8836 | 2021-06-12 21:01
pdE2wzU92JHyzWh4.exe | ba164765e442ec1933fd41743ca65773 | njRAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces ComputerName DNS crashed
URLs (1):
DNS (2): www.google.com(142.250.196.132) 142.250.66.100
5.2 | M | 47 | ZeroCERT
8837 | 2021-06-12 21:01
PicturesLab.exe | 23c3e480318751d3ae8ae72be0974cd3 | njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
2.2 | M | 51 | ZeroCERT
8838 | 2021-06-12 21:03
I-Record.exe | 0013b42646adc1c1f36a7f14573a608a | njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
2.8 | M | 50 | ZeroCERT
8839 | 2021-06-14 09:52
svvchhost.exe | 1f5c585d127ec40bedca025c08dc32c7 | AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
URLs (6):
  http://www.antiqueson3rd.com/nins/
  http://www.antiqueson3rd.com/nins/?8pDpHDNH=hj0t+7N6QO035gxZ3BNIMCOgqjuhuFQ3Zf1XwFhdxQ80AHD8gsE+UZ6ZE96w/lEkIUXZ11dQ&GzuD=WB_TdrPxU
  http://www.drtracielashley.academy/nins/
  http://www.linuxtechusa.com/nins/?8pDpHDNH=lvQAqEWEGQZsqKrkw4k0D9t5C5CuIZEQ9GgBn8Dl3JCy+ly5g/eG5ltKGFug6d/EXI0b/st3&GzuD=WB_TdrPxU
  http://www.linuxtechusa.com/nins/
  http://www.drtracielashley.academy/nins/?8pDpHDNH=T2Dp9VXLmCzcF/eGop652LLGv67Irv0YsY0DKJuQ/fvsdHqvIuEGYusOnlaUSOF3jV7XTZva&GzuD=WB_TdrPxU
DNS (9): www.markscrystalclearwindows.com() www.moremeafrica.com() www.antiqueson3rd.com(198.49.23.144) www.drtracielashley.academy(188.246.224.127) www.sugene-proloser.icu() www.linuxtechusa.com(34.208.62.71) 198.49.23.145 - mailcious 188.246.224.127 34.208.62.71
Alerts (2):
  ET INFO DNS Query for Suspicious .icu Domain
  ET MALWARE FormBook CnC Checkin (GET)
9.2 | | 47 | ZeroCERT
8840 | 2021-06-14 09:53
http://timesharesgroup.com | AgentTesla DGA DNS Socket HTTP KeyLogger Http API Internet API ScreenShot Downloader Create Service Sniff Audio Escalate priviledges FTP Hijack Network Code injection Steal credential P2P persistence AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (7):
  http://ww1.timesharesgroup.com/favicon.ico
  http://ww1.timesharesgroup.com/
  http://img.sedoparking.com/templates/bg/arrows-1-colors-3.png
  http://www.google.com/adsense/domains/caf.js
  http://timesharesgroup.com/
  http://parking.parklogic.com/page/enhance.js?pcId=2&domain=timesharesgroup.com
  https://www.google.com/afs/gen_204?client=dp-sedo86_3ph&output=uds_ads_only&zx=tuenhgb8jogg&pbt=er&errt=ads.domains&errv=17704288481237475822&errm=gAI&emsg='atob'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.
DNS (10): img.sedoparking.com(205.234.175.175) ww1.timesharesgroup.com(91.195.240.136) parking.parklogic.com(67.225.218.50) timesharesgroup.com(69.16.231.57) www.google.com(172.217.31.132) 204.93.150.152 - mailcious 142.250.66.132 91.195.240.136 - phishing 69.16.231.57 67.225.218.50 - suspicious
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | | | guest
8841 | 2021-06-14 10:08
serrvicce.exe | 6383d401a22fc0fef17b6b075f526321 | BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://194.233.74.11:35496/
  https://api.ip.sb/geoip
DNS (3): api.ip.sb(172.67.75.172) 194.233.74.11 172.67.75.172
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
12.4 | M | 52 | ZeroCERT
8842 | 2021-06-14 10:10
wid.exe | e590634fbc2e55249d2c4044d92dcad4 | AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities Windows DNS
URLs (24):
  http://www.si-kap.online/nins/?DhA83=CkSqssPNTasDN79T9paWU+w8Dp43Y49isEk5TFz6M3/S92L4zwE0l0xBU+hkPwAGg96e1e1+&EzuxZr=3fX4qpLxsHG
  http://www.changingworldchallenge.com/nins/?DhA83=tPHft+MKmNyiLuB67lxFs831Lq8HuLrHcu+ClDjBU6AWMXXKq7Y91D6zcRo3Fh5Q7Mm2/2t+&EzuxZr=3fX4qpLxsHG
  http://www.haliluyar.xyz/nins/
  http://www.misskarennglishteacher.com/nins/
  http://www.aadetermatology.com/nins/
  http://www.narcadia.com/nins/?DhA83=yb9qtpoVqHr9lDBWmCm9l7ZOXplMYu5kv0Kyhwxks7MmcT7By8tHNoIBZAgWutH2kpTLjvhZ&EzuxZr=3fX4qpLxsHG
  http://www.misskarennglishteacher.com/nins/?DhA83=O+98Jw6eZ7NbJuFcce4/yalE9cOT96kaeohvA/SvXUMKdATZ5BcFa1rubDGlSWQxRhe59SRf&EzuxZr=3fX4qpLxsHG
  http://www.casadecarrico.com/nins/?DhA83=TlDyj4aXeYb/yIqk68E9FQh6xHtYrQt2HRt2PHWW+7HNTFn73Jd8ClQGY1DJW0uZUAbZo9/8&EzuxZr=3fX4qpLxsHG
  http://www.si-kap.online/nins/
  http://www.clemence-pierre.com/nins/?DhA83=EszyM3kNUKrJxLiq6KpzQMfLVOfVJC4K9tU253nuZIF8QVLY1VS6tN78Lh0sQ+YOEd5HuPhX&EzuxZr=3fX4qpLxsHG
  http://www.privatefuels.com/nins/?DhA83=uXNGOfsLI12bTz44E36cX4MwES3RtUR21E++SDRctfGwaN17B5+mJk2vNinKSgydrRNKdYeg&EzuxZr=3fX4qpLxsHG
  http://www.haliluyar.xyz/nins/?DhA83=YUXYYGgWIwuMeCvspaiBZKJ5l8crr79sumMDpCMq2VudsK3c0ue+SoUng29hZMcwHVOQPJ7o&EzuxZr=3fX4qpLxsHG
  http://www.changingworldchallenge.com/nins/
  http://www.clemence-pierre.com/nins/
  http://www.empossibility.com/nins/?DhA83=ZDkz/Wa6bLk1DzTVPoiH7HRVt1XWz0wjMDJoDWbLSadZrFjaQI0w3nz9C3gDwEchxUVgalwE&EzuxZr=3fX4qpLxsHG
  http://www.casadecarrico.com/nins/
  http://www.carbontechco.com/nins/?DhA83=HUf/tHvLTthIajyibWD2on43cvmHcAD3ebxpLUEpCLyjI/OknDbtUoK//JDLUEpAJdRV1G+M&EzuxZr=3fX4qpLxsHG
  http://www.empossibility.com/nins/
  http://www.aadetermatology.com/nins/?DhA83=E7qqi5GaNpQBEnsoDrZAQhJaX6xfo3cK3ZUPzgQsnLzywMk85xGoO/SFKX2ftlPS9/5qgwjc&EzuxZr=3fX4qpLxsHG
  http://www.halalmine.com/nins/
  http://www.narcadia.com/nins/
  http://www.privatefuels.com/nins/
  http://www.halalmine.com/nins/?DhA83=Dzpv8sGxy5uG7ln3FCcZzazm69TQ2VKW5er1rCDVub0C+e1wjNprgoSJwgAqIMNoIK4v1Cgh&EzuxZr=3fX4qpLxsHG
  http://www.carbontechco.com/nins/
DNS (27): www.clemence-pierre.com(52.57.95.72) www.changingworldchallenge.com(184.168.131.241) www.halalmine.com(34.102.136.180) www.si-kap.online(104.26.8.94) www.sugene-proloser.icu() www.aadetermatology.com(192.187.111.220) www.misskarennglishteacher.com(74.63.241.20) www.carbontechco.com(204.11.56.48) www.privatefuels.com(52.14.32.15) www.haliluyar.xyz(23.252.75.42) www.moremeafrica.com() www.empossibility.com(154.88.240.185) www.narcadia.com(154.215.207.123) www.casadecarrico.com(172.247.179.61) www.highticketfunnelhacks.com() 184.168.131.241 - mailcious 104.26.8.94 - phishing 34.102.136.180 - mailcious 13.59.53.244 154.88.240.185 172.247.179.61 204.11.56.48 - phishing 81.17.18.196 - mailcious 23.252.75.42 69.162.80.58 - suspicious 52.57.61.78 154.215.207.123
Alerts (3):
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO DNS Query for Suspicious .icu Domain
  ET HUNTING Request to .XYZ Domain with Minimal Headers
13.2 | M | 46 | ZeroCERT
8843 | 2021-06-14 11:48
142.exe | c6b4231c761948c19b91f86d7b48d0e2 | PE File PE32 PNG Format MSOffice File DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Creates autorun.inf DNS
3.8 | | 5 | ZeroCERT
8844 | 2021-06-14 11:49
CuaSoMU.exe | 9154558e751f127a9ea12af0597fd4ce | PE File .NET EXE PE32 Malware download VirusTotal DDoS Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName target
URLs (4):
  http://bot.mufpt.vn/bot/botlogger.php
  http://bot.mufpt.vn/bot/proxy
  http://bot.mufpt.vn/bot/blog
  http://bot.mufpt.vn/bot/target
DNS (2): bot.mufpt.vn(103.114.104.219) 103.114.104.219
Alerts (4):
  ET MALWARE Blue Bot DDoS Proxy Request
  ET MALWARE Blue Bot DDoS Blog Request
  ET MALWARE Blue Bot DDoS Target Request
  ET MALWARE Blue Bot DDoS Logger Request
4.2 | M | 59 | ZeroCERT
8845 | 2021-06-14 11:51
nexus.exe | 0b1d339690aa42985c82aa77b266d6f6 | DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key
DNS (1):
Alerts (1):
  ET MALWARE Possible NanoCore C2 60B
14.4 | M | 47 | ZeroCERT
8846 | 2021-06-14 12:08
ScreamSploit.exe | 5c02be60d05b65e7b32e7e2050837a74 | AsyncRAT backdoor PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows DNS Cryptographic key
3.2 | M | 31 | ZeroCERT
8847 | 2021-06-14 12:08
windowss.exe | 171f87e916215ec4a0683cd7566033b4 | PWS Loki[b] Loki[m] DNS Socket HTTP KeyLogger Http API Internet API ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (1):
  https://hakimkoke.000webhostapp.com/PL341/index.php
DNS (2): hakimkoke.000webhostapp.com(145.14.144.42) 145.14.145.31 - malware
Alerts (3):
  ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
9.8 | M | 46 | ZeroCERT
8848 | 2021-06-14 12:22
file1.exe | 6523cf4819682c2f900ce0b5d00be1c5 | PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed
2.6 | M | 20 | ZeroCERT
8849 | 2021-06-14 12:22
sssv.exe | 005aa2cbb0cd7825ec33f851498723bd | BitCoin AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://194.233.74.11:35496/
  https://api.ip.sb/geoip
DNS (3): api.ip.sb(104.26.13.31) 104.26.12.31 194.233.74.11
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
12.4 | M | 42 | ZeroCERT
8850 | 2021-06-14 12:24
zhushou_gao_1773841.apk | 11ec6185c4b71787a24cd0d1b8a73cc8 | VirusTotal Malware
0.6 | | 14 | ZeroCERT