11551 |
2021-08-20 09:17
|
fibo.exe 18bd1660bcab90d7ae7236da4a070918 UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution |
3
https://a2ooiw.sn.files.1drv.com/y4mE7XbSQXuZC9yYWp7AUZU0ZKgvmTacBuyD7WsIASM6IO9-p1TuQ8utdj6pKiooBRT7NSppFynY2HU1E7LUO7MTQprfN3i3jeghtE0I055rFBxTM0RGdo2IK0TDKRmgj68KbY9MMsf_ejwdv1lkwxXjAuH1OrWGGrYHCcD-ohf6XGb9Nv4UPD9_gKiMQXEj0jeN9Iazhno6ozmNeNyI-iWlg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg https://a2ooiw.sn.files.1drv.com/y4m-DtusEGdlWhmlRB9W9DH3UrnVHV-LboxupN_yLq3KU4drRJETI9tgtkiUXtXaK5FqWdNquQhyxx9L_gwMLPJUY_k5XNap3ppghjTnPIUW47IPZ_7LmMTNgwxNhuipdELBpTC5ecx-Tgn_IjtpNErT657fkkX2jFJT_IDJQoqSSG2_v9bq7nuKh8C0RynsDJnNPeRRHVd2P8852lisgHDgg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
|
6
onedrive.live.com(13.107.42.13) - mailcious twistednerd.dvrlists.com(62.102.148.152) - mailcious a2ooiw.sn.files.1drv.com(13.107.42.12) 13.107.42.13 - mailcious 13.107.42.12 - malware 62.102.148.152
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
|
21 |
ZeroCERT
11552 |
2021-08-20 09:17
|
apines1.exe d942626640bd34a96b1887f24feeecf7 UPX Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
36 |
ZeroCERT
11553 |
2021-08-20 09:18
|
SavesrefruntimedlldriverMonito... a2226ebbc6b9170a8ce5c238dd2cfc68 RAT Generic Malware UPX Malicious Packer PE File OS Processor Check .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS crashed |
5
http://ip-api.com/line/?fields=hosting http://80.87.199.216/packetprocess.php?qCZPnDy16i5fg2D0rglocPB=iB6OrBMLF9HJtTnAS&8LpNgr7MgS4xPaB3qmGkK5Wuahu=HY3kVmQ00VfPQfe3QRtrHzmB4spDy&x86DEIZUcnJKDUG1TobddIxDwSv2p=6NB5igTNaVd6zGh7vS4D&7e3a3ef18428fe71357b9150e384c75b=gZ3ATYhJGZ2ADN2UTM2UDMiBjNwATNyADN2IDMiVWYiRTMyQWOyczYyIjN1ITOykzNyITN5IjM&2ea7ec2a64fd1c290035512855f53c76=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&3394755a4396faac6f769a1f2b028eaa=0Vfic2QLFEWhZTNDRWdWJjWolzQkVnVyoFa5kWT0kERPZTQU5Ee0MkTw0EVNV3ZE1Ue0MlTzUkaDRmWU5kNVRVTnVkaNdXSqxENBpGT3lkeXJiOiMGNmZGOkF2MyEGO1MmN4YzMjdzMxQzY2ATO0Y2Y3MGNiwiIxcTYwQzNyE2YjZ2MwMmNycTYjhTY1kjNxgDZkJWN0cDNxgTN0IDM5IiOigjN3YmM0QDZwYDN4kTM0UGOmNzYwgDN5MTMyITMhBDMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiUmZwEDO4kTMjRmMjZmN3kjYmVGZkZ2NhFTNyIWYmVTMis3W http://80.87.199.216/packetprocess.php?qCZPnDy16i5fg2D0rglocPB=iB6OrBMLF9HJtTnAS&8LpNgr7MgS4xPaB3qmGkK5Wuahu=HY3kVmQ00VfPQfe3QRtrHzmB4spDy&x86DEIZUcnJKDUG1TobddIxDwSv2p=6NB5igTNaVd6zGh7vS4D&7e3a3ef18428fe71357b9150e384c75b=gZ3ATYhJGZ2ADN2UTM2UDMiBjNwATNyADN2IDMiVWYiRTMyQWOyczYyIjN1ITOykzNyITN5IjM&2ea7ec2a64fd1c290035512855f53c76=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&fcd9bfc24bb087cd4651a420f201fd8d=d1nIxcDOxImMlNGNiJWMwcDZzIzYwMWYzIjNxEzYzcjMlZTOyY2NlRWO1IiOigjN3YmM0QDZwYDN4kTM0UGOmNzYwgDN5MTMyITMhBDMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiUmZwEDO4kTMjRmMjZmN3kjYmVGZkZ2NhFTNyIWYmVTMis3W http://80.87.199.216/packetprocess.php?qCZPnDy16i5fg2D0rglocPB=iB6OrBMLF9HJtTnAS&8LpNgr7MgS4xPaB3qmGkK5Wuahu=HY3kVmQ00VfPQfe3QRtrHzmB4spDy&x86DEIZUcnJKDUG1TobddIxDwSv2p=6NB5igTNaVd6zGh7vS4D&f5086507d7d6e3265419d4a313a1af60=90c6dd95845cee8f42b83f4a83154e97&2ea7ec2a64fd1c290035512855f53c76=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&qCZPnDy16i5fg2D0rglocPB=iB6OrBMLF9HJtTnAS&8LpNgr7MgS4xPaB3qmGkK5Wuahu=HY3kVmQ00VfPQfe3QRtrHzmB4spDy&x86DEIZUcnJKDUG1TobddIxDwSv2p=6NB5igTNaVd6zGh7vS4D 
http://80.87.199.216/packetprocess.php?qCZPnDy16i5fg2D0rglocPB=iB6OrBMLF9HJtTnAS&8LpNgr7MgS4xPaB3qmGkK5Wuahu=HY3kVmQ00VfPQfe3QRtrHzmB4spDy&x86DEIZUcnJKDUG1TobddIxDwSv2p=6NB5igTNaVd6zGh7vS4D&7e3a3ef18428fe71357b9150e384c75b=gZ3ATYhJGZ2ADN2UTM2UDMiBjNwATNyADN2IDMiVWYiRTMyQWOyczYyIjN1ITOykzNyITN5IjM&2ea7ec2a64fd1c290035512855f53c76=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&fcd9bfc24bb087cd4651a420f201fd8d=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOigjN3YmM0QDZwYDN4kTM0UGOmNzYwgDN5MTMyITMhBDMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiUmZwEDO4kTMjRmMjZmN3kjYmVGZkZ2NhFTNyIWYmVTMis3W&730eb3cee6c6ef206083f7122c3734c1=0VfiIiOiMGNmZGOkF2MyEGO1MmN4YzMjdzMxQzY2ATO0Y2Y3MGNiwiIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOigjN3YmM0QDZwYDN4kTM0UGOmNzYwgDN5MTMyITMhBDMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiUmZwEDO4kTMjRmMjZmN3kjYmVGZkZ2NhFTNyIWYmVTMisHL9JCMulUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSapUaPlGNXFGdSdVU6xWbJNXSpRVavpWS0ZkMZlmVyYles1WSzl0UXl2bqlEb1IjYvJ0MilnTXFmTOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnRDMTd2dXlVd5cVY65EWa1WOtNWUClnTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJhmVtNmd0VUSvJFWkZnTGlEdBNkWsxWbaBnTXp1dOhUSwkTbUl2bqlkbKNjYpdXaJVzZU1Ee0knT5VERMlXRE1UM0knT6lUaPlWTyI2cKNETplUMTl2bqlUNKhEZ1Z1MipmSDxUa3dFZ2ZlMVl2bqlUd5cVYuZVbjl2dplUMkdFToJ0MaVXOyUVavpWS1IFWhpmSDxUaBRlT4RzQOpXRqxENBpWT1VleOhXSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWSq1EMOhlWwoUaPlWVXJGa1s2Ys5EWWl2dplERCZFT5lERWRlVFZVavpWSsFzVZ9kTFVVa3lWS4RzQOVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMGNmZGOkF2MyEGO1MmN4YzMjdzMxQzY2ATO0Y2Y3MGNiwiIyEWZ3AzYmV2M1QGN4ADNmlDZllTMmZmYyUGMlZzM1YGZiR2M4UGOyIiOigjN3YmM0QDZwYDN4kTM0UGOmNzYwgDN5MTMyITMhBDMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiUmZwEDO4kTMjRmMjZmN3kjYmVGZkZ2NhFTNyIWYmVTMis3W
|
3
ip-api.com(208.95.112.1) 80.87.199.216 208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
6.4 |
|
38 |
ZeroCERT
11554 |
2021-08-20 09:23
|
smm.exe f06588724e79ef9502afe278ee0fc66d RAT PWS .NET framework BitCoin Generic Malware UPX SMTP AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
|
1
|
|
|
8.8 |
M |
36 |
ZeroCERT
11555 |
2021-08-20 09:23
|
file5.exe 44186c5a72e2f2f7e6ccc9989f7b025f Generic Malware Themida Packer PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed |
2
http://135.181.134.27:54477/ https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172) 104.26.12.31 135.181.134.27
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
9.6 |
M |
30 |
ZeroCERT
11556 |
2021-08-20 09:25
|
cd14.exe 822591641c9d6d7cd6a12037c6b418d6 RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
|
1
198.98.49.129 - mailcious
|
|
|
4.2 |
M |
50 |
ZeroCERT
11557 |
2021-08-20 09:26
|
Bzboosttt.exe a055c5bf6726eaf334bb919722f0197d PWS .NET framework NPKI Generic Malware PSW Bot LokiBot ZeusBot Admin Tool (Sysinternals etc ...) UPX KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware IoC Microsoft AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key |
4
http://sh2585396.b.had.su//loader.txt http://45.156.27.166/12345.exe http://sh2585396.b.had.su//cisCheckerstroke.php http://sh2585396.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av=
|
3
sh2585396.b.had.su(92.119.113.115) 45.156.27.166 - malware 92.119.113.115 - malware
|
8
ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related ET MALWARE Generic gate[.].php GET with minimal headers ET HUNTING Suspicious GET To gate.php with no Referer
|
|
14.8 |
M |
29 |
ZeroCERT
11558 |
2021-08-20 09:32
|
install2285.exe 8b0f8c97e965175050da42c13c111b7d RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://45.129.236.6:56220/ https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31) 45.129.236.6 172.67.75.172
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
7.2 |
M |
39 |
ZeroCERT
11559 |
2021-08-20 09:32
|
acd.exe 3d1fdad54d7d8900613e79e555fa93ea RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://141.95.23.41:62480/ https://api.ip.sb/geoip
|
4
api.ip.sb(104.26.13.31) 172.67.75.172 141.95.23.41 92.119.113.115 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
7.4 |
M |
44 |
ZeroCERT
11560 |
2021-08-20 09:33
|
1109507197.exe 9dc9f133beab8d851147917573119400 UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.6 |
M |
50 |
ZeroCERT
11561 |
2021-08-20 09:35
|
1048019981.exe d0aa9f9f1051d5ec09152411a540e392 UPX Malicious Library PE File PE32 PDB unpack itself Remote Code Execution |
|
|
|
|
1.2 |
M |
|
ZeroCERT
11562 |
2021-08-20 09:36
|
lipster.exe 35878c80b3957a04c99270e45d66f3cc Generic Malware UPX Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
49 |
ZeroCERT
11563 |
2021-08-20 09:37
|
rollerkind2.exe 8592015a4beab9f11614e49ae3080bbb UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
33 |
ZeroCERT
11564 |
2021-08-20 09:38
|
sergey11.exe 7b43102eac227f292e0534dbcd99e797 RAT PWS .NET framework Gen1 Gen2 BitCoin Generic Malware UPX Malicious Library Malicious Packer SMTP ScreenShot Http API Steal credential AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key |
5
http://45.140.147.35//l/f/yg35YHsBPvGyIjkLmccH/8d02576b82138d2b010fc768953f1941bd716a7e http://45.140.147.35/ http://45.140.147.35//l/f/yg35YHsBPvGyIjkLmccH/c3389610b851607a24842e7bc0dc8a2c5f85d167 https://testmonbot.space/smm.exe https://telete.in/hobaoparunjohnyrun2
|
6
telete.in(195.201.225.248) - mailcious testmonbot.space(82.146.63.123) - malware 195.201.225.248 - mailcious 95.179.166.29 82.146.63.123 - malware 45.140.147.35
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
16.6 |
M |
38 |
ZeroCERT
11565 |
2021-08-20 09:39
|
vbc.exe c465f78b104d49976e2fda4921ceb312 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
2
http://www.conveniencestorelosangeles.com/m3n0/?FPWhH4Y=Y8aNBIvgUljk+Y154DjGmLXqNUZReizFXju5Ab+xsn7ClCWV4MsKuafR6FKqj9jPN8Yt2Da/&Bl=lHUl2XmxXLc http://www.elsonidodelacalle.com/m3n0/?FPWhH4Y=m4MFs36Ucpj1GyErAGBxkzm4FiJMt3pbCU5S1e6L9Cs2CafjD4xrmEyE6l1gxjHDfcxPRFuP&Bl=lHUl2XmxXLc
|
4
www.elsonidodelacalle.com(209.99.64.55) www.conveniencestorelosangeles.com(52.44.94.227) 52.44.94.227 209.99.64.55 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
M |
28 |
ZeroCERT