42166 | 2021-08-26 08:45
loader2.exe | fbae05d8fbfbb56b2a96afabfcaab501 | UPX, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Tofsee
URLs (1): https://a.uguu.se/VcDkZic
Hosts (2): a.uguu.se(144.76.201.136) - malware; 144.76.201.136 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
2.2 | | 15 | ZeroCERT

42167 | 2021-08-26 08:44
ppp.exe | 570a3dc73ebd68dab57a9e3212cb0641 | RAT, PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, Cryptographic key, crashed
URLs (1):
Hosts (2): www.google.com(172.217.27.68); 172.217.163.228
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.8 | M | 32 | ZeroCERT

42168 | 2021-08-26 08:42
dock.exe | ba5199b37d013a27f8b20ae1d19545ab | RAT, Generic Malware, PE File, .NET EXE, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, ComputerName
1.8 | M | 27 | ZeroCERT

42169 | 2021-08-26 08:41
heloo.exe | a803d6ca253630ad1c7d2d23623ce731 | RAT, PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (1):
Hosts (3): www.google.com(172.217.27.68); 216.58.220.132; 13.107.21.200
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.6 | M | 27 | ZeroCERT

42170 | 2021-08-26 08:38
vbc.exe | c1e872d6aea9f4c23401047114261837 | RAT, Generic Malware, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, Cryptographic key, crashed
URLs (1): https://pastebin.pl/view/raw/ae498e11
Hosts (2): pastebin.pl(168.119.93.163) - malicious; 168.119.93.163 - malicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | | 29 | ZeroCERT

42171 | 2021-08-26 08:37
bill.exe | 27ee757d743631d49dcb3c6d7c90dfbe | Admin Tool (Sysinternals etc ...), Malicious Library, PE File, PE32, Emotet, VirusTotal, Malware, Buffer PE, Code Injection, buffers extracted, RWX flags setting, unpack itself, Tofsee
URLs (3):
Hosts (4): nt6sqq.sn.files.1drv.com(13.107.42.12); onedrive.live.com(13.107.42.13) - malicious; 13.107.42.13 - malicious; 13.107.42.12 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.6 | | 18 | ZeroCERT

42172 | 2021-08-26 08:35
Raz.exe | c518288f75b3d5ee671193c32f88be3c | RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, ComputerName, DNS
URLs (11):
Hosts (23):
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
12.0 | | 16 | ZeroCERT

42173 | 2021-08-26 08:33
vbc.exe | 7a2484277599f27801079f9bbda665c1 | PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, installed browsers check, Browser, Email, ComputerName, DNS, Software, crashed
URLs (1): http://65.21.223.84/~t/i.html/m9vo3uzZGXz0z - rule_id: 4356
Hosts (2): 51.89.96.41; 65.21.223.84 - malicious
Alerts (5): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
Other URLs (1): http://65.21.223.84/~t/i.html
8.6 | M | 40 | ZeroCERT

42174 | 2021-08-26 08:31
vbc.exe | 61d4b8cc54596921d5cbed6d4209377f | Generic Malware, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software, crashed
URLs (1): http://65.21.223.84/~t/i.html/m9vo3uzZGXz0z - rule_id: 4356
Hosts (1):
Alerts (5): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2
Other URLs (1): http://65.21.223.84/~t/i.html
9.0 | M | 46 | ZeroCERT

42175 | 2021-08-26 08:30
ZXCXZCsssssssssssASDFasdfEWSDF... | ca8ed36764b826bde1321643b68f439f | RAT, Generic Malware, DNS, Socket, Create Service, BitCoin, Escalate privileges, KeyLogger, Code injection, ScreenShot, AntiDebug, AntiVM, PE File, .NET EXE, PE32, PE64, VirusTotal, Malware, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, Firmware
Hosts (2): xmr.2miners.com(51.89.96.41); 51.89.96.41
12.0 | | 34 | ZeroCERT

42176 | 2021-08-26 08:29
svchost.exe | 483289c26f2b9e864a886572aea47f0c | RAT, Generic Malware, Malicious Library, PE File, OS Processor Check, .NET EXE, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
2.0 | | 49 | ZeroCERT

42177 | 2021-08-26 05:53
http://equusrunvineyards.com/I... | 2d7eff43e6fe7e7b4985625183560f69 | DGA, DNS, Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP, Hijack Network, Internet API, FTP, ScreenShot, Http API, Steal credential, Downloader, P2P, persistence, AntiDebug, AntiVM, PNG Format, MSOffice File, JPEG Format, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
URLs (1): http://equusrunvineyards.com/Img/HBN.exe
Hosts (2): equusrunvineyards.com(184.154.130.114); 184.154.130.114 - phishing
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; ET INFO TLS Handshake Failure
4.6 | | 50 | guest

42178 | 2021-08-25 23:00
vbc.bin | 24c4788a737cda143d0edac9c711994d | UPX, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Tofsee
URLs (1): https://a.uguu.se/PBjmKcXj
Hosts (2): a.uguu.se(144.76.201.136) - malware; 144.76.201.136 - malware
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 | | 17 | guest

42179 | 2021-08-25 11:08
mmserv32.exe | e0ef479792b1fbbea0b7504a910e186d | RAT, Generic Malware, Antivirus, Malicious Packer, PE File, PE64, VirusTotal, Malware, powershell, AutoRuns, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
7.0 | | 21 | ZeroCERT

42180 | 2021-08-25 10:50
0824_5462188871.doc | 5c30204489626cb763f29c04e82f9e74 | Generic Malware, VBA_macro, MSOffice File, unpack itself
1.6 | | | guest