42826 | 2021-08-17 09:59
File: rundll32.exe | MD5: 3a77a27df8d701a07b76d63091465c11
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
Score: 7.0 | M | 36 | ZeroCERT

42827 | 2021-08-17 09:58
File: dow-01.exe | MD5: 815a3dbde4d501e96222d6de9b0be3fc
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
HTTP requests (18):
http://www.setadragon.com/wufn/?wPT=p6EPLUx6SmQWyT0aKUYWey1/moK0HCihbvuUxAKosV5aIj7OYHg92cDuRvb6vmm9eY3daRqd&oXN=6lSd02cp - rule_id: 3486
http://www.rootmoover.com/wufn/ - rule_id: 3570
http://www.theforumonline.com/wufn/
http://www.joneshondaservice.com/wufn/?wPT=cHwUMaOvOUl4mR2wsbRfLYaultZ7TSeYo2Z/vCzCk8dNTOF36Jse9g+x5El8dvRa2DMYrrKS&oXN=6lSd02cp - rule_id: 3491
http://www.talleresmulticar.com/wufn/
http://www.recipesdunnright.com/wufn/
http://www.mybodysaver.com/wufn/ - rule_id: 3227
http://www.recipesdunnright.com/wufn/?wPT=SehEse1yNcuBWox84Asm4eELW9pHyFfqJvW7VO2nDRTT0VQDXxZnF10XUkI9sb+IBYeHWwT5&oXN=6lSd02cp
http://www.talleresmulticar.com/wufn/?wPT=Zc0zQFnrMcwVTscPp4D3wnK22drhHRSNJ7F8xfTSBTL6y4OaZRoxz+uo8RGanShoJ1lpBNes&oXN=6lSd02cp
http://www.laterlifelendingsupermarket.com/wufn/?wPT=JK53FQapth9VDdSHXGajN0L5nsR3wCbJsKyzCV6oZDicv5erkPKtybHomSqu7DQ5sf8AoARo&oXN=6lSd02cp - rule_id: 3501
http://www.mybodysaver.com/wufn/?wPT=iAyrziyFF9RqM6kqTrR2Gz8v85ou6HqcZ1qFLOyqSC08U8XZpeh2g5fFjWykbq8K9Lt/Vzcu&oXN=6lSd02cp - rule_id: 3227
http://www.joneshondaservice.com/wufn/ - rule_id: 3491
http://www.zwq.xyz/wufn/?wPT=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&oXN=6lSd02cp - rule_id: 3226
http://www.theforumonline.com/wufn/?wPT=oMJPIIffiJ/xnzh2dmE4H4v++ePVGdJ47Cs+qN5CdohcdEg0FINWW3sNxjaQaIOEvkNj7L2f&oXN=6lSd02cp
http://www.zwq.xyz/wufn/ - rule_id: 3226
http://www.setadragon.com/wufn/ - rule_id: 3486
http://www.laterlifelendingsupermarket.com/wufn/ - rule_id: 3501
http://www.rootmoover.com/wufn/?wPT=jUqWC+wM+s2Yehearj52syV+yALdMbb6PeN2CvBJSFCwW1HLktm3ATZosqzbiXJTH9I2JiE2&oXN=6lSd02cp - rule_id: 3570
DNS (18):
www.theforumonline.com(69.163.228.182)
www.joneshondaservice.com(50.87.249.29)
www.mybodysaver.com(172.67.177.211)
www.zwq.xyz(103.139.0.32)
www.talleresmulticar.com(35.214.181.99)
www.setadragon.com(209.99.40.222)
www.recipesdunnright.com(66.235.200.147)
www.rootmoover.com(23.227.38.74)
www.laterlifelendingsupermarket.com(85.233.160.23)
103.139.0.32 - malicious
66.235.200.147 - phishing
69.163.228.182
85.233.160.23 - malicious
35.214.181.99
209.99.40.222 - malicious
172.67.177.211 - malicious
23.227.38.74 - malicious
50.87.249.29 - malicious
IDS alerts (2):
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (12):
http://www.setadragon.com/wufn/
http://www.rootmoover.com/wufn/
http://www.joneshondaservice.com/wufn/
http://www.mybodysaver.com/wufn/
http://www.laterlifelendingsupermarket.com/wufn/
http://www.mybodysaver.com/wufn/
http://www.joneshondaservice.com/wufn/
http://www.zwq.xyz/wufn/
http://www.zwq.xyz/wufn/
http://www.setadragon.com/wufn/
http://www.laterlifelendingsupermarket.com/wufn/
http://www.rootmoover.com/wufn/
Score: 8.4 | M | 31 | ZeroCERT

42828 | 2021-08-17 09:56
File: bobbyzx.exe | MD5: 37a5f6cc78f098591dd05bf7dccbdcc5
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key
Score: 5.4 | M | 32 | ZeroCERT

42829 | 2021-08-17 09:56
File: dow-2.exe | MD5: 79ccfb5a40b349d6012a35b7072f9f1a
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
HTTP requests (16):
http://www.feathertiara.net/wufn/?b6=kBuwGfiPz7ySFvcjUzLnibr355l72ljuv5/5hH3ZydAEXYL8DZHvf8y8kbj1LoIM4KSTAosX&DbG=_DKdFj
http://www.gaigoilaocai.com/wufn/ - rule_id: 2912
http://www.theforumonline.com/wufn/?b6=oMJPIIffiJ/xnzh2dmE4H4v++ePVGdJ47Cs+qN5CdohcdEg0FINWW3sNxjaQaIOEvkNj7L2f&DbG=_DKdFj
http://www.theforumonline.com/wufn/
http://www.cummingsforum.com/wufn/?b6=PGuDT0srb8+GzzH8GojBu9jJOM86wXlCLaZQF9oyMbXQcbHCqOG6UzGQhd2hamBsdTomrrU0&DbG=_DKdFj - rule_id: 3523
http://www.talleresmulticar.com/wufn/
http://www.reshemporium.com/wufn/
http://www.cummingsforum.com/wufn/ - rule_id: 3523
http://www.reshemporium.com/wufn/?b6=wp/rTAq+nefw0Ut8gBAFiAOZsxmfnTEjPBWm4zxzbrCD8Q+PSp7/6kESKmxQvFdTe2TjazgW&DbG=_DKdFj
http://www.talleresmulticar.com/wufn/?b6=Zc0zQFnrMcwVTscPp4D3wnK22drhHRSNJ7F8xfTSBTL6y4OaZRoxz+uo8RGanShoJ1lpBNes&DbG=_DKdFj
http://www.zwq.xyz/wufn/?b6=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&DbG=_DKdFj - rule_id: 3226
http://www.feathertiara.net/wufn/
http://www.mimortgageexpert.com/wufn/?b6=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&DbG=_DKdFj - rule_id: 2911
http://www.mimortgageexpert.com/wufn/ - rule_id: 2911
http://www.zwq.xyz/wufn/ - rule_id: 3226
http://www.gaigoilaocai.com/wufn/?b6=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&DbG=_DKdFj - rule_id: 2912
DNS (17):
www.theforumonline.com(69.163.228.182)
www.mimortgageexpert.com(100.24.208.97)
www.zwq.xyz(103.139.0.32)
www.neosinder.com()
www.talleresmulticar.com(35.214.181.99)
www.feathertiara.net(154.220.112.199)
www.gaigoilaocai.com(104.21.84.71)
www.organicdiscover.com()
www.reshemporium.com(34.102.136.180)
www.cummingsforum.com(34.102.136.180)
103.139.0.32 - malicious
69.163.228.182
35.214.181.99
34.102.136.180 - malicious
154.220.112.199
100.24.208.97
104.21.84.71
IDS alerts (2):
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (8):
http://www.gaigoilaocai.com/wufn/
http://www.cummingsforum.com/wufn/
http://www.cummingsforum.com/wufn/
http://www.zwq.xyz/wufn/
http://www.mimortgageexpert.com/wufn/
http://www.mimortgageexpert.com/wufn/
http://www.zwq.xyz/wufn/
http://www.gaigoilaocai.com/wufn/
Score: 8.8 | M | 30 | ZeroCERT

42830 | 2021-08-17 09:54
File: bHiq3IZ1xoLA.php | MD5: ffc642eb82de920453e88f647fb4c246
Tags: Malicious Packer Malicious Library PE File DLL PE32 unpack itself Windows crashed
Score: 1.6 | | | ZeroCERT

42831 | 2021-08-17 09:48
File: dow.exe | MD5: fc610878793ee9ee26ed44da1549f4f8
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
HTTP requests (8):
http://www.mimortgageexpert.com/wufn/?zZhxv2=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&U6ht=NvsduruhTd5tbZY - rule_id: 2911
http://www.gaigoilaocai.com/wufn/ - rule_id: 2912
http://www.hk6628.com/wufn/ - rule_id: 2909
http://www.gaigoilaocai.com/wufn/?zZhxv2=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&U6ht=NvsduruhTd5tbZY - rule_id: 2912
http://www.martabaroagency.com/wufn/ - rule_id: 2915
http://www.martabaroagency.com/wufn/?zZhxv2=r0PGHSY2SUcZB8VeRTqckmU+v7wbtMF1fJATAoKMkp5jXhuYZ6C7mu0EbtSkXg+d4UfDPRR1&U6ht=NvsduruhTd5tbZY - rule_id: 2915
http://www.hk6628.com/wufn/?zZhxv2=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&U6ht=NvsduruhTd5tbZY - rule_id: 2909
http://www.mimortgageexpert.com/wufn/ - rule_id: 2911
DNS (13):
www.collegevillepaareahomes.com() - malicious
www.martabaroagency.com(185.14.56.84)
www.mimortgageexpert.com(100.24.208.97)
www.hk6628.com(34.102.136.180)
www.organicdiscover.com()
www.chinanl168.com() - malicious
www.gaigoilaocai.com(172.67.187.204)
www.cuadorcoast.com(156.231.25.88)
156.231.25.88 - malicious
34.102.136.180 - malicious
185.14.56.84 - malicious
100.24.208.97
104.21.84.71
IDS alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (8):
http://www.mimortgageexpert.com/wufn/
http://www.gaigoilaocai.com/wufn/
http://www.hk6628.com/wufn/
http://www.gaigoilaocai.com/wufn/
http://www.martabaroagency.com/wufn/
http://www.martabaroagency.com/wufn/
http://www.hk6628.com/wufn/
http://www.mimortgageexpert.com/wufn/
Score: 9.6 | M | 27 | ZeroCERT

42832 | 2021-08-17 09:45
File: planes.exe | MD5: fa98ed9794e56f5598319a77831d6339
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) Antivirus AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Score: 9.8 | M | 26 | ZeroCERT

42833 | 2021-08-17 09:43
File: zxcvb.exe | MD5: 2cae1b3be4c37e8f0ca5dac99dbbac17
Tags: PWS Loki[b] Loki.m RAT Gen1 Gen2 Generic Malware UPX Malicious Library Malicious Packer DNS Socket KeyLogger HTTP Internet API ScreenShot Http API Steal credential AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL OS Processor Check GIF Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password
HTTP requests (13):
http://kullasa.ac.ug/nss3.dll
http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/d657180f13db0ff9b8ee6da6bdfe300a7ea52ed9
http://kullasa.ac.ug/msvcp140.dll
http://kullasa.ac.ug/
http://myproskxa.ac.ug/index.php
http://185.163.45.248/
http://kullasa.ac.ug/vcruntime140.dll
http://kullasa.ac.ug/softokn3.dll
http://kullasa.ac.ug/mozglue.dll
http://185.163.45.248//l/f/VAuJUXsBPvGyIjkLtOpJ/cd7c869b70884aeb0988dc2ac3b497411564fd4d
http://kullasa.ac.ug/main.php
http://kullasa.ac.ug/sqlite3.dll
http://kullasa.ac.ug/freebl3.dll
DNS (6):
kullasa.ac.ug(185.215.113.77)
myproskxa.ac.ug(185.215.113.77)
telete.in(195.201.225.248) - malicious
195.201.225.248 - malicious
185.215.113.77 - malware
185.163.45.248
IDS alerts (8):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score: 24.4 | M | 15 | ZeroCERT

42834 | 2021-08-17 09:42
File: vbc.exe | MD5: 3244a92cbba0f5edcae4ea2f2f0d1b7d
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware unpack itself RCE
Score: 2.0 | M | 32 | ZeroCERT

42835 | 2021-08-17 09:40
File: .wininit.exe | MD5: 73c3916832698d6d47cde8593d7816f8
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
HTTP requests (2):
http://www.clansix.xyz/ixwn/?tXU=HKquMzrDdPUL5WCzLxokwwg1M44kElHO2J0O+BGWZnhJatCoGneWRy54iWfWyTz0dcXiGEhv&UlSp=GVgTURZ0B4_lZB
http://www.clansix.xyz/ixwn/
DNS (4):
www.clansix.xyz(199.59.242.153) - malicious
www.china-zhongzhi.com(45.192.251.62)
199.59.242.153 - malicious
45.192.251.62
IDS alerts (2):
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 10.0 | M | 40 | ZeroCERT

42836 | 2021-08-17 09:36
File: mazx.exe | MD5: 1423f1e7d436fa26d50fd804f5b93431
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
HTTP requests (3):
http://www.alphamillls.com/mxwf/?D8k8=8vU0MhDguONSVZAFdaETy8wVZ8V0psLBFo6hXJA6TygAJBDGiYZVt84widBx7fwwbqBQDNAu&uTxXA=Apm8lx
http://www.orders-cialis.info/mxwf/?D8k8=5ldtLAd4WjWQpBn2D9at1Sp5llf8TUCQYgmbUZbfSF6mwcPpZP54RYPSSKh/3i002J3HIC53&uTxXA=Apm8lx
http://www.sierp.com/mxwf/?D8k8=Ao4ZudGNGCCq/bz1F1jp8r1nNp3jUASgPiEiflfcY9lwBGukS/0V2qMMjZrQt7h4MdjTjHfn&uTxXA=Apm8lx - rule_id: 3878
DNS (6):
www.orders-cialis.info(161.97.100.26)
www.sierp.com(52.58.78.16)
www.alphamillls.com(2.57.90.16)
52.58.78.16 - malicious
2.57.90.16 - malicious
161.97.100.26
IDS alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (1):
http://www.sierp.com/mxwf/
Score: 8.2 | M | 24 | ZeroCERT

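The FormBook-tagged records above share one request shape, GET http://www.<domain>/<token>/?<key>=<opaque blob>&<key2>=<short id>, and differ in the path token: the three dow*.exe samples (42827, 42829, 42831) all beacon to /wufn/ and overlap in domains, while .wininit.exe (42835) uses /ixwn/ and mazx.exe (42836) uses /mxwf/. The listing also shows that the opaque blob follows the host rather than the sample (the zwq.xyz value in 42827 is byte-identical to the one in 42829 although the parameter names and the second value change), which makes it a second pivot when the domain lists only partly overlap. The script below is an added example, not part of the original listing nor of the ZeroCERT/malwares.com tooling. It parses "HTTP requests" cells in the listing's own text format, clusters samples by path token, reports hosts and blobs shared across samples, collects the rule_id matches, and applies a shape heuristic modelled on the visible URLs (it is not the content of the ET signature and is meant as a pivot, not a verdict). The embedded input is a constructed subset of the cells above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of the "HTTP requests" cells from records
# 42827, 42829, 42831, 42835 and 42836 above, copied in the listing's own
# format (whitespace-separated URLs, each optionally followed by " - rule_id: NNNN").
LISTING = {
    "42827": (
        "http://www.setadragon.com/wufn/?wPT=p6EPLUx6SmQWyT0aKUYWey1/moK0HCihbvuUxAKosV5aIj7OYHg92cDuRvb6vmm9eY3daRqd&oXN=6lSd02cp - rule_id: 3486 "
        "http://www.theforumonline.com/wufn/ "
        "http://www.zwq.xyz/wufn/?wPT=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&oXN=6lSd02cp - rule_id: 3226"
    ),
    "42829": (
        "http://www.theforumonline.com/wufn/?b6=oMJPIIffiJ/xnzh2dmE4H4v++ePVGdJ47Cs+qN5CdohcdEg0FINWW3sNxjaQaIOEvkNj7L2f&DbG=_DKdFj "
        "http://www.zwq.xyz/wufn/?b6=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&DbG=_DKdFj - rule_id: 3226 "
        "http://www.mimortgageexpert.com/wufn/?b6=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&DbG=_DKdFj - rule_id: 2911"
    ),
    "42831": (
        "http://www.mimortgageexpert.com/wufn/?zZhxv2=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&U6ht=NvsduruhTd5tbZY - rule_id: 2911 "
        "http://www.hk6628.com/wufn/ - rule_id: 2909"
    ),
    "42835": (
        "http://www.clansix.xyz/ixwn/?tXU=HKquMzrDdPUL5WCzLxokwwg1M44kElHO2J0O+BGWZnhJatCoGneWRy54iWfWyTz0dcXiGEhv&UlSp=GVgTURZ0B4_lZB "
        "http://www.clansix.xyz/ixwn/"
    ),
    "42836": "http://www.sierp.com/mxwf/?D8k8=Ao4ZudGNGCCq/bz1F1jp8r1nNp3jUASgPiEiflfcY9lwBGukS/0V2qMMjZrQt7h4MdjTjHfn&uTxXA=Apm8lx - rule_id: 3878",
}

CELL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")           # short path token such as /wufn/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64-looking first value

def parse_query(raw):
    """Raw (key, value) pairs; parse_qsl is avoided because it would turn
    '+' into a space inside the blobs and break byte-exact comparison."""
    return [tuple(p.partition("=")[::2]) for p in raw.split("&") if p]

def parse_cell(cell):
    """One listing cell -> list of request dicts (url, host, path, query, rule_id)."""
    reqs = []
    for url, rule in CELL_RE.findall(cell):
        parts = urlsplit(url)
        reqs.append({"url": url, "host": parts.hostname, "path": parts.path,
                     "query": parse_query(parts.query),
                     "rule_id": int(rule) if rule else None})
    return reqs

def parse_listing(listing):
    return {sid: parse_cell(cell) for sid, cell in listing.items()}

def looks_like_checkin(req):
    """Shape heuristic for the check-in GET seen in this listing:
    /<token>/?<k1>=<long blob>&<k2>=<short id>. Modelled on the listed URLs,
    not on the ET signature, so a hit is a pivot rather than a verdict."""
    if not PATH_RE.match(req["path"]) or len(req["query"]) != 2:
        return False
    (_, blob), (_, ident) = req["query"]
    return bool(BLOB_RE.match(blob)) and 0 < len(ident) <= 16

def cluster_by_path(reqs_by_sample):
    """Sample IDs grouped by the URI path they beacon to."""
    clusters = defaultdict(set)
    for sid, reqs in reqs_by_sample.items():
        for r in reqs:
            clusters[r["path"]].add(sid)
    return dict(clusters)

def shared_hosts(reqs_by_sample, path):
    """Hosts contacted under `path` by more than one sample."""
    seen = defaultdict(set)
    for sid, reqs in reqs_by_sample.items():
        for r in reqs:
            if r["path"] == path:
                seen[r["host"]].add(sid)
    return {h: s for h, s in seen.items() if len(s) > 1}

def blob_reuse(reqs_by_sample):
    """Hosts whose first query value is byte-identical across samples; in this
    listing the blob follows the host while key names and the second value
    change per sample, so it pivots even when domain lists differ."""
    seen = defaultdict(set)
    for sid, reqs in reqs_by_sample.items():
        for r in reqs:
            if looks_like_checkin(r):
                seen[(r["host"], r["query"][0][1])].add(sid)
    return {host: s for (host, _), s in seen.items() if len(s) > 1}

def rule_hits(reqs_by_sample):
    """Distinct (rule_id, host) pairs the listing flagged, sorted by rule."""
    return sorted({(r["rule_id"], r["host"]) for reqs in reqs_by_sample.values()
                   for r in reqs if r["rule_id"] is not None})

if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    print(cluster_by_path(parsed), shared_hosts(parsed, "/wufn/"),
          blob_reuse(parsed), rule_hits(parsed), sep="\n")
```

Run against the full cells rather than the subset and the /wufn/ cluster grows to the whole domain list (theforumonline.com, talleresmulticar.com, zwq.xyz between 42827 and 42829; mimortgageexpert.com and gaigoilaocai.com between 42829 and 42831). Keep the values raw when feeding this from a SIEM or proxy log too: any URL-decoding step that maps '+' to a space will silently break the blob comparison.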
42837 | 2021-08-17 09:34
File: plugmanzx.exe | MD5: ec9dc86cbda5ad0a0b6c79654e361642
Tags: Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
DNS (2):
blackbladeinc52.ddns.net(103.147.185.89)
103.147.185.89
IDS alerts (2):
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET MALWARE Possible NanoCore C2 60B
Score: 14.2 | M | 30 | ZeroCERT

42838 | 2021-08-17 09:33
File: sufile.exe | MD5: 0ca116299ae13d37e2368d09f208fd2d
Tags: UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
Score: 2.6 | M | 42 | ZeroCERT

42839 | 2021-08-17 09:26
File: unknown.exe | MD5: fe51eac852001236448794e51ba22956
Tags: RAT PWS .NET framework Generic Malware PE File .NET EXE PE32 suspicious privilege MachineGuid Check memory Checks debugger unpack itself ComputerName
Score: 1.6 | | | ZeroCERT

42840 | 2021-08-17 09:25
File: Simplydisk_TPEB_Tariff_CtoC_16... | MD5: fd7075efa74442ec550ba1b0613f0db3
Tags: Malicious Packer Malicious Library PE File DLL PE32 VirusTotal Malware Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities suspicious process Tofsee Windows ComputerName crashed
HTTP requests (5):
https://cdn.discordapp.com/attachments/876792192524501045/876810977381847040/222_mod.dll
https://cdn.discordapp.com/attachments/876792192524501045/876811276905480202/222_mod.dll
https://beklear.net/wp-content/plugins/nhpakbigch/9YfqVdDVOAG.php
https://cdn.discordapp.com/attachments/876792192524501045/876811874048565268/222_mod.dll
https://cdn.discordapp.com/attachments/876792192524501045/876811523593482320/222_mod.dll
DNS (4):
beklear.net(172.67.197.185)
cdn.discordapp.com(162.159.129.233) - malware
104.21.84.227
162.159.129.233 - malware
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.2 | | 9 | ZeroCERT