9241 | 2021-06-24 20:16 |
howdidyou.exe 94bbee3cdbcc598b4fc638b6ece1f35e AsyncRAT backdoor Generic Malware PE File .NET EXE PE32 JPEG Format VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW Tofsee ComputerName DNS |
1 | https://discord.com/api/webhooks/855705156444094504/wI1ePCkz2YUM4Gk-hmnvocsg-XyNz-ww21jnKAq4w7yoaBPG_FvuwcJx8DAT7mXsf-Ha
2 | discord.com(162.159.136.232) - malicious 162.159.136.232
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | 37 | ZeroCERT
9242 | 2021-06-24 20:18 |
shell.exe 708c8a452d02d46ed6a1c16486a7a206 Malicious Library PE File PE32 VirusTotal Malware unpack itself DNS |
1 |
4.2 | 52 | ZeroCERT
9243 | 2021-06-24 20:19 |
cc7.exe 07bb44fb4c5ac3056106e66919b2de96 Gen1 Gen2 Generic Malware PE File OS Processor Check PE32 DLL VirusTotal Malware Check memory Creates executable files AppData folder WriteConsoleW |
2.4 | 20 | ZeroCERT
9244 | 2021-06-24 20:19 |
proxy-IRXC-setup.exe fd21878da4856b1d35cc873540d7f6f2 Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
2.8 | 23 | ZeroCERT
9245 | 2021-06-24 20:20 |
OCC.doc dc836881ad266d654325720a8341eec7 MSOffice File Vulnerability unpack itself DNS |
2.4 | | ZeroCERT
9246 | 2021-06-24 20:21 |
9d8aa271.png 7a72d5e6044805ea4d2f37bdbdc0ab2d MSOffice File VirusTotal Malware |
1.0 | 34 | ZeroCERT
9247 | 2021-06-24 20:21 |
PianoScrap.exe 2e765a8048bcd67f293f11db938e77c3 NPKI North Korea Gen1 Gen2 Emotet Generic Malware Admin Tool (Sysinternals etc ...) Anti_VM Antivirus VMProtect Http API AntiDebug AntiVM PE File PE32 DLL OS Processor Check .NET DLL MSOffice File PNG Format GIF Format PE64 .NET EXE Malware download VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk suspicious TLD sandbox evasion VMware China anti-virtualization VM Disk Size Check installed browsers check Ransomware GameoverP2P Interception Zeus Windows Browser Advertising ComputerName Trojan Banking Firmware DNS crashed |
68 |
60 |
9 |
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET MALWARE Suspicious Download Setup_ exe
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
27.6 | 29 | ZeroCERT
9248 | 2021-06-24 20:23 |
OCC.docx 7f98269245bb2988e09f2e9cd0c2dca7 Vulnerability unpack itself DNS |
10.0 | | ZeroCERT
9249 | 2021-06-24 20:35 |
partsoffer.exe e15787ea22a793ff3c4d414c18234fec PE File PE32 VirusTotal Malware Check memory unpack itself DNS crashed |
3.4 | 20 | ZeroCERT
9250 | 2021-06-24 20:35 |
server.exe 912047706a95ccffb31c4adb912e0adb Malicious Library PE File OS Processor Check PE32 VirusTotal Malware AutoRuns Check memory Windows DNS |
1 |
3.2 | 57 | ZeroCERT
9251 | 2021-06-24 20:35 |
Syringas.exe caaeb152d528c8c52126d6678a8ce6f5 AsyncRAT backdoor BitCoin Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2 | http://193.29.104.98:62315/ https://api.ip.sb/geoip
3 | api.ip.sb(104.26.12.31) 104.26.12.31 193.29.104.98
2 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
12.8 | 48 | ZeroCERT
9252 | 2021-06-24 20:39 |
setup.txt c838695f44eab49e39fdddf95e7a8278 Generic Malware Malicious Packer PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
4.0 | 38 | ZeroCERT
9253 | 2021-06-24 20:39 |
system7.mainform.exe 6e52f9066149d3383f769009fa97ee6a Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName DNS |
2.6 | 8 | ZeroCERT
9254 | 2021-06-24 20:39 |
fc8edf706344462ab7b600ae29d554... 6f1fe99a6ffc835b50874a63711d2482 VBA_macro MSOffice File VirusTotal Malware unpack itself |
2.8 | 43 | ZeroCERT
9255 | 2021-06-24 20:40 |
xxs.exe 84ca8eab52cffba95a26159fcba9d1b9 PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
2 | http://www.blowuin.com/wlns/?Rfm=kqh7r8ylgS3zHL1GIAw/iISI3Ruz0mzNrNj/DvCk+DiaPMdHZWMr1tcS75k91vx/gv/9MhU8&E6A=8pMxBp http://www.robinsonuas.com/wlns/?Rfm=1/cHY6o3y2kTfnImlOu2zDDBy3QA1LzHHg6SRmwmJGbZFdy9dxCYPVknHFO77fV8z6zDjSzB&E6A=8pMxBp
7 | www.robinsonuas.com(34.199.107.45) www.pokemonteambuilder.team(34.197.205.97) www.blowuin.com(184.168.131.241) 34.197.205.97 1.15.15.44 184.168.131.241 - malicious 18.205.135.125
1 | ET MALWARE FormBook CnC Checkin (GET)
8.8 | 26 | ZeroCERT