| 10396 |
2021-07-23 07:45
|
 ffp.exe 8d92d0894c3af0058365264f87117f93
UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB RWX flags setting unpack itself ComputerName |
|
1
|
|
|
2.2 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10397 |
2021-07-23 07:59
|
 vbc.exe 78534ba4abd0468144c93031db340139
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
10
http://www.cooperseyewear.com/wten/
http://www.hqs.xyz/wten/?af-8_FRh=oShqX8ozSaLnT/sPQ03i2E5y96WwwgaKxOoyntimszskFDeKs6d6ROBZziWe1pCyV7PXOHJJ&UlSp=GVgTZXS0Kvx0RZ
http://www.yourchanceisnow.com/wten/?af-8_FRh=IyHE2bBJVzSV0Kd01SvdFEIzHSgJWEhDz/0nlATlZYPCnWDk0OwsF0JdwnUyAlSL5vrlAFTY&UlSp=GVgTZXS0Kvx0RZ
http://www.yourchanceisnow.com/wten/
http://www.hqs.xyz/wten/
http://www.cooperseyewear.com/wten/?af-8_FRh=THr9Rz+cAlxpJ8dxH3Js0HD77G+gXFVnYY7ecCmngghuj/1dom/+vZtWxYtGb7sHHRozcbGl&UlSp=GVgTZXS0Kvx0RZ
http://www.hamrharddrive.com/wten/?af-8_FRh=/15B2naq7dsCbpBMrzNELOKQnq5h4qzdwtgstjIpMcs021IKd1TFNIOMsSBp6pfik2oQtS+a&UlSp=GVgTZXS0Kvx0RZ
http://www.the-level.net/wten/?af-8_FRh=IHtSwyFi9AeAZOxvqJwcTujIadv1z4e9A03dia3LkLZE+Zb468NERde70wEjVr7G2chd4ID3&UlSp=GVgTZXS0Kvx0RZ
http://www.the-level.net/wten/
http://www.hamrharddrive.com/wten/
|
12
www.yourchanceisnow.com(198.54.117.211)
www.hamrharddrive.com(34.102.136.180)
www.arknmhsc.com()
www.hqs.xyz(52.128.23.153)
www.thinbluelion.com()
www.cooperseyewear.com(34.102.136.180)
www.the-level.net(107.180.0.207)
www.kolpath.com()
52.128.23.153 - mailcious
34.102.136.180 - mailcious
107.180.0.207
198.54.117.216 - phishing
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
8.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10398 |
2021-07-23 09:12
|
0722_1626110026.xls b9b909ba415fd197adabd75170b9c7f8
Generic Malware VBA_macro Malicious Library DNS Socket ScreenShot AntiDebug AntiVM MSOffice File Browser Info Stealer Malware download FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Collect installed applications Check virtual network interfaces suspicious process suspicious TLD sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Windows Browser ComputerName Software |
5
http://api.ipify.org/?format=xml
http://api.ipify.org/
http://tholeferli.com/8/forum.php
http://s0lom0n.ru/7hsjfd9w4refsd.exe
http://pospvisis.com/
|
8
s0lom0n.ru(8.211.241.0) - malware
pospvisis.com(95.213.179.67) - mailcious
api.ipify.org(54.225.78.40)
tholeferli.com(194.147.115.74) - mailcious
8.211.241.0 - malware
50.16.239.65
194.147.115.74 - mailcious
95.213.179.67
|
6
ET POLICY External IP Lookup api.ipify.org
ET INFO Packed Executable Download
ET POLICY External IP Lookup (ipify .org)
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
17.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10399 |
2021-07-23 09:14
|
 .audiodg.exe a0339a15a2f219b54b3c1a6b4afbc6be
PWS Loki[b] Loki[m] .NET framework RAT Generic Malware DNS Socket AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software crashed |
1
http://vikinproducts.com/Mrlogs/fre.php
|
2
vikinproducts.com(104.21.26.2)
172.67.168.51
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
|
13.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10400 |
2021-07-23 09:14
|
 aguerox.exe bad05e5a760ce7c6044eb5107f2163c6
PWS .NET framework RAT Generic Malware AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
http://www.bostonpeach.com/lmsa/?tZU0=yJEePeoRMkw+8si03T9OJzX5RSMm7XBqZznat+bpeiJvNOrptbD0752/OOWV6+M+/6+Y8fSl&Unt8E=GTdPPh0XeT3ldb
|
2
www.bostonpeach.com(34.102.136.180)
34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10401 |
2021-07-23 09:16
|
 doc.doc 1e19621b261fcc2b09d28b0a79f14a60
RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
5
http://www.salivasolve.com/jn7g/?xVMtB8oh=LjSwbA7FwlWPZY8aZVplIy66ddjBjMzLn1RIC02GaXcy/I7AmoIAjniGIlflMFRohJW66HhH&1bw=L6AdkJ8PtTAtvfC0
http://www.applicableturnout.club/jn7g/?xVMtB8oh=glmGBNdCkiCskfWPQNiz8/M636PPa3GMNzPNreJNwRj1HUn8AepddB6bH6RJObWfdwwZWwQB&1bw=L6AdkJ8PtTAtvfC0
http://www.formatohd.xyz/jn7g/?xVMtB8oh=rBF8etPQjoWBTHIpYleE6n5rMk1/4doO857OEMSviIYg2eKF3uhinNCweNEOV5ZmhoRIN+nm&1bw=L6AdkJ8PtTAtvfC0
http://www.wanpoo1.com/jn7g/?xVMtB8oh=f1txrUsdtgvlRZfFl/3qwcMnsDpxot63EHJ4FRyTveGHsTWl8LNXqx1DgUF91kvu8hbR5MKR&1bw=L6AdkJ8PtTAtvfC0
https://cdn.discordapp.com/attachments/858793322087710753/863898136854003722/me.jpg
|
14
www.salivasolve.com(34.102.136.180)
www.wanpoo1.com(202.210.8.155)
www.formatohd.xyz(154.127.54.62)
google.com(172.217.175.46)
www.applicableturnout.club(104.21.59.61)
www.langers.email()
cdn.discordapp.com(162.159.134.233) - malware
162.159.134.233 - malware
154.127.54.62
202.210.8.155
172.245.119.43 - mailcious
34.102.136.180 - mailcious
142.250.204.46
104.21.59.61
|
9
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10402 |
2021-07-23 09:17
|
 ambinx.exe 699e56ea4da0b0865fc33308a8b09df9
RAT Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DA64E2AFC3C41BFC6E2E057BE15631BC.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BD83B9F0CAED87B27A45BF230BEF3A3A.html - rule_id: 2706
|
2
bakercost.gq(172.67.156.203) - mailcious
104.21.13.164 - mailcious
|
3
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
|
14.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10403 |
2021-07-23 09:19
|
 whesilox.exe facd1c07ffcfb16de518d0c977814d92
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows ComputerName DNS Cryptographic key DDNS |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(216.146.43.71)
158.101.44.242
|
2
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
|
|
9.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10404 |
2021-07-23 09:19
|
 adv.part1 d24fe7e4e78520c4fc930c5dc4e330f2
UPX Malicious Library PE32 OS Processor Check PE File Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed |
4
https://138.34.28.35/cookiechecker?uri=/rob111/TEST22-PC_W617601.F2FEBBFA99D3C5BBED733B40F3BC1FB1/5/file/
https://138.34.28.35/login.cgi?uri=/index.html
https://38.110.103.136/rob111/TEST22-PC_W617601.F2FEBBFA99D3C5BBED733B40F3BC1FB1/5/file/
https://138.34.28.35/index.html
|
5
185.56.76.28 - mailcious
138.34.28.35
204.138.26.60 - mailcious
38.110.103.136 - mailcious
80.15.2.105 - mailcious
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
|
|
7.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10405 |
2021-07-23 09:20
|
0722_2011508733.xls 150585947077c079116a856eb0adcde0
Generic Malware VBA_macro Malicious Library MSOffice File VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://api.ipify.org/
http://tholeferli.com/8/forum.php
|
4
api.ipify.org(23.21.224.49)
tholeferli.com(194.147.115.74) - mailcious
194.147.115.74 - mailcious
50.19.92.227
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
7.8 |
M |
17 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10406 |
2021-07-23 09:20
|
 .csrss.exe 4e7c50fb3577f51f87e113c2fc40d5e7
RedLine Stealer Generic Malware UPX Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself |
|
|
|
|
2.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10407 |
2021-07-23 09:21
|
 BuildDID.exe 41aff158bfefe4084b88da1cb7caa13b
RAT BitCoin Generic Malware UPX AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Cryptographic key Software crashed |
2
http://eafovanaud.xyz/
https://api.ip.sb/geoip
|
4
eafovanaud.xyz(212.224.105.80)
api.ip.sb(104.26.13.31)
104.26.12.31
212.224.105.80
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
11.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10408 |
2021-07-23 09:23
|
 princedanx.exe 0e715db2198ff670f4bf0e88e0e9b547
NPKI Generic Malware UPX AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed |
2
http://www.9999cpa.com/np0c/?9rn0nZSH=Xc4gsXAk3IHDrVIHDvtdejK8+qUwopMqGUG+MGqfVh8du46kyhhWoLgOpS/zDo5f/D0kqWOP&w2=jFQp7bm0P
http://www.gardencontainerbar.com/np0c/?9rn0nZSH=4SS0YrDhm3EhcBUp2XT9vvUikGmlknyryJwYvMc5XUwVAYebqhhl4Z78mi8dTaDdQcbaP7l7&w2=jFQp7bm0P
|
4
www.9999cpa.com(204.11.58.194)
www.gardencontainerbar.com(185.151.30.138)
185.151.30.138
204.11.58.194 - suspicious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
7.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10409 |
2021-07-23 09:23
|
 Build2DID.exe 69dd97850f63fac1927313fb9983ab58
RAT BitCoin Generic Malware UPX AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://195.149.87.39:20170/
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31)
172.67.75.172
195.149.87.39
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
12.8 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10410 |
2021-07-23 09:25
|
 lv.exe a6a8f833fdd0b5f4ee7b46714a3d20c7
RedLine Stealer Gen1 Gen2 Malicious Library UPX Malicious Packer PE32 PE File DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|