| 9511 |
2021-06-30 18:27
|
 sza.scr 1c1b93412ab9925460ee78ebf5c76a15
Gen1 Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
9
http://195.133.40.227/az//4.jpg
http://195.133.40.227/az//6.jpg
http://195.133.40.227/az//2.jpg
http://195.133.40.227/az//main.php
http://195.133.40.227/az//5.jpg
http://195.133.40.227/az//7.jpg
http://195.133.40.227/az//1.jpg
http://195.133.40.227/az//3.jpg
http://195.133.40.227/az/
|
1
|
5
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
17.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9512 |
2021-06-30 18:28
|
 sm.exe 93ba3f6589d1765284d285257ef2b3b7
Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows DNS crashed |
2
http://www.ninkatsu-stepbystep.com/csls/?uZxT=XPjTRh4P&2dcTO=ElCUMwgfBgXOjBuGE/teBUnaUqYehI6Y2gk1NYE7zTjPFaA4+euTdzDuANJ9U4ovFV76Tfg8
http://www.inspiredpractice.net/csls/?uZxT=XPjTRh4P&2dcTO=AA0fyBWbZnHHrKdAI0jA8QbX+M95wQKAQ1+Q+mJpiVVvwFVAUEAf7+rrMKZePAKl9+bar05A
|
5
www.inspiredpractice.net(182.50.132.242)
www.ninkatsu-stepbystep.com(202.210.8.148)
www.hack-cloud.icu()
202.210.8.148
182.50.132.242 - mailcious
|
2
ET INFO DNS Query for Suspicious .icu Domain
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9513 |
2021-06-30 18:28
|
 zk.exe 97a3aa2b0a6e0a26fca4db32eaaec5ef
PWS .NET framework Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
2
http://www.doshjpft.icu/lvno/?CR=xcRNZPxNHyHareFnl3uARUXWRuKrrRVMn2tb6jYVj31HQksvWGQZJa1xkqXuEYsGywL+tDz0&RZ3=dhrxPpcXOFuDHpA
http://www.newyearin.com/lvno/?CR=zujNaLwadosC862oYrhQ9YkLT50Mhjh6zIUWZbXMql8MJxUX27nri42Hi8CZRWCsLhUQqglv&RZ3=dhrxPpcXOFuDHpA
|
5
www.businessearlywarningsystems.com()
www.doshjpft.icu(47.57.3.252)
www.newyearin.com(108.177.163.198)
47.57.3.252
108.177.163.198
|
2
ET INFO DNS Query for Suspicious .icu Domain
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9514 |
2021-06-30 18:31
|
 vin.exe 4c273ea74257fef4e25796421320b5fd
Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows DNS crashed |
3
http://www.toughcookie.love/vn3b/?u6u0=hBZ87r4HS6D&LZQL=9BMdMx2jD9TLJewezHgjwBnSXRzCaJZ4dU0aDHkAou+6sTUeGhJPvuU1YrnoJYZaI2bj7L7d
http://www.marvinlucassuperpac.com/vn3b/?u6u0=hBZ87r4HS6D&LZQL=Q1VJuWd39DPAgscqM6Elj9PGWuHe2EkCiMDZRkj4lg6eUq4bMPZ2btcIL+vfRg1ArZ2wrs8q
http://www.theexpertinsuranceagency.com/vn3b/?LZQL=VtbJmj+MIjfmoC3A9zODeVnbxq5aGUN6TH6Avp691dvIuKphHjAieugYigDV10RxqdWW/xpp&u6u0=hBZ87r4HS6D
|
6
www.toughcookie.love(145.239.37.162)
www.theexpertinsuranceagency.com(34.102.136.180)
www.marvinlucassuperpac.com(50.31.98.39)
50.31.98.39
34.102.136.180 - mailcious
145.239.37.162 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9515 |
2021-06-30 18:31
|
 v.exe fb7152e24744c5dcde84318931ca8946
PWS .NET framework Generic Malware UPX AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed |
3
http://www.lifeafterbobby.com/vn3b/?a6A=ukz3ZcSyHr/GIf2N108Ax5ccAg3Q9VRV0tpzhLkblml9ey4voFbA7o6uSo3NbjIhjtnPLi9d&D8S=_FND6l
http://www.trust-red.net/vn3b/?a6A=7v3Rtst9q+y60iNonvc1rMV0zdwSKue1HEt/9m2h8VeztM3zw9MVZAdCdDzUvrLHeQyE64Dr&D8S=_FND6l
http://www.wygouji.com/vn3b/?a6A=DLf0HnWZCZ1ZQBgw+IkRC778n0lxE+hQtcSQcM/mZD+sLSLyVLz3ydLY2cpsP2/jYu9qgGHQ&D8S=_FND6l
|
6
www.lifeafterbobby.com(156.240.33.142)
www.trust-red.net(185.98.131.227)
www.wygouji.com(142.111.242.143)
156.240.33.142
185.98.131.227
142.111.242.143
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9516 |
2021-06-30 18:33
|
 ou.exe 8d1a835aec4a08b9f3bd3be40c3de3e4
Gen1 Generic Malware AntiDebug AntiVM .NET EXE PE32 PE File DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
11
http://195.133.40.227/az//4.jpg
http://195.133.40.227/az//6.jpg
http://195.133.40.227/az//2.jpg
http://195.133.40.227/az//main.php - rule_id: 2421
http://195.133.40.227/az//main.php
http://195.133.40.227/az//5.jpg
http://195.133.40.227/az//7.jpg
http://195.133.40.227/az//1.jpg
http://195.133.40.227/az//3.jpg
http://195.133.40.227/az/ - rule_id: 2420
http://195.133.40.227/az/
|
2
50.31.98.39
195.133.40.227
|
5
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
2
http://195.133.40.227/az//main.php
http://195.133.40.227/az/
|
17.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9517 |
2021-07-01 06:41
|
 ab.exe d6f3ec9f9650c5a9f881e76c16115315
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
13.0 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9518 |
2021-07-01 06:41
|
 nd.exe 8ebc020b149eb9d1b9334e5738e162ed
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
12.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9519 |
2021-07-01 06:43
|
 bd.exe b06e8bd5506008defc38137bd8c3bac5
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9520 |
2021-07-01 06:44
|
 c.wbk 0a3c83c66f87b9bcd8472d49ffd75c3a
RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://103.89.89.17/llb/vbc.exe
http://manvim.co/fd5/fre.php
|
3
manvim.co(165.227.225.62) - mailcious
165.227.225.62
103.89.89.17 - malware
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET INFO Executable Download from dotted-quad Host
ET MALWARE LokiBot Checkin
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9521 |
2021-07-01 06:46
|
 mn.exe 8164a1349e8383533cf3558270c76a02
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
10.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9522 |
2021-07-01 06:48
|
 mb.exe d93f569ff54a1dd918388389b5007099
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9523 |
2021-07-01 06:51
|
 ................................. 526215ad42e660832313d9f2d354b507
RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
3
http://198.12.107.38/tcp/vbc.exe
http://www.pandemiccraftee.com/usur/?9rjLtF=2h0bYSOLWKJZVFqi4XM1zBZtpybL/Vkf3dH4AB0YLLHCu3yNIwyy+69rYUnST0Hda20Oy8/F&oZ9D=p2Jp60_HftETTVb0
http://www.pandemiccraftee.com/usur/
|
5
www.costadelmarmexicangrill.com(208.93.159.61)
www.pandemiccraftee.com(34.102.136.180)
208.93.159.61
34.102.136.180 - mailcious
198.12.107.38 - malware
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE FormBook CnC Checkin (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9524 |
2021-07-01 06:53
|
 bm.exe ebdb74e01f6747c5e3e215a404e70fb6
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
9.8 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9525 |
2021-07-01 06:55
|
 ob.exe 9d70ca0ef03453c63283af5f52e1a2f5
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|