42271 | 2021-08-24 08:24 | Saturn.exe | MD5 8bde7b905bea26c52a7576b133e11279
Tags: UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
Score 1.8 | M | 28 | ZeroCERT

42272 | 2021-08-24 08:22 | jquery.ps1 | MD5 bb1166e6ffd66a072c8a58a2c377919c
Tags: Generic Malware Antivirus PE File .NET DLL DLL PE32 Check memory buffers extracted WMI Creates executable files unpack itself Windows utilities AppData folder Windows ComputerName Cryptographic key
Score 4.2 |  |  | guest

42273 | 2021-08-23 19:25 | iqewbieiqbubqw.dll | MD5 58fab5a273bc3bdca01648663e4f7be2
Tags: RAT Generic Malware PE File .NET DLL DLL PE32 VirusTotal Malware PDB
Score 0.6 | M | 3 | ZeroCERT

42274 | 2021-08-23 19:25 | vbc.exe | MD5 d64d6e211e21f9bc7f8bd2c68ea42b54
Tags: Malicious Library PE File OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://brokenislegion.tk/BN1/fre.php
Hosts: 1
Alerts (1): ET DNS Query to a .tk domain - Likely Hostile
Score 6.8 | M | 40 | ZeroCERT

42275 | 2021-08-23 19:23 | lv.exe | MD5 7cb7086237327a68a89f9ffebbe5a228
Tags: Emotet Gen1 NPKI Gen2 Malicious Library UPX Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiD AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows
Hosts (1): ujzYUCxeWirjpFYgcWLYZFegxKw.ujzYUCxeWirjpFYgcWLYZFegxKw()
Score 5.4 | M |  | ZeroCERT

42276 | 2021-08-23 19:20 | kdotzx.exe | MD5 691180d2c31121f24a2fee1ee8a34b2c
Tags: Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
Score 9.2 | M | 22 | ZeroCERT

42277 | 2021-08-23 19:18 | vbc.exe | MD5 162c0de193b3ba1d3f873bb06a8bdd60
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
Score 1.8 | M | 22 | ZeroCERT

42278 | 2021-08-23 19:18 | ksbgixgq.exe | MD5 5be9bfad00f219b0d219261448a57bda
Tags: PWS Loki[b] Loki.m AgentTesla RAT Gen1 Formbook browser info stealer Generic Malware UPX Malicious Library ASPack Malicious Packer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check DLL JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar Arkei VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee ArkeiStealer OskiStealer Stealer Windows Browser Email ComputerName DNS Software Password
URLs: 10
Hosts: 6
Alerts (9):
- ET INFO Executable Download from dotted-quad Host
- ET POLICY PE EXE or DLL Windows file download HTTP
- ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- ET INFO Dotted Quad Host DLL Request
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- ET MALWARE Vidar/Arkei Stealer Client Data Upload
- ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
URLs matching a rule_id: 4
Score 18.8 | M | 17 | ZeroCERT

42279 | 2021-08-23 19:18 | dd.exe | MD5 7c207438745687fd62777e3b18535020
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows DNS Cryptographic key crashed
URLs: 13
Hosts: 18
Alerts (4):
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- ET MALWARE FormBook CnC Checkin (GET)
- ET INFO Observed DNS Query to .cloud TLD
- ET HUNTING Request to .XYZ Domain with Minimal Headers
URLs matching a rule_id: 6
Score 14.6 | M | 20 | ZeroCERT

42280 | 2021-08-23 19:14 | sefile2.exe | MD5 f403b3a7bba12aa247e7195e8bb9afe5
Tags: UPX Malicious Library PE File OS Processor Check PE32 PDB unpack itself
Score 1.0 | M |  | ZeroCERT

42281 | 2021-08-23 19:14 | kl8.exe | MD5 505468e6735f6b0bf0d37a937eb2d155
Tags: Generic Malware Themida Packer Anti_VM PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed
Hosts (1): 188.124.36.242 - mailcious
Score 7.8 | M | 40 | ZeroCERT

42282 | 2021-08-23 19:09 | r.exe | MD5 305c02b6842f5b81a6fa7a2aab07b00e
Tags: Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic ICMP traffic unpack itself
URLs: 13
Hosts: 26
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Score 4.0 |  | 42 | ZeroCERT

42283 | 2021-08-23 19:01 | Pk52FX0q62R4XoO.dll | MD5 f0242add3e62b4bda6a1f3e38e98a73d
Tags: Malicious Library Malicious Packer PE File DLL PE32 VirusTotal Malware unpack itself Windows crashed
Score 2.6 |  | 39 | ZeroCERT

42284 | 2021-08-23 18:58 | taxve_710451_20210816_93407095... | MD5 9a812ebcc070d2a63465ebb416ba8b95
Tags: VirusTotal Malware Check memory ICMP traffic RWX flags setting unpack itself suspicious process Tofsee
URLs: 5
Hosts: 6
Alerts (2):
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- ET INFO TLS Handshake Failure
Score 4.8 | M | 27 | ZeroCERT

42285 | 2021-08-23 18:54 | Fattura_01557972.xls | MD5 5f25557c3a67cc816c456e44f9a89bbe
Tags: VBA_macro KeyLogger ScreenShot AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself
Score 2.4 |  | 3 | ZeroCERT