| 8461 |
2021-06-02 09:37
|
 free-olddd.exe d3444e2455ec7c3120279e1848a12810
AsyncRAT backdoor PWS .NET framework AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
16
http://www.adultpeace.com/p2io/?DVld2=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&6l=TjPx - rule_id: 1554
http://www.bigplatesmallwallet.com/p2io/?DVld2=O674xtRxkGNoF6c3kGCKbVIXJyLg/Uv1kE5kvfYRu46mJjBrOhkzeBS5wyL3I0uQtRm1X0si&6l=TjPx - rule_id: 1563
http://www.adultpeace.com/p2io/ - rule_id: 1554
http://www.69-1hn7uc.net/p2io/
http://www.hfjxhs.com/p2io/ - rule_id: 1561
http://www.ruhexuangou.com/p2io/?DVld2=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&6l=TjPx - rule_id: 1557
http://www.newmopeds.com/p2io/?DVld2=bSK1RxPLajIrf62nOJ2LeA3okZHmhG3V4GBmTatllgIVkFsFULHDN0cIL5FJcRS/4igqPa1G&6l=TjPx
http://www.hfjxhs.com/p2io/?DVld2=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&6l=TjPx - rule_id: 1561
http://www.69-1hn7uc.net/p2io/?DVld2=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&6l=TjPx
http://www.xzklrhy.com/p2io/?DVld2=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&6l=TjPx
http://www.ruhexuangou.com/p2io/ - rule_id: 1557
http://www.newmopeds.com/p2io/
http://www.malcorinmobiliaria.com/p2io/
http://www.bigplatesmallwallet.com/p2io/ - rule_id: 1563
http://www.xzklrhy.com/p2io/
http://www.malcorinmobiliaria.com/p2io/?DVld2=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&6l=TjPx
|
20
www.malcorinmobiliaria.com(160.121.176.84)
www.ruhexuangou.com(23.82.57.32)
www.tricqr.com() - mailcious
www.newmopeds.com(52.58.78.16)
www.bigplatesmallwallet.com(66.235.200.147)
www.foxwaybrasil.com()
www.hfjxhs.com(156.241.53.161)
www.69-1hn7uc.net(163.43.122.113)
www.adultpeace.com(163.44.239.73)
www.xzklrhy.com(156.255.140.216)
www.hiddenwholesale.com(44.227.76.166)
44.227.76.166 - mailcious
156.255.140.216
160.121.176.84
66.235.200.147 - phishing
163.44.239.73 - mailcious
52.58.78.16 - mailcious
163.43.122.113
23.82.57.32 - mailcious
156.241.53.161 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 17
|
8
http://www.adultpeace.com/p2io/
http://www.bigplatesmallwallet.com/p2io/
http://www.adultpeace.com/p2io/
http://www.hfjxhs.com/p2io/
http://www.ruhexuangou.com/p2io/
http://www.hfjxhs.com/p2io/
http://www.ruhexuangou.com/p2io/
http://www.bigplatesmallwallet.com/p2io/
|
8.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8462 |
2021-06-02 09:38
|
 22.txt.ps1 bf6117d4fad0497d063372f909130b52
Antivirus SMTP KeyLogger AntiDebug AntiVM Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://103.114.107.28/me/web22/inc/4e9ab3daa297f6.php
|
1
|
|
|
13.4 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8463 |
2021-06-02 09:38
|
 cc200-766.exe 105ffd15c074e777f79563cf0021269d
AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
7.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8464 |
2021-06-02 09:40
|
 vbc.exe 541369bff43470b5cb1056745b7eec92
PE File PE32 VirusTotal Malware DNS |
|
|
|
|
1.6 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8465 |
2021-06-02 09:41
|
 six.exe 2a48970e8253b99331a5ca1d84352a22
AsyncRAT backdoor PWS .NET framework Generic Malware Anti_VM Malicious Library DNS SMTP AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
2
ararat.mangospot.net(185.140.53.216)
185.140.53.216
|
|
|
15.2 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8466 |
2021-06-02 09:43
|
 free.exe 346db6be65f107fc0929e16671f064aa
AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
|
|
|
8.4 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8467 |
2021-06-02 09:43
|
 nano.docx 370c5933c34e634ee403ab76247c4161
RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS DDNS crashed Downloader |
3
http://gaag.ddns.net/imo/six.exe
http://bit.do/fQWAm
http://bit.do/
|
6
bit.do(54.83.52.76) - mailcious
gaag.ddns.net(23.95.122.53)
ararat.mangospot.net(185.140.53.216)
23.95.122.53 - mailcious
54.83.52.76 - suspicious
185.140.53.216
|
4
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Possible RTF File With Obfuscated Version Header
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
3.4 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8468 |
2021-06-02 09:45
|
 free-098.exe 0c6debc3cc51f3b1c2937626148ea5f8
PWS .NET framework AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
|
|
|
8.6 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8469 |
2021-06-02 09:45
|
 cc200-998.exe 9287afea22d334d75e2780cbee5da87c
PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
8.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8470 |
2021-06-02 09:48
|
 loki.docx b611e891cb9f097c7c357bb2c0e4ead3
RTF File doc Malware download Malware Malicious Traffic exploit crash unpack itself Exploit DNS DDNS crashed Downloader |
3
http://gaag.ddns.net/imo/ana.exe
http://bit.do/fQWAj
http://bit.do/
|
4
bit.do(54.83.52.76) - mailcious
gaag.ddns.net(23.95.122.53)
23.95.122.53 - mailcious
54.83.52.76 - suspicious
|
3
ET INFO Possible RTF File With Obfuscated Version Header
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8471 |
2021-06-02 09:49
|
 free-000999.exe 62e1e922414f00b84ec0566c748b6649
AsyncRAT backdoor PWS .NET framework ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
18
http://www.xzklrhy.com/p2io/?CR=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&RZ=dnrxW2q8aPEXL2o
http://www.biztekno.com/p2io/
http://www.biztekno.com/p2io/?CR=IctutJlBoNuiRzjg9eJAOxuhjWEnlD6jXMGlUqS5/LzI4DrjbzOHsOs+aKVDYU94ARKAVZYk&RZ=dnrxW2q8aPEXL2o
http://www.liminaltechnology.com/p2io/?CR=PfX6gvL1n2k6iJTsm2w17tv0qq3FBu3hWsZA38xYtqeUN4691F0nKiAgOKyjpkHMBi57ZW6+&RZ=dnrxW2q8aPEXL2o - rule_id: 1548
http://www.hfjxhs.com/p2io/?CR=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&RZ=dnrxW2q8aPEXL2o - rule_id: 1561
http://www.69-1hn7uc.net/p2io/
http://www.hfjxhs.com/p2io/ - rule_id: 1561
http://www.liminaltechnology.com/p2io/ - rule_id: 1548
http://www.ruhexuangou.com/p2io/?CR=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&RZ=dnrxW2q8aPEXL2o - rule_id: 1557
http://www.69-1hn7uc.net/p2io/?CR=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&RZ=dnrxW2q8aPEXL2o
http://www.micheldrake.com/p2io/?CR=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&RZ=dnrxW2q8aPEXL2o - rule_id: 1550
http://www.vectoroutlines.com/p2io/ - rule_id: 1549
http://www.swayam-moj.com/p2io/
http://www.ruhexuangou.com/p2io/ - rule_id: 1557
http://www.vectoroutlines.com/p2io/?CR=RfOK6jKjejKyxd8Ge5LTyAppaXreGCTFIzs53vHZyU46XfbA28pKG3jMmZvEd1BBCDsLyI+Y&RZ=dnrxW2q8aPEXL2o - rule_id: 1549
http://www.swayam-moj.com/p2io/?CR=0YkKA47ytgNTTKqC7kPMKR9IRaKfA7HvmA7dw67lGMbK4Ohl/Dwg+4NiV6Vw2XjcgeSDEO3B&RZ=dnrxW2q8aPEXL2o
http://www.xzklrhy.com/p2io/
http://www.micheldrake.com/p2io/ - rule_id: 1550
|
19
www.vectoroutlines.com(198.54.126.105)
www.ruhexuangou.com(23.82.57.32)
www.liminaltechnology.com(185.111.89.170)
www.biztekno.com(151.106.118.75)
www.tricqr.com() - mailcious
www.micheldrake.com(192.0.78.25)
www.hfjxhs.com(156.241.53.161)
www.69-1hn7uc.net(163.43.122.126)
www.swayam-moj.com(199.195.117.147)
www.xzklrhy.com(156.255.140.216)
156.241.53.161 - mailcious
198.54.126.105 - mailcious
156.255.140.216
185.111.89.170 - mailcious
199.195.117.147 - malware
163.43.122.126
151.106.118.75
192.0.78.24 - mailcious
23.82.57.32 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
10
http://www.liminaltechnology.com/p2io/
http://www.hfjxhs.com/p2io/
http://www.hfjxhs.com/p2io/
http://www.liminaltechnology.com/p2io/
http://www.ruhexuangou.com/p2io/
http://www.micheldrake.com/p2io/
http://www.vectoroutlines.com/p2io/
http://www.ruhexuangou.com/p2io/
http://www.vectoroutlines.com/p2io/
http://www.micheldrake.com/p2io/
|
8.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8472 |
2021-06-02 09:51
|
 RequestForQuote.exe 623de5211f56f514f6f149a414d5d6a9
AsyncRAT backdoor PWS .NET framework Generic Malware Anti_VM Malicious Library Antivirus PE File .NET EXE PE32 VirusTotal Malware powershell PDB suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.2 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8473 |
2021-06-02 09:52
|
 andre34.exe 8e92a33277fce903f46b4551b9871f8d
AsyncRAT backdoor PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8474 |
2021-06-02 10:02
|
 freeold.exe 5108b268343f682e45b04f1af1dab2e3
NetWire RAT Admin Tool Sysinternals Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
8.4 |
M |
47 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8475 |
2021-06-02 10:14
|
 6ha8ua.exe 77be0dd6570301acac3634801676b5d7
Ficker Stealer PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Browser ComputerName Software |
1
http://api.ipify.org/?format=xml
|
4
sweyblidian.com(92.62.115.177) - mailcious
api.ipify.org(54.235.175.90)
23.21.128.92
92.62.115.177
|
3
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
|
|
8.8 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|