11716 | 2021-08-24 09:29
File: Microsoft.exe
MD5: 0defe1e926b2407ee4a292480d8ebf48
Tags: RAT Generic Malware Themida Packer Anti_VM PE File OS Processor Check .NET EXE PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key crashed
URLs (1): none listed on the page
Hosts (3):
  api.ip.sb(104.26.13.31)
  65.21.203.163
  104.26.12.31
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
10.0 | M | 23 | ZeroCERT
11717 | 2021-08-24 09:29
File: blessedzx.exe
MD5: a27561650fe74ab80657545858791cd4
Tags: AgentTesla browser info stealer Generic Malware Google Chrome User Data Admin Tool (Sysinternals etc ...) Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS keylogger
URLs: none
Hosts (1):
  79.134.225.21 - malicious
IDS alerts: none
Rule-matched URLs: none
11.2 | M | 30 | ZeroCERT
11718 | 2021-08-24 09:31
File: omass.exe
MD5: ba6c5d53e9418b5ce3c569831b68a0c7
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
3.0 | M | 46 | ZeroCERT
11719 | 2021-08-24 09:32
File: bom-01.exe
MD5: 4f9bae274183d2340e7d0cf1d0a37b88
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (14):
  http://www.333s998.com/wufn/?t8o8nPp=VTesff5V8BaVQfct7ufB+ZGDNoZjfYL94mUu5cNf67hmTMf3dCw98cZx4Ykp6QvQWnzQdmMu&jPjX_=pFQLrvsp3 - rule_id: 3871
  http://www.nathanielwhite108.com/wufn/?t8o8nPp=YfnY/Fsmz+QKrLXZBRDCHXjbe12Sn7h7KuPrYhZcTvyjTPZF+555S5Iv48Qw/Q2USlOtryNo&jPjX_=pFQLrvsp3
  http://www.nathanielwhite108.com/wufn/
  http://www.solanohomebuyerclass.com/wufn/ - rule_id: 4193
  http://www.333s998.com/wufn/ - rule_id: 3871
  http://www.peak-valleyadvertising.com/wufn/ - rule_id: 3521
  http://www.craftbychristians.com/wufn/ - rule_id: 2908
  http://www.craftbychristians.com/wufn/?t8o8nPp=rclXbN+KSBSlJsrhYTkKU4x5e2l7eFQRzjtsLZ0wIslBHruFqS+r6dHnex4dI2ICZk3527X7&jPjX_=pFQLrvsp3 - rule_id: 2908
  http://www.fafene.com/wufn/?t8o8nPp=q/nZ/0xlcjzfYRCf5lAcwW207Vt55gufSh16C11IQhOATpN5dzVRCn9ZCCtSRwIl23yr9iWQ&jPjX_=pFQLrvsp3 - rule_id: 3499
  http://www.searchlakeconroehomes.com/wufn/?t8o8nPp=PMoU3Bb4pp7kIq7s9Lu9lk9x8XSdLDPlrC1uiYxj/TRDLGMuRYRvVOWSTnHGXDduCYD74xYV&jPjX_=pFQLrvsp3 - rule_id: 3867
  http://www.solanohomebuyerclass.com/wufn/?t8o8nPp=+zzRrn2LuczUop/Cd/o3ZSAnv7QTnqViuhwHS4/CIqz6rF5318dL6hgqnxmK9Gf+t0N7z3vJ&jPjX_=pFQLrvsp3 - rule_id: 4193
  http://www.searchlakeconroehomes.com/wufn/ - rule_id: 3867
  http://www.peak-valleyadvertising.com/wufn/?t8o8nPp=FgzG7Qx2bDHQRqzBshosqp2KyuZ4BKgjCPQpIPsUZT2saqt6xf80CxpLR0Dj1LrdceOnKHHp&jPjX_=pFQLrvsp3 - rule_id: 3521
  http://www.fafene.com/wufn/ - rule_id: 3499
Hosts (16):
  www.solanohomebuyerclass.com(182.50.132.242)
  www.searchlakeconroehomes.com(104.21.0.250)
  www.nathanielwhite108.com(172.217.175.19)
  www.peak-valleyadvertising.com(34.102.136.180)
  www.kyg-cpa.com() - malicious
  www.occulusblu.com()
  www.333s998.com(108.160.165.189)
  www.joshuatreeresearch.com()
  www.fafene.com(34.98.99.30)
  www.craftbychristians.com(34.102.136.180)
  172.217.175.83 - malicious
  34.102.136.180 - malicious
  31.13.80.37
  198.71.232.3 - malicious
  104.21.0.250 - malicious
  34.98.99.30 - phishing
IDS alerts: none
Rule-matched URLs (12):
  http://www.333s998.com/wufn/
  http://www.solanohomebuyerclass.com/wufn/
  http://www.333s998.com/wufn/
  http://www.peak-valleyadvertising.com/wufn/
  http://www.craftbychristians.com/wufn/
  http://www.craftbychristians.com/wufn/
  http://www.fafene.com/wufn/
  http://www.searchlakeconroehomes.com/wufn/
  http://www.solanohomebuyerclass.com/wufn/
  http://www.searchlakeconroehomes.com/wufn/
  http://www.peak-valleyadvertising.com/wufn/
  http://www.fafene.com/wufn/
8.6 | M | 25 | ZeroCERT
11720 | 2021-08-24 09:33
File: musik.exe
MD5: 8c02034958ae86a8d8b42fa5545561a7
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
3.0 | M | 45 | ZeroCERT
11721 | 2021-08-24 09:33
File: chioma.exe
MD5: e9c5234672c791846a076210769b9c87
Tags: Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
5.2 | M | 22 | ZeroCERT
11722 | 2021-08-24 09:35
File: bom.exe
MD5: 7151706b714e5711fc0c3a49fb4cf9be
Tags: PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (5):
  http://www.pawsthemomentpetphotography.com/wufn/?2dqLWP=Rf1VSXHhjAd3xZbUZ5Onn240es76xn7Vld3yUvp1C0rvyafmXRD7FVPOu25ZGszyPHif5o0I&bv4=XVM4iF7P - rule_id: 3861
  http://www.fafene.com/wufn/?2dqLWP=q/nZ/0xlcjzfYRCf5lAcwW207Vt55gufSh16C11IQhOATpN5dzVRCn9ZCCtSRwIl23yr9iWQ&bv4=XVM4iF7P - rule_id: 3499
  http://www.gaigoilaocai.com/wufn/?2dqLWP=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&bv4=XVM4iF7P - rule_id: 2912
  http://www.greenmommarket.com/wufn/?2dqLWP=logrQKqda1/opVmk9q1z/5ZQb95Ly1nqc2GBYZTvjO1HhHB33MEfO9H+6r3OjIRWUPAbFm8G&bv4=XVM4iF7P
  http://www.theforumonline.com/wufn/?2dqLWP=oMJPIIffiJ/xnzh2dmE4H4v++ePVGdJ47Cs+qN5CdohcdEg0FINWW3sNxjaQaIOEvkNj7L2f&bv4=XVM4iF7P - rule_id: 4199
Hosts (11):
  www.theforumonline.com(69.163.228.182)
  www.333s998.com(103.200.30.245)
  www.gaigoilaocai.com(34.98.99.30)
  www.cuadorcoast.com()
  www.greenmommarket.com(34.98.99.30)
  www.fafene.com(34.98.99.30)
  www.pawsthemomentpetphotography.com(198.54.126.105)
  192.133.77.59
  198.54.126.105 - malicious
  34.98.99.30 - phishing
  69.163.228.182 - malicious
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (4):
  http://www.pawsthemomentpetphotography.com/wufn/
  http://www.fafene.com/wufn/
  http://www.gaigoilaocai.com/wufn/
  http://www.theforumonline.com/wufn/
9.2 | M | 24 | ZeroCERT
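Entries 11719 (bom-01.exe) and 11722 (bom.exe, the one the listing tags FormBook and matches with the "ET MALWARE FormBook CnC Checkin (GET)" rule) both beacon to a `/wufn/` path and share several hosts, so a reader will want the URL and host columns in a form that can be diffed and defanged rather than eyeballed. The Python below is an added worked example, not the sandbox's own code or output. It parses the listing's flattened notation (`url - rule_id: N`; `name(ip)`, `name()` for an unanswered lookup, or a bare IP, each optionally followed by `- tag`) into records and reports what the two samples have in common. The input strings are copied from those two entries (the bom-01.exe URL field as a four-entry subset, the other three fields in full); the class and field names (`UrlIoc`, `HostIoc`, `rule_id`, `tag`) and the `pivot` helper are this example's own labels, not part of any tool named on the page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Input copied from entries 11719 (bom-01.exe) and 11722 (bom.exe) above. A URL
# field is space-separated URLs, each optionally followed by " - rule_id: <n>"; a
# host field holds "name(ip)", "name()" (no DNS answer) or bare IPs, each optionally
# followed by " - <tag>". BOM01_URLS is a subset of that entry's 14-URL field.
BOM01_URLS = (
    "http://www.333s998.com/wufn/?t8o8nPp=VTesff5V8BaVQfct7ufB+ZGDNoZjfYL94mUu5cNf67hmTMf3dCw98cZx4Ykp6QvQWnzQdmMu&jPjX_=pFQLrvsp3 - rule_id: 3871 "
    "http://www.nathanielwhite108.com/wufn/ "
    "http://www.solanohomebuyerclass.com/wufn/ - rule_id: 4193 "
    "http://www.fafene.com/wufn/ - rule_id: 3499"
)
BOM01_HOSTS = (
    "www.solanohomebuyerclass.com(182.50.132.242) www.searchlakeconroehomes.com(104.21.0.250) "
    "www.nathanielwhite108.com(172.217.175.19) www.peak-valleyadvertising.com(34.102.136.180) "
    "www.kyg-cpa.com() - malicious www.occulusblu.com() www.333s998.com(108.160.165.189) "
    "www.joshuatreeresearch.com() www.fafene.com(34.98.99.30) www.craftbychristians.com(34.102.136.180) "
    "172.217.175.83 - malicious 34.102.136.180 - malicious 31.13.80.37 198.71.232.3 - malicious "
    "104.21.0.250 - malicious 34.98.99.30 - phishing"
)
BOM_URLS = (
    "http://www.pawsthemomentpetphotography.com/wufn/?2dqLWP=Rf1VSXHhjAd3xZbUZ5Onn240es76xn7Vld3yUvp1C0rvyafmXRD7FVPOu25ZGszyPHif5o0I&bv4=XVM4iF7P - rule_id: 3861 "
    "http://www.fafene.com/wufn/?2dqLWP=q/nZ/0xlcjzfYRCf5lAcwW207Vt55gufSh16C11IQhOATpN5dzVRCn9ZCCtSRwIl23yr9iWQ&bv4=XVM4iF7P - rule_id: 3499 "
    "http://www.gaigoilaocai.com/wufn/?2dqLWP=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&bv4=XVM4iF7P - rule_id: 2912 "
    "http://www.greenmommarket.com/wufn/?2dqLWP=logrQKqda1/opVmk9q1z/5ZQb95Ly1nqc2GBYZTvjO1HhHB33MEfO9H+6r3OjIRWUPAbFm8G&bv4=XVM4iF7P "
    "http://www.theforumonline.com/wufn/?2dqLWP=oMJPIIffiJ/xnzh2dmE4H4v++ePVGdJ47Cs+qN5CdohcdEg0FINWW3sNxjaQaIOEvkNj7L2f&bv4=XVM4iF7P - rule_id: 4199"
)
BOM_HOSTS = (
    "www.theforumonline.com(69.163.228.182) www.333s998.com(103.200.30.245) www.gaigoilaocai.com(34.98.99.30) "
    "www.cuadorcoast.com() www.greenmommarket.com(34.98.99.30) www.fafene.com(34.98.99.30) "
    "www.pawsthemomentpetphotography.com(198.54.126.105) 192.133.77.59 198.54.126.105 - malicious "
    "34.98.99.30 - phishing 69.163.228.182 - malicious"
)

@dataclass(frozen=True)
class UrlIoc:
    url: str
    rule_id: int | None   # the listing's rule number, carried through unchanged

@dataclass(frozen=True)
class HostIoc:
    host: str             # DNS name, or the bare IP when no name was logged
    ip: str | None        # None for "name()": the lookup returned nothing
    tag: str | None       # "malicious", "phishing", ... or None

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_TOKEN = re.compile(rf"^([^()\s]+)\(({IPV4})?\)$")

def parse_url_field(field: str) -> list[UrlIoc]:
    toks, out, i = field.split(), [], 0
    while i < len(toks):
        if not toks[i].startswith(("http://", "https://")):
            raise ValueError(f"unexpected token {toks[i]!r}")
        has_rule = toks[i + 1:i + 3] == ["-", "rule_id:"] and i + 3 < len(toks)
        out.append(UrlIoc(toks[i], int(toks[i + 3]) if has_rule else None))
        i += 4 if has_rule else 1
    return out

def parse_host_field(field: str) -> list[HostIoc]:
    toks, out, i = field.split(), [], 0
    while i < len(toks):
        if m := HOST_TOKEN.match(toks[i]):
            host, ip = m.group(1), m.group(2)
        elif re.fullmatch(IPV4, toks[i]):
            host = ip = toks[i]
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
        has_tag = toks[i + 1:i + 2] == ["-"] and i + 2 < len(toks)
        tag = toks[i + 2] if has_tag else None
        # the upstream feed spells this tag "mailcious"; accept either spelling
        out.append(HostIoc(host, ip, "malicious" if tag == "mailcious" else tag))
        i += 3 if has_tag else 1
    return out

def defang(s: str) -> str:
    """Make a URL or host unclickable: http -> hxxp, '.' -> '[.]' in the host part."""
    if "://" not in s:
        return s.replace(".", "[.]")
    p = urlsplit(s)
    tail = f"?{p.query}" if p.query else ""
    return f"{p.scheme.replace('t', 'x')}://{p.hostname.replace('.', '[.]')}{p.path}{tail}"

def pivot(urls_a: str, hosts_a: str, urls_b: str, hosts_b: str) -> dict:
    """What two samples share (worth one detection) versus what is per-sample noise."""
    pa = [urlsplit(u.url) for u in parse_url_field(urls_a)]
    pb = [urlsplit(u.url) for u in parse_url_field(urls_b)]
    ha, hb = parse_host_field(hosts_a), parse_host_field(hosts_b)
    return {
        "common_paths": {p.path for p in pa} & {p.path for p in pb},
        "common_url_domains": {p.hostname for p in pa} & {p.hostname for p in pb},
        "common_hosts": {h.host for h in ha} & {h.host for h in hb},
        # parameter names differ between the two samples, so they are not a pivot
        "query_keys": tuple({k for p in ps for k in parse_qs(p.query)} for ps in (pa, pb)),
    }
```

`pivot(BOM01_URLS, BOM01_HOSTS, BOM_URLS, BOM_HOSTS)` returns `/wufn/` as the only common path, `www.fafene.com` as the only domain present in both URL fields, and `www.333s998.com`, `www.fafene.com` and `34.98.99.30` as the hosts both samples touched; the query parameter names (`t8o8nPp`/`jPjX_` against `2dqLWP`/`bv4`) differ per sample, and the two entries above show the same value for fafene.com under different names, so the path and the host set are the stable pivots and the parameter names are not. Pass `common_hosts` through `defang` before pasting any of it into a ticket or chat.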
11723 | 2021-08-24 09:39
File: sefile.exe
MD5: b1c5a3368b6c0c2aa2042560821dbe69
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
2.0 | M | 25 | ZeroCERT
11724 | 2021-08-24 09:41
File: ob.exe
MD5: 95fe547bbaa4db499b9d04bf7843608b
Tags: PE File PE32 VirusTotal Malware unpack itself
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
1.6 | M | 21 | ZeroCERT
11725 | 2021-08-24 09:43
File: bd.exe
MD5: d25769efd533ba3d13a13a3274fe69ab
Tags: PE File PE32 VirusTotal Malware unpack itself
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
1.6 | M | 29 | ZeroCERT
11726 | 2021-08-24 09:48
File: galvanizedzx.exe
MD5: 395b7c06e528ce1943e4f10b923acc9e
Tags: PWS Loki[b] Loki.m Gen1 Gen2 Generic Malware Malicious Library Malicious Packer UPX DNS Socket KeyLogger HTTP Internet API ScreenShot Http API AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Ransomware Zeus Windows Browser Email ComputerName Cryptographic key Software
URLs (1):
  http://cwownola.org/AqwE/index.php
Hosts (2):
  cwownola.org(72.34.63.196)
  72.34.63.196
IDS alerts (1):
  ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
Rule-matched URLs: none
15.4 | M | 25 | ZeroCERT
11727 | 2021-08-24 11:57
File: 211575.xls
MD5: 85eec686404e8d636c1d2e115f0a28a2
Tags: VBA_macro MSOffice File VirusTotal Malware RWX flags setting unpack itself
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
1.2 | | 6 | ZeroCERT
11728 | 2021-08-24 11:58
File: Explorer.exe
MD5: fd3b4ad42fe49dff3b786e6e949fba83
Tags: AntiDebug AntiVM MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (3):
  https://www.googletagmanager.com/gtag/js?id=UA-4896146-112
  https://www.google-analytics.com/analytics.js
  https://maps.googleapis.com/maps/api/js?key=AIzaSyDImG_9Yv6_1Yevn7UDkYzqA1IzBWLE7Tc
Hosts (8):
  www.googletagmanager.com(172.217.174.104)
  maps.googleapis.com(172.217.25.106)
  www.google-analytics.com(172.217.25.110)
  web.waskitaprecast.co.id(103.229.73.120)
  103.229.73.120 - malware
  216.58.220.106
  142.250.196.142
  172.217.31.136
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
4.2 | | | ZeroCERT
11729 | 2021-08-24 12:01
File: StaticArrayInitTypeSize.exe
MD5: 50c7ebc89793bd7c8ba93468efec11dc
Tags: PWS Loki[b] Loki.m Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software
URLs (3):
  http://www.rnofinancial.com.au/wp02/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
Hosts (2):
  www.rnofinancial.com.au(101.0.117.102)
  101.0.117.102
IDS alerts (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Rule-matched URLs: none
14.6 | | 31 | ZeroCERT
11730 | 2021-08-24 12:05
File: DCRAT.exe
MD5: e8317caac6568f4d37d8535a1e56ad29
Tags: RAT Generic Malware Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File OS Processor Check .NET EXE PE3 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS crashed
URLs (2):
  http://52.158.47.4/javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&eeba483f778911903cf941b68c630bd5=c6f9f06b86c5fe1279ff41ef4bf3f710&85f5986082198b606d527e0650b5ef02=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC
  http://52.158.47.4/javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&7f85f2c144b70ea263aa66e5a581cc10=AOzAjZ4cjZ1cTM2UjYyMmY4gTNjhTMyQWOlZWMmBTZlZmZlZmZzkjN0AjNycDO0EzMyIDM2ATO&85f5986082198b606d527e0650b5ef02=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&203c937cd11a470beeb4818efaf5745a=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W&15c8a6031aa36409a7e96bf6d99174e8=… (last parameter value truncated on the page)
Hosts (1): none listed on the page
IDS alerts: none
Rule-matched URLs: none
10.2 | | 48 | ZeroCERT