| 8791 |
2021-06-11 13:31
|
 black1.txt.ps1 c8e15e41f1b6c3c7e49caa7cc853cde0
Anti_VM Antivirus SMTP KeyLogger AntiDebug AntiVM Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://103.114.107.28/master/black/inc/a73043f92e1eba.php - rule_id: 1709
|
1
103.114.107.28 - mailcious
|
|
1
|
13.4 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8792 |
2021-06-11 13:39
|
 logo.png 526d56017ef5105277fe0d366c95c39d
PE File OS Processor Check PE32 VirusTotal Malware Malicious Traffic Tofsee DNS |
1
https://injuryless.com/?id=test22-PC_94DE278C3274
|
2
injuryless.com(193.178.169.243)
193.178.169.243
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8793 |
2021-06-11 15:54
|
http://Pokec.com 412faa550649436fb221474c3c314b1a
AgentTesla Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM JPEG Format PNG Format MSOff Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
47
http://pokec.com/
http://www.pokec.com/
https://pokec.azet.sk/_next/static/chunks/polyfills-af28de04c604a2479390.js
https://pokec.azet.sk/undefined?uri=http://pokec.azet.sk&type=jslogin
https://pokec.azet.sk/assets/avatars/17.png
https://pokec.azet.sk/favicon.ico
https://pokec.azet.sk/assets/img/bg-waves-mobile-grey.svg
https://pokec.azet.sk/assets/avatars/8.png
https://pokec.azet.sk/assets/avatars/6.png
https://pokec.azet.sk/assets/img/ic-sent-messages.svg
https://pokec.azet.sk/assets/img/ic-ringier.svg
https://pokec.azet.sk/_next/static/ydGyyGJgG-dmmXVyuMvAA/_ssgManifest.js
https://pokec.azet.sk/assets/img/pokec-logo.svg
https://pokec.azet.sk/assets/img/ic-heart.svg
https://pokec.azet.sk/fonts/Caveat/caveat-v10-latin-ext-regular.eot?
https://t1.aimg.sk/pokec/fotoalbumy/05/502536637_6091aeebb2797c365ef356a1c64c556b.jpg?t=Lzg4eDExMA%3D%3D&h=2cYG6sxbFVkeDWM35jMV0w&e=2145916800
https://pokec.azet.sk/fonts/Inter/inter-v3-latin-ext-700.eot?
https://pokec.azet.sk/fonts/Inter/inter-v3-latin-ext-800.eot?
https://pokec.azet.sk/fonts/Inter/inter-v3-latin-ext-regular.eot?
https://pokec.azet.sk/
https://pokec.azet.sk/assets/img/ic-votes-stretko.svg
https://pokec.azet.sk/assets/img/bg-wave-shadow.svg
https://pokec.azet.sk/_next/static/chunks/425e3f4a36ea5717a0d8f810b5936844d2fc80ab.b946dff1c19b17008f16.js
https://t3.aimg.sk/pokec/mobimg/05/1416650876.png?t=&h=a_l2UNC1NfSHo8gmiespIw&e=2145916800
https://pokec.azet.sk/_next/static/chunks/main-fb1867f8372b983c506e.js
https://pokec.azet.sk/assets/img/external-link.svg
https://pokec.azet.sk/assets/img/ic-appstore-small.svg
https://pokec.azet.sk/assets/img/ic-uploaded-photos.svg
https://pokec.azet.sk/assets/img/ic-scroll.svg
https://pokec.azet.sk/_next/static/ydGyyGJgG-dmmXVyuMvAA/_buildManifest.js
https://pokec.azet.sk/assets/avatars/2.png
https://pokec.azet.sk/_next/static/chunks/pages/index-a19b5677ea4b34d0cf3c.js
https://pokec.azet.sk/assets/img/google_play.svg
https://pokec.azet.sk/assets/img/ic-sent-rp.svg
https://pokec.azet.sk/assets/img/outline-status-eye.svg
https://t2.aimg.sk/pokec/fotoalbumy/01/470490537_0f7b3cd204048064915142adbf3c7544.jpg?t=Lzg4eDExMA%3D%3D&h=Lvk-2GLRtOx_I4nGZhdR1g&e=2145916800
https://pokec.azet.sk/assets/img/ic-pokec-app.svg
https://pokec.azet.sk/assets/avatars/11.png
https://pokec.azet.sk/_next/static/chunks/pages/_app-901831d2b44b56f7a7d9.js
https://pokec.azet.sk/assets/avatars/10.png
https://pokec.azet.sk/assets/img/ic-arrow-disabled.svg
https://pokec.azet.sk/fonts/Caveat/caveat-v10-latin-ext-regular.woff
https://pokec.azet.sk/undefined?uri=http://undefinedundefined&type=jslogin
https://pokec.azet.sk/_next/static/chunks/1857d7a50db43a71dad3aa13f46bad8d13f5b7e7.eb5c5a09f1fbb9aceaad.js
https://t4.aimg.sk/pokec/fotoalbumy/05/449392053_2f01e5764f387be1c69651ececbe132c.jpg?t=Lzg4eDExMA%3D%3D&h=JQ69l6MrzomkooN8eo745g&e=2145916800
https://pokec.azet.sk/_next/static/chunks/webpack-147ea3ada7109f6dc0bb.js
https://pokec.azet.sk/_next/static/chunks/framework.399b4f594eb85e2c7155.js
|
10
t3.aimg.sk(91.235.53.24)
pokec.com(91.235.53.86)
t1.aimg.sk(91.235.53.24)
t2.aimg.sk(91.235.53.24)
www.pokec.com(91.235.53.86)
t4.aimg.sk(91.235.53.24)
pokec.azet.sk(91.235.52.11)
91.235.53.86
91.235.52.11
91.235.53.24
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8794 |
2021-06-11 16:00
|
http://b.ns36.de
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
b.ns36.de(91.195.240.7)
91.195.240.7
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8795 |
2021-06-11 16:22
|
index2.html be8764f2800cc28a19b745fd6f81dba9
AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
33
https://www.bing.com/secure/Passport.aspx?popup=1&ssl=1
https://www.bing.com/rp/svI82uPNFRD54V4bMLaeahXQXBI.gz.js
https://www2.bing.com/ipv6test/test
https://www.bing.com/rp/B0oC6BX98v6fWz1fuvaeRm9bOak.png
https://www.bing.com/rp/n8-O_KIRNSMPFWQWrGjn0BRH6SM.gz.js
https://www.bing.com/rp/hceflue5sqxkKta9dP3R-IFtPuY.gz.js
https://www.bing.com/rp/eaMqCdNxIXjLc0ATep7tsFkfmSA.gz.js
https://www.bing.com/rp/MstqcgNaYngCBavkktAoSE0--po.gz.js
https://www.bing.com/orgid/idtoken/conditional
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=6b267c39-7342-4a85-89ec-b4cb1cb52718&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%229D12532635294F00A7B04ABD98369983%22%7d
https://www.bing.com/
https://www.bing.com/rp/ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz.js
https://www.bing.com/rp/nD3Dxxt3XsvojhRsXFq3RJI2wTE.gz.js
https://www.bing.com/rp/FvkosEDIbuCPhD1mwLAN-LJ7Coc.gz.js
https://www.bing.com/rp/Xp-HPHGHOZznHBwdn7OWdva404Y.gz.js
https://www.bing.com/rp/2ajnlX1juJQ_Nu80sW46BDUL1-A.gz.js
https://www.bing.com/rp/a282eRIAnHsW_URoyogdzsukm_o.gz.js
https://www.bing.com/rp/MDr1f9aJs4rBVf1F5DAtlALvweY.gz.js
https://www.bing.com/rp/P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz.js
https://www.bing.com/rp/Dta1_Or8JEDr20O5LJEJy7sv1z0.gz.js
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1623395708&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=1042&id=264960&checkda=1
https://www.bing.com/rp/swyt_VnIjJDWZW5KEq7a8l_1AEw.gz.js
https://www.bing.com/rp/_ofc7e4WqqkT9lPqQJykFP4vxq4.gz.js
https://www.bing.com/fd/ls/l?IG=9D12532635294F00A7B04ABD98369983&CID=026EA38DE0CA69A22623B3DEE159681C&Type=Event.CPT&DATA={"pp":{"S":"L","FC":-1,"BC":-1,"SE":-1,"TC":-1,"H":846,"BP":1164,"CT":1233,"IL":1},"ad":[-1,-1,1365,899,1365,899,0]}&P=SERP&DA=HKGE01
https://www.bing.com/ipv6test/test?FORM=MONITR
https://www.bing.com/sa/simg/favicon-2x.ico
https://www.bing.com/fd/ls/l?IG=9D12532635294F00A7B04ABD98369983&CID=026EA38DE0CA69A22623B3DEE159681C&TYPE=Event.ClientInst&DATA=%5B%7B%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698471%2C%22Name%22%3A%22Base%22%2C%22FID%22%3A%22CI%22%7D%2C%7B%22width%22%3A%221365%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%22W%22%2C%22FID%22%3A%22BRW%22%7D%2C%7B%22height%22%3A%22899%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%22M%22%2C%22FID%22%3A%22BRH%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%221%22%2C%22FID%22%3A%22Mutation%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%224%22%2C%22FID%22%3A%22DM%22%7D%2C%7B%22RTT%22%3A%221623395694987%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698826%2C%22Name%22%3A%22ClientPerf%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22w%22%3A%221365%22%2C%22h%22%3A%221024%22%2C%22dpr%22%3A%220%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698826%2C%22Name%22%3A%22ClientScreen%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22Time%22%3A3877%2C%22T%22%3A%22CI.Latency%22%2C%22TS%22%3A1623395698864%2C%22Name%22%3A%22sBoxTime%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22T%22%3A%22CI.ClientInst%22%2C%22TS%22%3A1623395699131%2C%22Name%22%3A%22OrgId%22%2C%22FID%22%3A%22NoSignInAttempt%22%7D%5D
https://www.bing.com/th?id=OHR.GlenEtive_ROW5856952083_1920x1080.jpg&rf=LaDigue_1920x1080.jpg&pid=hp
https://www.bing.com/rp/6sxhavkE4_SZHA_K4rwWmg67vF0.gz.js
https://www.bing.com/fd/ls/lsp.aspx
https://www.bing.com/rp/RXZtj0lYpFm5XDPMpuGSsNG8i9I.gz.js
https://www.bing.com/fd/ls/lsp.aspx?
https://www.bing.com/rp/pCNhfy2VQinsKZ9KIqxtGogwDv0.gz.js
|
7
login.live.com(40.126.37.6)
login.microsoftonline.com(40.126.52.148)
tootirrruahapowsadassa.com(104.21.94.22)
www2.bing.com(13.107.21.200)
20.190.163.18
40.126.52.3
104.21.94.22
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.2 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8796 |
2021-06-11 16:37
|
M0011.cab bfd9adc75c1b260cbc0aea6e544f080d
Escalate priviledges KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself DNS |
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8797 |
2021-06-11 17:20
|
http://kf.carthage2s.com/XtmkL... b4e2699346ce3d5f87374a32403e3464
AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 MSOffice File Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed |
1
http://kf.carthage2s.com/XtmkLSmftnsk6TlB.exe
|
2
kf.carthage2s.com(41.231.5.212)
41.231.5.212
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
39 |
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8798 |
2021-06-11 17:44
|
 XtmkLSmftnsk6TlB.exe b4e2699346ce3d5f87374a32403e3464
AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library Antivirus AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
11.8 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8799 |
2021-06-12 11:05
|
 oCs.txt.html 57ae0fd6b13d1be4fdc0e1171a9ea4d8
VBScript PowerShell Obfuscated File VirusTotal Malware DNS crashed |
|
|
|
|
1.4 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8800 |
2021-06-12 11:15
|
 Clean_lol123.txt.html a3b75be1163014e2f01e87adc2d49724
Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key |
3
https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT
https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt
https://ia601406.us.archive.org/32/items/run-02-02-02/Run_02_02_02.TXT
|
2
ia601406.us.archive.org(207.241.227.126)
207.241.227.126
|
|
|
6.8 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8801 |
2021-06-12 11:25
|
 RFL_0769002.exe 3c88c6ef1a906bc81fc6b5b7fc478e0c
AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
1
http://www.quangcaosonthach.com/gw2/?DVldV=nK+cpShbKNzMzU5qLnlc+tBFBddRBf6O1ztjvSAMnluiyaRb30M36lbYqq0lmPBz7QeF2Hp1&mnSl=Txlh
|
2
www.quangcaosonthach.com(103.237.145.7)
103.237.145.7
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.6 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8802 |
2021-06-12 11:27
|
 rfl_01098752.exe d2a8ef4a18e3c6dc377daf765b37a9ca
AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself DNS |
1
http://www.hsxytz.com/gw2/?wPT=L1XyuERUZAN7GjmZXl9lGC0xuXxteQ1a6payECjBCuYlsCvzsyZNPLPzNw9teZKdXe1TvUf8&oXN=6lSd02cp
|
2
www.hsxytz.com(154.84.115.227)
154.84.115.227
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.0 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8803 |
2021-06-12 11:28
|
 ner.exe 4e99138abad19c9cba519e39083831c5
Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed |
|
1
|
|
|
4.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8804 |
2021-06-12 11:29
|
 290-App19.exe 2648886dbd37ccc239ca91bd3d2f4e5f
AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.71)
172.67.188.154
131.186.161.70
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8805 |
2021-06-12 12:44
|
 x.exe b8764252ff52d8b29685298a9eda35f1
Antivirus PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|