8206 | 2021-05-21 08:43 | netwire.exe 9d19dad3b71dfeec8276cb6e266365df | PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
7.2 | ZeroCERT

8207 | 2021-05-21 09:57 | img.dll d2fe28f11e61c88847055640d0d92b41 | DLL PE File OS Processor Check PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself ComputerName DNS
URLs (7):
Hosts (5):
chat.veminiare.com(35.247.240.15)
app.buboleinov.com()
app3.maintorna.com(35.247.240.15) - malicious
chat.billionady.com(35.247.240.15)
35.247.240.15
3.4 | 10 | ZeroCERT

8208 | 2021-05-21 09:57 | file.exe 02e171ec492666d05afa7e86f10cd2a4 | Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution crashed
2.2 | ZeroCERT

8209 | 2021-05-21 09:59 | mixx.exe 53529b7a2bba1c28d654e484043206cb | Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed
3.6 | 22 | ZeroCERT

8210 | 2021-05-21 10:00 | vbc.exe 6e1e56fd157c5d33cac5a84225561906 | AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
8.4 | 26 | ZeroCERT

8211 | 2021-05-21 10:01 | infostati2.exe 18b6e2c669dc078e297af35aaaa605fc | Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed
3.6 | M | 21 | ZeroCERT

8212 | 2021-05-21 10:02 | ................................. 478a959e356e377f88446ac0d6f09f98 | RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1):
http://198.12.107.38/p/vbc.exe
Hosts (1)
Alerts (6):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 23 | ZeroCERT

8213 | 2021-05-21 10:09 | Doc1.docm 53e6579c2aad2ae7d6a3ce99045a114b | VBA_macro VirusTotal Malware unpack itself Tofsee DNS
URLs (1):
https://occurrent-fatigues.000webhostapp.com/12_CNB_Programas_de_Becas-70212-em.txt
Hosts (2):
occurrent-fatigues.000webhostapp.com(145.14.145.120) - malware
145.14.145.67 - malware
Alerts (3):
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
4.2 | M | 32 | ZeroCERT

8214 | 2021-05-21 10:11 | lv.exe 9a3bb80e21a22b3f2579bc6e27dc065b | Gen1 NPKI Glupteba Gen2 Malicious Library PE File PE32 DLL OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed
Hosts (1):
AfNqLwNNeSOlf.AfNqLwNNeSOlf()
8.0 | M | 26 | ZeroCERT

8215 | 2021-05-21 10:12 | ................................. 7d216963eff2efe2b5aa60ffdcaa5627 | RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1):
http://107.174.224.211/cdrive/vbc.exe
Hosts (1):
107.174.224.211 - malicious
Alerts (6):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 25 | ZeroCERT

8216 | 2021-05-21 10:14 | Document%209863223.xls a3770e810232a6e15b4fd36a444ef8d4 | VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee
URLs (2):
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php - rule_id: 1445
https://euro-office.net/AwI3uwiwuU6.php - rule_id: 1468
Hosts (20): samyberry.co.za(66.85.46.71); euro-office.net(198.38.82.90) - malicious; moayadcenter.com(192.99.147.163) - malicious; app.lead-concept.com(163.172.106.186) - malicious; welcometotheafterdeath.com(192.254.234.250) - malicious; specs2go.shawalzahid.com(158.69.144.71) - malicious; fotounirii.ro(89.35.173.76) - malicious; weeflow.com(5.135.142.22) - malicious; langgal.coop.np(192.185.110.229); lojamusic.com.br(162.241.2.234) - malicious; 192.185.110.229; 5.135.142.22 - malicious; 192.99.147.163 - malicious; 198.38.82.90 - phishing; 192.254.234.250 - malicious; 163.172.106.186 - malicious; 89.35.173.76 - malicious; 66.85.46.71 - malicious; 162.241.2.234 - malicious; 158.69.144.71 - malicious
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
2 | https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php https://euro-office.net/AwI3uwiwuU6.php
3.2 | M | 21 | ZeroCERT

8217 | 2021-05-21 10:14 | 0520_9597866810567.doc 30e6824bbda52b477b50c80b2f96f855 | VBA_macro DNS Socket ScreenShot AntiDebug AntiVM OS Processor Check MSOffice File Browser Info Stealer Malware download FTP Client Info Stealer Vulnerability VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Collect installed applications Check virtual network interfaces suspicious process suspicious TLD sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Windows Browser ComputerName DNS Software
URLs (4):
http://vaethemanic.com/8/forum.php
http://q09pi7.ru/6jkio9ukds.exe
http://api.ipify.org/?format=xml
http://api.ipify.org/
Hosts (9):
q09pi7.ru(8.211.5.232) - malware
sweyblidian.com(92.62.115.177) - malicious
api.ipify.org(54.235.175.90)
vaethemanic.com(2.56.10.123)
8.211.5.232 - malware
2.56.10.123 - malicious
50.16.192.84
139.155.178.173
92.62.115.177
Alerts (6):
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup api.ipify.org
20.4 | M | 13 | ZeroCERT

8218 | 2021-05-21 10:16 | zapa1.exe ec3a138ffb5f8172efb8216b729a6813 | AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed
Hosts (1):
79.134.225.91 - malicious
10.6 | M | 24 | ZeroCERT

8219 | 2021-05-21 10:16 | 0520_455268495140.doc c8b9b8a8fa820b1494a3ae1ad03733d9 | VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
http://vaethemanic.com/8/forum.php
http://api.ipify.org/
Hosts (4):
api.ipify.org(54.243.154.178)
vaethemanic.com(2.56.10.123)
2.56.10.123 - malicious
54.225.169.203
Alerts (1):
ET POLICY External IP Lookup api.ipify.org
8.6 | 9 | ZeroCERT

8220 | 2021-05-21 10:20 | Sep.exe 262936a46f6130dcd0415a530d885080 | Gen1 Gen2 PE File PE32 DLL OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AppData folder AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed
URLs (8):
http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEArIzKqFYmE3jrS4gQrE3QI%3D
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
http://43.129.230.36/System1.dll
http://139.155.178.173:888/NetSyst96.dll
http://43.129.230.36/8908.exe
http://139.155.178.173:888/360diao.exe
https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
Hosts (6):
users.qzone.qq.com(58.250.136.113) - malicious
ocsp.dcocsp.cn(163.181.22.232)
43.129.230.36 - malware
58.250.136.113
139.155.178.173
47.246.59.231 - malware
Alerts (10):
ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET INFO Dotted Quad Host DLL Request
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
10.6 | M | 49 | ZeroCERT
