10666 | 2021-07-29 12:29 | avatar_fjub.png | 07c0e9bc0a6e4336ed6ca2aeed444063 | Generic Malware Malicious Library PE32 DLL PE File VirusTotal Malware | 1.2 | M | 26 | ZeroCERT
10667 | 2021-07-29 12:30 | button_nved5.png | d85acbbe7007a1fd45395f41ea1e8d17 | Generic Malware Malicious Library PE32 DLL PE File | 0.4 | M | | ZeroCERT
10668 | 2021-07-29 12:30 | filler_lfsbou.png | a6a50cc203d6ca41ecce2afd17ba0b28 | Generic Malware Malicious Library PE32 DLL PE File | 0.4 | M | | ZeroCERT
10669 | 2021-07-29 12:32 | vbc.exe | 6bfe2fb7f8d57f8ed975854b2d95c6bd | PWS Loki[b] Loki[m] .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software crashed
1 | http://sureflt.com/imt/fre.php
2 | sureflt.com(111.90.156.102); 111.90.156.102
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
13.0 | | 24 | ZeroCERT
10670 | 2021-07-30 10:25 | .audiodg.exe | fc030e6077d1a645b2bb1e0d77cc778d | PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed | 2.0 | | 37 | ZeroCERT
10671 | 2021-07-30 10:27 | vbc.exe | 9d92fb1d9dc509364b324872a133a5ac | Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows DNS Cryptographic key crashed
7 |
13 | www.mpoweru.life(34.102.136.180); www.stgilespantry.com(182.50.132.242); www.norarahimian.net(198.54.117.218); www.caodongmei.com(45.39.199.67); www.xn--dlicatbikini-beb.com(34.102.136.180); www.thaenablers.com(34.102.136.180); www.cydip.com(123.206.44.194); www.thafresnelgroup.com(); 198.54.117.210 - mailcious; 34.102.136.180 - mailcious; 45.39.199.67; 182.50.132.242 - mailcious; 123.206.44.194 - mailcious
3 | ET INFO Observed DNS Query to .life TLD; ET MALWARE FormBook CnC Checkin (GET); ET INFO HTTP Request to Suspicious *.life Domain
1 | http://www.cydip.com/p1nr/
9.2 | M | 26 | ZeroCERT
10672 | 2021-07-30 10:28 | ksvchost.exe | 0f9f7906389dee17c4606dd2cad2d214 | Generic Malware UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself | 2.2 | | 25 | ZeroCERT
10673 | 2021-07-30 10:28 | vbc.exe | 90d7398bd4bb66384b309201ce5f20f0 | PWS Loki[b] Loki[m] Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software
1 | sureflt.com(10.0.0.1) - mailcious
13.6 | | 25 | ZeroCERT
10674 | 2021-07-30 10:30 | DhcpcommonFontsession.exe | 999142f2751bd4d2d1da9a2d558029d3 | RAT Generic Malware Malicious Packer UPX PE32 OS Processor Check .NET EXE PE File VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk suspicious TLD VM Disk Size Check Windows ComputerName crashed
2 |
2 | api.samp-loader.ru(95.181.163.93); 95.181.163.93
6.8 | | 45 | ZeroCERT
10675 | 2021-07-30 10:32 | brokerhostperffontSavesdhcp.ex... | 840eb0664fe0d3fa68c8f16e0b1d970e | RAT Generic Malware Malicious Packer UPX PE32 OS Processor Check .NET EXE PE File VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS crashed keylogger
2 |
1 |
8.8 | M | 49 | ZeroCERT
10676 | 2021-07-30 10:33 | vbc.exe | 844aa82d8a7faac7c53778f82eebe8c1 | UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE32 PE File FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName
21 |
24 | www.cannamalism.com(34.102.136.180); onedrive.live.com(13.107.42.13) - mailcious; www.fuzhourexian.com(108.62.76.146); www.mobiessence.com(52.58.78.16); www.beastninjas.com(34.102.136.180); www.miamiqueensdress.com(75.2.115.196); pxqrda.sn.files.1drv.com(13.107.42.12); www.bransolute.com(192.185.236.169); www.titanusedcarsworth.com(); www.annettebrownlee.com(159.203.181.190); www.hanasugisaki.com(91.195.240.94); www.lawmetricssolicitors.com(66.45.250.213); www.kykyryky.art(194.58.112.174); 192.185.236.169; 52.58.78.16 - mailcious; 91.195.240.94 - phishing; 13.107.42.13 - mailcious; 13.107.42.12 - malware; 159.203.181.190; 34.102.136.180 - mailcious; 194.58.112.174 - mailcious; 108.62.76.146; 75.2.115.196; 66.45.250.213
2 | ET MALWARE FormBook CnC Checkin (GET); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | | 32 | ZeroCERT
10677 | 2021-07-30 10:33 | Desktop.exe | f31199c1fccb1fe693824f89573e4194 | Themida Packer Anti_VM DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare Check virtual network interfaces suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows ComputerName Firmware DNS crashed
5 |
3 | ipinfo.io(34.117.59.81); 62.109.1.30; 34.117.59.81
3 | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
13.2 | M | 52 | ZeroCERT
10678 | 2021-07-30 10:34 | bvack.exe | 59fb7442592a9c032fbabad5a797fbde | PWS .NET framework RAT Generic Malware UPX PE32 OS Processor Check .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key
1 |
4.6 | M | 34 | ZeroCERT
10679 | 2021-07-30 10:35 | reviewwinfontrefperf.exe | cc982bb10719da0325bdd790df6b3a03 | RAT Generic Malware Malicious Packer UPX PE32 OS Processor Check .NET EXE PE File Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces AntiVM_Disk IP Check VM Disk Size Check Tofsee Windows Browser ComputerName DNS Cryptographic key
2 |
4 | ipinfo.io(34.117.59.81); 62.109.1.30; 78.24.217.56; 34.117.59.81
3 | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
8.6 | M | 46 | ZeroCERT
10680 | 2021-07-30 10:37 | file.exe | 042edfa930d712dd70b6adee1218d3d9 | UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself | 2.2 | M | 27 | ZeroCERT