10576 |
2021-07-28 09:32
klSsrzxwsbxeJQh.exe 3be1fa609b4f6efa9d30b5c75810f863 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key |
7
http://www.dalebutano.com/b82a/?-Zu8_b3=gKD5NtC4fTioSfvShA99CplHn7GAjP5PgTVMkmQmDTrQ8HiYIISuHZbyn54CbjgFr4dPN0pw&CxoHs=2djDG http://www.repealpna.com/b82a/?-Zu8_b3=DBv2YLvGrBtFA7FbYJy8uwrDKeq7CRQfo+DeXBIDG2YxtdcabQ4Q6OC20Uy8UEh4HQ5M9gfq&CxoHs=2djDG http://www.trezteez.com/b82a/?-Zu8_b3=49RwCysUuDnRjl2LzJV0pYvjhbXcAyM06fZnSyKV1Ay0CoGqVm4fxVEDF1QJbP04QPGVlTao&CxoHs=2djDG http://www.parkwood.tech/b82a/?-Zu8_b3=/z3n6R4FpACLUBikktWDutW0f/kH6c8C8uxQKlzAMorBwXKy2lD7+KF2nPN/AvmXhUjvVlqe&CxoHs=2djDG http://www.lovelyeses.com/b82a/?-Zu8_b3=OC3hoU/XNWa0efefcJmWpJz0GTIPKMi50H4GFwqlWKmZvMtXJleuqbV5htVM8MuOPJTWhmSI&CxoHs=2djDG http://www.sarelawadisangh.com/b82a/?-Zu8_b3=a+bqJ2vu31tEFtvRwR6YfsjFBpbGq/WRpEN6RQ+Ukl8hEdGo9kZKgxp4opP13Jph7fgRNUAx&CxoHs=2djDG http://www.lianhx.com/b82a/?-Zu8_b3=8aVkre+BWHUUtaDJCJiiyu9h9wCPC7z8QPIIJxDkdgUC2V5jvv20aTETpNVjnX8FlLkILQGQ&CxoHs=2djDG
16
www.smugfantasyfootball.com() www.sarelawadisangh.com(66.29.132.67) www.repealpna.com(104.196.52.162) www.parkwood.tech(34.102.136.180) www.dalebutano.com(91.195.240.13) www.lianhx.com(104.252.121.226) www.organowantcreator.com() www.trezteez.com(23.227.38.74) www.gehdeinweg.club() www.lovelyeses.com(23.227.38.74) 104.252.121.226 91.195.240.13 - phishing 34.102.136.180 - mailcious 23.227.38.74 - mailcious 104.196.52.162 66.29.132.67
1
ET MALWARE FormBook CnC Checkin (GET)
9.0 |
22 |
ZeroCERT
10577 |
2021-07-28 09:34
.audiodg.exe 66da45ed268a07990768ee03d70e4502 PWS Loki[b] Loki[m] .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx - rule_id: 2584
1
185.227.139.18 - mailcious
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
1
http://185.227.139.18/dsaicosaicasdi.php
14.2 |
M |
38 |
ZeroCERT
10578 |
2021-07-28 09:35
vbc.exe 18e38eae3d407418b879271c9b5736bd UPX Malicious Library PE32 PE File FormBook Emotet Malware download VirusTotal Malware Buffer PE Code Injection Malicious Traffic buffers extracted ICMP traffic RWX flags setting unpack itself Tofsee Remote Code Execution |
13
http://www.brightimewatches.com/bsk9/ - rule_id: 2990 http://www.mycupofteainnovations.com/bsk9/ - rule_id: 2987 http://www.mycupofteainnovations.com/bsk9/?t8o4nPp=Si5ZJRft9DXQG2cDg3004meRUKMojHlA9AsgkzbvAOzWsE4N89OHu/2KBDAzoyeOENkp7ks8&jPj8q=Klh8 - rule_id: 2987 http://www.texttalktv.com/bsk9/?t8o4nPp=1ZhD0vtF2duhbIhiPjCtKCwSgB3qgGhCJxQx1JqwbXK1OmkrsYZcetPPHcWMEPEbw96IhHtQ&jPj8q=Klh8 http://www.tombison.com/bsk9/ http://www.tombison.com/bsk9/?t8o4nPp=ogtt1MRFxFLond3QItB5pQGTqAA1l5pj16H7SQAv8iWZ8sAVaMDbEFV2t+4JtDPR25+GXpiQ&jPj8q=Klh8 http://www.brightimewatches.com/bsk9/?t8o4nPp=kaXVI8mGssjTav/La5mnkdXKeQWIgX/VfzBlfkVGxIFVCgMTzil3/n4Sv05bj+iGu4kpHiKs&jPj8q=Klh8 - rule_id: 2990 http://www.designtechnician.com/bsk9/ http://www.designtechnician.com/bsk9/?t8o4nPp=TvVK73TRf5j6s1n7h7T5c3CBRbgVn1dkElf2PsyhDBWyU3z8P+JBq7DG4FpqoYni6N2IZF7Y&jPj8q=Klh8 http://www.ds-117.com/bsk9/ http://www.ds-117.com/bsk9/?t8o4nPp=hooPU96Upk2pq/4iMoeF2F/+J701iyWmziTSNhhyumhkPjSDDokaN9dimgHfx2T3RL15aR4L&jPj8q=Klh8 http://www.texttalktv.com/bsk9/ https://cdn.discordapp.com/attachments/862558875870036001/869107915900989440/Mnwgrkqawpzldlsoxhgayuiojpposxx
16
www.zc168sl.com() www.texttalktv.com(34.102.136.180) www.mycupofteainnovations.com(182.50.132.242) www.tombison.com(208.109.22.100) www.brightimewatches.com(64.34.75.141) www.designtechnician.com(88.214.207.96) cdn.discordapp.com(162.159.129.233) - malware www.ds-117.com(34.102.136.180) www.kevops.xyz() www.postyachtforsale.info() 162.159.134.233 - malware 64.34.75.141 - mailcious 34.102.136.180 - mailcious 182.50.132.242 - mailcious 88.214.207.96 - mailcious 208.109.22.100
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
4
http://www.brightimewatches.com/bsk9/ http://www.mycupofteainnovations.com/bsk9/ http://www.mycupofteainnovations.com/bsk9/ http://www.brightimewatches.com/bsk9/
8.8 |
M |
30 |
ZeroCERT
10579 |
2021-07-28 09:35
direction.png.exe 499200f6a8e223c057c6e16701740721 UPX PE32 DLL PE File VirusTotal Malware |
1.0 |
M |
22 |
guest
10580 |
2021-07-28 09:36
dllhost.exe 56784137661c7e02c6c0e36b8fd217de PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed |
2.4 |
M |
33 |
ZeroCERT
10581 |
2021-07-28 09:37
.svchost.exe 098d627a93cd7687f54c4bd1c342e00d Generic Malware Malicious Packer UPX PE32 PE File VirusTotal Malware RWX flags setting unpack itself |
1.6 |
M |
21 |
ZeroCERT
10582 |
2021-07-28 09:38
.csrss.exe f3a4f1cc5720b34b682d65f04bd122fe RAT Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key |
5.8 |
M |
25 |
ZeroCERT
10583 |
2021-07-28 09:38
KLcaCYuAidZMbBJ.exe 77e9f5464c103f8fedf6ae500d87dd32 PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed |
2.4 |
M |
31 |
ZeroCERT
10584 |
2021-07-28 09:40
EBN.exe 4ff2f77e4d4cf8207749dd70205c6551 Generic Malware Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName DNS DDNS |
1
http://checkip.dyndns.org/
2
checkip.dyndns.org(193.122.130.0) 132.226.247.73
2
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org
9.0 |
M |
25 |
ZeroCERT
10585 |
2021-07-28 09:43
HAM.exe d9b7fb50628a76fe7603d82f6f0c0bd8 Generic Malware Malicious Packer DNS AntiDebug AntiVM PE32 .NET EXE PE File Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
2
godisgood1.hopto.org(103.167.85.222) - mailcious 103.167.85.222
2
ET POLICY DNS Query to DynDNS Domain *.hopto .org ET MALWARE Possible NanoCore C2 60B
14.0 |
M |
25 |
ZeroCERT
10586 |
2021-07-28 09:45
porto.pdf.exe 8dd7c961c9cdbd69e9a5d86d7809fc50 Emotet Malicious Packer UPX Malicious Library PE32 OS Processor Check DLL PE File Dridex TrickBot VirusTotal Malware Report PDB suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
4
https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674 https://38.110.100.104/rob112/TEST22-PC_W617601.FFDA4B5123BB5AAFD6D6B3F691D7C683/5/file/ https://138.34.28.219/index.html - rule_id: 2677 https://138.34.28.219/cookiechecker?uri=/rob112/TEST22-PC_W617601.FFDA4B5123BB5AAFD6D6B3F691D7C683/5/file/ - rule_id: 2675
12
185.56.76.28 - mailcious 60.51.47.65 - mailcious 204.138.26.60 - mailcious 74.85.157.139 - mailcious 38.110.103.124 - mailcious 38.110.103.136 - mailcious 185.56.76.108 - mailcious 185.56.76.72 38.110.100.104 - mailcious 185.56.76.94 - mailcious 138.34.28.219 - mailcious 24.162.214.166 - mailcious
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 22 ET CNC Feodo Tracker Reported CnC Server group 16 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
3
https://138.34.28.219/login.cgi https://138.34.28.219/index.html https://138.34.28.219/cookiechecker
8.8 |
M |
21 |
guest
10587 |
2021-07-28 11:33
direction.png.exe 499200f6a8e223c057c6e16701740721 Generic Malware Malicious Packer UPX Malicious Library PE32 DLL PE File VirusTotal Malware |
1.0 |
M |
22 |
r0d
10588 |
2021-07-28 13:29
Delegation Visit.exe 80ac2514cd9b41ea87c35610596165e4 RAT PWS .NET framework Generic Malware Anti_VM PDF PE32 .NET EXE PE File VirusTotal Malware PDB Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces suspicious process AppData folder ComputerName DNS |
2
http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
3
swupmf.adobe.com(23.201.36.139) 23.212.12.57 161.97.164.143
7.2 |
|
48 |
guest
10589 |
2021-07-28 13:32
https://support.apple.com/kb/H... 65dea483ccf0f75d0b58c8892163538c DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
55
https://www.apple.com/wss/fonts/SF-Pro-Display/v1/sf-pro-display_semibold.woff https://support.apple.com/favicon.ico https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_regular.woff https://support.apple.com/clientside/build/FujiStitchPath.js https://www.apple.com/wss/fonts/SF-Pro-Display/v1/sf-pro-display_light.woff https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/legacy/appleicons_thin.ttf https://support.apple.com/clientside/build/app-ht.css https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_regular-italic.woff https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/links/mac/image_large.svg https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/legacy/appleicons_thin.woff https://km.support.apple.com/clientside/build/launch.js https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/links/ipad/image_large.svg https://www.apple.com/wss/fonts/SF-Pro-Icons/v1/SFProIcons_medium.woff https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_medium-italic.woff https://support.apple.com/ko-kr/HT201222 https://www.apple.com/wss/fonts/SF-Pro-Display/v1/sf-pro-display_thin.woff https://www.apple.com/wss/fonts/SF-Pro-Display/v1/sf-pro-display_regular.woff https://support.apple.com/kb/HT201222 https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_thin-italic.woff https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/bag/image_large.svg https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/links/watch/image_large.svg https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_semibold.woff https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_light.woff https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/links/music/image_large.svg https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_semibold-italic.woff https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/apple/image_large.svg https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/links/support/image_large.svg 
https://www.apple.com/ac/globalnav/5/ko_KR/scripts/ac-globalnav.built.js https://www.apple.com/ac/globalnav/5/ko_KR/styles/ac-globalnav.built.css https://www.apple.com/wss/fonts/SF-Pro-Icons/v1/SFProIcons_light.woff https://support.apple.com/clientside/build/nn.js https://www.apple.com/wss/fonts/SF-Pro-KR/v1/SFProKR_thin.woff https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/search/image_large.svg https://www.apple.com/ac/globalnav/5/ko_KR/images/globalnav/links/iphone/image_large.svg https://support.apple.com/etc/designs/support/publish/JS/pattern/accsoffer.js https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/legacy/appleicons_ultralight.ttf https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/breadcrumbs/separator/icon_large.svg https://www.apple.com/ac/globalfooter/3/ko_KR/styles/ac-globalfooter.built.css https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/legacy/appleicons_text.woff https://www.apple.com/wss/fonts/SF-Pro-Icons/v1/SFProIcons_regular.woff https://support.apple.com/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_medium.woff https://support.apple.com/etc/designs/support/publish/CSS/pattern/accs-offer.css https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_light-italic.woff https://www.apple.com/wss/fonts/SF-Pro-KR/v1/SFProKR_semibold.woff https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/legacy/appleicons_text.ttf https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/breadcrumbs/apple/icon_large.svg https://www.apple.com/wss/fonts?families=:SF+Pro+KR,v1:200,300,400,500,600|SF+Pro,v1:200,300,400,500,600|SF+Pro+Icons,v1 https://www.apple.com/wss/fonts/SF-Pro-KR/v1/SFProKR_medium.woff https://www.apple.com/ac/globalfooter/3/ko_KR/assets/ac-footer/legacy/appleicons_ultralight.woff https://www.apple.com/wss/fonts/SF-Pro-Display/v1/sf-pro-display_medium.woff 
https://support.apple.com/clientside/build/app-ht-route.js https://www.apple.com/wss/fonts/SF-Pro-Icons/v1/SFProIcons_semibold.woff https://www.apple.com/wss/fonts/SF-Pro-Text/v1/sf-pro-text_thin.woff https://www.apple.com/search-services/suggestions/defaultlinks/?src=globalnav_support&locale=ko_KR
5
km.support.apple.com(104.75.11.183) support.apple.com(104.75.11.183) www.apple.com(104.74.192.158) 23.53.225.218 104.75.11.183
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.6 |
|
|
guest
10590 |
2021-07-28 13:33
Conf Pts.pdf _ _ _.pdf.exe 028e4fe5858806375cef3fe66b45b5f8 NPKI RAT Generic Malware PDF PE32 .NET EXE PE File VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself AppData folder WriteConsoleW Windows |
2
http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
3
swupmf.adobe.com(23.201.36.139) 23.201.36.139 23.212.12.57
5.6 |
|
48 |
guest