11611 |
2021-08-21 08:57
|
file2.exe fb93137981cf5ba08d4ba71cc4062d6b RAT PWS .NET framework BitCoin Generic Malware SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
2
http://95.181.172.100:6795/ https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172) 172.67.75.172 95.181.172.100
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
M |
29 |
ZeroCERT
|
11612 |
2021-08-21 09:01
|
eli.exe 70ded05d874a95b1b3027c1e97b16287 Gen1 Gen2 Malicious Library Malicious Packer UPX PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory Creates executable files Collect installed applications AppData folder sandbox evasion anti-virtualization installed browsers check Browser Email ComputerName DNS Software |
1
http://212.192.246.242/rut/index.php
|
1
|
2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE AZORult v3.3 Server Response M1
|
|
9.2 |
M |
58 |
ZeroCERT
|
11613 |
2021-08-21 09:01
|
StoreTransaction.exe f9b9717cc21b3faf2d7387ae6d2c0958 RAT PWS .NET framework Generic Malware Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
27 |
ZeroCERT
|
11614 |
2021-08-21 09:02
|
file1.exe fb05824f223c928ba39e91fe17364438 RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
2
http://45.14.49.200:27625/ - rule_id: 4301 https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172) 172.67.75.172 45.14.49.200 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://45.14.49.200:27625/
|
6.8 |
M |
45 |
ZeroCERT
|
11615 |
2021-08-21 09:04
|
mo.exe c19e67355e7333e2d68b904fdcfdceec RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS |
2
https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll - rule_id: 4353
http://37.0.10.83/os/moses.exe
|
3
cdn.discordapp.com(162.159.135.233) - malware 37.0.10.83 - malware
162.159.129.233 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
|
4.2 |
M |
17 |
ZeroCERT
|
11616 |
2021-08-21 09:04
|
bin.exe 14035831d9b086963a7ab5d7fef18c6a Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
7
http://www.theredcymbalsco.com/n8ba/?qFN46FS8=9vokcWjtebBvVvQIm09VADFSZD35cLZafvs2RAD44ecvqP5w34gv75tdUdLM9TjFHQmC7+ER&zL08l=ejlHZpnp-0w8cX - rule_id: 4155 http://www.mtsnurulislamsby.com/n8ba/?qFN46FS8=S2NOBXxc9KVG355n/GTqJZ9TvZOj5eG5l/TRE661pXEkyU1xrLeeXx7YcLg8bxWnJIvn4GX8&zL08l=ejlHZpnp-0w8cX http://www.lovebirdsgifts.com/n8ba/?qFN46FS8=oiX0BtPaohd4yUWgi2fqZtos1OZweULA7b8umTfs2FuW0w1nHJyzCnpMFCunVwxOw3eqbn8k&zL08l=ejlHZpnp-0w8cX - rule_id: 4153 http://www.2020coaches.com/n8ba/?qFN46FS8=NxzbwTfN74Qr0N9aBkXP6mlceM3BY6ydPowPg7M1Vpps+oNpFl450TWD3FC8MDJ/A390J+Rd&zL08l=ejlHZpnp-0w8cX http://www.narrowpathwc.com/n8ba/?qFN46FS8=RqoVB/kTevwYNrpQ68VGCKAD0SwVXhGBA25gncTDeHVSc/TtzgJJgXlZbrh2RaVrYM4D7bqC&zL08l=ejlHZpnp-0w8cX - rule_id: 4154 http://www.77k6tgikpbs39.net/n8ba/?qFN46FS8=RtTzTU3TYCJ9InQDD9LSAzrYY/u3W4uB/I26NcaQBFhoVTbvwK5wRjd6LNsy02kDp7Xu5STA&zL08l=ejlHZpnp-0w8cX - rule_id: 4156 http://www.rrinuwsq643do2.xyz/n8ba/?qFN46FS8=Kggo6N8ytGdENgV+RTl9vbd401xWHVMgNTt/nC5HO7MaxCAqlUcE2D/jOlYaIwQzO1aToKWd&zL08l=ejlHZpnp-0w8cX
|
17
www.shopliyonamaaghin.net() - mailcious www.lostbikeproject.com() - mailcious www.mtsnurulislamsby.com(209.99.40.222) www.77k6tgikpbs39.net(103.120.14.183) www.aprendelspr.com() www.rrinuwsq643do2.xyz(49.156.179.85) www.lovebirdsgifts.com(23.227.38.74) www.theredcymbalsco.com(184.168.131.241) www.narrowpathwc.com(182.50.132.242) www.2020coaches.com(34.102.136.180) 184.168.131.241 - mailcious 209.99.40.222 - mailcious 34.102.136.180 - mailcious 49.156.179.85 103.120.14.170 182.50.132.242 - mailcious 23.227.38.74 - mailcious
|
3
ET MALWARE FormBook CnC Checkin (GET) ET DROP Spamhaus DROP Listed Traffic Inbound group 3 ET HUNTING Request to .XYZ Domain with Minimal Headers
|
4
http://www.theredcymbalsco.com/n8ba/ http://www.lovebirdsgifts.com/n8ba/ http://www.narrowpathwc.com/n8ba/ http://www.77k6tgikpbs39.net/n8ba/
|
10.6 |
M |
34 |
ZeroCERT
|
11617 |
2021-08-21 09:06
|
NOTEPAD.exe 0ede6eb3469ccbe97c5cc2a4fc1114a9 Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
3.0 |
M |
29 |
ZeroCERT
|
11618 |
2021-08-21 09:06
|
file4.exe 1cb884ef5dc76a942f06f07fe147b31d RAT PWS .NET framework BitCoin Generic Malware SMTP AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
1
http://135.148.139.222:33569/ - rule_id: 4289
|
1
135.148.139.222 - mailcious
|
|
1
http://135.148.139.222:33569/
|
7.8 |
M |
30 |
ZeroCERT
|
11619 |
2021-08-21 09:08
|
js.exe 1429db94406815eaa9cf34236f480f4a RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS |
2
https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll - rule_id: 4353
http://37.0.10.83/os/justin.exe
|
3
cdn.discordapp.com(162.159.130.233) - malware 37.0.10.83 - malware
162.159.130.233 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
|
4.2 |
M |
14 |
ZeroCERT
|
11620 |
2021-08-21 09:08
|
11.exe be4ede5e88f7c98f1c00147019da42ac RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName DNS |
1
https://cdn.discordapp.com/attachments/877689582395719724/877689610287861840/winomoera.dll
|
3
cdn.discordapp.com(162.159.130.233) - malware 162.159.134.233 - malware 135.148.139.222 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
37 |
ZeroCERT
|
11621 |
2021-08-21 09:10
|
rut.exe caf24d1c2944cc10b27a8216aa8a4d4e RAT Generic Malware PE File .NET EXE PE32 Malware download VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Downloader |
2
https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll - rule_id: 4353
http://37.0.10.83/os/eli.exe
|
3
cdn.discordapp.com(162.159.134.233) - malware 37.0.10.83 - malware
162.159.134.233 - malware
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
|
4.2 |
M |
17 |
ZeroCERT
|
11622 |
2021-08-21 09:10
|
TF7vGJml6S1lQxR.exe f108b8fcf5fa07d914b587c85b19b38b RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
3.0 |
M |
26 |
ZeroCERT
|
11623 |
2021-08-21 09:15
|
justin.exe 6d7edf1f66a4d43e76d1e47f400f97d0 Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
3
http://www.ujenzihypermarket.com/glgd/?alF=KhhcN9s7gbbF0deJVEzP4Fr+CUF5+jhuG5G/YStQzUimyA5hxfgIe5MXcBKjjQi+4esf+xkO&Qzr=LlvxwrIp0zSd http://www.sunflowerhybrid.com/glgd/?alF=hT+HcWgz9FEH+jyDEtB4UKrfm+OZpFXj/c8x97815zMY4Nb3Km6/aedgRXGlirVN41Axg2GW&Qzr=LlvxwrIp0zSd http://www.danielsdonuteria.com/glgd/?alF=IpIqRkOeyywi3K8x4XdnqdH9Qx+aXhYHwHTGsqzrpTB78CdxIABDUEXezTmookMwz0BXydeD&Qzr=LlvxwrIp0zSd - rule_id: 4043
|
8
www.sunflowerhybrid.com(34.98.99.30) www.bleacheater.com() www.ujenzihypermarket.com(82.163.176.101) www.zxyoo.com() www.danielsdonuteria.com(209.99.40.222) 82.163.176.101 - malware 209.99.40.222 - mailcious 34.98.99.30 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.danielsdonuteria.com/glgd/
|
3.2 |
M |
49 |
ZeroCERT
|
11624 |
2021-08-21 09:15
|
file5.exe 08b62c5bcbf205a2784ee149188e4f4b Generic Malware Themida Packer Anti_VM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
http://45.129.236.6:56220/ - rule_id: 4322 https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31) 104.26.12.31 45.129.236.6 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
1
http://45.129.236.6:56220/
|
10.0 |
M |
26 |
ZeroCERT
|
11625 |
2021-08-21 09:16
|
lv.exe ccfc289366f06bf59611aecaba901d50 Emotet Gen1 Gen2 Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug Anti VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows |
|
1
DUJLnoInJHUNOY.DUJLnoInJHUNOY()
|
|
|
6.6 |
M |
40 |
ZeroCERT
|