| 9241 |
2021-06-24 20:16
|
 howdidyou.exe 94bbee3cdbcc598b4fc638b6ece1f35e
AsyncRAT backdoor Generic Malware PE File .NET EXE PE32 JPEG Format VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW Tofsee ComputerName DNS |
1
https://discord.com/api/webhooks/855705156444094504/wI1ePCkz2YUM4Gk-hmnvocsg-XyNz-ww21jnKAq4w7yoaBPG_FvuwcJx8DAT7mXsf-Ha
|
2
discord.com(162.159.136.232) - mailcious
162.159.136.232
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9242 |
2021-06-24 20:18
|
 shell.exe 708c8a452d02d46ed6a1c16486a7a206
Malicious Library PE File PE32 VirusTotal Malware unpack itself DNS |
|
1
|
|
|
4.2 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9243 |
2021-06-24 20:19
|
 cc7.exe 07bb44fb4c5ac3056106e66919b2de96
Gen1 Gen2 Generic Malware PE File OS Processor Check PE32 DLL VirusTotal Malware Check memory Creates executable files AppData folder WriteConsoleW |
|
|
|
|
2.4 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9244 |
2021-06-24 20:19
|
 proxy-IRXC-setup.exe fd21878da4856b1d35cc873540d7f6f2
Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
2.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9245 |
2021-06-24 20:20
|
 OCC.doc dc836881ad266d654325720a8341eec7
MSOffice File Vulnerability unpack itself DNS |
|
|
|
|
2.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9246 |
2021-06-24 20:21
|
9d8aa271.png 7a72d5e6044805ea4d2f37bdbdc0ab2d
MSOffice File VirusTotal Malware |
|
|
|
|
1.0 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9247 |
2021-06-24 20:21
|
 PianoScrap.exe 2e765a8048bcd67f293f11db938e77c3
NPKI North Korea Gen1 Gen2 Emotet Generic Malware Admin Tool (Sysinternals etc ...) Anti_VM Antivirus VMProtect Http API AntiDebug AntiVM PE File PE32 DLL OS Processor Check .NET DLL MSOffice File PNG Format GIF Format PE64 .NET EXE Malware download VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk suspicious TLD sandbox evasion VMware China anti-virtualization VM Disk Size Check installed browsers check Ransomware GameoverP2P Interception Zeus Windows Browser Advertising ComputerName Trojan Banking Firmware DNS crashed |
68
http://kl.hnayg.com/zkactive/ctl/v2/qinfo.html?uid=74a6032aa894c3a537de6d362f685c90
http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS3J2uI8vbMMQdZCObew1G35NkGWUaxY/rEhS0OVoP9qkuI3l6VXz7nvGHW5yib/KwA%3D%3D
http://report.uchiha.ltd/
http://mxreport.whooyan.com/
http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS8VsD0RJ%2BB/azLdXTIBJEaZEgoZX6k3g9qcj6f1izDRQaHEbdKVMY0KnIblHwcjmrg%3D%3D
http://g.zapi.binghuokeji.cn/?r=/v3/pp/lf&p=bySKbGTEED0if6D4enWJnQxZaCtGpyNwvR1%2BjP1o3N4fMVR0FYSSXYKpiwlwIdeg
http://down.wdmuz.com/wy/wyp1.dat
http://union.juzizm.com/api/count/setup2
http://dl.binghuokeji.cn/d/imgs/syyng.png
http://down.gametoplist.top/60b5f24b88583/IMedia-553.exe
http://tj.rxgif.cn/api/logs
http://tj.rxgif.cn/api/live/server
http://down.wdmuz.com/wy/wyp1.dat?48507900
http://g.zapi.binghuokeji.cn/microtime/
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r1
http://shdl.wdmuz.com/bjlc/87cbca115561d04afe4c965dd803098a.cdd?rand=85070
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/popup/p1
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i5
http://g.zapi.binghuokeji.cn/?r=/v3/cp/t&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
http://down1.abckantu.com/11a9df7ff83a058afaadb5a09da594ae.data
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i6
http://down.rxgif.cn/ddxm/Setup_10011.exe
http://download.52pcfree.com/k52zip/k52zip20210520-220-21.exe
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i2
http://g.zapi.binghuokeji.cn/?r=/v3/pp/l&p=bySKbGTEED0if6D4enWJnQxZaCtGpyNwvR1%2BjP1o3N4fMVR0FYSSXYKpiwlwIdeg
http://config.i.duba.net/rcmdsoft/11/1/sencecfg.dat
http://down1.thorzip.muxin.fun/report/queryinfo.xml
http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.json
http://g.zapi.binghuokeji.cn/?r=/v3/cp/i&p=SxInsX/RJYZFLz7ztyfMIDL%2BGa9IB3Wjc0bUqn3/WR3cqUoBQ1fPqp/GqBYrObWp/4LvN/YAJhMOXv%2BfLeFo3w%3D%3D
http://down1.thorzip.muxin.fun/logo/v1.0.0.2/ShellExtStrategyDll64.gif
http://tj.wdmuz.com/lc-spbj.php?uid=262f2de5d68b2fac5ccaac65dbf7853f&qid=null&softname=bangong&softid=shanzip&softver=
http://config.i.duba.net/rcmdsoft/db/kzip_install_pushdb02.zip
http://down.rxgif.cn/DBlink/LnockRarsly.exe
http://cdn-office.lanshan.com/package/tui/downloadtool/office/OfficeDownloaderInstall_0_100016_lanshan.exe
http://xz.8dashi.com/qd/mastercfgoo.ini?v2021062544904
http://down2.thorzip.muxin.fun/60fffd6d5d24aa987a843c4d3a0980b4.data
http://down.rxgif.cn/ddcfg/ddcfgs.ini
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/l2
http://infoc0.duba.net/nep/v1/
http://g.zapi.binghuokeji.cn/?r=/v3/cp/c&p=PHOja0XI6Hpo1VJzU/gs6k0Ptg8TIvoCwg%2Bx8C0Vu7iDJfI9mnwYtk%2BKuGb/ttx2TQpoRsLAIagyRsjWT58KK4i1X1%2BYNCfaVA3ifMdOA48%3D
http://tj.wdmuz.com/pipil.php
http://infoc2.duba.net/c/
http://union.infoc.duba.net/nep/v1/
http://down1.abckantu.com/shouheng_1/abckantu_2722097895_shouheng_001.exe
http://dl.binghuokeji.cn/img/mtcf.png
http://s.syzs.qq.com/channel/6/17100/syzs03_1000219144.exe
http://download.52pcfree.com/fastpdf/Fastpdf_setup_ver21042017.420.1.1.1.exe
http://g.zapi.binghuokeji.cn/?r=/v3/cp/b&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r2
http://dl.binghuokeji.cn/FlashZip/tsk_bjrj
http://dn.earpan.com/store/pic_soft45181.exe
http://dl.binghuokeji.cn/d/ghwuxPEi/FlashZip_2710.exe
http://g.zapi.binghuokeji.cn/?r=/v3/pp/tl&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
http://down2.thorzip.muxin.fun/tiangua_2/leishenzip_247915520_tiangua_001.exe
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s4
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s3
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s1
http://info.52pcfree.com/c/
http://tj.rxgif.cn/api/down/dd
http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS4JsN/4dJva6ouBTswyspvZHobJcEPjUq0ampBCtF858ClIqSQQ5jhcq7JuelnnYNQ%3D%3D
http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.md5
http://g.zapi.binghuokeji.cn/?r=/v3/cp/b&p=VmyjhZ1V79QDl18vfKISlyjyKkbpyH4HuhPbyes/VOY8dEbsXOgBetY77HbUlW17
http://g.zapi.binghuokeji.cn/?r=/v3/cp/r&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
http://down1.thorzip.muxin.fun/shell2.json
http://g.zapi.binghuokeji.cn/?r=/v3/cp/u&p=VmyjhZ1V79QDl18vfKISlyjyKkbpyH4HuhPbyes/VOY8dEbsXOgBetY77HbUlW17
http://p.zapi.binghuokeji.cn/?r=/v2/statistics/pkg/l1
http://dbsu.cmcm.com/uv?t=1624564187
http://dl.binghuokeji.cn/img/tbmsc.jpg
|
60
shdl.wdmuz.com(119.206.200.180)
g.zapi.binghuokeji.cn(163.171.198.117)
union.infoc.duba.net(193.112.235.183)
report.thorzip.muxin.fun()
dl.binghuokeji.cn(119.206.200.180)
down1.thorzip.muxin.fun(119.39.80.117)
download.52pcfree.com(125.77.167.184)
dbsu.cmcm.com(111.230.160.42)
mxreport.whooyan.com(101.200.147.119)
dn.earpan.com(61.172.205.219)
down.wdmuz.com(119.206.200.181)
down1.abckantu.com(42.56.79.236)
u-d-office.lanshan.com(49.233.242.159)
cdn-office.lanshan.com(14.204.144.133)
tj.wdmuz.com(106.75.31.186)
p.zapi.binghuokeji.cn(163.171.198.117)
www.baidu.com(119.63.197.139)
info.52pcfree.com(139.199.214.236)
s.syzs.qq.com(211.152.132.122)
union.juzizm.com(106.75.135.138)
down.rxgif.cn(119.206.200.180)
api.mxgcat.wang(42.56.79.236)
report.uchiha.ltd(47.95.193.173)
config.i.duba.net(180.97.251.192)
infoc0.duba.net(119.29.47.96)
xz.8dashi.com(119.206.200.180)
tj.rxgif.cn(106.75.135.138)
down.gametoplist.top(218.12.76.151)
kl.hnayg.com(59.110.159.69)
down2.thorzip.muxin.fun(119.36.226.154)
infoc2.duba.net(111.230.117.40)
47.95.193.173
202.122.145.86
111.230.160.42
59.110.159.69
119.206.200.180 - malware
111.230.117.40
139.199.214.236
42.56.79.236
119.6.229.138 - malware
211.159.130.115
106.75.31.186
119.36.33.98
49.233.242.159
119.39.80.117 - malware
125.77.167.183
123.57.234.67
36.248.43.220 - malware
119.36.226.154
211.91.160.215 - malware
61.172.205.219 - malware
163.171.198.117
119.206.200.181 - malware
123.56.69.34
211.159.130.100
106.75.135.138
211.152.132.122
119.63.197.151
180.97.251.192
120.52.95.242 - malware
|
9
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET MALWARE Suspicious Download Setup_ exe
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
|
|
27.6 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9248 |
2021-06-24 20:23
|
 OCC.docx 7f98269245bb2988e09f2e9cd0c2dca7Vulnerability unpack itself DNS |
|
|
|
|
10.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9249 |
2021-06-24 20:35
|
 partsoffer.exe e15787ea22a793ff3c4d414c18234fec
PE File PE32 VirusTotal Malware Check memory unpack itself DNS crashed |
|
|
|
|
3.4 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9250 |
2021-06-24 20:35
|
 server.exe 912047706a95ccffb31c4adb912e0adb
Malicious Library PE File OS Processor Check PE32 VirusTotal Malware AutoRuns Check memory Windows DNS |
|
1
|
|
|
3.2 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9251 |
2021-06-24 20:35
|
 Syringas.exe caaeb152d528c8c52126d6678a8ce6f5
AsyncRAT backdoor BitCoin Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://193.29.104.98:62315/
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31)
104.26.12.31
193.29.104.98
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
12.8 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9252 |
2021-06-24 20:39
|
 setup.txt c838695f44eab49e39fdddf95e7a8278
Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
4.0 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9253 |
2021-06-24 20:39
|
 system7.mainform.exe 6e52f9066149d3383f769009fa97ee6a
Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName DNS |
|
|
|
|
2.6 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9254 |
2021-06-24 20:39
|
 fc8edf706344462ab7b600ae29d554... 6f1fe99a6ffc835b50874a63711d2482
VBA_macro MSOffice File VirusTotal Malware unpack itself |
|
|
|
|
2.8 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9255 |
2021-06-24 20:40
|
 xxs.exe 84ca8eab52cffba95a26159fcba9d1b9
PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
2
http://www.blowuin.com/wlns/?Rfm=kqh7r8ylgS3zHL1GIAw/iISI3Ruz0mzNrNj/DvCk+DiaPMdHZWMr1tcS75k91vx/gv/9MhU8&E6A=8pMxBp
http://www.robinsonuas.com/wlns/?Rfm=1/cHY6o3y2kTfnImlOu2zDDBy3QA1LzHHg6SRmwmJGbZFdy9dxCYPVknHFO77fV8z6zDjSzB&E6A=8pMxBp
|
7
www.robinsonuas.com(34.199.107.45)
www.pokemonteambuilder.team(34.197.205.97)
www.blowuin.com(184.168.131.241)
34.197.205.97
1.15.15.44
184.168.131.241 - mailcious
18.205.135.125
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|