ID | Date | File | MD5

9511 | 2021-06-30 18:27 | sza.scr | 1c1b93412ab9925460ee78ebf5c76a15
Tags: Gen1, Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, DLL, OS Processor Check, JPEG Format, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, WriteConsoleW, anti-virtualization, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, DNS, crashed, Password
URLs (9): http://195.133.40.227/az//4.jpg; http://195.133.40.227/az//6.jpg; http://195.133.40.227/az//2.jpg; http://195.133.40.227/az//main.php; http://195.133.40.227/az//5.jpg; http://195.133.40.227/az//7.jpg; http://195.133.40.227/az//1.jpg; http://195.133.40.227/az//3.jpg; http://195.133.40.227/az/
Hosts (1): (list missing from the page)
Suricata alerts (5): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score 17.4 | M | 19 | ZeroCERT

9512 | 2021-06-30 18:28 | sm.exe | 93ba3f6589d1765284d285257ef2b3b7
Tags: Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, Windows, DNS, crashed
URLs (2): http://www.ninkatsu-stepbystep.com/csls/?uZxT=XPjTRh4P&2dcTO=ElCUMwgfBgXOjBuGE/teBUnaUqYehI6Y2gk1NYE7zTjPFaA4+euTdzDuANJ9U4ovFV76Tfg8; http://www.inspiredpractice.net/csls/?uZxT=XPjTRh4P&2dcTO=AA0fyBWbZnHHrKdAI0jA8QbX+M95wQKAQ1+Q+mJpiVVvwFVAUEAf7+rrMKZePAKl9+bar05A
Hosts (5): www.inspiredpractice.net(182.50.132.242); www.ninkatsu-stepbystep.com(202.210.8.148); www.hack-cloud.icu(); 202.210.8.148; 182.50.132.242 - malicious
Suricata alerts (2): ET INFO DNS Query for Suspicious .icu Domain; ET MALWARE FormBook CnC Checkin (GET)
Score 10.8 | M | 18 | ZeroCERT

9513 | 2021-06-30 18:28 | zk.exe | 97a3aa2b0a6e0a26fca4db32eaaec5ef
Tags: PWS .NET framework, Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, DNS, crashed
URLs (2): http://www.doshjpft.icu/lvno/?CR=xcRNZPxNHyHareFnl3uARUXWRuKrrRVMn2tb6jYVj31HQksvWGQZJa1xkqXuEYsGywL+tDz0&RZ3=dhrxPpcXOFuDHpA; http://www.newyearin.com/lvno/?CR=zujNaLwadosC862oYrhQ9YkLT50Mhjh6zIUWZbXMql8MJxUX27nri42Hi8CZRWCsLhUQqglv&RZ3=dhrxPpcXOFuDHpA
Hosts (5): www.businessearlywarningsystems.com(); www.doshjpft.icu(47.57.3.252); www.newyearin.com(108.177.163.198); 47.57.3.252; 108.177.163.198
Suricata alerts (2): ET INFO DNS Query for Suspicious .icu Domain; ET MALWARE FormBook CnC Checkin (GET)
Score 8.4 | M | 31 | ZeroCERT

9514 | 2021-06-30 18:31 | vin.exe | 4c273ea74257fef4e25796421320b5fd
Tags: Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, Windows, DNS, crashed
URLs (3): http://www.toughcookie.love/vn3b/?u6u0=hBZ87r4HS6D&LZQL=9BMdMx2jD9TLJewezHgjwBnSXRzCaJZ4dU0aDHkAou+6sTUeGhJPvuU1YrnoJYZaI2bj7L7d; http://www.marvinlucassuperpac.com/vn3b/?u6u0=hBZ87r4HS6D&LZQL=Q1VJuWd39DPAgscqM6Elj9PGWuHe2EkCiMDZRkj4lg6eUq4bMPZ2btcIL+vfRg1ArZ2wrs8q; http://www.theexpertinsuranceagency.com/vn3b/?LZQL=VtbJmj+MIjfmoC3A9zODeVnbxq5aGUN6TH6Avp691dvIuKphHjAieugYigDV10RxqdWW/xpp&u6u0=hBZ87r4HS6D
Hosts (6): www.toughcookie.love(145.239.37.162); www.theexpertinsuranceagency.com(34.102.136.180); www.marvinlucassuperpac.com(50.31.98.39); 50.31.98.39; 34.102.136.180 - malicious; 145.239.37.162 - malicious
Suricata alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Score 9.8 | M | 17 | ZeroCERT

9515 | 2021-06-30 18:31 | v.exe | fb7152e24744c5dcde84318931ca8946
Tags: PWS .NET framework, Generic Malware, UPX, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, crashed
URLs (3): http://www.lifeafterbobby.com/vn3b/?a6A=ukz3ZcSyHr/GIf2N108Ax5ccAg3Q9VRV0tpzhLkblml9ey4voFbA7o6uSo3NbjIhjtnPLi9d&D8S=_FND6l; http://www.trust-red.net/vn3b/?a6A=7v3Rtst9q+y60iNonvc1rMV0zdwSKue1HEt/9m2h8VeztM3zw9MVZAdCdDzUvrLHeQyE64Dr&D8S=_FND6l; http://www.wygouji.com/vn3b/?a6A=DLf0HnWZCZ1ZQBgw+IkRC778n0lxE+hQtcSQcM/mZD+sLSLyVLz3ydLY2cpsP2/jYu9qgGHQ&D8S=_FND6l
Hosts (6): www.lifeafterbobby.com(156.240.33.142); www.trust-red.net(185.98.131.227); www.wygouji.com(142.111.242.143); 156.240.33.142; 185.98.131.227; 142.111.242.143
Suricata alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Score 8.2 | M | 22 | ZeroCERT

9516 | 2021-06-30 18:33 | ou.exe | 8d1a835aec4a08b9f3bd3be40c3de3e4
Tags: Gen1, Generic Malware, AntiDebug, AntiVM, .NET EXE, PE32, PE File, DLL, OS Processor Check, JPEG Format, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, WriteConsoleW, anti-virtualization, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, DNS, crashed, Password
URLs (11): http://195.133.40.227/az//4.jpg; http://195.133.40.227/az//6.jpg; http://195.133.40.227/az//2.jpg; http://195.133.40.227/az//main.php - rule_id: 2421; http://195.133.40.227/az//main.php; http://195.133.40.227/az//5.jpg; http://195.133.40.227/az//7.jpg; http://195.133.40.227/az//1.jpg; http://195.133.40.227/az//3.jpg; http://195.133.40.227/az/ - rule_id: 2420; http://195.133.40.227/az/
Hosts (2): 50.31.98.39; 195.133.40.227
Suricata alerts (5): ET POLICY Data POST to an image file (jpg); ET HUNTING Suspicious EXE Download Content-Type image/jpeg; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
URL rule hits (2): http://195.133.40.227/az//main.php; http://195.133.40.227/az/
Score 17.6 | M | 21 | ZeroCERT

9517 | 2021-07-01 06:41 | ab.exe | d6f3ec9f9650c5a9f881e76c16115315
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs / Hosts / Suricata alerts: none recorded
Score 13.0 | | 23 | ZeroCERT

9518 | 2021-07-01 06:41 | nd.exe | 8ebc020b149eb9d1b9334e5738e162ed
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
URLs / Hosts / Suricata alerts: none recorded
Score 12.6 | M | 33 | ZeroCERT

9519 | 2021-07-01 06:43 | bd.exe | b06e8bd5506008defc38137bd8c3bac5
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs / Hosts / Suricata alerts: none recorded
Score 11.8 | M | 18 | ZeroCERT

9520 | 2021-07-01 06:44 | c.wbk | 0a3c83c66f87b9bcd8472d49ffd75c3a
Tags: RTF File, doc, AntiDebug, AntiVM, LokiBot, Malware download, VirusTotal, Malware, c&c, MachineGuid, Malicious Traffic, Check memory, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
URLs (2): http://103.89.89.17/llb/vbc.exe; http://manvim.co/fd5/fre.php
Hosts (3): manvim.co(165.227.225.62) - malicious; 165.227.225.62; 103.89.89.17 - malware
Suricata alerts (13): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET INFO Executable Download from dotted-quad Host; ET MALWARE LokiBot Checkin; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score 5.2 | M | 29 | ZeroCERT

9521 | 2021-07-01 06:46 | mn.exe | 8164a1349e8383533cf3558270c76a02
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs / Hosts / Suricata alerts: none recorded
Score 10.0 | M | 25 | ZeroCERT

9522 | 2021-07-01 06:48 | mb.exe | d93f569ff54a1dd918388389b5007099
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs / Hosts / Suricata alerts: none recorded
Score 11.2 | M | | ZeroCERT

9523 | 2021-07-01 06:51 | ................................. | 526215ad42e660832313d9f2d354b507
Tags: RTF File, doc, AntiDebug, AntiVM, FormBook, Malware download, VirusTotal, Malware, MachineGuid, Malicious Traffic, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
URLs (3): http://198.12.107.38/tcp/vbc.exe; http://www.pandemiccraftee.com/usur/?9rjLtF=2h0bYSOLWKJZVFqi4XM1zBZtpybL/Vkf3dH4AB0YLLHCu3yNIwyy+69rYUnST0Hda20Oy8/F&oZ9D=p2Jp60_HftETTVb0; http://www.pandemiccraftee.com/usur/
Hosts (5): www.costadelmarmexicangrill.com(208.93.159.61); www.pandemiccraftee.com(34.102.136.180); 208.93.159.61; 34.102.136.180 - malicious; 198.12.107.38 - malware
Suricata alerts (7): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE FormBook CnC Checkin (GET); ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score 6.0 | M | 25 | ZeroCERT

9524 | 2021-07-01 06:53 | bm.exe | ebdb74e01f6747c5e3e215a404e70fb6
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs / Hosts / Suricata alerts: none recorded
Score 9.8 | M | 19 | ZeroCERT

9525 | 2021-07-01 06:55 | ob.exe | 9d70ca0ef03453c63283af5f52e1a2f5
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs / Hosts / Suricata alerts: none recorded
Score 11.8 | M | 18 | ZeroCERT
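The rows above repeat the same three cell shapes: a host list with the resolved address in parentheses and the sandbox's "malicious" / "malware" annotation, a URL list that sometimes carries a "rule_id" annotation, and a tag cloud that names the family. Below is an added example (my code, not the sandbox's or ZeroCERT's) that parses those cells into a de-duplicated IOC set keyed by the row ids that carried each indicator, and flags FormBook check-in URLs with a heuristic of my own, derived from the URL shape seen on this page rather than from the Emerging Threats rule. The cell layouts it assumes are the ones rendered above; the sample cells embedded in ROWS are copied from rows 9512, 9516 and 9520 (tag clouds trimmed).

```python
"""Parse sandbox listing cells into structured IOCs.

Added example; not code from the sandbox or from ZeroCERT.
Assumed cell layouts (as rendered in the listing):
  hosts: "name(ip) name() 1.2.3.4 1.2.3.4 - malicious"    (empty "()" = name did not resolve)
  urls:  "http://a/ http://b/ - rule_id: 2421 http://a/"  (optional rule annotation after a URL)
  tags:  space-separated signature names containing the family name
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9][A-Za-z0-9.\-]*)"      # domain name or bare IPv4
    r"(?:\((?P<ip>[0-9.]*)\))?"                   # optional "(resolved ip)", may be empty
    r"(?:\s+-\s+(?P<label>[A-Za-z]+)(?=\s|$))?"   # optional " - malicious" / " - malware"
)
URL_RE = re.compile(
    r"(?P<url>https?://\S+)"                      # the URL itself (no whitespace inside)
    r"(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?"       # optional "- rule_id: NNNN" following it
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FAMILY_TAGS = ("FormBook", "Vidar", "OskiStealer", "LokiBot")  # family tags present in the listing


@dataclass(frozen=True)
class Host:
    name: str
    ip: Optional[str]      # None when the listing shows "()" and the name is not itself an IP
    label: Optional[str]   # the listing's "- malicious" / "- malware" annotation, if any


def parse_hosts(cell: str) -> List[Host]:
    """Split a hosts cell into (name, resolved ip, annotation) records."""
    hosts = []
    for m in HOST_RE.finditer(cell):
        name, ip = m.group("name"), m.group("ip") or None
        if IPV4_RE.match(name):            # a bare address is its own IP
            ip = ip or name
        hosts.append(Host(name, ip, m.group("label")))
    return hosts


def parse_urls(cell: str) -> List[Tuple[str, Optional[int]]]:
    """Split a URLs cell into (url, rule_id) pairs; rule_id is None unless annotated."""
    return [(m.group("url"), int(m.group("rule")) if m.group("rule") else None)
            for m in URL_RE.finditer(cell)]


def families(tags: str) -> Set[str]:
    """Family names in the tag cell; a row may carry several (9516 has Vidar and OskiStealer)."""
    return {f for f in FAMILY_TAGS if f in tags}


def looks_like_formbook_checkin(url: str) -> bool:
    """Heuristic of my own, not the ET rule: one four-character directory, a query with exactly
    two parameters, one short token and one long base64-like blob. Every URL in the listing
    that fired 'ET MALWARE FormBook CnC Checkin (GET)' has this shape."""
    parts = urlsplit(url)
    if not re.fullmatch(r"/[A-Za-z0-9]{4}/", parts.path):
        return False
    values = [v[0] for v in parse_qs(parts.query).values()]
    if len(values) != 2:
        return False
    short, long_ = sorted(values, key=len)
    return len(short) <= 16 and len(long_) >= 40


def extract_iocs(rows: List[Dict[str, object]]) -> Dict[str, object]:
    """Collapse rows into de-duplicated indicators, each mapped to the row ids that carried it."""
    out = {"domains": {}, "ips": {}, "urls": {}, "formbook_checkins": set()}
    for row in rows:
        fam = families(row["tags"])
        for h in parse_hosts(row["hosts"]):
            bucket = out["ips"] if IPV4_RE.match(h.name) else out["domains"]
            bucket.setdefault(h.name, set()).add(row["id"])
            if h.ip:
                out["ips"].setdefault(h.ip, set()).add(row["id"])
        for url, _rule in parse_urls(row["urls"]):
            out["urls"].setdefault(url, set()).add(row["id"])
            if "FormBook" in fam and looks_like_formbook_checkin(url):
                out["formbook_checkins"].add(url)
    return out


# Sample cells copied from listing rows 9512, 9516 and 9520 (tag clouds trimmed).
ROWS = [
    {"id": 9512, "tags": "Generic Malware .NET EXE PE32 PE File FormBook Malware download",
     "urls": "http://www.ninkatsu-stepbystep.com/csls/?uZxT=XPjTRh4P&2dcTO=ElCUMwgfBgXOjBuGE/teBUnaUqYehI6Y2gk1NYE7zTjPFaA4+euTdzDuANJ9U4ovFV76Tfg8 "
             "http://www.inspiredpractice.net/csls/?uZxT=XPjTRh4P&2dcTO=AA0fyBWbZnHHrKdAI0jA8QbX+M95wQKAQ1+Q+mJpiVVvwFVAUEAf7+rrMKZePAKl9+bar05A",
     "hosts": "www.inspiredpractice.net(182.50.132.242) www.ninkatsu-stepbystep.com(202.210.8.148) "
              "www.hack-cloud.icu() 202.210.8.148 182.50.132.242 - malicious"},
    {"id": 9516, "tags": "Gen1 Generic Malware Browser Info Stealer Malware download Vidar OskiStealer Stealer",
     "urls": "http://195.133.40.227/az//4.jpg http://195.133.40.227/az//6.jpg http://195.133.40.227/az//2.jpg "
             "http://195.133.40.227/az//main.php - rule_id: 2421 http://195.133.40.227/az//main.php "
             "http://195.133.40.227/az//5.jpg http://195.133.40.227/az//7.jpg http://195.133.40.227/az//1.jpg "
             "http://195.133.40.227/az//3.jpg http://195.133.40.227/az/ - rule_id: 2420 http://195.133.40.227/az/",
     "hosts": "50.31.98.39 195.133.40.227"},
    {"id": 9520, "tags": "RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c",
     "urls": "http://103.89.89.17/llb/vbc.exe http://manvim.co/fd5/fre.php",
     "hosts": "manvim.co(165.227.225.62) - malicious 165.227.225.62 103.89.89.17 - malware"},
]

if __name__ == "__main__":
    iocs = extract_iocs(ROWS)
    for kind in ("domains", "ips"):
        for indicator, row_ids in sorted(iocs[kind].items()):
            print(f"{kind:8}{indicator:36}rows={sorted(row_ids)}")
    for url in sorted(iocs["formbook_checkins"]):
        print("formbook-checkin", url)
```

Keep the row-id provenance when you turn this into a blocklist: an address can recur across unrelated samples (50.31.98.39 is listed under both the FormBook row 9514 and the Vidar/Oski row 9516), which is the kind of shared infrastructure to confirm before blocking a bare IP rather than a full URL. The FormBook heuristic is deliberately narrow (four-character directory, two parameters, one short and one long value) so it does not also match the Vidar `/az/` paths or the LokiBot `fre.php` endpoint on the same page.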