c83079e48495a
Tags: PDF
Submitter: guest

41412 | 2021-09-18 22:04 | 11 billentyűkombináció, ami me... (Hungarian, truncated: "11 key combinations that ...") | MD5 536838e1ba71280e538c83079e48495a (same file as 41411)
Tags: PDF
Submitter: guest

41413 | 2021-09-18 21:40 | Japán vízkúra.pdf.igvm (Hungarian: "Japanese water cure") | MD5 c27de5e6764d3f0cbce3dae0117a66f6
Tags: PDF
Submitter: guest

41414 | 2021-09-18 20:02 | troupzx.exe | MD5 1c4fd4c1adfb8b5cc412128415251379
Tags: PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, crashed
URLs: none
Hosts: none
Alerts: none
Score: 8.8 | M | VT detections: 25 | Submitter: ZeroCERT

41415 | 2021-09-18 20:02 | askinstall58.exe | MD5 75cd00f5ec5aa1120739721c6f0a1240
Tags: Gen2, Trojan_PWS_Stealer, NPKI, BitCoin, Credential User Data, Generic Malware, Malicious Packer, Malicious Library, SQLite Cookie, UPX, Anti_VM, DGA, DNS Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP Internet API, FTP, ScreenSh, Browser Info Stealer, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Checks debugger, WMI, Creates executable files, exploit crash, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, installed browsers check, Tofsee, Windows, Exploit, Browser, ComputerName, RCE, crashed
URLs (4):
  http://www.wsrygoq.com/Home/Index/lkdinl
  http://www.iyiqian.com/ (rule_id 2326)
  https://iplogger.org/14Jup7
  https://www.listincode.com/ (rule_id 2327)
Hosts (8):
  www.listincode.com (144.202.76.47) [malicious]
  www.wsrygoq.com (188.225.87.175)
  www.iyiqian.com (103.155.92.58) [malicious]
  iplogger.org (88.99.66.31) [malicious]
  103.155.92.58 [malicious]
  88.99.66.31 [malicious]
  144.202.76.47 [malicious]
  188.225.87.175 [malicious]
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URL rule matches (2):
  http://www.iyiqian.com/
  https://www.listincode.com/
Score: 10.6 | M | Submitter: ZeroCERT