| 42016 |
2021-09-01 09:39
|
 vbc.exe 87c51ca97825602b25752753161f6ab4
RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
2
http://www.powerlinkme.com/imi7/
http://www.powerlinkme.com/imi7/?0T0lqH=M//sfA69f+etYomJd9U2YdUVkVopbLoRE9mfqGVotdj8O3ZNk+jc/j3Mry8rPUpRzBLqbT1f&OXolp=AZ3x_83h40wLUZM0
|
5
www.tuiseyingxiang.com(47.91.170.222)
www.powerlinkme.com(23.80.211.101)
www.okulekitaplari.com()
23.80.211.101
47.91.170.222 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42017 |
2021-09-01 09:39
|
 system32.exe a5c58ba5c48f9cb8ab45cd5847a8cb08
RAT PWS .NET framework Generic Malware HTTP Internet API Http API Downloader AntiDebug AntiVM PE File .NET EXE PE32 GIF Format VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows Browser Cryptographic key crashed |
2
http://iplogger.org/1WsDi7
https://iplogger.org/1WsDi7
|
4
bitbucket.org(104.192.141.1) - malware
iplogger.org(88.99.66.31) - mailcious
88.99.66.31 - mailcious
104.192.141.1 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
11.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42018 |
2021-09-01 09:37
|
 Glary_Utilities.exe 61ed372e749496ecbb31e17bc90a0422
Raccoon Stealer Gen1 BitCoin Generic Malware WinRAR Malicious Library UPX ASPack AntiDebug AntiVM PE File OS Processor Check PE32 DLL VirusTotal Malware Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Check virtual network interfaces AppData folder Windows RCE Cryptographic key crashed |
1
http://dns16-microsoft-health.com:4762/
|
2
dns16-microsoft-health.com(45.137.152.34) - mailcious
45.137.152.34
|
|
|
9.8 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42019 |
2021-09-01 09:36
|
 vbc.exe 3b0b40fc6119f8ac909a86a6522e8e4a
Generic Malware AutoIt UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee |
1
https://pomf.lain.la/f/khbytn1s
|
2
pomf.lain.la(107.191.99.49) - mailcious
198.244.149.184
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42020 |
2021-09-01 09:34
|
 foxmail.exe a2f0a07f9490f1f79e845525246e6250
PWS .NET framework email stealer Generic Malware DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
11.8 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42021 |
2021-09-01 09:34
|
 win101.exe 801affd34ae1974fd0965e7c1128eb96
Generic Malware Admin Tool (Sysinternals etc ...) ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
http://www.meridianopolitico.com/d6b4/?OXolp=Mk+xgxxMFq35RtCV/s1lAC9Od9t6BRTzkK3YJigL61KDkS5U9vEs0v6vAvJo+stnW/rREfuU&Txo=O0DPaBdh7tsX0d
|
3
www.patlichen.com()
www.meridianopolitico.com(50.117.40.106)
50.117.40.106
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42022 |
2021-09-01 09:26
|
 D1ztFQ.exe 2403d45817a791f882e157fa75bf2d5c
RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
8.4 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42023 |
2021-09-01 09:24
|
 vbc.exe 79ddde2396171f22269c3be17e82c76b
AutoIt UPX PE File PE32 Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42024 |
2021-09-01 09:24
|
 vbc.exe 29cf935bafff5bf4047f666dd4bc69e2
Schwerer AutoIt UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42025 |
2021-09-01 07:43
|
 win767.exe be748577200ac649a36bf877a9e95f12
Schwerer AutoIt UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee |
1
https://pomf.lain.la/f/kt1nmuh
|
2
pomf.lain.la(167.114.3.98)
107.191.99.49
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.4 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42026 |
2021-09-01 07:41
|
 p.wbk 9d2cc34c3b6319a79a8c32881c8759ec
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed |
1
http://192.3.122.133/Pman/win767.exe
|
3
pomf.lain.la(198.244.149.184)
167.114.3.98
192.3.122.133 - mailcious
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42027 |
2021-09-01 07:39
|
 vbc.exe 94db0490bbaf3752ea87c1785513dccb
Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42028 |
2021-09-01 07:36
|
 invoice.wbk 75410d9d9ab02c713cd6dc1c59da787c
RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
2
http://checkvim.com/fd11/fre.php
http://103.140.251.93/axis/vbc.exe
|
3
checkvim.com(185.251.88.222)
103.140.251.93
185.251.88.222
|
14
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Fake 404 Response
|
|
5.6 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42029 |
2021-08-31 17:40
|
 nwannezx.exe 4cb380f10d27e9b5ba3c8cc7b121cfc9
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(158.101.44.242)
193.122.130.0
104.21.19.200
|
3
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
|
|
12.0 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42030 |
2021-08-31 17:38
|
 tpzx.exe 3a0c4ac73fba3367b8876d4019dc4ddc
PWS .NET framework Generic Malware ScreenShot Http API Steal credential AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows DNS Cryptographic key |
1
https://telete.in/timkamrstones - rule_id: 4546
|
3
telete.in(195.201.225.248) - mailcious
107.180.56.180 - malware
195.201.225.248 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://telete.in/timkamrstones
|
8.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|