11161 |
2021-08-10 10:40
|
sya.exe de74d8f4a95d6fe1f3d916191c88e034 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
23 |
ZeroCERT
11162 |
2021-08-10 10:42
|
myn.exe 0b97f7e640adbb46c56fb1229d97a894 NPKI UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB MachineGuid Check memory buffers extracted WMI unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS DDNS crashed |
|
2
desireblex.ddns.net(2.56.59.13) 2.56.59.13
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
6.6 |
M |
35 |
ZeroCERT
11163 |
2021-08-10 10:43
|
mn.exe 4fbbb9db49ac6bfeddeaf2ac8a43ae38 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
23 |
ZeroCERT
11164 |
2021-08-10 10:45
|
bda.exe b9b5b54cf3469380c133057543a9362e UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
23 |
ZeroCERT
11165 |
2021-08-10 10:45
|
storm.exe de904e0d5b71c0c3d99430b61d40aae2 Gen2 NPKI RAT Formbook Emotet Gen1 Generic Malware Javascript ShellCode Malicious Library HWP PS PostScript Malicious Packer Anti_VM Admin Tool (Sysinternals etc ...) PE File PE32 MSOffice File OS Processor Check Emotet VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Checks debugger WMI Creates executable files ICMP traffic unpack itself Windows utilities suspicious process WriteConsoleW shadowcopy delete Turn off Windows Error Recovery notification window IP Check Tofsee Ransomware Windows ComputerName crashed |
4
http://iplogger.org/1L3ig7.gz http://geoiptool.com/ https://iplogger.org/1L3ig7.gz https://www.geodatatool.com/
|
5
www.geodatatool.com(158.69.65.151) geoiptool.com(158.69.65.151) iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 158.69.65.151
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Geo Location IP info online service (geoiptool.com)
|
|
14.4 |
M |
29 |
ZeroCERT
11166 |
2021-08-10 17:39
|
S58.CARGO_2021.08.09.xlsb 8420c97abd12c1aaad8f01a84c7a0181 VBA_macro VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process |
1
https://loans.uhuruloans.com/wp-includes/sodium_compat/namespaced/Core/ChaCha20/X8av4FUl7STEot3.php
|
2
loans.uhuruloans.com(67.225.140.14) - mailcious 67.225.140.14 - mailcious
|
|
|
3.8 |
|
3 |
ZeroCERT
11167 |
2021-08-10 17:39
|
8724.js fab8e604d52f778cc2fc0eaebb60c43d Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php
|
2
erzurum.us(198.54.126.77) - malware 198.54.126.77 - phishing
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
4 |
ZeroCERT
11168 |
2021-08-10 17:41
|
76792.xls c27e15e92fc6401b37346e1356b358d6 VBA_macro MSOffice File RWX flags setting unpack itself |
|
|
|
|
0.8 |
|
|
ZeroCERT
11169 |
2021-08-10 17:44
|
.dllhost.exe c700731279dc3294e76a17a6f0269044 RAT Generic Malware .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
5.2 |
|
22 |
ZeroCERT
11170 |
2021-08-10 17:45
|
vbc.exe d7674428d2b9970b706165d4ab317c0a RAT Generic Malware UPX Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1
https://pastebin.pl/view/raw/af4dd2e8 - rule_id: 3746
|
2
pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://pastebin.pl/view/raw/af4dd2e8
|
11.8 |
M |
12 |
ZeroCERT
11171 |
2021-08-10 17:47
|
HFG.exe d75e198aabc8f95796bd8a8cd15a5313 Generic Malware Malicious Packer DNS AntiDebug AntiVM .NET EXE PE File PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
godisgood1.hopto.org(103.89.90.65) - mailcious 103.89.90.65
|
2
ET POLICY DNS Query to DynDNS Domain *.hopto .org ET MALWARE Possible NanoCore C2 60B
|
|
14.0 |
|
21 |
ZeroCERT
11172 |
2021-08-10 17:49
|
Vidik.exe d307a9934a5fd7513c731373c5786579 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself DNS |
|
1
|
|
|
2.4 |
|
23 |
ZeroCERT
11173 |
2021-08-10 17:49
|
document.doc db3ea85d5a4ce443a1beb72e682dbb35 RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://45.137.22.67/win/vbc.exe http://manvim.co/fd16/fre.php
|
3
manvim.co(185.204.3.193) - mailcious 45.137.22.67 185.204.3.193
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
|
33 |
ZeroCERT
11174 |
2021-08-10 17:51
|
XDF.exe 9cc283969b75e69c196e8661fea9f7ed Generic Malware Malicious Packer DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
xp18.ddns.net(103.167.85.148) - mailcious 103.167.85.148
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
14.0 |
M |
28 |
ZeroCERT
11175 |
2021-08-10 17:52
|
bank.exe e92cb564767afb2d59b12ecfc97ed86a UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName |
3
https://apv5oq.sn.files.1drv.com/y4muXeUmSOr2eA8OAZv22ApcwBCduBInlnDD_iP2ohqHowwtZcujQFarcs7juK_0mSRbt6MJSbKteWevTHBIgiv6lJwPrMTfvY1ZebPr11dv0Jj63I1RU3a9kMWmQKSmYqgZFh1LLe2fAR8EZ-z8j-pWLadKuq6Z3fIVgXk84emHccp7oVXqMPta0w5zmX9fkWNqjQ12SMYb696eSzEeW3MLQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ https://apv5oq.sn.files.1drv.com/y4mqtDxi_yjQqMj7aLneNR5K2ag2n6a9B3s2vsguKxD6cq_pEbf-AoBavtlpqHoxXjnVTTRodHYAyAVwV2qMV3yT9FJF0ReIQscZaXQGrtQ_Qo0ZTxor0a01qx5w-nMorDgI-I4bWaoFPlMR2GfVgFSbCIl6ErQU5_nxjDMV0u2rSp5S7Vf6y3eFgoL5jbcc9J171z-sNGiboKZE27hENWiuQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1
|
6
apv5oq.sn.files.1drv.com(13.107.42.12) onedrive.live.com(13.107.42.13) - mailcious twistednerd.dvrlists.com(62.102.148.130) - mailcious 13.107.42.13 - mailcious 13.107.42.12 - malware 62.102.148.130
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
34 |
ZeroCERT