42781 | 2021-08-18 11:20
cd13.exe | af366ca287f4fff65e730d609d3f6bd2 | RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://198.98.49.129:23948/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb(104.26.12.31); 104.26.12.31; 198.98.49.129
Alerts (2): SURICATA HTTP unable to match response to request; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.2 | M | | ZeroCERT

42782 | 2021-08-18 11:19
rcd.exe | 679b38d3297913cec51412919546f0fc | RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://198.98.49.129:23948/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb(104.26.13.31); 104.26.12.31; 198.98.49.129
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
7.4 | M | 43 | ZeroCERT

42783 | 2021-08-18 11:07
vbc.exe | 24de92095889ef49c35dcc6f687627e5 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
URLs (1): https://pastebin.pl/view/raw/2281be39
Hosts (2): pastebin.pl(168.119.93.163) - malicious; 168.119.93.163 - malicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.0 | M | 27 | ZeroCERT

42784 | 2021-08-18 11:06
fdseventeen.exe | 5c978476aaf6e02c5cd840da6b550bb6 | PWS Loki[b] Loki.m RAT .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software
URLs (1): http://manvim.co/fd17/fre.php
Hosts (2): manvim.co(193.187.173.105) - malicious; 193.187.173.105
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
13.2 | M | 42 | ZeroCERT

42785 | 2021-08-18 11:03
anthonyzx.exe | 2c47f030311ad86019602b0da8298332 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
9.2 | M | 32 | ZeroCERT

42786 | 2021-08-18 11:03
tmt.exe | c12b9137c5ceccee311215cbd5a8d7b2 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
9.2 | M | 36 | ZeroCERT

42787 | 2021-08-18 11:03
vbc.exe | a9c17b30c3c8d1ab73368929ce6a9ccd | UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName
URLs (14): http://www.delhibudokankarate.com/6mam/?P48tW=Dhv3NEq6R5NPQZs0dIik/SqBuvIY1/ydOcIgQc1Go12Tt/gNYl4yWQ2VA57WdGuU8YdfRGOR&KR-LRr=VTW8eX4xAtX - rule_id: 4168; http://www.mobiessence.com/6mam/?P48tW=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&KR-LRr=VTW8eX4xAtX - rule_id: 3578; http://www.lawmetricssolicitors.com/6mam/?P48tW=4Gj0yn3nr4YWFpZH4qn2bQ/Mf+Y/K54EnXCw/FRHgkyWUNrW3vdYTE+qdBaiGkNQ4kKGGQ8H&KR-LRr=VTW8eX4xAtX - rule_id: 3575; http://www.kykyryky.art/6mam/?P48tW=YhmCqIEbUGfuw5buP1ux4NwPyUbKdSmuBWvVd54Q/24mN/u1gMwH9i6nnbSMiSrA5lPx01TB&KR-LRr=VTW8eX4xAtX - rule_id: 3577; http://www.adenxsdesign.com/6mam/?P48tW=tU44klL44EKqmodFv/jg5nrIY8m9SPufik0gg789I5xKoKlf2FGRw1yhbPhqQNhokqqERcg/&KR-LRr=VTW8eX4xAtX - rule_id: 4003; http://www.cannamalism.com/6mam/?P48tW=kn71xoO9iU2mX4j71h7bz8HHhkUEjJyTF2/azklG2erytyCHrh0zJMDeYoghQinFk6RtaMTe&KR-LRr=VTW8eX4xAtX - rule_id: 3576; http://www.bransolute.com/6mam/?P48tW=3lOIhqUq6P+U3Pv+KiDZArCwgFDmfekdTy2Nm2rSf3PvYUYfwCDamY7ww9DFIoj1y02HC7Ks&KR-LRr=VTW8eX4xAtX - rule_id: 3581; http://www.riveraitc.com/6mam/?P48tW=SnhjisI499lOsf3YfO532EwcXneBDaw7KeLS1bDcRf/9DFIScc8FKAxpINBYBIfoUHjDmPpQ&KR-LRr=VTW8eX4xAtX - rule_id: 4005; http://www.ilovemehoodie.com/6mam/?P48tW=WcJFy0FDyb1eQp1HHEDezlfsnB+bgSZ9M5sCd3/XEWVbVLaHwBgyDt5AxetLVNVTX35rQb0V&KR-LRr=VTW8eX4xAtX - rule_id: 4001; http://www.fuzhourexian.com/6mam/?P48tW=qbpZFH7voKbXHHWLfMfEAiwyGaz4A1Dlq6aJ6MnbqPgDgfYDR2UnLoNROh/k48NFxcmn1xi3&KR-LRr=VTW8eX4xAtX - rule_id: 3580; http://www.envirotechpropertiesltd.com/6mam/?P48tW=YBYrB5Ucm7S+XdfKOAf3sqA5fkKZ062k5RXT8xg/v1kRVTyEaAKCnyzwvrlUA7NS++0u+6AB&KR-LRr=VTW8eX4xAtX; https://dkbp0q.sn.files.1drv.com/y4mrMcJrhX3NS3j0HI9CmsynkzscYSv_j_iG0h1PkCA9fSFqb31FN3Rs9U3ozYt6s-bL6yaEBA40CFCVyBRNoGmZW36gpV5owlcwq84wnAx4ukteCnDJGxxxHu63HyYNZRKJcWZAwikI9GXq1HYzdM6wwnfUeQX2C2Y_qVBMmz8chgIp_VSAgovTegxBpZnAsqnKG78TUBNMSGY3aMVVAVSbw/Gvxbhgpirujajjglqjoceyevinvvtyb?download&psid=1; https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21121&authkey=AITqAZYmBhxHYRs; https://dkbp0q.sn.files.1drv.com/y4mk8x3V8lsTnH8fK4NVgwbdpZN0dVecv_1w63fnJBjVOBdbbs9xAIxConjlhOTx--JIrGvI4C6u6Dq1yELyHvd8es9OWD5BwXQFcph34vaRWCvKPVZdKsOO_drRSM8a4gUZ0nq7ZBEh2CPvo3VcDxQQx05VyisqlgR3EszThf8bYuIoASeUj90xT4LP-cDr0TrvDU43fyT7RZrqWuxq94B9w/Gvxbhgpirujajjglqjoceyevinvvtyb?download&psid=1
Hosts (29): www.opticatervisof.com() - malicious; www.delhibudokankarate.com(154.215.87.120); www.cannamalism.com(34.102.136.180); onedrive.live.com(13.107.42.13) - malicious; www.fuzhourexian.com(47.245.33.84); www.mobiessence.com(52.58.78.16); www.adenxsdesign.com(217.160.0.46); www.geekotronic.com(); www.riveraitc.com(23.227.38.74); www.envirotechpropertiesltd.com(198.49.23.144); www.apacshift.support() - malicious; www.bransolute.com(192.185.236.169); dkbp0q.sn.files.1drv.com(13.107.42.12); www.candlewooddmc.com() - malicious; www.ilovemehoodie.com(23.227.38.74); www.lawmetricssolicitors.com(173.214.172.82); www.kykyryky.art(194.67.71.40); 154.215.87.120 - malicious; 52.58.78.16 - malicious; 47.245.33.84 - malicious; 173.214.172.82; 194.67.71.40; 13.107.42.13 - malicious; 13.107.42.12 - malware; 192.185.236.169 - malicious; 34.102.136.180 - malicious; 217.160.0.46 - malicious; 23.227.38.74 - malicious; 198.185.159.144 - malicious
Alerts (2): ET MALWARE FormBook CnC Checkin (GET); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Additional URLs (10): http://www.delhibudokankarate.com/6mam/; http://www.mobiessence.com/6mam/; http://www.lawmetricssolicitors.com/6mam/; http://www.kykyryky.art/6mam/; http://www.adenxsdesign.com/6mam/; http://www.cannamalism.com/6mam/; http://www.bransolute.com/6mam/; http://www.riveraitc.com/6mam/; http://www.ilovemehoodie.com/6mam/; http://www.fuzhourexian.com/6mam/
10.8 | M | 30 | ZeroCERT

42788 | 2021-08-18 11:00
whesilozx.exe | 15ff0a4c0f9b8083b0fee0ddb8a8ceb3 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
9.2 | M | 39 | ZeroCERT

42789 | 2021-08-18 10:59
formbookzx.exe | 168d0c902497a9cbf6281aca78482cb3 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (3): http://www.ubique.works/m3n0/?kxl0drr=XY3fYCvwORbGPxtSxSQVDy8D/DgP/Q6U0jLqL/9Ze9Gbp745YUdIHr8LMFFepVyh6OzcG5cB&jBZ4=KneX-; http://www.yourvert.com/m3n0/?kxl0drr=p+Rf1CG7FauHpJE9Y14QZTSs7HiMaFYzpVM6h2kAD3Nie/rbK1Hom73EVwMq0sJBPNaGWXc5&jBZ4=KneX-; http://www.terrasombrafarms.com/m3n0/?kxl0drr=Lll3djfmpqf4gVsKwJ7EBNIIhBMOoCJsh2K73HLJEVynFnO3uZpJKx+f/nkW8ApCIX9e9JyW&jBZ4=KneX-
Hosts (6): www.yourvert.com(13.58.168.69); www.terrasombrafarms.com(104.21.45.157); www.ubique.works(52.220.193.16); 172.67.216.104; 178.128.124.245; 3.133.163.136
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
8.4 | M | 38 | ZeroCERT

42790 | 2021-08-18 10:59
sunnyzx.exe | 799c3c52ef032c42c3bb3eb8cad03e95 | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200); checkip.dyndns.org(216.146.43.71); 132.226.8.169; 104.21.19.200
Alerts (3): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org
12.8 | M | 34 | ZeroCERT

42791 | 2021-08-18 10:56
Proliv12345.exe | 37682e0e7a16ecef1a19f44177e8b583 | PWS .NET framework NPKI Generic Malware PSW Bot LokiBot ZeusBot Admin Tool (Sysinternals etc ...) KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Cryptographic key
Hosts (2): ns3.ru.web.msk.host(194.226.139.38); 194.226.139.38
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | | 15 | ZeroCERT

42792 | 2021-08-18 10:56
installs3.exe | 30d75d7d5fe9cea029423a625f4e7802 | RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key
Hosts (1): (none listed)
5.2 | M | 42 | ZeroCERT

42793 | 2021-08-18 09:44
Has US policy toward the Pales... | 5711989af8510851baf4fec63d67d1e3 | Admin Tool (Sysinternals etc ...) UPX Malicious Library Malicious Packer PDF PE File OS Processor Check PE32 GIF Format VirusTotal Malware suspicious privilege MachineGuid Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser ComputerName RCE DNS crashed
Hosts (1): (none listed)
Alerts (1): ET INFO Observed DNS Query to .work TLD
8.6 | | 38 | ZeroCERT

42794 | 2021-08-18 09:42
PROG8300_projectExecutable.exe | dba25831a9434a39e84717c9f8f6ba57 | Gen2 Gen1 UPX Malicious Library PE File OS Processor Check PE32 PE64 DLL VirusTotal Malware Malicious Traffic Creates executable files WriteConsoleW
URLs (1): http://www.securityresearch.ca/infected/8K3F19/ServiceUpdater.exe
Hosts (2): www.securityresearch.ca(64.235.108.186); 64.235.108.186
2.6 | | 51 | ZeroCERT

42795 | 2021-08-17 18:04
1508.exe | aa5c3aa529d2ad5bf85d45e21408717d | RAT Generic Malware Anti_VM UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName RCE Firmware DNS Cryptographic key crashed
URLs (2): http://46.28.204.54:27605/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb(104.26.12.31); 104.26.13.31; 46.28.204.54
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
9.2 | M | 26 | ZeroCERT
