| 10426 |
2021-07-23 09:43
|
 onedrive.exe d0aa862e7e3d80ed48ab0bfe0eb3dec8
RAT Generic Malware Malicious Packer PE32 .NET EXE PE File Malware download njRAT VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself ComputerName |
|
2
musicnote.soundcast.me(88.99.99.222) - malware
88.99.99.222 - malware
|
1
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
|
|
3.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10427 |
2021-07-23 09:44
|
 pool-1.exe 04ea3fcf816b22f98adf5267204615f0
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
9
http://www.essentiallyourscandles.com/p2io/?GPJ=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&oX=Txo8nZfpMrz4 - rule_id: 1553
http://www.thriveglucose.com/p2io/?GPJ=bgEje2qqVLxeqLNVlwWQjpUULYzLZlDcA+G1vxfW8Jz/ro52V1dcg5nZt+TpVqb/WeIjD6oW&oX=Txo8nZfpMrz4 - rule_id: 1568
http://www.cmannouncements.com/p2io/?GPJ=wzEdtbrAF/I1cRkF/h093gtD2EzP1yO8zPBZTUdll922Z1OUYyEpwi72EGdxEgGIGaDMgw4G&oX=Txo8nZfpMrz4 - rule_id: 1572
http://www.xzklrhy.com/p2io/?GPJ=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&oX=Txo8nZfpMrz4 - rule_id: 1696
http://www.austinpavingcompany.com/p2io/?GPJ=/p3UPvDrJtL2ffqgClQIzlUqVjEGCGPFDq2Hn6OfZmbiCDMT5Q5+tgpZIm5/Lurlq5QKJ4pz&oX=Txo8nZfpMrz4
http://www.yunlimall.com/p2io/?GPJ=FG8u3oFYMEksByvCNClu9ACxgqrSnZ6gPOMyaYsdv+YEYVVrg2Qkx51ZmTmiwfcSVwhsWZbW&oX=Txo8nZfpMrz4 - rule_id: 1551
http://www.adultpeace.com/p2io/?GPJ=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&oX=Txo8nZfpMrz4 - rule_id: 1554
http://www.hiddenwholesale.com/p2io/?GPJ=es7Y2j6fi7ykzyYZtmEK+cycNhd4T49F/AgpmDgn764GP1PGHDawcWJ0S7F8IUbT02LeJAjO&oX=Txo8nZfpMrz4 - rule_id: 1730
http://www.painhut.com/p2io/?GPJ=403u/w6DmQ0SdXY5uvN4cykoFcXgffqxcXVyEVQEiHIwKr5fFLVOKqQhRyqqhxyR2hkDTO+v&oX=Txo8nZfpMrz4 - rule_id: 2156
|
18
www.thriveglucose.com(184.168.131.241)
www.adultpeace.com(163.44.239.73)
www.painhut.com(3.130.158.209) - mailcious
www.cmannouncements.com(74.220.199.8)
www.austinpavingcompany.com(74.220.199.6)
www.essentiallyourscandles.com(23.227.38.74)
www.xzklrhy.com(156.255.140.216)
www.yunlimall.com(142.111.47.2)
www.hiddenwholesale.com(44.227.65.245) - mailcious
44.227.76.166 - mailcious
163.44.239.73 - mailcious
184.168.131.241 - mailcious
156.255.140.216 - mailcious
3.136.2.34
74.220.199.6 - mailcious
23.227.38.74 - mailcious
142.111.47.2 - mailcious
74.220.199.8 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
8
http://www.essentiallyourscandles.com/p2io/
http://www.thriveglucose.com/p2io/
http://www.cmannouncements.com/p2io/
http://www.xzklrhy.com/p2io/
http://www.yunlimall.com/p2io/
http://www.adultpeace.com/p2io/
http://www.hiddenwholesale.com/p2io/
http://www.painhut.com/p2io/
|
8.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10428 |
2021-07-23 09:45
|
 3.txt 83be60383dbe5cd4e9b29cdfedab74eb
Antivirus ScreenShot AntiDebug AntiVM VirusTotal Malware Check memory unpack itself |
|
|
|
|
1.4 |
M |
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10429 |
2021-07-23 09:45
|
 okilo.exe e85a0e1e81acbcea6a0e10eeedf32f6d
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
12.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10430 |
2021-07-23 09:47
|
faster4upc.exe 888ab99280a081717ec5c5749266d1bd
PE64 PE File VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10431 |
2021-07-23 09:47
|
 sw.wbk 7f52a50297c5622ebf51bcae89ad71fd
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
1
http://198.46.132.159/sww/sw/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10432 |
2021-07-23 09:49
|
 vbc.exe 422e50c25edd184233d2b19609cb1e05
PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software |
1
http://postmasterupdate.gq/BN1/fre.php
|
1
|
1
ET INFO DNS Query for Suspicious .gq Domain
|
|
6.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10433 |
2021-07-23 09:50
|
 Invoice_53907801.xls 2c13b06a4c6d4d880060037edf641ad5
Dridex VBA_macro Malicious Library MSOffice File PE32 DLL PE File VirusTotal Malware Check memory buffers extracted Creates executable files unpack itself suspicious process Windows |
1
http://waunake.com:8088/app/oQE8Qo7.png
|
2
waunake.com(128.199.243.169) - mailcious
128.199.243.169 - malware
|
1
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
3.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10434 |
2021-07-23 09:52
|
 sharp.exe de630bb125976ff343544b5645ea3ea1
Antivirus KeyLogger ScreenShot AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Cryptographic key |
2
http://www.austincitytexas.com/jn7g/?Sh=aE5JEFN/Jxx5Gq9WNyX3Gcm0X8aguKkgxF9hQucWPr7ZHAqwGlLVnccuu5Xo8MgQ5rftJ6QJ&RX=dnHxRbdHWxS4Yx5
https://cdn.discordapp.com/attachments/858793322087710753/863898136854003722/me.jpg
|
8
www.856380176.xyz(103.88.34.80)
google.com(172.217.175.46)
www.austincitytexas.com(184.168.131.241)
cdn.discordapp.com(162.159.135.233) - malware
172.217.26.142
162.159.129.233 - malware
184.168.131.241 - mailcious
103.88.34.80 - suspicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
|
|
14.6 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10435 |
2021-07-23 09:53
|
 pool-2.exe 734a568749c7879e5ca5ea2b8e082f5e
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
7
http://www.frystmor.city/wufn/?GVTD=eWg3OYora75B6Z+tLCzm5f6Ri2Qy6T4wPAbOFkNyDPrqSJvJlKf467sJrNVRbgaUTepkudSS&a48=tXIxBnJhDxNl
http://www.zwq.xyz/wufn/?GVTD=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&a48=tXIxBnJhDxNl
http://www.gaigoilaocai.com/wufn/?GVTD=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&a48=tXIxBnJhDxNl - rule_id: 2912
http://www.hk6628.com/wufn/?GVTD=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&a48=tXIxBnJhDxNl - rule_id: 2909
http://www.mybodysaver.com/wufn/?GVTD=iAyrziyFF9RqM6kqTrR2Gz8v85ou6HqcZ1qFLOyqSC08U8XZpeh2g5fFjWykbq8K9Lt/Vzcu&a48=tXIxBnJhDxNl
http://www.mimortgageexpert.com/wufn/?GVTD=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&a48=tXIxBnJhDxNl - rule_id: 2911
http://www.missk-hair.com/wufn/?GVTD=QA5BBw7ly3XV7rdL6v5wAQQVSDS/++tcHMtweDJAOMn1tktoEPZ8Vzb9/TOWS61k0EB1U5q0&a48=tXIxBnJhDxNl
|
15
www.mimortgageexpert.com(100.24.208.97)
www.qq4004.com()
www.missk-hair.com(91.216.107.201)
www.hk6628.com(34.102.136.180)
www.mybodysaver.com(172.67.177.211)
www.zwq.xyz(52.128.23.153)
www.gaigoilaocai.com(104.21.84.71)
www.frystmor.city(198.54.117.215)
198.54.117.218 - mailcious
52.128.23.153 - mailcious
34.102.136.180 - mailcious
91.216.107.201
100.24.208.97
104.21.84.71
104.21.91.185
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
3
http://www.gaigoilaocai.com/wufn/
http://www.hk6628.com/wufn/
http://www.mimortgageexpert.com/wufn/
|
8.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10436 |
2021-07-23 09:54
|
 Encoding.txt.vbs 9849195d7fe53ea210a2115dc190207fVirusTotal Malware unpack itself crashed |
|
|
|
|
1.0 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10437 |
2021-07-23 09:54
|
 usermasabikx.exe dc6a5d1b3accb015fe2b6f91176c57c5
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10438 |
2021-07-23 09:57
|
 templezx.exe 2a325a8d5588a4a0f59bedc75142082a
RAT Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E4E6A7073947C246631C2ED5D5DF9DD4.html - rule_id: 2706
https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2C78B2CBD412685DEABF12E54C7A0F43.html - rule_id: 2706
|
2
bakercost.gq(104.21.13.164) - mailcious
172.67.156.203
|
3
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://bakercost.gq/liverpool-fc-news/features/
https://bakercost.gq/liverpool-fc-news/features/
|
16.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10439 |
2021-07-23 09:58
|
 Server.exe f4777ed999fd8352227e750ac0e1b85d
njRAT backdoor Generic Malware PE32 .NET EXE PE File Malware download njRAT VirusTotal Malware ICMP traffic WriteConsoleW |
|
2
musicnote.soundcast.me(88.99.99.222) - malware
88.99.99.222 - malware
|
1
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
|
|
2.2 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10440 |
2021-07-23 10:01
|
 mazxfrnd.exe 679e61e35641582d91f79ec97752b2a5
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
9.8 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|