11911 | 2021-08-31 11:12 | b3A6h.exe bc867757658b294a9d7fbfd2d967e477 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed | | 1 | | | 9.2 | M | 21 | ZeroCERT
11912 | 2021-08-31 11:12 | vbc.exe aca08c69a22e6f4f07cb44a74e7b9dac Malicious Library PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Tofsee | 29 http://www.o-distribs.com/ecuu/ http://www.listenstech.com/ecuu/?uTuD=kZQ2xSRRrPRSBp5jFhnjX1FSIADBjElgtC+7SfW5nxGr1YavPckfOpnPtRZoEBHlAahsqtq3&Kj9ht=AVPd7xKPhhkxdz5p - rule_id: 4587 http://www.805thaifood.com/ecuu/ http://www.805thaifood.com/ecuu/?uTuD=hUTHBcYuod6wePbk0fg23NzqxmOoeRrbfmFgVJWVpfKHZh9llzJ0TA90NFAjaWRAYOQ0Eh2G&Kj9ht=AVPd7xKPhhkxdz5p http://www.tasteofourneighborhood.com/ecuu/?uTuD=2bt83kpOuVtEIWyxUzi5DXhitRFjdhq2G+J/5YNEy7Qmu4jdCi+MNXaEKclGMLIx7+ZhZc0n&Kj9ht=AVPd7xKPhhkxdz5p http://www.poorwhitetrashlivesmatter.net/ecuu/ http://www.empirerack.com/ecuu/ http://www.workabhaile.com/ecuu/ http://www.listenstech.com/ecuu/ - rule_id: 4587 http://www.manufacturedinjapan.com/ecuu/?uTuD=cm4EhB+xSusT2ZEgdpayhNT4zIjmvrOEKqQy1IzKW+qeT4TFPzigSNFvZaza7qmlNOHW0cnS&Kj9ht=AVPd7xKPhhkxdz5p http://www.empirerack.com/ecuu/?uTuD=GEQTnerqhYYOZeP3k5oh8uqumDp4pVGJvED355C55gboS73ReFUlDy35EJLcN622X6ywqSXw&Kj9ht=AVPd7xKPhhkxdz5p http://www.tasteofourneighborhood.com/ecuu/ http://www.polaritelibrairie.com/ecuu/ - rule_id: 4591 http://www.o-distribs.com/ecuu/?uTuD=2fFFpbMyLUJzYlZhDT8vOGOwgFBPZS+/I9qabDuA36nCGLx7k9QeIlc/dOLT21aoTTouS1Gs&Kj9ht=AVPd7xKPhhkxdz5p http://www.aquarius-twins.com/ecuu/?uTuD=i70bI06xK+671wXcZeZFUnUbIG41m3pyCPaR/31xF3WgPXN1BCrK4K5oBTRoN80eF7TYmcNc&Kj9ht=AVPd7xKPhhkxdz5p http://www.workabhaile.com/ecuu/?uTuD=psKvWxiJggpO43FMpV003tzUv9VXMXoP5rDQMzIOVpzQQ6MlN6hUAQTlmRRdHO4IMuWhrhTy&Kj9ht=AVPd7xKPhhkxdz5p http://www.manufacturedinjapan.com/ecuu/ http://www.safeandsoundyachtservices.com/ecuu/?uTuD=Ze9u3c+JrkZMLd1iq8wEeNDhA8GBJvow2hjXqHEmaYUNXZ6LBYmY4Z/ain7TyThB0L5b8kMi&Kj9ht=AVPd7xKPhhkxdz5p http://www.redcountrypodcast.com/ecuu/ http://www.polaritelibrairie.com/ecuu/?uTuD=9V37CvjOwlD+G2cZgvNSMh0FDLzSpLIOzW7Ku/j/E3/FrLtCEhUpqK2rSLRqtlK3cTc9cFsZ&Kj9ht=AVPd7xKPhhkxdz5p - rule_id: 4591 http://www.aquarius-twins.com/ecuu/ http://www.redcountrypodcast.com/ecuu/?uTuD=C0rihD2hGnnRrpjswzT7uhuHD8PfbnuKKC7ou16TN5COtT4jGgPjFjduvIv/h6aCIOoNM/lg&Kj9ht=AVPd7xKPhhkxdz5p http://www.poorwhitetrashlivesmatter.net/ecuu/?uTuD=Pl7Wo/Sc18YTVh4ZfRYn9GaIW3hmPNugWLqq+bwHPa7GGyOQcNaR6G/8c/+q5jU1tNJ+hTp8&Kj9ht=AVPd7xKPhhkxdz5p http://www.safeandsoundyachtservices.com/ecuu/ http://www.enovexcorp.com/ecuu/?uTuD=bpzCTk/qdCIwipMedq6J/wQgKeK6uVGVcgTnCs1o93acAvo7q59x5CsOod7vCsrr9woKgHPq&Kj9ht=AVPd7xKPhhkxdz5p - rule_id: 4589 http://www.enovexcorp.com/ecuu/ - rule_id: 4589 https://aceddq.bn.files.1drv.com/y4mmFuLrAmiQhwfiUX_9q9QkYs5bdmG7KRDr6ypX2gbItT1YDleYPEezFf9YGdUc9RoGpprgEYOf1PWKbcCYE6yO6x-iBBL3_2wsh8Em8fejrqpmtT9AbJj_kB-ykvyAre0Oz-9t5XOgmvYDpSytJYC5F7yj1YPgkcRA_y1K7e8We0sXJIPUZjpuM3fHrJA4ZfsWuX2n5pd2KqRsrHirYt5qQ/Zbgpobuadnduobcthrjxqnwjcfbhjre?download&psid=1 https://aceddq.bn.files.1drv.com/y4mnpzWq6nzESCeTlyX6547ecopygeoPVjTDPAiQ9qtDwqKns_kP9pal2sQV_WuqgOO1zDsyHgp0sFy8YUdVjz71GDq104jzsUljyKtvmHCmfkbdVcy0zDBruyz9JD3tzOgvgfADgk_UjNKTo5sKr19jQOwO3cmSXkqy9mipCj5i6pi8Ku67RZxJ81TTfPg2Ot43h_6RY8Ap802urbBvPCs2w/Zbgpobuadnduobcthrjxqnwjcfbhjre?download&psid=1 https://onedrive.live.com/download?cid=D020578D515FAC65&resid=D020578D515FAC65%21111&authkey=AP6lzi_AotrWkq8 | 27 www.o-distribs.com(62.4.7.10) onedrive.live.com(13.107.42.13) - mailcious aceddq.bn.files.1drv.com(13.107.42.12) www.tasteofourneighborhood.com(34.102.136.180) www.safeandsoundyachtservices.com(34.102.136.180) www.workabhaile.com(209.99.40.222) www.empirerack.com(156.237.251.107) www.polaritelibrairie.com(34.102.136.180) www.aquarius-twins.com(194.230.72.206) www.betsysobiech.com() www.805thaifood.com(182.50.132.242) www.redcountrypodcast.com(34.102.136.180) www.manufacturedinjapan.com(183.181.81.33) www.poorwhitetrashlivesmatter.net(34.102.136.180) www.enovexcorp.com(104.21.6.147) www.listenstech.com(3.223.115.185) 183.181.81.33 13.107.42.13 - mailcious 13.107.42.12 - malware 209.99.40.222 - mailcious 34.102.136.180 - mailcious 172.67.134.229 156.237.251.107 182.50.132.242 - mailcious 194.230.72.206 3.223.115.185 - mailcious 62.4.7.10 | 2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET) | 6 http://www.listenstech.com/ecuu/ http://www.listenstech.com/ecuu/ http://www.polaritelibrairie.com/ecuu/ http://www.polaritelibrairie.com/ecuu/ http://www.enovexcorp.com/ecuu/ http://www.enovexcorp.com/ecuu/ | 6.6 | M | 26 | ZeroCERT
11913 | 2021-08-31 11:12 | vbc.exe aa17e1f1f3f2b6b46064b5f425b5a12d RAT Generic Malware Antivirus Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 GIF Format Malware download VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key crashed Downloader | 1 | 5 www.google.com(172.217.175.4) 172.217.24.68 13.107.21.200 142.250.196.132 193.169.255.212 - malware | 6 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 10.0 | M | 27 | ZeroCERT
11914 | 2021-08-31 11:14 | osamazx.exe a17a64737d92abc4c83b976aaaad4f36 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed | | | | | 8.6 | M | 20 | ZeroCERT
11915 | 2021-08-31 11:16 | vbc.exe 5353b45c9539a13e90412b00cffd5a5a UPX PE File PE32 VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Tofsee DNS | 1 https://a.tmp.ninja/dqVxvyvo | 3 a.tmp.ninja(198.251.89.86) - mailcious 172.67.188.154 198.251.89.86 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 3.8 | M | 20 | ZeroCERT
11916 | 2021-08-31 11:19 | mazx.exe ef4942c6a1878c114f57ad82ee19de69 PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key | 2 http://www.marciaroyal.com/mxwf/?qR-Hnlnp=zMR5KUFiiGsDPWyfVgT3p2HrI4PM/zQ2oGkj6QE3oz/tMoivHJSrooVNzgWf7GF3ogq7LXJb&TVjH4P=yjRhIXLxMLQ http://www.thewellnessloft365.com/mxwf/?qR-Hnlnp=fz3zRSjyHRBjl1rIa6bXMycrHgGaqLoAb4IqFvz+fVGVYL9pMq7tPSAWMNs8UcZiZ+kcIEfT&TVjH4P=yjRhIXLxMLQ | 4 www.thewellnessloft365.com(34.80.190.141) www.marciaroyal.com(52.212.68.12) 34.80.190.141 - mailcious 52.212.68.12 | 1 ET MALWARE FormBook CnC Checkin (GET) | | 7.8 | M | 27 | ZeroCERT
11917 | 2021-08-31 11:21 | plugmanzx.exe 19dff3b73bcbdc7f040dcc6bb85f26fa Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS | | 3 blackbladeinc52.ddns.net(103.147.185.89) - mailcious 31.170.160.160 103.147.185.89 - mailcious | 2 ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE Possible NanoCore C2 60B | | 14.2 | M | 25 | ZeroCERT
11918 | 2021-08-31 11:34 | vbc.exe 5353b45c9539a13e90412b00cffd5a5a UPX AutoIt PE File PE32 VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Tofsee | 1 https://a.tmp.ninja/dqVxvyvo | 2 a.tmp.ninja(198.251.89.86) - mailcious 198.251.89.86 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 3.2 | M | 20 | r0d
11919 | 2021-08-31 12:50 | Server.exe 1d40468835f2dab842cb3dbf4aea5923 Malicious Library PE File OS Processor Check PE32 Malware download VirusTotal Malware Malicious Traffic Check memory Creates executable files RWX flags setting unpack itself sandbox evasion Windows Browser Remote Code Execution DNS | | 1 | 6 ET INFO Executable Download from dotted-quad Host ET MALWARE Possible Malicious Macro DL EXE Feb 2016 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 6.4 | M | 58 | ZeroCERT
11920 | 2021-08-31 12:50 | 11111.exe 6d99db65a28ca2dcf725a966678ad30e Malicious Library PE File OS Processor Check PE32 Malware download VirusTotal Malware Malicious Traffic Check memory Creates executable files RWX flags setting unpack itself sandbox evasion Windows Browser Remote Code Execution DNS | | 1 | 6 ET INFO Executable Download from dotted-quad Host ET MALWARE Possible Malicious Macro DL EXE Feb 2016 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 6.4 | M | 57 | ZeroCERT
11921 | 2021-08-31 12:52 | verb.exe 46355d768d1028f7b95386d3ea309590 RAT PWS .NET framework Gen2 Generic Malware Malicious Library Malicious Packer PE File .NET EXE PE32 PE64 DLL VirusTotal Malware PDB MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee DNS | 1 https://moon-bot.org/secret/verb.exe | 3 moon-bot.org(82.146.63.123) 82.146.63.123 - malware 103.45.140.175 - malware | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 5.6 | M | 31 | ZeroCERT
11922 | 2021-08-31 12:54 | mstsc.exe 8ffdda74390bca8ecb399d1b37868977 Malicious Library PE File PE32 Malware download Cobalt Strike Cobalt VirusTotal Malware RWX flags setting unpack itself ComputerName DNS | 1 http://111.90.151.16:81/fwlink | 1 | 1 ET MALWARE Cobalt Strike Beacon Observed (MASB UA) | | 3.2 | M | 49 | ZeroCERT
11923 | 2021-08-31 12:59 | Garland.exe 4ea58f64f2e07a252c21d18d1156c96b RAT PWS .NET framework Generic Malware SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed | 1 | 3 api.ip.sb(172.67.75.172) 104.26.13.31 45.14.49.184 | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 14.6 | M | 33 | ZeroCERT
11924 | 2021-08-31 15:28 | ORDER-656-2561981-4091274.zip 76cdb2bad9582d23c1f6f4d868218d6c | | | | | | | | guest
11925 | 2021-08-31 16:28 | Final.txt.ps1 015873296d262315f2583b1fb4fa6b94 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | | 2 myownuniqueness.me(192.169.201.69) - mailcious 192.169.201.69 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.6 | M | 9 | ZeroCERT