| 7411 |
2021-04-20 09:38
|
qtPrQU1KxWmlfKW.exe 2462f3500619d7caeb9ad8bc02e6bf0c
Malicious Packer Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
15.4 |
M |
38 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7412 |
2021-04-20 09:40
|
 Wvlvhrl.pdf 149b0568e10ba3994c5c88440221fb2e
Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName crashed Password |
12
http://vtqt.xyz/5.jpg
http://vtqt.xyz/7.jpg
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://vtqt.xyz/1.jpg
http://vtqt.xyz/
http://vtqt.xyz/3.jpg
http://vtqt.xyz/2.jpg
http://vtqt.xyz/4.jpg
http://vtqt.xyz/6.jpg
http://vtqt.xyz/main.php
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
https://yoursite.com/
|
6
www.yoursite.com(172.67.133.191)
vtqt.xyz(45.133.1.27)
yoursite.com(104.21.14.15)
104.21.14.15
172.67.133.191
45.133.1.27
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
|
|
17.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7413 |
2021-04-20 09:40
|
 Mwjhem.pdf e3fb74ce4008f4d48cefbb730b6885a8FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS crashed |
8
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://www.chuhuu.com/spj6/?lhrLe=Sxo0xBu&EzrxB8oP=HjZyYsEZkwTC3D6yfhbMvXvrICKZ6yzTSz6vbOxKOKI1sAKeMZ8KkrJERMC6cBIgeMpULGI+
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://www.my-watch-strap.com/spj6/?lhrLe=Sxo0xBu&EzrxB8oP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX - rule_id: 1041
http://www.arsenismiaris.com/spj6/
http://www.my-watch-strap.com/spj6/ - rule_id: 1041
http://www.arsenismiaris.com/spj6/?EzrxB8oP=W+TzzxrzpAEFDFY3LS6IakzfITsHQ7mmEWozbE2zKffof0ZTrW2ibB75GbdT4oJXstOPeBkx&lhrLe=Sxo0xBu
http://www.chuhuu.com/spj6/
|
8
www.arsenismiaris.com(185.138.42.109)
www.chuhuu.com(23.227.38.74)
www.my-watch-strap.com(192.0.78.25)
www.cougarjack.net(161.77.93.90)
161.77.93.90
185.138.42.109
192.0.78.24 - mailcious
23.227.38.74 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.my-watch-strap.com/spj6/
http://www.my-watch-strap.com/spj6/
|
11.2 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7414 |
2021-04-20 09:40
|
 winlog.exe e0510b1d4dae20508467f238ba1e338e
AsyncRAT backdoor Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://bncoporations.tk/Bn2/fre.php
|
3
bncoporations.tk(172.67.185.63)
172.67.188.154
172.67.185.63
|
9
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to a *.tk domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET DNS Query to a .tk domain - Likely Hostile
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
14.4 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7415 |
2021-04-20 09:42
|
 Iyjomdb_Signed_.xls bebcbeef93c5ee64473336c98c6a13c4VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted RWX flags setting unpack itself Tofsee Interception Windows ComputerName DNS Cryptographic key crashed |
1
https://cdn.discordapp.com/attachments/775608373949235243/781771882017456178/Iyjobgr
|
5
discord.com(162.159.137.232) - mailcious
cdn.discordapp.com(162.159.133.233) - malware
162.159.136.232
162.159.135.233 - malware
104.21.19.200
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7416 |
2021-04-20 09:43
|
bin.pdf b4e443daba6d844cfaba63ca17ff5a09
Formbook FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
5
http://www.jackaldenryan.com/mjl/?1b8dslL=g6sPTNAL3mgpCWQ0FRZuVL/7WYiLDVS6v9pwOWJd1ASbxl44Tk/PEy/C5rbWI6WVrSdNiFU2&k2JxtP=fDKHaJePn
http://www.andreaventuroli.com/mjl/?1b8dslL=iJGKWFISZwSQg1uLjy3GkPfo0AvRDfMSkJjwfGPjpuhJRlweQ3FR0Icj/jcdMUWRXeAPcTxv&k2JxtP=fDKHaJePn
http://www.xn--4dbaigbvbe5b1a.net/mjl/?1b8dslL=5HBX4bLa6Nqegwwf+l3UdImug3s9XEBTL79kquwqULDyMYaAAcTGHmytCjfqntwnW8ZNuJlg&k2JxtP=fDKHaJePn
http://www.xsgtt.com/mjl/?1b8dslL=dlM18t5DF/C/Um8XUcV6tj6m52x7562KI247WUVPw5JGFAFaqNpU1mEgFqVzn1+hpoA+i8IG&k2JxtP=fDKHaJePn
http://www.assetscheck.com/mjl/?1b8dslL=eHo9oDo6Dce2KnqRhnYWkSypmDh+II/af8BPDJ4zOyOf2pyLycYOWkKzqo++M1zWRpdqTBjf&k2JxtP=fDKHaJePn
|
10
www.assetscheck.com(52.58.78.16)
www.xn--4dbaigbvbe5b1a.net(62.219.58.175)
www.andreaventuroli.com(50.31.176.181)
www.xsgtt.com(107.165.127.77)
www.jackaldenryan.com(104.21.50.29)
50.31.176.181
52.58.78.16 - mailcious
107.165.127.77
62.219.58.175
172.67.155.220
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.2 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7417 |
2021-04-20 09:44
|
 Zyxtp.pdf 2e2eba416b6ec3efaace0621e8e229d2FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs DNS crashed |
2
http://www.modernhub.info/mjl/?a6A=uph66JHsrNVGNCUaXy0CRaDonNXmoVh5zRt9w73BPeoSWHKtSCbsdH+sd/A90mvTrlKFb7J4&D8S=_FNl6X
http://www.stepsaudio.com/mjl/?a6A=5wA6ZAfOhSAkV9Q9C20cfTWDZDzzvC3eb7hTznAwP1bSJTbPDs7MPorxTKzxE4iNuImjDaAD&D8S=_FNl6X
|
4
www.stepsaudio.com(45.93.101.93)
www.modernhub.info(34.102.136.180)
45.93.101.93
34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.2 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7418 |
2021-04-20 09:46
|
 Zeqenylvg.pdf d20d0d39b52c812da0ae519d68aa889b
Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
10
http://45.144.225.201/5.jpg
http://45.144.225.201/7.jpg
http://45.144.225.201/main.php
http://45.144.225.201/1.jpg
http://45.144.225.201/
http://45.144.225.201/3.jpg
http://45.144.225.201/2.jpg
http://45.144.225.201/4.jpg
http://45.144.225.201/6.jpg
https://yoursite.com/
|
5
www.yoursite.com(172.67.133.191)
yoursite.com(104.21.14.15)
104.21.14.15
172.67.133.191
45.144.225.201 - mailcious
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.2 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7419 |
2021-04-20 09:48
|
 Zzsvkpq.pdf 542f3ea693d61187bd10db0376a6b3e7
Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
10
http://osiq.club/main.php
http://osiq.club/3.jpg
http://osiq.club/1.jpg
http://osiq.club/2.jpg
http://osiq.club/6.jpg
http://osiq.club/4.jpg
http://osiq.club/
http://osiq.club/7.jpg
http://osiq.club/5.jpg
https://yoursite.com/
|
5
www.yoursite.com(104.21.14.15)
osiq.club(45.133.1.27)
yoursite.com(172.67.133.191)
172.67.133.191
45.133.1.27
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.0 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7420 |
2021-04-20 11:26
|
 DqPW3xsn1NfCPt4.exe fb9576c5e5f4cbfc8c4a754c6ffdfb81
Generic Malware VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
12.2 |
M |
36 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7421 |
2021-04-20 15:23
|
 word.exe bfe860c06b77a5a1525654be5187d336VirusTotal Malware unpack itself sandbox evasion |
|
|
|
|
3.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7422 |
2021-04-20 15:50
|
setupapp.exe 73eb70ca5994df6e2766bb5b799f04ecVirusTotal Malware suspicious privilege WMI unpack itself Tofsee ComputerName DNS |
5
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=7AbuFcy6rVsv90SWbhZYjX%2F1l2smGDcgr940AwiIF4k%3D&spr=https&se=2021-04-21T07%3A12%3A02Z&rscl=x-e2eid-d85b51fb-5af2448b-86391750-db8470b1-session-1ebff91c-856e4d36-a4b4e0af-5a74b6de
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=9UUozfiE%2FOpxeeckU6eKE51prLyA7vjOQSQhv8%2F4Goc%3D&spr=https&se=2021-04-21T07%3A35%3A45Z&rscl=x-e2eid-1750f897-21ec47fd-858b9192-280e65c5-session-4d66908c-74d44857-ac54d7ee-2d4cedfc
https://msdl.microsoft.com/download/symbols/index2.txt
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
|
16
sndvoices.com(172.67.216.130)
cd525338-6a0f-400b-a98a-ae23e317d921.sndvoices.com()
vsblobprodscussu5shard10.blob.core.windows.net(20.150.39.196)
fotamene.com(172.67.128.242) - malware
spolaect.info(172.67.161.225)
msdl.microsoft.com(204.79.197.219)
lalemada.info(172.67.207.106)
vsblobprodscussu5shard58.blob.core.windows.net(13.84.56.16)
server10.sndvoices.com(172.67.216.130)
204.79.197.219
172.67.207.106
13.84.56.16
104.21.16.228
172.67.161.225
104.21.1.88
20.150.39.196
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7423 |
2021-04-20 15:56
|
Indian Cooking Recipe.doc 8c940517b09b4483abbf01905fea95bcVulnerability VirusTotal Malware buffers extracted exploit crash unpack itself Exploit crashed |
|
|
|
|
4.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7424 |
2021-04-20 16:01
|
 참가신청서양식.doc ed9aa858ba2c4671ca373496a4dd05d4
VBA_macro Vulnerability VirusTotal Malware unpack itself |
|
|
|
|
3.8 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7425 |
2021-04-20 16:08
|
Indian Cooking Recipe.doc 8c940517b09b4483abbf01905fea95bcVulnerability VirusTotal Malware buffers extracted exploit crash unpack itself Exploit crashed |
|
|
|
|
4.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|