9646
2021-07-03 09:44
ashleybinx.exe c7a592e62fb6a5741c38a31b2fcee21b
RAT Generic Malware UPX Antivirus AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
28
http://www.waaaghstore.com/ushb/?mHIx40=d2db7vz8b4gdNrrt4qkzq0tG6Pmid53TShP84iPEhYJEnjJIFmT0kwvEdr2qbrsXJSoEJg75&_jAPiL=UfgdTxvpJHM
http://www.shopcavo.com/ushb/
http://www.jjayphoto.com/ushb/?mHIx40=l2QH2d7PUWvRkU9SKQdvN0s95WcJxjd9CPijL6arS0ynTjqyQUYKcLuVD3sUO6nj8FIa5lUc&_jAPiL=UfgdTxvpJHM
http://www.poetasamigosypensadores.com/ushb/?mHIx40=fbMAEC5I5bGZsvMeVZfdSh5kpbdGGNxOXI23Y+fwKREdh+1jMwB4L2byPtlzBsiu6rKFsHuZ&_jAPiL=UfgdTxvpJHM
http://www.m-midas.com/ushb/?mHIx40=KETTpM1456fImzG2o/HCqgJBte/IHmJz01Qx96IPJzNgkPHHpmXueOKRfDyrAPg68mjcbOiZ&_jAPiL=UfgdTxvpJHM
http://www.poetasamigosypensadores.com/ushb/
http://www.tigersonindonesia.com/ushb/?mHIx40=LS6MOTI15xEst6X5E3hLeUbVHph5If8WCZS1PbHDLcXlz/LjLfM6q15glOfELeIimIqtDGOZ&_jAPiL=UfgdTxvpJHM
http://www.ossotasarim.com/ushb/?mHIx40=Kis9qagQgFI/pgEC90LDhBb2/hkn9V+B079wctmSP192jSk/5pov+dY2uUpHLbHPLnwA/Tk/&_jAPiL=UfgdTxvpJHM
http://www.multitraditional.com/ushb/
http://www.waaaghstore.com/ushb/
http://www.shopcavo.com/ushb/?mHIx40=QYepAKqqZzG2kR/57317p6KhzVHBF5g+kyT5gGECjnJqX6eG1WlH3e963VsDQqp1ReenidM4&_jAPiL=UfgdTxvpJHM
http://www.deliciousnukes.com/ushb/
http://www.dawnjarvisltd.com/ushb/
http://www.dawnjarvisltd.com/ushb/?mHIx40=3SmC3UZByhcbL2mGDdoUlUv2kDP+K/S2WzQTgf/dbZLTYyxdpUCpCwWiKx+wC7XxiANrTe4Z&_jAPiL=UfgdTxvpJHM
http://www.m-midas.com/ushb/
http://www.seswebsite.com/ushb/?mHIx40=TZZwrrhqgDwgA3wgZEkIn+5Y0i33oms/xFRek6mxYnSgwbHptw7FsqII1T+6/LgkP21MZkXY&_jAPiL=UfgdTxvpJHM
http://www.wxsocial.net/ushb/
http://www.tigersonindonesia.com/ushb/
http://www.seswebsite.com/ushb/
http://www.wounded-deer.com/ushb/
http://www.wounded-deer.com/ushb/?mHIx40=JW6wJS/fCyqdc2JhPnJNDDubHmZuYWrni9atbTQ1vgM5IXg85tcAFndz4NRwlP6sL42SfpTd&_jAPiL=UfgdTxvpJHM
http://www.ossotasarim.com/ushb/
http://www.wxsocial.net/ushb/?mHIx40=jD+SQ9M5OhBQJ5/3QGxgtYDN3MBJME7yhC8sQwvm8GBIEkJ4Y0691HdGHFaX56NR4IeIxVKV&_jAPiL=UfgdTxvpJHM
http://www.multitraditional.com/ushb/?mHIx40=Oc4WjS4DBu5AvhP85U59EprkqoXzMyfsJMpdZ9aVqZv/kvrlgbGtP2m1bh6Ukc03AoFAKmiH&_jAPiL=UfgdTxvpJHM
http://www.deliciousnukes.com/ushb/?mHIx40=CoY64qMwiO6SnAqEo6cwd7vVtOzq42WOKh1biPKYD71bz+rRFAinell2lJMFOMTK0ellYB+l&_jAPiL=UfgdTxvpJHM
http://www.jjayphoto.com/ushb/
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E322EE0C66235D8B40A9334F1FF263B9.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F6E7D76D7517CFB3E9EF1C0C7D4E0D6D.html - rule_id: 2406
28
www.m-midas.com(194.63.249.211)
www.wxsocial.net(184.168.131.241)
www.dawnjarvisltd.com(205.201.132.26)
www.tigersonindonesia.com(103.28.53.180)
www.waaaghstore.com(34.80.190.141)
www.poetasamigosypensadores.com(35.209.112.216)
www.jjayphoto.com(154.215.102.140)
www.templejc.space()
kakosidobrosam.gq(104.21.67.197) - malicious
www.shopcavo.com(23.227.38.74)
www.multitraditional.com(144.168.44.250)
www.wounded-deer.com(23.227.38.74)
www.seswebsite.com(107.178.171.23)
www.deliciousnukes.com(34.102.136.180)
www.ossotasarim.com(172.67.219.157)
35.209.112.216
104.21.17.25
184.168.131.241 - malicious
104.21.67.197
154.215.102.140
194.63.249.211
34.102.136.180 - malicious
103.28.53.180 - malware
107.178.171.23
34.80.190.141 - malicious
205.201.140.137
23.227.38.74 - malicious
144.168.44.250 - malicious
3
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
12.8
M
17
ZeroCERT

9647
2021-07-03 09:48
effot.exe 813d892f7d4f1ef7ae9da6a1d677887d
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
12.0
M
22
ZeroCERT

9648
2021-07-03 09:48
pal.exe 0c928623c2a0cb13d70073d17a6960bb
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
12.0
M
23
ZeroCERT

9649
2021-07-03 09:50
deck.exe 4dc9eb384017307b85f54d372bf7d0ac
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
11.4
M
43
ZeroCERT

9650
2021-07-03 09:50
booby.exe 230a844ea89950512217bd427294daac
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
11.6
M
33
ZeroCERT

9651
2021-07-03 09:52
jaspa.exe 7092ce6487d5b89554d2a87bf5afa273
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
12.2
M
34
ZeroCERT

9652
2021-07-03 09:53
wealthx.exe 9bd23005277509c6ff0e28c226715313
RAT Generic Malware UPX Antivirus SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
2
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-24CE7FE78D268B93DB4AD64C9B7971DD.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CBCFAE6F7B8D32422898307A805F1FED.html - rule_id: 2406
2
kakosidobrosam.gq(172.67.180.37) - malicious
104.21.67.197
3
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
16.0
M
19
ZeroCERT

9653
2021-07-03 09:55
mooris.exe d33862b61cc533c23945095736b28026
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
11.6
M
22
ZeroCERT

9654
2021-07-03 09:55
father.exe d8d6d04820a117daf7babbe0b5a0d3fd
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
12.0
M
20
ZeroCERT

9655
2021-07-03 09:57
okb.exe 104adec18013b544dfbf200023630eb2
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
12.2
M
39
ZeroCERT

9656
2021-07-03 09:57
pop.exe 9be19a18b758c8c167a815d83fff506c
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
12.0
M
22
ZeroCERT

9657
2021-07-03 09:59
yggg.exe 64b53dc7fa2ca1ff03f6dcb19537ce78
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
11.0
M
20
ZeroCERT

9658
2021-07-03 10:02
ebaa.exe c7df3a988586b9a2d2fd027d88117237
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
12.0
M
45
ZeroCERT

9659
2021-07-03 10:07
ironDOOM_ABhLqDYHF151.bin 720e88696ebf062a4f4a075dbc8c4806
AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS
4.4
ZeroCERT

9660
2021-07-03 10:14
https://0v2x.blogspot.com/p/10... c3a52061a5fe3b17ffab6fec221a17fc
Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
23
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://0v2x.blogspot.com/p/10.html
https://0v2x.blogspot.com/favicon.ico
https://www.google.com/css/maia.css
https://fonts.googleapis.com/css?family=Open+Sans:300
https://fonts.gstatic.com/s/opensans/v20/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
https://www.google-analytics.com/analytics.js
https://www.blogger.com/static/v1/widgets/3822632116-css_bundle_v2.css
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1599313125304121436&zx=f2b04871-dcf0-4739-a1bd-fc5d5fa5bdf1
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://www.blogger.com/blogin.g?blogspotURL=https://0v2x.blogspot.com/p/10.html&type=blog
https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
https://www.blogger.com/img/blogger-logotype-color-black-1x.png
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
https://www.blogger.com/static/v1/widgets/4165186901-widgets.js
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2F0v2x.blogspot.com%2Fp%2F10.html&type=blog&bpli=1
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://0v2x.blogspot.com/p/10.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://0v2x.blogspot.com/p/10.html%26type%3Dblog%26bpli%3D1&passive=true&go=true
https://www.blogger.com/static/v1/jsbin/3775400722-ieretrofit.js
https://resources.blogblog.com/img/icon18_wrench_allbkg.png
18
0v2x.blogspot.com(172.217.161.33)
resources.blogblog.com(172.217.25.73)
www.google.com(216.58.220.132)
www.gstatic.com(172.217.25.67)
fonts.googleapis.com(172.217.161.74)
accounts.google.com(172.217.175.13)
www.google-analytics.com(216.58.220.142)
fonts.gstatic.com(216.58.220.131)
www.blogger.com(172.217.25.73)
142.250.207.67
142.250.66.129
172.217.163.233
142.250.66.131
142.250.207.74
142.250.66.141
142.250.204.110
142.250.204.68
172.217.161.169
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
4.6
r0d