| 8911 |
2021-06-15 10:59
|
 nnaf.exe f9f02646aeeaa754474089a00d07b0e5
AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName crashed |
1
|
2
www.google.com(172.217.31.132)
172.217.31.228
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8912 |
2021-06-15 11:00
|
 vbc.exe 616a10fdc3307fd483916e1b578c9f9c
AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed |
|
|
|
|
8.8 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8913 |
2021-06-15 11:01
|
 IDownload.exe ecb919c46197e6af3661c1883035536a
AsyncRAT backdoor Gen1 PE File PE32 DLL .NET DLL GIF Format OS Processor Check .NET EXE PE64 VirusTotal Malware MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName |
|
|
|
|
6.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8914 |
2021-06-15 11:03
|
 I-Record.exe 628507826e1b4f53cccc7d795a83a6e8
AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8915 |
2021-06-15 11:03
|
 W10.exe 9925c832892716a17f2d2cfe504d6014
AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
6
http://www.cailingji.com/nins/?Jt7=ZigJafU65g541z6AJQhLlB2ijeCUh9KrJrU7Ko5QeDMYzQNvsOCdRuuAImDEPqDTQy7GCcaq&EHL0Sj=gbWtof_PU4
http://www.cailingji.com/nins/
http://www.pairtty.com/nins/
http://www.pairtty.com/nins/?EHL0Sj=gbWtof_PU4&Jt7=Yl6ghbUTOfFKZlIjt511mlxxAGPGhY/iMYkKbpzmtvCXcyaHrmo2DgpfL2jY/vfvsLlUKrDJ
http://www.twelve11transportsllc.com/nins/
http://www.twelve11transportsllc.com/nins/?Jt7=CEm+UgykZ2D9b0nZca6rky8bSFFAZGTHBUEhJLBs1v2ReapgVSdxQAx7MIm2S8oE5Q7JWIIx&EHL0Sj=gbWtof_PU4
|
8
www.cailingji.com(13.59.53.244)
www.moremeafrica.com() - mailcious
www.pairtty.com(64.190.62.111)
www.imperiummetal.site()
www.twelve11transportsllc.com(34.80.190.141)
3.143.65.214 - mailcious
64.190.62.111 - mailcious
34.80.190.141 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.8 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8916 |
2021-06-15 11:05
|
 ultramediaburner.exe 6103ca066cd5345ec41feaf1a0fdadaf
AsyncRAT backdoor Gen1 PE File PE32 .NET EXE OS Processor Check GIF Format DLL PE64 VirusTotal Malware MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser ComputerName |
|
|
|
|
4.6 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8917 |
2021-06-15 11:07
|
 VOKLIGHTD.exe 2b766f06adf2c73fb6da681572d72a6f
UltraVNC PE File OS Processor Check PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
2.8 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8918 |
2021-06-15 11:09
|
 VOKLIGHT.exe 9a86329fb7bd48fc778676e664d3d0be
NPKI UltraVNC PE File OS Processor Check PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
2.8 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8919 |
2021-06-15 13:08
|
 loader1.exe ca473ade92ba6526bf258bfeffc7248e
PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder sandbox evasion |
28
http://www.spinecompanion.com/bp3i/?hL3=UA97/2DLXKvRnJU1h5VkqIpiqoWZJQJaus3zswYLrPQqMJGDrodJLS3TF80ieNuahAh9dksl&opg=3foxnfH0Q0S0kj
http://www.woodlandsceinics.com/bp3i/
http://www.bancambios.network/bp3i/
http://www.woodlandsceinics.com/bp3i/?hL3=Dvte5eMh4FNlY5y4dnXfAFPL/8NXIF8YbtIAyCtpXIsx8mzur4SWz4GVMQCeSs9HFgJ9jJbz&opg=3foxnfH0Q0S0kj
http://www.jimmymasks.com/bp3i/
http://www.sportsiri.com/bp3i/?hL3=aSvVGLLpXGw3OAXV2aZVnJ1iJf4AHcjemKA4E5Yqpc3oSPveS9L08/xGI3+5sNlqw1RF4nLk&opg=3foxnfH0Q0S0kj - rule_id: 1841
http://www.xn--2o2b1z87x8sb.com/bp3i/?hL3=w0/TDHIc1+HezrcFGU9wSyY7ZohJU/wG9FEU96VZi51pjs1Dms3z4YPKKIrAiX80z3Y2jYtY&opg=3foxnfH0Q0S0kj - rule_id: 1840
http://www.5australiacl.com/bp3i/?hL3=hlnmpWaLZzqLg9zidSvt+F/U/z6DLEVPJskb4RYsomUGO653irWJR3qFMH9TKGvgkpiCGqB2&opg=3foxnfH0Q0S0kj
http://www.accelerator.sydney/bp3i/?hL3=5pzeLuL3qyMdskDBx9eOPWveezrEwfwg/RcpCnMq22iE3aWrSKVhMe7FGWAUc7no09HPCT8S&opg=3foxnfH0Q0S0kj - rule_id: 1853
http://www.accelerator.sydney/bp3i/?hL3=5pzeLuL3qyMdskDBx9eOPWveezrEwfwg/RcpCnMq22iE3aWrSKVhMe7FGWAUc7no09HPCT8S&opg=3foxnfH0Q0S0kj
http://www.amazingfinds4u.com/bp3i/?hL3=bHJAk3e2glQskLGcTBS4vnjCgYmn0W+yUItAHYRq6yKEhUAjOaA0BT1d8jwk1zuBKu571AZE&opg=3foxnfH0Q0S0kj
http://www.oceancollaborative.com/bp3i/ - rule_id: 1845
http://www.5australiacl.com/bp3i/
http://www.doodstore.net/bp3i/
http://www.jimmymasks.com/bp3i/?hL3=vg5JU+BuXPY7P8htzulhoqwJTr5Zsvmf06SFUFvrLdUMeNvvl7hYXpnUg5SknS6N/5SQFa8e&opg=3foxnfH0Q0S0kj
http://www.bancambios.network/bp3i/?hL3=So2Tvg858PudF6S1Cru7EIQwZdKNOPQNXuZSsJd01w7rfiOz13eukPZjJ6Gsx5OGTBQdT6aj&opg=3foxnfH0Q0S0kj
http://www.spinecompanion.com/bp3i/
http://www.underce.com/bp3i/?hL3=80R/aSnSgbRYdyr7r61KDuAjYp2ZOr6pxPEzYeucJoCeLW8wo5sSyEnb1mJuzTy6cctVr7FI&opg=3foxnfH0Q0S0kj
http://www.amazingfinds4u.com/bp3i/
http://www.accelerator.sydney/bp3i/ - rule_id: 1853
http://www.accelerator.sydney/bp3i/
http://www.underce.com/bp3i/
http://www.ilium-partners.com/bp3i/?hL3=bo80QDzEQyeGlZ8OUNyFMOAGqFcw71Q6/aO3zFCRtVVR0Kvd9F7XtEJsT/rJgDgTWE10iob7&opg=3foxnfH0Q0S0kj
http://www.xn--2o2b1z87x8sb.com/bp3i/ - rule_id: 1840
http://www.sportsiri.com/bp3i/ - rule_id: 1841
http://www.oceancollaborative.com/bp3i/?hL3=+tA82degRgcQ4mmnQvXabF4qHjy6FJLdLGPOjGCu1vH9ecmhDfriaGule7Kf6ooavhCfc5XG&opg=3foxnfH0Q0S0kj - rule_id: 1845
http://www.ilium-partners.com/bp3i/
http://www.doodstore.net/bp3i/?hL3=/O9fLU9dXI4Cg+gPjcQBjfSEDJBN8B2QQZuj7hhytBKbSIIxNnTjzVeygiwHPQAKsYvifEbO&opg=3foxnfH0Q0S0kj
|
28
www.oceancollaborative.com(184.168.131.241)
www.doodstore.net(67.199.248.13)
www.bancambios.network(185.224.138.83)
www.spinecompanion.com(217.70.184.50)
www.amazingfinds4u.com(66.235.200.29)
www.jimmymasks.com(45.33.23.183)
www.ilium-partners.com(155.133.138.10)
www.woodlandsceinics.com(103.224.182.242)
www.kesat-ya10.com() - mailcious
www.xn--2o2b1z87x8sb.com(203.245.44.109)
www.accelerator.sydney(198.54.117.212)
www.5australiacl.com(52.147.15.202)
www.sportsiri.com(34.102.136.180)
www.trickshow.club() - mailcious
www.underce.com(75.2.73.220)
155.133.138.10
203.245.44.109 - mailcious
184.168.131.241 - mailcious
66.235.200.29
198.54.117.212 - mailcious
52.147.15.202
34.102.136.180 - mailcious
217.70.184.50 - mailcious
45.79.19.196 - suspicious
185.224.138.83
75.2.73.220 - mailcious
67.199.248.13 - mailcious
103.224.182.242 - phishing
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET INFO BitNinja IO Security Check
|
8
http://www.sportsiri.com/bp3i/
http://www.xn--2o2b1z87x8sb.com/bp3i/
http://www.accelerator.sydney/bp3i/
http://www.oceancollaborative.com/bp3i/
http://www.accelerator.sydney/bp3i/
http://www.xn--2o2b1z87x8sb.com/bp3i/
http://www.sportsiri.com/bp3i/
http://www.oceancollaborative.com/bp3i/
|
5.2 |
M |
35 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8920 |
2021-06-15 21:23
|
 document-37-1849.xls c41a21a821bcdea1d3ab26ebef055eed
MSOffice File VirusTotal Malware Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows |
1
https://austinheisey.com/xls/black/index/processingSetRequestDownloadPayloader/?servername=excel
|
2
austinheisey.com(51.195.123.188) - mailcious
51.195.123.188 - mailcious
|
|
|
6.6 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8921 |
2021-06-15 21:28
|
 imagen01.jpg 793707365df26450bc8642f518a540f0
PE File PE32 PE64 VirusTotal Malware Malicious Traffic buffers extracted Creates shortcut unpack itself Windows utilities suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Tofsee Windows Tor DNS keylogger |
1
https://i.imgur.com/qOLD3Td.png
|
3
i.imgur.com(151.101.52.193) - mailcious
151.101.40.193 - mailcious
193.23.244.244 - mailcious
|
4
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY TOR Consensus Data Requested
SURICATA HTTP Request abnormal Content-Encoding header
|
|
7.4 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8922 |
2021-06-15 21:29
|
 dra.exe 45efa9779ec5f51bbc501dbb6bbbba3e
PE File PE32 DLL FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder sandbox evasion |
22
http://www.hsrinspection.com/m3rc/
http://www.viviangee.net/m3rc/?b6A=Rplm9ZqkocxsD1M2zCYp9ODm03Tc7pnEYF+n5DVW0jtW3LTkfcu4r4feG1BsyNdfxHjYp08N&DbG=_FNHAz
http://www.kefeiping.com/m3rc/
http://www.maxitoto.com/m3rc/
http://www.santini7.com/m3rc/
http://www.freelancer.wales/m3rc/?b6A=vL/RHxiiiA6u7g+ZGZfobymAyKebmLvVPY5f78CFbN0fsGmg6D75zafzNEP9qK3SWFVf46aQ&DbG=_FNHAz
http://www.labarberiadesamu.com/m3rc/
http://www.doggyfacemask.com/m3rc/?b6A=UXOqYe4yz8Pi0UKgaUgsOC44vhizhugIUR06OG+umyYC3D+36kE8fDkh9IpHC0BszMvOWUcL&DbG=_FNHAz
http://www.viviangee.net/m3rc/
http://www.organicdiehards.com/m3rc/
http://www.saniorsterimist.com/m3rc/?b6A=vNvwbHLDs+IaKx0w1Hv/ZWBa+J7PIhB53QsaR9MgcX0xsiI0S4uabBM9pipP375GIXc2+Qx5&DbG=_FNHAz
http://www.organicdiehards.com/m3rc/?b6A=7l1dbUSMqiDCPeHOzPCqrsLFP4EMXlU6s3N8gk39dzqxxPEiSmIbwEBw6Wqnn9G2VeHN7XSQ&DbG=_FNHAz
http://www.freelancer.wales/m3rc/
http://www.mariozumbo.com/m3rc/
http://www.saniorsterimist.com/m3rc/
http://www.kefeiping.com/m3rc/?b6A=00f7XnZ77eR+ZPoUDpgH5WKnQHYwVtXdSNlA52O0h+x+ojc0ZxK0f0q8uWqAoTov+CMFjoRu&DbG=_FNHAz
http://www.labarberiadesamu.com/m3rc/?b6A=DZEGsv+h7s6k44YWTLVCOSGbjGwSX4OmVosSHww9KUAgDGuXS6X+MiKYVeg0pRrBRDIxpZD6&DbG=_FNHAz
http://www.mariozumbo.com/m3rc/?b6A=XCXzuKg2k9a+ogKZadqJ9sW19M+mbdj1MLj4Anh+qQwLyFIOTWXYYCXG+329GNYCuWcPru2M&DbG=_FNHAz
http://www.doggyfacemask.com/m3rc/
http://www.hsrinspection.com/m3rc/?b6A=6ivwu2O01wZybJFfZW4+p4/n/lkfFnP+AOXcDPKcKPOyCgcVYKILNBaN/8LndKKO88XlZXWQ&DbG=_FNHAz
http://www.maxitoto.com/m3rc/?b6A=pnku5hmj8WKU3hkmKLy4HZI7N1i3BR9gbmEPZX4a5A4ZTdSC9okSQVQ4zwXhC6gDMz3rcZyp&DbG=_FNHAz
http://www.santini7.com/m3rc/?b6A=FBhqxmBTCormjYJi3gM2ZGbMe05dgsPd8PijTuRmHntLbgLTqp/bgG26o8jehaWERBe+Zble&DbG=_FNHAz
|
24
www.6-8-8-8-8.website()
www.labarberiadesamu.com(54.237.120.40)
www.kefeiping.com(170.33.9.230)
www.doggyfacemask.com(34.102.136.180)
www.thelashingladybug.com()
www.organicdiehards.com(34.102.136.180)
www.viviangee.net(192.0.78.24)
www.freelancer.wales(176.74.27.65)
www.asconstructionin.com()
www.saniorsterimist.com(66.96.162.145)
www.danuvia.net()
www.maxitoto.com(3.223.115.185)
www.santini7.com(18.130.194.62)
www.hsrinspection.com(69.167.154.15)
www.mariozumbo.com(34.102.136.180)
66.96.162.145
170.33.9.230
54.237.120.40
34.102.136.180 - mailcious
18.130.194.62
176.74.27.65 - mailcious
3.223.115.185 - mailcious
192.0.78.25 - mailcious
69.167.154.15
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET INFO BitNinja IO Security Check
|
|
5.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8923 |
2021-06-15 21:29
|
Document 81161221.xls d65c8d73d13ed5d4f2973631101c4b34
VBA_macro Generic Malware MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
10
https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php
https://ibnbatutta.pk/POS/scss/icons/weather-icons/css/Kn0LIwp9kdA7G.php
https://goodiesmariage.e-m2.net/wp-content/themes/a-one/woocommerce/global/pV8mYVETWrj.php
https://zankzakartigosesportivos.com.br/loja/wp-includes/SimplePie/Content/Type/3sLExhiYtVuTS.php
https://indusautomobile.com/products/products_files/cyHU7pVS.php
https://dev1.naturalgraphic.hu/wp-content/plugins/contact-form-7/includes/css/AelYw0GmG44Zz.php
https://mobile-landing.ishr.co.in/wp-content/plugins/widgetkit-for-elementor/vendor/appsero/4vab4JkBLp.php
https://event.cyberwoodz.site/wp-includes/js/tinymce/plugins/charmap/sWefpNQap.php
https://highend.pk/wp-content/plugins/goodlayers-core-twitter/twitteroauth/src/cCNoEJ4wXkpJ.php
https://test.amarcampus24.com/Facebook/HttpClients/certs/BO2MhgW1.php
|
18
indusautomobile.com(18.136.132.202)
zankzakartigosesportivos.com.br(191.252.106.110)
ibnbatutta.pk(18.136.132.202)
highend.pk(18.136.132.202)
test.amarcampus24.com(95.216.103.165)
mobile-landing.ishr.co.in(164.52.201.122)
goodiesmariage.e-m2.net(94.124.84.11)
dev1.naturalgraphic.hu(87.229.72.45)
ptti.dexsandbox.com(70.32.93.146)
event.cyberwoodz.site(119.18.54.94)
119.18.54.94
95.216.103.165 - phishing
94.124.84.11 - mailcious
70.32.93.146 - mailcious
164.52.201.122 - mailcious
191.252.106.110 - mailcious
87.229.72.45 - mailcious
18.136.132.202 - phishing
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
4.0 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8924 |
2021-06-15 22:10
|
ReferenciaCorreios798.msi 8a2af0e991663612e3569de186ec4ee7
Gen2 Antivirus OS Processor Check MSOffice File suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
|
|
|
|
1.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8925 |
2021-06-15 22:11
|
 covid.exe 74084608256e6e4c3434d17217d0993a
Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
3.8 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|