41776 | 2021-09-07 19:20 | stl.exe | 66a8fb0b8be4768c062c24b7313a457a | Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB
  1.8 | M | 47 | ZeroCERT
41777 | 2021-09-07 19:17 | vbc.exe | 3e7e25ad1c141f146e5ef2b18e624886 | PE File PE32 VirusTotal Malware Tofsee
  1 URL: https://img.neko.airforce/files/pazsby
  2 hosts: img.neko.airforce(167.172.239.151) - mailcious; 167.172.239.151 - mailcious
  2 alerts: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  0.8 | M | 23 | ZeroCERT
41778 | 2021-09-07 19:17 | kernel.exe | e2178538425f24c99cc460d888733e28 | Generic Malware Antivirus PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key Downloader
  2 URLs: https://ggle.io/4Fj4; http://13.238.159.178/ksfe/vbc.exe
  3 hosts: ggle.io(151.101.65.195) - mailcious; 151.101.1.195 - malware; 13.238.159.178
  1 alert: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  10.0 | M | 30 | ZeroCERT
41779 | 2021-09-07 19:15 | usermasabikzx.exe | ed32e8f2f6119552321f3ed79a730320 | PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
  9.4 | M | 17 | ZeroCERT
41780 | 2021-09-07 19:15 | clip.exe | 483715033eb4f12ab5c3d9a7e2953221 | Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself RCE
  2.2 | M | 35 | ZeroCERT
41781 | 2021-09-07 19:14 | vbc.exe | f1bb297d01ba31319a9e7e9a38ad42c0 | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key
  16 URLs:
  16 hosts:
  2 alerts: ET DROP Spamhaus DROP Listed Traffic Inbound group 17; ET MALWARE FormBook CnC Checkin (GET)
  4 URLs:
  9.4 | M | 24 | ZeroCERT
41782 | 2021-09-07 19:13 | rac.exe | 16838d8c5d81830caba15fdef47b3015 | Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
  1.8 | M | 24 | ZeroCERT
41783 | 2021-09-07 19:12 | hv.exe | 385eccb9e711368035f0f329f98255ec | Gen2 ASPack Malicious Library Malicious Packer PE File PE32 OS Processor Check Malware download VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Creates executable files Windows utilities suspicious process WriteConsoleW Zeus Windows ComputerName Trojan DNS
  1 URL: http://37.49.230.185/bp/gate.php?017BD04FB3BF45B68167E
  1 host:
  3 alerts: ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE Trojan Generic - POST To gate.php with no accept headers; ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
  7.8 | M | 49 | ZeroCERT
41784 | 2021-09-07 19:11 | vbc.exe | 1ad28c768524311e68f7db00b34e9c29 | PE File PE32 VirusTotal Malware unpack itself Tofsee
  1 URL: https://img.neko.airforce/files/ltnhq
  2 hosts: img.neko.airforce(167.172.239.151) - mailcious; 167.172.239.151 - mailcious
  2 alerts: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  1.2 | M | 23 | ZeroCERT
41785 | 2021-09-07 19:10 | raccon.exe | 357f32eecd7be7427ccc0e7fab0ce386 | Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
  1.8 | M | 23 | ZeroCERT
41786 | 2021-09-07 19:08 | Vids.exe | 09f9f48eea4e7bf45dc549f15e4d27e8 | Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
  1.8 | M | 23 | ZeroCERT
41787 | 2021-09-07 19:07 | vbc.exe | 94253a7c421aeba9e411730ba3f3c897 | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
  12 URLs:
  15 hosts:
  1 alert: ET MALWARE FormBook CnC Checkin (GET)
  8 URLs:
  8.6 | M | 18 | ZeroCERT
41788 | 2021-09-07 19:06 | c2.exe | ef125f7a35d65a62902594b0b4c46812 | RAT Generic Malware Malicious Packer PE File PE32 OS Processor Check .NET EXE VirusTotal Malware
  1.0 | M | 34 | ZeroCERT
41789 | 2021-09-07 19:04 | rig.exe | 0b85eae86038116041ecc8d24ba2fadb | Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware unpack itself ComputerName
  2.0 | | 53 | ZeroCERT
41790 | 2021-09-07 19:04 | clip.exe | 745b2fa5052c6dd80ae98f7aed56d23a | Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
  1.8 | | 22 | ZeroCERT