| 8266 |
2021-05-23 17:40
|
 ALL.txt a140c5bb18fc4adb4a2f5d2a907de048
Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
1.8 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8267 |
2021-05-24 09:17
|
 ehn410274214523502210vlbxohwp4 bc5d3090b4ec7ece19ce132d14c0e111
VBA_macro MSOffice File VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS |
8
https://an9news.com/aokhf/XPXV7/
https://www.17geci.com/vi2w6/Z5i/
https://rubycityvietnam.com/wp-admin/1c0NVtp/
https://lami-jo.com/wp-admin/VMeklEt/
http://vayvontinchap5s.com/vayvon5s.com/YH3mx/
http://jiamini.us-east-1.elasticbeanstalk.com/static/P1Vcv/
http://wach8.com/cgi-bin/5JyZcRU/
http://stopnote.vhostgo.com/?host=wach8.com&refer=
|
14
an9news.com(34.102.136.180) - malware
www.17geci.com() - malware
jiamini.us-east-1.elasticbeanstalk.com(23.22.53.61) - malware
rubycityvietnam.com(45.252.248.29) - malware
vayvontinchap5s.com() - malware
wach8.com(218.247.67.211) - malware
stopnote.vhostgo.com(116.140.34.68)
lami-jo.com(35.209.32.159) - malware
23.22.53.61 - malware
218.247.67.211 - malware
34.102.136.180 - mailcious
116.140.34.68
45.252.248.29 - mailcious
35.209.32.159
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
4.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8268 |
2021-05-24 09:18
|
 wnspxzq@_27899.exe 9d24f3afa9e996bb1d87fbf12263c53f
Emotet PE File PE32 PNG Format VirusTotal Malware buffers extracted ICMP traffic unpack itself sandbox evasion Browser Remote Code Execution |
5
http://api.xp666.com/setup_api.php?softid=27899
http://download.xp666.com/dtazq/getlist
http://download.xp666.com/dtazq/dtico.zip
http://download.xp666.com/dtazq/wb
http://download.xp666.com/dtazq/cof/cfg.7z
|
4
download.xp666.com(58.215.155.241) - malware
api.xp666.com(203.107.36.186)
58.215.155.240
203.107.36.186
|
|
|
5.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8269 |
2021-05-24 09:22
|
 222333.exe d213c25eb7528fbc07f48fb9c151f0ed
PE File PE32 VirusTotal Malware Check memory Creates executable files RWX flags setting AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS |
|
2
150.242.98.207
103.193.188.217 - malware
|
|
|
6.0 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8270 |
2021-05-24 11:38
|
 222333.exe d213c25eb7528fbc07f48fb9c151f0ed
Generic Malware PE File PE32 VirusTotal Malware Check memory Creates executable files RWX flags setting AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS |
|
2
150.242.98.207 - mailcious
103.193.188.217 - malware
|
|
|
6.0 |
M |
52 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8271 |
2021-05-24 15:03
|
 f3kmkuwbdpgytdc5.exe ae4a8c201b070ee94488bb8862ed4ec5
Generic Malware .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
36 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8272 |
2021-05-24 15:12
|
 f3kmkuwbdpgytdc5.exe ae4a8c201b070ee94488bb8862ed4ec5
njRAT Generic Malware .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
36 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8273 |
2021-05-24 15:14
|
 I-Record.exe 6f80701718727602e7196b1bba7fac1b
njRAT .NET EXE PE File PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
52 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8274 |
2021-05-24 15:28
|
 PicturesLab.exe 02398f9746a8cdebb2bc1cb9ccb40e70
njRAT .NET EXE PE File PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
53 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8275 |
2021-05-24 17:28
|
 run.exe 63a11a44eeb7ee8c76f834d4435f4af3
GhostCringe GhostRAT PE File PE32 OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed |
2
http://139.155.178.173:888/System1.dll - rule_id: 1507
http://139.155.178.173:888/System1.dll
|
1
139.155.178.173 - malware
|
9
ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO Dotted Quad Host DLL Request
|
1
http://139.155.178.173:888/System1.dll
|
9.0 |
M |
48 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8276 |
2021-05-24 18:10
|
 LluwMXf8ngOwqea.exe 3517aa20f6e5641cd95afb5d9173e696
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8277 |
2021-05-24 18:11
|
 bin.exe dbb0d24252b09d49478c336e5d0ec994
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
16
http://www.cyrilgraze.com/p2io/?qR-HnluH=PONkgH6OT+IdHpvpbj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsMLieTk0sG+frQWfUBsy&TVg84P=yjR8IXLxMLv
http://www.dmgt4m2g8y2uh.net/p2io/?qR-HnluH=QtqXFq7HS/X4MIE9GXms050Yi4WsLwGmbpvB1Cdjo9kEhb/cEuRUaHG+vgNP8VkCpLdNveMs&TVg84P=yjR8IXLxMLv
http://www.cmannouncements.com/p2io/
http://www.adultpeace.com/p2io/?qR-HnluH=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&TVg84P=yjR8IXLxMLv
http://www.dmgt4m2g8y2uh.net/p2io/
http://www.adultpeace.com/p2io/
http://www.thriveglucose.com/p2io/
http://www.thriveglucose.com/p2io/?qR-HnluH=bgEje2qqVLxeqLNVlwWQjpUULYzLZlDcA+G1vxfW8Jz/ro52V1dcg5nZt+TpVqb/WeIjD6oW&TVg84P=yjR8IXLxMLv
http://www.zmzcrossrt.xyz/p2io/
http://www.cyrilgraze.com/p2io/
http://www.pyithuhluttaw.net/p2io/?qR-HnluH=NEaCbUvvAYINigSHmrIJ7dR/yfSp7Xbba3vcNBHjwVcKt6Qbvd0czP/RWKD03CMJ7FmiFKIL&TVg84P=yjR8IXLxMLv
http://www.zmzcrossrt.xyz/p2io/?qR-HnluH=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&TVg84P=yjR8IXLxMLv
http://www.cmannouncements.com/p2io/?qR-HnluH=wzEdtbrAF/I1cRkF/h093gtD2EzP1yO8zPBZTUdll922Z1OUYyEpwi72EGdxEgGIGaDMgw4G&TVg84P=yjR8IXLxMLv
http://www.micheldrake.com/p2io/?qR-HnluH=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&TVg84P=yjR8IXLxMLv
http://www.pyithuhluttaw.net/p2io/
http://www.micheldrake.com/p2io/
|
19
www.adultpeace.com(163.44.239.73)
www.buylocalclub.info()
www.mercuryaid.net()
www.cmannouncements.com(69.195.83.71)
www.micheldrake.com(192.0.78.25)
www.zmzcrossrt.xyz(99.83.185.45)
www.pyithuhluttaw.net(103.91.67.83)
www.cyrilgraze.com(172.67.138.177)
www.thriveglucose.com(184.168.131.241)
www.m678.xyz()
www.dmgt4m2g8y2uh.net(103.120.13.242)
69.195.83.71
163.44.239.73
103.120.13.132
184.168.131.241 - mailcious
99.83.230.40 - mailcious
192.0.78.24 - mailcious
104.21.65.7
103.91.67.83
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
7.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8278 |
2021-05-24 18:13
|
 aYnQ4B6WoQm6DuG.exe 20afb202b5cfbb60dc7ff5f2509c3991
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.8 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8279 |
2021-05-24 18:14
|
 bin---09.exe c2db9ae19f2ed393fb6ae0703dc30b2c
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself |
17
http://www.adultpeace.com/p2io/?GF=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&llvt=fTRHzZwpYvUX0J
http://www.pyithuhluttaw.net/p2io/?GF=NEaCbUvvAYINigSHmrIJ7dR/yfSp7Xbba3vcNBHjwVcKt6Qbvd0czP/RWKD03CMJ7FmiFKIL&llvt=fTRHzZwpYvUX0J
http://www.adultpeace.com/p2io/
http://www.ololmychartlogin.com/p2io/
http://www.bigplatesmallwallet.com/p2io/?GF=O674xtRxkGNoF6c3kGCKbVIXJyLg/Uv1kE5kvfYRu46mJjBrOhkzeBS5wyL3I0uQtRm1X0si&llvt=fTRHzZwpYvUX0J
http://www.ololmychartlogin.com/p2io/?GF=2q6D4S4KFKmlXKAOo+dmfNOnFlWkohYFDzximTpdHsIuBKx0b3v/5p4ytrwsGJikHaDfqBb+&llvt=fTRHzZwpYvUX0J
http://www.alfenas.info/p2io/
http://www.alfenas.info/p2io/?GF=qSqSgno9cBloRqN5VLtR5zfvl4qKeuO7jrdOV5f2r4ZX0X85kelskx3YtL4YRmLXGzhxb6Nv&llvt=fTRHzZwpYvUX0J
http://www.leonardocarrillo.com/p2io/?GF=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&llvt=fTRHzZwpYvUX0J
http://www.hfjxhs.com/p2io/
http://www.ruhexuangou.com/p2io/?GF=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&llvt=fTRHzZwpYvUX0J
http://www.ruhexuangou.com/p2io/
http://www.essentiallyourscandles.com/p2io/
http://www.bigplatesmallwallet.com/p2io/
http://www.pyithuhluttaw.net/p2io/
http://www.essentiallyourscandles.com/p2io/?GF=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&llvt=fTRHzZwpYvUX0J
http://www.hfjxhs.com/p2io/?GF=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&llvt=fTRHzZwpYvUX0J
|
18
www.leonardocarrillo.com()
www.ruhexuangou.com(23.82.57.32)
www.adultpeace.com(163.44.239.73)
www.pyithuhluttaw.net(103.91.67.83)
www.bigplatesmallwallet.com(66.235.200.147)
www.essentiallyourscandles.com(23.227.38.74)
www.hfjxhs.com(156.241.53.161)
www.ololmychartlogin.com(23.82.12.29)
www.alfenas.info(34.102.136.180)
66.235.200.147 - phishing
163.44.239.73
156.241.53.161
209.99.40.222 - mailcious
34.102.136.180 - mailcious
23.82.57.32
23.82.12.29 - suspicious
23.227.38.74 - mailcious
103.91.67.83
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8280 |
2021-05-24 18:15
|
 YpB5uPa1YKwLPKt.exe 5c8003788c729d9c9d6f91c62aef10f4
PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|