| 9631 |
2021-07-03 08:59
|
 eh.txt 8bc1da669ee262bf1e25dee032525abd
Antivirus ScreenShot AntiDebug AntiVM Check memory unpack itself |
|
|
|
|
1.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9632 |
2021-07-03 09:09
|
 eh.txt 8bc1da669ee262bf1e25dee032525abd
Antivirus DNS crashed |
|
10
aus.thunderbird.net(99.86.202.75)
aus5.mozilla.org(35.244.181.201)
d2js2viceajwla.cloudfront.net(99.86.202.75)
prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
99.86.144.61
99.86.202.125
99.86.144.100
35.244.181.201
99.86.144.82
99.86.144.46
|
|
|
0.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9633 |
2021-07-03 09:13
|
 eh.txt 8bc1da669ee262bf1e25dee032525abd
NPKI Antivirus Malware Malicious Traffic DNS |
3
http://ripzi.getenjoyment.net/le/post.php
http://ripzi.getenjoyment.net/le/eh.down
http://ripzi.getenjoyment.net/le/del.php?filename=eh
|
13
aus.thunderbird.net(99.86.202.75)
ripzi.getenjoyment.net(185.176.43.98) - mailcious
d2js2viceajwla.cloudfront.net(99.86.202.125)
aus5.mozilla.org(35.244.181.201)
prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
99.86.144.61
99.86.202.125
99.86.144.100
99.86.202.23
185.176.43.98 - mailcious
35.244.181.201
99.86.144.82
99.86.144.46
|
|
|
2.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9634 |
2021-07-03 09:20
|
 file.exe 5a3bc03f57ab36fb016ab8c6c8d248f2
PE File OS Processor Check PE32 PDB unpack itself Remote Code Execution DNS |
|
10
aus.thunderbird.net(99.86.202.125)
aus5.mozilla.org(35.244.181.201)
d2js2viceajwla.cloudfront.net(99.86.202.125)
prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
99.86.144.61
99.86.202.125
99.86.144.100
35.244.181.201
99.86.144.82
99.86.144.46
|
|
|
2.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9635 |
2021-07-03 09:21
|
 lv.exe 376e493eb862c62bcf5cfe24a281c92e
Gen1 Gen2 UPX Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 DLL VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows |
|
1
RxPnPvfmFUtTEvFmmUtNlebCY.RxPnPvfmFUtTEvFmmUtNlebCY()
|
|
|
7.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9636 |
2021-07-03 09:23
|
 lv.exe 35b76b8187301dece290bd83c7a3a5e3
Gen1 Gen2 UPX Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 DLL VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS |
|
11
aus.thunderbird.net(99.86.202.125)
aus5.mozilla.org(35.244.181.201)
d2js2viceajwla.cloudfront.net(99.86.202.75)
WYEnXVSECgshKtHcubAXXu.WYEnXVSECgshKtHcubAXXu()
prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
99.86.144.61
99.86.144.100
35.244.181.201
99.86.202.75
99.86.144.82
99.86.144.46
|
|
|
7.6 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9637 |
2021-07-03 09:25
|
 file10.exe d83c2c4caf2fa8d32233d0cbc4322782
RAT PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee DNS crashed |
5
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C01EC4A57619A16E6AEAA0F47B55BDA9.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4BE99CBE54A285D972B1192483666889.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B70EB8889C1E5B3277197714B6942614.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-885F730E823499F80A764E9EC20A7875.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C4A8B2A795B9148BEAA8D315AA468649.html - rule_id: 2406
|
12
aus.thunderbird.net(99.86.202.75)
kakosidobrosam.gq(172.67.180.37) - mailcious
d2js2viceajwla.cloudfront.net(99.86.202.23)
aus5.mozilla.org(35.244.181.201)
prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
99.86.144.61
104.21.67.197
99.86.202.125
99.86.144.100
35.244.181.201
99.86.144.82
99.86.144.46
|
3
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
5
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
|
4.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9638 |
2021-07-03 09:34
|
 YPlX4My0iUBh3V.php 1fa2d8db24799c93d9b6aa37e05f5525
Emotet UPX PE File OS Processor Check PE32 VirusTotal Malware Malicious Traffic DNS |
1
http://23.227.203.229/pixel
|
1
|
|
|
3.2 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9639 |
2021-07-03 09:34
|
 payload.exe 428687522dd0cd2318e36b46396af8a1
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 Malware download NetWireRC VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself BitRAT Windows ComputerName DNS Cryptographic key DDNS crashed keylogger |
|
2
faithheals.duckdns.org(45.133.1.212)
45.133.1.212
|
3
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)
ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
|
|
11.6 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9640 |
2021-07-03 09:36
|
 oggga.exe 46ad2980c5c0a22c927e227242d56dbf
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
8.0 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9641 |
2021-07-03 09:37
|
 ashleybuildx.exe b018f2519897f7994bd5354e19af33a3
PWS Loki[b] Loki[m] RAT UPX Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
3
http://63.141.228.141/32.php/YjfkU88ZV6lc0 - rule_id: 1900
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6BC591F9F89EB77D1DAFF4C00F04173A.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-919B462C75623F1A7B32AE9C59E21906.html - rule_id: 2406
|
3
kakosidobrosam.gq(104.21.67.197) - mailcious
63.141.228.141 - mailcious
104.21.67.197
|
9
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
3
http://63.141.228.141/32.php
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
|
17.0 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9642 |
2021-07-03 09:39
|
 DiIGFbP6W.php ac34aeef6269a81bbf30358a50b4d8ea
PE File DLL PE32 VirusTotal Malware |
|
|
|
|
1.0 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9643 |
2021-07-03 09:42
|
 document.exe 311ca6d33f3d0826e8c36830e873f22e
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.6 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9644 |
2021-07-03 09:44
|
 wrc2.exe bcde62a5f00acfb323a4b08e7b1ac178
PWS .NET framework RAT Generic Malware Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.2 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9645 |
2021-07-03 09:44
|
 okman.exe 9be97fca4c22d1911bef95e5a9cbf158
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
10.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|