7756 |
2021-04-30 09:24
|
5bef7b39fe02eabea2c02612758762... 6f203feba292f1322dae52e76dbf4ce4 VBA_macro VirusTotal Malware Malicious Traffic unpack itself DNS |
|
3
190.14.37.252 - malware 91.211.91.71 - malware 185.82.218.30 - malware
|
|
|
3.6 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7757 |
2021-04-30 09:31
|
s68r0hZ49vns9tk.exe 081bff782d62aebc69b61009e6000ab8 PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
11.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7758 |
2021-04-30 09:31
|
reg.dot d0c491b8eb3ea8f00a93af05ef1b8945 AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
1
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7759 |
2021-04-30 09:32
|
HBankers_Latest.hta 4324831d87b2b6e82e60406c4d07b42cVirusTotal Malware crashed |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
0.6 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7760 |
2021-04-30 09:33
|
280421-z1z.exe 2699077a996951eac7b369b6356ff296 PE File OS Processor Check PE32 VirusTotal Malware unpack itself Remote Code Execution |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
2.0 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7761 |
2021-04-30 09:36
|
8BmVIdYzvSw7AD3.exe 063f5233e489e4b13c2fcc62e1750705 PWS .NET framework AsyncRAT backdoor Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
12.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7762 |
2021-04-30 09:38
|
HBankers_Latest.hta 4324831d87b2b6e82e60406c4d07b42c Antivirus AntiDebug AntiVM MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
https://ia601400.us.archive.org/31/items/bypass_20210428_0905/bypass.txt
|
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7763 |
2021-04-30 09:41
|
redbutton.png 79f0f44a27a3d1bdc7cdd7e7c248fb29 PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://103.54.41.193/tot90/TEST22-PC_W617601.F773CB1B97BB6C3311087FB95D3B54AB/5/kps/
|
4
103.54.41.193 - mailcious 103.66.72.217 - mailcious 154.79.245.158 - mailcious 103.124.173.35
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
7.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7764 |
2021-04-30 09:47
|
Company Details.ppam c8e1760af8a65590d26315a4ff144b62 VBA_macro PNG Format VirusTotal Malware powershell AutoRuns Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Interception Windows ComputerName DNS |
15
http://www.j.mp/ddsobpechateessentesathatesesjdw http://bit.ly/ddsobpechateessentesathatesesjdw https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html https://resources.blogblog.com/img/icon18_edit_allbkg.gif https://resources.blogblog.com/img/icon18_wrench_allbkg.png https://www.blogger.com/static/v1/widgets/1564291244-widgets.js https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js https://www.blogger.com/img/share_buttons_20_3.png https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
|
16
resources.blogblog.com(172.217.31.137) yahameinhunbusorkoinai.blogspot.com(172.217.175.65) google.com(216.58.220.142) ia601409.us.archive.org(207.241.227.129) accounts.google.com(216.58.220.141) bit.ly(67.199.248.10) - mailcious www.j.mp(67.199.248.17) - mailcious www.blogger.com(172.217.175.9) 207.241.227.129 142.250.199.65 142.250.66.109 67.199.248.17 - mailcious 67.199.248.10 - phishing 142.250.204.110 172.217.26.137 142.250.66.41
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7765 |
2021-04-30 09:48
|
cutscroll.png f5c29728fe1f4226a8dc603d788a0a6f PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://103.54.41.193/lib90/TEST22-PC_W617601.8F3740811540BBD5131268335F0573AB/5/kps/
|
2
103.54.41.193 - mailcious 178.134.47.166
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7766 |
2021-04-30 09:48
|
divine11111.html 2eeda876014265c8413ef0e565a96657 AntiDebug AntiVM PNG Format VBScript suspicious privilege MachineGuid Code Injection WMI wscript.exe payload download Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Dropper |
33
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png https://resources.blogblog.com/img/anon36.png https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog https://fonts.googleapis.com/css?family=Open+Sans:300 https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501 https://ia801408.us.archive.org/25/items/defender_202103/defender.txt - rule_id: 971 https://www.blogger.com/static/v1/widgets/1564291244-widgets.js https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff https://www.google-analytics.com/analytics.js https://www.blogger.com/img/share_buttons_20_3.png https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501&bpli=1 https://www.blogger.com/static/v1/v-css/281434096-static_pages.css https://resources.blogblog.com/img/blank.gif https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png https://www.google.com/css/maia.css https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&passive=true&go=true https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700 https://www.blogger.com/img/blogger-logotype-color-black-1x.png https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fyahameinhunbusorkoinai.blogspot.com%2Fp%2Fdivine11111.html&type=blog&bpli=1 https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd https://www.blogger.com/static/v1/jsbin/3544430843-cmt__en_gb.js https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css https://resources.blogblog.com/img/icon18_edit_allbkg.gif https://resources.blogblog.com/img/icon18_wrench_allbkg.png https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&passive=true&go=true https://www.google.com/js/bg/EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c.js
|
19
resources.blogblog.com(172.217.31.137) ia801408.us.archive.org(207.241.228.148) - mailcious www.google.com(172.217.161.68) www.gstatic.com(172.217.174.99) fonts.googleapis.com(172.217.25.106) archive.org(207.241.224.2) - mailcious accounts.google.com(216.58.220.141) www.google-analytics.com(172.217.161.78) fonts.gstatic.com(172.217.175.227) www.blogger.com(172.217.31.137) 172.217.163.234 142.250.204.105 207.241.228.148 - mailcious 142.250.66.35 142.250.66.141 172.217.31.233 172.217.24.68 172.217.163.238 172.217.161.131
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://ia801408.us.archive.org/25/items/defender_202103/defender.txt
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7767 |
2021-04-30 12:04
|
RaptoreumDigger.exe ddf9bb04a39bd8b450d6fb90a146df9c AsyncRAT backdoor PE File OS Processor Check PE64 PDB MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
1.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7768 |
2021-04-30 17:56
|
Project Korvus.exe e4cb6177f54802a8eb50817353622056 Ave Maria WARZONE RAT Antivirus OS Processor Check PE File PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution DNS Cryptographic key |
|
2
rosesfn-49817.portmap.host(193.161.193.99) 193.161.193.99 - mailcious
|
1
ET POLICY DNS Query to a Reverse Proxy Service Observed
|
|
10.8 |
|
52 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7769 |
2021-04-30 17:58
|
s.dot f62c1d955d66e2f33ed7f3abe9a44690 Loki RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
http://107.172.130.145/bh/svch.exe
|
3
meirback.co.uk(104.21.8.2) - mailcious 172.67.156.147 - mailcious
107.172.130.145 - malware
|
12
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://meirback.co.uk/Bn1/fre.php
|
5.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7770 |
2021-04-30 17:59
|
kayx.exe 129e1d37b93430b4bd894b16c53cd6bc AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows crashed |
3
http://www.wirebeevehicles.com/bwk/?EDK8gDR=VOL7UDcQYRljSosxQOYPJG6yJtUQAld58UNriPOjT+IDxU4HyvwawJh1yPzk3AG9OprqJGoe&BZ=E2M4oNPx_Ln http://www.fragrancecollector.com/bwk/?EDK8gDR=LZ0Uj0vFRx/4vDVTGDC73qa8DXiw0WGVyXki5dqgklz7zfTX+bG4IBE0uelYToudE5/XdoAX&BZ=E2M4oNPx_Ln https://www.bing.com/
|
7
www.lovenfys.com() www.wirebeevehicles.com(148.66.138.166) www.fragrancecollector.com(74.208.236.213) www.google.com(172.217.174.100) 74.208.236.213 - mailcious 148.66.138.166 - mailcious 172.217.163.228
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
|
|
10.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|