| 42001 |
2021-09-01 14:15
|
 0831_4532643085.doc f25c56cf3b503d96df86b4bb2c39f479
Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://api.ipify.org/
http://buichely.com/8/forum.php
|
4
api.ipify.org(54.225.219.20)
buichely.com(185.230.91.127) - mailcious
50.19.119.155
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
7.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42002 |
2021-09-01 14:14
|
 0831_4435052411.doc 004b4634de3991a6de6a2c756a83e6ff
Generic Malware VBA_macro MSOffice File unpack itself |
|
|
|
|
1.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42003 |
2021-09-01 14:06
|
Scan HP Jet 371302-83.exe d703b3cc46820009bb6c4ab14666ea9e
RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces human activity check Tofsee Windows DNS Cryptographic key DDNS crashed |
1
|
4
rebornx.duckdns.org(194.5.98.5) - mailcious
www.google.com(172.217.161.68)
142.250.66.100
194.5.98.5 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
|
25 |
JYC
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42004 |
2021-09-01 13:50
|
Scan HP Jet 371302-83.7z 2c5b2473879d30de86142c75a96ce789
AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName |
|
|
|
|
4.4 |
|
16 |
JYC
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42005 |
2021-09-01 10:04
|
 yui7653_pdf.exe 734a89ad96b20660a5cc97dad178fdbc
AutoIt UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee DNS |
1
https://pomf.lain.la/f/cenqjp15
|
3
pomf.lain.la(107.191.99.49) - mailcious
167.114.3.98 - mailcious
185.15.196.172
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.2 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42006 |
2021-09-01 10:01
|
 StaticArrayInitTypeSize52.exe 69b982b35f003dc6e9ca1e4b5ace2274
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
6
checkip.dyndns.org(158.101.44.242)
freegeoip.app(104.21.19.200)
api.telegram.org(149.154.167.220)
216.146.43.70 - suspicious
172.67.188.154
149.154.167.220
|
5
ET POLICY External IP Lookup - checkip.dyndns.org
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET INFO TLS Handshake Failure
|
|
12.6 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42007 |
2021-09-01 10:00
|
 JKd.txt.ps1 72b9eedf6b1effb1f41c3ee79e89eb98
Generic Malware Antivirus Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42008 |
2021-09-01 09:50
|
 vbc.exe 04179ebbab706ca5b7d7eda0becd3abc
RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
8
http://www.godspeedcheckout.com/utrf/?Mfd=YML6/4MbFaucvPXElRZzyjtyBDATZONUVEP0rukyNV7mVwlwfr0MKlD7TeqeK4zM4Y3EYRGq&rVj4Z=8pDDGD
http://www.alissapagelsminor.com/utrf/?Mfd=s7erYgESKr9m+mzxA/Q9UnpXdzsFrxDJZ/xrFu9DkcgPYBzGfkjQ2CYvjt6ZaVjEFZ88uL+J&rVj4Z=8pDDGD
http://www.merchwatcher.com/utrf/?Mfd=Vad6uiVCVQosa9/mMY+DSKEiZ4Jv5RPcsLzWpF9Fiou154vFmBtZmKNHtjvNv+8WA9b5ndEt&rVj4Z=8pDDGD
http://www.tijprintersolution.com/utrf/?Mfd=L2svVb92Me7XPiVF7aaorHdCyxGEk9sqT+LYZOj9a4pmUmwib36vvLRubxA8uAZ/BnXkUSVN&rVj4Z=8pDDGD - rule_id: 4706
http://www.astoriahotelbarcelona.com/utrf/?Mfd=/lvtB4BzNB+XSoc6maQY1pAmtDeeU5aaQ3ZY2TWN2TbQpQK9MzOytDPVTjOJ5T+hHcAWeXpA&rVj4Z=8pDDGD
http://www.spyrodinero.com/utrf/?Mfd=KQbHNIk3IOJpZvsSnT4OJ/X4/hEQqeZz8HC9HeygUUs08q8KumgzMZqNo+5TDnVW3UvDLF98&rVj4Z=8pDDGD - rule_id: 4707
http://www.fouralarmtechnology.com/utrf/?Mfd=aYwwqrlB15XqomXBiKKKrsegDxHiZBo0iQoRomjSnJfsLuFqj/vzEqUBUmKicJvkhKlZCqBV&rVj4Z=8pDDGD
http://www.beerstars.club/utrf/?Mfd=h1yjKFJ6FSP2Kh1jUAIvko6y6HNcV42PvaaxpdnymUUjCSM4Nx5Ku1RzDekWBf9g27Re0JFu&rVj4Z=8pDDGD
|
20
www.godspeedcheckout.com(162.241.61.219)
www.merchwatcher.com(34.98.99.30)
www.tvactivations.online()
www.spyrodinero.com(208.91.197.46) - mailcious
www.tijprintersolution.com(104.42.16.175) - mailcious
www.beerstars.club(63.250.43.5)
www.astoriahotelbarcelona.com(91.210.235.214)
www.fouralarmtechnology.com(34.102.136.180)
www.gol-investissement.com() - mailcious
www.nongnongqingyi.com()
www.alissapagelsminor.com(198.49.23.144)
104.42.16.175 - mailcious
208.91.197.46 - mailcious
198.49.23.145 - mailcious
91.210.235.214
34.102.136.180 - mailcious
63.250.43.6
162.241.61.219
34.98.99.30 - phishing
104.21.19.200
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.tijprintersolution.com/utrf/
http://www.spyrodinero.com/utrf/
|
8.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42009 |
2021-09-01 09:47
|
 kelvinzx.exe bb1daddaf3592e05e82b0ab73e7ecd11
PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
2
www.nongnongqingyi.com()
www.minuit-trois.com()
|
|
|
7.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42010 |
2021-09-01 09:47
|
 pattern.exe dcef208fcdac3345c6899a478d16980f
Emotet NPKI Gen2 Gen1 Formbook Generic Malware Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library Anti_VM ASPack PE File PE32 MSOffice File JPEG Format OS Processor Check DLL PNG Format Emotet VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Checks debugger WMI Creates executable files ICMP traffic unpack itself Windows utilities suspicious process WriteConsoleW shadowcopy delete Turn off Windows Error Recovery notification window IP Check Tofsee Ransomware Windows ComputerName crashed |
4
http://iplogger.org/1L3ig7.gz
http://geoiptool.com/
https://iplogger.org/1L3ig7.gz
https://www.geodatatool.com/
|
5
www.geodatatool.com(158.69.65.151)
geoiptool.com(158.69.65.151)
iplogger.org(88.99.66.31) - mailcious
88.99.66.31 - mailcious
158.69.65.151
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Geo Location IP info online service (geoiptool.com)
|
|
14.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42011 |
2021-09-01 09:46
|
 DOGGY.exe acbc7c1dedc73fdd72ccbaaca2318430
RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName Cryptographic key crashed |
2
http://google.com/
http://www.google.com/
|
4
google.com(216.58.220.142)
www.google.com(172.217.25.228)
172.217.161.142
172.217.25.228 - suspicious
|
|
|
10.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42012 |
2021-09-01 09:43
|
 rozezx.exe d9167b13f4f747f5e9b18a6688a7064e
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
6
mail.simgeasansor.com.tr(185.15.196.172)
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.70)
216.146.43.70 - suspicious
185.15.196.172
104.21.19.200
|
5
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SURICATA Applayer Detect protocol only one direction
|
|
13.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42013 |
2021-09-01 09:41
|
 binbobbyzx.exe 63b4bbbb2c1b18487c673abcfcff9fff
PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
3
http://www.maedazouen-osaka.com/g0ib/?Mvdl=Y0KAwGFF7aeiUaXqGXtzE1r6FISNPFrGB685Z2xEnT7rwx7wj+Z0quRc/4NDShlxc6aW+ibn&QPXl7=GdPL
http://www.stickyflasks.com/g0ib/?Mvdl=ZWuaS7WofFbkvxyzet/9Sha7YIdf1NUVm0nCdNVXeFpr4IHHq2QjGgDhYkF3CGr6lmNA7Cmu&QPXl7=GdPL
http://www.lifeofaroma.com/g0ib/?Mvdl=eGvHNFMMHGiXXF9RTNFfS4KI7T0Hg4PlR5l/Ac1Au3uAREYhIrjqRt2sRRHGWT6dq8ueFK+P&QPXl7=GdPL
|
6
www.stickyflasks.com(66.96.162.147)
www.lifeofaroma.com(157.7.107.216)
www.maedazouen-osaka.com(150.95.255.38)
157.7.107.216
150.95.255.38 - mailcious
66.96.162.147
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42014 |
2021-09-01 09:39
|
 vbc.exe 87c51ca97825602b25752753161f6ab4
RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
2
http://www.powerlinkme.com/imi7/
http://www.powerlinkme.com/imi7/?0T0lqH=M//sfA69f+etYomJd9U2YdUVkVopbLoRE9mfqGVotdj8O3ZNk+jc/j3Mry8rPUpRzBLqbT1f&OXolp=AZ3x_83h40wLUZM0
|
5
www.tuiseyingxiang.com(47.91.170.222)
www.powerlinkme.com(23.80.211.101)
www.okulekitaplari.com()
23.80.211.101
47.91.170.222 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42015 |
2021-09-01 09:39
|
 system32.exe a5c58ba5c48f9cb8ab45cd5847a8cb08
RAT PWS .NET framework Generic Malware HTTP Internet API Http API Downloader AntiDebug AntiVM PE File .NET EXE PE32 GIF Format VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows Browser Cryptographic key crashed |
2
http://iplogger.org/1WsDi7
https://iplogger.org/1WsDi7
|
4
bitbucket.org(104.192.141.1) - malware
iplogger.org(88.99.66.31) - mailcious
88.99.66.31 - mailcious
104.192.141.1 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
11.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|