11431 |
2021-08-18 11:03
|
anthonyzx.exe 2c47f030311ad86019602b0da8298332 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
9.2 |
M |
32 |
ZeroCERT
11432 |
2021-08-18 11:06
|
fdseventeen.exe 5c978476aaf6e02c5cd840da6b550bb6 PWS Loki[b] Loki.m RAT .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://manvim.co/fd17/fre.php
|
2
manvim.co(193.187.173.105) - mailcious 193.187.173.105
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
13.2 |
M |
42 |
ZeroCERT
11433 |
2021-08-18 11:07
|
vbc.exe 24de92095889ef49c35dcc6f687627e5 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1
https://pastebin.pl/view/raw/2281be39
|
2
pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
27 |
ZeroCERT
11434 |
2021-08-18 11:19
|
rcd.exe 679b38d3297913cec51412919546f0fc RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://198.98.49.129:23948/ https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31) 104.26.12.31 198.98.49.129
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
7.4 |
M |
43 |
ZeroCERT
11435 |
2021-08-18 11:20
|
cd13.exe af366ca287f4fff65e730d609d3f6bd2 RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://198.98.49.129:23948/ https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31) 104.26.12.31 198.98.49.129
|
2
SURICATA HTTP unable to match response to request SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.2 |
M |
|
ZeroCERT
11436 |
2021-08-18 11:20
|
JABKA9983.exe 2093d467e65e9dbad2a55577d9f8d396 RAT PWS .NET framework Generic Malware UPX Malicious Library VMProtect PE File OS Processor Check .NET EXE PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://51.89.92.99:5965/ http://f0569268.xsph.ru/jkfe.exe https://api.ip.sb/geoip
|
5
f0569268.xsph.ru(141.8.193.236) api.ip.sb(104.26.13.31) 51.89.92.99 104.26.13.31 141.8.193.236 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
|
11.6 |
M |
48 |
ZeroCERT
11437 |
2021-08-18 11:22
|
arinzezx.exe 35f1d0f2f60b193c004a81b219c0dcc7 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(158.101.44.242) 216.146.43.70 - suspicious 104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
12.8 |
M |
35 |
ZeroCERT
11438 |
2021-08-18 11:22
|
tzd.exe fb4b33133ac61d537322520e6aacdf44 RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key |
2.8 |
M |
39 |
ZeroCERT
11439 |
2021-08-18 11:24
|
kbinzx.exe 3038c63be8eb4248dcb08e75fa8da3c1 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
11.0 |
M |
42 |
ZeroCERT
11440 |
2021-08-18 11:25
|
ashleyzx.exe c36a8f55e7338503e15ef4d91bb39eff RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities AppData folder Windows Cryptographic key |
7
http://www.laboxfruits.com/ushb/?8p=cnJRCx/8gXfqG0AeOtfEiBLZmKijMT5JINgnFjX2euOW97xlQv5X3xed64+8PDjGkPRul3v3&LJBx=yVPd7xKPhhkxdz- http://www.ossotasarim.com/ushb/?8p=Kis9qagQgFI/pgEC90LDhBb2/hkn9V+B079wctmSP192jSk/5pov+dY2uUpHLbHPLnwA/Tk/&LJBx=yVPd7xKPhhkxdz- - rule_id: 2507 http://www.m-midas.com/ushb/?8p=KETTpM1456fImzG2o/HCqgJBte/IHmJz01Qx96IPJzNgkPHHpmXueOKRfDyrAPg68mjcbOiZ&LJBx=yVPd7xKPhhkxdz- - rule_id: 2509 http://www.multitraditional.com/ushb/?8p=Oc4WjS4DBu5AvhP85U59EprkqoXzMyfsJMpdZ9aVqZv/kvrlgbGtP2m1bh6Ukc03AoFAKmiH&LJBx=yVPd7xKPhhkxdz- - rule_id: 2510 http://www.freekylerittenhouse.info/ushb/?8p=S+y2noS/WGWQLEH4BKXJSsE1C+Zz8LcS642rc/nlHjL121/uVEOi1SPgawYhQUq2iYV/P4Hf&LJBx=yVPd7xKPhhkxdz- http://www.torbencoaching.com/ushb/?8p=sOcEsZuhq/HNqMRqRLw+9xiGA2l4o8dKS2e1r9hsXhXVAE5ySSsuGgk58FH2c0S4O7wI+DCC&LJBx=yVPd7xKPhhkxdz- http://www.dianajhart.com/ushb/?8p=UtfrYFVcdOFaPextGJisK83MR3XnXmjD+ROUlPMj02XBuDTEFdQjeWO+Z9ZhYyxiluzvNSpR&LJBx=yVPd7xKPhhkxdz-
|
15
www.laboxfruits.com(213.186.33.5) www.m-midas.com(194.63.249.211) www.dianajhart.com(107.165.40.236) www.freekylerittenhouse.info(184.168.131.241) www.torbencoaching.com(163.172.16.94) www.multitraditional.com(144.168.44.250) www.domentemenegi19.com() www.ossotasarim.com(172.67.219.157) 104.21.17.25 - mailcious 194.63.249.211 - mailcious 213.186.33.5 - mailcious 184.168.131.241 - mailcious 163.172.16.94 107.165.40.236 144.168.44.250 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
3
http://www.ossotasarim.com/ushb/ http://www.m-midas.com/ushb/ http://www.multitraditional.com/ushb/
|
11.2 |
M |
23 |
ZeroCERT
11441 |
2021-08-18 11:26
|
osamazx.exe c0fc593778f04e09b617854121aaca04 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
9.4 |
M |
40 |
ZeroCERT
11442 |
2021-08-18 11:26
|
BIN.exe 2b26fb332ceca5db7983d7734d26db2d RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key |
2.8 |
M |
39 |
ZeroCERT
11443 |
2021-08-18 11:28
|
hot.exe 5fcbfeae2b818e9eab95723a87460401 UPX Malicious Library PE File OS Processor Check PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Malicious Traffic unpack itself DNS |
3
http://www.rakennuspalveluporola.net/pjje/?EfBt4J58=tciR5RhO8AOzFF2Y0LHmIQxwfdqW3+4WiATtW4d/M7Ww/p8yIrAXWYz16zTljOVX4hXvSiko&ohoXP=SzrlsD http://www.numerologistreading.com/pjje/?EfBt4J58=KXVTcvbjXDD0gNgiMX+DPSy5YiGOmUOJbVJCTGBH734hiXpMW6Qv+6qjmAKa6Qo7kv8Emjmh&ohoXP=SzrlsD http://www.mission-duplex.com/pjje/?EfBt4J58=kmMGCOOuyZn/Q8N+atCeYTYJw4/WIfZPwWB6wlOMycBYg5A/spRsR9LEwaIQQxcsBMDpWJd1&ohoXP=SzrlsD
|
7
www.numerologistreading.com(35.209.90.116) www.rakennuspalveluporola.net(34.102.136.180) www.mission-duplex.com(104.21.87.174) 35.209.90.116 172.67.170.122 34.102.136.180 - mailcious 104.21.19.200
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.8 |
M |
32 |
ZeroCERT
11444 |
2021-08-18 11:29
|
test.exe aba88ae23ef00a022dd6a09105b5a740 RAT Generic Malware UPX Malicious Packer PE File OS Processor Check .NET EXE PE32 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk IP Check VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key crashed |
|
3
ipinfo.io(34.117.59.81) 94.250.250.235 34.117.59.81
|
3
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
|
5.8 |
M |
48 |
ZeroCERT
11445 |
2021-08-18 11:31
|
obinnazx.exe a3ab9dcf6e3ba0e1f026fcf4b18065a0 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
3
http://www.mcgrudersfitness.com/gz92/?wPT=HdqjPEY9Rfu+aEeJAE6UNHawoElrodkwHbiBzE2NkYUOKlxn2k/XZs7wlcf35PTHZbYJ5c6F&oXN=6lXd02jp http://www.benvenutoqui.com/gz92/?wPT=2wbwf/0XTDTlOy+JXK0H3VKZklYIa6iQS9nAdKl5Qbk+iaYvuq4CQJRQa05WJzSTgPcgyDfZ&oXN=6lXd02jp http://www.liveyourmaverick.com/gz92/?wPT=GT0v1A3P0Wo01tn8aEVPdEKMGa27ABb6rwCD6aQ3acm9u+/FCvMWQnF1J5nq1GrsfOQ/roqE&oXN=6lXd02jp
|
6
www.mcgrudersfitness.com(184.168.131.241) www.benvenutoqui.com(162.241.224.131) www.liveyourmaverick.com(107.178.245.252) 162.241.224.131 - mailcious 107.178.245.252 - phishing 184.168.131.241 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
M |
26 |
ZeroCERT