10891 |
2021-08-05 08:00 |
empty_9qhg.dotm 054bd3a599129af799c38de49cbfebed VBA_macro VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process Tofsee |
10
https://portfolio.unitedhours.com/wp-content/themes/ryancv/demo/01/cbKmaYTU.php
https://eflcc.in/images/prettyPhoto/dark_rounded/mjsmceMxauntUkB.php
https://restaccueil.bertekgroup.fr/packages/qXUSzPeL0hmGiG.php
https://tmstest.qubit-software.com.my/tmscust/img/icons/16/M2rjIM1Y.php
https://demo.usa-mycard.com/sql/KhfI5axi.php
https://alexandermarius.com/hr.alexandermarius.com/assets2/vendor/animsition/css/Dq1MUYjf2KVm.php
https://printshop.ozys.ca/wp-content/plugins/woocommerce/includes/abstracts/6i6pYB2eJR.php
https://school.eduproerp.com/smart_school_android_app_src/app/build/outputs/apk/iNGlOz2NEC7jKko.php
https://pos.wndrgt.nrovo.com/api/controller/DGFqsxJMmH.php
https://vivantacriticalcare.com/wp-content/plugins/megamenu/classes/pages/k8WNdTjY8D2zm.php |
12
portfolio.unitedhours.com(149.255.58.23)
portfolio.unitedhours.com
eflcc.in
restaccueil.bertekgroup.fr
tmstest.qubit-software.com.my
demo.usa-mycard.com
alexandermarius.com
printshop.ozys.ca
school.eduproerp.com
pos.wndrgt.nrovo.com
vivantacriticalcare.com
149.255.58.23 |
2 ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
|
3.8 |
|
15 |
ZeroCERT
10892 |
2021-08-05 09:37 |
2mZgSIB7mML3Ox00.jpg.ps1 f296ea5238d07817af56dbbba4271b45 Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows Cryptographic key |
1 https://mackcatlabor.com/wp-content/plugins/worker/src/Gelf/HXQ6fLudueVLQw0o.txt |
1 mackcatlabor.com(166.62.88.163) |
|
|
1.4 |
|
12 |
guest
10893 |
2021-08-05 09:42 |
1852c5dbb4abba07766ee019366658... eb9d1220e5322bcfe4f35193376f9c41 UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.6 |
M |
46 |
ZeroCERT
10894 |
2021-08-05 09:43 |
filename.exe f67f17d54de5a1bab70766d6f9a124d2 Generic Malware UPX Malicious Library PE File PE32 PDB unpack itself Remote Code Execution |
|
|
|
|
1.6 |
M |
|
ZeroCERT
10895 |
2021-08-05 09:44 |
vbc.exe 11607ed65e25126d80c7dd877f9f29eb UPX Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware Check memory crashed |
|
|
|
|
2.0 |
M |
21 |
ZeroCERT
10896 |
2021-08-05 09:45 |
CryMore2.exe f6f4de736422e2ce52eaf99b41edfe32 PWS .NET framework RAT Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Cryptographic key Software crashed |
2 http://hiconvanor.xyz/ https://api.ip.sb/geoip |
4 hiconvanor.xyz(77.246.145.4) api.ip.sb(172.67.75.172) 77.246.145.4 - mailcious 104.26.13.31 |
2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request |
|
7.0 |
M |
33 |
ZeroCERT
10897 |
2021-08-05 09:47 |
NBYS%20ASM.NET.exe 0d5eb410b67945e03382fa1781d573be RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName |
|
|
|
|
3.4 |
M |
37 |
ZeroCERT
10898 |
2021-08-05 09:48 |
wwerfyr.exe 3693d70402a26fa0810d8ea85c95c954 PWS Loki[b] Loki[m] .NET framework RAT Generic Malware DNS Socket KeyLogger HTTP Internet API ScreenShot Http API AntiDebug AntiVM PE File .NET EXE PE32 Malware download Azorult VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows ComputerName Cryptographic key crashed |
2 http://www.epcdiagnostic.com/wp-content/rem/cach/index.php https://www.bing.com/ |
4 www.epcdiagnostic.com(185.221.202.118) www.google.com(142.250.196.132) 142.250.199.68 185.221.202.118 |
3 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET MALWARE AZORult Variant.4 Checkin M2 |
|
12.2 |
M |
40 |
ZeroCERT
10899 |
2021-08-05 09:49 |
rundll32.exe 234e96fd91a8c8ba1da7e94609bd6827 PWS .NET framework RAT Generic Malware UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
22 |
ZeroCERT
10900 |
2021-08-05 09:49 |
aridonorigin.exe 686f21a796dda4dc4e72bd0130f16d8e AgentTesla(IN) Generic Malware Malicious Packer Malicious Library PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
48 |
ZeroCERT
10901 |
2021-08-05 09:51 |
assadzx.exe 61eb9d05a7a2dad154f0e0f92b16205d PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Socket Escalate priviledges KeyLogger Code injection HTTP Internet API ScreenShot Http API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser Email ComputerName Cryptographic key |
|
|
|
|
12.6 |
M |
21 |
ZeroCERT
10902 |
2021-08-05 09:53 |
both123.exe 58a63044fe092b8c6e525cc920c04bc1 PE File PE32 VirusTotal Malware |
|
|
|
|
1.0 |
M |
26 |
ZeroCERT
10903 |
2021-08-05 09:54 |
ggi8w3183a1077e104d07a84291d0d... 2ab4cc984ec0b93b82c0e4bf03aa8c5f Emotet Gen1 UPX Malicious Library AntiDebug AntiVM PE File DLL PE32 Dridex TrickBot VirusTotal Malware Report suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed |
18
http://api.ipify.org/?format=text https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/OJLELJAKUDUGHFR/7/ https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/5tIdKd9BQcw97tDkWQXFcV8GHmRSS/ https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/ https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/NpdHNRhrX33vnXV5x9jz/ https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/MDFwQcZzmEtnaC9hhuhJDWmvxuDF/ https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/KBIJKZGVIOLLRWL/7/ https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/TFOWOHKHTBS/7/ https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-toolsPXDT3N%5Cpzggi8w3183a1077e104d07a84291d0d5dcc1dexl.grf/0/ https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/etAeSjeTCe4jkQuDOjlUTHW/ https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/ https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/ https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/DerGZwL4ua1lDPww283xhhhGVTl48hJ/
https://105.27.205.34/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/pwgrabc64/ https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/23/100019/ https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/NAT%20status/client%20is%20behind%20NAT/0/ https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/DNSBL/listed/0/ https://105.27.205.34/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/pwgrabb64/ |
11 150.134.208.175.b.barracudacentral.org(127.0.0.2) api.ipify.org(23.21.224.49) 150.134.208.175.cbl.abuseat.org() 150.134.208.175.zen.spamhaus.org() 105.27.205.34 128.201.76.252 179.189.229.254 184.74.99.214 - mailcious 65.152.201.203 46.99.175.217 - mailcious 54.235.88.121 |
5 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET POLICY External IP Lookup (ipify .org) ET POLICY curl User-Agent Outbound ET CNC Feodo Tracker Reported CnC Server group 10 |
|
9.6 |
M |
12 |
ZeroCERT
10904 |
2021-08-05 09:55 |
gun-1.exe eab193344b506b1507675779ebf8c11b Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
16 http://www.kingdomvets.com/wufn/ - rule_id: 3290 http://www.gaigoilaocai.com/wufn/ - rule_id: 2912 http://www.rsautoluxe.com/wufn/?9rj01D0=w5EnrSKap8oRy2zPlnddF8gTSk3mhpsg6+K+ZUM/zOnILWZ553OzJd1vgJ8iXK568zhVN9hj&v4=Ch6LF - rule_id: 3288 http://www.kingdomvets.com/wufn/?9rj01D0=o6NP/38pvTDlv+JV19NTB11bpLiuGI0dHMB5Vx/enan56b3Zy4geNSKYW/CwegZqLuXFQkxp&v4=Ch6LF - rule_id: 3290 http://www.gaigoilaocai.com/wufn/?9rj01D0=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&v4=Ch6LF - rule_id: 2912 http://www.thetew.com/wufn/?9rj01D0=krP6P15MZQO22/e1Z0jungPG+tUyhBT5786LeGCZDahp25nY4EPnlmCvSbt3zmNAYEf0+pED&v4=Ch6LF http://www.ashestore.site/wufn/ http://www.brasilupshop.com/wufn/?9rj01D0=59brRu9dLS77nFy0s50o1uJFUTMvI+fKw5ePYjcZBjdZ1DjOWYIxIDuCUckQyVdYQE+vfh4M&v4=Ch6LF - rule_id: 3519 http://www.rsautoluxe.com/wufn/ - rule_id: 3288 http://www.ashestore.site/wufn/?9rj01D0=ISgUE+y+HqjXLrBNcsoJQrgsUIy+PQnmT8IaV+VtAkMVvOhkkzR0T7N+DJe4wV9WEmWhQkdE&v4=Ch6LF http://www.brasilupshop.com/wufn/ - rule_id: 3519 http://www.goteclift.com/wufn/?9rj01D0=em0DFdLl6esmbY8UPc/uZDIcKySfcb/lSoae1pTrnNJVgQ0OOt09p+wnf9M0i6X3i3/It/+2&v4=Ch6LF http://www.pon.xyz/wufn/ http://www.thetew.com/wufn/ http://www.pon.xyz/wufn/?9rj01D0=TjHmMFEWoC7f3AvZD4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCe56sbMIcecYmi82gg8d&v4=Ch6LF http://www.goteclift.com/wufn/ |
17 www.hsicclassactionsettlement.com() www.rsautoluxe.com(103.48.133.134) - mailcious www.brasilupshop.com(34.98.99.30) www.pon.xyz(199.59.242.153) www.kingdomvets.com(34.102.136.180) - mailcious www.ashestore.site(52.74.68.242) www.gaigoilaocai.com(104.21.84.71) www.goteclift.com(164.160.129.201) www.thetew.com(74.220.219.18) 164.160.129.201 74.220.219.18 3.1.135.107 34.102.136.180 - mailcious 199.59.242.153 - mailcious 104.21.84.71 103.48.133.134 - mailcious 34.98.99.30 - phishing |
2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers |
8 http://www.kingdomvets.com/wufn/ http://www.gaigoilaocai.com/wufn/ http://www.rsautoluxe.com/wufn/ http://www.kingdomvets.com/wufn/ http://www.gaigoilaocai.com/wufn/ http://www.brasilupshop.com/wufn/ http://www.rsautoluxe.com/wufn/ http://www.brasilupshop.com/wufn/ |
9.8 |
M |
33 |
ZeroCERT
10905 |
2021-08-05 09:56 |
blaqzx.exe d39308847edb6c582c8e5ae9f625c004 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
1 |
|
|
9.6 |
M |
26 |
ZeroCERT