10831 | 2021-08-03 17:05
7f1f7c5c4b6b486e5ba93409440362... 7f1f7c5c4b6b486e5ba9340944036285 VBA_macro MSOffice File VirusTotal Malware RWX flags setting unpack itself
2.8 | 25 | ZeroCERT
10832 | 2021-08-03 18:29
2670767360cnf.xlsx 39ca085ce4df97ba36a9a61666be7b3f Generic Malware MSOffice File Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash unpack itself Windows Exploit DNS crashed
1 |
  http://103.155.82.200/msword/.csrss.exe
1 |
5 |
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.4 | M | 21 | ZeroCERT
10833 | 2021-08-03 18:30
PO20201120 PACKING LIST & INVO... 4a044c98d5e93a64d63e0bd2aa4f14d8 Generic Malware MSOffice File Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
1 |
  http://45.137.22.103/cctv/vbc.exe
1 |
6 |
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.0 | M | 23 | ZeroCERT
10834 | 2021-08-04 09:25
mbv.exe c7fa8f8171852a11239f8e2c2b38815c UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware unpack itself
1.6 | 22 | ZeroCERT
10835 | 2021-08-04 09:25
Clownic1.0.exe 711486a19e8b011528dee34a5d25776e RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself
2.4 | 44 | ZeroCERT
10836 | 2021-08-04 09:27
Autoupdate.exe 1d46827289d9ae8b53f8f7ae54f89000 Generic Malware Antivirus UPX PE File OS Processor Check .NET EXE PE32 GIF Format VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key
1 |
  volamnoibo.com(103.200.22.212)
4.8 | 36 | ZeroCERT
10837 | 2021-08-04 09:27
arinzex.exe ba17343be61c0394910b0ada481b1f86 Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 |
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
4 |
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(193.122.130.0)
  132.226.8.169
  172.67.188.154
3 |
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 | M | 23 | ZeroCERT
10838 | 2021-08-04 09:29
toolspab3.exe c3dfcfc19b5756d18d6ac1a185b349e9 UPX Malicious Library AntiDebug AntiVM PE File PE32 VirusTotal Malware PDB Code Injection Checks debugger buffers extracted unpack itself
7.2 | 22 | ZeroCERT
10839 | 2021-08-04 09:30
vbc.exe 811ea41e60760a97b5f28973618728fe UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS
3 |
  https://pxqklq.sn.files.1drv.com/y4mg89f-6gcTFt9nUg_sEWMZaxANJtZ7KMjeZ0uFle33_KPtwBN9B0K_qoN_QPW8-byP6qrtoBYRbmXkpxTfUEwpZw0wySpJMYbHpVDFh2dOM7ne3-MhDZuyyuEwohpk8dvJeVWBT5AKYXBF-NbNEZsYXHQNDDBsuQsiryuQGYcsAfYHYZN-weN5jSSBfsDTCFTZZm_cNa_kvhnRO1TegqIKQ/Fdhlajkqzshwymncekoaweuudqrkiey?download&psid=1
  https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21114&authkey=AMU_VwbYanb_5vQ
  https://pxqklq.sn.files.1drv.com/y4mlEcSPiQ-xLrMA-uh5-6zES3qzdkrPd7A5sYKVbpPegFaYO84OWiK8q0VzRB27zPc8qeNTbVrZt4hFA0ar9IFBGmPjFZnMRcioeM52jkL2S4YC9Dq0PgHm29CPXplS79VoZe87r8wmy0DOvZBoR7VAYdgeMTyyH2LEkzqpCHM9TcUnaHZgslTFHWnAvibAiQUKUAknvMUxEjV5lSOE0XPhw/Fdhlajkqzshwymncekoaweuudqrkiey?download&psid=1
5 |
  pxqklq.sn.files.1drv.com(13.107.42.12)
  onedrive.live.com(13.107.42.13) - mailcious
  13.107.42.13 - mailcious
  103.200.22.212
  13.107.42.12 - malware
1 |
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.4 | 27 | ZeroCERT
10840 | 2021-08-04 09:31
toolspab2.exe 0223d101b920891258027c3a87606982 UPX Malicious Library AntiDebug AntiVM PE File PE32 Malware PDB Code Injection Checks debugger buffers extracted unpack itself
6.4 | ZeroCERT
10841 | 2021-08-04 09:32
dun.exe 214b1ddf045e4d6fdd73a5c8788d2adc Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key
8 |
  http://www.thesoulrevitalist.com/p2io/ - rule_id: 2157
  http://www.thesoulrevitalist.com/p2io/?VPXhs=ywi4HDlC8ElSOMEyK6H+rd6B6cynTULkanOSXBUPYg06e2wPUHpv6wPun14JIO+5lIaxxIkr&nHLD_L=8p-HvnrH7hptqnk - rule_id: 2157
  http://www.zmzcrossrt.xyz/p2io/ - rule_id: 1573
  http://www.procircleacademy.com/p2io/?VPXhs=tgVoMP8jv8oJh0LH0MPWwDnGYGbnfEGTJ+yRL/Ijcc1+MHyU0MyQxKIFLUwq3WzUPcz2/uvN&nHLD_L=8p-HvnrH7hptqnk - rule_id: 2905
  http://www.procircleacademy.com/p2io/ - rule_id: 2905
  http://www.totally-seo.com/p2io/
  http://www.totally-seo.com/p2io/?VPXhs=TySV6YYxUBKYb4HOwOCoDLKT5SC+Z4HfI/KqKrWSPqp5raNcMGgDmwJErp1xJY1yPtBpBPJW&nHLD_L=8p-HvnrH7hptqnk
  http://www.zmzcrossrt.xyz/p2io/?VPXhs=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&nHLD_L=8p-HvnrH7hptqnk - rule_id: 1573
9 |
  www.procircleacademy.com(104.16.13.194) - mailcious
  www.zmzcrossrt.xyz(99.83.183.31)
  www.totally-seo.com(198.49.23.144)
  www.thesoulrevitalist.com(34.102.136.180) - mailcious
  www.a3i7ufz4pt3.net()
  198.49.23.145 - mailcious
  34.102.136.180 - mailcious
  104.16.12.194
  75.2.73.220 - mailcious
1 |
  ET HUNTING Request to .XYZ Domain with Minimal Headers
6 |
  http://www.thesoulrevitalist.com/p2io/
  http://www.thesoulrevitalist.com/p2io/
  http://www.zmzcrossrt.xyz/p2io/
  http://www.procircleacademy.com/p2io/
  http://www.procircleacademy.com/p2io/
  http://www.zmzcrossrt.xyz/p2io/
9.4 | M | 21 | ZeroCERT
10842 | 2021-08-04 09:33
vbc.exe 26f17ecd8ee2fc34a1c0b3b850d9d0fc PE File PE32 VirusTotal Malware Check memory unpack itself DNS crashed
1 |
3.0 | M | 20 | ZeroCERT
10843 | 2021-08-04 09:34
.----...............---....inv... 6ffa0988ffc7d8ff440b6811065d974c RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader
1 |
  http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre - rule_id: 2584
2 |
  198.23.212.137 - mailcious
  185.227.139.18 - mailcious
14 |
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 |
  http://185.227.139.18/dsaicosaicasdi.php
5.4 | M | 33 | ZeroCERT
10844 | 2021-08-04 09:36
New_1007572_021.exe 41137fd61b9cc0d92225c91660a5902c RAT Generic Malware UPX AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder crashed
3 |
  http://www.xinyisanreqi.com/cg53/?T8SD=IH6xuV53t1O8cgYhT4tQpi3TxtA7wfqS8uDOT7Zi29wexx3ZCGtTBXSi+TOfwYL1x8voHF35&NVlTnb=o2JhQT4HxtyDuVtP
  http://www.lvyi19.com/cg53/?T8SD=WiiXXgOAleA7Y5gv4djo0cAbbquqgea++YKCzxIGHZZ1xQP78WGQ3riSOchSPht9pZSIkzZ4&NVlTnb=o2JhQT4HxtyDuVtP
  http://www.healinghandssalem.com/cg53/?T8SD=i57Q5A28ObJQOLfsNs28RhAlfyvzZM0CQcr3ejFPyqD98hX6/Q6nrSa1A8B/q2hu3ufg8b08&NVlTnb=o2JhQT4HxtyDuVtP
7 |
  www.healinghandssalem.com(104.36.56.20)
  www.xinyisanreqi.com(156.245.252.91)
  www.lvyi19.com(154.205.30.80)
  www.zerkalo-mr-bit-casino.com()
  154.205.30.80
  156.245.252.91
  104.36.56.20
1 |
  ET MALWARE FormBook CnC Checkin (GET)
9.4 | M | 22 | ZeroCERT
10845 | 2021-08-04 09:37
dun-1.exe 182170393a1acd19744575f00562384f Generic Malware UPX Malicious Library Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key
8 |
  http://www.dreamcashbuyers.com/p2io/?OH2LRV=H0m9fF/7YLmrrfUIC4653EpAABAppk+gPA36EdDaEoCMlE2zCVYj52aQtiOQLLDBcMq8ZjGa&_jqp3=mvRxvPC0EdzH
  http://www.dreamcashbuyers.com/p2io/
  http://www.zmzcrossrt.xyz/p2io/ - rule_id: 1573
  http://www.centergolosinas.com/p2io/?OH2LRV=r2GsjHfE9bHmJvLFmfqM84hqAY3LnZYXU2evLvxsfUtrrcQFCKudTC+PxzRKMZm48G9NrLWy&_jqp3=mvRxvPC0EdzH - rule_id: 2902
  http://www.sonderbach.net/p2io/?OH2LRV=2ax3GqWpRrSdWZvs+TKAK3bdHNL66UJyZbfAdtPO/FaZGfOa/v3aE89kJzgFOPU2QDwHTbD5&_jqp3=mvRxvPC0EdzH - rule_id: 1726
  http://www.centergolosinas.com/p2io/ - rule_id: 2902
  http://www.zmzcrossrt.xyz/p2io/?OH2LRV=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&_jqp3=mvRxvPC0EdzH - rule_id: 1573
  http://www.sonderbach.net/p2io/ - rule_id: 1726
10 |
  www.kce0728com.net()
  www.dreamcashbuyers.com(54.69.66.227)
  www.zmzcrossrt.xyz(99.83.162.16)
  www.a3i7ufz4pt3.net()
  www.sonderbach.net(51.254.41.57)
  www.centergolosinas.com(192.169.223.13) - mailcious
  34.215.222.250
  192.169.223.13 - mailcious
  51.254.41.57 - mailcious
  99.83.162.16
1 |
  ET HUNTING Request to .XYZ Domain with Minimal Headers
6 |
  http://www.zmzcrossrt.xyz/p2io/
  http://www.centergolosinas.com/p2io/
  http://www.sonderbach.net/p2io/
  http://www.centergolosinas.com/p2io/
  http://www.zmzcrossrt.xyz/p2io/
  http://www.sonderbach.net/p2io/
9.4 | M | 20 | ZeroCERT