| 10141 |
2021-07-16 09:33
|
https://popcash.net/world/go/1... 9177aeda6aa16261cf62756b9a50b95a
AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed |
11
https://skinfo.win/images/fire_icon1.png
https://skinfo.win/js/form.js
https://skinfo.win/favicon.ico
https://skinfo.win/js/timer.js
https://g.asiashow911.com/?rt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjYzOTY2MTIsImlkIjoiOTg1ZTUxNzctZTAzZi00YjkwLTg0ZjItYjgwMWQzZTZlNDMwIiwiaW1wIjoiNDViNTQ2N2MtMTA1Zi00NDc1LTlhMmMtZjFmOTcxNmE4OGZkIiwicCI6InBvcGNhc2gtcG9wcyIsInUiOiJIdHRwczovL3NraW5mby53aW4vIiwiaXAiOiIxNzUuMjA4LjEzNC4xNTAiLCJwcmlkIjoiNjBjMjgxYzM2MWQ2ZTI0ZWFhNzhlODMxIiwiY2lkIjoiNjBjMjgxYzM2MWQ2ZTI0ZWFhNzhlODM0IiwiY3JpZCI6IjYwZWJlNmMyNjFkNmUyMmMzZDZkY2Y3MSIsInNwaWQiOiI0MWJlMmRlZGMwMmYwMWFhNGM2OTBjNzI4NmQxMjRhMiJ9.5h1WEisP7wReqW1__ATyhGODTc1xFYyiHzw7Ky5vXvk
https://skinfo.win/
https://fonts.gstatic.com/s/opensans/v20/mem8YaGs126MiZpBA-UFVZ0d.woff
https://code.jquery.com/jquery-3.4.1.min.js
https://skinfo.win/images/skinMedica.png
https://fonts.googleapis.com/css?family=Open+Sans|Roboto&display=swap
https://skinfo.win/css/main.css
|
14
g.asiashow911.com(88.208.30.132)
ps.popcash.net(107.21.8.49) - mailcious
fonts.googleapis.com(172.217.24.138)
skinfo.win(194.113.74.230)
code.jquery.com(69.16.175.10)
popcash.net(104.27.206.92) - mailcious
fonts.gstatic.com(142.250.196.131)
172.217.24.138
142.250.196.131
69.16.175.42 - malware
194.113.74.230
104.27.207.92
107.21.8.49
88.208.30.132
|
|
|
5.0 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10142 |
2021-07-16 09:39
|
 Receipt-75163487.xls 9d35e17421e9a1c8458f32cd813bd27f
VBA_macro MSOffice File PE File PE32 VirusTotal Malware Check memory buffers extracted Creates executable files unpack itself suspicious process Windows DNS crashed |
1
http://paymentadvisry.com:8088/plugins/file1.bin
|
2
paymentadvisry.com(128.199.243.169) - malware
163.172.213.69 - mailcious
|
|
|
5.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10143 |
2021-07-16 09:42
|
 updatetes.exe d541621eadca1e9da55cc595105cad28
UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10144 |
2021-07-16 09:42
|
 old.exe 2162abcdcff5c40d0b0e63362e9707a8
RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10145 |
2021-07-16 09:42
|
 bDUIsdMCKmDB.exe a124473e6a614597adda867481e0aecc
PWS .NET framework RAT BitCoin Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Windows Browser ComputerName Cryptographic key Software crashed |
2
http://zasavaucov.xyz/
https://api.ip.sb/geoip
|
4
zasavaucov.xyz(185.125.18.50)
api.ip.sb(104.26.13.31)
185.125.18.50
104.26.13.31
|
|
|
11.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10146 |
2021-07-16 09:44
|
Сотрудники с офисным режимом р... 7fbbb25fbfc322167f51becfa7a130a2
VBA_macro UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Check memory unpack itself AppData folder crashed |
|
|
|
|
3.4 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10147 |
2021-07-16 09:45
|
 old-0.exe e8f26456b49ff95faa5380c5ad029ddf
RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
4
http://www.69-1hn7uc.net/p2io/ - rule_id: 1695
http://www.69-1hn7uc.net/p2io/?9rn=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&o2=jL3D_Ls0f - rule_id: 1695
http://www.leonardocarrillo.com/p2io/ - rule_id: 1541
http://www.leonardocarrillo.com/p2io/?9rn=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&o2=jL3D_Ls0f - rule_id: 1541
|
6
www.leonardocarrillo.com(172.107.55.6) - mailcious
www.pyithuhluttaw.net(103.91.67.83)
www.69-1hn7uc.net(163.43.122.125)
172.107.55.6
163.43.122.125
103.91.67.83 - mailcious
|
|
4
http://www.69-1hn7uc.net/p2io/
http://www.69-1hn7uc.net/p2io/
http://www.leonardocarrillo.com/p2io/
http://www.leonardocarrillo.com/p2io/
|
9.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10148 |
2021-07-16 09:47
|
 Invoice%2088468724%20from%20Qu... cf7f5baa644f2ab2cc64e58b95b667ca
VBA_macro MSOffice File PE File PE32 VirusTotal Malware Check memory buffers extracted Creates executable files unpack itself suspicious process Windows crashed |
|
2
buyer-remindment.com(128.199.243.169) - malware
208.83.69.35 - malware
|
|
|
4.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10149 |
2021-07-16 09:49
|
 dllhost.exe 63f22ce2d1aef6fd06cf8d8ccdd7b402
RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10150 |
2021-07-16 09:54
|
 details.bin 3c21cccff5c8aabf1977f2dbdaeaafe7
Malicious Packer PE File PE32 VirusTotal Malware PDB Windows crashed |
|
|
|
|
3.2 |
M |
48 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10151 |
2021-07-16 10:41
|
cojbhg.msi aae9d6c552101a930cf602166acaf863
RAT Generic Malware MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
6
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A5004E8FE4642635F3A5F9729F016D6C.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2CF94C6405A21F86FE26767B020F24F7.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-564C6866309DF88BE2B89EA3243190EF.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3ABE7E3A265370893E4E511F0CDF44A2.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3855D746CACAAC460046039CB72BF87C.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-98FD0424CD3EFD2E8F83A6BC0491BEF4.html - rule_id: 2706
|
2
bakercost.gq(104.21.13.164) - mailcious
104.21.13.164 - mailcious
|
|
6
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
|
2.6 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10152 |
2021-07-16 10:43
|
Сотрудники с офисным режимом р... 7fbbb25fbfc322167f51becfa7a130a2
VBA_macro UPX PE File OS Processor Check PE32 DLL VirusTotal Malware RWX flags setting unpack itself AppData folder crashed |
|
|
|
|
3.6 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10153 |
2021-07-16 13:31
|
 7t4dfgnmkk7.exe 270c3859591599642bd15167765246e3
Ficker Stealer UPX PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Browser ComputerName Software |
1
http://api.ipify.org/?format=xml
|
4
api.ipify.org(50.16.216.118)
pospvisis.com(95.213.179.67) - mailcious
50.19.92.227
95.213.179.67
|
3
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
|
|
8.8 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10154 |
2021-07-16 13:34
|
prescribe .07.21.doc 843f6c0c24bfc31b6a19471935a092da
AntiDebug AntiVM Vulnerability VirusTotal Malware Code Injection Check memory RWX flags setting unpack itself suspicious process Interception |
1
http://airloweryd.com/adda/VbJkW1EuzDNQrIxQDvH/IDcQzbYyMGhWy06DDsSHeUAK3GHQkEbCL8w9/E1xx4lOEKH7E8cHocpfeqr0ZLSG0IPv9dSbLJ7VFg9tdg42g/k81pzGewugMThHD6HmhhV3/I9gjfu3RhqvK0Lzw9TIkWDWI5kGNNPWaOt9Vl6iE64QsjeM/Tx8tV7HlFYHyY5KNaUVj5pPO74xv3RG7he/Ba3uo8Ybu6HFexi9spmowa0zgOOp1OS9E6MvubDFn01/66956/4157/rymes2?sid=Qj9QvQEkA9&ref=4USoX5E3EMI&qatj0z=s03jN&DEz=lSAm&ref=3iiqNuFGEWNDfm0JE08XtyxLNf3&sid=2xPqjWeQeOwhE7hrUkCyPp6lM&ref=Bz&D5Zq=l44bPLuTuHocNX0&user=1pMhG
|
2
airloweryd.com(45.153.230.151)
45.153.230.151
|
|
|
6.4 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10155 |
2021-07-16 13:35
|
 boxDelInd.hta b78d223c21397820b567ed288e87a190VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process Interception |
1
http://airloweryd.com/adda/VbJkW1EuzDNQrIxQDvH/IDcQzbYyMGhWy06DDsSHeUAK3GHQkEbCL8w9/E1xx4lOEKH7E8cHocpfeqr0ZLSG0IPv9dSbLJ7VFg9tdg42g/k81pzGewugMThHD6HmhhV3/I9gjfu3RhqvK0Lzw9TIkWDWI5kGNNPWaOt9Vl6iE64QsjeM/Tx8tV7HlFYHyY5KNaUVj5pPO74xv3RG7he/Ba3uo8Ybu6HFexi9spmowa0zgOOp1OS9E6MvubDFn01/66956/4157/rymes2?sid=Qj9QvQEkA9&ref=4USoX5E3EMI&qatj0z=s03jN&DEz=lSAm&ref=3iiqNuFGEWNDfm0JE08XtyxLNf3&sid=2xPqjWeQeOwhE7hrUkCyPp6lM&ref=Bz&D5Zq=l44bPLuTuHocNX0&user=1pMhG
|
2
airloweryd.com(45.153.230.151)
45.153.230.151
|
|
|
2.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|