8911 | 2021-06-15 10:59
  File: nnaf.exe
  MD5: f9f02646aeeaa754474089a00d07b0e5
  Tags: AsyncRAT, backdoor, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, crashed
  URLs (1): (not shown in the listing)
  Hosts (2):
    www.google.com (172.217.31.132)
    172.217.31.228
  IDS alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 10.2 | M | 23 | ZeroCERT
8912 | 2021-06-15 11:00
  File: vbc.exe
  MD5: 616a10fdc3307fd483916e1b578c9f9c
  Tags: AsyncRAT, backdoor, PWS, .NET framework, Malicious Library, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, DNS, crashed
  Score: 8.8 | M | 42 | ZeroCERT
8913 | 2021-06-15 11:01
  File: IDownload.exe
  MD5: ecb919c46197e6af3661c1883035536a
  Tags: AsyncRAT, backdoor, Gen1, PE File, PE32, DLL, .NET DLL, GIF Format, OS Processor Check, .NET EXE, PE64, VirusTotal, Malware, MachineGuid, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, Windows utilities, AppData folder, AntiVM_Disk, VM Disk Size Check, installed browsers check, Windows, Browser, ComputerName
  Score: 6.0 | M | 3 | ZeroCERT
8914 | 2021-06-15 11:03
  File: I-Record.exe
  MD5: 628507826e1b4f53cccc7d795a83a6e8
  Tags: AsyncRAT, backdoor, PWS, .NET framework, njRAT, PE File, .NET EXE, PE32, VirusTotal, Malware, MachineGuid, Check memory, Checks debugger, unpack itself
  Score: 1.8 | M | 24 | ZeroCERT
8915 | 2021-06-15 11:03
  File: W10.exe
  MD5: 9925c832892716a17f2d2cfe504d6014
  Tags: AsyncRAT, backdoor, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, DNS, Cryptographic key
  URLs (6):
    http://www.cailingji.com/nins/?Jt7=ZigJafU65g541z6AJQhLlB2ijeCUh9KrJrU7Ko5QeDMYzQNvsOCdRuuAImDEPqDTQy7GCcaq&EHL0Sj=gbWtof_PU4
    http://www.cailingji.com/nins/
    http://www.pairtty.com/nins/
    http://www.pairtty.com/nins/?EHL0Sj=gbWtof_PU4&Jt7=Yl6ghbUTOfFKZlIjt511mlxxAGPGhY/iMYkKbpzmtvCXcyaHrmo2DgpfL2jY/vfvsLlUKrDJ
    http://www.twelve11transportsllc.com/nins/
    http://www.twelve11transportsllc.com/nins/?Jt7=CEm+UgykZ2D9b0nZca6rky8bSFFAZGTHBUEhJLBs1v2ReapgVSdxQAx7MIm2S8oE5Q7JWIIx&EHL0Sj=gbWtof_PU4
  Hosts (8):
    www.cailingji.com (13.59.53.244)
    www.moremeafrica.com (unresolved) - malicious
    www.pairtty.com (64.190.62.111)
    www.imperiummetal.site (unresolved)
    www.twelve11transportsllc.com (34.80.190.141)
    3.143.65.214 - malicious
    64.190.62.111 - malicious
    34.80.190.141 - malicious
  IDS alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  Score: 9.8 | M | 39 | ZeroCERT
8916 | 2021-06-15 11:05
  File: ultramediaburner.exe
  MD5: 6103ca066cd5345ec41feaf1a0fdadaf
  Tags: AsyncRAT, backdoor, Gen1, PE File, PE32, .NET EXE, OS Processor Check, GIF Format, DLL, PE64, VirusTotal, Malware, MachineGuid, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, ComputerName
  Score: 4.6 | M | 5 | ZeroCERT
8917 | 2021-06-15 11:07
  File: VOKLIGHTD.exe
  MD5: 2b766f06adf2c73fb6da681572d72a6f
  Tags: UltraVNC, PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, suspicious privilege, Check memory, Checks debugger, unpack itself, Windows, Cryptographic key, crashed
  Score: 2.8 | M | 13 | ZeroCERT
8918 | 2021-06-15 11:09
  File: VOKLIGHT.exe
  MD5: 9a86329fb7bd48fc778676e664d3d0be
  Tags: NPKI, UltraVNC, PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, suspicious privilege, Check memory, Checks debugger, unpack itself, Windows, Cryptographic key, crashed
  Score: 2.8 | M | 13 | ZeroCERT
8919 | 2021-06-15 13:08
  File: loader1.exe
  MD5: ca473ade92ba6526bf258bfeffc7248e
  Tags: PE File, PE32, DLL, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, sandbox evasion
  URLs (28):
    http://www.spinecompanion.com/bp3i/?hL3=UA97/2DLXKvRnJU1h5VkqIpiqoWZJQJaus3zswYLrPQqMJGDrodJLS3TF80ieNuahAh9dksl&opg=3foxnfH0Q0S0kj
    http://www.woodlandsceinics.com/bp3i/
    http://www.bancambios.network/bp3i/
    http://www.woodlandsceinics.com/bp3i/?hL3=Dvte5eMh4FNlY5y4dnXfAFPL/8NXIF8YbtIAyCtpXIsx8mzur4SWz4GVMQCeSs9HFgJ9jJbz&opg=3foxnfH0Q0S0kj
    http://www.jimmymasks.com/bp3i/
    http://www.sportsiri.com/bp3i/?hL3=aSvVGLLpXGw3OAXV2aZVnJ1iJf4AHcjemKA4E5Yqpc3oSPveS9L08/xGI3+5sNlqw1RF4nLk&opg=3foxnfH0Q0S0kj - rule_id: 1841
    http://www.xn--2o2b1z87x8sb.com/bp3i/?hL3=w0/TDHIc1+HezrcFGU9wSyY7ZohJU/wG9FEU96VZi51pjs1Dms3z4YPKKIrAiX80z3Y2jYtY&opg=3foxnfH0Q0S0kj - rule_id: 1840
    http://www.5australiacl.com/bp3i/?hL3=hlnmpWaLZzqLg9zidSvt+F/U/z6DLEVPJskb4RYsomUGO653irWJR3qFMH9TKGvgkpiCGqB2&opg=3foxnfH0Q0S0kj
    http://www.accelerator.sydney/bp3i/?hL3=5pzeLuL3qyMdskDBx9eOPWveezrEwfwg/RcpCnMq22iE3aWrSKVhMe7FGWAUc7no09HPCT8S&opg=3foxnfH0Q0S0kj - rule_id: 1853
    http://www.accelerator.sydney/bp3i/?hL3=5pzeLuL3qyMdskDBx9eOPWveezrEwfwg/RcpCnMq22iE3aWrSKVhMe7FGWAUc7no09HPCT8S&opg=3foxnfH0Q0S0kj
    http://www.amazingfinds4u.com/bp3i/?hL3=bHJAk3e2glQskLGcTBS4vnjCgYmn0W+yUItAHYRq6yKEhUAjOaA0BT1d8jwk1zuBKu571AZE&opg=3foxnfH0Q0S0kj
    http://www.oceancollaborative.com/bp3i/ - rule_id: 1845
    http://www.5australiacl.com/bp3i/
    http://www.doodstore.net/bp3i/
    http://www.jimmymasks.com/bp3i/?hL3=vg5JU+BuXPY7P8htzulhoqwJTr5Zsvmf06SFUFvrLdUMeNvvl7hYXpnUg5SknS6N/5SQFa8e&opg=3foxnfH0Q0S0kj
    http://www.bancambios.network/bp3i/?hL3=So2Tvg858PudF6S1Cru7EIQwZdKNOPQNXuZSsJd01w7rfiOz13eukPZjJ6Gsx5OGTBQdT6aj&opg=3foxnfH0Q0S0kj
    http://www.spinecompanion.com/bp3i/
    http://www.underce.com/bp3i/?hL3=80R/aSnSgbRYdyr7r61KDuAjYp2ZOr6pxPEzYeucJoCeLW8wo5sSyEnb1mJuzTy6cctVr7FI&opg=3foxnfH0Q0S0kj
    http://www.amazingfinds4u.com/bp3i/
    http://www.accelerator.sydney/bp3i/ - rule_id: 1853
    http://www.accelerator.sydney/bp3i/
    http://www.underce.com/bp3i/
    http://www.ilium-partners.com/bp3i/?hL3=bo80QDzEQyeGlZ8OUNyFMOAGqFcw71Q6/aO3zFCRtVVR0Kvd9F7XtEJsT/rJgDgTWE10iob7&opg=3foxnfH0Q0S0kj
    http://www.xn--2o2b1z87x8sb.com/bp3i/ - rule_id: 1840
    http://www.sportsiri.com/bp3i/ - rule_id: 1841
    http://www.oceancollaborative.com/bp3i/?hL3=+tA82degRgcQ4mmnQvXabF4qHjy6FJLdLGPOjGCu1vH9ecmhDfriaGule7Kf6ooavhCfc5XG&opg=3foxnfH0Q0S0kj - rule_id: 1845
    http://www.ilium-partners.com/bp3i/
    http://www.doodstore.net/bp3i/?hL3=/O9fLU9dXI4Cg+gPjcQBjfSEDJBN8B2QQZuj7hhytBKbSIIxNnTjzVeygiwHPQAKsYvifEbO&opg=3foxnfH0Q0S0kj
  Hosts (28):
    www.oceancollaborative.com (184.168.131.241)
    www.doodstore.net (67.199.248.13)
    www.bancambios.network (185.224.138.83)
    www.spinecompanion.com (217.70.184.50)
    www.amazingfinds4u.com (66.235.200.29)
    www.jimmymasks.com (45.33.23.183)
    www.ilium-partners.com (155.133.138.10)
    www.woodlandsceinics.com (103.224.182.242)
    www.kesat-ya10.com (unresolved) - malicious
    www.xn--2o2b1z87x8sb.com (203.245.44.109)
    www.accelerator.sydney (198.54.117.212)
    www.5australiacl.com (52.147.15.202)
    www.sportsiri.com (34.102.136.180)
    www.trickshow.club (unresolved) - malicious
    www.underce.com (75.2.73.220)
    155.133.138.10
    203.245.44.109 - malicious
    184.168.131.241 - malicious
    66.235.200.29
    198.54.117.212 - malicious
    52.147.15.202
    34.102.136.180 - malicious
    217.70.184.50 - malicious
    45.79.19.196 - suspicious
    185.224.138.83
    75.2.73.220 - malicious
    67.199.248.13 - malicious
    103.224.182.242 - phishing
  IDS alerts (2):
    ET MALWARE FormBook CnC Checkin (GET)
    ET INFO BitNinja IO Security Check
  Rule-matched URLs (8):
    http://www.sportsiri.com/bp3i/
    http://www.xn--2o2b1z87x8sb.com/bp3i/
    http://www.accelerator.sydney/bp3i/
    http://www.oceancollaborative.com/bp3i/
    http://www.accelerator.sydney/bp3i/
    http://www.xn--2o2b1z87x8sb.com/bp3i/
    http://www.sportsiri.com/bp3i/
    http://www.oceancollaborative.com/bp3i/
  Score: 5.2 | M | 35 | guest
8920 | 2021-06-15 21:23
  File: document-37-1849.xls
  MD5: c41a21a821bcdea1d3ab26ebef055eed
  Tags: MSOffice File, VirusTotal, Malware, Creates executable files, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows
  URLs (1):
    https://austinheisey.com/xls/black/index/processingSetRequestDownloadPayloader/?servername=excel
  Hosts (2):
    austinheisey.com (51.195.123.188) - malicious
    51.195.123.188 - malicious
  Score: 6.6 | - | 7 | ZeroCERT
8921 | 2021-06-15 21:28
  File: imagen01.jpg
  MD5: 793707365df26450bc8642f518a540f0
  Tags: PE File, PE32, PE64, VirusTotal, Malware, Malicious Traffic, buffers extracted, Creates shortcut, unpack itself, Windows utilities, suspicious process, AntiVM_Disk, sandbox evasion, VM Disk Size Check, Tofsee, Windows, Tor, DNS, keylogger
  URLs (1):
    https://i.imgur.com/qOLD3Td.png
  Hosts (3):
    i.imgur.com (151.101.52.193) - malicious
    151.101.40.193 - malicious
    193.23.244.244 - malicious
  IDS alerts (4):
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY TOR Consensus Data Requested
    SURICATA HTTP Request abnormal Content-Encoding header
  Score: 7.4 | M | 43 | ZeroCERT
8922 | 2021-06-15 21:29
  File: dra.exe
  MD5: 45efa9779ec5f51bbc501dbb6bbbba3e
  Tags: PE File, PE32, DLL, FormBook, Malware download, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself, AppData folder, sandbox evasion
  URLs (22):
    http://www.hsrinspection.com/m3rc/
    http://www.viviangee.net/m3rc/?b6A=Rplm9ZqkocxsD1M2zCYp9ODm03Tc7pnEYF+n5DVW0jtW3LTkfcu4r4feG1BsyNdfxHjYp08N&DbG=_FNHAz
    http://www.kefeiping.com/m3rc/
    http://www.maxitoto.com/m3rc/
    http://www.santini7.com/m3rc/
    http://www.freelancer.wales/m3rc/?b6A=vL/RHxiiiA6u7g+ZGZfobymAyKebmLvVPY5f78CFbN0fsGmg6D75zafzNEP9qK3SWFVf46aQ&DbG=_FNHAz
    http://www.labarberiadesamu.com/m3rc/
    http://www.doggyfacemask.com/m3rc/?b6A=UXOqYe4yz8Pi0UKgaUgsOC44vhizhugIUR06OG+umyYC3D+36kE8fDkh9IpHC0BszMvOWUcL&DbG=_FNHAz
    http://www.viviangee.net/m3rc/
    http://www.organicdiehards.com/m3rc/
    http://www.saniorsterimist.com/m3rc/?b6A=vNvwbHLDs+IaKx0w1Hv/ZWBa+J7PIhB53QsaR9MgcX0xsiI0S4uabBM9pipP375GIXc2+Qx5&DbG=_FNHAz
    http://www.organicdiehards.com/m3rc/?b6A=7l1dbUSMqiDCPeHOzPCqrsLFP4EMXlU6s3N8gk39dzqxxPEiSmIbwEBw6Wqnn9G2VeHN7XSQ&DbG=_FNHAz
    http://www.freelancer.wales/m3rc/
    http://www.mariozumbo.com/m3rc/
    http://www.saniorsterimist.com/m3rc/
    http://www.kefeiping.com/m3rc/?b6A=00f7XnZ77eR+ZPoUDpgH5WKnQHYwVtXdSNlA52O0h+x+ojc0ZxK0f0q8uWqAoTov+CMFjoRu&DbG=_FNHAz
    http://www.labarberiadesamu.com/m3rc/?b6A=DZEGsv+h7s6k44YWTLVCOSGbjGwSX4OmVosSHww9KUAgDGuXS6X+MiKYVeg0pRrBRDIxpZD6&DbG=_FNHAz
    http://www.mariozumbo.com/m3rc/?b6A=XCXzuKg2k9a+ogKZadqJ9sW19M+mbdj1MLj4Anh+qQwLyFIOTWXYYCXG+329GNYCuWcPru2M&DbG=_FNHAz
    http://www.doggyfacemask.com/m3rc/
    http://www.hsrinspection.com/m3rc/?b6A=6ivwu2O01wZybJFfZW4+p4/n/lkfFnP+AOXcDPKcKPOyCgcVYKILNBaN/8LndKKO88XlZXWQ&DbG=_FNHAz
    http://www.maxitoto.com/m3rc/?b6A=pnku5hmj8WKU3hkmKLy4HZI7N1i3BR9gbmEPZX4a5A4ZTdSC9okSQVQ4zwXhC6gDMz3rcZyp&DbG=_FNHAz
    http://www.santini7.com/m3rc/?b6A=FBhqxmBTCormjYJi3gM2ZGbMe05dgsPd8PijTuRmHntLbgLTqp/bgG26o8jehaWERBe+Zble&DbG=_FNHAz
  Hosts (24):
    www.6-8-8-8-8.website (unresolved)
    www.labarberiadesamu.com (54.237.120.40)
    www.kefeiping.com (170.33.9.230)
    www.doggyfacemask.com (34.102.136.180)
    www.thelashingladybug.com (unresolved)
    www.organicdiehards.com (34.102.136.180)
    www.viviangee.net (192.0.78.24)
    www.freelancer.wales (176.74.27.65)
    www.asconstructionin.com (unresolved)
    www.saniorsterimist.com (66.96.162.145)
    www.danuvia.net (unresolved)
    www.maxitoto.com (3.223.115.185)
    www.santini7.com (18.130.194.62)
    www.hsrinspection.com (69.167.154.15)
    www.mariozumbo.com (34.102.136.180)
    66.96.162.145
    170.33.9.230
    54.237.120.40
    34.102.136.180 - malicious
    18.130.194.62
    176.74.27.65 - malicious
    3.223.115.185 - malicious
    192.0.78.25 - malicious
    69.167.154.15
  IDS alerts (2):
    ET MALWARE FormBook CnC Checkin (GET)
    ET INFO BitNinja IO Security Check
  Score: 5.0 | - | - | ZeroCERT
8923 | 2021-06-15 21:29
  File: Document 81161221.xls
  MD5: d65c8d73d13ed5d4f2973631101c4b34
  Tags: VBA_macro, Generic Malware, MSOffice File, VirusTotal, Malware, unpack itself, Tofsee, DNS
  URLs (10):
    https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php
    https://ibnbatutta.pk/POS/scss/icons/weather-icons/css/Kn0LIwp9kdA7G.php
    https://goodiesmariage.e-m2.net/wp-content/themes/a-one/woocommerce/global/pV8mYVETWrj.php
    https://zankzakartigosesportivos.com.br/loja/wp-includes/SimplePie/Content/Type/3sLExhiYtVuTS.php
    https://indusautomobile.com/products/products_files/cyHU7pVS.php
    https://dev1.naturalgraphic.hu/wp-content/plugins/contact-form-7/includes/css/AelYw0GmG44Zz.php
    https://mobile-landing.ishr.co.in/wp-content/plugins/widgetkit-for-elementor/vendor/appsero/4vab4JkBLp.php
    https://event.cyberwoodz.site/wp-includes/js/tinymce/plugins/charmap/sWefpNQap.php
    https://highend.pk/wp-content/plugins/goodlayers-core-twitter/twitteroauth/src/cCNoEJ4wXkpJ.php
    https://test.amarcampus24.com/Facebook/HttpClients/certs/BO2MhgW1.php
  Hosts (18):
    indusautomobile.com (18.136.132.202)
    zankzakartigosesportivos.com.br (191.252.106.110)
    ibnbatutta.pk (18.136.132.202)
    highend.pk (18.136.132.202)
    test.amarcampus24.com (95.216.103.165)
    mobile-landing.ishr.co.in (164.52.201.122)
    goodiesmariage.e-m2.net (94.124.84.11)
    dev1.naturalgraphic.hu (87.229.72.45)
    ptti.dexsandbox.com (70.32.93.146)
    event.cyberwoodz.site (119.18.54.94)
    119.18.54.94
    95.216.103.165 - phishing
    94.124.84.11 - malicious
    70.32.93.146 - malicious
    164.52.201.122 - malicious
    191.252.106.110 - malicious
    87.229.72.45 - malicious
    18.136.132.202 - phishing
  IDS alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
  Score: 4.0 | - | 30 | ZeroCERT
8924 | 2021-06-15 22:10
  File: ReferenciaCorreios798.msi
  MD5: 8a2af0e991663612e3569de186ec4ee7
  Tags: Gen2, Antivirus, OS Processor Check, MSOffice File, suspicious privilege, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, ComputerName
  Score: 1.8 | - | - | ZeroCERT
8925 | 2021-06-15 22:11
  File: covid.exe
  MD5: 74084608256e6e4c3434d17217d0993a
  Tags: Generic Malware, Malicious Packer, PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, unpack itself, Windows, Remote Code Execution, DNS, crashed
  Score: 3.8 | M | 51 | ZeroCERT
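The host, URL and IDS columns in the records above arrive as a single run-together string per field. The Python below is an added example, not the listing site's own code, that parses those three fields into structured records and groups the FormBook check-in URLs by their per-sample path. Its sample input is constructed from records 8915, 8919, 8921 and 8922 with the long hL3/Jt7 query values shortened; the field names it emits (kind, verdict, attribution, rule_id) and the function names are this example's own, not the site's schema.

```python
"""Parse the flattened fields of this listing into structured IOC records.

Added example, not the listing site's own code. It knows only the layout
visible on this page: "domain(ip) - tag" and "ip - tag" host entries,
"url - rule_id: N" URL entries, and IDS signature names run together in
one field. Field names (kind, verdict, attribution) are this example's own.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: entries copied from records 8915, 8919, 8921 and
# 8922 above, with the long hL3/Jt7 query values shortened to fit.
SAMPLE_HOSTS = (
    "www.cailingji.com(13.59.53.244) www.moremeafrica.com() - mailcious "
    "www.pairtty.com(64.190.62.111) 3.143.65.214 - mailcious "
    "103.224.182.242 - phishing 45.79.19.196 - suspicious 155.133.138.10"
)
SAMPLE_URLS = (
    "http://www.spinecompanion.com/bp3i/?hL3=UA97/2DLXKvRnJU1h5Vkq&opg=3foxnfH0Q0S0kj "
    "http://www.woodlandsceinics.com/bp3i/ "
    "http://www.sportsiri.com/bp3i/?hL3=aSvVGLLpXGw3OAXV&opg=3foxnfH0Q0S0kj - rule_id: 1841 "
    "http://www.hsrinspection.com/m3rc/ "
    "http://www.cailingji.com/nins/?Jt7=ZigJafU65g541z6AJQ&EHL0Sj=gbWtof_PU4"
)
SAMPLE_ALERTS = (
    "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325 "
    "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
    "ET POLICY TOR Consensus Data Requested "
    "SURICATA HTTP Request abnormal Content-Encoding header"
)

# The site spells its verdict tag "mailcious"; normalise it on the way in.
VERDICTS = {"mailcious": "malicious"}

HOST_RE = re.compile(
    r"(?:(?P<name>[A-Za-z0-9.-]+)\((?P<resolved>[0-9.]*)\)"  # domain(ip) or domain()
    r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))"                      # bare IP
    r"(?:\s+-\s+(?P<tag>[a-z]+))?"                            # optional " - tag"
)
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
ALERT_SPLIT = re.compile(r"\s+(?=ET [A-Z]+ |SSLBL: |SURICATA )")
JA3_RE = re.compile(r"JA3 SSL-Client Fingerprint detected \((?P<family>[^)]+)\)")


def parse_hosts(field: str) -> list[dict]:
    """One record per host entry; a domain with empty parentheses keeps resolved=None."""
    out = []
    for m in HOST_RE.finditer(field):
        tag = m.group("tag")
        verdict = VERDICTS.get(tag, tag) if tag else None
        if m.group("name"):
            out.append({"indicator": m.group("name"), "kind": "domain",
                        "resolved": m.group("resolved") or None, "verdict": verdict})
        else:
            out.append({"indicator": m.group("ip"), "kind": "ip",
                        "resolved": None, "verdict": verdict})
    return out


def parse_urls(field: str) -> list[dict]:
    """One record per URL, keeping host, path, query parameter names and any rule_id."""
    out = []
    for m in URL_RE.finditer(field):
        parts = urlsplit(m.group("url"))
        out.append({"url": m.group("url"), "host": parts.hostname, "path": parts.path,
                    "params": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
                    "rule_id": int(m.group("rule")) if m.group("rule") else None})
    return out


def parse_alerts(field: str) -> list[dict]:
    """Split the run-together IDS column into one record per signature.

    A JA3 hit names a family only because SSLBL lists that TLS-client
    fingerprint under that name (attribution "fingerprint"); an ET MALWARE
    C2 signature matched the request itself (attribution "content").
    """
    out = []
    for sig in ALERT_SPLIT.split(field.strip()):
        rec = {"signature": sig, "family": None, "attribution": None}
        ja3 = JA3_RE.search(sig)
        if ja3:
            rec.update(family=ja3.group("family"), attribution="fingerprint")
        elif sig.startswith("ET MALWARE "):
            rec.update(family=sig.split()[2], attribution="content")
        out.append(rec)
    return out


def campaign_summary(urls: list[dict]) -> dict:
    """Group check-in URLs by path. In the records above each FormBook sample keeps
    one short directory and one fixed pair of query names across every domain it
    contacts, so the path is the stable per-sample key."""
    summary = {}
    for u in urls:
        entry = summary.setdefault(u["path"], {"hosts": set(), "params": set(), "rule_ids": set()})
        entry["hosts"].add(u["host"])
        entry["params"].update(u["params"])
        if u["rule_id"] is not None:
            entry["rule_ids"].add(u["rule_id"])
    return summary


if __name__ == "__main__":
    for path, info in campaign_summary(parse_urls(SAMPLE_URLS)).items():
        print(path, sorted(info["hosts"]), sorted(info["params"]), sorted(info["rule_ids"]))
    for alert in parse_alerts(SAMPLE_ALERTS):
        print(alert)
```

Two caveats the output makes visible. First, the "Tofsee" tag on records 8911, 8921 and 8923 comes solely from the SSLBL JA3 alert, and those three samples are an AsyncRAT build, a Tor-using dropper and an XLS macro document; a JA3 match identifies a TLS client stack that the fingerprint list happens to label Tofsee, not the family of the sample, which is why parse_alerts records it as a fingerprint attribution rather than a content one. Second, each FormBook record lists a dozen or more domains under one path; FormBook contacts a set of decoy domains alongside its live C2, so the hosts in campaign_summary are sighting data to pivot on, not a ready-made blocklist.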