| 8206 |
2021-05-21 08:43
|
 netwire.exe 9d19dad3b71dfeec8276cb6e266365df
PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
|
|
|
7.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8207 |
2021-05-21 09:57
|
 img.dll d2fe28f11e61c88847055640d0d92b41
DLL PE File OS Processor Check PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself ComputerName DNS |
7
http://app3.maintorna.com/DOnp8FFIHxzkzO_2BI6as/Fk0cpZuJStBv_2Bf/7dz0Pm9_2FDrH_2/BzURhMGfKY7dgLun5s/iJYbzM_2F/OpXZ4LNbk_2Fg61I1stG/_2BebEv8Xkqy5n2biLH/11_2Bgm6kPAWWd2iIKpjRo/G4rSkBS3HoKhG/EYgrqAFJ/AL6M1PWxcCpetsvV1oiFf_2/BohAk_2FI9/F_2BEUu9lzeyW1whp/ZaCzXxb5vf_2/FOoMXHLhCrL/WImY_2FOZAtGK_/2BqWFJtD6Wmlrct1tJIXo/Od830PThv_2FVsVX/ZdVQms7bduFf4f_/2BtVaKPpdHSao2OHbP/E2qA5owZL/iyO_2FtU3PTxS9YRT_2F/mva4jJSu/N
http://chat.billionady.com/6UJSnOoZaJnsH/_2FnSXfG/ln0aL5nX3zhg1UG0FK3qlut/6LZhHclyKd/I_2BKVhzQWMWrcGcT/ZTTdNTGlVi9S/I_2BAWt0RO9/er8HPcbpFhwm36/a1eGThTcirHujHLF1hMPY/2MVDtK4kSPDf6x73/kBOc3g9jxsxeT0e/L10KY1NatyOr4ZwtIc/K_2Fvjy1Q/srpejgSg7907lJY9reM9/9Qw_2Fjk1albXSiy4oJ/LgPFE2YVHTdPp_2FZsD8Cg/DFD_2BLO9r8Wh/t0A12sbi/Qajd6psuZy588mTQqbWqV2t/4O2zvkug11/4OSQHCtMtxkP1M2U5/58GKm53yW2ph/c23
http://chat.billionady.com/_2BajllG2W5QT7c_2BZ752/OUUsE0PdrCWti/u9hmphDr/_2F9VYvDpC09PqHzWQ_2FgV/MgOXJ_2BYm/vglQH6ZyKvTwcWC2l/9KkU02SFeC5O/8WYERoLeYTH/YXQmDuxxY7zygt/d5870sTfet2nG0xBg_2FD/l4lJZP2MJLjZmoGm/X_2Fqttce3zZyDw/zj6OUwPJSioOxqH_2F/X7tf_2ByV/RoBMC3jlcSkCJpfAFTXJ/J8J_2FU1gKyYAT49hXl/mKoGzzXRNmwQYbWjXJ42lM/PNnC61le0aduH/ZboUDnEv/R1TvWtf_2Bseqg4Yhb_2Fbs/TDEkt6dBpq/Bnv8PCQuC/dX1RYbcMw_2/BP
http://chat.veminiare.com/lN4ZajfSnftzc7Dl/Zr0OE4FzP7c3zQB/jGkKqDLiYl_2FSgzkC/IsLtY5lOe/_2BINzYKsAYitV_2B6iY/_2F_2FO_2FOWTH4Lh5x/d7vtLNqHW83WIFHjo5ZqI6/bLVkD1v5Lpzxf/OkXnFjV9/kb3Qz61muiBunA_2BK_2BYp/xlKBbqYPKl/gKaNm2lkuGFA8P9JV/vYzvXLsNzSOI/em46rn0AL6j/jjz0pVdMfHPnpB/pekEVSPzfDDI8Yp_2FLSs/kgNdJBlnC_2Fv_2B/TPjSEeUbuWIEYoS/5ZCcazyYNbMYmcL5av/sa6JqQioU/5CLBEaoucjWJ4hu5ys4V/t_2FAeecmj0FnLw44/c
http://app3.maintorna.com/8D1iapHyZLACTh/rcVgyTqKzXA6LpliF4YXu/XzM08QA0f3i7z2Ji/5n2Aq_2F0nnzvZE/fgvsm6sx70duziYeT2/m1YbOFs_2/BnZ3Nsio6pU1esvY2GaB/072K4jXWAaNHHzJBgKQ/cjz9OMjQ8jFdM66FM0X5PH/8sMCLzWI9KYKG/P9401_2B/4_2BUA4sQyYHR1erUXLu0MR/4bIIrt07vu/dFa8mj1HDypiDob48/HZYMjtUwOtXJ/8gnN_2Be1Gg/8xeLB6A3hV4xD1/yCLUivcQ_2FPo_2Bm4FLg/ULbhusSZkHt7XUYu/9_2BZcHorbO0foO/nV27I1E4VlAowLRgeiZl/xm
http://chat.veminiare.com/XG7VMRXz6CIgQVN/FIntP9vcoEkPSFVbFS/fYS8e36TX/47lcuBGwy_2Fxx2vh551/lqWwG1U_2B_2B1jEskE/JXiowlyiqpwwViroADLTPB/X_2BWBHu8SYGn/eSBJSBRB/dF6BXDtumGC6qp3_2F77amm/xs_2BDlWuF/q_2BNO2mypx9x4I9I/Mf_2F_2BfEaM/dYEJV1IL6pP/veKpGWZ2qUuoLp/mkzQV4lPTU3MkaBkfEekk/35JqCIhlF2V6Q7CU/SlWE6mIgUZzrKTB/N1180MRdubkJqxJUKJ/yEKzRhHUc/jdp_2F6QzI8g8n2qM0o0/er4YGuEd4WrXPgZbwDl/HH_2BVJA9/DSh4
http://chat.veminiare.com/SWKRRoakONjHS/sJUvOXim/_2B9jP62X8_2FGlg4YDjd4d/qcmm7f7ClO/0z_2FBik6zsFUb_2B/mdQuBGZWJbZi/6xjwfL8HuMz/d_2FSpDSI_2BKI/JPFoCEypL2oX91Q4Ez8Ol/_2BbhoEWQeeBD5YI/8AKl5Z_2B2W818y/o2LGNPqkk0KZ7SqM_2/BMAI5eaIh/c2V1xT0MggHgb9EHebVm/6sBZ5NPXZp1FD_2B_2F/pWANEdjwYpo0P5KQDdAFKl/yUhTzhrbU_2BJ/rWTYGgor/1sg9sd85Eu4uYyHnSJDXAaK/pZxdrYlOCF/U5EegqM25eDBrssZ7s5/E3
|
5
chat.veminiare.com(35.247.240.15)
app.buboleinov.com()
app3.maintorna.com(35.247.240.15) - mailcious
chat.billionady.com(35.247.240.15)
35.247.240.15
|
|
|
3.4 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8208 |
2021-05-21 09:57
|
 file.exe 02e171ec492666d05afa7e86f10cd2a4
Glupteba PE File OS Processor Check PE32 PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8209 |
2021-05-21 09:59
|
 mixx.exe 53529b7a2bba1c28d654e484043206cb
Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
3.6 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8210 |
2021-05-21 10:00
|
 vbc.exe 6e1e56fd157c5d33cac5a84225561906
AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
8.4 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8211 |
2021-05-21 10:01
|
 infostati2.exe 18b6e2c669dc078e297af35aaaa605fc
Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
3.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8212 |
2021-05-21 10:02
|
 ................................. 478a959e356e377f88446ac0d6f09f98
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://198.12.107.38/p/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8213 |
2021-05-21 10:09
|
 Doc1.docm 53e6579c2aad2ae7d6a3ce99045a114b
VBA_macro VirusTotal Malware unpack itself Tofsee DNS |
1
https://occurrent-fatigues.000webhostapp.com/12_CNB_Programas_de_Becas-70212-em.txt
|
2
occurrent-fatigues.000webhostapp.com(145.14.145.120) - malware
145.14.145.67 - malware
|
3
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
|
|
4.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8214 |
2021-05-21 10:11
|
 lv.exe 9a3bb80e21a22b3f2579bc6e27dc065b
Gen1 NPKI Glupteba Gen2 Malicious Library PE File PE32 DLL OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed |
|
1
AfNqLwNNeSOlf.AfNqLwNNeSOlf()
|
|
|
8.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8215 |
2021-05-21 10:12
|
 ................................. 7d216963eff2efe2b5aa60ffdcaa5627
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://107.174.224.211/cdrive/vbc.exe
|
1
107.174.224.211 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8216 |
2021-05-21 10:14
|
 Document%209863223.xls a3770e810232a6e15b4fd36a444ef8d4
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
2
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php - rule_id: 1445
https://euro-office.net/AwI3uwiwuU6.php - rule_id: 1468
|
20
samyberry.co.za(66.85.46.71)
euro-office.net(198.38.82.90) - mailcious
moayadcenter.com(192.99.147.163) - mailcious
app.lead-concept.com(163.172.106.186) - mailcious
welcometotheafterdeath.com(192.254.234.250) - mailcious
specs2go.shawalzahid.com(158.69.144.71) - mailcious
fotounirii.ro(89.35.173.76) - mailcious
weeflow.com(5.135.142.22) - mailcious
langgal.coop.np(192.185.110.229)
lojamusic.com.br(162.241.2.234) - mailcious
192.185.110.229
5.135.142.22 - mailcious
192.99.147.163 - mailcious
198.38.82.90 - phishing
192.254.234.250 - mailcious
163.172.106.186 - mailcious
89.35.173.76 - mailcious
66.85.46.71 - mailcious
162.241.2.234 - mailcious
158.69.144.71 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
2
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php
https://euro-office.net/AwI3uwiwuU6.php
|
3.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8217 |
2021-05-21 10:14
|
 0520_9597866810567.doc 30e6824bbda52b477b50c80b2f96f855
VBA_macro DNS Socket ScreenShot AntiDebug AntiVM OS Processor Check MSOffice File Browser Info Stealer Malware download FTP Client Info Stealer Vulnerability VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Collect installed applications Check virtual network interfaces suspicious process suspicious TLD sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Windows Browser ComputerName DNS Software |
4
http://vaethemanic.com/8/forum.php
http://q09pi7.ru/6jkio9ukds.exe
http://api.ipify.org/?format=xml
http://api.ipify.org/
|
9
q09pi7.ru(8.211.5.232) - malware
sweyblidian.com(92.62.115.177) - mailcious
api.ipify.org(54.235.175.90)
vaethemanic.com(2.56.10.123)
8.211.5.232 - malware
2.56.10.123 - mailcious
50.16.192.84
139.155.178.173
92.62.115.177
|
6
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup api.ipify.org
|
|
20.4 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8218 |
2021-05-21 10:16
|
 zapa1.exe ec3a138ffb5f8172efb8216b729a6813
AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed |
|
1
79.134.225.91 - mailcious
|
|
|
10.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8219 |
2021-05-21 10:16
|
 0520_455268495140.doc c8b9b8a8fa820b1494a3ae1ad03733d9
VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php
http://api.ipify.org/
|
4
api.ipify.org(54.243.154.178)
vaethemanic.com(2.56.10.123)
2.56.10.123 - mailcious
54.225.169.203
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
8.6 |
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8220 |
2021-05-21 10:20
|
 Sep.exe 262936a46f6130dcd0415a530d885080
Gen1 Gen2 PE File PE32 DLL OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AppData folder AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed |
8
http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEArIzKqFYmE3jrS4gQrE3QI%3D
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
http://43.129.230.36/System1.dll
http://139.155.178.173:888/NetSyst96.dll
http://43.129.230.36/8908.exe
http://139.155.178.173:888/360diao.exe
https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
|
6
users.qzone.qq.com(58.250.136.113) - mailcious
ocsp.dcocsp.cn(163.181.22.232)
43.129.230.36 - malware
58.250.136.113
139.155.178.173
47.246.59.231 - malware
|
10
ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET INFO Dotted Quad Host DLL Request
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
|
|
10.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|