ZeroCERT sandbox submissions, 2021-06-23 to 2021-06-24. Each record below is laid out as: ID | Date | File | MD5, followed by Tags, URLs, Hosts (written as name(ip), name() when no resolution was observed, or a bare IP, optionally suffixed " - mailcious" as the listing spells it), Alerts (Suricata/Emerging Threats signature names), Rule-matched URLs, then Score | VT | Source. The VT number is present only for records carrying the VirusTotal tag; a record with no entry in a field omits that field. Tag and signature names are reproduced exactly as the sandbox emits them.

9121 | 2021-06-23 09:21 | vbc.exe | 501b60e1f6bc866c767e57456884dc09
  Tags: AgentTesla AsyncRAT backdoor browser info stealer Generic Malware Google Chrome User Data Admin Tool (Sysinternals etc ...) Malicious Library Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE Fi VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger
  Hosts (2): abjhqm11.duckdns.org(194.5.98.203) 194.5.98.203
  Alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  Score 12.2 | VT 30 | ZeroCERT

9122 | 2021-06-23 09:23 | new%20one.exe | 1cced9999ff0a6e2c7e02fd76298a42b
  Tags: Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
  Hosts (3):
    wekeepworking12.sytes.net() - mailcious
    wekeepworking.sytes.net(79.134.225.100) - mailcious
    79.134.225.100
  Score 15.4 | VT 47 | ZeroCERT

9123 | 2021-06-23 09:25 | kzlsh1rsoz84.jpg.ps1 | 24d47b0f765c2d68a125b8321039a9e3
  Tags: Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW DNS
  Score 1.8 | VT 2 | ZeroCERT

9124 | 2021-06-23 09:28 | vbc.exe | fa0d69a3ff0a272e9e16c1fcac400a6a
  Tags: PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed
  URLs (1): http://www.ebike-ny.com/nf2/?TVg8Al=uFNXBt2HlNPd&Ulm=Sh6rMvMaevG5ZeEBRcbJejQMoaFrjLMs2ThNvE/ohJ7mYOKSTFVcl4HguxAOzQ7i3k1avvkX
  Hosts (2): www.ebike-ny.com(107.167.77.27) 107.167.77.27
  Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
  Score 9.0 | VT 24 | ZeroCERT

9125 | 2021-06-23 09:30 | f.wbk | f3f36f774b41a24a168a80e70415f66d
  Tags: RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (2):
    http://www.rplelectro.com/nf2/?Otxx6B=vZR8ILqhSn-tyL&o2=SiSpeeLFY77TtJjZyI87qW2Ff5zo/75wOvnhs+VI+xwUJWIYrtaoBqedqga9mNubv3+j+Qit
    http://192.227.196.133/fid/vbc.exe
  Hosts (3): www.rplelectro.com(47.91.205.63) 47.91.202.66 192.227.196.133
  Alerts (7):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE FormBook CnC Checkin (GET)
  Score 4.8 | VT 29 | ZeroCERT

9126 | 2021-06-23 09:30 | vbc-04.exe | 0e77117506e45cb650b1363ba40c1e55
  Tags: PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
  URLs (10):
    http://www.brunoecatarina.com/p2io/?RvE=OHUffbgvv2IRIzjH29fk0Sz2RAv4pH8VLsbDGAU3/+1JsitNqq1vDtXSpGXNdq06DpgCyNqt&Mfg=lHNl - rule_id: 1728
    http://www.adultpeace.com/p2io/ - rule_id: 1554
    http://www.malcorinmobiliaria.com/p2io/?RvE=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&Mfg=lHNl - rule_id: 1719
    http://www.aideliveryrobot.com/p2io/ - rule_id: 1727
    http://www.defenestration.world/p2io/
    http://www.defenestration.world/p2io/?RvE=lrOqxb+TUC8Po5HmYZ1tkMjkgx31NOkXgmck/5zOeb61pSaxp+mpU5HJ8/bv+r3dcUpLXcCA&Mfg=lHNl
    http://www.aideliveryrobot.com/p2io/?RvE=xikLqsON4SLys5Ctbg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYLyVZkm9Sn2R1rpOJsEg&Mfg=lHNl - rule_id: 1727
    http://www.adultpeace.com/p2io/?RvE=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&Mfg=lHNl - rule_id: 1554
    http://www.malcorinmobiliaria.com/p2io/ - rule_id: 1719
    http://www.brunoecatarina.com/p2io/ - rule_id: 1728
  Hosts (14):
    www.malcorinmobiliaria.com(160.121.176.84)
    www.aideliveryrobot.com(35.186.238.101)
    www.adultpeace.com(163.44.239.73)
    www.mercuryaid.net()
    www.defenestration.world(99.83.154.118)
    www.lucytime.com(160.124.11.194)
    www.brunoecatarina.com(54.85.86.211)
    www.m678.xyz()
    35.186.238.101 - mailcious
    160.121.176.84 - mailcious
    163.44.239.73 - mailcious
    160.124.11.194
    99.83.154.118
    54.85.86.211 - mailcious
  Alerts (4):
    ET DROP Spamhaus DROP Listed Traffic Inbound group 18
    ET INFO HTTP Request to Suspicious *.world Domain
    ET INFO Observed DNS Query to .world TLD
    ET MALWARE FormBook CnC Checkin (GET)
  Rule-matched URLs (8):
    http://www.brunoecatarina.com/p2io/
    http://www.adultpeace.com/p2io/
    http://www.malcorinmobiliaria.com/p2io/
    http://www.aideliveryrobot.com/p2io/
    http://www.aideliveryrobot.com/p2io/
    http://www.adultpeace.com/p2io/
    http://www.malcorinmobiliaria.com/p2io/
    http://www.brunoecatarina.com/p2io/
  Score 8.6 | M | VT 23 | ZeroCERT

9127 | 2021-06-23 16:34 | vbc.exe | 7847f6a1330398c7ca2252a78b6eac35
  Tags: Loki PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software
  URLs (2):
    http://bnbrokenhead.cf/Bn4/fre.php - rule_id: 2192
    http://bnbrokenhead.cf/Bn4/fre.php
  Hosts (2): bnbrokenhead.cf(104.21.2.166) 104.21.2.166
  Alerts (9):
    ET INFO DNS Query for Suspicious .cf Domain
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.cf Domain
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  Rule-matched URLs (1): http://bnbrokenhead.cf/Bn4/fre.php
  Score 8.4 | VT 22 | ZeroCERT

9128 | 2021-06-23 16:34 | audio.exe | b6ab9db1c2c1e606268a6f613cfcdf3d
  Tags: AsyncRAT backdoor PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware WriteConsoleW IP Check ComputerName DNS DDNS
  URLs (1):
  Hosts (4): microsoftupdate001.duckdns.org(54.233.121.202) ip-api.com(208.95.112.1) 208.95.112.1 54.233.121.202
  Alerts (2):
    ET POLICY External IP Lookup ip-api.com
    ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  Score 3.4 | VT 52 | ZeroCERT

9129 | 2021-06-24 07:22 | ...............dot | d553bd422c8d3621e21049ccc2ebe680
  Tags: RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (1): http://103.125.191.125/ww/vbc.exe
  Hosts (2): bnbrokenhead.cf() 103.125.191.125
  Alerts (7):
    ET INFO DNS Query for Suspicious .cf Domain
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Score 5.0 | VT 32 | ZeroCERT

9130 | 2021-06-24 07:39 | 1.doc | 7e6957c41128e2ef269aa08a1d7ede24
  Tags: VBA_macro DNS
  Score 1.4 | ZeroCERT

9131 | 2021-06-24 08:54 | مدمج الفصل الأول+الثاني+ الثال... (Arabic: "merged, chapter one + two + thi...") | 11fdd27279a2a41a93b3ef63dd1ff548
  Tags: Anti_VM PE File PE32 PE64 Browser Info Stealer Emotet VirusTotal Malware Buffer PE AutoRuns MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself sandbox evasion installed browsers check Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
  Score 13.0 | VT 59 | ZeroCERT

9132 | 2021-06-24 09:03 | RK12_EC_0.1.8.exe | bdaf8a45432e2fc3a8acf75588f2723e
  Tags: PE File OS Processor Check PE32 PE64 DLL VirusTotal Malware PDB Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Creates autorun.inf Windows ComputerName Remote Code Execution DNS crashed
  Score 8.0 | VT 13 | ZeroCERT

9133 | 2021-06-24 09:05 | p6.exe | d743980983fcf12b1427f5ea550094da
  Tags: Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check Windows DNS
  Hosts (1): OIgLHlcstBsg.OIgLHlcstBsg()
  Score 7.2 | VT 27 | ZeroCERT

9134 | 2021-06-24 09:06 | hussanx.exe | aa2bd93add61460d059367e41d89195c
  Tags: PE File PE32 Check memory RWX flags setting unpack itself anti-virtualization
  Score 1.6 | ZeroCERT

9135 | 2021-06-24 09:06 | 5bff9e596f542e5fe90ad8847f5bd5... | 2d58dc67350666f9c2ccf6ecb273afcb
  Tags: PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed
  Score 3.2 | VT 29 | ZeroCERT
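The Hosts, URLs and Alerts fields above follow a compact grammar that is easy to mis-split by hand: a host is name(ip), name() when no resolution was seen, or a bare IP, each optionally suffixed " - mailcious" (the listing's own spelling); a URL may carry " - rule_id: N"; alert names run together with each one starting "ET <CATEGORY>". The following parser and blocklist builder is an added example written for this page, not code from ZeroCERT or from the sandbox that produced the listing. It assumes only that grammar; the sample fields are constructed from records 9122, 9125/9126 and 9127, and the category ranking used for triage is the example's own, not Emerging Threats'.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Added example for the listing above (not ZeroCERT's or the sandbox's code).
# Field grammar inferred from the records:
#   host   := name "(" [ip] ")" | ip      optionally followed by " - mailcious"
#   url    := <url>                       optionally followed by " - rule_id: N"
#   alerts := one or more ET signature names, each starting "ET <CATEGORY>"
# "mailcious" is the listing's own spelling of its flag and is matched literally.

FLAG = " - mailcious"
RULE = " - rule_id: "
SEP = "\x00"  # sentinel glued to a token so that str.split() keeps it attached
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOST_RE = re.compile(r"(?P<name>[^()\s]+)\((?P<ip>[^)]*)\)")

# Constructed sample fields, copied from records 9122, 9125/9126 and 9127 above.
SAMPLE_HOSTS = ("wekeepworking12.sytes.net() - mailcious "
                "wekeepworking.sytes.net(79.134.225.100) - mailcious 79.134.225.100")
SAMPLE_URLS = ("http://www.adultpeace.com/p2io/ - rule_id: 1554 "
               "http://www.defenestration.world/p2io/ "
               "http://192.227.196.133/fid/vbc.exe")
SAMPLE_ALERTS = ("ET INFO DNS Query for Suspicious .cf Domain "
                 "ET MALWARE LokiBot Checkin "
                 "ET POLICY PE EXE or DLL Windows file download HTTP")


@dataclass(frozen=True)
class Host:
    name: Optional[str]   # None for a bare IP entry
    ip: Optional[str]     # None when the listing shows "name()" (no resolution seen)
    flagged: bool


@dataclass(frozen=True)
class Url:
    url: str
    rule_id: Optional[int]


@dataclass(frozen=True)
class Alert:
    name: str
    category: str  # the word after "ET": INFO, POLICY, HUNTING, DROP, MALWARE, ...


def parse_hosts(field: str) -> List[Host]:
    out: List[Host] = []
    for tok in field.replace(FLAG, SEP).split():
        flagged = tok.endswith(SEP)
        tok = tok.rstrip(SEP)
        m = HOST_RE.fullmatch(tok)
        if m:
            out.append(Host(m["name"], m["ip"] or None, flagged))
        elif IPV4_RE.fullmatch(tok):
            out.append(Host(None, tok, flagged))
        else:
            raise ValueError(f"unrecognised host token: {tok!r}")
    return out


def parse_urls(field: str) -> List[Url]:
    out: List[Url] = []
    for tok in field.replace(RULE, SEP).split():
        url, _, rid = tok.partition(SEP)
        out.append(Url(url, int(rid) if rid else None))
    return out


def parse_alerts(field: str) -> List[Alert]:
    # Signature names are run together; each new one starts with "ET ".
    names = [n for n in re.split(r"\s+(?=ET )", field.strip()) if n]
    return [Alert(n, n.split()[1]) for n in names]


# This example's own ranking of ET categories for triage (an assumption, not ET's).
RANK = {"INFO": 1, "POLICY": 1, "HUNTING": 2, "DROP": 2, "MALWARE": 3}


def highest_category(alerts: List[Alert]) -> Optional[str]:
    return max((a.category for a in alerts), key=lambda c: RANK.get(c, 0), default=None)


def blocklist(hosts: List[Host], urls: List[Url]) -> Dict[str, List[str]]:
    """Deduplicated domains and IPv4 addresses from the host and URL fields."""
    domains, ips = set(), set()
    for h in hosts:
        if h.name:
            domains.add(h.name)
        if h.ip:
            ips.add(h.ip)
    for u in urls:
        netloc = urlsplit(u.url).hostname
        if netloc:
            (ips if IPV4_RE.fullmatch(netloc) else domains).add(netloc)
    return {"domains": sorted(domains),
            "ips": sorted(ips, key=ipaddress.IPv4Address)}


if __name__ == "__main__":
    hosts, urls = parse_hosts(SAMPLE_HOSTS), parse_urls(SAMPLE_URLS)
    print(blocklist(hosts, urls))
    print(highest_category(parse_alerts(SAMPLE_ALERTS)))
```

Two details matter in practice. An unresolved host such as wekeepworking12.sytes.net() or the DGA-looking OIgLHlcstBsg.OIgLHlcstBsg() in 9133 still yields a domain indicator with no IP, so the blocklist keeps it rather than dropping it. And a POLICY or INFO alert alone (the ip-api.com lookup in 9128, the .cf or .world TLD notices) is not a compromise signal; the ranking lets a MALWARE signature, such as the FormBook or LokiBot check-ins, drive the verdict instead.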