Sandbox analysis listing, 2021-08-25 (records 42181-42195). The export carried no header row, so the field labels below are inferred from the record structure: record ID and submission time; file name, MD5 and behaviour tags; contacted URLs (count, list); contacted hosts (count; name(resolved IP), bare IPs, and the feed's own label such as "malicious" or "phishing"); IDS signatures (count, list); rule-matched URLs (count, list); analysis score; verdict flag (M); a detection count, most likely the VirusTotal positives behind the "VirusTotal" tag; submitting account.

42181 | 2021-08-25 10:50 | submitted by guest
  File:      0824_2382378251.doc
  MD5:       7a8e664b6f6c528baeb7535fd67e266d
  Tags:      Generic Malware, VBA_macro, MSOffice File, GIF Format, Malware, Malicious Traffic, buffers extracted, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, Check virtual network interfaces, IP Check, ComputerName
  URLs (1):  (not listed)
  Hosts (4): thookedaurce.com(185.230.91.127) - malicious; api.ipify.org(23.23.109.56); 54.235.91.189; 185.230.91.127 - malicious
  IDS (1):   ET POLICY External IP Lookup api.ipify.org
  Matched URLs: -
  Score: 7.2   Flag: M   Detections: -

42182 | 2021-08-25 10:23 | submitted by ZeroCERT
  File:      safman_setup.exe
  MD5:       72bbac2c87dff558073e6306f1552a39
  Tags:      RAT, Gen1, Malicious Library, UPX, PE File, PE32, OS Processor Check, PE64, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check
  URLs:      -
  Hosts:     -
  IDS:       -
  Matched URLs: -
  Score: 2.8   Flag: -   Detections: 13

42183 | 2021-08-25 10:20 | submitted by ZeroCERT
  File:      BIN.exe
  MD5:       5d4344f2c377b22297ddeb0c98fa3e4b
  Tags:      RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Anti_VM, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
  URLs (8):
    http://www.lifestylebykendra.com/n8ba/?nJ=fB7/mPW/ruvPmtL6yqh18GEo+pmrDDvkC2/sjgfP5cDoKdtRPCAp8bKliJ6x32STw1Q/kqMf&FX=5jUhfzdH4nzh1Hy
    http://www.effthisshit.com/n8ba/?nJ=wvsH14ZSz0siwCJ0WZ7f577/2+XlynZuqKUxNHapwnMaKOPmHki2oQq42X6xgcg0wJFGMxWg&FX=5jUhfzdH4nzh1Hy
    http://www.teamtacozzzz.com/n8ba/?nJ=uqosld0zfpGxpF7GdKEGpsNAFVDy7sF9OlzkJIZYKKMkxYJdqG4dKl671u+Sw1rnVpvrEbSg&FX=5jUhfzdH4nzh1Hy
    http://www.realestatetriggers.com/n8ba/?nJ=n8TD7XnX89zuSbP58nBeh3tzZAQgQeWKsc2+IkWBltSEviQ+PLSZjVJvy6KT3dkrgmsNkIj4&FX=5jUhfzdH4nzh1Hy
    http://www.luvlauricephotography.com/n8ba/?nJ=aWNKG/taKBNfCTuu4Vj0SXUYkQfuxKmtF2ZiRSbsdtsSpEbKckOota+0q4X8rvKC1g36gkpu&FX=5jUhfzdH4nzh1Hy
    http://www.wata-6-rwem.net/n8ba/?nJ=3L5ihXTb1ZAIiZeQQ1ofy4E3vvyAqMsnNRcELDg21zBW0aHgJVTBKs4AxgBVBpUYHrcqdaDW&FX=5jUhfzdH4nzh1Hy
    http://www.narrowpathwc.com/n8ba/?nJ=RqoVB/kTevwYNrpQ68VGCKAD0SwVXhGBA25gncTDeHVSc/TtzgJJgXlZbrh2RaVrYM4D7bqC&FX=5jUhfzdH4nzh1Hy - rule_id: 4154
    http://www.wowmovies.today/n8ba/?nJ=aMSSVD0nNfZbrhMjVgmTME26uPdJofKdhkPkwitatQPtKeCql0jRJLGvKH9x7dpkGf+IfgZ0&FX=5jUhfzdH4nzh1Hy
  Hosts (18): www.shopliyonamaaghin.net() - malicious; www.teamtacozzzz.com(34.102.136.180); www.luvlauricephotography.com(208.91.197.13); www.aprendelspr.com() - malicious; www.nycabl.com(); www.realestatetriggers.com(34.98.99.30); www.effthisshit.com(184.168.131.241); www.lifestylebykendra.com(34.102.136.180); www.wowmovies.today(99.83.154.118); www.wata-6-rwem.net(163.43.122.116); www.narrowpathwc.com(182.50.132.242); 163.43.122.116; 208.91.197.13 - malicious; 184.168.131.241 - malicious; 34.102.136.180 - malicious; 99.83.154.118 - malicious; 182.50.132.242 - malicious; 34.98.99.30 - phishing
  IDS (1):   ET MALWARE FormBook CnC Checkin (GET)
  Matched URLs (1): http://www.narrowpathwc.com/n8ba/
  Score: 10.6   Flag: M   Detections: 39

42184 | 2021-08-25 10:18 | submitted by ZeroCERT
  File:      lv.exe
  MD5:       fdb87cedd4a67744dbd55009c66d010c
  Tags:      Emotet, Gen1, NPKI, Gen2, Generic Malware, Malicious Library, UPX, Malicious Packer, DGA, DNS, Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP, Hijack Network, Internet API, FTP, ScreenShot, Http API, Steal credential, Downloader, P2P, p, VirusTotal, Malware, AutoRuns, Code Injection, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Windows
  URLs:      -
  Hosts (1): ujzYUCxeWirjpFYgcWLYZFegxKw.ujzYUCxeWirjpFYgcWLYZFegxKw() (no resolution recorded)
  IDS:       -
  Matched URLs: -
  Score: 6.4   Flag: M   Detections: 33

42185 | 2021-08-25 10:15 | submitted by ZeroCERT
  File:      6cd26f8134bcddd31b61ed0a7.exe
  MD5:       addf66c224aff122d02e27adb6f5830b
  Tags:      Malicious Library, PE File, PE32, VirusTotal, Malware, PDB, unpack itself, RCE
  URLs:      -
  Hosts:     -
  IDS:       -
  Matched URLs: -
  Score: 2.2   Flag: M   Detections: 36

42186 | 2021-08-25 10:13 | submitted by ZeroCERT
  File:      1.jpg
  MD5:       ce84ceaeaf1cc750e79d1ce57c439639
  Tags:      VirusTotal, Malware
  URLs:      -
  Hosts:     -
  IDS:       -
  Matched URLs: -
  Score: 0.4   Flag: -   Detections: 4

42187 | 2021-08-25 10:13 | submitted by ZeroCERT
  File:      2.jpg
  MD5:       f02159415aeb4025c8a7c5ca93d7cb8e
  Tags:      VirusTotal, Malware
  URLs:      -
  Hosts:     -
  IDS:       -
  Matched URLs: -
  Score: 0.4   Flag: -   Detections: 4

42188 | 2021-08-25 10:11 | submitted by ZeroCERT
  File:      4.jpg
  MD5:       a47b5b874c854d84c5b7da81a06ae211
  Tags:      Antivirus, VirusTotal, Malware, DNS
  URLs:      -
  Hosts (1): (not listed)
  IDS (1):   ET DROP Spamhaus DROP Listed Traffic Inbound group 19
  Matched URLs: -
  Score: 1.2   Flag: -   Detections: 11

42189 | 2021-08-25 10:11 | submitted by ZeroCERT
  File:      file.exe
  MD5:       03903dd6bc470a44ed1cb27e4e965854
  Tags:      Malicious Library, PE File, PE32, VirusTotal, Malware, PDB, unpack itself, RCE
  URLs:      -
  Hosts:     -
  IDS:       -
  Matched URLs: -
  Score: 2.0   Flag: M   Detections: 27

42190 | 2021-08-25 10:09 | submitted by ZeroCERT
  File:      vbc.exe
  MD5:       d48fbec5c6a2edf4893023951dd6c021
  Tags:      RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Antivirus, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, Malware, powershell, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, ICMP traffic, unpack itself, powershell.exe wrote, suspicious process, Windows, ComputerName, Cryptographic key
  URLs (6):
    http://www.toniconnerskincare.com/ars4/?nflpdH=U5uSb6Wf/Orn2X36u30TAzTep9EEJbmgsA6FRh+xAmndl5C3XazwDI7hszE8DY3b5UFzxdNE&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.loansuvidahcendar.com/ars4/?nflpdH=QuvpKXmZGmCeUfgrsNY6MFwHNWt7PO5iErW0bGwBVlopLLZak+nU6B2Rv20ubhmpLvP5+9M2&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.prizevipforu.xyz/ars4/?nflpdH=sJo4DuSkVFkPhc0NXJdkJpigcFowV9+JtreJGGn9pXw3N8sclVWzfzFD8Yz5Lt6ouVf7NNlw&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.weelinked.com/ars4/?nflpdH=GTHaRcvuJVgH66YOjWxoyyOxpJQa/jbcd5dHHBj46gOXgvOgqPFlJs86IfdHkbMHPgCJdJBa&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.dhruvdhing.com/ars4/?nflpdH=3TTuzfoOGQ/ZUvJaXTHhqJnJRIjtMiOjlRvtsN7fHayofq2cQFGemuK9JCeegPBM6chVGc49&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.126020cp.com/ars4/?nflpdH=j0S2aw9Lyphb4Lf5G7ZbWu2J7qE5Z+C257pLquSeqd5Bv4YKvkozLvCFLxqtCxDBQLbdbruT&v2Jx4=3f-PJvLh7TaL-4D0
  Hosts (17): www.jetboard.center(); www.126020cp.com(154.90.33.98); www.weelinked.com(2.57.90.16); www.smileyon.com(); www.toniconnerskincare.com(182.50.132.242); www.loansuvidahcendar.com(199.59.242.153); www.320915.com(); www.prizevipforu.xyz(3.37.137.87); www.limagedesigns.com(); www.dhruvdhing.com(198.24.151.139); www.bigboreenterprises.com(); 2.57.90.16 - malicious; 199.59.242.153 - malicious; 182.50.132.242 - malicious; 198.24.151.139; 154.90.33.98; 15.164.147.227
  IDS (2):   ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
  Matched URLs: -
  Score: 11.4   Flag: -   Detections: -

42191 | 2021-08-25 10:09 | submitted by ZeroCERT
  File:      lv.exe
  MD5:       f1b4d4902447ce5caab448a1ceea1279
  Tags:      Gen1, Gen2, Themida Packer, Generic Malware, Malicious Library, Malicious Packer, PE File, PE32, GIF Format, DLL, OS Processor Check, VirusTotal, Malware, AutoRuns, Code Injection, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Checks Bios, Detects VMWare, AppData folder, AntiVM_Disk, VMware anti-virtualization, VM Disk Size Check, human activity check, Windows, ComputerName, Firmware, crashed
  URLs:      -
  Hosts (1): (not listed)
  IDS:       -
  Matched URLs: -
  Score: 9.4   Flag: M   Detections: 32

42192 | 2021-08-25 10:01 | submitted by r0d
  File:      vbc.exe
  MD5:       5ba5c0d5ca760b500600849aad55ffec
  Tags:      Generic Malware, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, installed browsers check, Browser, Email, ComputerName, DNS, Software, crashed
  URLs (1):  http://65.21.223.84/~t/i.html/mbg7yLEpVUXfM - rule_id: 4356
  Hosts (1): (not listed)
  IDS (5):   ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
  Matched URLs (1): http://65.21.223.84/~t/i.html
  Score: 8.2   Flag: M   Detections: 26

42193 | 2021-08-25 09:58 | submitted by r0d
  File:      can.exe
  MD5:       941ffbcc54a5826dde6e2d35f2fc761d
  Tags:      Generic Malware, PE File, PE32, VirusTotal, Malware, WMI, RWX flags setting, unpack itself, ComputerName, crashed
  URLs:      -
  Hosts:     -
  IDS:       -
  Matched URLs: -
  Score: 3.2   Flag: M   Detections: 19

42194 | 2021-08-25 09:23 | submitted by ZeroCERT
  File:      arasholit.exe
  MD5:       353ad3cb7e6b9237e7e7bb96e2b0e5a4
  Tags:      RAT, PWS, .NET framework, Generic Malware, PE File, OS Processor Check, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
  URLs (1):  (not listed)
  Hosts (3): api.ip.sb(172.67.75.172); 104.26.13.31; 51.254.69.209
  IDS (1):   SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Matched URLs: -
  Score: 7.8   Flag: M   Detections: 33

42195 | 2021-08-25 09:23 | submitted by ZeroCERT
  File:      1.exe
  MD5:       8ed30c6c10b4ce0567bd443935666e7b
  Tags:      RAT, PWS, .NET framework, Generic Malware, PE File, OS Processor Check, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
  URLs (1):  (not listed)
  Hosts (3): api.ip.sb(172.67.75.172); 138.124.186.42; 104.26.13.31
  IDS (1):   SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Matched URLs: -
  Score: 7.8   Flag: M   Detections: 33
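
The FormBook records (42183, 42190) and the LokiBot record (42192) carry their network indicators as raw URL and host fields in the same "name(ip) - label" shape as every other row. The following Python script is an added example, not the sandbox's own code and not from any of the submitters: it takes a few rows copied from those three records, parses the host field, strips the listing's "rule_id" annotation from URLs, deduplicates the indicators into a defanged IOC set, and flags the FormBook-style check-in URLs with a shape heuristic derived only from the URLs visible on this page (four-character directory, one long base64-like parameter, one short second parameter). The row dictionaries, the field names and the regular expression are assumptions made for the example; the heuristic is not an official signature.

```python
"""Extract IOCs from sandbox listing rows like the ones in this table.

Added example, not the sandbox's own code.  Row layout, field names and the
FormBook URL heuristic are assumptions; the sample rows are copied (trimmed)
from records 42183, 42190 and 42192 of this listing.
"""
import ipaddress
import re

# Constructed sample: URL/host fields copied from the page's records.
SAMPLE_ROWS = [
    {"id": 42183, "md5": "5d4344f2c377b22297ddeb0c98fa3e4b",
     "urls": [
         "http://www.narrowpathwc.com/n8ba/?nJ=RqoVB/kTevwYNrpQ68VGCKAD0SwVXhGBA25gncTDeHVSc/TtzgJJgXlZbrh2RaVrYM4D7bqC&FX=5jUhfzdH4nzh1Hy - rule_id: 4154",
         "http://www.wowmovies.today/n8ba/?nJ=aMSSVD0nNfZbrhMjVgmTME26uPdJofKdhkPkwitatQPtKeCql0jRJLGvKH9x7dpkGf+IfgZ0&FX=5jUhfzdH4nzh1Hy",
     ],
     "hosts": "www.narrowpathwc.com(182.50.132.242) www.nycabl.com() "
              "182.50.132.242 - malicious 34.98.99.30 - phishing"},
    {"id": 42190, "md5": "d48fbec5c6a2edf4893023951dd6c021",
     "urls": ["http://www.prizevipforu.xyz/ars4/?nflpdH=sJo4DuSkVFkPhc0NXJdkJpigcFowV9+JtreJGGn9pXw3N8sclVWzfzFD8Yz5Lt6ouVf7NNlw&v2Jx4=3f-PJvLh7TaL-4D0"],
     "hosts": "www.prizevipforu.xyz(3.37.137.87) 182.50.132.242 - malicious"},
    {"id": 42192, "md5": "5ba5c0d5ca760b500600849aad55ffec",
     "urls": ["http://65.21.223.84/~t/i.html/mbg7yLEpVUXfM - rule_id: 4356"],
     "hosts": ""},
]

# Shape of the FormBook check-in URLs seen on this page: four-character
# directory, long base64-like first parameter, short second parameter.
# Assumed heuristic derived from the listed URLs, not an official signature.
FORMBOOK_URL_RE = re.compile(
    r"^https?://[^/]+/[a-z0-9]{4}/\?"
    r"[A-Za-z0-9]{2,8}=[A-Za-z0-9+/]{40,}"
    r"&[A-Za-z0-9]{2,8}=[A-Za-z0-9-]{8,24}$"
)
HOST_RE = re.compile(r"^([^()\s]+)\(([^()]*)\)$")   # name(ip) or name()


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hosts(field):
    """'name(ip) ip - label ...' -> [(name_or_ip, resolved_ip_or_None, label_or_None)]."""
    entries, toks, i = [], field.split(), 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-" and entries and i + 1 < len(toks):
            name, ip, _ = entries[-1]          # the label belongs to the previous entry
            entries[-1] = (name, ip, toks[i + 1])
            i += 2
            continue
        m = HOST_RE.match(tok)
        if m:
            entries.append((m.group(1), m.group(2) or None, None))
        else:
            entries.append((tok, None, None))   # bare IP or unresolved name
        i += 1
    return entries


def clean_url(raw):
    """Drop the ' - rule_id: N' annotation the listing appends to matched URLs."""
    return raw.split(" - rule_id:")[0].strip()


def extract_iocs(rows):
    """Deduplicated IOC sets per type, plus the listing's own label per host."""
    iocs = {k: set() for k in ("md5", "domain", "ip", "url", "formbook_c2")}
    labels = {}
    for row in rows:
        iocs["md5"].add(row["md5"])
        for raw in row["urls"]:
            url = clean_url(raw)
            iocs["url"].add(url)
            if FORMBOOK_URL_RE.match(url):
                iocs["formbook_c2"].add(url)
        for name, ip, label in parse_hosts(row["hosts"]):
            iocs["ip" if is_ip(name) else "domain"].add(name)
            if ip:
                iocs["ip"].add(ip)
            if label:
                labels[name] = label
    return iocs, labels


def defang(indicator):
    """http -> hxxp and '.' -> '[.]' in the host part, so the IOC is safe to paste."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", indicator)
    if m:
        return f"{m.group(1).replace('http', 'hxxp')}://{m.group(2).replace('.', '[.]')}{m.group(3)}"
    return indicator.replace(".", "[.]")


if __name__ == "__main__":
    found, host_labels = extract_iocs(SAMPLE_ROWS)
    for url in sorted(found["formbook_c2"]):
        print("formbook-c2", defang(url))
    for host, label in sorted(host_labels.items()):
        print(label, defang(host))
```

On the three sample rows the shape check picks out exactly the /n8ba/ and /ars4/ URLs and leaves the LokiBot URL (http://65.21.223.84/~t/i.html/...) alone, while the 182.50.132.242 address that both FormBook rows share comes out once, carrying the feed's "malicious" label. Widen the character classes before using the heuristic on other feeds; it is tuned to the URLs on this page.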