| 7981 |
2021-05-12 10:05
|
 client1122.exe 7bf8da9ae283c60e226852fee7ad3d94
AsyncRAT backdoor .NET EXE PE File PE32 GIF Format VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW Firewall state off VM Disk Size Check Ransomware Windows ComputerName DNS crashed |
|
|
|
|
14.6 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7982 |
2021-05-12 10:06
|
 document.txt efc7d9d7dc23103bf17976ebdb444aa6
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
2
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-609AC0E067ACFE44F4F0AC18503914A6.html - rule_id: 680
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-54B563C56CAD1112B6E6B71A2C0615C6.html - rule_id: 680
|
2
asdcqwdwqx.gq(172.67.160.253) - mailcious
172.67.160.253
|
1
ET INFO DNS Query for Suspicious .gq Domain
|
2
http://asdcqwdwqx.gq/liverpool-fc-news/
http://asdcqwdwqx.gq/liverpool-fc-news/
|
3.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7983 |
2021-05-12 10:08
|
RFQ ARN-PO-2020-11-00073 MINE.... ef7d61928153c7ac6dc3d692e9c42fccVirusTotal Malware exploit crash unpack itself Exploit DNS crashed |
|
1
|
|
|
4.2 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7984 |
2021-05-12 10:12
|
slot Charges.exe 5830b69895c4f5b70d2f5c94cd718fa6
PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
10
http://www.ultimatepoolwater.com/u8nw/
http://www.rafbar.com/u8nw/?ArR=GTZNlL4srifKV7o+w2siTAOBcwC+lUBY5oxqGvkubCu3nseBJgD5e0+L6/JLHdvG2vg5MIvg&I6A=4hLpNJ
http://www.bloodtypealpha.com/u8nw/
http://www.lifehakershagirl.online/u8nw/?ArR=EXiYcxo4bbCmOiu8jraNZMcl9Xa41Px+Bk+bYaDVKnF62kAJD39G59r42R29jKW5593tei3D&I6A=4hLpNJ
http://www.customessayjojo.com/u8nw/?ArR=VD0G0CGdCcqSJGj9F5ozBooVoq7ayOcemun/I6O/ytbQ1s6HP9Wd06MBA5a//0vZR3htC47K&I6A=4hLpNJ
http://www.bloodtypealpha.com/u8nw/?ArR=yoc8xqwT44MyZdAyBAA1pFVBjk8JhV1KxJr6rO/M4XaWItqc4FsSwgggqnIeqmBydcMzsW89&I6A=4hLpNJ
http://www.ultimatepoolwater.com/u8nw/?ArR=5pV3Y3LQlTAHcxwnvg+J5bdrE68HsxNUtav1EpPN7ScspS4D4Pk/4j83n4j7zgJV+i3d5aNd&I6A=4hLpNJ
http://www.lifehakershagirl.online/u8nw/
http://www.customessayjojo.com/u8nw/
http://www.rafbar.com/u8nw/
|
16
www.lifehakershagirl.online(87.236.16.223)
www.xtrator.com()
www.healtybenenfitsplus.com(81.17.18.197)
www.onyxcomputing.com() - mailcious
www.bloodtypealpha.com(34.102.136.180)
www.ebmulla.com(160.122.148.221)
www.ultimatepoolwater.com(34.75.52.202)
www.rafbar.com(52.58.78.16)
www.customessayjojo.com(104.21.12.135)
52.58.78.16 - mailcious
34.75.52.202
104.21.12.135
34.102.136.180 - mailcious
87.236.16.223 - mailcious
81.17.18.197 - suspicious
160.122.148.221
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
6.0 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7985 |
2021-05-12 10:13
|
 Fattura_01120879.xlsm 5bcdab4ff6b87ec09850a81bb992a58f
VBA_macro VirusTotal Malware unpack itself DNS |
|
|
|
|
2.4 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7986 |
2021-05-12 10:17
|
 driverrom.exe 3797a11eaffd59ce06f191120eac881b
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4165CC5DE259A94108011D4CFA1C1F5C.html - rule_id: 1070
|
2
mmwrlridbhmibnr.ml(172.67.220.147) - mailcious
172.67.220.147 - mailcious
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/
|
3.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7987 |
2021-05-12 10:17
|
 stkara.txt 86ab74265ed0cac9e9978bb2d4d6efee
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key |
2
http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-19EA17DBB1047205D6C99D18DD713B86.html - rule_id: 1151
http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0B0B0C91B3E36038AC7C2056F8343973.html - rule_id: 1151
|
2
xwjhdjylqeypyltby.ml(104.21.88.107) - mailcious
172.67.176.229 - mailcious
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
2
http://xwjhdjylqeypyltby.ml/liverpool-fc-news/
http://xwjhdjylqeypyltby.ml/liverpool-fc-news/
|
3.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7988 |
2021-05-12 10:19
|
 stoniko.txt e085bf8e3657e12192d0932da7855217
AsyncRAT backdoor Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
|
|
|
11.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7989 |
2021-05-12 10:20
|
 silenthill.txt b84fafbb835c20e62de5a658cf6dc0c1
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key |
7
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7A0F151B9D6915262056ECB168561B23.html - rule_id: 680
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EB86A9B74641CA3C83702B5FFCF938E0.html - rule_id: 680
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EAB9BAFC5F7E9E82AE180EFDAD75575B.html - rule_id: 680
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4F49A96AC6F3B36D6E19FA3DABB14F81.html - rule_id: 680
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D7A739907814AA27BE574C07BC8A5CAC.html - rule_id: 680
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-07E38B691A0D0DF5A4AA5DD7D917D1BC.html - rule_id: 680
http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-63760867A0A2BA86953BF4C49B3AC736.html - rule_id: 680
|
2
asdcqwdwqx.gq(104.21.15.11) - mailcious
172.67.160.253
|
1
ET INFO DNS Query for Suspicious .gq Domain
|
7
http://asdcqwdwqx.gq/liverpool-fc-news/
http://asdcqwdwqx.gq/liverpool-fc-news/
http://asdcqwdwqx.gq/liverpool-fc-news/
http://asdcqwdwqx.gq/liverpool-fc-news/
http://asdcqwdwqx.gq/liverpool-fc-news/
http://asdcqwdwqx.gq/liverpool-fc-news/
http://asdcqwdwqx.gq/liverpool-fc-news/
|
3.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7990 |
2021-05-12 10:22
|
 bella.txt c6b9737dd5705a2ac1920c5cbac89abf
AgentTesla Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Proc VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName crashed |
|
1
KxYGnlNPQkvockntKh.KxYGnlNPQkvockntKh()
|
|
|
12.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7991 |
2021-05-12 10:27
|
 racopp.txt a73349885f36cdef7315984ad948a1ab
PWS .NET framework Gen1 Gen2 Http API Steal credential ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Collect installed applications AppData folder suspicious TLD installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed |
7
http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/2c0e4a92a0d91cd2b863333fd026a43c7b0e00d6
http://34.89.59.109/
http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/7896a8713169d4ef7152ec7f2f4c9ea6f1776723
https://telete.in/hdmiprapor
https://aven93r.ru/uploads/sync.exe
https://aven93r.ru/uploads/procexp.exe
https://aven93r.ru/uploads/bit.exe
|
5
aven93r.ru(172.67.158.218)
telete.in(195.201.225.248) - mailcious
172.67.158.218
195.201.225.248 - mailcious
34.89.59.109
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7992 |
2021-05-12 12:07
|
 vbc.exe fcbe097d79c7051e75b2e5049bef5999
PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed |
|
|
|
|
9.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7993 |
2021-05-12 12:08
|
 w2mobi.txt 20faf56c053933d409a50e202c45a633
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-19EE49C5700776B030152E36ED2C554F.html - rule_id: 1070
|
2
mmwrlridbhmibnr.ml(104.21.86.143) - mailcious
104.21.86.143
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/
|
3.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7994 |
2021-05-12 12:09
|
 Driveradamson.exe ccc7803389733e45ce179ae208242269
AgentTesla AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus Sniff Audio KeyLogger ScreenShot DGA DNS Socket Create Service HTTP Escalate priviledges FTP Code injection Http API Internet API Steal credential Downloader P2P AntiDebug AntiVM VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
|
|
|
15.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7995 |
2021-05-12 12:10
|
 loadvict.txt fa2cb0991ac0fb9b2271c41fd7847d03
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2AC0FD48514220D588C340E46174F847.html - rule_id: 1070
|
2
mmwrlridbhmibnr.ml(172.67.220.147) - mailcious
104.21.86.143
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/
|
3.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|