11671 | 2021-08-23 12:43 | steammaa.dll | a1a454066b561968825cf19ca262b2fc
Tags: RAT Generic Malware Malicious Packer PE File .NET DLL DLL PE32 VirusTotal Malware PDB
0.6 | | 5 | ZeroCERT

11672 | 2021-08-23 12:50 | AudioMD.exe | 04a571f97551cafab9847b1211c250b2
Tags: RAT Generic Malware Antivirus HTTP Internet API Http API Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process sandbox evasion WriteConsoleW Tofsee Windows Browser ComputerName Cryptographic key
URLs (2):
  http://iplogger.org/1m2Kd7
  https://iplogger.org/1m2Kd7
Hosts (4):
  bitbucket.org(104.192.141.1) - malware
  iplogger.org(88.99.66.31) - mailcious
  88.99.66.31 - mailcious
  104.192.141.1 - mailcious
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 | | 30 | ZeroCERT

11673 | 2021-08-23 13:30 | faveSQTg6lvyAQO.exe | fd496a2b10e16382abba374c4ce2fc4d
Tags: Plimrost EnigmaProtector PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Checks debugger Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName crashed
6.4 | M | 39 | r0d

11674 | 2021-08-23 15:55 | 微信图片_20181017153614.exe | 330d84024809897bd0e60a4b4a4fd1fc
Tags: Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself
2.4 | | 21 | ZeroCERT

11675 | 2021-08-23 16:07 | 45-8801B 예천양수발전 제작 및 납품 설치공사 견... | 94a20af025fdd40b139844c3c61a0580
Tags: AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName
4.2 | | 6 | Kim.GS

11676 | 2021-08-23 16:28 | SAMSUNG Golar gFLNG FEED Updat... | ddd570573ab5711d161bcbde884f3028
Tags: Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (3):
  http://www.smartcontractlinks.com/z01e/?tFQh=jz1QSopeH0ncCuAqPOmL2kGJtabphaCzYNtJdPRDd1MFaYXX9lLvp4/Mb0A3Try9YkKeJvJF&CTvX=cvUlPjex
  http://www.eringallion.com/z01e/?tFQh=B//l5Zx8wKhjX/CGczVJpiL0VaKWL+ugi8DzIAbYos2+2jt13ov0A3r38/ucVAYhrHWY16MV&CTvX=cvUlPjex
  http://www.0598ido.com/z01e/?tFQh=Y+OQWzozaQQaVD1idcVynurUqqwyUtUTy4GBfPjBCxrveELGq9YqjdRnOiMPm/Ruy9MCrGSs&CTvX=cvUlPjex
Hosts (6):
  www.0598ido.com(34.98.99.30)
  www.smartcontractlinks.com(75.2.18.233)
  www.eringallion.com(66.235.200.147)
  75.2.18.233
  66.235.200.147 - phishing
  34.98.99.30 - phishing
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.8 | | 26 | Kim.GS

11677 | 2021-08-23 16:39 | PO623473258-50465043274032859-... | 59faa740c9efe54f967745118e4bc625
Tags: UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Remote Code Execution
2.2 | | 26 | Kim.GS

11678 | 2021-08-23 16:54 | PO623473258-50465043274032859-... | 59faa740c9efe54f967745118e4bc625
Tags: Generic Malware UPX Malicious Packer PE File PE32 VirusTotal Malware RWX flags setting unpack itself Remote Code Execution
2.2 | | 26 | r0d

11679 | 2021-08-23 18:54 | Fattura_01557972.xls | 5f25557c3a67cc816c456e44f9a89bbe
Tags: VBA_macro KeyLogger ScreenShot AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself
2.4 | | 3 | ZeroCERT

11680 | 2021-08-23 18:58 | taxve_710451_20210816_93407095... | 9a812ebcc070d2a63465ebb416ba8b95
Tags: VirusTotal Malware Check memory ICMP traffic RWX flags setting unpack itself suspicious process Tofsee
URLs (5):
  https://cdn.discordapp.com/attachments/876792192524501045/876837688651681843/1.dll
  https://cdn.discordapp.com/attachments/876792192524501045/876837576193998848/1.dll
  https://cdn.discordapp.com/attachments/876792192524501045/876837913906774076/1.dll
  https://lamisionerafm.com/images/Pk52FX0q62R4XoO.php
  https://investtomontenegro.com/wp-content/plugins/wordpress-seo/lib/migrations/8dXd8jlaax.php
Hosts (6):
  investtomontenegro.com(34.94.136.184) - mailcious
  lamisionerafm.com(51.222.42.168)
  cdn.discordapp.com(162.159.129.233) - malware
  34.94.136.184 - mailcious
  51.222.42.168 - mailcious
  162.159.130.233 - malware
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
4.8 | M | 27 | ZeroCERT

11681 | 2021-08-23 19:01 | Pk52FX0q62R4XoO.dll | f0242add3e62b4bda6a1f3e38e98a73d
Tags: Malicious Library Malicious Packer PE File DLL PE32 VirusTotal Malware unpack itself Windows crashed
2.6 | | 39 | ZeroCERT

11682 | 2021-08-23 19:09 | r.exe | 305c02b6842f5b81a6fa7a2aab07b00e
Tags: Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic ICMP traffic unpack itself
URLs (13):
  http://www.writingleagues.com/n58i/?-Zlpd6I=Z6pcotGHuwup7vEJjItj1SMHlg1lI5Bof4K5Wxog5cvylXCYemKJNG9ltyRUngPfK9sxmYhZ&2d=lnxdA
  http://www.grandrapidsvirtualboatshow.com/n58i/?-Zlpd6I=OS+vzmTsnmN10NeNgCtuygPzY9t4uWhaxu5Nv18Vn7M4GGCiu5ByynyiNgJ6krK/bHgQrClL&2d=lnxdA
  http://www.science-laboratory.info/n58i/?-Zlpd6I=/nrcVLyNbZ8bYrDk6/UlbutTqsEUanwD8p6K9ytcogSviWuK5Nx4baFKDnT+NePORnTimWea&2d=lnxdA
  http://www.exdysis.com/n58i/?-Zlpd6I=ar/hIjdwXaCGf/zdCDkC4zsWp5P7JdaYWCx8Owc4v4wJnpGf9FeXfuCAHZspk67PmQf770IM&2d=lnxdA
  http://www.mack3sleeve.com/n58i/?-Zlpd6I=qZci4eCxhQIq67bxmD8yxm5V81S+h6tSaZJP73tHPhAaZkJunDnOJhOERfLB6WVODJ1YcUPc&2d=lnxdA
  http://www.fashionelixirs.com/n58i/?-Zlpd6I=2MarohCXJGtzO5KijtWpZ6tpmiifjax3IcswJvFbJYnD8s/zp8BDI56dCC/lebOR9voDqH90&2d=lnxdA
  http://www.oldhousechicago.com/n58i/?-Zlpd6I=CK4+1XAVCoeZwyHbixU/1VMC/3ullPTgwlkVzkJuJ8wPuPx8xeqByV5EBcZtpXh2eT3NYNjS&2d=lnxdA
  http://www.stlcityc.com/n58i/?-Zlpd6I=uzwaBAU/pBgcbN1zupTtS4xKhn/JfyJ+hchnD3b71uo3p2+6HxfOIRQU6DCQj21baC8sD6fO&2d=lnxdA
  http://www.5923599.com/n58i/?-Zlpd6I=WfKFfWUZkc85OmL1xKrDJMWuh4MURh0lzQfSoppYt54ugY1RFf52IxAuWjoc55Oi676SGeLg&2d=lnxdA
  http://www.nl-cafe.com/n58i/?-Zlpd6I=dWyvCTk6qzBk5tQTWdvNT7b5/8qdhAsQ/biP+tl913DTpQRW05YYrZEgjkVCG8NuIqrlrrLw&2d=lnxdA
  http://www.verisignwebsite-verified.com/n58i/?-Zlpd6I=XTVW7Jo2gvRqiEaI/sIMQWbMhFkMtGnqkQB68uCXOe+MAHXwIzjfWh0i/TEE6wJi9coosj2z&2d=lnxdA
  http://www.floortak.co.uk/n58i/?-Zlpd6I=pQmM9Y5t5dxvkFXQKfmWGEE0N5/IJF3moBqOslL4HJEdPUTnkZQuk/UltHUu3hWKDkbYR94e&2d=lnxdA
  http://www.citysucces.com/n58i/?-Zlpd6I=KZIzYVxAQpcTYtobWmj1UPG5K5R9NnHuf0RrbShrXmsvVrVhxvmYdjAsOWtc/dkVV+rflXZO&2d=lnxdA
Hosts (26):
  www.stlcityc.com(103.139.0.32)
  www.mack3sleeve.com(34.102.136.180)
  www.writingleagues.com(204.11.56.48)
  www.science-laboratory.info(209.99.40.222)
  www.nl-cafe.com(23.226.52.164)
  www.grandrapidsvirtualboatshow.com(34.102.136.180)
  www.fashionelixirs.com(184.168.131.241)
  www.goddessruby.com()
  www.oldhousechicago.com(45.83.86.245)
  www.rlxagva.com()
  www.5923599.com(45.142.156.44)
  www.citysucces.com(184.168.131.241)
  www.verisignwebsite-verified.com(185.196.8.122)
  www.exdysis.com(34.98.99.30)
  www.floortak.co.uk(85.233.160.22)
  103.139.0.32 - mailcious
  185.196.8.122 - phishing
  184.168.131.241 - mailcious
  23.226.52.164
  209.99.40.222 - mailcious
  34.102.136.180 - mailcious
  45.142.156.44 - mailcious
  85.233.160.22 - mailcious
  45.83.86.245
  204.11.56.48 - phishing
  34.98.99.30 - phishing
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
4.0 | | 42 | ZeroCERT

11683 | 2021-08-23 19:14 | kl8.exe | 505468e6735f6b0bf0d37a937eb2d155
Tags: Generic Malware Themida Packer Anti_VM PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed
Hosts (1):
  188.124.36.242 - mailcious
7.8 | M | 40 | ZeroCERT

11684 | 2021-08-23 19:14 | sefile2.exe | f403b3a7bba12aa247e7195e8bb9afe5
Tags: UPX Malicious Library PE File OS Processor Check PE32 PDB unpack itself
1.0 | M | | ZeroCERT

11685 | 2021-08-23 19:18 | dd.exe | 7c207438745687fd62777e3b18535020
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows DNS Cryptographic key crashed
URLs (13):
  http://www.maxridetubes.com/b8eu/ - rule_id: 3479
  http://www.yummylipz.net/b8eu/?xPWDGpd=BJsIvBSedMRHPw6hRBySesvKf4cy5ptvtRL/e7MsGjTsJ8iq89FIxlkUleqlB63Tk93sEUrP&9rjLtF=fdh4ZfOXj - rule_id: 3480
  http://www.jungbo33.xyz/b8eu/
  http://www.yummylipz.net/b8eu/ - rule_id: 3480
  http://www.1borefruit.com/b8eu/?xPWDGpd=A4LkB67AN0rT8RFmMquep8c2AsZvn5ORK54hnBFZVpIMXZD2YBNIRfDe8FOwTg2Lg5GqvZMM&9rjLtF=fdh4ZfOXj - rule_id: 2707
  http://www.1borefruit.com/b8eu/ - rule_id: 2707
  http://www.jungbo33.xyz/b8eu/?xPWDGpd=GmI8jSW8wZDXyHJ+nm+VctTqJjSDtJnwzb2V52lMmbj1mGO5nmJilKnf6++a1fzFRB1wzuIX&9rjLtF=fdh4ZfOXj
  http://www.9adamtech.com/b8eu/
  http://www.9adamtech.com/b8eu/?xPWDGpd=+AG5ppZmejnuTpk3EwZpZ/2iGE2KnSGG1FqIV7Cyt9/nDXZoOrQGfjtxiAY609lVsX0hRZhU&9rjLtF=fdh4ZfOXj
  http://www.savorysinsation.com/b8eu/?xPWDGpd=ihOh3VcBgGscCIl7Gp9RUh0SxOyxg93S+dgnHrogWPYlTTM6Rq1HtngBBhu3Oex5wwxe+avC&9rjLtF=fdh4ZfOXj
  http://www.maxridetubes.com/b8eu/?xPWDGpd=YDI1SWbbFRthc8Kjnqcv/XHNG8x6cigBY/xRhCdFgjBrhgoPW0KwDcLaM2HjMafBAr+1quYA&9rjLtF=fdh4ZfOXj - rule_id: 3479
  http://www.savorysinsation.com/b8eu/
  https://www.bing.com/
Hosts (18):
  www.yummylipz.net(216.239.36.21)
  www.jungbo33.xyz(99.83.154.118)
  www.dongtaykethop.cloud()
  www.9adamtech.com(34.102.136.180)
  www.laurawmorrow.com() - mailcious
  www.maxridetubes.com(104.21.39.205)
  www.1borefruit.com(154.212.109.100) - mailcious
  www.cataractmeds.com() - mailcious
  www.google.com(172.217.174.100)
  www.savorysinsation.com(104.19.152.75)
  216.239.34.21 - mailcious
  104.19.152.75
  13.107.21.200
  154.212.109.100 - mailcious
  99.83.154.118 - mailcious
  34.102.136.180 - mailcious
  104.21.39.205 - mailcious
  172.217.175.228
Signatures (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO Observed DNS Query to .cloud TLD
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (6):
  http://www.maxridetubes.com/b8eu/
  http://www.yummylipz.net/b8eu/
  http://www.yummylipz.net/b8eu/
  http://www.1borefruit.com/b8eu/
  http://www.1borefruit.com/b8eu/
  http://www.maxridetubes.com/b8eu/
14.6 | M | 20 | ZeroCERT