| 9496 |
2021-06-30 10:17
|
 bluex.exe ace1d8ad9db9b4b8d98ae7396ab4d5f2
PE32 PE File VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization |
|
|
|
|
2.8 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9497 |
2021-06-30 10:17
|
 aguerox.exe c38c193cb4f5ffe0f659b9cce043b1bb
RAT Generic Malware UPX Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FA4DEFF2106AB0A1524B9B592AF88526.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-731ABFA8AA5B9C377C95A520839E3883.html - rule_id: 2406
|
2
kakosidobrosam.gq(104.21.67.197) - mailcious
172.67.180.37 - mailcious
|
3
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
|
13.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9498 |
2021-06-30 10:20
|
 ZxSp2w7H.ps1 ac961c6f90b90686d00f09c720399dd8
Generic Malware Antivirus DLL .NET DLL PE32 PE File VirusTotal Malware Check memory Creates executable files unpack itself Windows utilities AppData folder Windows DNS Cryptographic key |
|
|
|
|
4.4 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9499 |
2021-06-30 10:20
|
 obi1.exe 43a524a3213879698691d619cc4f5d27
RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check human activity check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
131.186.113.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.8 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9500 |
2021-06-30 14:29
|
https://kaisjovrnal.blogspot.c... 474dedf0f24f38ce94bcce0d2d59b1b7
AntiDebug AntiVM JPEG Format MSOffice File PNG Format Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
11
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc9.ttf
https://kaisjovrnal.blogspot.com/favicon.ico
https://fonts.gstatic.com/s/roboto/v27/KFOjCnqEu92Fr1Mu51TjASc6CsE.ttf
https://kaisjovrnal.blogspot.com/responsive/sprite_v1_6.css.svg
https://www.gstatic.com/external_hosted/clipboardjs/clipboard.min.js
https://kaisjovrnal.blogspot.com/
https://themes.googleusercontent.com/image?id=L1lcAxxz0CLgsDzixEprHJ2F38TyEjCyE3RSAjynQDks0lT1BDc1OxXKaTEdLc89HPvdB11X9FDw&options=w1600
https://resources.blogblog.com/blogblog/data/res/2297987710-indie_compiled.js
https://www.blogger.com/img/blogger_logo_round_35.png
https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxP.ttf
https://www.blogger.com/static/v1/widgets/4165186901-widgets.js
|
12
resources.blogblog.com(172.217.27.73)
www.gstatic.com(172.217.175.3)
themes.googleusercontent.com(172.217.25.65)
fonts.gstatic.com(142.250.196.99)
kaisjovrnal.blogspot.com(172.217.175.225)
www.blogger.com(172.217.27.73)
142.250.207.67
142.250.207.73
142.250.204.129
172.217.174.193
142.250.66.41
142.250.204.67
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9501 |
2021-06-30 14:53
|
https://kaisjovrnal.blogspot.c... e9079b1ff20c9e6a353f61c0d9ed9183
AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
22
https://www.blogger.com/comment-iframe.g?blogID=1521588183554530350&postID=6589977583955789967&skin=contempo&blogspotRpcToken=9903348&bpli=1
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc9.ttf
https://kaisjovrnal.blogspot.com/favicon.ico
https://resources.blogblog.com/img/anon36.png
https://www.google.com/js/bg/aFukL30eGpEGGXzCT1fXiEnMRwdzyrC8pd_N-0af-RM.js
https://www.blogger.com/img/responsive/sprite_comment_v1.css.svg
https://fonts.gstatic.com/s/roboto/v27/KFOjCnqEu92Fr1Mu51TjASc6CsE.ttf
https://kaisjovrnal.blogspot.com/responsive/sprite_v1_6.css.svg
https://www.gstatic.com/external_hosted/clipboardjs/clipboard.min.js
https://resources.blogblog.com/img/blank.gif
https://www.blogger.com/img/blogger_logo_round_35.png
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D1521588183554530350%26postID%3D6589977583955789967%26skin%3Dcontempo%26blogspotRpcToken%3D9903348%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D1521588183554530350%26postID%3D6589977583955789967%26skin%3Dcontempo%26blogspotRpcToken%3D9903348%26bpli%3D1&passive=true&go=true
https://resources.blogblog.com/blogblog/data/res/2297987710-indie_compiled.js
https://www.blogger.com/static/v1/widgets/4165186901-widgets.js
https://www.blogger.com/static/v1/jsbin/1639926472-comment_from_post_iframe.js
https://kaisjovrnal.blogspot.com/2021/06/7.html
https://www.blogblog.com/indie/mspin_black_large.svg
https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxP.ttf
https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&bgint=aFukL30eGpEGGXzCT1fXiEnMRwdzyrC8pd_N-0af-RM
https://www.blogger.com/static/v1/jsbin/3378424095-cmt__ko.js
https://www.blogger.com/comment-iframe.g?blogID=1521588183554530350&postID=6589977583955789967&skin=contempo&blogspotRpcToken=9903348
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1521588183554530350&zx=5ace77a7-6cf2-4433-8b2a-490d3b377c51
|
17
resources.blogblog.com(172.217.27.73)
www.google.com(172.217.25.228)
www.gstatic.com(172.217.27.67)
themes.googleusercontent.com(172.217.25.65)
accounts.google.com(172.217.175.45)
www.blogblog.com(172.217.27.73)
fonts.gstatic.com(142.250.196.99)
kaisjovrnal.blogspot.com(172.217.175.225) - mailcious
www.blogger.com(172.217.27.73)
142.250.204.35
172.217.163.228
172.217.31.225
172.217.174.201
172.217.161.163
172.217.161.169
142.250.199.77
142.250.66.65
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9502 |
2021-06-30 14:59
|
 ................................. 77a7546a06aea8e26df1dc493897e63b
RTF File doc AntiDebug AntiVM LokiBot Malware download Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://manvim.co/fd1/fre.php
http://103.89.91.124/rdf/vbc.exe
|
3
manvim.co(165.232.183.193) - mailcious
103.89.91.124
165.232.183.193
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9503 |
2021-06-30 15:06
|
 kaisjovrnal.blogspot.com.vbs dd18c535de1431b53642cd31813906a4Malware Malicious Traffic buffers extracted WMI wscript.exe payload download Creates shortcut Creates executable files Tofsee Windows ComputerName DNS |
2
http://taesan109.myartsonline.com/about/post/info.php?w=na&ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86) - rule_id: 2410
https://www.daum.net/favicon.ico
|
4
taesan109.myartsonline.com(185.176.43.98) - mailcious
www.daum.net(203.133.167.81)
211.231.99.17
185.176.43.98 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
|
1
http://taesan109.myartsonline.com/about/post/info.php
|
6.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9504 |
2021-06-30 15:09
|
 vbc.exe b9f3efaa0601ad882c2409c0a18c5840
Raccoon Stealer Malicious Packer Malicious Library OS Processor Check PE32 PE File PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
3.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9505 |
2021-06-30 18:18
|
 elR3UpuhG0s20yL.exe a7f717072a0d35f306a3ff529570800d
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
11.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9506 |
2021-06-30 18:18
|
 kl.exe 8354ceaa7ac81f8e475f3f2e8756d282
Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
3
http://www.weareabound.com/lvno/?-ZP=W6RpsLp8e&v6A=M0LmWm//ZArtIv130hWydy/DKY2TwS5w871tpMdqWRY525nyXqghfI683hyjUlLIGT31asR9
http://www.avolveathlete.com/lvno/?-ZP=W6RpsLp8e&v6A=t3Ce00tSwkeKYppuBLfRF1A/AfNTT8LaaJuV0vr8FAYbhOF6J1iYrA9eFtM96v5X/7tF9cCa
http://www.foreverflourishingbeauty.com/lvno/?v6A=sKR8bCukz0+J3IfB4+tMzJz8DrEuTKjhsiQ44QxvTEppZkCTm29rIJc1dYWsrOvrvWz44o1y&-ZP=W6RpsLp8e
|
4
www.weareabound.com(34.102.136.180)
www.avolveathlete.com(34.102.136.180)
www.foreverflourishingbeauty.com(34.102.136.180)
34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.6 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9507 |
2021-06-30 18:20
|
 vbc.exe 961c7c87514eedb683ab4b64d1c3ae6a
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9508 |
2021-06-30 18:23
|
 nn.exe 8b044cbf9b624f6e661b20909a7ae5b2
PWS .NET framework Generic Malware UPX Antivirus .NET EXE PE32 PE File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key |
|
|
|
|
6.2 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9509 |
2021-06-30 18:24
|
 ny.exe 705ad720b2435fcdb0aaa33b5ae1210c
Generic Malware Antivirus .NET EXE PE32 PE File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName Cryptographic key |
|
|
|
|
5.6 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9510 |
2021-06-30 18:26
|
 w.exe dbc7dec63082150e42c786fbc47dea8a
PWS .NET framework Generic Malware UPX AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed |
3
http://www.szlandas.com/wlns/?SVE=GKZWCMEw3T5aOBpNO42YjE/TaP1B6pPd2pbjYzDF3p7yhpxX2M2GLn3QuEoCBwC+72ICaQ2c&oX=Txo8n04xDBsp
http://www.guniverse.net/wlns/?SVE=obmV34E+VnU01louI7hyDBOk8azyZSyy8u3EY5X02UVoxZoekQW179fH12awdQjVw+iljCJU&oX=Txo8n04xDBsp
http://www.theircouture.com/wlns/?SVE=vbQ70DSOjBu6wXqoiLl8xulYFqbBUo6FNBZyPPsJA5VA6onbJOTBpmYGjXjMfEPpp2tfldem&oX=Txo8n04xDBsp
|
6
www.szlandas.com(160.124.142.64)
www.theircouture.com(192.187.111.220)
www.guniverse.net(213.186.33.5)
81.17.18.195 - suspicious
213.186.33.5 - mailcious
160.124.142.64
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|