9496 | 2021-06-30 10:17 | bluex.exe ace1d8ad9db9b4b8d98ae7396ab4d5f2 PE32 PE File VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization
2.8 | | 42 | ZeroCERT
9497 | 2021-06-30 10:17 | aguerox.exe c38c193cb4f5ffe0f659b9cce043b1bb RAT Generic Malware UPX Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
2 | https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FA4DEFF2106AB0A1524B9B592AF88526.html - rule_id: 2406 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-731ABFA8AA5B9C377C95A520839E3883.html - rule_id: 2406
2 | kakosidobrosam.gq(104.21.67.197) - mailcious 172.67.180.37 - mailcious
3 | ET INFO DNS Query for Suspicious .gq Domain ET INFO Suspicious Domain (*.gq) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2 | https://kakosidobrosam.gq/liverpool-fc-news/ https://kakosidobrosam.gq/liverpool-fc-news/
13.8 | M | 25 | ZeroCERT
9498 | 2021-06-30 10:20 | ZxSp2w7H.ps1 ac961c6f90b90686d00f09c720399dd8 Generic Malware Antivirus DLL .NET DLL PE32 PE File VirusTotal Malware Check memory Creates executable files unpack itself Windows utilities AppData folder Windows DNS Cryptographic key
4.4 | | 12 | ZeroCERT
9499 | 2021-06-30 10:20 | obi1.exe 43a524a3213879698691d619cc4f5d27 RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check human activity check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(104.21.19.200) checkip.dyndns.org(162.88.193.70) 131.186.113.70 172.67.188.154
4 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.8 | | 38 | ZeroCERT
9500 | 2021-06-30 14:29 | https://kaisjovrnal.blogspot.c... 474dedf0f24f38ce94bcce0d2d59b1b7 AntiDebug AntiVM JPEG Format MSOffice File PNG Format Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
11 | https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc9.ttf https://kaisjovrnal.blogspot.com/favicon.ico https://fonts.gstatic.com/s/roboto/v27/KFOjCnqEu92Fr1Mu51TjASc6CsE.ttf https://kaisjovrnal.blogspot.com/responsive/sprite_v1_6.css.svg https://www.gstatic.com/external_hosted/clipboardjs/clipboard.min.js https://kaisjovrnal.blogspot.com/ https://themes.googleusercontent.com/image?id=L1lcAxxz0CLgsDzixEprHJ2F38TyEjCyE3RSAjynQDks0lT1BDc1OxXKaTEdLc89HPvdB11X9FDw&options=w1600 https://resources.blogblog.com/blogblog/data/res/2297987710-indie_compiled.js https://www.blogger.com/img/blogger_logo_round_35.png https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxP.ttf https://www.blogger.com/static/v1/widgets/4165186901-widgets.js
12 | resources.blogblog.com(172.217.27.73) www.gstatic.com(172.217.175.3) themes.googleusercontent.com(172.217.25.65) fonts.gstatic.com(142.250.196.99) kaisjovrnal.blogspot.com(172.217.175.225) www.blogger.com(172.217.27.73) 142.250.207.67 142.250.207.73 142.250.204.129 172.217.174.193 142.250.66.41 142.250.204.67
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 | | | ZeroCERT
9501 | 2021-06-30 14:53 | https://kaisjovrnal.blogspot.c... e9079b1ff20c9e6a353f61c0d9ed9183 AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
22 | https://www.blogger.com/comment-iframe.g?blogID=1521588183554530350&postID=6589977583955789967&skin=contempo&blogspotRpcToken=9903348&bpli=1 https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc9.ttf https://kaisjovrnal.blogspot.com/favicon.ico https://resources.blogblog.com/img/anon36.png https://www.google.com/js/bg/aFukL30eGpEGGXzCT1fXiEnMRwdzyrC8pd_N-0af-RM.js https://www.blogger.com/img/responsive/sprite_comment_v1.css.svg https://fonts.gstatic.com/s/roboto/v27/KFOjCnqEu92Fr1Mu51TjASc6CsE.ttf https://kaisjovrnal.blogspot.com/responsive/sprite_v1_6.css.svg https://www.gstatic.com/external_hosted/clipboardjs/clipboard.min.js https://resources.blogblog.com/img/blank.gif https://www.blogger.com/img/blogger_logo_round_35.png https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D1521588183554530350%26postID%3D6589977583955789967%26skin%3Dcontempo%26blogspotRpcToken%3D9903348%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D1521588183554530350%26postID%3D6589977583955789967%26skin%3Dcontempo%26blogspotRpcToken%3D9903348%26bpli%3D1&passive=true&go=true https://resources.blogblog.com/blogblog/data/res/2297987710-indie_compiled.js https://www.blogger.com/static/v1/widgets/4165186901-widgets.js https://www.blogger.com/static/v1/jsbin/1639926472-comment_from_post_iframe.js https://kaisjovrnal.blogspot.com/2021/06/7.html https://www.blogblog.com/indie/mspin_black_large.svg https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxP.ttf https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&bgint=aFukL30eGpEGGXzCT1fXiEnMRwdzyrC8pd_N-0af-RM https://www.blogger.com/static/v1/jsbin/3378424095-cmt__ko.js https://www.blogger.com/comment-iframe.g?blogID=1521588183554530350&postID=6589977583955789967&skin=contempo&blogspotRpcToken=9903348 https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1521588183554530350&zx=5ace77a7-6cf2-4433-8b2a-490d3b377c51
17 | resources.blogblog.com(172.217.27.73) www.google.com(172.217.25.228) www.gstatic.com(172.217.27.67) themes.googleusercontent.com(172.217.25.65) accounts.google.com(172.217.175.45) www.blogblog.com(172.217.27.73) fonts.gstatic.com(142.250.196.99) kaisjovrnal.blogspot.com(172.217.175.225) - mailcious www.blogger.com(172.217.27.73) 142.250.204.35 172.217.163.228 172.217.31.225 172.217.174.201 172.217.161.163 172.217.161.169 142.250.199.77 142.250.66.65
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.6 | | | ZeroCERT
9502 | 2021-06-30 14:59 | ................................. 77a7546a06aea8e26df1dc493897e63b RTF File doc AntiDebug AntiVM LokiBot Malware download Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader
2 | http://manvim.co/fd1/fre.php http://103.89.91.124/rdf/vbc.exe
3 | manvim.co(165.232.183.193) - mailcious 103.89.91.124 165.232.183.193
13 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.4 | | | ZeroCERT
9503 | 2021-06-30 15:06 | kaisjovrnal.blogspot.com.vbs dd18c535de1431b53642cd31813906a4 Malware Malicious Traffic buffers extracted WMI wscript.exe payload download Creates shortcut Creates executable files Tofsee Windows ComputerName DNS
2 | http://taesan109.myartsonline.com/about/post/info.php?w=na&ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86) - rule_id: 2410 https://www.daum.net/favicon.ico
4 | taesan109.myartsonline.com(185.176.43.98) - mailcious www.daum.net(203.133.167.81) 211.231.99.17 185.176.43.98 - mailcious
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
1 | http://taesan109.myartsonline.com/about/post/info.php
6.0 | M | | ZeroCERT
9504 | 2021-06-30 15:09 | vbc.exe b9f3efaa0601ad882c2409c0a18c5840 Raccoon Stealer Malicious Packer Malicious Library OS Processor Check PE32 PE File PDB unpack itself Windows Remote Code Execution DNS crashed
3.0 | | | ZeroCERT
9505 | 2021-06-30 18:18 | elR3UpuhG0s20yL.exe a7f717072a0d35f306a3ff529570800d RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
11.0 | M | 22 | ZeroCERT
9506 | 2021-06-30 18:18 | kl.exe 8354ceaa7ac81f8e475f3f2e8756d282 Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed
3 | http://www.weareabound.com/lvno/?-ZP=W6RpsLp8e&v6A=M0LmWm//ZArtIv130hWydy/DKY2TwS5w871tpMdqWRY525nyXqghfI683hyjUlLIGT31asR9 http://www.avolveathlete.com/lvno/?-ZP=W6RpsLp8e&v6A=t3Ce00tSwkeKYppuBLfRF1A/AfNTT8LaaJuV0vr8FAYbhOF6J1iYrA9eFtM96v5X/7tF9cCa http://www.foreverflourishingbeauty.com/lvno/?v6A=sKR8bCukz0+J3IfB4+tMzJz8DrEuTKjhsiQ44QxvTEppZkCTm29rIJc1dYWsrOvrvWz44o1y&-ZP=W6RpsLp8e
4 | www.weareabound.com(34.102.136.180) www.avolveathlete.com(34.102.136.180) www.foreverflourishingbeauty.com(34.102.136.180) 34.102.136.180 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
9.6 | | 16 | ZeroCERT
9507 | 2021-06-30 18:20 | vbc.exe 961c7c87514eedb683ab4b64d1c3ae6a RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
9.2 | M | 34 | ZeroCERT
9508 | 2021-06-30 18:23 | nn.exe 8b044cbf9b624f6e661b20909a7ae5b2 PWS .NET framework Generic Malware UPX Antivirus .NET EXE PE32 PE File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
6.2 | | 26 | ZeroCERT
9509 | 2021-06-30 18:24 | ny.exe 705ad720b2435fcdb0aaa33b5ae1210c Generic Malware Antivirus .NET EXE PE32 PE File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName Cryptographic key
5.6 | | 24 | ZeroCERT
9510 | 2021-06-30 18:26 | w.exe dbc7dec63082150e42c786fbc47dea8a PWS .NET framework Generic Malware UPX AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed
3 | http://www.szlandas.com/wlns/?SVE=GKZWCMEw3T5aOBpNO42YjE/TaP1B6pPd2pbjYzDF3p7yhpxX2M2GLn3QuEoCBwC+72ICaQ2c&oX=Txo8n04xDBsp http://www.guniverse.net/wlns/?SVE=obmV34E+VnU01louI7hyDBOk8azyZSyy8u3EY5X02UVoxZoekQW179fH12awdQjVw+iljCJU&oX=Txo8n04xDBsp http://www.theircouture.com/wlns/?SVE=vbQ70DSOjBu6wXqoiLl8xulYFqbBUo6FNBZyPPsJA5VA6onbJOTBpmYGjXjMfEPpp2tfldem&oX=Txo8n04xDBsp
6 | www.szlandas.com(160.124.142.64) www.theircouture.com(192.187.111.220) www.guniverse.net(213.186.33.5) 81.17.18.195 - suspicious 213.186.33.5 - mailcious 160.124.142.64
1 | ET MALWARE FormBook CnC Checkin (GET)
8.0 | M | 18 | ZeroCERT