10396 | 2021-07-23 07:45 | ffp.exe | 8d92d0894c3af0058365264f87117f93
Tags: UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB RWX flags setting unpack itself ComputerName
URLs (1):
Hosts: -
Alerts: -
2.2 | - | 17 | ZeroCERT

10397 | 2021-07-23 07:59 | vbc.exe | 78534ba4abd0468144c93031db340139
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (10):
http://www.cooperseyewear.com/wten/
http://www.hqs.xyz/wten/?af-8_FRh=oShqX8ozSaLnT/sPQ03i2E5y96WwwgaKxOoyntimszskFDeKs6d6ROBZziWe1pCyV7PXOHJJ&UlSp=GVgTZXS0Kvx0RZ
http://www.yourchanceisnow.com/wten/?af-8_FRh=IyHE2bBJVzSV0Kd01SvdFEIzHSgJWEhDz/0nlATlZYPCnWDk0OwsF0JdwnUyAlSL5vrlAFTY&UlSp=GVgTZXS0Kvx0RZ
http://www.yourchanceisnow.com/wten/
http://www.hqs.xyz/wten/
http://www.cooperseyewear.com/wten/?af-8_FRh=THr9Rz+cAlxpJ8dxH3Js0HD77G+gXFVnYY7ecCmngghuj/1dom/+vZtWxYtGb7sHHRozcbGl&UlSp=GVgTZXS0Kvx0RZ
http://www.hamrharddrive.com/wten/?af-8_FRh=/15B2naq7dsCbpBMrzNELOKQnq5h4qzdwtgstjIpMcs021IKd1TFNIOMsSBp6pfik2oQtS+a&UlSp=GVgTZXS0Kvx0RZ
http://www.the-level.net/wten/?af-8_FRh=IHtSwyFi9AeAZOxvqJwcTujIadv1z4e9A03dia3LkLZE+Zb468NERde70wEjVr7G2chd4ID3&UlSp=GVgTZXS0Kvx0RZ
http://www.the-level.net/wten/
http://www.hamrharddrive.com/wten/
Hosts (12):
www.yourchanceisnow.com(198.54.117.211)
www.hamrharddrive.com(34.102.136.180)
www.arknmhsc.com()
www.hqs.xyz(52.128.23.153)
www.thinbluelion.com()
www.cooperseyewear.com(34.102.136.180)
www.the-level.net(107.180.0.207)
www.kolpath.com()
52.128.23.153 - mailcious
34.102.136.180 - mailcious
107.180.0.207
198.54.117.216 - phishing
Alerts (2):
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
8.0 | - | - | ZeroCERT

10398 | 2021-07-23 09:12 | 0722_1626110026.xls | b9b909ba415fd197adabd75170b9c7f8
Tags: Generic Malware VBA_macro Malicious Library DNS Socket ScreenShot AntiDebug AntiVM MSOffice File Browser Info Stealer Malware download FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Collect installed applications Check virtual network interfaces suspicious process suspicious TLD sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Windows Browser ComputerName Software
URLs (5):
http://api.ipify.org/?format=xml
http://api.ipify.org/
http://tholeferli.com/8/forum.php
http://s0lom0n.ru/7hsjfd9w4refsd.exe
http://pospvisis.com/
Hosts (8):
s0lom0n.ru(8.211.241.0) - malware
pospvisis.com(95.213.179.67) - mailcious
api.ipify.org(54.225.78.40)
tholeferli.com(194.147.115.74) - mailcious
8.211.241.0 - malware
50.16.239.65
194.147.115.74 - mailcious
95.213.179.67
Alerts (6):
ET POLICY External IP Lookup api.ipify.org
ET INFO Packed Executable Download
ET POLICY External IP Lookup (ipify .org)
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY PE EXE or DLL Windows file download HTTP
17.4 | M | - | guest

10399 | 2021-07-23 09:14 | .audiodg.exe | a0339a15a2f219b54b3c1a6b4afbc6be
Tags: PWS Loki[b] Loki[m] .NET framework RAT Generic Malware DNS Socket AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software crashed
URLs (1):
http://vikinproducts.com/Mrlogs/fre.php
Hosts (2):
vikinproducts.com(104.21.26.2)
172.67.168.51
Alerts (6):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
13.4 | M | 40 | ZeroCERT

10400 | 2021-07-23 09:14 | aguerox.exe | bad05e5a760ce7c6044eb5107f2163c6
Tags: PWS .NET framework RAT Generic Malware AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (1):
http://www.bostonpeach.com/lmsa/?tZU0=yJEePeoRMkw+8si03T9OJzX5RSMm7XBqZznat+bpeiJvNOrptbD0752/OOWV6+M+/6+Y8fSl&Unt8E=GTdPPh0XeT3ldb
Hosts (2):
www.bostonpeach.com(34.102.136.180)
34.102.136.180 - mailcious
Alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
9.4 | M | 32 | ZeroCERT

10401 | 2021-07-23 09:16 | doc.doc | 1e19621b261fcc2b09d28b0a79f14a60
Tags: RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed
URLs (5):
http://www.salivasolve.com/jn7g/?xVMtB8oh=LjSwbA7FwlWPZY8aZVplIy66ddjBjMzLn1RIC02GaXcy/I7AmoIAjniGIlflMFRohJW66HhH&1bw=L6AdkJ8PtTAtvfC0
http://www.applicableturnout.club/jn7g/?xVMtB8oh=glmGBNdCkiCskfWPQNiz8/M636PPa3GMNzPNreJNwRj1HUn8AepddB6bH6RJObWfdwwZWwQB&1bw=L6AdkJ8PtTAtvfC0
http://www.formatohd.xyz/jn7g/?xVMtB8oh=rBF8etPQjoWBTHIpYleE6n5rMk1/4doO857OEMSviIYg2eKF3uhinNCweNEOV5ZmhoRIN+nm&1bw=L6AdkJ8PtTAtvfC0
http://www.wanpoo1.com/jn7g/?xVMtB8oh=f1txrUsdtgvlRZfFl/3qwcMnsDpxot63EHJ4FRyTveGHsTWl8LNXqx1DgUF91kvu8hbR5MKR&1bw=L6AdkJ8PtTAtvfC0
https://cdn.discordapp.com/attachments/858793322087710753/863898136854003722/me.jpg
Hosts (14):
www.salivasolve.com(34.102.136.180)
www.wanpoo1.com(202.210.8.155)
www.formatohd.xyz(154.127.54.62)
google.com(172.217.175.46)
www.applicableturnout.club(104.21.59.61)
www.langers.email()
cdn.discordapp.com(162.159.134.233) - malware
162.159.134.233 - malware
154.127.54.62
202.210.8.155
172.245.119.43 - mailcious
34.102.136.180 - mailcious
142.250.204.46
104.21.59.61
Alerts (9):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | M | 28 | ZeroCERT

10402 | 2021-07-23 09:17 | ambinx.exe | 699e56ea4da0b0865fc33308a8b09df9
Tags: RAT Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (2):
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DA64E2AFC3C41BFC6E2E057BE15631BC.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BD83B9F0CAED87B27A45BF230BEF3A3A.html - rule_id: 2706
Hosts (2):
bakercost.gq(172.67.156.203) - mailcious
104.21.13.164 - mailcious
Alerts (3):
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other URLs (2):
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
14.2 | M | 25 | ZeroCERT

10403 | 2021-07-23 09:19 | whesilox.exe | facd1c07ffcfb16de518d0c977814d92
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows ComputerName DNS Cryptographic key DDNS
URLs (1):
http://checkip.dyndns.org/
Hosts (2):
checkip.dyndns.org(216.146.43.71)
158.101.44.242
Alerts (2):
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
9.4 | M | 34 | ZeroCERT

10404 | 2021-07-23 09:19 | adv.part1 | d24fe7e4e78520c4fc930c5dc4e330f2
Tags: UPX Malicious Library PE32 OS Processor Check PE File Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed
URLs (4):
https://138.34.28.35/cookiechecker?uri=/rob111/TEST22-PC_W617601.F2FEBBFA99D3C5BBED733B40F3BC1FB1/5/file/
https://138.34.28.35/login.cgi?uri=/index.html
https://38.110.103.136/rob111/TEST22-PC_W617601.F2FEBBFA99D3C5BBED733B40F3BC1FB1/5/file/
https://138.34.28.35/index.html
Hosts (5):
185.56.76.28 - mailcious
138.34.28.35
204.138.26.60 - mailcious
38.110.103.136 - mailcious
80.15.2.105 - mailcious
Alerts (2):
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
7.0 | M | 22 | ZeroCERT

10405 | 2021-07-23 09:20 | 0722_2011508733.xls | 150585947077c079116a856eb0adcde0
Tags: Generic Malware VBA_macro Malicious Library MSOffice File VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
http://api.ipify.org/
http://tholeferli.com/8/forum.php
Hosts (4):
api.ipify.org(23.21.224.49)
tholeferli.com(194.147.115.74) - mailcious
194.147.115.74 - mailcious
50.19.92.227
Alerts (1):
ET POLICY External IP Lookup api.ipify.org
7.8 | M | 17 | guest

10406 | 2021-07-23 09:20 | .csrss.exe | 4e7c50fb3577f51f87e113c2fc40d5e7
Tags: RedLine Stealer Generic Malware UPX Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself
URLs: -
Hosts: -
Alerts: -
2.6 | M | 48 | ZeroCERT

10407 | 2021-07-23 09:21 | BuildDID.exe | 41aff158bfefe4084b88da1cb7caa13b
Tags: RAT BitCoin Generic Malware UPX AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Cryptographic key Software crashed
URLs (2):
http://eafovanaud.xyz/
https://api.ip.sb/geoip
Hosts (4):
eafovanaud.xyz(212.224.105.80)
api.ip.sb(104.26.13.31)
104.26.12.31
212.224.105.80
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
11.8 | M | 28 | ZeroCERT

10408 | 2021-07-23 09:23 | princedanx.exe | 0e715db2198ff670f4bf0e88e0e9b547
Tags: NPKI Generic Malware UPX AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed
URLs (2):
http://www.9999cpa.com/np0c/?9rn0nZSH=Xc4gsXAk3IHDrVIHDvtdejK8+qUwopMqGUG+MGqfVh8du46kyhhWoLgOpS/zDo5f/D0kqWOP&w2=jFQp7bm0P
http://www.gardencontainerbar.com/np0c/?9rn0nZSH=4SS0YrDhm3EhcBUp2XT9vvUikGmlknyryJwYvMc5XUwVAYebqhhl4Z78mi8dTaDdQcbaP7l7&w2=jFQp7bm0P
Hosts (4):
www.9999cpa.com(204.11.58.194)
www.gardencontainerbar.com(185.151.30.138)
185.151.30.138
204.11.58.194 - suspicious
Alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
7.8 | M | 27 | ZeroCERT

10409 | 2021-07-23 09:23 | Build2DID.exe | 69dd97850f63fac1927313fb9983ab58
Tags: RAT BitCoin Generic Malware UPX AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
http://195.149.87.39:20170/
https://api.ip.sb/geoip
Hosts (3):
api.ip.sb(104.26.13.31)
172.67.75.172
195.149.87.39
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
12.8 | - | 15 | ZeroCERT

10410 | 2021-07-23 09:25 | lv.exe | a6a8f833fdd0b5f4ee7b46714a3d20c7
Tags: RedLine Stealer Gen1 Gen2 Malicious Library UPX Malicious Packer PE32 PE File DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
URLs: -
Hosts: -
Alerts: -
2.4 | M | 26 | ZeroCERT