42121 |
2021-08-28 02:59
|
bear.jpg.exe 1d9dcacc61aaacca64e3776e9bb06e94 Generic Malware UPX Antivirus PE File PE32 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
paste.ee(104.26.5.223) - mailcious 104.26.5.223 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
55 |
guest
42122 |
2021-08-27 17:35
|
.svchost.exe 2644b63346379dd60b63309ff086eeef Generic Malware UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself RCE |
|
|
|
|
2.0 |
M |
30 |
r0d
42123 |
2021-08-27 16:10
|
Hidden.exe a49b49fc0253c0dbbbd17e42bfbe9df6 RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces IP Check installed browsers check Windows Browser ComputerName DNS DDNS crashed |
1
|
4
ipinfo.io(34.117.59.81) chromeclusterspectr.ddns.net(179.43.187.164) 179.43.187.164 - malware 34.117.59.81
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net ET POLICY Possible External IP Lookup ipinfo.io
|
|
11.8 |
M |
28 |
ZeroCERT
42124 |
2021-08-27 16:08
|
vbc.exe 47fa27443cb1abe987ca9f653754b6d0 Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS |
17
|
21
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DNS Query for Suspicious .icu Domain ET MALWARE FormBook CnC Checkin (GET)
|
|
13.4 |
M |
39 |
ZeroCERT
42125 |
2021-08-27 16:07
|
Async.exe cfd0d3019414ab97ca0501e683121468 RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS DDNS |
|
2
chromeclusterspectr.ddns.net(179.43.187.164) 179.43.187.164 - malware
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
|
|
5.2 |
M |
45 |
ZeroCERT
42126 |
2021-08-27 16:03
|
XssVEsUTA4UMkp4.exe 4adabacc6bf40958b67967c7af0e3491 RAT PWS .NET framework Generic Malware PSW Bot LokiBot ZeusBot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware IoC AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key |
3
http://qjqpqiamh.eternalhost.info//loader.txt http://qjqpqiamh.eternalhost.info//cisCheckerstroke.php http://qjqpqiamh.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av=
|
3
qjqpqiamh.eternalhost.info(194.61.0.8) 92.119.113.140 - malware 194.61.0.8 - malware
|
2
ET MALWARE Generic gate[.].php GET with minimal headers ET HUNTING Suspicious GET To gate.php with no Referer
|
|
14.8 |
M |
19 |
ZeroCERT
42127 |
2021-08-27 16:01
|
Ne82jq7vKJ7NcDn.exe 7852a7b27bdb9d5120ca3fa917d7f9ca RAT PWS .NET framework Generic Malware PSW Bot LokiBot ZeusBot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key |
3
https://sh1729062.b.had.su//loader.txt https://sh1729062.b.had.su//cisCheckerstroke.php https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av=
|
2
sh1729062.b.had.su(92.119.113.140) 92.119.113.140 - malware
|
2
ET DNS Query for .su TLD (Soviet Union) Often Malware Related SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.8 |
M |
27 |
ZeroCERT
42128 |
2021-08-27 15:58
|
vbc.exe 7c1876b8b71c72e8e9fb2fd494020c67 Generic Malware UPX PE File PE32 VirusTotal Malware Check memory Checks debugger ICMP traffic unpack itself Tofsee |
|
2
a.uguu.se(144.76.201.136) - malware 144.76.201.136 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.4 |
M |
39 |
ZeroCERT
42129 |
2021-08-27 15:57
|
odinakazx.exe 8e6f8cd375efaba9d88c2930af3dc10e RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
10
|
22
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
M |
35 |
ZeroCERT
42130 |
2021-08-27 15:57
|
.svchost.exe 2644b63346379dd60b63309ff086eeef UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself RCE |
|
|
|
|
2.0 |
M |
30 |
ZeroCERT
42131 |
2021-08-27 15:54
|
nputty.exe 1b726484bea3d11852e96ef2494cce24 Generic Malware Malicious Packer PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself human activity check Windows ComputerName DNS DDNS |
|
4
dertrefg.duckdns.org(37.0.10.40) hhjhtggfr.duckdns.org(192.169.69.26) - mailcious 192.169.69.26 - phishing 37.0.10.40
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
9.0 |
M |
53 |
ZeroCERT
42132 |
2021-08-27 15:53
|
0fd9ce44914b3beda3c86ba2163945... 6d3d857dce2ce88c250574619f6a2f0a Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS |
|
1
|
|
|
2.8 |
M |
41 |
ZeroCERT
42133 |
2021-08-27 15:52
|
DC.exe eb847438f988c2a2d52bcf0f0b439980 RAT PWS .NET framework Generic Malware Antivirus Malicious Packer Malicious Library PE File OS Processor Check .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS |
|
1
|
|
|
3.6 |
M |
43 |
ZeroCERT
42134 |
2021-08-27 15:51
|
mixer.exe 63b84dcd1b3804bcb9daeca03e14bfc6 Generic Malware Themida Packer PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed |
1
|
4
api.ip.sb(172.67.75.172) 135.181.134.27 - mailcious 104.26.13.31 179.43.141.103
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
21 |
ZeroCERT
42135 |
2021-08-27 15:50
|
NvidiaShare1.exe 814f22a67e6d2046f532f973f197c649 RAT PWS .NET framework Generic Malware DGA DNS Socket Create Service SMTP Sniff Audio Escalate priviledges KeyLogger Code injection Internet API ScreenShot Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself malicious URLs Tofsee BitRAT Windows ComputerName DNS Cryptographic key crashed keylogger |
1
https://cdn.discordapp.com/attachments/875152353035157555/880421379307089940/Chrome.exe
|
5
cdn.discordapp.com(162.159.135.233) - malware 104.18.6.156 162.159.134.233 - malware 179.43.141.103 208.95.112.1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)
|
|
13.0 |
M |
20 |
ZeroCERT