11941 | 2021-09-01 09:26
D1ztFQ.exe 2403d45817a791f882e157fa75bf2d5c
RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
8.4 | | 13 | ZeroCERT

11942 | 2021-09-01 09:34
win101.exe 801affd34ae1974fd0965e7c1128eb96
Generic Malware Admin Tool (Sysinternals etc ...) ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
1 | http://www.meridianopolitico.com/d6b4/?OXolp=Mk+xgxxMFq35RtCV/s1lAC9Od9t6BRTzkK3YJigL61KDkS5U9vEs0v6vAvJo+stnW/rREfuU&Txo=O0DPaBdh7tsX0d
3 | www.patlichen.com() www.meridianopolitico.com(50.117.40.106) 50.117.40.106
1 | ET MALWARE FormBook CnC Checkin (GET)
9.4 | M | 40 | ZeroCERT

11943 | 2021-09-01 09:34
foxmail.exe a2f0a07f9490f1f79e845525246e6250
PWS .NET framework email stealer Generic Malware DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key crashed
1 |
11.8 | M | 32 | ZeroCERT

11944 | 2021-09-01 09:36
vbc.exe 3b0b40fc6119f8ac909a86a6522e8e4a
Generic Malware AutoIt UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee
1 | https://pomf.lain.la/f/khbytn1s
2 | pomf.lain.la(107.191.99.49) - mailcious 198.244.149.184
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
2.4 | M | 28 | ZeroCERT

11945 | 2021-09-01 09:37
Glary_Utilities.exe 61ed372e749496ecbb31e17bc90a0422
Raccoon Stealer Gen1 BitCoin Generic Malware WinRAR Malicious Library UPX ASPack AntiDebug AntiVM PE File OS Processor Check PE32 DLL VirusTotal Malware Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution Cryptographic key crashed
1 | http://dns16-microsoft-health.com:4762/
2 | dns16-microsoft-health.com(45.137.152.34) - mailcious 45.137.152.34
9.8 | M | 34 | ZeroCERT

11946 | 2021-09-01 09:39
system32.exe a5c58ba5c48f9cb8ab45cd5847a8cb08
RAT PWS .NET framework Generic Malware HTTP Internet API Http API Downloader AntiDebug AntiVM PE File .NET EXE PE32 GIF Format VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows Browser Cryptographic key crashed
2 | http://iplogger.org/1WsDi7 https://iplogger.org/1WsDi7
4 | bitbucket.org(104.192.141.1) - malware iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 104.192.141.1 - mailcious
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
11.8 | M | 25 | ZeroCERT

11947 | 2021-09-01 09:39
vbc.exe 87c51ca97825602b25752753161f6ab4
RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
2 | http://www.powerlinkme.com/imi7/ http://www.powerlinkme.com/imi7/?0T0lqH=M//sfA69f+etYomJd9U2YdUVkVopbLoRE9mfqGVotdj8O3ZNk+jc/j3Mry8rPUpRzBLqbT1f&OXolp=AZ3x_83h40wLUZM0
5 | www.tuiseyingxiang.com(47.91.170.222) www.powerlinkme.com(23.80.211.101) www.okulekitaplari.com() 23.80.211.101 47.91.170.222 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
10.0 | M | 18 | ZeroCERT

11948 | 2021-09-01 09:41
binbobbyzx.exe 63b4bbbb2c1b18487c673abcfcff9fff
PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
3 | http://www.maedazouen-osaka.com/g0ib/?Mvdl=Y0KAwGFF7aeiUaXqGXtzE1r6FISNPFrGB685Z2xEnT7rwx7wj+Z0quRc/4NDShlxc6aW+ibn&QPXl7=GdPL http://www.stickyflasks.com/g0ib/?Mvdl=ZWuaS7WofFbkvxyzet/9Sha7YIdf1NUVm0nCdNVXeFpr4IHHq2QjGgDhYkF3CGr6lmNA7Cmu&QPXl7=GdPL http://www.lifeofaroma.com/g0ib/?Mvdl=eGvHNFMMHGiXXF9RTNFfS4KI7T0Hg4PlR5l/Ac1Au3uAREYhIrjqRt2sRRHGWT6dq8ueFK+P&QPXl7=GdPL
6 | www.stickyflasks.com(66.96.162.147) www.lifeofaroma.com(157.7.107.216) www.maedazouen-osaka.com(150.95.255.38) 157.7.107.216 150.95.255.38 - mailcious 66.96.162.147
1 | ET MALWARE FormBook CnC Checkin (GET)
8.0 | M | 32 | ZeroCERT

11949 | 2021-09-01 09:43
rozezx.exe d9167b13f4f747f5e9b18a6688a7064e
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
6 | mail.simgeasansor.com.tr(185.15.196.172) freegeoip.app(104.21.19.200) checkip.dyndns.org(216.146.43.70) 216.146.43.70 - suspicious 185.15.196.172 104.21.19.200
5 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SURICATA Applayer Detect protocol only one direction
13.0 | M | 31 | ZeroCERT

11950 | 2021-09-01 09:46
DOGGY.exe acbc7c1dedc73fdd72ccbaaca2318430
RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName Cryptographic key crashed
2 | http://google.com/ http://www.google.com/
4 | google.com(216.58.220.142) www.google.com(172.217.25.228) 172.217.161.142 172.217.25.228 - suspicious
10.2 | M | 26 | ZeroCERT

11951 | 2021-09-01 09:47
pattern.exe dcef208fcdac3345c6899a478d16980f
Emotet NPKI Gen2 Gen1 Formbook Generic Malware Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library Anti_VM ASPack PE File PE32 MSOffice File JPEG Format OS Processor Check DLL PNG Format Emotet VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Checks debugger WMI Creates executable files ICMP traffic unpack itself Windows utilities suspicious process WriteConsoleW shadowcopy delete Turn off Windows Error Recovery notification window IP Check Tofsee Ransomware Windows ComputerName crashed
4 | http://iplogger.org/1L3ig7.gz http://geoiptool.com/ https://iplogger.org/1L3ig7.gz https://www.geodatatool.com/
5 | www.geodatatool.com(158.69.65.151) geoiptool.com(158.69.65.151) iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 158.69.65.151
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Geo Location IP info online service (geoiptool.com)
14.6 | M | 31 | ZeroCERT

11952 | 2021-09-01 09:47
kelvinzx.exe bb1daddaf3592e05e82b0ab73e7ecd11
PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
2 | www.nongnongqingyi.com() www.minuit-trois.com()
7.0 | M | 23 | ZeroCERT

11953 | 2021-09-01 09:50
vbc.exe 04179ebbab706ca5b7d7eda0becd3abc
RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
8 | http://www.godspeedcheckout.com/utrf/?Mfd=YML6/4MbFaucvPXElRZzyjtyBDATZONUVEP0rukyNV7mVwlwfr0MKlD7TeqeK4zM4Y3EYRGq&rVj4Z=8pDDGD http://www.alissapagelsminor.com/utrf/?Mfd=s7erYgESKr9m+mzxA/Q9UnpXdzsFrxDJZ/xrFu9DkcgPYBzGfkjQ2CYvjt6ZaVjEFZ88uL+J&rVj4Z=8pDDGD http://www.merchwatcher.com/utrf/?Mfd=Vad6uiVCVQosa9/mMY+DSKEiZ4Jv5RPcsLzWpF9Fiou154vFmBtZmKNHtjvNv+8WA9b5ndEt&rVj4Z=8pDDGD http://www.tijprintersolution.com/utrf/?Mfd=L2svVb92Me7XPiVF7aaorHdCyxGEk9sqT+LYZOj9a4pmUmwib36vvLRubxA8uAZ/BnXkUSVN&rVj4Z=8pDDGD - rule_id: 4706 http://www.astoriahotelbarcelona.com/utrf/?Mfd=/lvtB4BzNB+XSoc6maQY1pAmtDeeU5aaQ3ZY2TWN2TbQpQK9MzOytDPVTjOJ5T+hHcAWeXpA&rVj4Z=8pDDGD http://www.spyrodinero.com/utrf/?Mfd=KQbHNIk3IOJpZvsSnT4OJ/X4/hEQqeZz8HC9HeygUUs08q8KumgzMZqNo+5TDnVW3UvDLF98&rVj4Z=8pDDGD - rule_id: 4707 http://www.fouralarmtechnology.com/utrf/?Mfd=aYwwqrlB15XqomXBiKKKrsegDxHiZBo0iQoRomjSnJfsLuFqj/vzEqUBUmKicJvkhKlZCqBV&rVj4Z=8pDDGD http://www.beerstars.club/utrf/?Mfd=h1yjKFJ6FSP2Kh1jUAIvko6y6HNcV42PvaaxpdnymUUjCSM4Nx5Ku1RzDekWBf9g27Re0JFu&rVj4Z=8pDDGD
20 | www.godspeedcheckout.com(162.241.61.219) www.merchwatcher.com(34.98.99.30) www.tvactivations.online() www.spyrodinero.com(208.91.197.46) - mailcious www.tijprintersolution.com(104.42.16.175) - mailcious www.beerstars.club(63.250.43.5) www.astoriahotelbarcelona.com(91.210.235.214) www.fouralarmtechnology.com(34.102.136.180) www.gol-investissement.com() - mailcious www.nongnongqingyi.com() www.alissapagelsminor.com(198.49.23.144) 104.42.16.175 - mailcious 208.91.197.46 - mailcious 198.49.23.145 - mailcious 91.210.235.214 34.102.136.180 - mailcious 63.250.43.6 162.241.61.219 34.98.99.30 - phishing 104.21.19.200
1 | ET MALWARE FormBook CnC Checkin (GET)
2 | http://www.tijprintersolution.com/utrf/ http://www.spyrodinero.com/utrf/
8.4 | M | 26 | ZeroCERT

11954 | 2021-09-01 10:00
JKd.txt.ps1 72b9eedf6b1effb1f41c3ee79e89eb98
Generic Malware Antivirus Check memory unpack itself WriteConsoleW Windows Cryptographic key
1.0 | M | | ZeroCERT

11955 | 2021-09-01 10:01
StaticArrayInitTypeSize52.exe 69b982b35f003dc6e9ca1e4b5ace2274
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
6 | checkip.dyndns.org(158.101.44.242) freegeoip.app(104.21.19.200) api.telegram.org(149.154.167.220) 216.146.43.70 - suspicious 172.67.188.154 149.154.167.220
5 | ET POLICY External IP Lookup - checkip.dyndns.org SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET INFO TLS Handshake Failure
12.6 | | 28 | ZeroCERT