| 7996 |
2021-05-12 12:12
|
 Wurlies.txt 03c03933b86d29746d552924c98716f2
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-07ECAFF71F1BA5DD99BA2A8FC48898B0.html - rule_id: 1070
|
2
mmwrlridbhmibnr.ml(172.67.220.147) - mailcious
104.21.86.143
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/
|
3.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7997 |
2021-05-12 12:12
|
 mobii.txt aa94a9e0f856bbe5195e5e721fe8b532
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key |
7
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EEC279DBCBA0C0CE17E741F5C0B1F0BE.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E81034F64EBA344DC31E3E3D72E849B5.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E2304DCD5B5C3352E705442E9DABC84C.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-307E578725C4F3AA44F824BA2753FDB2.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7D77BFB8D680A99A3DEC3EF11B63CBC1.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-00C6707A4C3680722D987A5BB7114B0B.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-16116FCB016B7CAA5050F3DB0E637327.html - rule_id: 1176
|
2
ldvamlwhdpetnyn.ml(172.67.208.174) - mailcious
104.21.85.176 - mailcious
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
7
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
|
4.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7998 |
2021-05-12 12:14
|
 Taxicab.txt df92371c2f2a4b170d14e2b22b352d26
AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic suspicious TLD Tofsee DNS |
1
https://u0s.runboot.ru/SystemServiceModelDispatcherXPathMessageFunctionCorrelationData62451
|
2
u0s.runboot.ru(217.107.34.191)
217.107.34.191
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7999 |
2021-05-12 12:15
|
 vladislave.txt b3d1b93214e413218bcbbb3102719de5
Gen1 Gen2 PE File PE32 OS Processor Check DLL PNG Format PE64 VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder crashed |
|
|
|
|
3.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8000 |
2021-05-12 12:16
|
 r1o.exe c71735c5ec39ab472178ab89a3ee7d35
Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
12.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8001 |
2021-05-12 12:16
|
 mobianshi.txt c5b088a8ef675fa7576197f7faa07b40
AntiDebug AntiVM .NET EXE OS Processor Check PE File PE32 GIF Format Malware download njRAT NetWireRC VirusTotal Malware AutoRuns suspicious privilege Checks debugger WMI Creates shortcut Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS DDNS crashed |
|
2
modoba.duckdns.org(103.133.105.179)
103.133.105.179 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Bladabindi/njRAT CnC Command (ll)
|
|
6.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8002 |
2021-05-12 12:19
|
 Wurlies.txt 03c03933b86d29746d552924c98716f2
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-07ECAFF71F1BA5DD99BA2A8FC48898B0.html - rule_id: 1070
|
3
mmwrlridbhmibnr.ml(104.21.86.143) - mailcious
103.133.105.179 - mailcious
172.67.220.147 - mailcious
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
1
http://mmwrlridbhmibnr.ml/liverpool-fc-news/
|
3.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8003 |
2021-05-12 12:19
|
 savfx.exe 1808130c6c566d8ecb43af894d4f873d
AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS crashed |
4
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-AC7B19FF32C64F7ABCE78DA696EEE6EC.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E9016EAF0BF81460BF9945CE5449D7A1.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D81AC84B6212DE1116323F4E802355E6.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-468148C620A22B5D67000517FAC984F3.html - rule_id: 1176
|
2
ldvamlwhdpetnyn.ml(172.67.208.174) - mailcious
104.21.85.176 - mailcious
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
4
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
|
5.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8004 |
2021-05-12 12:31
|
 2roxy.txt 2f4bcc44bf320f3cd7e8961802ffe3e5
BitCoin Antivirus AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.215.113.54:62132//
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31)
185.215.113.54 - malware
104.26.12.31
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
16.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8005 |
2021-05-12 14:37
|
 r1o.exe c71735c5ec39ab472178ab89a3ee7d35
Eredel Stealer Extended Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
10.6 |
M |
23 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8006 |
2021-05-12 15:42
|
http://premcogroup.com/bin/sui... a7a26d57df53b79b97f904d5b5133f66
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File PE File PE32 VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
premcogroup.com(162.214.101.129) - malware
162.214.101.129 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
|
|
5.2 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8007 |
2021-05-12 17:37
|
 kn.exe 5003ed514f5ec9f0c5fbbc8994dfbfe7
AsyncRAT backdoor Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS |
|
2
wespeaktruthtoman.sytes.net(79.134.225.47)
79.134.225.47
|
|
|
14.0 |
|
18 |
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8008 |
2021-05-12 17:40
|
 regasm.exe 6b3468846687f41fbeb6c00d1fe50108
PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
1
http://bncoporations.ml/Bn1/fre.php
|
2
bncoporations.ml(172.67.173.200)
172.67.173.200
|
9
ET INFO DNS Query for Suspicious .ml Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ml Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
8.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8009 |
2021-05-12 17:40
|
 navy.exe 10658be2265bb9cdebd98f80c6449d7f
PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS crashed |
|
|
|
|
12.2 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8010 |
2021-05-12 17:43
|
 invoice_886558.doc 4a267c16665e6730c7eb3b5db26c0fcb
RTF File doc LokiBot Malware download Vulnerability VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
3
http://nbnbnstdyewagedevibx.dns.army/bnbdoc/regasm.exe
http://bit.do/fQKsw
http://bncoporations.ml/Bn1/fre.php
|
6
bit.do(54.83.52.76) - mailcious
nbnbnstdyewagedevibx.dns.army(103.153.77.121)
bncoporations.ml(104.21.55.224)
103.153.77.121 - malware
54.83.52.76 - suspicious
172.67.173.200
|
10
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ml Domain
ET INFO DNS Query for Suspicious .ml Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.0 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|