| 9121 |
2021-06-23 09:21
|
 vbc.exe 501b60e1f6bc866c767e57456884dc09
AgentTesla AsyncRAT backdoor browser info stealer Generic Malware Google Chrome User Data Admin Tool (Sysinternals etc ...) Malicious Library Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE Fi VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger |
|
2
abjhqm11.duckdns.org(194.5.98.203)
194.5.98.203
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
12.2 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9122 |
2021-06-23 09:23
|
 new%20one.exe 1cced9999ff0a6e2c7e02fd76298a42b
Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
3
wekeepworking12.sytes.net() - mailcious
wekeepworking.sytes.net(79.134.225.100) - mailcious
79.134.225.100
|
|
|
15.4 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9123 |
2021-06-23 09:25
|
 kzlsh1rsoz84.jpg.ps1 24d47b0f765c2d68a125b8321039a9e3
Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW DNS |
|
|
|
|
1.8 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9124 |
2021-06-23 09:28
|
 vbc.exe fa0d69a3ff0a272e9e16c1fcac400a6a
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed |
1
http://www.ebike-ny.com/nf2/?TVg8Al=uFNXBt2HlNPd&Ulm=Sh6rMvMaevG5ZeEBRcbJejQMoaFrjLMs2ThNvE/ohJ7mYOKSTFVcl4HguxAOzQ7i3k1avvkX
|
2
www.ebike-ny.com(107.167.77.27)
107.167.77.27
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9125 |
2021-06-23 09:30
|
 f.wbk f3f36f774b41a24a168a80e70415f66d
RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://www.rplelectro.com/nf2/?Otxx6B=vZR8ILqhSn-tyL&o2=SiSpeeLFY77TtJjZyI87qW2Ff5zo/75wOvnhs+VI+xwUJWIYrtaoBqedqga9mNubv3+j+Qit
http://192.227.196.133/fid/vbc.exe
|
3
www.rplelectro.com(47.91.205.63)
47.91.202.66
192.227.196.133
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.8 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9126 |
2021-06-23 09:30
|
 vbc-04.exe 0e77117506e45cb650b1363ba40c1e55
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
10
http://www.brunoecatarina.com/p2io/?RvE=OHUffbgvv2IRIzjH29fk0Sz2RAv4pH8VLsbDGAU3/+1JsitNqq1vDtXSpGXNdq06DpgCyNqt&Mfg=lHNl - rule_id: 1728
http://www.adultpeace.com/p2io/ - rule_id: 1554
http://www.malcorinmobiliaria.com/p2io/?RvE=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&Mfg=lHNl - rule_id: 1719
http://www.aideliveryrobot.com/p2io/ - rule_id: 1727
http://www.defenestration.world/p2io/
http://www.defenestration.world/p2io/?RvE=lrOqxb+TUC8Po5HmYZ1tkMjkgx31NOkXgmck/5zOeb61pSaxp+mpU5HJ8/bv+r3dcUpLXcCA&Mfg=lHNl
http://www.aideliveryrobot.com/p2io/?RvE=xikLqsON4SLys5Ctbg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYLyVZkm9Sn2R1rpOJsEg&Mfg=lHNl - rule_id: 1727
http://www.adultpeace.com/p2io/?RvE=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&Mfg=lHNl - rule_id: 1554
http://www.malcorinmobiliaria.com/p2io/ - rule_id: 1719
http://www.brunoecatarina.com/p2io/ - rule_id: 1728
|
14
www.malcorinmobiliaria.com(160.121.176.84)
www.aideliveryrobot.com(35.186.238.101)
www.adultpeace.com(163.44.239.73)
www.mercuryaid.net()
www.defenestration.world(99.83.154.118)
www.lucytime.com(160.124.11.194)
www.brunoecatarina.com(54.85.86.211)
www.m678.xyz()
35.186.238.101 - mailcious
160.121.176.84 - mailcious
163.44.239.73 - mailcious
160.124.11.194
99.83.154.118
54.85.86.211 - mailcious
|
4
ET DROP Spamhaus DROP Listed Traffic Inbound group 18
ET INFO HTTP Request to Suspicious *.world Domain
ET INFO Observed DNS Query to .world TLD
ET MALWARE FormBook CnC Checkin (GET)
|
8
http://www.brunoecatarina.com/p2io/
http://www.adultpeace.com/p2io/
http://www.malcorinmobiliaria.com/p2io/
http://www.aideliveryrobot.com/p2io/
http://www.aideliveryrobot.com/p2io/
http://www.adultpeace.com/p2io/
http://www.malcorinmobiliaria.com/p2io/
http://www.brunoecatarina.com/p2io/
|
8.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9127 |
2021-06-23 16:34
|
 vbc.exe 7847f6a1330398c7ca2252a78b6eac35
Loki PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
2
http://bnbrokenhead.cf/Bn4/fre.php - rule_id: 2192
http://bnbrokenhead.cf/Bn4/fre.php
|
2
bnbrokenhead.cf(104.21.2.166)
104.21.2.166
|
9
ET INFO DNS Query for Suspicious .cf Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.cf Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://bnbrokenhead.cf/Bn4/fre.php
|
8.4 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9128 |
2021-06-23 16:34
|
 audio.exe b6ab9db1c2c1e606268a6f613cfcdf3d
AsyncRAT backdoor PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware WriteConsoleW IP Check ComputerName DNS DDNS |
1
|
4
microsoftupdate001.duckdns.org(54.233.121.202)
ip-api.com(208.95.112.1)
208.95.112.1
54.233.121.202
|
2
ET POLICY External IP Lookup ip-api.com
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
3.4 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9129 |
2021-06-24 07:22
|
 ...............dot d553bd422c8d3621e21049ccc2ebe680
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://103.125.191.125/ww/vbc.exe
|
2
bnbrokenhead.cf()
103.125.191.125
|
7
ET INFO DNS Query for Suspicious .cf Domain
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9130 |
2021-06-24 07:39
|
 1.doc 7e6957c41128e2ef269aa08a1d7ede24
VBA_macro DNS |
|
|
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9131 |
2021-06-24 08:54
|
مدمج الفصل الأول+الثاني+ الثال... 11fdd27279a2a41a93b3ef63dd1ff548
Anti_VM PE File PE32 PE64 Browser Info Stealer Emotet VirusTotal Malware Buffer PE AutoRuns MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself sandbox evasion installed browsers check Windows Exploit Browser ComputerName Remote Code Execution DNS crashed |
|
|
|
|
13.0 |
|
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9132 |
2021-06-24 09:03
|
 RK12_EC_0.1.8.exe bdaf8a45432e2fc3a8acf75588f2723e
PE File OS Processor Check PE32 PE64 DLL VirusTotal Malware PDB Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Creates autorun.inf Windows ComputerName Remote Code Execution DNS crashed |
|
|
|
|
8.0 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9133 |
2021-06-24 09:05
|
 p6.exe d743980983fcf12b1427f5ea550094da
Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check Windows DNS |
|
1
OIgLHlcstBsg.OIgLHlcstBsg()
|
|
|
7.2 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9134 |
2021-06-24 09:06
|
 hussanx.exe aa2bd93add61460d059367e41d89195c
PE File PE32 Check memory RWX flags setting unpack itself anti-virtualization |
|
|
|
|
1.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9135 |
2021-06-24 09:06
|
 5bff9e596f542e5fe90ad8847f5bd5... 2d58dc67350666f9c2ccf6ecb273afcb
PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
3.2 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|