11386 | 2021-08-17 09:54 | bHiq3IZ1xoLA.php | MD5 ffc642eb82de920453e88f647fb4c246
Tags: Malicious Packer Malicious Library PE File DLL PE32 unpack itself Windows crashed
Score: 1.6 | ZeroCERT
11387 | 2021-08-17 09:56 | dow-2.exe | MD5 79ccfb5a40b349d6012a35b7072f9f1a
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs: 16
Hosts: 17
Alerts (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs: 8
Score: 8.8 | M | 30 | ZeroCERT
11388 | 2021-08-17 09:56 | bobbyzx.exe | MD5 37a5f6cc78f098591dd05bf7dccbdcc5
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key
Score: 5.4 | M | 32 | ZeroCERT
11389 | 2021-08-17 09:58 | dow-01.exe | MD5 815a3dbde4d501e96222d6de9b0be3fc
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs: 18
Hosts: 18
Alerts (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs: 12
Score: 8.4 | M | 31 | ZeroCERT
11390 | 2021-08-17 09:59 | rundll32.exe | MD5 3a77a27df8d701a07b76d63091465c11
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
Score: 7.0 | M | 36 | ZeroCERT
11391 | 2021-08-17 09:59 | dow-0.exe | MD5 53d55c75030ff7d58afd45080fa00dd2
Tags: Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself Windows utilities AppData folder Windows
URLs: 10
Hosts: 25
Alerts (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs: 7
Score: 5.0 | M | 43 | ZeroCERT
11392 | 2021-08-17 10:01 | vbc.exe | MD5 2e11cb22fcff3e1fbf803fea30380e75
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware unpack itself Tofsee Remote Code Execution crashed
URLs (1): https://cdn.discordapp.com/attachments/872498603363536989/876731431555059753/Zmlkqojaxmhcbtpljtjnfjssfmlwqrp
Hosts (2): cdn.discordapp.com(162.159.133.233) - malware; 162.159.129.233 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.8 | M | 45 | ZeroCERT
11393 | 2021-08-17 10:03 | .svchost.exe | MD5 c8f7096833654a62280f5897fccfde65
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process VMware anti-virtualization Windows ComputerName Cryptographic key Software
URLs (1): http://www.glendalesocialmediaagency.com/nff/?O0DHs=E6fLQbQj7XlE7pKggeHtmkhlLAH8o5Ikh6AParAHUnAgUAgt+y3sQatBmkz+P0Uh2HxyM3jL&uTxX=ApmHH4
Hosts (4): www.glendalesocialmediaagency.com(34.102.136.180); www.cuesticksandsupplies.com(); www.shinseikai.site(); 34.102.136.180 - mailcious
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Score: 12.2 | M | 27 | ZeroCERT
11394 | 2021-08-17 10:05 | vbc.exe | MD5 61521d238c7c60ca7e91881ffda4a5fa
Tags: UPX Malicious Library PE File OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://everydaywegrind.ga/BN22/fre.php
Hosts: 1
Alerts (1): ET INFO DNS Query for Suspicious .ga Domain
Score: 7.0 | M | 40 | ZeroCERT
11395 | 2021-08-17 10:07 | dllhost.exe | MD5 5ee375628c34cd0aa0833e24bc31087a
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
Hosts (2): www.generlitravel.com(); www.betternatureproducts.net()
Score: 7.4 | M | 26 | ZeroCERT
11396 | 2021-08-17 10:15 | zxcv.EXE | MD5 575f6a65c28682f88fa808ba8e862d7f
Tags: PWS Loki[b] Loki.m Raccoon Stealer Gen1 Gen2 Generic Malware UPX Malicious Library Malicious Packer DNS Socket KeyLogger HTTP Internet API ScreenShot Http API Steal credential AntiDebug AntiVM PE File PE32 DLL OS Processor Check GIF Format JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password
URLs: 13
Hosts: 6
Alerts (5): ET DROP Spamhaus DROP Listed Traffic Inbound group 25; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil; ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score: 21.8 | M | 42 | ZeroCERT
11397 | 2021-08-17 10:20 | Quranic Arabic Language Course... | MD5 6af2470805fe10cf881871a6babf9986
Tags: VirusTotal Malware RWX flags setting unpack itself Tofsee
URLs (2): https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/; https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/files-3607001e/
Hosts (2): behr.ppinewsagency.live(185.163.45.63) - mailcious; 185.163.45.63 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.4 | M | 3 | ZeroCERT
11398 | 2021-08-17 13:35 | vbc.exe | MD5 2875b6d653a9311f91e1a2f28e5538e1
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key
URLs: 6
Hosts: 14
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs: 5
Score: 9.2 | M | 39 | ZeroCERT
11399 | 2021-08-17 13:36 | 2.dll | MD5 37e26534b70abd664cfed4961ad6ecbf
Tags: UPX AntiDebug AntiVM PE File OS Processor Check DLL PE32 Dridex TrickBot VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName DNS crashed
URLs: 11
Hosts: 8
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me); ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Score: 10.4 | M | 6 | ZeroCERT
11400 | 2021-08-17 13:36 | vbc.exe | MD5 8396573aa3039b144f584107f785b321
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
Hosts (3): 105.27.205.34 - mailcious; 60.51.47.65 - mailcious; 36.66.188.251
Score: 3.0 | M | 30 | ZeroCERT