11296 | 2021-08-13 20:26
File: brownzx.exe
MD5: 6f75f32ed9c7c697dbf8baff60b3a22f
Tags: PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, Cryptographic key, crashed
Score: 9.4 | M | 13 | ZeroCERT

11297 | 2021-08-13 20:27
File: pysnake.exe
MD5: eff22c6f6beec66c74ccd00fb1a4b708
Tags: Gen2, Gen1, Generic Malware, UPX, Malicious Library, Malicious Packer, Anti_VM, PE64, OS Processor Check, PE File, DLL, VirusTotal, Malware, Check memory, Creates executable files, unpack itself, Ransomware
Score: 2.8 | - | 11 | ZeroCERT

11298 | 2021-08-13 20:29
File: bum-0.exe
MD5: 42d14493d70781dbb667f48ed49b3883
Tags: PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, .NET EXE, PE File, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs (9):
  http://www.carmelodesign.com/p2io/?Dz=N1c5K3PjC0viFOIgeR7Z0k8Uw9B7cwaCQzeNFWpedVjl04LWmNZIIwAVMJfWqJKb/L1NUNJg&lnud=Txll_2G
  http://www.cleanxcare.com/p2io/?Dz=pxlxKDN2MotDZDPtsB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dyrLkdFSJvUjFQmrBLsu&lnud=Txll_2G
  http://www.essentiallyourscandles.com/p2io/?Dz=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&lnud=Txll_2G (rule_id: 1553)
  http://www.malcorinmobiliaria.com/p2io/?Dz=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&lnud=Txll_2G (rule_id: 1719)
  http://www.adultpeace.com/p2io/?Dz=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&lnud=Txll_2G (rule_id: 1554)
  http://www.untylservice.com/p2io/?Dz=L8zxg9SOaofWzoyPv00N4yNSfvs8vmV6MzKbpPLG03vcM8SdHJJ++2zBKn8m8TZ8Pf8jLpz7&lnud=Txll_2G (rule_id: 1546)
  http://www.totally-seo.com/p2io/?Dz=TySV6YYxUBKYb4HOwOCoDLKT5SC+Z4HfI/KqKrWSPqp5raNcMGgDmwJErp1xJY1yPtBpBPJW&lnud=Txll_2G (rule_id: 3721)
  http://www.zmzcrossrt.xyz/p2io/?Dz=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&lnud=Txll_2G (rule_id: 1573)
  http://www.thriveglucose.com/p2io/?Dz=bgEje2qqVLxeqLNVlwWQjpUULYzLZlDcA+G1vxfW8Jz/ro52V1dcg5nZt+TpVqb/WeIjD6oW&lnud=Txll_2G (rule_id: 1568)
Hosts (18):
  www.malcorinmobiliaria.com (160.121.176.84)
  www.carmelodesign.com (34.102.136.180)
  www.cleanxcare.com (78.31.67.91)
  www.totally-seo.com (198.49.23.144)
  www.zmzcrossrt.xyz (75.2.73.220)
  www.essentiallyourscandles.com (23.227.38.74)
  www.untylservice.com (2.57.90.16)
  www.adultpeace.com (163.44.239.73)
  www.thriveglucose.com (184.168.131.241)
  160.121.176.84 - malicious
  184.168.131.241 - malicious
  163.44.239.73 - malicious
  34.102.136.180 - malicious
  2.57.90.16 - malicious
  99.83.185.45
  23.227.38.74 - malicious
  198.185.159.144 - malicious
  78.31.67.91 - malicious
IDS alerts (3):
  ET MALWARE FormBook CnC Checkin (GET)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 17
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (7):
  http://www.essentiallyourscandles.com/p2io/
  http://www.malcorinmobiliaria.com/p2io/
  http://www.adultpeace.com/p2io/
  http://www.untylservice.com/p2io/
  http://www.totally-seo.com/p2io/
  http://www.zmzcrossrt.xyz/p2io/
  http://www.thriveglucose.com/p2io/
Score: 8.2 | M | 27 | ZeroCERT

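The FormBook entry above is the kind of record an analyst wants to pivot on rather than read: the sample rotates through nine domains but keeps one URI path (/p2io/) and one fixed query parameter, and the sandbox has annotated some URLs with a rule_id and some IPs with a malicious flag. The script below is an added example, not code from the listing or from ZeroCERT. Its two input strings are copied verbatim from the URL and host lines of entry 11298 (the raw export spells the flag "mailcious"; the parser accepts either spelling); the meaning given to "rule_id" and to the flag is read off the page's own annotations, and the pivot logic (shared path, constant query parameters, flagged IPs that never resolved from a listed domain) is the example's own.

```python
"""Turn the FormBook sandbox record (entry 11298) into pivotable indicators.

Added example. URLS_LINE and HOSTS_LINE are copied from the listing; the parsing
and pivot logic is illustrative and not part of the sandbox.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

URLS_LINE = " ".join([
    "http://www.carmelodesign.com/p2io/?Dz=N1c5K3PjC0viFOIgeR7Z0k8Uw9B7cwaCQzeNFWpedVjl04LWmNZIIwAVMJfWqJKb/L1NUNJg&lnud=Txll_2G",
    "http://www.cleanxcare.com/p2io/?Dz=pxlxKDN2MotDZDPtsB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dyrLkdFSJvUjFQmrBLsu&lnud=Txll_2G",
    "http://www.essentiallyourscandles.com/p2io/?Dz=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&lnud=Txll_2G - rule_id: 1553",
    "http://www.malcorinmobiliaria.com/p2io/?Dz=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&lnud=Txll_2G - rule_id: 1719",
    "http://www.adultpeace.com/p2io/?Dz=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&lnud=Txll_2G - rule_id: 1554",
    "http://www.untylservice.com/p2io/?Dz=L8zxg9SOaofWzoyPv00N4yNSfvs8vmV6MzKbpPLG03vcM8SdHJJ++2zBKn8m8TZ8Pf8jLpz7&lnud=Txll_2G - rule_id: 1546",
    "http://www.totally-seo.com/p2io/?Dz=TySV6YYxUBKYb4HOwOCoDLKT5SC+Z4HfI/KqKrWSPqp5raNcMGgDmwJErp1xJY1yPtBpBPJW&lnud=Txll_2G - rule_id: 3721",
    "http://www.zmzcrossrt.xyz/p2io/?Dz=tbodHACq9TgEm1QCflemmH955SxRRtof3zi2445TBfF16F/HFiIOFPSeH8a5z8Uvje9sxZdT&lnud=Txll_2G - rule_id: 1573",
    "http://www.thriveglucose.com/p2io/?Dz=bgEje2qqVLxeqLNVlwWQjpUULYzLZlDcA+G1vxfW8Jz/ro52V1dcg5nZt+TpVqb/WeIjD6oW&lnud=Txll_2G - rule_id: 1568",
])

HOSTS_LINE = (
    "www.malcorinmobiliaria.com(160.121.176.84) www.carmelodesign.com(34.102.136.180) "
    "www.cleanxcare.com(78.31.67.91) www.totally-seo.com(198.49.23.144) "
    "www.zmzcrossrt.xyz(75.2.73.220) www.essentiallyourscandles.com(23.227.38.74) "
    "www.untylservice.com(2.57.90.16) www.adultpeace.com(163.44.239.73) "
    "www.thriveglucose.com(184.168.131.241) 160.121.176.84 - mailcious "
    "184.168.131.241 - mailcious 163.44.239.73 - mailcious 34.102.136.180 - mailcious "
    "2.57.90.16 - mailcious 99.83.185.45 23.227.38.74 - mailcious "
    "198.185.159.144 - mailcious 78.31.67.91 - mailcious"
)

URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
HOST_RE = re.compile(r"([A-Za-z0-9.-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)")
# The raw export spells the flag "mailcious"; accept that and the correct spelling.
FLAG_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+ma(?:il|li)cious")


def parse_urls(line):
    """One dict per URL: host, path, query parameters, and the attached rule_id if any."""
    out = []
    for url, rule_id in URL_RE.findall(line):
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        out.append({
            "url": url,
            "host": parts.hostname,
            "path": parts.path,
            "query": {k: v[0] for k, v in query.items()},
            "rule_id": int(rule_id) if rule_id else None,
        })
    return out


def parse_hosts(line):
    """Map each resolved domain to its IP and collect the IPs the sandbox flagged."""
    domain_to_ip = dict(HOST_RE.findall(line))
    flagged = set(FLAG_RE.findall(line))
    return domain_to_ip, flagged


def pivot_by_path(urls):
    """Group domains by URI path: FormBook rotates domains but keeps one path per build."""
    groups = defaultdict(set)
    for u in urls:
        groups[u["path"]].add(u["host"])
    return {path: sorted(hosts) for path, hosts in groups.items()}


def constant_query_params(urls):
    """Query parameters whose value is identical in every URL (a second pivot besides the path)."""
    if not urls:
        return {}
    common = dict(urls[0]["query"])
    for u in urls[1:]:
        common = {k: v for k, v in common.items() if u["query"].get(k) == v}
    return common


def summarize(urls_line=URLS_LINE, hosts_line=HOSTS_LINE):
    urls = parse_urls(urls_line)
    domain_to_ip, flagged = parse_hosts(hosts_line)
    return {
        "paths": pivot_by_path(urls),
        "constant_params": constant_query_params(urls),
        "rule_ids": sorted(u["rule_id"] for u in urls if u["rule_id"]),
        "domains_on_flagged_ips": sorted(d for d, ip in domain_to_ip.items() if ip in flagged),
        "flagged_ips_without_domain": sorted(flagged - set(domain_to_ip.values())),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

Two things fall out that the raw record hides: the constant `lnud=Txll_2G` parameter is a usable pivot alongside the path, and one flagged IP (198.185.159.144) never appears as the resolution of any listed domain, so it needs to be tracked as a bare IP rather than via DNS.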
11299 | 2021-08-13 20:30
File: services.exe
MD5: efc0f46f3fa314f232394e2cb781659f
Tags: PE File, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, Creates executable files, unpack itself, Windows, DNS
URLs (1):
  http://144.48.240.173:29106/NetSyst96.dll
Hosts (2):
  103.229.126.73
  144.48.240.173 - malware
IDS alerts (1):
  ET INFO Dotted Quad Host DLL Request
Score: 4.6 | M | 57 | ZeroCERT

11300 | 2021-08-13 20:33
File: update.dll
MD5: c00d207efb855910154389b48404e550
Tags: Antivirus, UPX, Malicious Library, OS Processor Check, DLL, PE File, PE32, VirusTotal, Malware, Buffer PE, Checks debugger, buffers extracted, unpack itself, Collect installed applications, installed browsers check, Windows, Browser, DNS, Cryptographic key, crashed
Hosts (2):
  103.229.126.73
  192.52.167.44
Score: 5.0 | M | 37 | ZeroCERT

11301 | 2021-08-14 09:20
File: bill.xlsm
MD5: 95efc56b74a992e18a361579a267c4f3
Tags: VBA_macro, VirusTotal, Malware, RWX flags setting, unpack itself, Tofsee
URLs (1):
  https://source-london-login-a44c-44d1-bc9b-a.e-voicemail.com/api/Analytics/Macro?iid=1511a0be-b05f-473d-8f41-5800f48cba12
Hosts (2):
  source-london-login-a44c-44d1-bc9b-a.e-voicemail.com (104.21.24.5)
  104.21.24.5
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.8 | - | 22 | ZeroCERT

11302 | 2021-08-14 09:27
File: SKBM-120821.exe
MD5: 807a927252237ee6436724cbbcd05fa0
Tags: RAT, PWS, .NET framework, Gen1, Generic Malware, Malicious Packer, UPX, Malicious Library, AntiDebug, AntiVM, .NET EXE, PE File, PE32, OS Processor Check, DLL, JPEG Format, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, Cryptographic key, Password
URLs (8):
  http://zau.divendesign.in/3.jpg
  http://zau.divendesign.in/1.jpg
  http://zau.divendesign.in/7.jpg
  http://zau.divendesign.in/
  http://zau.divendesign.in/5.jpg
  http://zau.divendesign.in/2.jpg
  http://zau.divendesign.in/6.jpg
  http://zau.divendesign.in/4.jpg
Hosts (2):
  zau.divendesign.in (142.4.7.91) - malicious
  142.4.7.91 - malicious
IDS alerts (4):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score: 16.8 | M | 22 | ZeroCERT

11303 | 2021-08-14 09:38
File: toor.exe
MD5: f2c5f9df39fee2ca644154968920e444
Tags: Gen2, RAT, Generic Malware, Themida Packer, Malicious Packer, Anti_VM, UPX, Malicious Library, OS Processor Check, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Collect installed applications, Detects VMWare, Check virtual network interfaces, VMware, anti-virtualization, installed browsers check, Tofsee, Windows, Browser, ComputerName, Remote Code Execution, Firmware, DNS, Cryptographic key, Software, crashed
URLs (2):
  http://77.232.41.105:27056/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb (104.26.12.31)
  172.67.75.172
  77.232.41.105
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Score: 10.2 | M | 26 | ZeroCERT

11304 | 2021-08-14 09:38
File: wsd.exe
MD5: 898f0ec3d9588199aa00da724447b5bb
Tags: UPX, Malicious Library, DGA, DNS, Socket, Create Service, SMTP, Sniff Audio, Escalate privileges, KeyLogger, Code injection, Internet API, ScreenShot, Downloader, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, VirusTotal, Malware, AutoRuns, PDB, suspicious privilege, Code Injection, Checks debugger, buffers extracted, unpack itself, AppData folder, malicious URLs, Windows, DNS, keylogger
Hosts: 1 (none listed)
Score: 13.2 | M | 25 | ZeroCERT

11305 | 2021-08-14 09:39
File: arinzezx.exe
MD5: becd8371316c6ce0003a3beb62b9b471
Tags: PWS, .NET framework, Generic Malware, UPX, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (193.122.6.168)
  132.226.247.73
  104.21.19.200
IDS alerts (3):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.2 | M | 29 | ZeroCERT

11306 | 2021-08-14 09:40
File: 123.exe
MD5: 900e57970906aaeaa5d53979fd3b6f41
Tags: RAT, PWS, .NET framework, Generic Malware, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, buffers extracted, unpack itself, ComputerName, crashed
Score: 3.2 | M | 34 | ZeroCERT

11307 | 2021-08-14 09:41
File: P2SDus.exe
MD5: 4b1cfa1207d89791b682f40c6c9fc01d
Tags: Generic Malware, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, AutoRuns, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, Tofsee, Windows, Browser, DNS, Cryptographic key, Software, crashed
URLs (8):
  http://music-sec.xyz/?k=v2&user=p2_6
  http://music-sec.xyz/?k=v2&user=p2_5
  http://music-sec.xyz/?k=v2&user=p2_4
  http://music-sec.xyz/?k=v2&user=p2_3
  http://music-sec.xyz/?k=v2&user=p2_2
  http://music-sec.xyz/?k=v2&user=p2_1
  https://iplogger.org/1WEBy7
  https://iplogger.org/1WQBy7
Hosts (5):
  music-sec.xyz (172.67.190.140)
  iplogger.org (88.99.66.31) - malicious
  88.99.66.31 - malicious
  132.226.247.73
  104.21.92.87
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 8.6 | M | 31 | ZeroCERT

11308 | 2021-08-14 09:42
File: index.php
MD5: ab275081299757d7948052046332a6ee
Tags: UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, PDB, unpack itself
Score: 2.2 | - | 22 | ZeroCERT

11309 | 2021-08-14 09:43
File: makenobodyzx.exe
MD5: 1ea72895c4c7f412c3bd5aa4150a3a89
Tags: RAT, PWS, .NET framework, Generic Malware, UPX, Admin Tool (Sysinternals etc ...), .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, unpack itself, Windows, Cryptographic key
Score: 5.0 | M | 30 | ZeroCERT

11310 | 2021-08-14 09:44
File: Downloader.exe
MD5: 9388365245c1d52f5aebc8a3ef352665
Tags: RAT, Generic Malware, Antivirus, UPX, Malicious Library, .NET EXE, PE File, PE32, OS Processor Check, VirusTotal, Malware, powershell, PDB, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, unpack itself, Disables Windows Security, powershell.exe wrote, Check virtual network interfaces, suspicious process, AppData folder, Windows, ComputerName, DNS, Cryptographic key
URLs (1):
  http://95.181.155.150/files/release.exe
Hosts: 1 (none listed)
IDS alerts (4):
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 8.8 | M | 37 | ZeroCERT

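Three of the IDS alerts in this listing rest on the same simple idea: the declared shape of an HTTP exchange does not match its content. Entry 11302 (the Vidar/Oski stealer) fetched payloads named 1.jpg through 7.jpg that were executables served as image/jpeg and POSTed stolen data to a .jpg URL; entry 11310 pulled a PE straight from a bare IP address. The script below is an added example, not code from the listing, from ZeroCERT or from the Emerging Threats rules it imitates: it re-implements those checks in plain Python so they can be run over extracted HTTP metadata offline. The hosts and paths in SAMPLE are taken from the two entries; the response bodies, the benign cdn.example.com rows and the label names are constructed for the example. It checks the PE header through e_lfanew rather than stopping at the two "MZ" bytes, which is what keeps the text-that-starts-with-MZ row from firing.

```python
"""Plain-Python versions of the content/declaration mismatch checks behind
'Data POST to an image file (jpg)', 'Suspicious EXE Download Content-Type image/jpeg'
(entry 11302) and 'SUSPICIOUS Dotted Quad Host MZ Response' (entry 11310).
Added example; the exchanges in SAMPLE are constructed, not sandbox captures."""
from ipaddress import ip_address

IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif", "image/bmp"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def looks_like_pe(body: bytes) -> bool:
    """True only if the DOS header's e_lfanew points at a real 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return 0 < e_lfanew <= len(body) - 4 and body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_dotted_quad(host: str) -> bool:
    """Host header is a literal IPv4 address (optionally with a port), not a name."""
    try:
        ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify(method, host, path, content_type, body):
    """Return the labels that fire for one request/response pair (empty list if none)."""
    labels = []
    ctype = content_type.split(";")[0].strip().lower()
    if method.upper() == "POST" and path.lower().endswith(IMAGE_EXTS):
        labels.append("post_to_image_path")  # stealer exfil disguised as an image upload
    if looks_like_pe(body):
        if ctype in IMAGE_TYPES:
            labels.append("exe_with_image_content_type")  # payload served as a picture
        if is_dotted_quad(host):
            labels.append("mz_response_from_dotted_quad_host")  # second stage from a bare IP
    return labels


# Constructed minimal PE: DOS header whose e_lfanew (0x40) points at a 'PE\0\0' signature.
PE_STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
# Constructed JPEG start-of-image marker followed by padding.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 60

# Constructed exchanges: hosts/paths from entries 11302 and 11310, bodies and the
# benign cdn.example.com rows invented for the example.
SAMPLE = [
    ("GET",  "zau.divendesign.in", "/1.jpg",             "image/jpeg",               PE_STUB),
    ("POST", "zau.divendesign.in", "/3.jpg",             "text/html",                b"<html></html>"),
    ("GET",  "95.181.155.150",     "/files/release.exe", "application/octet-stream", PE_STUB),
    ("GET",  "cdn.example.com",    "/logo.jpg",          "image/jpeg",               JPEG_STUB),
    ("GET",  "cdn.example.com",    "/readme.txt",        "image/jpeg",               b"MZ is just text here"),
]


def run(sample=SAMPLE):
    """Classify every exchange; keys are 'METHOD host/path'."""
    return {f"{m} {h}{p}": classify(m, h, p, ct, b) for m, h, p, ct, b in sample}


if __name__ == "__main__":
    for key, labels in run().items():
        print(f"{key:45s} {labels or '-'}")
```

In a real pipeline the inputs would come from a proxy log or a Zeek http.log joined with the first bytes of each response body; the checks themselves do not change.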