11836 | 2021-08-27 15:58 | vbc.exe | 7c1876b8b71c72e8e9fb2fd494020c67
Tags: Generic Malware UPX PE File PE32 VirusTotal Malware Check memory Checks debugger ICMP traffic unpack itself Tofsee
Hosts (2): a.uguu.se(144.76.201.136) - malware; 144.76.201.136 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.4 | M | 39 | ZeroCERT

11837 | 2021-08-27 16:01 | Ne82jq7vKJ7NcDn.exe | 7852a7b27bdb9d5120ca3fa917d7f9ca
Tags: RAT PWS .NET framework Generic Malware PSW Bot LokiBot ZeusBot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key
URLs (3):
  https://sh1729062.b.had.su//loader.txt
  https://sh1729062.b.had.su//cisCheckerstroke.php
  https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av=
Hosts (2): sh1729062.b.had.su(92.119.113.140); 92.119.113.140 - malware
Alerts (2): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.8 | M | 27 | ZeroCERT

11838 | 2021-08-27 16:03 | XssVEsUTA4UMkp4.exe | 4adabacc6bf40958b67967c7af0e3491
Tags: RAT PWS .NET framework Generic Malware PSW Bot LokiBot ZeusBot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware IoC AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key
URLs (3):
  http://qjqpqiamh.eternalhost.info//loader.txt
  http://qjqpqiamh.eternalhost.info//cisCheckerstroke.php
  http://qjqpqiamh.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av=
Hosts (3): qjqpqiamh.eternalhost.info(194.61.0.8); 92.119.113.140 - malware; 194.61.0.8 - malware
Alerts (2): ET MALWARE Generic gate[.].php GET with minimal headers; ET HUNTING Suspicious GET To gate.php with no Referer
14.8 | M | 19 | ZeroCERT

11839 | 2021-08-27 16:07 | Async.exe | cfd0d3019414ab97ca0501e683121468
Tags: RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE Dridex TrickBot VirusTotal Malware AutoRuns Code Injection Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS DDNS
Hosts (2): chromeclusterspectr.ddns.net(179.43.187.164); 179.43.187.164 - malware
Alerts (2): ET POLICY DNS Query to DynDNS Domain *.ddns .net; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
5.2 | M | 45 | ZeroCERT

11840 | 2021-08-27 16:08 | vbc.exe | 47fa27443cb1abe987ca9f653754b6d0
Tags: Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS
URLs contacted: 17
Hosts contacted: 21
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DNS Query for Suspicious .icu Domain; ET MALWARE FormBook CnC Checkin (GET)
13.4 | M | 39 | ZeroCERT

11841 | 2021-08-27 16:10 | Hidden.exe | a49b49fc0253c0dbbbd17e42bfbe9df6
Tags: RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces IP Check installed browsers check Windows Browser ComputerName DNS DDNS crashed
URLs contacted: 1
Hosts (4): ipinfo.io(34.117.59.81); chromeclusterspectr.ddns.net(179.43.187.164); 179.43.187.164 - malware; 34.117.59.81
Alerts (2): ET POLICY DNS Query to DynDNS Domain *.ddns .net; ET POLICY Possible External IP Lookup ipinfo.io
11.8 | M | 28 | ZeroCERT

11842 | 2021-08-27 17:35 | .svchost.exe | 2644b63346379dd60b63309ff086eeef
Tags: Generic Malware UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Remote Code Execution
2.0 | M | 30 | r0d

11843 | 2021-08-28 02:59 | bear.jpg.exe | 1d9dcacc61aaacca64e3776e9bb06e94
Tags: Generic Malware UPX Antivirus PE File PE32 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
Hosts (2): paste.ee(104.26.5.223) - mailcious; 104.26.5.223 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 55 | guest

11844 | 2021-08-28 17:46 | bd.exe | e4c49f9d53f701a8e2edecc9dd8a5057
Tags: AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check Stealer Windows Browser Email ComputerName DNS
URLs (2):
  http://91.243.44.250/public/sqlite3.dll
  http://91.243.44.250/kVpR1jIWa.php
Hosts contacted: 1
Alerts (4): ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
11.4 | M | 39 | ZeroCERT

11845 | 2021-08-28 17:47 | vbc.exe | 4793724aa393e35f8cf54797453a25d6
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs contacted: 9
Hosts contacted: 19
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
8.4 | M | 35 | ZeroCERT

11846 | 2021-08-28 17:48 | 44.dll | 6a124d95c5c5038daf38b7d0d8719996
Tags: PE File PE64 DLL VirusTotal Malware Check memory unpack itself Windows utilities Windows
2.0 | M | 19 | ZeroCERT

11847 | 2021-08-28 17:48 | BIN.exe | d71f491288c6eceb46c92467c83f3758
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
12.2 | M | 32 | ZeroCERT

11848 | 2021-08-28 17:50 | file.exe | 3c112a39d8866d896f68adfa3b78a16a
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 23 | ZeroCERT

11849 | 2021-08-28 17:52 | PBrowFile17.exe | 84224064f8554bcea55de014d6d8538f
Tags: RAT PWS .NET framework Generic Malware PE File .NET EXE PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (10):
  https://2no.co/1m32g7
  https://api.ip.sb/geoip
  https://theonlinesportsgroup.net/?user_auth=p7_3
  https://theonlinesportsgroup.net/?user_auth=p7_2
  https://theonlinesportsgroup.net/?user_auth=p7_1
  https://theonlinesportsgroup.net/?user_auth=p7_6
  https://theonlinesportsgroup.net/?user_auth=p7_5
  https://theonlinesportsgroup.net/?user_auth=p7_4
  https://2no.co/1XaQy7
  https://bestinternetstore.xyz/api.php
Hosts (11): download-serv-234116.xyz(); theonlinesportsgroup.net(104.21.71.245); bestinternetstore.xyz(104.21.35.173); api.ip.sb(172.67.75.172); 2no.co(88.99.66.31) - mailcious; 185.177.125.94; 104.26.12.31; 88.99.66.31 - mailcious; 188.124.36.242 - mailcious; 172.67.172.102; 172.67.178.16
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.2 | M | 33 | ZeroCERT

11850 | 2021-08-28 17:53 | good.exe | 072769a3e8b70e0f24b31278c5f4c897
Tags: AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check Stealer Windows Browser Email ComputerName DNS
URLs (2):
  http://91.243.44.250/public/sqlite3.dll
  http://91.243.44.250/kVpR1jIWa.php
Hosts contacted: 1
Alerts (4): ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
10.8 | M | 30 | ZeroCERT