8461 | 2021-06-02 09:37 | free-olddd.exe d3444e2455ec7c3120279e1848a12810 | 8.8 | M | 47 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (16):
  http://www.adultpeace.com/p2io/?DVld2=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&6l=TjPx - rule_id: 1554
  http://www.bigplatesmallwallet.com/p2io/?DVld2=O674xtRxkGNoF6c3kGCKbVIXJyLg/Uv1kE5kvfYRu46mJjBrOhkzeBS5wyL3I0uQtRm1X0si&6l=TjPx - rule_id: 1563
  http://www.adultpeace.com/p2io/ - rule_id: 1554
  http://www.69-1hn7uc.net/p2io/
  http://www.hfjxhs.com/p2io/ - rule_id: 1561
  http://www.ruhexuangou.com/p2io/?DVld2=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&6l=TjPx - rule_id: 1557
  http://www.newmopeds.com/p2io/?DVld2=bSK1RxPLajIrf62nOJ2LeA3okZHmhG3V4GBmTatllgIVkFsFULHDN0cIL5FJcRS/4igqPa1G&6l=TjPx
  http://www.hfjxhs.com/p2io/?DVld2=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&6l=TjPx - rule_id: 1561
  http://www.69-1hn7uc.net/p2io/?DVld2=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&6l=TjPx
  http://www.xzklrhy.com/p2io/?DVld2=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&6l=TjPx
  http://www.ruhexuangou.com/p2io/ - rule_id: 1557
  http://www.newmopeds.com/p2io/
  http://www.malcorinmobiliaria.com/p2io/
  http://www.bigplatesmallwallet.com/p2io/ - rule_id: 1563
  http://www.xzklrhy.com/p2io/
  http://www.malcorinmobiliaria.com/p2io/?DVld2=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&6l=TjPx
Hosts (20):
  www.malcorinmobiliaria.com(160.121.176.84)
  www.ruhexuangou.com(23.82.57.32)
  www.tricqr.com() - mailcious
  www.newmopeds.com(52.58.78.16)
  www.bigplatesmallwallet.com(66.235.200.147)
  www.foxwaybrasil.com()
  www.hfjxhs.com(156.241.53.161)
  www.69-1hn7uc.net(163.43.122.113)
  www.adultpeace.com(163.44.239.73)
  www.xzklrhy.com(156.255.140.216)
  www.hiddenwholesale.com(44.227.76.166)
  44.227.76.166 - mailcious
  156.255.140.216
  160.121.176.84
  66.235.200.147 - phishing
  163.44.239.73 - mailcious
  52.58.78.16 - mailcious
  163.43.122.113
  23.82.57.32 - mailcious
  156.241.53.161 - mailcious
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 17
HTTP requests (8):
  http://www.adultpeace.com/p2io/
  http://www.bigplatesmallwallet.com/p2io/
  http://www.adultpeace.com/p2io/
  http://www.hfjxhs.com/p2io/
  http://www.ruhexuangou.com/p2io/
  http://www.hfjxhs.com/p2io/
  http://www.ruhexuangou.com/p2io/
  http://www.bigplatesmallwallet.com/p2io/

8462 | 2021-06-02 09:38 | 22.txt.ps1 bf6117d4fad0497d063372f909130b52 | 13.4 | M | 3 | ZeroCERT
Tags: Antivirus SMTP KeyLogger AntiDebug AntiVM Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (1):
  http://103.114.107.28/me/web22/inc/4e9ab3daa297f6.php
Hosts (1):

8463 | 2021-06-02 09:38 | cc200-766.exe 105ffd15c074e777f79563cf0021269d | 7.8 | M | 24 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key

8464 | 2021-06-02 09:40 | vbc.exe 541369bff43470b5cb1056745b7eec92 | 1.6 | | 36 | ZeroCERT
Tags: PE File PE32 VirusTotal Malware DNS

8465 | 2021-06-02 09:41 | six.exe 2a48970e8253b99331a5ca1d84352a22 | 15.2 | | 12 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework Generic Malware Anti_VM Malicious Library DNS SMTP AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Hosts (2):
  ararat.mangospot.net(185.140.53.216)
  185.140.53.216

8466 | 2021-06-02 09:43 | free.exe 346db6be65f107fc0929e16671f064aa | 8.4 | | 40 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key

8467 | 2021-06-02 09:43 | nano.docx 370c5933c34e634ee403ab76247c4161 | 3.4 | M | 6 | ZeroCERT
Tags: RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS DDNS crashed Downloader
URLs (3):
  http://gaag.ddns.net/imo/six.exe
  http://bit.do/fQWAm
  http://bit.do/
Hosts (6):
  bit.do(54.83.52.76) - mailcious
  gaag.ddns.net(23.95.122.53)
  ararat.mangospot.net(185.140.53.216)
  23.95.122.53 - mailcious
  54.83.52.76 - suspicious
  185.140.53.216
Signatures (4):
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Possible RTF File With Obfuscated Version Header
  ET POLICY DNS Query to DynDNS Domain *.ddns .net

8468 | 2021-06-02 09:45 | free-098.exe 0c6debc3cc51f3b1c2937626148ea5f8 | 8.6 | | 50 | ZeroCERT
Tags: PWS .NET framework AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key

8469 | 2021-06-02 09:45 | cc200-998.exe 9287afea22d334d75e2780cbee5da87c | 8.4 | M | 20 | ZeroCERT
Tags: PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key

8470 | 2021-06-02 09:48 | loki.docx b611e891cb9f097c7c357bb2c0e4ead3 | 3.6 | M | | ZeroCERT
Tags: RTF File doc Malware download Malware Malicious Traffic exploit crash unpack itself Exploit DNS DDNS crashed Downloader
URLs (3):
  http://gaag.ddns.net/imo/ana.exe
  http://bit.do/fQWAj
  http://bit.do/
Hosts (4):
  bit.do(54.83.52.76) - mailcious
  gaag.ddns.net(23.95.122.53)
  23.95.122.53 - mailcious
  54.83.52.76 - suspicious
Signatures (3):
  ET INFO Possible RTF File With Obfuscated Version Header
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

8471 | 2021-06-02 09:49 | free-000999.exe 62e1e922414f00b84ec0566c748b6649 | 8.6 | M | 34 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (18):
  http://www.xzklrhy.com/p2io/?CR=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&RZ=dnrxW2q8aPEXL2o
  http://www.biztekno.com/p2io/
  http://www.biztekno.com/p2io/?CR=IctutJlBoNuiRzjg9eJAOxuhjWEnlD6jXMGlUqS5/LzI4DrjbzOHsOs+aKVDYU94ARKAVZYk&RZ=dnrxW2q8aPEXL2o
  http://www.liminaltechnology.com/p2io/?CR=PfX6gvL1n2k6iJTsm2w17tv0qq3FBu3hWsZA38xYtqeUN4691F0nKiAgOKyjpkHMBi57ZW6+&RZ=dnrxW2q8aPEXL2o - rule_id: 1548
  http://www.hfjxhs.com/p2io/?CR=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&RZ=dnrxW2q8aPEXL2o - rule_id: 1561
  http://www.69-1hn7uc.net/p2io/
  http://www.hfjxhs.com/p2io/ - rule_id: 1561
  http://www.liminaltechnology.com/p2io/ - rule_id: 1548
  http://www.ruhexuangou.com/p2io/?CR=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&RZ=dnrxW2q8aPEXL2o - rule_id: 1557
  http://www.69-1hn7uc.net/p2io/?CR=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&RZ=dnrxW2q8aPEXL2o
  http://www.micheldrake.com/p2io/?CR=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&RZ=dnrxW2q8aPEXL2o - rule_id: 1550
  http://www.vectoroutlines.com/p2io/ - rule_id: 1549
  http://www.swayam-moj.com/p2io/
  http://www.ruhexuangou.com/p2io/ - rule_id: 1557
  http://www.vectoroutlines.com/p2io/?CR=RfOK6jKjejKyxd8Ge5LTyAppaXreGCTFIzs53vHZyU46XfbA28pKG3jMmZvEd1BBCDsLyI+Y&RZ=dnrxW2q8aPEXL2o - rule_id: 1549
  http://www.swayam-moj.com/p2io/?CR=0YkKA47ytgNTTKqC7kPMKR9IRaKfA7HvmA7dw67lGMbK4Ohl/Dwg+4NiV6Vw2XjcgeSDEO3B&RZ=dnrxW2q8aPEXL2o
  http://www.xzklrhy.com/p2io/
  http://www.micheldrake.com/p2io/ - rule_id: 1550
Hosts (19):
  www.vectoroutlines.com(198.54.126.105)
  www.ruhexuangou.com(23.82.57.32)
  www.liminaltechnology.com(185.111.89.170)
  www.biztekno.com(151.106.118.75)
  www.tricqr.com() - mailcious
  www.micheldrake.com(192.0.78.25)
  www.hfjxhs.com(156.241.53.161)
  www.69-1hn7uc.net(163.43.122.126)
  www.swayam-moj.com(199.195.117.147)
  www.xzklrhy.com(156.255.140.216)
  156.241.53.161 - mailcious
  198.54.126.105 - mailcious
  156.255.140.216
  185.111.89.170 - mailcious
  199.195.117.147 - malware
  163.43.122.126
  151.106.118.75
  192.0.78.24 - mailcious
  23.82.57.32 - mailcious
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
HTTP requests (10):
  http://www.liminaltechnology.com/p2io/
  http://www.hfjxhs.com/p2io/
  http://www.hfjxhs.com/p2io/
  http://www.liminaltechnology.com/p2io/
  http://www.ruhexuangou.com/p2io/
  http://www.micheldrake.com/p2io/
  http://www.vectoroutlines.com/p2io/
  http://www.ruhexuangou.com/p2io/
  http://www.vectoroutlines.com/p2io/
  http://www.micheldrake.com/p2io/

8472 | 2021-06-02 09:51 | RequestForQuote.exe 623de5211f56f514f6f149a414d5d6a9 | 5.2 | | 15 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework Generic Malware Anti_VM Malicious Library Antivirus PE File .NET EXE PE32 VirusTotal Malware powershell PDB suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key

8473 | 2021-06-02 09:52 | andre34.exe 8e92a33277fce903f46b4551b9871f8d | 2.2 | M | 31 | ZeroCERT
Tags: AsyncRAT backdoor PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself

8474 | 2021-06-02 10:02 | freeold.exe 5108b268343f682e45b04f1af1dab2e3 | 8.4 | M | 47 | r0d
Tags: NetWire RAT Admin Tool Sysinternals Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key

8475 | 2021-06-02 10:14 | 6ha8ua.exe 77be0dd6570301acac3634801676b5d7 | 8.8 | M | 57 | ZeroCERT
Tags: Ficker Stealer PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Browser ComputerName Software
URLs (1):
  http://api.ipify.org/?format=xml
Hosts (4):
  sweyblidian.com(92.62.115.177) - mailcious
  api.ipify.org(54.235.175.90)
  23.21.128.92
  92.62.115.177
Signatures (3):
  ET MALWARE Win32/Ficker Stealer Activity
  ET MALWARE Win32/Ficker Stealer Activity M3
  ET POLICY External IP Lookup (ipify .org)