10426 | 2021-07-23 09:43 | onedrive.exe | d0aa862e7e3d80ed48ab0bfe0eb3dec8
Tags: RAT Generic Malware Malicious Packer PE32 .NET EXE PE File Malware download njRAT VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself ComputerName
Hosts (2): musicnote.soundcast.me(88.99.99.222) - malware 88.99.99.222 - malware
Alerts (1): ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
3.4 | M | 22 | ZeroCERT

10427 | 2021-07-23 09:44 | pool-1.exe | 04ea3fcf816b22f98adf5267204615f0
Tags: PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (9): http://www.essentiallyourscandles.com/p2io/?GPJ=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&oX=Txo8nZfpMrz4 - rule_id: 1553 http://www.thriveglucose.com/p2io/?GPJ=bgEje2qqVLxeqLNVlwWQjpUULYzLZlDcA+G1vxfW8Jz/ro52V1dcg5nZt+TpVqb/WeIjD6oW&oX=Txo8nZfpMrz4 - rule_id: 1568 http://www.cmannouncements.com/p2io/?GPJ=wzEdtbrAF/I1cRkF/h093gtD2EzP1yO8zPBZTUdll922Z1OUYyEpwi72EGdxEgGIGaDMgw4G&oX=Txo8nZfpMrz4 - rule_id: 1572 http://www.xzklrhy.com/p2io/?GPJ=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&oX=Txo8nZfpMrz4 - rule_id: 1696 http://www.austinpavingcompany.com/p2io/?GPJ=/p3UPvDrJtL2ffqgClQIzlUqVjEGCGPFDq2Hn6OfZmbiCDMT5Q5+tgpZIm5/Lurlq5QKJ4pz&oX=Txo8nZfpMrz4 http://www.yunlimall.com/p2io/?GPJ=FG8u3oFYMEksByvCNClu9ACxgqrSnZ6gPOMyaYsdv+YEYVVrg2Qkx51ZmTmiwfcSVwhsWZbW&oX=Txo8nZfpMrz4 - rule_id: 1551 http://www.adultpeace.com/p2io/?GPJ=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&oX=Txo8nZfpMrz4 - rule_id: 1554 http://www.hiddenwholesale.com/p2io/?GPJ=es7Y2j6fi7ykzyYZtmEK+cycNhd4T49F/AgpmDgn764GP1PGHDawcWJ0S7F8IUbT02LeJAjO&oX=Txo8nZfpMrz4 - rule_id: 1730 http://www.painhut.com/p2io/?GPJ=403u/w6DmQ0SdXY5uvN4cykoFcXgffqxcXVyEVQEiHIwKr5fFLVOKqQhRyqqhxyR2hkDTO+v&oX=Txo8nZfpMrz4 - rule_id: 2156
Hosts (18): www.thriveglucose.com(184.168.131.241) www.adultpeace.com(163.44.239.73) www.painhut.com(3.130.158.209) - mailcious www.cmannouncements.com(74.220.199.8) www.austinpavingcompany.com(74.220.199.6) www.essentiallyourscandles.com(23.227.38.74) www.xzklrhy.com(156.255.140.216) www.yunlimall.com(142.111.47.2) www.hiddenwholesale.com(44.227.65.245) - mailcious 44.227.76.166 - mailcious 163.44.239.73 - mailcious 184.168.131.241 - mailcious 156.255.140.216 - mailcious 3.136.2.34 74.220.199.6 - mailcious 23.227.38.74 - mailcious 142.111.47.2 - mailcious 74.220.199.8 - mailcious
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
URL paths (8): http://www.essentiallyourscandles.com/p2io/ http://www.thriveglucose.com/p2io/ http://www.cmannouncements.com/p2io/ http://www.xzklrhy.com/p2io/ http://www.yunlimall.com/p2io/ http://www.adultpeace.com/p2io/ http://www.hiddenwholesale.com/p2io/ http://www.painhut.com/p2io/
8.4 | M | 31 | ZeroCERT

10428 | 2021-07-23 09:45 | 3.txt | 83be60383dbe5cd4e9b29cdfedab74eb
Tags: Antivirus ScreenShot AntiDebug AntiVM VirusTotal Malware Check memory unpack itself
1.4 | M | 1 | ZeroCERT

10429 | 2021-07-23 09:45 | okilo.exe | e85a0e1e81acbcea6a0e10eeedf32f6d
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
Hosts (1):
12.8 | M | 25 | ZeroCERT

10430 | 2021-07-23 09:47 | faster4upc.exe | 888ab99280a081717ec5c5749266d1bd
Tags: PE64 PE File VirusTotal Malware crashed
1.6 | M | 24 | ZeroCERT

10431 | 2021-07-23 09:47 | sw.wbk | 7f52a50297c5622ebf51bcae89ad71fd
Tags: RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader
URLs (1): http://198.46.132.159/sww/sw/vbc.exe
Hosts (1):
Alerts (6): ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6.0 | M | 31 | ZeroCERT

10432 | 2021-07-23 09:49 | vbc.exe | 422e50c25edd184233d2b19609cb1e05
Tags: PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://postmasterupdate.gq/BN1/fre.php
Hosts (1):
Alerts (1): ET INFO DNS Query for Suspicious .gq Domain
6.2 | M | 28 | ZeroCERT

10433 | 2021-07-23 09:50 | Invoice_53907801.xls | 2c13b06a4c6d4d880060037edf641ad5
Tags: Dridex VBA_macro Malicious Library MSOffice File PE32 DLL PE File VirusTotal Malware Check memory buffers extracted Creates executable files unpack itself suspicious process Windows
URLs (1): http://waunake.com:8088/app/oQE8Qo7.png
Hosts (2): waunake.com(128.199.243.169) - mailcious 128.199.243.169 - malware
Alerts (1): ET POLICY PE EXE or DLL Windows file download HTTP
3.2 | M | 21 | ZeroCERT

10434 | 2021-07-23 09:52 | sharp.exe | de630bb125976ff343544b5645ea3ea1
Tags: Antivirus KeyLogger ScreenShot AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Cryptographic key
URLs (2): http://www.austincitytexas.com/jn7g/?Sh=aE5JEFN/Jxx5Gq9WNyX3Gcm0X8aguKkgxF9hQucWPr7ZHAqwGlLVnccuu5Xo8MgQ5rftJ6QJ&RX=dnHxRbdHWxS4Yx5 https://cdn.discordapp.com/attachments/858793322087710753/863898136854003722/me.jpg
Hosts (8): www.856380176.xyz(103.88.34.80) google.com(172.217.175.46) www.austincitytexas.com(184.168.131.241) cdn.discordapp.com(162.159.135.233) - malware 172.217.26.142 162.159.129.233 - malware 184.168.131.241 - mailcious 103.88.34.80 - suspicious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
14.6 | M | 17 | ZeroCERT

10435 | 2021-07-23 09:53 | pool-2.exe | 734a568749c7879e5ca5ea2b8e082f5e
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (7): http://www.frystmor.city/wufn/?GVTD=eWg3OYora75B6Z+tLCzm5f6Ri2Qy6T4wPAbOFkNyDPrqSJvJlKf467sJrNVRbgaUTepkudSS&a48=tXIxBnJhDxNl http://www.zwq.xyz/wufn/?GVTD=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&a48=tXIxBnJhDxNl http://www.gaigoilaocai.com/wufn/?GVTD=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&a48=tXIxBnJhDxNl - rule_id: 2912 http://www.hk6628.com/wufn/?GVTD=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&a48=tXIxBnJhDxNl - rule_id: 2909 http://www.mybodysaver.com/wufn/?GVTD=iAyrziyFF9RqM6kqTrR2Gz8v85ou6HqcZ1qFLOyqSC08U8XZpeh2g5fFjWykbq8K9Lt/Vzcu&a48=tXIxBnJhDxNl http://www.mimortgageexpert.com/wufn/?GVTD=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&a48=tXIxBnJhDxNl - rule_id: 2911 http://www.missk-hair.com/wufn/?GVTD=QA5BBw7ly3XV7rdL6v5wAQQVSDS/++tcHMtweDJAOMn1tktoEPZ8Vzb9/TOWS61k0EB1U5q0&a48=tXIxBnJhDxNl
Hosts (15): www.mimortgageexpert.com(100.24.208.97) www.qq4004.com() www.missk-hair.com(91.216.107.201) www.hk6628.com(34.102.136.180) www.mybodysaver.com(172.67.177.211) www.zwq.xyz(52.128.23.153) www.gaigoilaocai.com(104.21.84.71) www.frystmor.city(198.54.117.215) 198.54.117.218 - mailcious 52.128.23.153 - mailcious 34.102.136.180 - mailcious 91.216.107.201 100.24.208.97 104.21.84.71 104.21.91.185
Alerts (2): ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
URL paths (3): http://www.gaigoilaocai.com/wufn/ http://www.hk6628.com/wufn/ http://www.mimortgageexpert.com/wufn/
8.2 | M | 24 | ZeroCERT

10436 | 2021-07-23 09:54 | Encoding.txt.vbs | 9849195d7fe53ea210a2115dc190207f
Tags: VirusTotal Malware unpack itself crashed
1.0 | | 1 | ZeroCERT

10437 | 2021-07-23 09:54 | usermasabikx.exe | dc6a5d1b3accb015fe2b6f91176c57c5
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
9.0 | M | 29 | ZeroCERT

10438 | 2021-07-23 09:57 | templezx.exe | 2a325a8d5588a4a0f59bedc75142082a
Tags: RAT Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (2): https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E4E6A7073947C246631C2ED5D5DF9DD4.html - rule_id: 2706 https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2C78B2CBD412685DEABF12E54C7A0F43.html - rule_id: 2706
Hosts (2): bakercost.gq(104.21.13.164) - mailcious 172.67.156.203
Alerts (3): ET INFO DNS Query for Suspicious .gq Domain ET INFO Suspicious Domain (*.gq) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URL paths (2): https://bakercost.gq/liverpool-fc-news/features/ https://bakercost.gq/liverpool-fc-news/features/
16.0 | M | 21 | ZeroCERT

10439 | 2021-07-23 09:58 | Server.exe | f4777ed999fd8352227e750ac0e1b85d
Tags: njRAT backdoor Generic Malware PE32 .NET EXE PE File Malware download njRAT VirusTotal Malware ICMP traffic WriteConsoleW
Hosts (2): musicnote.soundcast.me(88.99.99.222) - malware 88.99.99.222 - malware
Alerts (1): ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
2.2 | M | 56 | ZeroCERT

10440 | 2021-07-23 10:01 | mazxfrnd.exe | 679e61e35641582d91f79ec97752b2a5
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed
Hosts (1):
9.8 | M | 34 | ZeroCERT