7981 | 2021-05-12 10:05 | client1122.exe | 7bf8da9ae283c60e226852fee7ad3d94 | AsyncRAT backdoor .NET EXE PE File PE32 GIF Format VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW Firewall state off VM Disk Size Check Ransomware Windows ComputerName DNS crashed | 14.6 | M | 51 | ZeroCERT

7982 | 2021-05-12 10:06 | document.txt | efc7d9d7dc23103bf17976ebdb444aa6 | AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS | 3.8 | M | 30 | ZeroCERT
  URLs (2):
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-609AC0E067ACFE44F4F0AC18503914A6.html - rule_id: 680
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-54B563C56CAD1112B6E6B71A2C0615C6.html - rule_id: 680
  Hosts (2):
    asdcqwdwqx.gq(172.67.160.253) - mailcious
    172.67.160.253
  IDS alerts (1):
    ET INFO DNS Query for Suspicious .gq Domain
  Other URLs (2):
    http://asdcqwdwqx.gq/liverpool-fc-news/
    http://asdcqwdwqx.gq/liverpool-fc-news/

7983 | 2021-05-12 10:08 | RFQ ARN-PO-2020-11-00073 MINE.... | ef7d61928153c7ac6dc3d692e9c42fcc | VirusTotal Malware exploit crash unpack itself Exploit DNS crashed | 1 | 4.2 | | 27 | ZeroCERT

7984 | 2021-05-12 10:12 | slot Charges.exe | 5830b69895c4f5b70d2f5c94cd718fa6 | PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder | 6.0 | | 40 | ZeroCERT
  URLs (10):
    http://www.ultimatepoolwater.com/u8nw/
    http://www.rafbar.com/u8nw/?ArR=GTZNlL4srifKV7o+w2siTAOBcwC+lUBY5oxqGvkubCu3nseBJgD5e0+L6/JLHdvG2vg5MIvg&I6A=4hLpNJ
    http://www.bloodtypealpha.com/u8nw/
    http://www.lifehakershagirl.online/u8nw/?ArR=EXiYcxo4bbCmOiu8jraNZMcl9Xa41Px+Bk+bYaDVKnF62kAJD39G59r42R29jKW5593tei3D&I6A=4hLpNJ
    http://www.customessayjojo.com/u8nw/?ArR=VD0G0CGdCcqSJGj9F5ozBooVoq7ayOcemun/I6O/ytbQ1s6HP9Wd06MBA5a//0vZR3htC47K&I6A=4hLpNJ
    http://www.bloodtypealpha.com/u8nw/?ArR=yoc8xqwT44MyZdAyBAA1pFVBjk8JhV1KxJr6rO/M4XaWItqc4FsSwgggqnIeqmBydcMzsW89&I6A=4hLpNJ
    http://www.ultimatepoolwater.com/u8nw/?ArR=5pV3Y3LQlTAHcxwnvg+J5bdrE68HsxNUtav1EpPN7ScspS4D4Pk/4j83n4j7zgJV+i3d5aNd&I6A=4hLpNJ
    http://www.lifehakershagirl.online/u8nw/
    http://www.customessayjojo.com/u8nw/
    http://www.rafbar.com/u8nw/
  Hosts (16):
    www.lifehakershagirl.online(87.236.16.223)
    www.xtrator.com()
    www.healtybenenfitsplus.com(81.17.18.197)
    www.onyxcomputing.com() - mailcious
    www.bloodtypealpha.com(34.102.136.180)
    www.ebmulla.com(160.122.148.221)
    www.ultimatepoolwater.com(34.75.52.202)
    www.rafbar.com(52.58.78.16)
    www.customessayjojo.com(104.21.12.135)
    52.58.78.16 - mailcious
    34.75.52.202
    104.21.12.135
    34.102.136.180 - mailcious
    87.236.16.223 - mailcious
    81.17.18.197 - suspicious
    160.122.148.221
  IDS alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)

7985 | 2021-05-12 10:13 | Fattura_01120879.xlsm | 5bcdab4ff6b87ec09850a81bb992a58f | VBA_macro VirusTotal Malware unpack itself DNS | 2.4 | | 11 | ZeroCERT

7986 | 2021-05-12 10:17 | driverrom.exe | 3797a11eaffd59ce06f191120eac881b | AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS | 3.8 | M | 38 | ZeroCERT
  URLs (1):
    http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4165CC5DE259A94108011D4CFA1C1F5C.html - rule_id: 1070
  Hosts (2):
    mmwrlridbhmibnr.ml(172.67.220.147) - mailcious
    172.67.220.147 - mailcious
  IDS alerts (1):
    ET INFO DNS Query for Suspicious .ml Domain
  Other URLs (1):
    http://mmwrlridbhmibnr.ml/liverpool-fc-news/

7987 | 2021-05-12 10:17 | stkara.txt | 86ab74265ed0cac9e9978bb2d4d6efee | AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key | 3.6 | M | 41 | ZeroCERT
  URLs (2):
    http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-19EA17DBB1047205D6C99D18DD713B86.html - rule_id: 1151
    http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-0B0B0C91B3E36038AC7C2056F8343973.html - rule_id: 1151
  Hosts (2):
    xwjhdjylqeypyltby.ml(104.21.88.107) - mailcious
    172.67.176.229 - mailcious
  IDS alerts (1):
    ET INFO DNS Query for Suspicious .ml Domain
  Other URLs (2):
    http://xwjhdjylqeypyltby.ml/liverpool-fc-news/
    http://xwjhdjylqeypyltby.ml/liverpool-fc-news/

7988 | 2021-05-12 10:19 | stoniko.txt | e085bf8e3657e12192d0932da7855217 | AsyncRAT backdoor Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName DNS Cryptographic key | 11.0 | M | 18 | ZeroCERT

7989 | 2021-05-12 10:20 | silenthill.txt | b84fafbb835c20e62de5a658cf6dc0c1 | AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key | 3.2 | M | 28 | ZeroCERT
  URLs (7):
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7A0F151B9D6915262056ECB168561B23.html - rule_id: 680
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EB86A9B74641CA3C83702B5FFCF938E0.html - rule_id: 680
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EAB9BAFC5F7E9E82AE180EFDAD75575B.html - rule_id: 680
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4F49A96AC6F3B36D6E19FA3DABB14F81.html - rule_id: 680
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D7A739907814AA27BE574C07BC8A5CAC.html - rule_id: 680
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-07E38B691A0D0DF5A4AA5DD7D917D1BC.html - rule_id: 680
    http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-63760867A0A2BA86953BF4C49B3AC736.html - rule_id: 680
  Hosts (2):
    asdcqwdwqx.gq(104.21.15.11) - mailcious
    172.67.160.253
  IDS alerts (1):
    ET INFO DNS Query for Suspicious .gq Domain
  Other URLs (7):
    http://asdcqwdwqx.gq/liverpool-fc-news/ (listed 7 times)

7990 | 2021-05-12 10:22 | bella.txt | c6b9737dd5705a2ac1920c5cbac89abf | AgentTesla Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Proc VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName crashed | 12.4 | M | 37 | ZeroCERT
  Hosts (1):
    KxYGnlNPQkvockntKh.KxYGnlNPQkvockntKh()

7991 | 2021-05-12 10:27 | racopp.txt | a73349885f36cdef7315984ad948a1ab | PWS .NET framework Gen1 Gen2 Http API Steal credential ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Collect installed applications AppData folder suspicious TLD installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed | 14.6 | M | 46 | ZeroCERT
  URLs (7):
    http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/2c0e4a92a0d91cd2b863333fd026a43c7b0e00d6
    http://34.89.59.109/
    http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/7896a8713169d4ef7152ec7f2f4c9ea6f1776723
    https://telete.in/hdmiprapor
    https://aven93r.ru/uploads/sync.exe
    https://aven93r.ru/uploads/procexp.exe
    https://aven93r.ru/uploads/bit.exe
  Hosts (5):
    aven93r.ru(172.67.158.218)
    telete.in(195.201.225.248) - mailcious
    172.67.158.218
    195.201.225.248 - mailcious
    34.89.59.109
  IDS alerts (4):
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

7992 | 2021-05-12 12:07 | vbc.exe | fcbe097d79c7051e75b2e5049bef5999 | PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed | 9.2 | M | 21 | ZeroCERT

7993 | 2021-05-12 12:08 | w2mobi.txt | 20faf56c053933d409a50e202c45a633 | AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS | 3.2 | M | 30 | ZeroCERT
  URLs (1):
    http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-19EE49C5700776B030152E36ED2C554F.html - rule_id: 1070
  Hosts (2):
    mmwrlridbhmibnr.ml(104.21.86.143) - mailcious
    104.21.86.143
  IDS alerts (1):
    ET INFO DNS Query for Suspicious .ml Domain
  Other URLs (1):
    http://mmwrlridbhmibnr.ml/liverpool-fc-news/

7994 | 2021-05-12 12:09 | Driveradamson.exe | ccc7803389733e45ce179ae208242269 | AgentTesla AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus Sniff Audio KeyLogger ScreenShot DGA DNS Socket Create Service HTTP Escalate priviledges FTP Code injection Http API Internet API Steal credential Downloader P2P AntiDebug AntiVM VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key | 15.2 | M | 46 | ZeroCERT

7995 | 2021-05-12 12:10 | loadvict.txt | fa2cb0991ac0fb9b2271c41fd7847d03 | AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS | 3.2 | M | 31 | ZeroCERT
  URLs (1):
    http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2AC0FD48514220D588C340E46174F847.html - rule_id: 1070
  Hosts (2):
    mmwrlridbhmibnr.ml(172.67.220.147) - mailcious
    104.21.86.143
  IDS alerts (1):
    ET INFO DNS Query for Suspicious .ml Domain
  Other URLs (1):
    http://mmwrlridbhmibnr.ml/liverpool-fc-news/