9916 | 2021-07-12 13:32
Jople.exe 0ed8664e0ae8bb176b6d0fc0251b608e PWS .NET framework RAT Generic Malware Antivirus Anti_VM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Windows Browser ComputerName Firmware DNS Cryptographic key crashed
2 | http://185.230.143.117:28578/ https://api.ip.sb/geoip
3 | api.ip.sb(172.67.75.172) 104.26.12.31 185.230.143.117
11.2 | 44 | ZeroCERT
9917 | 2021-07-12 14:19
Nwaba Loader.exe 83414529ad68ade52a9ce9ffae635c03 PWS .NET framework RAT Generic Malware PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces AntiVM_Disk IP Check VM Disk Size Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
6 | checkip.dyndns.org(216.146.43.70) freegeoip.app(172.67.188.154) api.telegram.org(149.154.167.220) 131.186.113.70 149.154.167.220 104.21.19.200
9.2 | 47 | Kim.GS
9918 | 2021-07-12 15:25
app.exe 7b7bcf7dc5d1f4d0ea8f9c5d6a1b5868 PWS .NET framework Generic Malware PE64 PE File .NET EXE PE32 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion Windows Cryptographic key
6.0 | 37 | r0d
9919 | 2021-07-12 15:26
크랙에픽.exe c491ceca4e45cfdc1750165291184542 PWS .NET framework RAT Generic Malware PE64 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself
1.8 | 2 | guest
9920 | 2021-07-12 17:51
AllGHCw6cF3MYVSkUrB.jpg.ps1 c8f2d014ff0529059a6c2d926aebd221 Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName Cryptographic key
1 | https://the6hats.com/wp-content/themes/enfold/images/aBA9O8Kn7UyIZ6mX.jpg
2 | the6hats.com(132.148.146.25) 132.148.146.25
9.2 | 9 | ZeroCERT
9921 | 2021-07-12 17:53
pktU9LoKSDqhtovq.jpg.ps1 ddf9445e77f1986432ef45aa96668fee Antivirus AntiDebug AntiVM VirusTotal Malware Code Injection Check memory buffers extracted unpack itself WriteConsoleW DNS DDNS
2 | coolbixb0y.ddns.net(147.189.170.240) 147.189.170.240
8.6 | 3 | ZeroCERT
9922 | 2021-07-12 17:56
Y4maQsKxdyy0hVxk.jpg.ps1 526985f2ac9ccb243a78a8512a7c19e6 Antivirus powershell Check memory Creates shortcut unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName Cryptographic key
3 | https://emegablog.com/wp-content/themes/news247/images/qc5LcKjE9CmvXWOP.lnk https://emegablog.com/wp-content/themes/news247/images/TXmxpbG0vP0jI5yD.jpg https://emegablog.com/wp-content/themes/news247/images/pktU9LoKSDqhtovq.jpg
2 | emegablog.com(97.74.236.9) 97.74.236.9
5.2 | ZeroCERT
9923 | 2021-07-12 18:00
LzWZ0w70pWJ95p9s.jpg.ps1 b519cbc7b8fc2b686b5e469d48472540 Antivirus powershell Check memory Creates shortcut unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName Cryptographic key
3 | https://biplabbiprodas.com/wp-content/themes/jackryan/languages/0vZ7eGlY1GEXVt11.lnk https://biplabbiprodas.com/wp-content/themes/jackryan/languages/DEVCuDqAcg1yn0N8.jpg https://biplabbiprodas.com/wp-content/themes/jackryan/languages/ufatMWl1ocPLQWU5rCS.jpg
2 | biplabbiprodas.com(107.180.105.101) 107.180.105.101
5.2 | ZeroCERT
9924 | 2021-07-12 18:02
VNPhone.exe fca673821522a3329ad3ab6308cf9692 Generic Malware UPX PE File PE32 PNG Format DLL VirusTotal Malware Malicious Traffic Check memory WMI Creates executable files ICMP traffic unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName
4 | https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=INFO https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=FIRST_REQUEST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=FIRST_REQUEST&AspxAutoDetectCookieSupport=1 https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=REQUEST
2 | cdn.poopycloud.com(188.124.36.145) 188.124.36.145
6.2 | 26 | ZeroCERT
9925 | 2021-07-12 18:02
wininit.exe a954aade1438f60c08c42beb485199a9 PWS Loki[b] Loki[m] .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
1 | http://185.227.139.18/dsaicosaicasdi.php/S4wFP8QBww9Tp - rule_id: 2584
1 | 185.227.139.18 - mailcious
1 | http://185.227.139.18/dsaicosaicasdi.php
14.6 | M | 22 | ZeroCERT
9926 | 2021-07-12 18:03
vbc.exe 41077f68c330f11f487c4c3d405fdc31 Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
2.2 | 33 | ZeroCERT
9927 | 2021-07-12 18:04
bobs.exe 1cf7ff77cf4ee7c4f4f6fb3d9bf088f7 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
11.0 | 23 | ZeroCERT
9928 | 2021-07-12 18:07
Ops Afg post 9-11.doc 9100c65e4ed1ccf2fd148a70ff21c97f VirusTotal Malware unpack itself
3 | http://designerzebra.com/services/ http://designerzebra.com/services/check6 http://designerzebra.com/services
2 | designerzebra.com(108.177.235.105) 108.177.235.105
2.4 | 4 | ZeroCERT
9929 | 2021-07-12 18:07
.wininit.exe b650c785537ad966290b270adfe56611 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
9.4 | 18 | ZeroCERT
9930 | 2021-07-13 07:32
http://192.227.158.111/fud.js c140a58ffaf225f718f458f7f3d5fb0c DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM VirusTotal Malware unpack itself malicious URLs crashed
2.4 | 6 | ZeroCERT