8266 | 2021-05-23 17:40 | ALL.txt | a140c5bb18fc4adb4a2f5d2a907de048 | Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows DNS Cryptographic key | 1.8 | | 1 | ZeroCERT

8267 | 2021-05-24 09:17 | ehn410274214523502210vlbxohwp4 | bc5d3090b4ec7ece19ce132d14c0e111 | VBA_macro MSOffice File VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS
URLs (8):
  https://an9news.com/aokhf/XPXV7/
  https://www.17geci.com/vi2w6/Z5i/
  https://rubycityvietnam.com/wp-admin/1c0NVtp/
  https://lami-jo.com/wp-admin/VMeklEt/
  http://vayvontinchap5s.com/vayvon5s.com/YH3mx/
  http://jiamini.us-east-1.elasticbeanstalk.com/static/P1Vcv/
  http://wach8.com/cgi-bin/5JyZcRU/
  http://stopnote.vhostgo.com/?host=wach8.com&refer=
Hosts (14):
  an9news.com(34.102.136.180) - malware
  www.17geci.com() - malware
  jiamini.us-east-1.elasticbeanstalk.com(23.22.53.61) - malware
  rubycityvietnam.com(45.252.248.29) - malware
  vayvontinchap5s.com() - malware
  wach8.com(218.247.67.211) - malware
  stopnote.vhostgo.com(116.140.34.68)
  lami-jo.com(35.209.32.159) - malware
  23.22.53.61 - malware
  218.247.67.211 - malware
  34.102.136.180 - mailcious
  116.140.34.68
  45.252.248.29 - mailcious
  35.209.32.159
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
4.4 | M | 41 | ZeroCERT

8268 | 2021-05-24 09:18 | wnspxzq@_27899.exe | 9d24f3afa9e996bb1d87fbf12263c53f | Emotet PE File PE32 PNG Format VirusTotal Malware buffers extracted ICMP traffic unpack itself sandbox evasion Browser Remote Code Execution
URLs (5):
  http://api.xp666.com/setup_api.php?softid=27899
  http://download.xp666.com/dtazq/getlist
  http://download.xp666.com/dtazq/dtico.zip
  http://download.xp666.com/dtazq/wb
  http://download.xp666.com/dtazq/cof/cfg.7z
Hosts (4):
  download.xp666.com(58.215.155.241) - malware
  api.xp666.com(203.107.36.186)
  58.215.155.240
  203.107.36.186
5.8 | M | 31 | ZeroCERT

8269 | 2021-05-24 09:22 | 222333.exe | d213c25eb7528fbc07f48fb9c151f0ed | PE File PE32 VirusTotal Malware Check memory Creates executable files RWX flags setting AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS
Hosts (2):
  150.242.98.207
  103.193.188.217 - malware
6.0 | M | 52 | ZeroCERT

8270 | 2021-05-24 11:38 | 222333.exe | d213c25eb7528fbc07f48fb9c151f0ed | Generic Malware PE File PE32 VirusTotal Malware Check memory Creates executable files RWX flags setting AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS
Hosts (2):
  150.242.98.207 - mailcious
  103.193.188.217 - malware
6.0 | M | 52 | r0d

8271 | 2021-05-24 15:03 | f3kmkuwbdpgytdc5.exe | ae4a8c201b070ee94488bb8862ed4ec5 | Generic Malware .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself | 1.8 | M | 36 | r0d

8272 | 2021-05-24 15:12 | f3kmkuwbdpgytdc5.exe | ae4a8c201b070ee94488bb8862ed4ec5 | njRAT Generic Malware .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself | 1.8 | M | 36 | r0d

8273 | 2021-05-24 15:14 | I-Record.exe | 6f80701718727602e7196b1bba7fac1b | njRAT .NET EXE PE File PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself | 2.2 | M | 52 | r0d

8274 | 2021-05-24 15:28 | PicturesLab.exe | 02398f9746a8cdebb2bc1cb9ccb40e70 | njRAT .NET EXE PE File PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself | 2.2 | M | 53 | r0d

8275 | 2021-05-24 17:28 | run.exe | 63a11a44eeb7ee8c76f834d4435f4af3 | GhostCringe GhostRAT PE File PE32 OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed
URLs (2):
  http://139.155.178.173:888/System1.dll - rule_id: 1507
  http://139.155.178.173:888/System1.dll
Hosts (1):
  139.155.178.173 - malware
Signatures (9):
  ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET INFO Dotted Quad Host DLL Request
1
  http://139.155.178.173:888/System1.dll
9.0 | M | 48 | guest

8276 | 2021-05-24 18:10 | LluwMXf8ngOwqea.exe | 3517aa20f6e5641cd95afb5d9173e696 | PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key | 2.8 | | 22 | ZeroCERT

8277 | 2021-05-24 18:11 | bin.exe | dbb0d24252b09d49478c336e5d0ec994 | PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (16):
  http://www.cyrilgraze.com/p2io/?qR-HnluH=PONkgH6OT+IdHpvpbj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsMLieTk0sG+frQWfUBsy&TVg84P=yjR8IXLxMLv
  http://www.dmgt4m2g8y2uh.net/p2io/?qR-HnluH=QtqXFq7HS/X4MIE9GXms050Yi4WsLwGmbpvB1Cdjo9kEhb/cEuRUaHG+vgNP8VkCpLdNveMs&TVg84P=yjR8IXLxMLv
  http://www.cmannouncements.com/p2io/
  http://www.adultpeace.com/p2io/?qR-HnluH=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&TVg84P=yjR8IXLxMLv
  http://www.dmgt4m2g8y2uh.net/p2io/
  http://www.adultpeace.com/p2io/
  http://www.thriveglucose.com/p2io/
  http://www.thriveglucose.com/p2io/?qR-HnluH=bgEje2qqVLxeqLNVlwWQjpUULYzLZlDcA+G1vxfW8Jz/ro52V1dcg5nZt+TpVqb/WeIjD6oW&TVg84P=yjR8IXLxMLv
  http://www.zmzcrossrt.xyz/p2io/
  http://www.cyrilgraze.com/p2io/
  http://www.pyithuhluttaw.net/p2io/?qR-HnluH=NEaCbUvvAYINigSHmrIJ7dR/yfSp7Xbba3vcNBHjwVcKt6Qbvd0czP/RWKD03CMJ7FmiFKIL&TVg84P=yjR8IXLxMLv
  http://www.zmzcrossrt.xyz/p2io/?qR-HnluH=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&TVg84P=yjR8IXLxMLv
  http://www.cmannouncements.com/p2io/?qR-HnluH=wzEdtbrAF/I1cRkF/h093gtD2EzP1yO8zPBZTUdll922Z1OUYyEpwi72EGdxEgGIGaDMgw4G&TVg84P=yjR8IXLxMLv
  http://www.micheldrake.com/p2io/?qR-HnluH=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&TVg84P=yjR8IXLxMLv
  http://www.pyithuhluttaw.net/p2io/
  http://www.micheldrake.com/p2io/
Hosts (19):
  www.adultpeace.com(163.44.239.73)
  www.buylocalclub.info()
  www.mercuryaid.net()
  www.cmannouncements.com(69.195.83.71)
  www.micheldrake.com(192.0.78.25)
  www.zmzcrossrt.xyz(99.83.185.45)
  www.pyithuhluttaw.net(103.91.67.83)
  www.cyrilgraze.com(172.67.138.177)
  www.thriveglucose.com(184.168.131.241)
  www.m678.xyz()
  www.dmgt4m2g8y2uh.net(103.120.13.242)
  69.195.83.71
  163.44.239.73
  103.120.13.132
  184.168.131.241 - mailcious
  99.83.230.40 - mailcious
  192.0.78.24 - mailcious
  104.21.65.7
  103.91.67.83
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
7.6 | | | ZeroCERT

8278 | 2021-05-24 18:13 | aYnQ4B6WoQm6DuG.exe | 20afb202b5cfbb60dc7ff5f2509c3991 | PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key | 2.8 | | 21 | ZeroCERT

8279 | 2021-05-24 18:14 | bin---09.exe | c2db9ae19f2ed393fb6ae0703dc30b2c | PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
URLs (17):
  http://www.adultpeace.com/p2io/?GF=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&llvt=fTRHzZwpYvUX0J
  http://www.pyithuhluttaw.net/p2io/?GF=NEaCbUvvAYINigSHmrIJ7dR/yfSp7Xbba3vcNBHjwVcKt6Qbvd0czP/RWKD03CMJ7FmiFKIL&llvt=fTRHzZwpYvUX0J
  http://www.adultpeace.com/p2io/
  http://www.ololmychartlogin.com/p2io/
  http://www.bigplatesmallwallet.com/p2io/?GF=O674xtRxkGNoF6c3kGCKbVIXJyLg/Uv1kE5kvfYRu46mJjBrOhkzeBS5wyL3I0uQtRm1X0si&llvt=fTRHzZwpYvUX0J
  http://www.ololmychartlogin.com/p2io/?GF=2q6D4S4KFKmlXKAOo+dmfNOnFlWkohYFDzximTpdHsIuBKx0b3v/5p4ytrwsGJikHaDfqBb+&llvt=fTRHzZwpYvUX0J
  http://www.alfenas.info/p2io/
  http://www.alfenas.info/p2io/?GF=qSqSgno9cBloRqN5VLtR5zfvl4qKeuO7jrdOV5f2r4ZX0X85kelskx3YtL4YRmLXGzhxb6Nv&llvt=fTRHzZwpYvUX0J
  http://www.leonardocarrillo.com/p2io/?GF=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&llvt=fTRHzZwpYvUX0J
  http://www.hfjxhs.com/p2io/
  http://www.ruhexuangou.com/p2io/?GF=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&llvt=fTRHzZwpYvUX0J
  http://www.ruhexuangou.com/p2io/
  http://www.essentiallyourscandles.com/p2io/
  http://www.bigplatesmallwallet.com/p2io/
  http://www.pyithuhluttaw.net/p2io/
  http://www.essentiallyourscandles.com/p2io/?GF=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&llvt=fTRHzZwpYvUX0J
  http://www.hfjxhs.com/p2io/?GF=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&llvt=fTRHzZwpYvUX0J
Hosts (18):
  www.leonardocarrillo.com()
  www.ruhexuangou.com(23.82.57.32)
  www.adultpeace.com(163.44.239.73)
  www.pyithuhluttaw.net(103.91.67.83)
  www.bigplatesmallwallet.com(66.235.200.147)
  www.essentiallyourscandles.com(23.227.38.74)
  www.hfjxhs.com(156.241.53.161)
  www.ololmychartlogin.com(23.82.12.29)
  www.alfenas.info(34.102.136.180)
  66.235.200.147 - phishing
  163.44.239.73
  156.241.53.161
  209.99.40.222 - mailcious
  34.102.136.180 - mailcious
  23.82.57.32
  23.82.12.29 - suspicious
  23.227.38.74 - mailcious
  103.91.67.83
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.4 | | 30 | ZeroCERT

8280 | 2021-05-24 18:15 | YpB5uPa1YKwLPKt.exe | 5c8003788c729d9c9d6f91c62aef10f4 | PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key | 2.2 | | 23 | ZeroCERT