8791 | 2021-06-11 13:31
sample: black1.txt.ps1
md5: c8e15e41f1b6c3c7e49caa7cc853cde0
tags: Anti_VM Antivirus SMTP KeyLogger AntiDebug AntiVM Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
urls (1):
  http://103.114.107.28/master/black/inc/a73043f92e1eba.php - rule_id: 1709
hosts (1):
  103.114.107.28 - malicious
alerts: (none)
1 | 13.4 | M | 3 | ZeroCERT

8792 | 2021-06-11 13:39
sample: logo.png
md5: 526d56017ef5105277fe0d366c95c39d
tags: PE File OS Processor Check PE32 VirusTotal Malware Malicious Traffic Tofsee DNS
urls (1):
  https://injuryless.com/?id=test22-PC_94DE278C3274
hosts (2):
  injuryless.com(193.178.169.243)
  193.178.169.243
alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 2.6 | M | 25 | ZeroCERT

8793 | 2021-06-11 15:54
sample: http://Pokec.com
md5: 412faa550649436fb221474c3c314b1a
tags: AgentTesla Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM JPEG Format PNG Format MSOff Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
urls (47):
  http://pokec.com/
  http://www.pokec.com/
  https://pokec.azet.sk/_next/static/chunks/polyfills-af28de04c604a2479390.js
  https://pokec.azet.sk/undefined?uri=http://pokec.azet.sk&type=jslogin
  https://pokec.azet.sk/assets/avatars/17.png
  https://pokec.azet.sk/favicon.ico
  https://pokec.azet.sk/assets/img/bg-waves-mobile-grey.svg
  https://pokec.azet.sk/assets/avatars/8.png
  https://pokec.azet.sk/assets/avatars/6.png
  https://pokec.azet.sk/assets/img/ic-sent-messages.svg
  https://pokec.azet.sk/assets/img/ic-ringier.svg
  https://pokec.azet.sk/_next/static/ydGyyGJgG-dmmXVyuMvAA/_ssgManifest.js
  https://pokec.azet.sk/assets/img/pokec-logo.svg
  https://pokec.azet.sk/assets/img/ic-heart.svg
  https://pokec.azet.sk/fonts/Caveat/caveat-v10-latin-ext-regular.eot?
  https://t1.aimg.sk/pokec/fotoalbumy/05/502536637_6091aeebb2797c365ef356a1c64c556b.jpg?t=Lzg4eDExMA%3D%3D&h=2cYG6sxbFVkeDWM35jMV0w&e=2145916800
  https://pokec.azet.sk/fonts/Inter/inter-v3-latin-ext-700.eot?
  https://pokec.azet.sk/fonts/Inter/inter-v3-latin-ext-800.eot?
  https://pokec.azet.sk/fonts/Inter/inter-v3-latin-ext-regular.eot?
  https://pokec.azet.sk/
  https://pokec.azet.sk/assets/img/ic-votes-stretko.svg
  https://pokec.azet.sk/assets/img/bg-wave-shadow.svg
  https://pokec.azet.sk/_next/static/chunks/425e3f4a36ea5717a0d8f810b5936844d2fc80ab.b946dff1c19b17008f16.js
  https://t3.aimg.sk/pokec/mobimg/05/1416650876.png?t=&h=a_l2UNC1NfSHo8gmiespIw&e=2145916800
  https://pokec.azet.sk/_next/static/chunks/main-fb1867f8372b983c506e.js
  https://pokec.azet.sk/assets/img/external-link.svg
  https://pokec.azet.sk/assets/img/ic-appstore-small.svg
  https://pokec.azet.sk/assets/img/ic-uploaded-photos.svg
  https://pokec.azet.sk/assets/img/ic-scroll.svg
  https://pokec.azet.sk/_next/static/ydGyyGJgG-dmmXVyuMvAA/_buildManifest.js
  https://pokec.azet.sk/assets/avatars/2.png
  https://pokec.azet.sk/_next/static/chunks/pages/index-a19b5677ea4b34d0cf3c.js
  https://pokec.azet.sk/assets/img/google_play.svg
  https://pokec.azet.sk/assets/img/ic-sent-rp.svg
  https://pokec.azet.sk/assets/img/outline-status-eye.svg
  https://t2.aimg.sk/pokec/fotoalbumy/01/470490537_0f7b3cd204048064915142adbf3c7544.jpg?t=Lzg4eDExMA%3D%3D&h=Lvk-2GLRtOx_I4nGZhdR1g&e=2145916800
  https://pokec.azet.sk/assets/img/ic-pokec-app.svg
  https://pokec.azet.sk/assets/avatars/11.png
  https://pokec.azet.sk/_next/static/chunks/pages/_app-901831d2b44b56f7a7d9.js
  https://pokec.azet.sk/assets/avatars/10.png
  https://pokec.azet.sk/assets/img/ic-arrow-disabled.svg
  https://pokec.azet.sk/fonts/Caveat/caveat-v10-latin-ext-regular.woff
  https://pokec.azet.sk/undefined?uri=http://undefinedundefined&type=jslogin
  https://pokec.azet.sk/_next/static/chunks/1857d7a50db43a71dad3aa13f46bad8d13f5b7e7.eb5c5a09f1fbb9aceaad.js
  https://t4.aimg.sk/pokec/fotoalbumy/05/449392053_2f01e5764f387be1c69651ececbe132c.jpg?t=Lzg4eDExMA%3D%3D&h=JQ69l6MrzomkooN8eo745g&e=2145916800
  https://pokec.azet.sk/_next/static/chunks/webpack-147ea3ada7109f6dc0bb.js
  https://pokec.azet.sk/_next/static/chunks/framework.399b4f594eb85e2c7155.js
hosts (10):
  t3.aimg.sk(91.235.53.24)
  pokec.com(91.235.53.86)
  t1.aimg.sk(91.235.53.24)
  t2.aimg.sk(91.235.53.24)
  www.pokec.com(91.235.53.86)
  t4.aimg.sk(91.235.53.24)
  pokec.azet.sk(91.235.52.11)
  91.235.53.86
  91.235.52.11
  91.235.53.24
alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
- | 4.6 | - | - | guest

8794 | 2021-06-11 16:00
sample: http://b.ns36.de
md5: (not recorded)
tags: AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
urls: (none)
hosts (2):
  b.ns36.de(91.195.240.7)
  91.195.240.7
alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
- | 5.6 | - | - | guest

8795 | 2021-06-11 16:22
sample: index2.html
md5: be8764f2800cc28a19b745fd6f81dba9
tags: AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
urls (33):
  https://www.bing.com/secure/Passport.aspx?popup=1&ssl=1
  https://www.bing.com/rp/svI82uPNFRD54V4bMLaeahXQXBI.gz.js
  https://www2.bing.com/ipv6test/test
  https://www.bing.com/rp/B0oC6BX98v6fWz1fuvaeRm9bOak.png
  https://www.bing.com/rp/n8-O_KIRNSMPFWQWrGjn0BRH6SM.gz.js
  https://www.bing.com/rp/hceflue5sqxkKta9dP3R-IFtPuY.gz.js
  https://www.bing.com/rp/eaMqCdNxIXjLc0ATep7tsFkfmSA.gz.js
  https://www.bing.com/rp/MstqcgNaYngCBavkktAoSE0--po.gz.js
  https://www.bing.com/orgid/idtoken/conditional
  https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=6b267c39-7342-4a85-89ec-b4cb1cb52718&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%229D12532635294F00A7B04ABD98369983%22%7d
  https://www.bing.com/
  https://www.bing.com/rp/ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz.js
  https://www.bing.com/rp/nD3Dxxt3XsvojhRsXFq3RJI2wTE.gz.js
  https://www.bing.com/rp/FvkosEDIbuCPhD1mwLAN-LJ7Coc.gz.js
  https://www.bing.com/rp/Xp-HPHGHOZznHBwdn7OWdva404Y.gz.js
  https://www.bing.com/rp/2ajnlX1juJQ_Nu80sW46BDUL1-A.gz.js
  https://www.bing.com/rp/a282eRIAnHsW_URoyogdzsukm_o.gz.js
  https://www.bing.com/rp/MDr1f9aJs4rBVf1F5DAtlALvweY.gz.js
  https://www.bing.com/rp/P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz.js
  https://www.bing.com/rp/Dta1_Or8JEDr20O5LJEJy7sv1z0.gz.js
  https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1623395708&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=1042&id=264960&checkda=1
  https://www.bing.com/rp/swyt_VnIjJDWZW5KEq7a8l_1AEw.gz.js
  https://www.bing.com/rp/_ofc7e4WqqkT9lPqQJykFP4vxq4.gz.js
  https://www.bing.com/fd/ls/l?IG=9D12532635294F00A7B04ABD98369983&CID=026EA38DE0CA69A22623B3DEE159681C&Type=Event.CPT&DATA={"pp":{"S":"L","FC":-1,"BC":-1,"SE":-1,"TC":-1,"H":846,"BP":1164,"CT":1233,"IL":1},"ad":[-1,-1,1365,899,1365,899,0]}&P=SERP&DA=HKGE01
  https://www.bing.com/ipv6test/test?FORM=MONITR
  https://www.bing.com/sa/simg/favicon-2x.ico
  https://www.bing.com/fd/ls/l?IG=9D12532635294F00A7B04ABD98369983&CID=026EA38DE0CA69A22623B3DEE159681C&TYPE=Event.ClientInst&DATA=%5B%7B%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698471%2C%22Name%22%3A%22Base%22%2C%22FID%22%3A%22CI%22%7D%2C%7B%22width%22%3A%221365%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%22W%22%2C%22FID%22%3A%22BRW%22%7D%2C%7B%22height%22%3A%22899%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%22M%22%2C%22FID%22%3A%22BRH%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%221%22%2C%22FID%22%3A%22Mutation%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%224%22%2C%22FID%22%3A%22DM%22%7D%2C%7B%22RTT%22%3A%221623395694987%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698826%2C%22Name%22%3A%22ClientPerf%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22w%22%3A%221365%22%2C%22h%22%3A%221024%22%2C%22dpr%22%3A%220%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698826%2C%22Name%22%3A%22ClientScreen%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22Time%22%3A3877%2C%22T%22%3A%22CI.Latency%22%2C%22TS%22%3A1623395698864%2C%22Name%22%3A%22sBoxTime%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22T%22%3A%22CI.ClientInst%22%2C%22TS%22%3A1623395699131%2C%22Name%22%3A%22OrgId%22%2C%22FID%22%3A%22NoSignInAttempt%22%7D%5D
  https://www.bing.com/th?id=OHR.GlenEtive_ROW5856952083_1920x1080.jpg&rf=LaDigue_1920x1080.jpg&pid=hp
  https://www.bing.com/rp/6sxhavkE4_SZHA_K4rwWmg67vF0.gz.js
  https://www.bing.com/fd/ls/lsp.aspx
  https://www.bing.com/rp/RXZtj0lYpFm5XDPMpuGSsNG8i9I.gz.js
  https://www.bing.com/fd/ls/lsp.aspx?
  https://www.bing.com/rp/pCNhfy2VQinsKZ9KIqxtGogwDv0.gz.js
hosts (7):
  login.live.com(40.126.37.6)
  login.microsoftonline.com(40.126.52.148)
  tootirrruahapowsadassa.com(104.21.94.22)
  www2.bing.com(13.107.21.200)
  20.190.163.18
  40.126.52.3
  104.21.94.22
alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
- | 5.2 | - | 17 | ZeroCERT

8796 | 2021-06-11 16:37
sample: M0011.cab
md5: bfd9adc75c1b260cbc0aea6e544f080d
tags: Escalate priviledges KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself DNS
urls: (none)
hosts: (none)
alerts: (none)
- | 2.2 | - | - | ZeroCERT

8797 | 2021-06-11 17:20
sample: http://kf.carthage2s.com/XtmkL...
md5: b4e2699346ce3d5f87374a32403e3464
tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 MSOffice File Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed
urls (1):
  http://kf.carthage2s.com/XtmkLSmftnsk6TlB.exe
hosts (2):
  kf.carthage2s.com(41.231.5.212)
  41.231.5.212
alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 4.2 | - | 39 | Kim.GS

8798 | 2021-06-11 17:44
sample: XtmkLSmftnsk6TlB.exe
md5: b4e2699346ce3d5f87374a32403e3464
tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library Antivirus AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
urls: (none)
hosts: (none)
alerts: (none)
- | 11.8 | - | 39 | ZeroCERT

8799 | 2021-06-12 11:05
sample: oCs.txt.html
md5: 57ae0fd6b13d1be4fdc0e1171a9ea4d8
tags: VBScript PowerShell Obfuscated File VirusTotal Malware DNS crashed
urls: (none)
hosts: (none)
alerts: (none)
- | 1.4 | M | 16 | ZeroCERT

8800 | 2021-06-12 11:15
sample: Clean_lol123.txt.html
md5: a3b75be1163014e2f01e87adc2d49724
tags: Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key
urls (3):
  https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT
  https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt
  https://ia601406.us.archive.org/32/items/run-02-02-02/Run_02_02_02.TXT
hosts (2):
  ia601406.us.archive.org(207.241.227.126)
  207.241.227.126
alerts: (none)
- | 6.8 | - | 14 | ZeroCERT

8801 | 2021-06-12 11:25
sample: RFL_0769002.exe
md5: 3c88c6ef1a906bc81fc6b5b7fc478e0c
tags: AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself
urls (1):
  http://www.quangcaosonthach.com/gw2/?DVldV=nK+cpShbKNzMzU5qLnlc+tBFBddRBf6O1ztjvSAMnluiyaRb30M36lbYqq0lmPBz7QeF2Hp1&mnSl=Txlh
hosts (2):
  www.quangcaosonthach.com(103.237.145.7)
  103.237.145.7
alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
- | 3.6 | M | 42 | ZeroCERT

8802 | 2021-06-12 11:27
sample: rfl_01098752.exe
md5: d2a8ef4a18e3c6dc377daf765b37a9ca
tags: AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself DNS
urls (1):
  http://www.hsxytz.com/gw2/?wPT=L1XyuERUZAN7GjmZXl9lGC0xuXxteQ1a6payECjBCuYlsCvzsyZNPLPzNw9teZKdXe1TvUf8&oXN=6lSd02cp
hosts (2):
  www.hsxytz.com(154.84.115.227)
  154.84.115.227
alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
- | 4.0 | M | 39 | ZeroCERT

8803 | 2021-06-12 11:28
sample: ner.exe
md5: 4e99138abad19c9cba519e39083831c5
tags: Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed
urls: (none)
hosts (1): (not listed)
alerts: (none)
- | 4.6 | M | 45 | ZeroCERT

8804 | 2021-06-12 11:29
sample: 290-App19.exe
md5: 2648886dbd37ccc239ca91bd3d2f4e5f
tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
urls (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(216.146.43.71)
  172.67.188.154
  131.186.161.70
alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- | 9.8 | M | 42 | ZeroCERT

8805 | 2021-06-12 12:44
sample: x.exe
md5: b8764252ff52d8b29685298a9eda35f1
tags: Antivirus PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
urls: (none)
hosts: (none)
alerts: (none)
- | 7.4 | M | 27 | ZeroCERT
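
The records above are the raw sandbox export, which is awkward to feed into a blocklist or SIEM by hand. The following Python is an added example (not code from this page or from the sandbox operator) that parses that export into records and collects the indicators: MD5, URLs, resolved domain/IP pairs and Suricata rule names. The record layout is inferred from the records on this page, not documented anywhere, so it is an assumption: "<id> |", a timestamp, "|", a header line "<sample> [<md5>] <tags> |", then URL, host and alert sections (a count line plus content, each closed by a "|" line), one further section of unknown meaning, and a four-line trailer (number, "M" flag, count, submitter) whose field meanings are not stated on the page and are therefore kept raw. The embedded sample input is constructed from two of the page's own records.

```python
# Added example, not the sandbox's own code: parse the flattened export shown
# above and pull out IOCs. The record layout below is inferred from the page
# (nothing documents it); trailer fields are kept raw for the same reason.
import re

# "<id> |" directly followed by a timestamp line; the lookahead keeps trailer
# lines such as "39 |" from being taken as record IDs.
RECORD_START = re.compile(r"^(\d+) \|\n(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}$)", re.M)
TRAILER_START = re.compile(r"^\d+(?:\.\d+)? \|$")
MD5 = re.compile(r"^[0-9a-f]{32}$")
HOST = re.compile(r"^([A-Za-z0-9.-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)$")  # name(ip)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Suricata rule names are run together on one line; each begins with
# "ET <CLASS> " or "SSLBL: ", so split on the whitespace just before those.
ALERT_SPLIT = re.compile(r"\s+(?=(?:ET [A-Z_]+ |SSLBL: ))")

def _sections(lines):
    """Split on bare '|' lines and drop each section's leading count line."""
    out, cur = [], []
    for ln in lines:
        if ln == "|":
            out.append(cur)
            cur = []
        else:
            cur.append(ln)
    return [s[1:] if s and s[0].isdigit() else s for s in out + [cur]]

def parse_record(rid, body):
    lines = body.strip("\n").split("\n")
    head = lines[2].rstrip(" |").split()  # lines[1] is the '|' after the timestamp
    md5 = head[1] if len(head) > 1 and MD5.match(head[1]) else None
    rec = {"id": rid, "timestamp": lines[0], "sample": head[0], "md5": md5,
           "tags": " ".join(head[2 if md5 else 1:]), "urls": [], "domains": {},
           "ips": set(), "alerts": [], "trailer": []}
    end = next((i for i in range(3, len(lines)) if TRAILER_START.match(lines[i])),
               len(lines))
    rec["trailer"] = [ln.rstrip(" |") for ln in lines[end:end + 4]]
    secs = _sections(lines[3:end]) + [[], [], []]  # pad: missing sections read empty
    for ln in secs[0]:
        rec["urls"] += [t for t in ln.split() if t.startswith(("http://", "https://"))]
    for tok in " ".join(secs[1]).split():
        m = HOST.match(tok)
        if m:
            rec["domains"][m.group(1)] = m.group(2)  # domain -> resolved IP
            rec["ips"].add(m.group(2))
        elif IPV4.match(tok):
            rec["ips"].add(tok)
    for ln in secs[2]:
        rec["alerts"] += [a for a in ALERT_SPLIT.split(ln) if a]
    return rec

def parse_export(text):
    parts = RECORD_START.split(text)  # ['', id, body, id, body, ...]
    return [parse_record(int(parts[i]), parts[i + 1]) for i in range(1, len(parts), 2)]

def collect_iocs(records):
    """De-duplicated indicator sets, ready for a blocklist or SIEM lookup."""
    iocs = {k: set() for k in ("md5", "url", "domain", "ip", "alert")}
    for r in records:
        iocs["md5"].update([r["md5"]] if r["md5"] else [])
        iocs["url"].update(r["urls"])
        iocs["domain"].update(r["domains"])
        iocs["ip"].update(r["ips"])
        iocs["alert"].update(r["alerts"])
    return iocs

# Constructed sample: two records copied from this page (8797 with its tag list
# shortened; 8796 has no URL, host or alert sections and blank trailer fields).
SAMPLE = """\
8797 |
2021-06-11 17:20
|
http://kf.carthage2s.com/XtmkL... b4e2699346ce3d5f87374a32403e3464 AsyncRAT backdoor PWS .NET framework PE File |
1
http://kf.carthage2s.com/XtmkLSmftnsk6TlB.exe
|
2
kf.carthage2s.com(41.231.5.212) 41.231.5.212
|
3
ET POLICY PE EXE or DLL Windows file download HTTP ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
39 |
Kim.GS
|
|
8796 |
2021-06-11 16:37
|
M0011.cab bfd9adc75c1b260cbc0aea6e544f080d Escalate priviledges KeyLogger AntiDebug AntiVM DNS |
|
|
|
|
2.2 |
|
|
ZeroCERT
"""
```

The tag string is left unsplit on purpose: tag names in this export contain spaces ("Browser Info Stealer", "Check virtual network interfaces"), so tokenising them would corrupt the vocabulary. Host tokens such as "103.114.107.28 - mailcious" and URL suffixes such as "- rule_id: 1709" are dropped by only keeping tokens that parse as name(ip), bare IPv4 or http(s) URLs. Note that a legitimate-looking URL list (the pokec.azet.sk and bing.com records) still ends up in the URL set; whether to block it is a triage decision, not something the parser should make.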