11491 | 2021-08-19 09:43
texts.exe dc1cbeeae12fd82cbbab918c6037b965 Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
7.6 | M | 30 | ZeroCERT
11492 | 2021-08-19 09:44
vbc.exe 46b2b8e7621a93ae6b876b071da55212 UPX Malicious Library AntiDebug AntiVM PE File OS Processor Check PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself Remote Code Execution
3 | http://www.wang0911.com/otcl/?uzu4=W0aQsAfnZT9K8WsD4i5637X8WoT/2UA8HayUDBPHV5pQR9uMddXCE1ucNEuG5AYfMdvmFofK&OjQl7x=9r74bd4h http://www.fussionpromos.com/otcl/?uzu4=R6pBimEX126Y/7jz26NSIB+pAf+iSCkbIcynLs+ia55rI8fnMgFdof6zFKq4BsG3kSXOUZFo&OjQl7x=9r74bd4h - rule_id: 3833 http://www.sxhuanghe.com/otcl/?uzu4=bykNueCGzGef1kTLSC6P98gcCLtJHJm8XaoDN192w2lHtEo2seD5whRxipE3R8Jwf92JqfL+&OjQl7x=9r74bd4h
8 | www.sxhuanghe.com(3.223.115.185) www.schuldenzaesurgesetz.info() www.fussionpromos.com(192.254.185.89) www.wang0911.com(154.92.6.107) www.onenesstokyo.com() 3.223.115.185 - mailcious 154.92.6.107 192.254.185.89 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
1 | http://www.fussionpromos.com/otcl/
8.4 | M | 46 | ZeroCERT
11493 | 2021-08-19 09:45
microsoft.exe 1edf6239fdc16549861e1b187c396ce2 email stealer Generic Malware DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows Cryptographic key crashed
9.8 | M | 32 | ZeroCERT
11494 | 2021-08-19 09:47
doc.exe e6ae96286fa8a92b9cd34d39a8170c29 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
10.6 | M | 23 | ZeroCERT
11495 | 2021-08-19 09:48
fish.exe 3306d43a83c6d6c58cee03e51617ee21 Generic Malware Admin Tool (Sysinternals etc ...) UPX DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
3 | newmeforever.3utilities.com(79.134.225.25) newmeforever12.3utilities.com() 79.134.225.25 - mailcious
1 | ET POLICY DNS Query to DynDNS Domain *.3utilities .com
14.6 | M | 30 | ZeroCERT
11496 | 2021-08-19 09:49
vbc.exe f5dd75dff7af606ddb23acee9872b6b2 UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName
29 | http://www.threatprotection.net/6mam/ http://www.miamiqueensdress.com/6mam/?WbTDk=EBok50QODh/qmCP7J2xI5qJEvLCVP7z6QxySw5ZUrU5I7S6miF2cwhtfnH/LuNQ5P6YcYCdk&oXMx2h=yRnHMfEXqtjp - rule_id: 3582 http://www.fuzhourexian.com/6mam/ - rule_id: 3580 http://www.blueline-productions.co.uk/6mam/ http://www.fuzhourexian.com/6mam/?WbTDk=qbpZFH7voKbXHHWLfMfEAiwyGaz4A1Dlq6aJ6MnbqPgDgfYDR2UnLoNROh/k48NFxcmn1xi3&oXMx2h=yRnHMfEXqtjp - rule_id: 3580 http://www.kykyryky.art/6mam/?WbTDk=YhmCqIEbUGfuw5buP1ux4NwPyUbKdSmuBWvVd54Q/24mN/u1gMwH9i6nnbSMiSrA5lPx01TB&oXMx2h=yRnHMfEXqtjp - rule_id: 3577 http://www.genesysshop.com/6mam/ - rule_id: 4000 http://www.ilovemehoodie.com/6mam/?WbTDk=WcJFy0FDyb1eQp1HHEDezlfsnB+bgSZ9M5sCd3/XEWVbVLaHwBgyDt5AxetLVNVTX35rQb0V&oXMx2h=yRnHMfEXqtjp - rule_id: 4001 http://www.mypursuitpodcast.com/6mam/?WbTDk=U4etKMGnApM4LPry/y2VHJ3U/bl1CG9Jeeehw1oO6+oHUhxigrqTTryZm0Ujj1iWyaAjlaMg&oXMx2h=yRnHMfEXqtjp http://www.bagyat.com/6mam/?WbTDk=iV+++IZpql/PnhwiHoT5F+UEaK9f6TfC+P1mkxzUfgS/Y+pmMP73bpSijNJOr1JGqobxJRWc&oXMx2h=yRnHMfEXqtjp http://www.genesysshop.com/6mam/?WbTDk=gbNVLwi1vO2ZsTKwdijolRE+nd+f4bOFGjLO6oLWdkpAXgcu19jDQ9iXEv77aHIk6xstCEEF&oXMx2h=yRnHMfEXqtjp - rule_id: 4000 http://www.ilovemehoodie.com/6mam/ - rule_id: 4001 http://www.mobiessence.com/6mam/ - rule_id: 3578 http://www.threatprotection.net/6mam/?WbTDk=5U63IG+8vBO93ME5ubhPJsaYeNu0pzfei2tMILncnfG3lfTZPYhqalgINgf11uesldX0DPY5&oXMx2h=yRnHMfEXqtjp http://www.delhibudokankarate.com/6mam/?WbTDk=Dhv3NEq6R5NPQZs0dIik/SqBuvIY1/ydOcIgQc1Go12Tt/gNYl4yWQ2VA57WdGuU8YdfRGOR&oXMx2h=yRnHMfEXqtjp - rule_id: 4168 http://www.amazebrowser.com/6mam/ - rule_id: 4002 http://www.amazebrowser.com/6mam/?WbTDk=bdYiy4dFQ1FKdK0RHZb8AKGKI6CI94rlWbRWgupG1OIMQwt3tgAXT6Nv0jCitXCfOrToZzYc&oXMx2h=yRnHMfEXqtjp - rule_id: 4002 http://www.delhibudokankarate.com/6mam/ - rule_id: 4168 http://www.mobiessence.com/6mam/?WbTDk=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&oXMx2h=yRnHMfEXqtjp - rule_id: 3578 http://www.adenxsdesign.com/6mam/ - rule_id: 4003 http://www.adenxsdesign.com/6mam/?WbTDk=tU44klL44EKqmodFv/jg5nrIY8m9SPufik0gg789I5xKoKlf2FGRw1yhbPhqQNhokqqERcg/&oXMx2h=yRnHMfEXqtjp - rule_id: 4003 http://www.kykyryky.art/6mam/ - rule_id: 3577 http://www.blueline-productions.co.uk/6mam/?WbTDk=DNrR1GaWXHlbTOpdMpUbF0coFsiHOlXFagQQYcV57R3aprlTATx9iTyvS/+hnA5kOUeynF9h&oXMx2h=yRnHMfEXqtjp http://www.bagyat.com/6mam/ http://www.mypursuitpodcast.com/6mam/ http://www.miamiqueensdress.com/6mam/ - rule_id: 3582 https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21122&authkey=APxDcNiaNod5Ikk https://dkyyda.sn.files.1drv.com/y4mrSimVfItmLHInNrSOJmhcu7jSN40x5ikR2n0jNVSGWcdC2tCdOiGTr4rigJL5sdDQ3GAZDSGjkFLKwcbPR2J-NBnZnhI8eC2Gkttmfb0hbRsQUXseigyCEA03KPHHw5YV_PP0de9LoaSk6O5SImU0jQhYk4bmDbERwII7h5Me9r9H0jwpYg-pfTPUVILyDYtxaM02eAiAksWwCQse3Pz4w/Cvieuwqzlnyecwrnrfxtrahtdbaboaj?download&psid=1 https://dkyyda.sn.files.1drv.com/y4m97_S5N0dD1MsmWaq0eYG0Sb7_XlfGPp7W0ONc_xDzt_HblQFoIpUN4BloCEjg8c5mWj_pPLTdK3USNiULYn8KSFtBVDT5ZMMUxo9BEFVfSlNYC9ZvXK6cCn9X_Ea6X9Eud5mrCSEIKB6Z2D5F0-aYMIvpgMQrOPwfWQl11H4pZxOl5LJi78yhlQq8bDMvbt7DlLP3RdQUbpBJO2ZsjqwSg/Cvieuwqzlnyecwrnrfxtrahtdbaboaj?download&psid=1
30 | www.delhibudokankarate.com(154.215.87.120) onedrive.live.com(13.107.42.13) - mailcious dkyyda.sn.files.1drv.com(13.107.42.12) www.fuzhourexian.com(47.245.33.84) www.mobiessence.com(52.58.78.16) www.adenxsdesign.com(217.160.0.46) www.amazebrowser.com(207.244.67.214) www.miamiqueensdress.com(75.2.115.196) www.bagyat.com(209.99.40.222) www.threatprotection.net(52.58.78.16) www.kilbyrnefarm.com() www.mypursuitpodcast.com(34.102.136.180) www.blueline-productions.co.uk(85.233.160.23) www.coicplat.com() - mailcious www.genesysshop.com(34.102.136.180) www.ilovemehoodie.com(23.227.38.74) www.kykyryky.art(194.67.71.40) 154.215.87.120 - mailcious 52.58.78.16 - mailcious 47.245.33.84 - mailcious 37.48.65.148 194.67.71.40 13.107.42.13 - mailcious 13.107.42.12 - malware 209.99.40.222 - mailcious 34.102.136.180 - mailcious 75.2.115.196 - mailcious 217.160.0.46 - mailcious 85.233.160.22 - mailcious 23.227.38.74 - mailcious
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
18 | http://www.miamiqueensdress.com/6mam/ http://www.fuzhourexian.com/6mam/ http://www.fuzhourexian.com/6mam/ http://www.kykyryky.art/6mam/ http://www.genesysshop.com/6mam/ http://www.ilovemehoodie.com/6mam/ http://www.genesysshop.com/6mam/ http://www.ilovemehoodie.com/6mam/ http://www.mobiessence.com/6mam/ http://www.delhibudokankarate.com/6mam/ http://www.amazebrowser.com/6mam/ http://www.amazebrowser.com/6mam/ http://www.delhibudokankarate.com/6mam/ http://www.mobiessence.com/6mam/ http://www.adenxsdesign.com/6mam/ http://www.adenxsdesign.com/6mam/ http://www.kykyryky.art/6mam/ http://www.miamiqueensdress.com/6mam/
10.4 | M | 25 | ZeroCERT
11497 | 2021-08-19 09:49
123.exe f9fd13cdacab6e8e8a57b6d48c2434f4 Generic Malware Themida Packer Anti_VM PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed
1 |
7.4 | M | 26 | ZeroCERT
11498 | 2021-08-19 09:50
AugustFotosAlbom.exe 8195a17c3ec5f3df03202016050a456b Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger RWX flags setting unpack itself suspicious process Tofsee Interception
2 | dnziplik.com.tr(95.173.189.98) 95.173.189.98 - mailcious
3 | SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | | 10 | ZeroCERT
11499 | 2021-08-19 09:52
docx.exe 060d51548927a76054327f8d17aca3a1 RAT PWS .NET framework email stealer Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
1 |
11.0 | M | 27 | ZeroCERT
11500 | 2021-08-19 09:52
richyzx.exe 0951bbdc6abd651b72cbc6fd5c06a95a Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
9.0 | M | 28 | ZeroCERT
11501 | 2021-08-19 09:54
kl4.exe ec10291029375563c6f4f5151700e789 Generic Malware Themida Packer PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed
2 | http://188.124.36.242:25802/ - rule_id: 4226 https://api.ip.sb/geoip
3 | api.ip.sb(104.26.12.31) 104.26.13.31 188.124.36.242 - mailcious
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
1 | http://188.124.36.242:25802/
10.0 | M | 23 | ZeroCERT
11502 | 2021-08-19 09:55
excel.exe d91aec7f3d8b6583ead18b236e082c01 AgentTesla(IN) RAT Generic Malware Malicious Library Malicious Packer PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Checks debugger exploit crash unpack itself Windows Exploit Browser Email Cryptographic key Software crashed
7.0 | M | 50 | ZeroCERT
11503 | 2021-08-19 09:56
DOC.exe 529e59864d8d624d0b6f50ed3f29ab1a email stealer Generic Malware DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS Cryptographic key DDNS crashed
2 | tobi12345.hopto.org(18.118.55.110) 18.118.55.110
1 | ET POLICY DNS Query to DynDNS Domain *.hopto .org
15.2 | M | 24 | ZeroCERT
11504 | 2021-08-19 10:01
gg.exe e2d90156ab03ca59299b499a70cd598d RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
2 | http://45.140.147.31:22127/ https://api.ip.sb/geoip
3 | api.ip.sb(104.26.12.31) 104.26.13.31 45.140.147.31
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
7.4 | M | 43 | ZeroCERT
11505 | 2021-08-19 10:01
lv.exe 21251e40d18b7366c30efacb9f2f45a3 Emotet Gen1 NPKI Gen2 Malicious Library UPX Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiD VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows
1 |
6.6 | M | 23 | ZeroCERT