41986 |
2021-09-02 09:23
|
mazx.exe 2aee5ea79b9327ec85da89421b92d219 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
http://www.gatel3ess.com/mxwf/?v6=xHFfgTEL+mJKwfpOdfq+qxaG0inkAfXbv5WaALWrbm9qy3zCGisDRu1Ryc3XwIlgKHY9Bve3&1b=V6ALsRjPe
|
3
www.llanoresources.com()
www.gatel3ess.com(34.102.136.180)
34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
|
22 |
ZeroCERT
41987 |
2021-09-02 09:22
|
vbc.exe ceed79fe40c1038ca78784cc26a1eed5 RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed |
1
https://pastebin.pl/view/raw/ae498e11 - rule_id: 4631
|
2
pastebin.pl(168.119.93.163) - mailcious
168.119.93.163 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://pastebin.pl/view/raw/ae498e11
|
10.2 |
M |
18 |
ZeroCERT
41988 |
2021-09-02 09:21
|
nnlt4.exe d1ce5b7ddf8d49a2554281ffe4e14270 AgentTesla(IN) RAT Generic Malware Malicious Library Malicious Packer PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
5.8 |
|
50 |
ZeroCERT
41989 |
2021-09-02 09:20
|
vbc.exe a9a4ef232a3238c20d7e392ca286c265 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
10
http://www.proukai.com/sqwo/?DbG=59MH3VOILL5z2QNZYOizyHYj+fftqBxCIQuKhadA9I2TbROQrnwmP5EnQYKS9xNrkbzZMFXq&QZ0=ehutZJWpFNspox
http://www.indiavirtuallawchambers.com/sqwo/?DbG=2O1+i4BGI1k2joz277jApU5rnHZkWEAMJdqBHqZbDZi4Bp+j/RJ/M26ZihS3sjaRa1txQrME&QZ0=ehutZJWpFNspox
http://www.ringer.pro/sqwo/?DbG=mpg9f8Y45csooX22obIF6W7peY66eDDLthysSPYzep9v0aw78U9pk2CIUIlkmOE3dQhgn+V4&QZ0=ehutZJWpFNspox
http://www.coloradosalsa.com/sqwo/?DbG=ZQEzhroX/pXXk35s3WvvPNG9SpaofcoiDOazIUbGfrGHQIpNZYKOdDtNu1n/ilbTQe76O4xu&QZ0=ehutZJWpFNspox
http://www.thisisatemporaryemail.com/sqwo/?DbG=gAKOWl9ZlpvAq6Ow3+qmV/gdCeDECP4mzyGv8UTw+U6fFj1uXcepbG7pi5w+8yIeN80+gLnU&QZ0=ehutZJWpFNspox
http://www.ratarate.com/sqwo/?DbG=lrDfaoRzNAOMN2B0GfdQV0PruNWXKi9d61SjUyKjOmvObZ3cgWEpXFIDhKzUrtskx/c+maJ0&QZ0=ehutZJWpFNspox
http://www.xinfengsl.com/sqwo/?DbG=VCku72SNHpRVTt3EfV+y4RF0wvhRl+VcCN2KQOPjAfD5Yv2eImu3WtSd32tteAFusdEBHhzF&QZ0=ehutZJWpFNspox
http://www.boealive.com/sqwo/?DbG=YcUhFjlnWjkRFG+zvI9+SnpP7/awtrdVXC2/4yVsTo1nsotrZYX3lFz6dzvB548kciAseVEX&QZ0=ehutZJWpFNspox
http://www.path-precise.com/sqwo/?DbG=wXU3yaorPAVQEXrE6ARF3iFQKYm1nNlMx3B8o4H8pzqIJpzncizsh2wFey63TgewQz5bUBxD&QZ0=ehutZJWpFNspox
http://www.glamandtan.net/sqwo/?DbG=JhW4WKUAk7xlkEEDulhqKZMy2L/keqwe9HdINH+9b6LvJc3qx9ABslN47JV5O7XZ+76PGcj5&QZ0=ehutZJWpFNspox - rule_id: 4694
|
20
www.path-precise.com(72.52.178.23)
www.ratarate.com(101.32.12.102)
www.ringer.pro(75.2.18.233)
www.coloradosalsa.com(45.15.152.14)
www.thisisatemporaryemail.com(44.227.65.245)
www.glamandtan.net(209.99.40.222)
www.boealive.com(34.98.99.30)
www.proukai.com(91.195.240.117)
www.xinfengsl.com(154.81.37.104)
www.indiavirtuallawchambers.com(34.102.136.180)
44.227.76.166 - mailcious
75.2.18.233 - mailcious
209.99.40.222 - mailcious
34.102.136.180 - mailcious
45.15.152.14
91.195.240.117 - mailcious
154.81.37.104
101.32.12.102
34.98.99.30 - phishing
72.52.178.23 - suspicious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.glamandtan.net/sqwo/
|
8.0 |
M |
34 |
ZeroCERT
41990 |
2021-09-02 09:19
|
myformzx.exe caee75efc8bd1904d750d941d6a760b8 RAT PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
25 |
ZeroCERT
41991 |
2021-09-02 09:19
|
templefirstzx.exe 6c0795e7a1460e3eb294d63e6961bd1c RAT PWS .NET framework Formbook Generic Malware SSL DNS Socket SMTP Escalate priviledges KeyLogger Internet API ScreenShot Dynamic Dns persistence AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL FormBook Malware download VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself AppData folder malicious URLs Tofsee Windows Advertising Google ComputerName DNS Cryptographic key DDNS crashed keylogger |
11
http://www.vnielvmdqxk538.xyz/b0ar/?r6=7CUt39hPMjg/s6qQ0+QbWtikgyOufco6CG9l+t5DjC9/JIPCU/WxQ6IAIg/iVENqz91MlH14&sBZxr2=FxopsJeXPvOX3
http://xred.site50.net/syn/SSLLibrary.dll - rule_id: 4617
http://www.mcinerneychrysler.com/b0ar/?r6=oBVrEuqKUfopUpAnqJfem3AP4MxLKUs3kUwU0NiQ7+oE8UvVtrvEXTcSUGgYTlPvZxyytEEp&sBZxr2=FxopsJeXPvOX3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
http://www.thepink.club/b0ar/?r6=35zmK/1nOG3ZiclOaRDNqBcycOB07sOwoO1SOSl9YfrEiskurZgjdyrE07vb97UKsZwkKKa4&sBZxr2=FxopsJeXPvOX3
http://www.livingalcohol.com/b0ar/?r6=32cJvtm6v5CrHkGtRaCKvnIzMPMaS8klC7QMWGugGRjVzPiNEaTJc2oUIDqYaKdywZUrkA7f&sBZxr2=FxopsJeXPvOX3
http://www.algarmotorcars.com/b0ar/?r6=GBw5w5TP0zGw7Ui1KyuWLvjFNgn/VJyG24akOFBAUZbsXTnWiW1DuuZdfbFm7e75UOMWX9j4&sBZxr2=FxopsJeXPvOX3
http://www.artjohntravis.com/b0ar/?r6=FI6V3ciXB53f+evAnSijLVseR7Fj9SHqs11tijwh7SEaqCYqOPT9yA6Mp0JLeXWl2GeMTJcV&sBZxr2=FxopsJeXPvOX3
https://www.000webhost.com/migrate?static=true
https://www.dropbox.com/s/dl/fzj752whr3ontsm/SSLLibrary.dll
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 - rule_id: 4618
|
26
www.thepink.club(99.83.154.118)
www.000webhost.com(104.19.184.120)
www.dropbox.com(162.125.84.18) - mailcious
www.ceaice.com()
www.vnielvmdqxk538.xyz(72.52.178.23)
freedns.afraid.org(69.42.215.252)
www.algarmotorcars.com(34.80.190.141)
xred.site50.net(153.92.0.100) - mailcious
www.6972399.com()
www.mcinerneychrysler.com(104.74.219.56)
docs.google.com(172.217.26.14) - mailcious
xred.mooo.com() - mailcious
www.livingalcohol.com(34.102.136.180)
www.privsec-mail.com()
www.artjohntravis.com(34.102.136.180)
www.secure-dwellant.com()
72.52.178.23 - suspicious
104.74.219.56
153.92.0.100 - mailcious
99.83.154.118 - mailcious
34.102.136.180 - mailcious
34.80.190.141 - mailcious
104.19.185.120
69.42.215.252
172.217.26.14 - malware
162.125.84.18 - mailcious
|
6
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
ET POLICY Dropbox.com Offsite File Backup in Use
ET HUNTING Suspicious User-Agent Containing .exe
|
2
http://xred.site50.net/syn/SSLLibrary.dll
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
|
15.4 |
M |
23 |
ZeroCERT
41992 |
2021-09-02 09:19
|
..-.-...................------... 98a92918a128f1f26d552bb3aaab2a61 RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
19
http://www.hfhwssc.com/24ng/ - rule_id: 4597
http://www.ptpatennis.com/24ng/
http://www.getzlppi.com/24ng/
http://www.jjyzscl.com/24ng/
http://www.emmymorrow.xyz/24ng/?TZ=MpsKsbuj3plW3zxxgPetNSfc39jzCcaN6Okb8XXwEkEAsEoFXdXIJgm+0gMt/BsRuN2GbYWJ&mvHtT=Y2J0irR8DZUtWbf
http://198.12.127.217/hsbc/vbc.exe
http://www.inanavcifitnessclub.com/24ng/?TZ=7B/mxEe684X+Fe8GJ5WQJKEToqxOKLoYRHSlnqT22Suhy7fkAEyyqsV6IsAMnECK+ppvVgFJ&mvHtT=Y2J0irR8DZUtWbf
http://www.brightstarqr.com/24ng/?TZ=8v1BaeXDdHouIcyDdFDGzu6REvBUz6OB3JNjO8R+mAtpk36d8yYIQhxbWZgde9Q6oLtpMRoQ&mvHtT=Y2J0irR8DZUtWbf
http://www.softouchcomputer.com/24ng/?TZ=fXBeYi2KYDeGue3GyybylYEREpAt73UzBLGgjKY/A8hX8o3UYaJp/MnPYrs1PjdYe+TTzooN&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4598
http://www.jjyzscl.com/24ng/?TZ=EaDH/+1mOmQ7aWJI7AX+IlzBUQKYpCjIvrNurEm81n5vQYPM3XYWZDGTjMXv7Z9O/YqAJJxc&mvHtT=Y2J0irR8DZUtWbf
http://www.hfhwssc.com/24ng/?TZ=tUr3L7F+3PGvEFcZd+SfWB+iCUteo8w/ToAKorOuAJitLd2/Au6xWCIPWaoTHGtlxQq11mO7&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4597
http://www.joycekayiba.com/24ng/?TZ=CabvNxLtXK7AxhBdYJap/g8mwsQmgWak8myj7hdi5lEds/kVRqaawrDB55LgJdOF0Pe0hBMQ&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4595
http://www.softouchcomputer.com/24ng/ - rule_id: 4598
http://www.inanavcifitnessclub.com/24ng/
http://www.emmymorrow.xyz/24ng/
http://www.brightstarqr.com/24ng/
http://www.joycekayiba.com/24ng/ - rule_id: 4595
http://www.getzlppi.com/24ng/?TZ=L5LGxFrJmFFW7+IY9g8iVUirVSu4fjeQj90+j0oTYvKK8rEJklo6J2dxJua7XjT6OpHJ/fPt&mvHtT=Y2J0irR8DZUtWbf
http://www.ptpatennis.com/24ng/?TZ=EgM9f4N/TTbc7wy+9K504atXnuYtNAxq+K5G2bjH3yNZBGKx+fYzE5a0kKWfzvBOG3xTHkvq&mvHtT=Y2J0irR8DZUtWbf
|
16
www.emmymorrow.xyz(75.2.18.233)
www.brightstarqr.com(54.157.58.70)
www.softouchcomputer.com(209.99.40.222)
www.hfhwssc.com(101.32.215.239)
www.ptpatennis.com(34.102.136.180)
www.joycekayiba.com(209.99.40.222)
www.getzlppi.com(34.102.136.180)
www.inanavcifitnessclub.com(209.99.40.222)
www.jjyzscl.com(104.252.232.119)
101.32.215.239 - mailcious
104.252.232.119
209.99.40.222 - mailcious
34.102.136.180 - mailcious
54.162.128.250
198.12.127.217
75.2.18.233 - mailcious
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
6
http://www.hfhwssc.com/24ng/
http://www.softouchcomputer.com/24ng/
http://www.hfhwssc.com/24ng/
http://www.joycekayiba.com/24ng/
http://www.softouchcomputer.com/24ng/
http://www.joycekayiba.com/24ng/
|
5.4 |
M |
26 |
ZeroCERT
41993 |
2021-09-02 09:17
|
bytes.dll 0c6fec239a33864acdd558de506c1c3a Generic Malware Malicious Packer PE File .NET DLL DLL PE32 VirusTotal Malware |
|
|
|
|
1.2 |
|
16 |
ZeroCERT
41994 |
2021-09-02 08:24
|
vbc.exe 1cd98a8f7c1680578f5a0f097ca218da Malicious Library PE File OS Processor Check PE32 unpack itself Tofsee |
1
https://img.neko.airforce/files/vldyjj
|
2
img.neko.airforce(167.172.239.151) - mailcious
167.172.239.151 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
0.6 |
M |
|
guest
41995 |
2021-09-02 08:02
|
vbc.exe 1cd98a8f7c1680578f5a0f097ca218da Malicious Library PE File OS Processor Check PE32 unpack itself Tofsee |
1
https://img.neko.airforce/files/vldyjj
|
2
img.neko.airforce(167.172.239.151) - mailcious
167.172.239.151 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
0.6 |
M |
|
ZeroCERT
41996 |
2021-09-02 07:54
|
invoice.wbk dd2f7b986cc840b4c4f9b03def8fcadd RTF File doc AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader |
1
http://23.95.122.90/hsbc/vbc.exe
|
3
img.neko.airforce(167.172.239.151)
167.172.239.151
23.95.122.90
|
8
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
|
|
ZeroCERT
41997 |
2021-09-02 07:52
|
tud.exe ce5d381161004cbbd80eaf1f37089cb2 Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName |
3
https://nt5jww.sn.files.1drv.com/y4mIIeLspNJ3K28H6JugwGsEdpXjFzjPVJT4bPmRd4s8yB8qLpYXzcLDUWXEYrVapMd-sie624Z-x4WyElcv_PZHofwwgvlFNVGzNabdNZAV9sCzBHopy1lzLXg4cDygzCE7AGKWqmXzrN1QPk3Ut_beGliD9n9FYGgNVj_ATz8BvVbleQmMNwRjbVfSqkBTOXQZGlXkhFhKT-u5Snr_Wtezw/Uogsnykzlubtojeyocmevzvkobqbwih?download&psid=1
https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21134&authkey=AFTe8YO6kjuEIKY
https://nt5jww.sn.files.1drv.com/y4miUsf9sljhXmJzfbHSzBV5TVv6fiYklyyLJPEpgu9KzrWNc5gYDHZ5coO5NjYF8gvoNogRS-nj7GhSKMxPrxvQ3lak9G-88eu_Cq_0vpnd6O5argxr9COAVP2XuxhXOOUg41KabEabJjei_JBLFmHefbSrURxPYQ6Q64IBRowInSxDPXSGnlovCWV-5-GfE7AD0nDVKiNxNQH-lNT6nWWzQ/Uogsnykzlubtojeyocmevzvkobqbwih?download&psid=1
|
4
onedrive.live.com(13.107.42.13) - mailcious
nt5jww.sn.files.1drv.com(13.107.42.12)
13.107.42.13 - mailcious
13.107.42.12 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
|
24 |
ZeroCERT
41998 |
2021-09-02 07:37
|
PAYLOAD2.PS1 71af182d724fe991f4f3b4026fb7be66 Generic Malware Antivirus unpack itself |
|
|
|
|
0.4 |
|
|
ZeroCERT
41999 |
2021-09-01 17:55
|
swflash.cab b3e138191eeca0adcc05cb90bb4c76ff |
|
|
|
|
|
|
|
Kim.GS
42000 |
2021-09-01 14:18
|
0831_8300668682.doc 25d3ac93606e135f18e4e96887fa3a44 hancitor Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://buichely.com/8/forum.php - rule_id: 4748
http://api.ipify.org/
|
4
api.ipify.org(54.235.88.121)
buichely.com(185.230.91.127) - mailcious
54.235.247.117
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://buichely.com/8/forum.php
|
7.4 |
M |
|
guest