9631 | 2021-07-03 08:59 | eh.txt 8bc1da669ee262bf1e25dee032525abd | Antivirus ScreenShot AntiDebug AntiVM Check memory unpack itself |
|
|
|
|
1.0 | M | | ZeroCERT

9632 | 2021-07-03 09:09 | eh.txt 8bc1da669ee262bf1e25dee032525abd | Antivirus DNS crashed |
|
10 | aus.thunderbird.net(99.86.202.75) aus5.mozilla.org(35.244.181.201) d2js2viceajwla.cloudfront.net(99.86.202.75) prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201) 99.86.144.61 99.86.202.125 99.86.144.100 35.244.181.201 99.86.144.82 99.86.144.46 |
|
|
0.8 | M | | ZeroCERT

9633 | 2021-07-03 09:13 | eh.txt 8bc1da669ee262bf1e25dee032525abd | NPKI Antivirus Malware Malicious Traffic DNS |
3 | http://ripzi.getenjoyment.net/le/post.php http://ripzi.getenjoyment.net/le/eh.down http://ripzi.getenjoyment.net/le/del.php?filename=eh |
13 | aus.thunderbird.net(99.86.202.75) ripzi.getenjoyment.net(185.176.43.98) - mailcious d2js2viceajwla.cloudfront.net(99.86.202.125) aus5.mozilla.org(35.244.181.201) prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201) 99.86.144.61 99.86.202.125 99.86.144.100 99.86.202.23 185.176.43.98 - mailcious 35.244.181.201 99.86.144.82 99.86.144.46 |
|
|
2.8 | M | | ZeroCERT

9634 | 2021-07-03 09:20 | file.exe 5a3bc03f57ab36fb016ab8c6c8d248f2 | PE File OS Processor Check PE32 PDB unpack itself Remote Code Execution DNS |
|
10 | aus.thunderbird.net(99.86.202.125) aus5.mozilla.org(35.244.181.201) d2js2viceajwla.cloudfront.net(99.86.202.125) prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201) 99.86.144.61 99.86.202.125 99.86.144.100 35.244.181.201 99.86.144.82 99.86.144.46 |
|
|
2.2 | M | | ZeroCERT

9635 | 2021-07-03 09:21 | lv.exe 376e493eb862c62bcf5cfe24a281c92e | Gen1 Gen2 UPX Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 DLL VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows |
|
1 | RxPnPvfmFUtTEvFmmUtNlebCY.RxPnPvfmFUtTEvFmmUtNlebCY() |
|
|
7.2 | M | 48 | ZeroCERT

9636 | 2021-07-03 09:23 | lv.exe 35b76b8187301dece290bd83c7a3a5e3 | Gen1 Gen2 UPX Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 DLL VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS |
|
11 | aus.thunderbird.net(99.86.202.125) aus5.mozilla.org(35.244.181.201) d2js2viceajwla.cloudfront.net(99.86.202.75) WYEnXVSECgshKtHcubAXXu.WYEnXVSECgshKtHcubAXXu() prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201) 99.86.144.61 99.86.144.100 35.244.181.201 99.86.202.75 99.86.144.82 99.86.144.46 |
|
|
7.6 | | 34 | ZeroCERT

9637 | 2021-07-03 09:25 | file10.exe d83c2c4caf2fa8d32233d0cbc4322782 | RAT PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee DNS crashed |
5 | https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C01EC4A57619A16E6AEAA0F47B55BDA9.html - rule_id: 2406 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4BE99CBE54A285D972B1192483666889.html - rule_id: 2406 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B70EB8889C1E5B3277197714B6942614.html - rule_id: 2406 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-885F730E823499F80A764E9EC20A7875.html - rule_id: 2406 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C4A8B2A795B9148BEAA8D315AA468649.html - rule_id: 2406 |
12 | aus.thunderbird.net(99.86.202.75) kakosidobrosam.gq(172.67.180.37) - mailcious d2js2viceajwla.cloudfront.net(99.86.202.23) aus5.mozilla.org(35.244.181.201) prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201) 99.86.144.61 104.21.67.197 99.86.202.125 99.86.144.100 35.244.181.201 99.86.144.82 99.86.144.46 |
3 | ET INFO DNS Query for Suspicious .gq Domain ET INFO Suspicious Domain (*.gq) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
5 | https://kakosidobrosam.gq/liverpool-fc-news/ https://kakosidobrosam.gq/liverpool-fc-news/ https://kakosidobrosam.gq/liverpool-fc-news/ https://kakosidobrosam.gq/liverpool-fc-news/ https://kakosidobrosam.gq/liverpool-fc-news/ |
4.4 | M | 26 | ZeroCERT

9638 | 2021-07-03 09:34 | YPlX4My0iUBh3V.php 1fa2d8db24799c93d9b6aa37e05f5525 | Emotet UPX PE File OS Processor Check PE32 VirusTotal Malware Malicious Traffic DNS |
1 | http://23.227.203.229/pixel |
1 |
|
|
3.2 | | 41 | ZeroCERT

9639 | 2021-07-03 09:34 | payload.exe 428687522dd0cd2318e36b46396af8a1 | PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 Malware download NetWireRC VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself BitRAT Windows ComputerName DNS Cryptographic key DDNS crashed keylogger |
|
2 | faithheals.duckdns.org(45.133.1.212) 45.133.1.212 |
3 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) ET MALWARE Observed Malicious SSL Cert (BitRAT CnC) |
|
11.6 | | 34 | ZeroCERT

9640 | 2021-07-03 09:36 | oggga.exe 46ad2980c5c0a22c927e227242d56dbf | PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1 |
|
|
8.0 | | 22 | ZeroCERT

9641 | 2021-07-03 09:37 | ashleybuildx.exe b018f2519897f7994bd5354e19af33a3 | PWS Loki[b] Loki[m] RAT UPX Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
3 | http://63.141.228.141/32.php/YjfkU88ZV6lc0 - rule_id: 1900 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6BC591F9F89EB77D1DAFF4C00F04173A.html - rule_id: 2406 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-919B462C75623F1A7B32AE9C59E21906.html - rule_id: 2406 |
3 | kakosidobrosam.gq(104.21.67.197) - mailcious 63.141.228.141 - mailcious 104.21.67.197 |
9 | ET INFO DNS Query for Suspicious .gq Domain ET INFO Suspicious Domain (*.gq) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 |
3 | http://63.141.228.141/32.php https://kakosidobrosam.gq/liverpool-fc-news/ https://kakosidobrosam.gq/liverpool-fc-news/ |
17.0 | M | 15 | ZeroCERT

9642 | 2021-07-03 09:39 | DiIGFbP6W.php ac34aeef6269a81bbf30358a50b4d8ea | PE File DLL PE32 VirusTotal Malware |
|
|
|
|
1.0 | | 16 | ZeroCERT

9643 | 2021-07-03 09:42 | document.exe 311ca6d33f3d0826e8c36830e873f22e | PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.6 | M | 26 | ZeroCERT

9644 | 2021-07-03 09:44 | wrc2.exe bcde62a5f00acfb323a4b08e7b1ac178 | PWS .NET framework RAT Generic Malware Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.2 | M | 42 | ZeroCERT

9645 | 2021-07-03 09:44 | okman.exe 9be97fca4c22d1911bef95e5a9cbf158 | PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
10.8 | M | 17 | ZeroCERT