11266 |
2021-08-12 11:00
edi.exe 586f79d31e3b60f3737c247810e56612 NPKI Gen1 Generic Malware UPX Malicious Packer Malicious Library Antivirus ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer NetWireRC VirusTotal Email Client Info Stealer Malware powershell Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic unpack itself suspicious process AppData folder WriteConsoleW Ransomware BitRAT Windows Browser Email ComputerName Cryptographic key Software crashed keylogger Password |
5
www.xenarmor.com(69.64.94.128) - mailcious eter102.dvrlists.com(79.134.225.71) dns.google(8.8.4.4) 79.134.225.71 - mailcious 69.64.94.128 - mailcious
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) ET MALWARE Observed Malicious SSL Cert (BitRAT CnC) ET POLICY XenArmor Password Recovery License Check
24.4 |
M |
20 |
ZeroCERT
11267 |
2021-08-12 13:47
.svchost.exe 8056c1da01723959661caf103a001271 GuLoader Generic Malware Malicious Packer UPX Malicious Library PE File PE32 VirusTotal Malware RWX flags setting unpack itself |
1.8 |
M |
17 |
r0d
11268 |
2021-08-12 13:52
vbc.exe da8a93ada0a33e6df7f52f8a7c1726b1 PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software |
1
http://185.227.139.5/sxisodifntose.php/B0MWbknI2Z7T2 - rule_id: 3949
1
185.227.139.5 - mailcious
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
1
http://185.227.139.5/sxisodifntose.php
8.0 |
M |
18 |
r0d
11269 |
2021-08-13 09:44
sw.exe 1d8f32a4bcd066413acbb8c4bf6037c9 Gen2 Generic Malware Malicious Packer Anti_VM UPX Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Windows Remote Code Execution Firmware DNS Cryptographic key crashed |
1
http://46.28.205.147:14933/
1
6.2 |
|
24 |
ZeroCERT
11270 |
2021-08-13 09:45
bobbyzx.exe 9a813a694390804d6d8cc05ac1efe79f PWS Loki[b] Loki.m AgentTesla ftp Client info stealer email stealer Generic Malware PSW Bot LokiBot ZeusBot Admin Tool (Sysinternals etc ...) DNS Socket Escalate priviledges ScreenShot Steal credential persistence AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer Pony VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications AppData folder malicious URLs WriteConsoleW installed browsers check Windows Update Browser Email Cryptographic key Software Downloader |
1
http://manvim.co/ae1/AE1.php
2
manvim.co(46.173.214.209) - mailcious 46.173.214.209
4
ET MALWARE Fareit/Pony Downloader Checkin 3 ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
15.0 |
|
39 |
ZeroCERT
11271 |
2021-08-13 09:46
runvd.exe a945644533a405a16423fbf5b9a37069 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself |
2.2 |
|
26 |
ZeroCERT
11272 |
2021-08-13 09:47
plugmanzx.exe 864e2a02a8da7f5829616b793608b6a5 Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM .NET EXE PE File PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
2
fellasbam.ddns.net(103.145.252.108) 103.145.252.108
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE Possible NanoCore C2 60B
14.0 |
|
35 |
ZeroCERT
11273 |
2021-08-13 09:48
Rx4.exe cebd70129181b2d00175a09425028661 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself |
2.2 |
|
26 |
ZeroCERT
11274 |
2021-08-13 09:49
wealthzx.exe a36b4d2566935944f7281dae1be18d5b PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
1
11.8 |
|
27 |
ZeroCERT
11275 |
2021-08-13 09:53
sa.exe d32c07f78a2d47bd5b916231eae4e322 RAT PWS .NET framework Generic Malware AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows DNS Cryptographic key crashed |
4
http://www.kemal.cloud/glgd/?bl=jk4VpCF5xdpBDNcbSqsqgBgwF6YcP4kaSOYLmBmtlVdMnJSVXFYCGxGvNq3dPEwe6EUIg0zq&Rx=8pdTb4gHinL0bf http://www.rbhealthy.com/glgd/?bl=kR8gmaZqMogH8CiUuJYgQcfwl5N31iCbhe58//cToFgt6foWGXoMvouW9NVpWQhogq8/M5Y/&Rx=8pdTb4gHinL0bf http://www.uniquelypotted.com/glgd/?bl=V9IxTD1L2pbNugnzWnDipJso32tnejGJlJNh1IVIAa1aPYJ6KBCtXWw1B+PcSxzlCdhuOnbd&Rx=8pdTb4gHinL0bf https://www.bing.com/
9
www.rbhealthy.com(23.82.175.70) www.uniquelypotted.com(23.227.38.74) www.google.com(172.217.31.164) www.kemal.cloud(184.168.131.241) 184.168.131.241 - mailcious 13.107.21.200 23.82.175.70 142.250.199.68 23.227.38.74 - mailcious
4
ET MALWARE FormBook CnC Checkin (GET) ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.0 |
|
22 |
ZeroCERT
11276 |
2021-08-13 09:53
mazx.exe bd2c6dc178b0c292a9f6d62a1c4121a4 Generic Malware Admin Tool (Sysinternals etc ...) ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD Windows DNS Cryptographic key |
2
http://www.sacredkashilifestudio.net/mxwf/?N2=eipsewIB2PU7fLq0V+MVTYpseXSXiNmBphXFeMyyAJ/wgZWHvgK6rmKFdWqq2CZ89/HqMPFu&2d=YnaxWrPp - rule_id: 3876 http://www.salesnksportswt.top/mxwf/?N2=uYJBTZe+wem0QBywdcFTHeog83TcyiNB0ETXWcjybDUOyRLANZFAapORYGJvd4e0N3a9PRyB&2d=YnaxWrPp
4
www.salesnksportswt.top(103.139.0.32) www.sacredkashilifestudio.net(34.102.136.180) 103.139.0.32 34.102.136.180 - mailcious
4
ET MALWARE FormBook CnC Checkin (GET) ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers
1
http://www.sacredkashilifestudio.net/mxwf/
8.6 |
M |
34 |
ZeroCERT
11277 |
2021-08-13 09:55
sww.exe c7ece25f5f2bec6d7287b7a531e14d44 RAT PWS .NET framework Generic Malware AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows DNS Cryptographic key crashed |
7
http://www.thingstodoindunedin.com/niot/ http://www.thingstodoindunedin.com/niot/?EZU4Dv=48uOoX6Wc2hsKvIrOtn0ApaRaENJVHQfIumx6wM4fMbKLWvSbJa5dB449gGtDQ00apEQBZxS&DzrLW=VBZHTpkXnd1TKz http://www.gardencitybmt.com/niot/ http://www.finanzasparamamas.com/niot/ http://www.gardencitybmt.com/niot/?EZU4Dv=ZaqbUaYvDjuGQr0EDqqcWZh9vPIpKnCjn6oCX8HmduoUF/2PWdF8sZmlygdtdl7q61ZcKLMo&DzrLW=VBZHTpkXnd1TKz http://www.finanzasparamamas.com/niot/?EZU4Dv=YkTW+uzHL3SLBgk98Yosihv/KnE1sA5ZUP1MhCVnb/WzKuMtU2Nje3FBoHkkeJnSDHuX0U/l&DzrLW=VBZHTpkXnd1TKz https://www.bing.com/
14
www.google.com(172.217.175.68) www.brandygbco.space(91.215.152.214) www.coyoyi.com(127.0.0.1) www.gogetdental.com() www.everyonecpr.com() www.saferennahan.info() www.gardencitybmt.com(198.185.159.145) www.thingstodoindunedin.com(198.185.159.145) www.finanzasparamamas.com(104.16.13.194) 198.49.23.145 - mailcious 142.250.204.132 13.107.21.200 104.16.16.194 - mailcious 91.215.152.214
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
13.2 |
|
26 |
ZeroCERT
11278 |
2021-08-13 09:55
SteamUpdates.exe bfbc4e524ead489dcd8939c17bba7071 Generic Malware AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows crashed |
8.8 |
M |
18 |
ZeroCERT
11279 |
2021-08-13 09:55
abc.exe bb6e3f99be7215c2afe4de4e80805ddb RAT PWS .NET framework Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
9.2 |
M |
44 |
ZeroCERT
11280 |
2021-08-13 09:58
ejikezx.exe f214b97d081f549c3527c0b1f2631b21 Formbook PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(158.101.44.242) 193.122.130.0 172.67.188.154
3
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org
13.8 |
M |
39 |
ZeroCERT