41536 | 2021-09-15 09:35
File: slFZvqw6JB8bsDt.exe
MD5: 03fa2aa90ad1ce098de68893d83f701d
Tags: RAT, PWS, .NET framework, NPKI, Generic Malware, Malicious Packer, UPX, Malicious Library, PE File, OS Processor Check, .NET EXE, PE32, Malware download, VirusTotal, Malware, IoC, AutoRuns, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Windows, ComputerName
URLs (4):
  http://qjqpqiamh2.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av=
  http://qjqpqiamh2.eternalhost.info//cisCheckerstroke.php
  http://qjqpqiamh2.eternalhost.info//loader.txt
  http://sherence.ru/12332123331.exe
Hosts (4):
  qjqpqiamh2.eternalhost.info (194.61.0.8)
  sherence.ru (104.21.48.37) - malware
  104.21.48.37 - malware
  194.61.0.8 - malware
Signatures (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Generic gate[.].php GET with minimal headers
  ET HUNTING Suspicious GET To gate.php with no Referer
8.6 | M | 25 | ZeroCERT

41537 | 2021-09-15 09:34
File: esembler.exe
MD5: 148fab089c36dcbd7cc58e0bdba881e4
Tags: RAT, PWS, .NET framework, Generic Malware, PE File, OS Processor Check, .NET EXE, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Windows, DNS, Cryptographic key
URLs: none
Hosts (1): none listed
Signatures: none
3.8 | M | 43 | ZeroCERT

41538 | 2021-09-15 09:32
File: bluestwozx.exe
MD5: ab66db9b6118f9156a0bd820642fa9cf
Tags: RAT, PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, WriteConsoleW, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (172.67.188.154)
  checkip.dyndns.org (158.101.44.242)
  172.67.188.154
  132.226.247.73
Signatures (3):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
15.4 | M | 24 | ZeroCERT

41539 | 2021-09-15 09:32
File: d.wbk
MD5: cfd3682c2cf1f604af25f77e9ac3fc84
Tags: RTF File, doc, AntiDebug, AntiVM, FormBook, Malware download, VirusTotal, Malware, MachineGuid, Malicious Traffic, Check memory, Checks debugger, exploit crash, unpack itself, Windows, Exploit, DNS, crashed
URLs (1):
  http://www.fact-about.com/m8g0/?EzuxZl=CJjkS1LluJdyCrC/wWSSdZmBbPjhWleK8FTZxyZzjK5W/DntwLv4XF/Fx0jov/ipugt5t8Pp&anX=TXFxrpEH_FZt
Hosts (4):
  www.fact-about.com (146.148.189.222)
  www.corbvalperu.com (no resolution recorded)
  146.148.189.222
  198.46.199.161 - malware
Signatures (8):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET)
5.0 | M | 26 | ZeroCERT

41540 | 2021-09-15 09:30
File: tmt.exe
MD5: b95fa0b61f4744cfb0ccd7dcb48270f8
Tags: North Korea, RAT, PWS, .NET framework, Generic Malware, DNS, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, crashed
URLs: none
Hosts: none
Signatures: none
8.8 | M | 20 | ZeroCERT

41541 | 2021-09-15 09:30
File: plugmanzx.exe
MD5: 19665f929613c0e945ff13dd25c9362e
Tags: Generic Malware, DNS, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, DDNS
URLs: none
Hosts (1):
  blackbladeinc52.ddns.net (no resolution recorded) - malicious
Signatures (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
13.6 | M | 34 | ZeroCERT

41542 | 2021-09-15 09:28
File: vbc.exe
MD5: 1ec248cde51ae1e700565074014f02d0
Tags: RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, ComputerName
URLs (3):
  http://www.agirlsministry.com/by65/?DXFTJ=CfJnzJir5fNwbtNWtID7sAotyxsbsVh+JpS85dwFP7vOp8SDFxpIfioG0o7zTOp31uL8uCSV&Jt7=XPv4sVZH
  http://www.boygirlthing.com/by65/?DXFTJ=RuPtncxmpRkBF/QMHMHEZu6r0m5pWck31IQ1KrcjF7csxN7vW2RN7HEHgOh4v0Rni4GxN9u+&Jt7=XPv4sVZH
  http://www.cellshellmobiles.com/by65/?DXFTJ=Q0j9r9SdeUpCI+2J6FPNmRRzwhJa70g45YOl/AI0eGYqY1d/jxP63Ercx8ev7POIv7nSA5ca&Jt7=XPv4sVZH
Hosts (6):
  www.boygirlthing.com (45.203.64.91)
  www.agirlsministry.com (34.102.136.180)
  www.cellshellmobiles.com (209.99.40.222)
  209.99.40.222 - malicious
  34.102.136.180 - malicious
  45.203.64.91
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.0 | M | 21 | ZeroCERT

41543 | 2021-09-15 09:27
File: 1233212333.exe
MD5: c0fe83baeb1facb1a25a686166660383
Tags: RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, DNS
URLs: none
Hosts (1):
  185.92.150.213 - malicious
Signatures: none
12.2 | M | 39 | ZeroCERT

41544 | 2021-09-15 09:25
File: wealthzx.exe
MD5: ffd78db073dcc4169752342093c603ea
Tags: RAT, PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, crashed
URLs: none
Hosts: none
Signatures: none
10.2 | M | 34 | ZeroCERT

41545 | 2021-09-15 09:25
File: f13058cb1065b13600fcb4a4f48e8e...
MD5: dc0b13c9d739e5bd085ed2e8a8a263ab
Tags: Malicious Library, PE File, OS Processor Check, PE32, DLL, VirusTotal, Malware, Buffer PE, Check memory, buffers extracted, WMI, Creates executable files, AppData folder, Tofsee, ComputerName
URLs (2):
  https://a.goatgame.co/userf/dat/2202/sqlite.dat
  https://a.goatgame.co/userf/dat/sqlite.dll - rule_id: 4717
Hosts (2):
  a.goatgame.co (104.21.79.144) - malware
  172.67.146.70 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URL (1):
  https://a.goatgame.co/userf/dat/sqlite.dll
4.8 | M | 40 | ZeroCERT

41546 | 2021-09-15 09:23
File: buy.exe
MD5: c162cbbb6353cb3b09bdc441fdd4c1b8
Tags: North Korea, RAT, PWS, .NET framework, Generic Malware, DNS, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, crashed
URLs: none
Hosts: none
Signatures: none
8.8 | M | 29 | ZeroCERT

41547 | 2021-09-15 09:23
File: f.wbk
MD5: e98b2039d50f2482200d688766f9789f
Tags: RTF File, doc, AntiDebug, AntiVM, FormBook, Malware download, VirusTotal, Malware, MachineGuid, Malicious Traffic, Check memory, Checks debugger, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
URLs (1):
  http://www.kkcindia.com/by65/?xVJtG4Th=PU+Ve4UAPi5Re9LLGDxmdgil374yQ6xwqpxATmSGSVF17+prnoHkx+dFYOe/+U0+Br20Y6Ns&1bw=L6Adp0nXjfjLdR2p
Hosts (4):
  www.seniorlivingukhomes.com (no resolution recorded)
  www.kkcindia.com (209.99.40.222)
  209.99.40.222 - malicious
  198.46.199.161 - malware
Signatures (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET)
5.0 | M | 26 | ZeroCERT

41548 | 2021-09-15 07:55
File: rusk.exe
MD5: b5faf0605f312ebc4ba7db08e4642530
Tags: Themida Packer, Admin Tool (Sysinternals etc ...), PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Collect installed applications, Detects VMWare, Check virtual network interfaces, VMware anti-virtualization, installed browsers check, Tofsee, Windows, Browser, ComputerName, RCE, Firmware, DNS, Cryptographic key, Software, crashed
URLs (1): none listed
Hosts (3):
  api.ip.sb (104.26.13.31)
  172.67.75.172 - malicious
  144.76.183.53 - malicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | | 22 | ZeroCERT

41549 | 2021-09-15 07:53
File: rxoes.exe
MD5: 4bebe52555714d9eddd2203ba86e685e
Tags: Malicious Library, PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, unpack itself
URLs: none
Hosts: none
Signatures: none
1.8 | | 23 | ZeroCERT

41550 | 2021-09-15 07:51
File: proliv14go.exe
MD5: dbb53aec87a062a9b0729c8aa9acd449
Tags: Emotet Gen2, Generic Malware, Themida Packer, Malicious Packer, Malicious Library, PE File, OS Processor Check, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Collect installed applications, Detects VMWare, Check virtual network interfaces, VMware anti-virtualization, installed browsers check, Tofsee, Windows, Browser, ComputerName, RCE, Firmware, DNS, Cryptographic key, Software, crashed
URLs (1): none listed
Hosts (3):
  api.ip.sb (172.67.75.172)
  104.26.13.31
  144.76.183.53 - malicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | | 31 | ZeroCERT

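The URL, host and hash fields in these records are published as flat, space-separated strings in the site's own layout, which is awkward to feed into a blocklist or a log search by hand. The following is an added example, not code from this page or from ZeroCERT, that parses a few of those fields (copied verbatim from the records above) into structured indicators, normalises the site's "mailcious" spelling of the verdict, defangs URLs and domains for reporting, and matches the resulting sets against constructed proxy, DNS and EDR log lines. The log lines are made up for illustration; the indicator values are the ones listed on this page.

```python
"""Added example: parse the flat URL/host/hash fields above into IoCs, defang them,
and match them against constructed log lines."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Field strings copied from the records on this page. A host field is a flat run of
# "name(resolved_ip)" or bare IPv4 entries, each optionally followed by " - <verdict>".
HOST_FIELDS = [
    "qjqpqiamh2.eternalhost.info(194.61.0.8) sherence.ru(104.21.48.37) - malware "
    "104.21.48.37 - malware 194.61.0.8 - malware",
    "www.seniorlivingukhomes.com() www.kkcindia.com(209.99.40.222) "
    "209.99.40.222 - mailcious 198.46.199.161 - malware",
    "blackbladeinc52.ddns.net() - mailcious",
]
URL_FIELDS = [
    "http://qjqpqiamh2.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av= "
    "http://sherence.ru/12332123331.exe",
    "https://a.goatgame.co/userf/dat/sqlite.dll - rule_id: 4717",
]
MD5S = ["03fa2aa90ad1ce098de68893d83f701d", "1ec248cde51ae1e700565074014f02d0"]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_ENTRY = re.compile(
    rf"(?:(?P<name>[A-Za-z0-9.-]+)\((?P<res>{IPV4})?\)|\b(?P<ip>{IPV4})\b)"
    r"(?:\s+-\s+(?P<verdict>malware|mailcious|malicious))?"
)
URL_RE = re.compile(r"https?://\S+")          # a URL runs to the next space
IP_PORT = re.compile(rf"^({IPV4})(?::\d+)?$")  # log tokens may carry ":port"


def parse_hosts(field: str) -> list[dict]:
    """Split one host field into {type, value, resolved, verdict} entries."""
    entries = []
    for m in HOST_ENTRY.finditer(field):
        verdict = m.group("verdict")
        if verdict == "mailcious":  # normalise the site's misspelling
            verdict = "malicious"
        if m.group("name"):
            entries.append({"type": "domain", "value": m.group("name"),
                            "resolved": m.group("res"), "verdict": verdict})
        else:
            entries.append({"type": "ip", "value": m.group("ip"),
                            "resolved": None, "verdict": verdict})
    return entries


def build_iocs(host_fields, url_fields, md5s) -> dict[str, set[str]]:
    """Collect lookup sets. Resolved IPs of domains are deliberately NOT added
    (104.21.x / 172.67.x above are shared CDN space); only listed hosts are."""
    iocs = {"domains": set(), "ips": set(), "urls": set(), "md5s": set()}
    for field in host_fields:
        for e in parse_hosts(field):
            iocs[e["type"] + "s"].add(e["value"])
    for field in url_fields:
        for url in URL_RE.findall(field):
            iocs["urls"].add(url)
            if host := urlparse(url).hostname:
                iocs["domains"].add(host)
    iocs["md5s"] = {h.lower() for h in md5s if re.fullmatch(r"[0-9a-fA-F]{32}", h)}
    return iocs


def defang(indicator: str) -> str:
    """Make a URL or domain safe to paste into a report."""
    return (indicator.replace("http://", "hxxp://")
            .replace("https://", "hxxps://").replace(".", "[.]"))


def scan_log(lines, iocs) -> list[tuple[int, str, str]]:
    """Return (line_no, ioc_type, value) for every token that hits an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in (t.strip(",;\"'") for t in line.split()):
            if tok.startswith(("http://", "https://")):
                host = urlparse(tok).hostname or ""
                if tok in iocs["urls"]:
                    hits.append((n, "url", tok))
                elif host in iocs["domains"]:  # same host, different path/params
                    hits.append((n, "domain", host))
            elif tok in iocs["domains"]:
                hits.append((n, "domain", tok))
            elif (m := IP_PORT.match(tok)) and m.group(1) in iocs["ips"]:
                hits.append((n, "ip", m.group(1)))
            elif tok.lower() in iocs["md5s"]:
                hits.append((n, "md5", tok.lower()))
    return hits


# Constructed proxy/DNS/EDR lines for illustration; not from a real network.
SAMPLE_LOG = [
    "2021-09-15T09:36:02Z 10.0.0.23 GET http://qjqpqiamh2.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av= 200",
    "2021-09-15T09:36:11Z 10.0.0.45 DNS blackbladeinc52.ddns.net A NXDOMAIN",
    "2021-09-15T09:37:40Z 10.0.0.23 CONNECT 198.46.199.161:80",
    "2021-09-15T09:40:07Z 10.0.0.70 GET https://www.example.com/ 200",
    "2021-09-15T09:41:00Z host-23 file_create vbc.exe 1ec248cde51ae1e700565074014f02d0",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG, build_iocs(HOST_FIELDS, URL_FIELDS, MD5S)))
```

Two practical points the code reflects. First, the gate.php URL above carries query parameters (hwid=, os=, av=) that are unlikely to repeat across victims, so an exact-URL match alone would miss the next check-in; `scan_log` therefore also reports a hit when only the hostname of a logged URL is a known indicator. Second, the resolved addresses shown in parentheses for several domains fall in shared CDN ranges; blocking or alerting on those would hit unrelated sites, so `build_iocs` only takes IPs the record itself lists as hosts.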