42811 | 2021-08-17 17:39
kl.exe | 78ce66dca7949aa8182c81b20ae321a0
Tags: RAT Generic Malware Themida Packer UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
URLs (2):
  http://188.124.36.242:25802/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(104.26.13.31)
  104.26.13.31
  188.124.36.242
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.6 | | 35 | ZeroCERT

42812 | 2021-08-17 17:34
vbc.exe | ed42831e07a3c0a9f2240b6475f4ba3c
Tags: UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
1.8 | | 15 | ZeroCERT

42813 | 2021-08-17 17:11
http://edgedl.me.gvt1.com/edge... | 1c8529a4577541f11238a25ce76c343e
Tags: DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM MSOffice File Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1):
  http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/fp54i2dusearlozqtsnasgv6xa_2659/jflookgnkcckhobaglndicnbbgbonegd_2659_all_mxdmmez5xo4y35xwfdotsvn5um.crx3
Hosts (2):
  edgedl.me.gvt1.com(34.104.35.123)
  34.104.35.123
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
3.8 | | | guest

42814 | 2021-08-17 16:17
out.pdf | 34d276c510abbf0cc876c261b0521236
Tags: PDF
| | | JYC

42815 | 2021-08-17 14:44
2.dll | 37e26534b70abd664cfed4961ad6ecbf
Tags: TA551 BazarLoader UPX PE File OS Processor Check DLL PE32 VirusTotal Malware Checks debugger unpack itself
1.4 | M | 6 | r0d

42816 | 2021-08-17 13:36
vbc.exe | 8396573aa3039b144f584107f785b321
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
Hosts (3):
  105.27.205.34 - mailcious
  60.51.47.65 - mailcious
  36.66.188.251
3.0 | M | 30 | ZeroCERT

42817 | 2021-08-17 13:36
2.dll | 37e26534b70abd664cfed4961ad6ecbf
Tags: UPX AntiDebug AntiVM PE File OS Processor Check DLL PE32 Dridex TrickBot VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName DNS crashed
URLs (11):
  https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/5/file/
  https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/10/62/GHKKBYXXMBGPF/7/
  https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/NAT%20status/client%20is%20behind%20NAT/0/
  https://185.56.175.122/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/JykWxsK5VFuVU0IzRFQuDFfZ/
  https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
  https://185.56.175.122/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CArhCatD3P7BP%5Cpb2lv.dmo/0/
  https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/14/user/test22/0/
  https://ident.me/
  https://60.51.47.65/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ldB1JbjZnVLztVnX55JJf5j/
  https://36.66.188.251/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/5/pwgrabc64/
  https://105.27.205.34/rob122/TEST22-PC_W617601.175211BBA3CB5D74BB4C39D8A3B3B1FF/5/pwgrabb64/
Hosts (8):
  ident.me(176.58.123.25)
  105.27.205.34 - mailcious
  194.146.249.137 - mailcious
  176.58.123.25
  185.56.175.122 - mailcious
  60.51.47.65 - mailcious
  79.106.115.107
  36.66.188.251
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
10.4 | M | 6 | ZeroCERT

42818 | 2021-08-17 13:35
vbc.exe | 2875b6d653a9311f91e1a2f28e5538e1
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key
URLs (6):
  http://www.beastninjas.com/6mam/?yVMpQN-P=oQhTdcG35KVC+c6Wc2Ae/5c2EVHHJUmgpuEXLTkVZHJt0CPiQFk8QVOcUVYqLYUeTWjjNSS/&1bz=o8rLp - rule_id: 3583
  http://www.mobiessence.com/6mam/?yVMpQN-P=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&1bz=o8rLp - rule_id: 3578
  http://www.besport24.com/6mam/?yVMpQN-P=G66iPt+xvrTiSrnWMSNY3jIG1auw/RAx4P7alq3BxDAHCc2pRDbTwTzLPU1dODy6kKEhnUhc&1bz=o8rLp - rule_id: 3890
  http://www.delhibudokankarate.com/6mam/?yVMpQN-P=Dhv3NEq6R5NPQZs0dIik/SqBuvIY1/ydOcIgQc1Go12Tt/gNYl4yWQ2VA57WdGuU8YdfRGOR&1bz=o8rLp
  http://www.ilovemehoodie.com/6mam/?yVMpQN-P=WcJFy0FDyb1eQp1HHEDezlfsnB+bgSZ9M5sCd3/XEWVbVLaHwBgyDt5AxetLVNVTX35rQb0V&1bz=o8rLp - rule_id: 4001
  http://www.elglink99.com/6mam/?yVMpQN-P=SLcUjScG5RnOVZMPBoDDz2hKjpXj+iqBcro/vPi5ifNBMfCnXfAsQjLgCQAIbn3ZI+l2ZT4E&1bz=o8rLp - rule_id: 3999
Hosts (14):
  www.delhibudokankarate.com(154.215.87.120)
  www.elglink99.com(199.59.242.153)
  www.mobiessence.com(52.58.78.16)
  www.beastninjas.com(34.102.136.180)
  www.f9fui8.xyz()
  www.apacshift.support()
  www.besport24.com(51.83.52.226)
  www.ilovemehoodie.com(23.227.38.74)
  154.215.87.120
  52.58.78.16 - mailcious
  34.102.136.180 - mailcious
  199.59.242.153 - mailcious
  51.83.52.226 - mailcious
  23.227.38.74 - mailcious
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Base URLs (5):
  http://www.beastninjas.com/6mam/
  http://www.mobiessence.com/6mam/
  http://www.besport24.com/6mam/
  http://www.ilovemehoodie.com/6mam/
  http://www.elglink99.com/6mam/
9.2 | M | 39 | ZeroCERT

42819 | 2021-08-17 10:20
Quranic Arabic Language Course... | 6af2470805fe10cf881871a6babf9986
Tags: VirusTotal Malware RWX flags setting unpack itself Tofsee
URLs (2):
  https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/
  https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/files-3607001e/
Hosts (2):
  behr.ppinewsagency.live(185.163.45.63) - mailcious
  185.163.45.63 - mailcious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.4 | M | 3 | ZeroCERT

42820 | 2021-08-17 10:15
zxcv.EXE | 575f6a65c28682f88fa808ba8e862d7f
Tags: PWS Loki[b] Loki.m Raccoon Stealer Gen1 Gen2 Generic Malware UPX Malicious Library Malicious Packer DNS Socket KeyLogger HTTP Internet API ScreenShot Http API Steal credential AntiDebug AntiVM PE File PE32 DLL OS Processor Check GIF Format JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password
URLs (13):
  http://kullasa.ac.ug/nss3.dll
  http://kullasa.ac.ug/main.php
  http://kullasa.ac.ug/
  http://kullasa.ac.ug/msvcp140.dll
  http://185.163.45.248/
  http://kullasa.ac.ug/vcruntime140.dll
  http://kullasa.ac.ug/softokn3.dll
  http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/1153e21497e2a00af6fcd2be846b1953a66f76ab
  http://kullasa.ac.ug/mozglue.dll
  http://kullasa.ac.ug/sqlite3.dll
  http://myproskxa.ac.ug/index.php
  http://kullasa.ac.ug/freebl3.dll
  http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/cc451af81c78b4f59363dcc043c781304dfe0ce1
Hosts (6):
  kullasa.ac.ug(185.215.113.77)
  myproskxa.ac.ug(185.215.113.77)
  telete.in(195.201.225.248) - mailcious
  195.201.225.248 - mailcious
  185.215.113.77 - malware
  185.163.45.248
IDS alerts (5):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
21.8 | M | 42 | ZeroCERT

42821 | 2021-08-17 10:07
dllhost.exe | 5ee375628c34cd0aa0833e24bc31087a
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
Hosts (2):
  www.generlitravel.com()
  www.betternatureproducts.net()
7.4 | M | 26 | ZeroCERT

42822 | 2021-08-17 10:05
vbc.exe | 61521d238c7c60ca7e91881ffda4a5fa
Tags: UPX Malicious Library PE File OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://everydaywegrind.ga/BN22/fre.php
Hosts (1):
IDS alerts (1):
  ET INFO DNS Query for Suspicious .ga Domain
7.0 | M | 40 | ZeroCERT

42823 | 2021-08-17 10:03
.svchost.exe | c8f7096833654a62280f5897fccfde65
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process VMware anti-virtualization Windows ComputerName Cryptographic key Software
URLs (1):
  http://www.glendalesocialmediaagency.com/nff/?O0DHs=E6fLQbQj7XlE7pKggeHtmkhlLAH8o5Ikh6AParAHUnAgUAgt+y3sQatBmkz+P0Uh2HxyM3jL&uTxX=ApmHH4
Hosts (4):
  www.glendalesocialmediaagency.com(34.102.136.180)
  www.cuesticksandsupplies.com()
  www.shinseikai.site()
  34.102.136.180 - mailcious
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
12.2 | M | 27 | ZeroCERT

42824 | 2021-08-17 10:01
vbc.exe | 2e11cb22fcff3e1fbf803fea30380e75
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware unpack itself Tofsee RCE crashed
URLs (1):
  https://cdn.discordapp.com/attachments/872498603363536989/876731431555059753/Zmlkqojaxmhcbtpljtjnfjssfmlwqrp
Hosts (2):
  cdn.discordapp.com(162.159.133.233) - malware
  162.159.129.233 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | M | 45 | ZeroCERT

42825 | 2021-08-17 09:59
dow-0.exe | 53d55c75030ff7d58afd45080fa00dd2
Tags: Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself Windows utilities AppData folder Windows
URLs (10):
  http://www.zwq.xyz/wufn/?kDHl=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&KtxD=PnCTGx9Pf - rule_id: 3226
  http://www.gaigoilaocai.com/wufn/?kDHl=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&KtxD=PnCTGx9Pf - rule_id: 2912
  http://www.iqpt.info/wufn/?kDHl=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&KtxD=PnCTGx9Pf - rule_id: 2910
  http://www.solanohomebuyerclass.com/wufn/?kDHl=+zzRrn2LuczUop/Cd/o3ZSAnv7QTnqViuhwHS4/CIqz6rF5318dL6hgqnxmK9Gf+t0N7z3vJ&KtxD=PnCTGx9Pf
  http://www.mimortgageexpert.com/wufn/?kDHl=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&KtxD=PnCTGx9Pf - rule_id: 2911
  http://www.recipesdunnright.com/wufn/?kDHl=SehEse1yNcuBWox84Asm4eELW9pHyFfqJvW7VO2nDRTT0VQDXxZnF10XUkI9sb+IBYeHWwT5&KtxD=PnCTGx9Pf
  http://www.talleresmulticar.com/wufn/?kDHl=Zc0zQFnrMcwVTscPp4D3wnK22drhHRSNJ7F8xfTSBTL6y4OaZRoxz+uo8RGanShoJ1lpBNes&KtxD=PnCTGx9Pf
  http://www.setadragon.com/wufn/?kDHl=p6EPLUx6SmQWyT0aKUYWey1/moK0HCihbvuUxAKosV5aIj7OYHg92cDuRvb6vmm9eY3daRqd&KtxD=PnCTGx9Pf - rule_id: 3486
  http://www.rootmoover.com/wufn/?kDHl=jUqWC+wM+s2Yehearj52syV+yALdMbb6PeN2CvBJSFCwW1HLktm3ATZosqzbiXJTH9I2JiE2&KtxD=PnCTGx9Pf - rule_id: 3570
  http://www.hk6628.com/wufn/?kDHl=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&KtxD=PnCTGx9Pf - rule_id: 2909
Hosts (25):
  www.hsicclassactionsettlement.com() - mailcious
  www.sctsmney.com() - mailcious
  www.solanohomebuyerclass.com(182.50.132.242)
  www.mimortgageexpert.com(100.24.208.97)
  www.hk6628.com(34.102.136.180)
  www.qq4004.com() - mailcious
  www.recipesdunnright.com(66.235.200.147)
  www.iqpt.info(67.199.248.13)
  www.organicdiscover.com()
  www.setadragon.com(209.99.40.222)
  www.gaigoilaocai.com(172.67.187.204)
  www.kyg-cpa.com() - mailcious
  www.rootmoover.com(23.227.38.74)
  www.talleresmulticar.com(35.214.181.99)
  www.zwq.xyz(103.139.0.32)
  103.139.0.32 - mailcious
  66.235.200.147 - phishing
  35.214.181.99
  209.99.40.222 - mailcious
  34.102.136.180 - mailcious
  35.172.94.1 - phishing
  198.71.232.3 - mailcious
  172.67.187.204 - mailcious
  23.227.38.74 - mailcious
  67.199.248.13 - mailcious
IDS alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Base URLs (7):
  http://www.zwq.xyz/wufn/
  http://www.gaigoilaocai.com/wufn/
  http://www.iqpt.info/wufn/
  http://www.mimortgageexpert.com/wufn/
  http://www.setadragon.com/wufn/
  http://www.rootmoover.com/wufn/
  http://www.hk6628.com/wufn/
5.0 | M | 43 | ZeroCERT