10681 | 2021-07-30 10:37 | loader.exe 2136731abbe410fb24240c34f1a47260 VMProtect Malicious Packer UPX Malicious Library AntiDebug AntiVM PE32 OS Processor Check PE File DLL Malware download VirusTotal Malware GhostRAT PDB Code Injection Checks debugger Creates executable files unpack itself Detects VMWare suspicious process VMware Tofsee RAT Backdoor ComputerName Trojan DNS crashed
1 | https://www.ez-cheats.com/panel/topup_hwid.php?h=085ec62e9b2ec0ab976156f2008398da
3 | www.ez-cheats.com(43.255.241.176) 43.255.241.176 - malware 34.117.59.81
4 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server ET MALWARE Backdoor family PCRat/Gh0st CnC traffic ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
|
9.0 | M | 20 | ZeroCERT
10682 | 2021-07-30 10:39 | 694271_Telegram_Buratino-T.apk dc030efa5973ba809bad2f544d9b18d2 Generic Malware VirusTotal Malware
|
|
|
|
1.0 | M | 35 | ZeroCERT
10683 | 2021-07-30 10:40 | pmo-01.exe 121a6914b86cfc9ca8d12864cba4da75 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows DNS Cryptographic key crashed
8 | http://www.rootmoover.com/wufn/?KzrxE=jUqWC+wM+s2Yehearj52syV+yALdMbb6PeN2CvBJSFCwW1HLktm3ATZosqzbiXJTH9I2JiE2&p0D=AfpHLx9 http://www.iqpt.info/wufn/?KzrxE=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&p0D=AfpHLx9 - rule_id: 2910 http://www.intoxickiss.com/wufn/?KzrxE=eFcjLRgeiIUzDbHmwTb3Jzj/ojOR5Bd5C6w81D5RMgQILdL/YJI1IKkLX7W57Fxdc9GGy5Q6&p0D=AfpHLx9 http://www.gaigoilaocai.com/wufn/?KzrxE=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&p0D=AfpHLx9 - rule_id: 2912 http://www.cummingsforum.com/wufn/?KzrxE=PGuDT0srb8+GzzH8GojBu9jJOM86wXlCLaZQF9oyMbXQcbHCqOG6UzGQhd2hamBsdTomrrU0&p0D=AfpHLx9 - rule_id: 3523 http://www.setadragon.com/wufn/?KzrxE=p6EPLUx6SmQWyT0aKUYWey1/moK0HCihbvuUxAKosV5aIj7OYHg92cDuRvb6vmm9eY3daRqd&p0D=AfpHLx9 - rule_id: 3486 http://www.zwq.xyz/wufn/?KzrxE=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&p0D=AfpHLx9 - rule_id: 3226 http://www.hk6628.com/wufn/?KzrxE=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&p0D=AfpHLx9 - rule_id: 2909
17 | www.intoxickiss.com(151.101.192.119) www.hk6628.com(34.102.136.180) www.zwq.xyz(52.128.23.153) www.iqpt.info(67.199.248.13) www.kyg-cpa.com() - mailcious www.setadragon.com(209.99.40.222) www.gaigoilaocai.com(172.67.187.204) www.rootmoover.com(23.227.38.74) www.cummingsforum.com(34.102.136.180) 52.128.23.153 - mailcious 43.255.241.176 - malware 209.99.40.222 - mailcious 34.102.136.180 - mailcious 67.199.248.12 - mailcious 172.67.187.204 - mailcious 151.101.128.119 23.227.38.74 - mailcious
2 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
6 | http://www.iqpt.info/wufn/ http://www.gaigoilaocai.com/wufn/ http://www.cummingsforum.com/wufn/ http://www.setadragon.com/wufn/ http://www.zwq.xyz/wufn/ http://www.hk6628.com/wufn/
9.8 | M | 26 | ZeroCERT
10684 | 2021-07-30 10:41 | vbc.exe b6e6712ed64dc7d72f13f84ef50c04ad Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows DNS Cryptographic key
|
1 |
|
|
5.8 | M | 25 | ZeroCERT
10685 | 2021-07-30 10:42 | 0GTTI98V0N.exe 096fc2ac3b2337b2293a9f64a8bc06c7 PWS .NET framework RAT Generic Malware UPX PE32 .NET EXE PE File JPEG Format PNG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces Tofsee Browser ComputerName DNS Software crashed
5 | http://duckyu.biz/corona//image.png http://api.my-ip.io/ip http://freegeoip.app/xml/ https://freegeoip.app/xml/ https://api.my-ip.io/ip
6 | freegeoip.app(104.21.19.200) api.my-ip.io(157.245.5.40) duckyu.biz(178.208.83.29) 157.245.5.40 172.67.188.154 178.208.83.29
3 | ET INFO Observed DNS Query to .biz TLD ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
6.8 | M | 49 | ZeroCERT
10686 | 2021-07-30 10:43 | @bbakoch.exe 109c885cfa000ea4d0c72f9e30e7191c PWS .NET framework RAT Generic Malware UPX PE32 OS Processor Check .NET EXE PE File Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
2 | http://45.82.179.116:10425/ https://api.ip.sb/geoip
3 | api.ip.sb(104.26.12.31) 172.67.75.172 45.82.179.116
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
6.8 | M | 43 | ZeroCERT
10687 | 2021-07-30 10:44 | SessionBrokerhostCrtCommonSave... cd0b926202baba9c26fde1d71e6b38a7 RAT Generic Malware Malicious Packer UPX DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE32 OS Processor Check .NET EXE PE VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS
|
1 |
|
|
9.0 | M | 32 | ZeroCERT
10688 | 2021-07-30 10:46 | can.exe d7c3ab252ef50bfbce42bd5ef67a4217 PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed
|
|
|
|
2.4 | M | 35 | ZeroCERT
10689 | 2021-07-30 10:46 | downloaddocument.do 8dcc2d557edcd14aa33dd738ea58f937 Emotet Gen1 Malicious Packer UPX Malicious Library PE32 OS Processor Check DLL PE File Dridex TrickBot VirusTotal Malware Report suspicious privilege MachineGuid Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed
4 | https://138.34.28.219/login.cgi?uri=/index.html - rule_id: 2674 https://138.34.28.219/cookiechecker?uri=/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/ - rule_id: 2675 https://138.34.28.219/index.html - rule_id: 2677 https://138.34.28.219/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
13 | 185.56.76.28 - mailcious 60.51.47.65 - mailcious 154.58.23.192 - mailcious 45.36.99.184 - mailcious 68.69.26.182 - mailcious 217.115.240.248 - mailcious 185.56.76.108 - mailcious 97.83.40.67 - mailcious 38.110.100.142 - mailcious 38.110.103.18 - mailcious 185.56.76.94 - mailcious 138.34.28.219 - mailcious 24.162.214.166 - mailcious
5 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 25 ET CNC Feodo Tracker Reported CnC Server group 16 ET CNC Feodo Tracker Reported CnC Server group 19
3 | https://138.34.28.219/login.cgi https://138.34.28.219/cookiechecker https://138.34.28.219/index.html
8.4 | M | 17 | ZeroCERT
10690 | 2021-07-30 10:48 | chrome.exe 90eb803d0e395eab28a6dc39a7504cc4 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware Report suspicious privilege MachineGuid Code Injection Checks debugger buffers extracted exploit crash unpack itself installed browsers check Windows Exploit Browser DNS Cryptographic key crashed
|
2 | 45.36.99.184 - mailcious 24.162.214.166 - mailcious
2 | ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 16
|
10.4 | M | 15 | ZeroCERT
10691 | 2021-07-30 10:49 | lv.exe 07a8066356c148cb6de49f858865a99f NPKI Emotet Gen1 Gen2 Malicious Library UPX Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiD VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows
|
1 | HvzRVtijmTzktm.HvzRVtijmTzktm()
|
|
6.2 | M | 28 | ZeroCERT
10692 | 2021-07-30 10:50 | babkadeda.exe 536e4abcd95e47970c6dcad2a6a4dec8 PWS .NET framework RAT Generic Malware UPX PE32 OS Processor Check .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key
|
1 |
|
|
4.8 | M | 49 | ZeroCERT
10693 | 2021-07-30 10:50 | .csrss.exe b158c924678cd5bac37bfd7bfc9d8781 Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself
|
|
|
|
2.2 | M | 34 | ZeroCERT
10694 | 2021-07-30 10:52 | Tms5ke8HVQpO8gl.exe 91e00dfab0a4c96a3eb89ea38eff74c4 PWS Loki[b] Loki[m] Generic Malware UPX DNS Socket KeyLogger HTTP Internet API ScreenShot Http API AntiDebug AntiVM PE32 .NET EXE PE File Malware download Azorult VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key
1 | http://treasurerauditor.com/temp/oka/index.php
2 | treasurerauditor.com(62.109.19.133) 62.109.19.133
1 | ET MALWARE AZORult Variant.4 Checkin M2
|
9.0 | M | 20 | ZeroCERT
10695 | 2021-07-30 10:53 | Minerrr.exe 9f6215f166653c320ed7e749d6114cdd RAT Generic Malware PE64 PE File VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
|
|
|
|
5.8 | M | 20 | ZeroCERT