10141 | 2021-07-16 09:33 | https://popcash.net/world/go/1... | 9177aeda6aa16261cf62756b9a50b95a | AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed
URLs (11): https://skinfo.win/images/fire_icon1.png https://skinfo.win/js/form.js https://skinfo.win/favicon.ico https://skinfo.win/js/timer.js https://g.asiashow911.com/?rt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjYzOTY2MTIsImlkIjoiOTg1ZTUxNzctZTAzZi00YjkwLTg0ZjItYjgwMWQzZTZlNDMwIiwiaW1wIjoiNDViNTQ2N2MtMTA1Zi00NDc1LTlhMmMtZjFmOTcxNmE4OGZkIiwicCI6InBvcGNhc2gtcG9wcyIsInUiOiJIdHRwczovL3NraW5mby53aW4vIiwiaXAiOiIxNzUuMjA4LjEzNC4xNTAiLCJwcmlkIjoiNjBjMjgxYzM2MWQ2ZTI0ZWFhNzhlODMxIiwiY2lkIjoiNjBjMjgxYzM2MWQ2ZTI0ZWFhNzhlODM0IiwiY3JpZCI6IjYwZWJlNmMyNjFkNmUyMmMzZDZkY2Y3MSIsInNwaWQiOiI0MWJlMmRlZGMwMmYwMWFhNGM2OTBjNzI4NmQxMjRhMiJ9.5h1WEisP7wReqW1__ATyhGODTc1xFYyiHzw7Ky5vXvk https://skinfo.win/ https://fonts.gstatic.com/s/opensans/v20/mem8YaGs126MiZpBA-UFVZ0d.woff https://code.jquery.com/jquery-3.4.1.min.js https://skinfo.win/images/skinMedica.png https://fonts.googleapis.com/css?family=Open+Sans|Roboto&display=swap https://skinfo.win/css/main.css
Hosts (14): g.asiashow911.com(88.208.30.132) ps.popcash.net(107.21.8.49) - mailcious fonts.googleapis.com(172.217.24.138) skinfo.win(194.113.74.230) code.jquery.com(69.16.175.10) popcash.net(104.27.206.92) - mailcious fonts.gstatic.com(142.250.196.131) 172.217.24.138 142.250.196.131 69.16.175.42 - malware 194.113.74.230 104.27.207.92 107.21.8.49 88.208.30.132
5.0 | M | guest

10142 | 2021-07-16 09:39 | Receipt-75163487.xls | 9d35e17421e9a1c8458f32cd813bd27f | VBA_macro MSOffice File PE File PE32 VirusTotal Malware Check memory buffers extracted Creates executable files unpack itself suspicious process Windows DNS crashed
URLs (1): http://paymentadvisry.com:8088/plugins/file1.bin
Hosts (2): paymentadvisry.com(128.199.243.169) - malware 163.172.213.69 - mailcious
5.6 | M | 21 | ZeroCERT

10143 | 2021-07-16 09:42 | updatetes.exe | d541621eadca1e9da55cc595105cad28 | UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 28 | ZeroCERT

10144 | 2021-07-16 09:42 | old.exe | 2162abcdcff5c40d0b0e63362e9707a8 | RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
7.8 | M | 28 | ZeroCERT

10145 | 2021-07-16 09:42 | bDUIsdMCKmDB.exe | a124473e6a614597adda867481e0aecc | PWS .NET framework RAT BitCoin Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Windows Browser ComputerName Cryptographic key Software crashed
URLs (2): http://zasavaucov.xyz/ https://api.ip.sb/geoip
Hosts (4): zasavaucov.xyz(185.125.18.50) api.ip.sb(104.26.13.31) 185.125.18.50 104.26.13.31
11.8 | M | 47 | ZeroCERT

10146 | 2021-07-16 09:44 | Сотрудники с офисным режимом р... | 7fbbb25fbfc322167f51becfa7a130a2 | VBA_macro UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Check memory unpack itself AppData folder crashed
3.4 | | 29 | ZeroCERT

10147 | 2021-07-16 09:45 | old-0.exe | e8f26456b49ff95faa5380c5ad029ddf | RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (4): http://www.69-1hn7uc.net/p2io/ - rule_id: 1695 http://www.69-1hn7uc.net/p2io/?9rn=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&o2=jL3D_Ls0f - rule_id: 1695 http://www.leonardocarrillo.com/p2io/ - rule_id: 1541 http://www.leonardocarrillo.com/p2io/?9rn=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&o2=jL3D_Ls0f - rule_id: 1541
Hosts (6): www.leonardocarrillo.com(172.107.55.6) - mailcious www.pyithuhluttaw.net(103.91.67.83) www.69-1hn7uc.net(163.43.122.125) 172.107.55.6 163.43.122.125 103.91.67.83 - mailcious
Rule-matched URLs (4): http://www.69-1hn7uc.net/p2io/ http://www.69-1hn7uc.net/p2io/ http://www.leonardocarrillo.com/p2io/ http://www.leonardocarrillo.com/p2io/
9.2 | M | 28 | ZeroCERT

10148 | 2021-07-16 09:47 | Invoice%2088468724%20from%20Qu... | cf7f5baa644f2ab2cc64e58b95b667ca | VBA_macro MSOffice File PE File PE32 VirusTotal Malware Check memory buffers extracted Creates executable files unpack itself suspicious process Windows crashed
Hosts (2): buyer-remindment.com(128.199.243.169) - malware 208.83.69.35 - malware
4.6 | M | 21 | ZeroCERT

10149 | 2021-07-16 09:49 | dllhost.exe | 63f22ce2d1aef6fd06cf8d8ccdd7b402 | RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
1.6 | M | 22 | ZeroCERT

10150 | 2021-07-16 09:54 | details.bin | 3c21cccff5c8aabf1977f2dbdaeaafe7 | Malicious Packer PE File PE32 VirusTotal Malware PDB Windows crashed
3.2 | M | 48 | r0d

10151 | 2021-07-16 10:41 | cojbhg.msi | aae9d6c552101a930cf602166acaf863 | RAT Generic Malware MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName
URLs (6): https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A5004E8FE4642635F3A5F9729F016D6C.html - rule_id: 2706 https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2CF94C6405A21F86FE26767B020F24F7.html - rule_id: 2706 https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-564C6866309DF88BE2B89EA3243190EF.html - rule_id: 2706 https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3ABE7E3A265370893E4E511F0CDF44A2.html - rule_id: 2706 https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3855D746CACAAC460046039CB72BF87C.html - rule_id: 2706 https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-98FD0424CD3EFD2E8F83A6BC0491BEF4.html - rule_id: 2706
Hosts (2): bakercost.gq(104.21.13.164) - mailcious 104.21.13.164 - mailcious
Rule-matched URLs (6): https://bakercost.gq/liverpool-fc-news/features/ https://bakercost.gq/liverpool-fc-news/features/ https://bakercost.gq/liverpool-fc-news/features/ https://bakercost.gq/liverpool-fc-news/features/ https://bakercost.gq/liverpool-fc-news/features/ https://bakercost.gq/liverpool-fc-news/features/
2.6 | M | 7 | ZeroCERT

10152 | 2021-07-16 10:43 | Сотрудники с офисным режимом р... | 7fbbb25fbfc322167f51becfa7a130a2 | VBA_macro UPX PE File OS Processor Check PE32 DLL VirusTotal Malware RWX flags setting unpack itself AppData folder crashed
3.6 | | 29 | ZeroCERT

10153 | 2021-07-16 13:31 | 7t4dfgnmkk7.exe | 270c3859591599642bd15167765246e3 | Ficker Stealer UPX PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Browser ComputerName Software
URLs (1): http://api.ipify.org/?format=xml
Hosts (4): api.ipify.org(50.16.216.118) pospvisis.com(95.213.179.67) - mailcious 50.19.92.227 95.213.179.67
Alerts (3): ET MALWARE Win32/Ficker Stealer Activity ET MALWARE Win32/Ficker Stealer Activity M3 ET POLICY External IP Lookup (ipify .org)
8.8 | M | 61 | ZeroCERT

10154 | 2021-07-16 13:34 | prescribe .07.21.doc | 843f6c0c24bfc31b6a19471935a092da | AntiDebug AntiVM Vulnerability VirusTotal Malware Code Injection Check memory RWX flags setting unpack itself suspicious process Interception
URLs (1): http://airloweryd.com/adda/VbJkW1EuzDNQrIxQDvH/IDcQzbYyMGhWy06DDsSHeUAK3GHQkEbCL8w9/E1xx4lOEKH7E8cHocpfeqr0ZLSG0IPv9dSbLJ7VFg9tdg42g/k81pzGewugMThHD6HmhhV3/I9gjfu3RhqvK0Lzw9TIkWDWI5kGNNPWaOt9Vl6iE64QsjeM/Tx8tV7HlFYHyY5KNaUVj5pPO74xv3RG7he/Ba3uo8Ybu6HFexi9spmowa0zgOOp1OS9E6MvubDFn01/66956/4157/rymes2?sid=Qj9QvQEkA9&ref=4USoX5E3EMI&qatj0z=s03jN&DEz=lSAm&ref=3iiqNuFGEWNDfm0JE08XtyxLNf3&sid=2xPqjWeQeOwhE7hrUkCyPp6lM&ref=Bz&D5Zq=l44bPLuTuHocNX0&user=1pMhG
Hosts (2): airloweryd.com(45.153.230.151) 45.153.230.151
6.4 | | 8 | ZeroCERT

10155 | 2021-07-16 13:35 | boxDelInd.hta | b78d223c21397820b567ed288e87a190 | VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process Interception
URLs (1): http://airloweryd.com/adda/VbJkW1EuzDNQrIxQDvH/IDcQzbYyMGhWy06DDsSHeUAK3GHQkEbCL8w9/E1xx4lOEKH7E8cHocpfeqr0ZLSG0IPv9dSbLJ7VFg9tdg42g/k81pzGewugMThHD6HmhhV3/I9gjfu3RhqvK0Lzw9TIkWDWI5kGNNPWaOt9Vl6iE64QsjeM/Tx8tV7HlFYHyY5KNaUVj5pPO74xv3RG7he/Ba3uo8Ybu6HFexi9spmowa0zgOOp1OS9E6MvubDFn01/66956/4157/rymes2?sid=Qj9QvQEkA9&ref=4USoX5E3EMI&qatj0z=s03jN&DEz=lSAm&ref=3iiqNuFGEWNDfm0JE08XtyxLNf3&sid=2xPqjWeQeOwhE7hrUkCyPp6lM&ref=Bz&D5Zq=l44bPLuTuHocNX0&user=1pMhG
Hosts (2): airloweryd.com(45.153.230.151) 45.153.230.151
2.8 | | 5 | ZeroCERT