42301 | 2021-08-31 11:16 | vbc.exe 5353b45c9539a13e90412b00cffd5a5a UPX PE File PE32 VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Tofsee DNS | 1 https://a.tmp.ninja/dqVxvyvo | 3 a.tmp.ninja(198.251.89.86) - mailcious 172.67.188.154 198.251.89.86 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 3.8 | M | 20 | ZeroCERT
42302 | 2021-08-31 11:14 | osamazx.exe a17a64737d92abc4c83b976aaaad4f36 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed | | | | | 8.6 | M | 20 | ZeroCERT
42303 | 2021-08-31 11:12 | vbc.exe aa17e1f1f3f2b6b46064b5f425b5a12d RAT Generic Malware Antivirus Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 GIF Format Malware download VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key crashed Downloader | 1 | 5 www.google.com(172.217.175.4) 172.217.24.68 13.107.21.200 142.250.196.132 193.169.255.212 - malware | 6 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 10.0 | M | 27 | ZeroCERT
42304 | 2021-08-31 11:12 | vbc.exe aca08c69a22e6f4f07cb44a74e7b9dac Malicious Library PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Tofsee | 29 http://www.o-distribs.com/ecuu/ http://www.listenstech.com/ecuu/?uTuD=kZQ2xSRRrPRSBp5jFhnjX1FSIADBjElgtC+7SfW5nxGr1YavPckfOpnPtRZoEBHlAahsqtq3&Kj9ht=AVPd7xKPhhkxdz5p - rule_id: 4587 http://www.805thaifood.com/ecuu/ http://www.805thaifood.com/ecuu/?uTuD=hUTHBcYuod6wePbk0fg23NzqxmOoeRrbfmFgVJWVpfKHZh9llzJ0TA90NFAjaWRAYOQ0Eh2G&Kj9ht=AVPd7xKPhhkxdz5p http://www.tasteofourneighborhood.com/ecuu/?uTuD=2bt83kpOuVtEIWyxUzi5DXhitRFjdhq2G+J/5YNEy7Qmu4jdCi+MNXaEKclGMLIx7+ZhZc0n&Kj9ht=AVPd7xKPhhkxdz5p http://www.poorwhitetrashlivesmatter.net/ecuu/ http://www.empirerack.com/ecuu/ http://www.workabhaile.com/ecuu/ http://www.listenstech.com/ecuu/ - rule_id: 4587 http://www.manufacturedinjapan.com/ecuu/?uTuD=cm4EhB+xSusT2ZEgdpayhNT4zIjmvrOEKqQy1IzKW+qeT4TFPzigSNFvZaza7qmlNOHW0cnS&Kj9ht=AVPd7xKPhhkxdz5p http://www.empirerack.com/ecuu/?uTuD=GEQTnerqhYYOZeP3k5oh8uqumDp4pVGJvED355C55gboS73ReFUlDy35EJLcN622X6ywqSXw&Kj9ht=AVPd7xKPhhkxdz5p http://www.tasteofourneighborhood.com/ecuu/ http://www.polaritelibrairie.com/ecuu/ - rule_id: 4591 http://www.o-distribs.com/ecuu/?uTuD=2fFFpbMyLUJzYlZhDT8vOGOwgFBPZS+/I9qabDuA36nCGLx7k9QeIlc/dOLT21aoTTouS1Gs&Kj9ht=AVPd7xKPhhkxdz5p http://www.aquarius-twins.com/ecuu/?uTuD=i70bI06xK+671wXcZeZFUnUbIG41m3pyCPaR/31xF3WgPXN1BCrK4K5oBTRoN80eF7TYmcNc&Kj9ht=AVPd7xKPhhkxdz5p http://www.workabhaile.com/ecuu/?uTuD=psKvWxiJggpO43FMpV003tzUv9VXMXoP5rDQMzIOVpzQQ6MlN6hUAQTlmRRdHO4IMuWhrhTy&Kj9ht=AVPd7xKPhhkxdz5p http://www.manufacturedinjapan.com/ecuu/ http://www.safeandsoundyachtservices.com/ecuu/?uTuD=Ze9u3c+JrkZMLd1iq8wEeNDhA8GBJvow2hjXqHEmaYUNXZ6LBYmY4Z/ain7TyThB0L5b8kMi&Kj9ht=AVPd7xKPhhkxdz5p http://www.redcountrypodcast.com/ecuu/ http://www.polaritelibrairie.com/ecuu/?uTuD=9V37CvjOwlD+G2cZgvNSMh0FDLzSpLIOzW7Ku/j/E3/FrLtCEhUpqK2rSLRqtlK3cTc9cFsZ&Kj9ht=AVPd7xKPhhkxdz5p - rule_id: 4591 http://www.aquarius-twins.com/ecuu/ http://www.redcountrypodcast.com/ecuu/?uTuD=C0rihD2hGnnRrpjswzT7uhuHD8PfbnuKKC7ou16TN5COtT4jGgPjFjduvIv/h6aCIOoNM/lg&Kj9ht=AVPd7xKPhhkxdz5p http://www.poorwhitetrashlivesmatter.net/ecuu/?uTuD=Pl7Wo/Sc18YTVh4ZfRYn9GaIW3hmPNugWLqq+bwHPa7GGyOQcNaR6G/8c/+q5jU1tNJ+hTp8&Kj9ht=AVPd7xKPhhkxdz5p http://www.safeandsoundyachtservices.com/ecuu/ http://www.enovexcorp.com/ecuu/?uTuD=bpzCTk/qdCIwipMedq6J/wQgKeK6uVGVcgTnCs1o93acAvo7q59x5CsOod7vCsrr9woKgHPq&Kj9ht=AVPd7xKPhhkxdz5p - rule_id: 4589 http://www.enovexcorp.com/ecuu/ - rule_id: 4589 https://aceddq.bn.files.1drv.com/y4mmFuLrAmiQhwfiUX_9q9QkYs5bdmG7KRDr6ypX2gbItT1YDleYPEezFf9YGdUc9RoGpprgEYOf1PWKbcCYE6yO6x-iBBL3_2wsh8Em8fejrqpmtT9AbJj_kB-ykvyAre0Oz-9t5XOgmvYDpSytJYC5F7yj1YPgkcRA_y1K7e8We0sXJIPUZjpuM3fHrJA4ZfsWuX2n5pd2KqRsrHirYt5qQ/Zbgpobuadnduobcthrjxqnwjcfbhjre?download&psid=1 https://aceddq.bn.files.1drv.com/y4mnpzWq6nzESCeTlyX6547ecopygeoPVjTDPAiQ9qtDwqKns_kP9pal2sQV_WuqgOO1zDsyHgp0sFy8YUdVjz71GDq104jzsUljyKtvmHCmfkbdVcy0zDBruyz9JD3tzOgvgfADgk_UjNKTo5sKr19jQOwO3cmSXkqy9mipCj5i6pi8Ku67RZxJ81TTfPg2Ot43h_6RY8Ap802urbBvPCs2w/Zbgpobuadnduobcthrjxqnwjcfbhjre?download&psid=1 https://onedrive.live.com/download?cid=D020578D515FAC65&resid=D020578D515FAC65%21111&authkey=AP6lzi_AotrWkq8 | 27 www.o-distribs.com(62.4.7.10) onedrive.live.com(13.107.42.13) - mailcious aceddq.bn.files.1drv.com(13.107.42.12) www.tasteofourneighborhood.com(34.102.136.180) www.safeandsoundyachtservices.com(34.102.136.180) www.workabhaile.com(209.99.40.222) www.empirerack.com(156.237.251.107) www.polaritelibrairie.com(34.102.136.180) www.aquarius-twins.com(194.230.72.206) www.betsysobiech.com() www.805thaifood.com(182.50.132.242) www.redcountrypodcast.com(34.102.136.180) www.manufacturedinjapan.com(183.181.81.33) www.poorwhitetrashlivesmatter.net(34.102.136.180) www.enovexcorp.com(104.21.6.147) www.listenstech.com(3.223.115.185) 183.181.81.33 13.107.42.13 - mailcious 13.107.42.12 - malware 209.99.40.222 - mailcious 34.102.136.180 - mailcious 172.67.134.229 156.237.251.107 182.50.132.242 - mailcious 194.230.72.206 3.223.115.185 - mailcious 62.4.7.10 | 2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET) | 6 http://www.listenstech.com/ecuu/ http://www.listenstech.com/ecuu/ http://www.polaritelibrairie.com/ecuu/ http://www.polaritelibrairie.com/ecuu/ http://www.enovexcorp.com/ecuu/ http://www.enovexcorp.com/ecuu/ | 6.6 | M | 26 | ZeroCERT
42305 | 2021-08-31 11:12 | b3A6h.exe bc867757658b294a9d7fbfd2d967e477 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed | | 1 | | | 9.2 | M | 21 | ZeroCERT
42306 | 2021-08-31 11:10 | arinzezx.exe bbb076c1946e425146450691549f030b PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | 2 http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 | 5 freegeoip.app(172.67.188.154) checkip.dyndns.org(132.226.247.73) 193.122.130.0 172.67.188.154 91.193.75.238 | 3 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org | | 12.8 | M | 29 | ZeroCERT
42307 | 2021-08-31 11:10 | vbc.exe fdb84298836a2682cf6ed805bc8852de RAT Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File .NET EXE PE32 GIF Format Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows ComputerName DNS Cryptographic key crashed | 1 | 6 discoveryvipshinjiru2law.ooguy.com(91.193.75.238) www.google.com(216.58.220.100) 142.250.66.132 172.217.24.68 13.107.21.200 91.193.75.238 | 2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Possible NanoCore C2 60B | | 15.4 | M | 21 | ZeroCERT
42308 | 2021-08-31 11:10 | catzx.exe 5b86fcaf5ab130c47731cc168a2ca852 Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS | | 2 tzitziklishop.ddns.net(103.89.89.134) - mailcious 103.89.89.134 | 2 ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE Possible NanoCore C2 60B | | 13.6 | M | 25 | ZeroCERT
42309 | 2021-08-31 11:05 | bin.exe b8a04e2c814ff33e4375bcea671ea6f7 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed | | | | | 10.0 | M | 27 | ZeroCERT
42310 | 2021-08-31 11:05 | bobbyzx.exe 5ecf99b81c8f50209f007541dfca08c1 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed | | | | | 8.6 | M | 21 | ZeroCERT
42311 | 2021-08-31 11:04 | vbc.exe 3d1d650b2318cdddaf5e92447ba76b56 PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key | 10 http://www.apexexprtwaterfilters.com/sqwo/?9r8tLzUh=gFy/qMCEMcB6Hf1nawozuv5uJH4MDdN9p150ATU12nKhcCpmr8edoJhVpn8/X23UeOD/1ow9&IR-8bP=D8bDa http://www.xn--lmqz72a50cuz9a2o4a.com/sqwo/?9r8tLzUh=Le1mh7KuJ/kNkffB/K9G7OkCYRWEntjBtjRwXnIqHjrXv6YIrlJQ4Fqguq963VDFFK8vuOwx&IR-8bP=D8bDa http://www.nfdianqi.com/sqwo/?9r8tLzUh=eq7caouCPspIuf1GNTzxuvP+gOV7dNnqMT4Ig5YmH3TwSpIB4svgnRWz6X/LFmUB1MkO9fh1&IR-8bP=D8bDa http://www.socialbutterfliesny.com/sqwo/?9r8tLzUh=E1tPMx1iIWJaiJ54PmsntZlI55/upwId2ZJWTdUBVNBkPOpaNZRRBf+5oCbBXDWEKmHyakPo&IR-8bP=D8bDa http://www.communityalliances.info/sqwo/?9r8tLzUh=x54d9I76edU/y4+H+MS1pXoHUOdqhv+JR+acb22Tmy+0nkyiVIO9O6VgjqYOpouAOLXq4LwK&IR-8bP=D8bDa http://www.leadershifts.academy/sqwo/?9r8tLzUh=B/sIr30tyQjkGcM27UQ/kCgS5OE5Y2iVRQHF9/Hu5JH95hjU3xoBeLTP2fsjLFv7Fq8YbDGW&IR-8bP=D8bDa http://www.glamandtan.net/sqwo/?9r8tLzUh=JhW4WKUAk7xlkEEDulhqKZMy2L/keqwe9HdINH+9b6LvJc3qx9ABslN47JV5O7XZ+76PGcj5&IR-8bP=D8bDa http://www.ulrich-wiederspahn.net/sqwo/?9r8tLzUh=0BYlXpKY4gB4a1aUse83N3qGFM9EGQdnDLmOB01zn8viaChOorVXHYfTKREeOl7J3cb90Fve&IR-8bP=D8bDa http://www.brefjefaisdutrail.com/sqwo/?9r8tLzUh=6hqREpBLH7SRGbOhk1p98fViE97+Kj2Tl3lrkq31txPAXznAyq/bcksAiAuYnK40u/C0lqfr&IR-8bP=D8bDa http://www.templatelive.com/sqwo/?9r8tLzUh=dFeO523bKyO5b7Y9epEOyjukxxvWufGG3IfqbIdqil7LvMkjFT5MxZiHJRkc5L7YNlJnDZ0f&IR-8bP=D8bDa | 18 www.nfdianqi.com(156.241.53.147) www.templatelive.com(162.241.68.246) www.leadershifts.academy(34.102.136.180) www.brefjefaisdutrail.com(209.99.40.222) www.socialbutterfliesny.com(198.49.23.144) www.xn--lmqz72a50cuz9a2o4a.com(154.210.188.165) www.glamandtan.net(209.99.40.222) www.apexexprtwaterfilters.com(34.102.136.180) www.communityalliances.info(182.50.132.242) www.ulrich-wiederspahn.net(35.207.168.47) 35.207.168.47 156.241.53.147 154.210.188.165 162.241.68.246 34.102.136.180 - mailcious 182.50.132.242 - mailcious 209.99.40.222 - mailcious 198.185.159.144 - mailcious | 1 ET MALWARE FormBook CnC Checkin (GET) | | 8.2 | M | 26 | ZeroCERT
42312 | 2021-08-31 11:03 | job.exe 00208f1aa6ebd03ebf70e847b6f690c8 Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 1.6 | M | 24 | ZeroCERT
42313 | 2021-08-31 10:53 | AXC.exe 75fc478585b12d3a8f0216b1b28c6944 Generic Malware UPX PE File PE32 Malware download VirusTotal Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself suspicious process anti-virtualization Windows DNS keylogger | | 3 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu(78.129.249.105) - mailcious 78.129.249.105 - mailcious 103.133.111.149 - malware | 1 ET MALWARE Generic .bin download from Dotted Quad | | 8.0 | M | 28 | r0d
42314 | 2021-08-31 10:44 | AXC.exe 0cb653b63f1f96cc5b362096cede91e4 UPX Malicious Packer PE File PE32 Malware download VirusTotal Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself suspicious process anti-virtualization Windows DNS | | 1 103.133.111.149 - malware | 1 ET MALWARE Generic .bin download from Dotted Quad | | 7.4 | M | 20 | r0d
42315 | 2021-08-31 09:40 | WARZONE.exe 953055e0715e637ff0f7fe84b126eac9 Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed | | | | | 11.0 | M | 52 | ZeroCERT