10906 |
2021-08-05 09:57
|
vbc.exe c16b365ffaffa1804beeb266d79205ec RAT Generic Malware Admin Tool (Sysinternals etc ...) Antivirus AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware powershell Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key |
12
http://www.patriotsrepublic.net/att3/?DneDl=PfVHzi6IaZWp9Jxi+el8OEAdxu/ixXiZwb4fBuKwIXtnBcLirb01dB/LEnAAoDL0TXUvcstk&Dxlpi=2dmX http://www.authorsarajones.com/att3/?DneDl=iNDWypK+K4cv1RDeAy5/hWgjjlBTbVulJVJdGtlb+HtO557c+qllIVc7Q//BI3dUS5hOJOrV&Dxlpi=2dmX http://www.wearemariposa.com/att3/?DneDl=Qba5iYsT7l+ar23hovipgJkLTV6jAhk5ZTqWgPeD1pVoRdoWgN0lA48IdacgHUOSWnjkLZtL&Dxlpi=2dmX http://www.authorsarajones.com/att3/ http://www.wearemariposa.com/att3/ http://www.hospiceinelmonte.com/att3/ http://www.digitalwebhunt.com/att3/ http://www.szgmgq.com/att3/?DneDl=+I2Hlt4n4lM+V0vfLsNkAEbe3i01Or9iZVgHJGsOzQyEbEHn+pPfybQFQSWYilt9/w79vuue&Dxlpi=2dmX http://www.patriotsrepublic.net/att3/ http://www.szgmgq.com/att3/ http://www.digitalwebhunt.com/att3/?DneDl=5gLWPyP5QviS3SFhurDoT60HSkIYyFPwgHoHmMkxOCsKzQcSuQnGIpa31kZ4k8TQnJdAlvOD&Dxlpi=2dmX http://www.hospiceinelmonte.com/att3/?DneDl=5DjSdOjkuIrR7JSOtU2qkh6c6SCHIzwdqVqd7oB4yQ+f2Llvplm9CPFSH2dwj1JqDSSA4/6C&Dxlpi=2dmX
|
18
www.patriotsrepublic.net(3.13.31.214) www.wearemariposa.com(162.241.216.14) www.ibvddna.icu() www.authorsarajones.com(34.102.136.180) www.cloud9-life.net(208.91.197.91) www.vitaebigdata.com() www.digitalwebhunt.com(23.229.190.68) www.hospiceinelmonte.com(74.208.206.64) www.szgmgq.com(165.3.80.32) www.ehnlomr.icu() www.rhfctzdsna.club() 34.102.136.180 - mailcious 3.13.31.214 - suspicious 162.241.216.14 74.208.206.64 23.229.190.68 208.91.197.91 - mailcious 165.3.80.32
|
3
ET INFO DNS Query for Suspicious .icu Domain ET MALWARE FormBook CnC Checkin (GET) ET DROP Spamhaus DROP Listed Traffic Inbound group 19
|
|
12.6 |
M |
31 |
ZeroCERT
10907 |
2021-08-05 09:58
|
gun.exe 873cf90c9a977554d65c523f433a96f8 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key |
1
http://go.microsoft.com/fwlink?linkid=30219&locale=ko-KR&clientType=VISTA_GAMES&clientVersion=6.1.2
|
2
movie.metaservices.microsoft.com(65.55.186.113) 65.55.186.113
|
|
|
6.4 |
M |
17 |
ZeroCERT
10908 |
2021-08-05 09:58
|
document.wbk 3fc1fda1b322148664c0906b2b3f21b3 RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader |
1
https://pastebin.pl/view/raw/af4dd2e8 - rule_id: 3746
|
3
pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious 45.137.22.103 - malware
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
https://pastebin.pl/view/raw/af4dd2e8
|
5.4 |
M |
33 |
ZeroCERT
10909 |
2021-08-05 10:00
|
gun-5.exe dcf861a4858cc95b9d2e9ec60969933e Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
3.2 |
|
16 |
ZeroCERT
10910 |
2021-08-05 10:02
|
pub1.exe 141a93e960b8490b9db17e609eb37d42 UPX Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
22 |
ZeroCERT
10911 |
2021-08-05 10:04
|
vbc.exe 4ebdb80a36728294c6086c4ed91605b0 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
12
http://www.mobiessence.com/6mam/?s0=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&CZ=7nH8XRk - rule_id: 3578 http://www.mobiessence.com/6mam/ - rule_id: 3578 http://www.bransolute.com/6mam/?s0=3lOIhqUq6P+U3Pv+KiDZArCwgFDmfekdTy2Nm2rSf3PvYUYfwCDamY7ww9DFIoj1y02HC7Ks&CZ=7nH8XRk - rule_id: 3581 http://www.annettebrownlee.com/6mam/?s0=Ha/mqQzo1OymR3PjStfn+lIoGvmqdNIZRSzA7EGDhkCDDPdeV8pHgJAz15x41PetfVMQIZVa&CZ=7nH8XRk - rule_id: 3579 http://www.schoolfrontoffice.com/6mam/?s0=44unMI1SijcIMv+N8WCIjTNIPpmavX0UQRjroN+fGhmCyiukZbvVPaBMPWfnclalAqceBNWz&CZ=7nH8XRk http://www.annettebrownlee.com/6mam/ - rule_id: 3579 http://www.fanbase.fan/6mam/ http://www.fanbase.fan/6mam/?s0=9d5C1xs5i//XDxr4dB0bA7JyBPYNineSxbWNYqwR1mLnXlE7iqxwCfAfIH0GmtdYbidcrtDB&CZ=7nH8XRk http://www.maximos.world/6mam/ http://www.bransolute.com/6mam/ - rule_id: 3581 http://www.schoolfrontoffice.com/6mam/ http://www.maximos.world/6mam/?s0=1a5QnJIXHWQb2gghw5aLRRgFP80dKh9Fg4OBHx9jqqG7vx0A8u6epTP2d4hNvGeyhllgiJAB&CZ=7nH8XRk
|
14
www.mobiessence.com(52.58.78.16) www.mayartpaints.com(192.155.172.18) www.maximos.world(23.227.38.74) www.fanbase.fan(34.102.136.180) www.schoolfrontoffice.com(34.102.136.180) www.candlewooddmc.com() www.annettebrownlee.com(159.203.181.190) www.bransolute.com(192.185.236.169) 192.185.236.169 - mailcious 52.58.78.16 - mailcious 192.155.172.18 159.203.181.190 - mailcious 34.102.136.180 - mailcious 23.227.38.74 - mailcious
|
3
ET MALWARE FormBook CnC Checkin (GET) ET INFO Observed DNS Query to .world TLD ET INFO HTTP Request to Suspicious *.world Domain
|
6
http://www.mobiessence.com/6mam/ http://www.mobiessence.com/6mam/ http://www.bransolute.com/6mam/ http://www.annettebrownlee.com/6mam/ http://www.annettebrownlee.com/6mam/ http://www.bransolute.com/6mam/
|
9.8 |
M |
30 |
ZeroCERT
10912 |
2021-08-05 10:05
|
R3K3GVYVPP.exe 10f5add22c17abbf6d49b1698f0883e5 PWS .NET framework RAT Generic Malware UPX PE File .NET EXE PE32 PNG Format JPEG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces Tofsee Browser ComputerName DNS Software crashed |
5
http://duckyu.biz/corona//image.png - rule_id: 3563 http://api.my-ip.io/ip http://freegeoip.app/xml/ https://freegeoip.app/xml/ https://api.my-ip.io/ip
|
6
freegeoip.app(172.67.188.154) api.my-ip.io(157.245.5.40) duckyu.biz(178.208.83.29) - mailcious 157.245.5.40 172.67.188.154 178.208.83.29 - mailcious
|
3
ET INFO Observed DNS Query to .biz TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2
|
1
http://duckyu.biz/corona//image.png
|
6.8 |
M |
50 |
ZeroCERT
10913 |
2021-08-05 10:06
|
gun-3.exe ff404b207167fe0cdeb456afcdc2ee4f PWS .NET framework RAT Generic Malware UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows Cryptographic key |
7
http://www.theroseofsharonsalon.com/wufn/?LXxP=OadTn2uJtzT8oubefSjMAoLtzsAZKEPGGNEB1Q92m5bHHV2MxPvD7WU/WfzEYQpZzBC6ZQgQ&tTrt=ndfHUnBht8 - rule_id: 2913 http://www.craftbychristians.com/wufn/?LXxP=rclXbN+KSBSlJsrhYTkKU4x5e2l7eFQRzjtsLZ0wIslBHruFqS+r6dHnex4dI2ICZk3527X7&tTrt=ndfHUnBht8 - rule_id: 2908 http://www.gaigoilaocai.com/wufn/?LXxP=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&tTrt=ndfHUnBht8 - rule_id: 2912 http://www.iqpt.info/wufn/?LXxP=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&tTrt=ndfHUnBht8 - rule_id: 2910 http://www.martabaroagency.com/wufn/?LXxP=r0PGHSY2SUcZB8VeRTqckmU+v7wbtMF1fJATAoKMkp5jXhuYZ6C7mu0EbtSkXg+d4UfDPRR1&tTrt=ndfHUnBht8 - rule_id: 2915 http://www.cuadorcoast.com/wufn/?LXxP=kYzY+WOATOJvl0LGKoTI9L4ky9M8/RXPaPgWsg9EorAZ9N2DAW9xe5TyjlQCxAJLBvRqjfNR&tTrt=ndfHUnBht8 - rule_id: 2914 http://www.hk6628.com/wufn/?LXxP=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&tTrt=ndfHUnBht8 - rule_id: 2909
|
14
www.martabaroagency.com(185.14.56.84) www.theroseofsharonsalon.com(198.49.23.144) www.cuadorcoast.com(156.231.25.88) www.iqpt.info(67.199.248.13) www.gaigoilaocai.com(172.67.187.204) www.hk6628.com(34.102.136.180) www.rizqebooks.com() - mailcious www.craftbychristians.com(34.102.136.180) 156.231.25.88 - mailcious 198.49.23.145 - mailcious 34.102.136.180 - mailcious 185.14.56.84 - mailcious 67.199.248.13 - mailcious 172.67.187.204 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
7
http://www.theroseofsharonsalon.com/wufn/ http://www.craftbychristians.com/wufn/ http://www.gaigoilaocai.com/wufn/ http://www.iqpt.info/wufn/ http://www.martabaroagency.com/wufn/ http://www.cuadorcoast.com/wufn/ http://www.hk6628.com/wufn/
|
11.6 |
M |
31 |
ZeroCERT
10914 |
2021-08-05 10:07
|
SessionCrtSvcWinrefCrt.exe 355f3e43422d9df559f51c8b836a2238 RAT Generic Malware Malicious Packer UPX DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File OS Processor Check .NET EXE VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key |
1
http://62.109.12.219/screen/tracePreflocal/phpPythonframe/antipoolsystemtrace/data/searcher/serverProtect.php?TyibT=5KRv4oGXbMSQ&jZEoqXx5yHcCr6=EVp7M3hiaWRmlf1BJav4r&K1EgaGCzt=rdSFhUEg&45d44bb14fed5e80dcf403d3facb85ff=6802edbb3f3ee7951de548e8dd409cbd&5503d154bca72b4bc34dd27480f6676a=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&TyibT=5KRv4oGXbMSQ&jZEoqXx5yHcCr6=EVp7M3hiaWRmlf1BJav4r&K1EgaGCzt=rdSFhUEg
|
1
|
|
|
9.0 |
M |
43 |
ZeroCERT
10915 |
2021-08-05 10:08
|
.wininit.exe 4790a6bec0eb9efda12d2abe2bb38d00 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
12
http://www.browbabelondon.com/n84e/ http://www.792argonne.com/n84e/ http://www.betterhealthdc.com/n84e/?s0=HpDyM7h5S8k83y8yqRedKYUfYoom3rvCxt/61BOuhsxa8LZ1DHJJwbq3je7qCSJdcJE1pbe9&CZ=7nH8XRk http://www.scorchonerecords.com/n84e/ http://www.conectaragora.com/n84e/ - rule_id: 3740 http://www.notemanches.com/n84e/?s0=t6cJ++5ur6LyOWHVfvSSg1kOqj+5LkQnu0xiLqduvq4gQlmcvj2tgZjJWmh2P/ItDCI8JQg1&CZ=7nH8XRk http://www.scorchonerecords.com/n84e/?s0=AAar8/QTt3rWpEU75zSnopAP9jFchFx03LuP9S6n7N0ZyqjMic65prikiu4NCiYQqXEz50yr&CZ=7nH8XRk http://www.conectaragora.com/n84e/?s0=p6i+kRTznlIfp8/7XMyecgcPSEfEpCNZNLU/042ESd3JmDRQsTR5UXzjOO9R4eeSQMVHZgcS&CZ=7nH8XRk - rule_id: 3740 http://www.betterhealthdc.com/n84e/ http://www.notemanches.com/n84e/ http://www.792argonne.com/n84e/?s0=DFZFTQHbXlya/MeaUFAazqs5HaS9PDJCmOYPBYguisCI4Vi6jG07nsAfhM9aFpcU+h3ZeOvL&CZ=7nH8XRk http://www.browbabelondon.com/n84e/?s0=iN/2jpDVItD0PjH3kQlCvYGpp+lZ4fRxObDvETofyrxd1QZoKdP5K/qHZNaGThNBJIIcYPFv&CZ=7nH8XRk
|
12
www.notemanches.com(34.102.136.180) www.792argonne.com(184.168.131.241) www.kailinsen.com(23.234.7.122) www.browbabelondon.com(34.80.190.141) www.betterhealthdc.com(67.205.10.140) www.scorchonerecords.com(34.102.136.180) www.conectaragora.com(184.168.131.241) 184.168.131.241 - mailcious 34.102.136.180 - mailcious 23.234.7.122 67.205.10.140 34.80.190.141 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.conectaragora.com/n84e/ http://www.conectaragora.com/n84e/
|
9.8 |
M |
34 |
ZeroCERT
10916 |
2021-08-05 10:09
|
nbys.aspx a6a737e2431ccb08b421808d2ade1140 RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.0 |
M |
16 |
ZeroCERT
10917 |
2021-08-05 10:12
|
cheat.exe b0e7ef4773c4319c4ae27ec4ea36b342 RAT Generic Malware Malicious Packer UPX Antivirus DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File OS Processor Chec VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger |
1
http://78.24.219.155/Lowprotecttrack.php?oDbcT4N8fv9iR=TujXh4jntmcd4J2DfELEOgu8&c0927e23dedb725b931e0a2ee9073b6a=0193ed1277868731a6de6a33e873ea7f&6ab37595298e97e419a7acdb79dccaf7=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&oDbcT4N8fv9iR=TujXh4jntmcd4J2DfELEOgu8
|
1
|
|
|
12.4 |
M |
52 |
ZeroCERT
10918 |
2021-08-05 10:12
|
askinstall55.exe 1219ec0cfe2e0dfa88dae43f713b1a94 Trojan_PWS_Stealer Gen2 NPKI BitCoin Credential User Data Generic Malware Malicious Packer UPX Malicious Library SQLite Cookie Anti_VM DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenS Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution crashed |
4
http://www.nincefcs.xyz/Home/Index/lkdinl - rule_id: 3618 http://www.iyiqian.com/ - rule_id: 2326 https://iplogger.org/1lcZz https://www.listincode.com/ - rule_id: 2327
|
8
www.listincode.com(144.202.76.47) - mailcious www.nincefcs.xyz(188.225.87.175) - mailcious www.iyiqian.com(103.155.92.58) - mailcious iplogger.org(88.99.66.31) - mailcious 103.155.92.58 - mailcious 88.99.66.31 - mailcious 144.202.76.47 - mailcious 188.225.87.175 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
3
http://www.nincefcs.xyz/Home/Index/lkdinl http://www.iyiqian.com/ https://www.listincode.com/
|
11.4 |
M |
51 |
ZeroCERT
10919 |
2021-08-05 10:15
|
GUN-2.exe b92376d5972be4bf3f100b17e978b6af Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key |
16
http://www.martabaroagency.com/wufn/?Ez=r0PGHSY2SUcZB8VeRTqckmU+v7wbtMF1fJATAoKMkp5jXhuYZ6C7mu0EbtSkXg+d4UfDPRR1&lhud=Txol_2G - rule_id: 2915 http://www.travelstipsguide.com/wufn/?Ez=VyftNyjG0aQ5lx947SUGSmHD3tMYmiTmQvBtAxw4efd8ssVW9Od3MOGKP5omeKQ1iB3A5VY5&lhud=Txol_2G http://www.gaigoilaocai.com/wufn/?Ez=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&lhud=Txol_2G - rule_id: 2912 http://www.iqpt.info/wufn/ - rule_id: 2910 http://www.iqpt.info/wufn/?Ez=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&lhud=Txol_2G - rule_id: 2910 http://www.theroseofsharonsalon.com/wufn/?Ez=OadTn2uJtzT8oubefSjMAoLtzsAZKEPGGNEB1Q92m5bHHV2MxPvD7WU/WfzEYQpZzBC6ZQgQ&lhud=Txol_2G - rule_id: 2913 http://www.rsautoluxe.com/wufn/ - rule_id: 3288 http://www.martabaroagency.com/wufn/ - rule_id: 2915 http://www.joneshondaservice.com/wufn/ - rule_id: 3491 http://www.pon.xyz/wufn/?Ez=TjHmMFEWoC7f3AvZD4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCe56sbMIcecYmi82gg8d&lhud=Txol_2G http://www.theroseofsharonsalon.com/wufn/ - rule_id: 2913 http://www.rsautoluxe.com/wufn/?Ez=w5EnrSKap8oRy2zPlnddF8gTSk3mhpsg6+K+ZUM/zOnILWZ553OzJd1vgJ8iXK568zhVN9hj&lhud=Txol_2G - rule_id: 3288 http://www.travelstipsguide.com/wufn/ http://www.joneshondaservice.com/wufn/?Ez=cHwUMaOvOUl4mR2wsbRfLYaultZ7TSeYo2Z/vCzCk8dNTOF36Jse9g+x5El8dvRa2DMYrrKS&lhud=Txol_2G - rule_id: 3491 http://www.gaigoilaocai.com/wufn/ - rule_id: 2912 http://www.pon.xyz/wufn/
|
17
www.rsautoluxe.com(103.48.133.134) - mailcious www.joneshondaservice.com(50.87.249.29) www.martabaroagency.com(185.14.56.84) www.travelstipsguide.com(204.11.56.48) www.pon.xyz(199.59.242.153) www.iqpt.info(67.199.248.13) www.gaigoilaocai.com(104.21.84.71) www.800pls.info() www.theroseofsharonsalon.com(198.49.23.144) 198.49.23.144 - mailcious 185.14.56.84 - mailcious 199.59.242.153 - mailcious 204.11.56.48 - phishing 67.199.248.12 - mailcious 172.67.187.204 - mailcious 103.48.133.134 - mailcious 50.87.249.29 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
12
http://www.martabaroagency.com/wufn/ http://www.gaigoilaocai.com/wufn/ http://www.iqpt.info/wufn/ http://www.iqpt.info/wufn/ http://www.theroseofsharonsalon.com/wufn/ http://www.rsautoluxe.com/wufn/ http://www.martabaroagency.com/wufn/ http://www.joneshondaservice.com/wufn/ http://www.theroseofsharonsalon.com/wufn/ http://www.rsautoluxe.com/wufn/ http://www.joneshondaservice.com/wufn/ http://www.gaigoilaocai.com/wufn/
|
10.6 |
M |
32 |
ZeroCERT
10920 |
2021-08-05 10:16
|
gun-4.exe 3bba9f210c742796887179a14acfca42 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
8.6 |
M |
31 |
ZeroCERT