11956 | 2021-09-01 10:04 | yui7653_pdf.exe 734a89ad96b20660a5cc97dad178fdbc AutoIt UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Tofsee DNS |
1 | https://pomf.lain.la/f/cenqjp15 |
3 | pomf.lain.la(107.191.99.49) - mailcious 167.114.3.98 - mailcious 185.15.196.172 |
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure |
| 3.2 | | 30 | ZeroCERT

11957 | 2021-09-01 13:50 | Scan HP Jet 371302-83.7z 2c5b2473879d30de86142c75a96ce789 AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName |
| | | | 4.4 | | 16 | JYC

11958 | 2021-09-01 14:06 | Scan HP Jet 371302-83.exe d703b3cc46820009bb6c4ab14666ea9e RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces human activity check Tofsee Windows DNS Cryptographic key DDNS crashed |
1 | |
4 | rebornx.duckdns.org(194.5.98.5) - mailcious www.google.com(172.217.161.68) 142.250.66.100 194.5.98.5 - mailcious |
2 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
| 14.6 | | 25 | JYC

11959 | 2021-09-01 14:14 | 0831_4435052411.doc 004b4634de3991a6de6a2c756a83e6ff Generic Malware VBA_macro MSOffice File unpack itself |
| | | | 1.6 | | | guest

11960 | 2021-09-01 14:15 | 0831_4532643085.doc f25c56cf3b503d96df86b4bb2c39f479 Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2 | http://api.ipify.org/ http://buichely.com/8/forum.php |
4 | api.ipify.org(54.225.219.20) buichely.com(185.230.91.127) - mailcious 50.19.119.155 185.230.91.127 - mailcious |
1 | ET POLICY External IP Lookup api.ipify.org |
| 7.4 | M | | guest

11961 | 2021-09-01 14:18 | 0831_8300668682.doc 25d3ac93606e135f18e4e96887fa3a44 hancitor Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2 | http://buichely.com/8/forum.php - rule_id: 4748 http://api.ipify.org/ |
4 | api.ipify.org(54.235.88.121) buichely.com(185.230.91.127) - mailcious 54.235.247.117 185.230.91.127 - mailcious |
1 | ET POLICY External IP Lookup api.ipify.org |
1 | http://buichely.com/8/forum.php |
7.4 | M | | guest

11962 | 2021-09-02 17:55 | swflash.cab b3e138191eeca0adcc05cb90bb4c76ff |
| | | | | | | Kim.GS

11963 | 2021-09-02 07:37 | PAYLOAD2.PS1 71af182d724fe991f4f3b4026fb7be66 Generic Malware Antivirus unpack itself |
| | | | 0.4 | | | ZeroCERT

11964 | 2021-09-02 07:52 | tud.exe ce5d381161004cbbd80eaf1f37089cb2 Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName |
3 | https://nt5jww.sn.files.1drv.com/y4mIIeLspNJ3K28H6JugwGsEdpXjFzjPVJT4bPmRd4s8yB8qLpYXzcLDUWXEYrVapMd-sie624Z-x4WyElcv_PZHofwwgvlFNVGzNabdNZAV9sCzBHopy1lzLXg4cDygzCE7AGKWqmXzrN1QPk3Ut_beGliD9n9FYGgNVj_ATz8BvVbleQmMNwRjbVfSqkBTOXQZGlXkhFhKT-u5Snr_Wtezw/Uogsnykzlubtojeyocmevzvkobqbwih?download&psid=1 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21134&authkey=AFTe8YO6kjuEIKY https://nt5jww.sn.files.1drv.com/y4miUsf9sljhXmJzfbHSzBV5TVv6fiYklyyLJPEpgu9KzrWNc5gYDHZ5coO5NjYF8gvoNogRS-nj7GhSKMxPrxvQ3lak9G-88eu_Cq_0vpnd6O5argxr9COAVP2XuxhXOOUg41KabEabJjei_JBLFmHefbSrURxPYQ6Q64IBRowInSxDPXSGnlovCWV-5-GfE7AD0nDVKiNxNQH-lNT6nWWzQ/Uogsnykzlubtojeyocmevzvkobqbwih?download&psid=1 |
4 | onedrive.live.com(13.107.42.13) - mailcious nt5jww.sn.files.1drv.com(13.107.42.12) 13.107.42.13 - mailcious 13.107.42.12 - malware |
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
| 9.6 | | 24 | ZeroCERT

11965 | 2021-09-02 07:54 | invoice.wbk dd2f7b986cc840b4c4f9b03def8fcadd RTF File doc AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader |
1 | http://23.95.122.90/hsbc/vbc.exe |
3 | img.neko.airforce(167.172.239.151) 167.172.239.151 23.95.122.90 |
8 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
| 4.4 | | | ZeroCERT

11966 | 2021-09-02 08:02 | vbc.exe 1cd98a8f7c1680578f5a0f097ca218da Malicious Library PE File OS Processor Check PE32 unpack itself Tofsee |
1 | https://img.neko.airforce/files/vldyjj |
2 | img.neko.airforce(167.172.239.151) - mailcious 167.172.239.151 - mailcious |
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure |
| 0.6 | M | | ZeroCERT

11967 | 2021-09-02 08:24 | vbc.exe 1cd98a8f7c1680578f5a0f097ca218da Malicious Library PE File OS Processor Check PE32 unpack itself Tofsee |
1 | https://img.neko.airforce/files/vldyjj |
2 | img.neko.airforce(167.172.239.151) - mailcious 167.172.239.151 - mailcious |
2 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
| 0.6 | M | | guest

11968 | 2021-09-02 09:17 | bytes.dll 0c6fec239a33864acdd558de506c1c3a Generic Malware Malicious Packer PE File .NET DLL DLL PE32 VirusTotal Malware |
| | | | 1.2 | | 16 | ZeroCERT

11969 | 2021-09-02 09:19 | ..-.-...................------... 98a92918a128f1f26d552bb3aaab2a61 RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
19 | http://www.hfhwssc.com/24ng/ - rule_id: 4597 http://www.ptpatennis.com/24ng/ http://www.getzlppi.com/24ng/ http://www.jjyzscl.com/24ng/ http://www.emmymorrow.xyz/24ng/?TZ=MpsKsbuj3plW3zxxgPetNSfc39jzCcaN6Okb8XXwEkEAsEoFXdXIJgm+0gMt/BsRuN2GbYWJ&mvHtT=Y2J0irR8DZUtWbf http://198.12.127.217/hsbc/vbc.exe http://www.inanavcifitnessclub.com/24ng/?TZ=7B/mxEe684X+Fe8GJ5WQJKEToqxOKLoYRHSlnqT22Suhy7fkAEyyqsV6IsAMnECK+ppvVgFJ&mvHtT=Y2J0irR8DZUtWbf http://www.brightstarqr.com/24ng/?TZ=8v1BaeXDdHouIcyDdFDGzu6REvBUz6OB3JNjO8R+mAtpk36d8yYIQhxbWZgde9Q6oLtpMRoQ&mvHtT=Y2J0irR8DZUtWbf http://www.softouchcomputer.com/24ng/?TZ=fXBeYi2KYDeGue3GyybylYEREpAt73UzBLGgjKY/A8hX8o3UYaJp/MnPYrs1PjdYe+TTzooN&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4598 http://www.jjyzscl.com/24ng/?TZ=EaDH/+1mOmQ7aWJI7AX+IlzBUQKYpCjIvrNurEm81n5vQYPM3XYWZDGTjMXv7Z9O/YqAJJxc&mvHtT=Y2J0irR8DZUtWbf http://www.hfhwssc.com/24ng/?TZ=tUr3L7F+3PGvEFcZd+SfWB+iCUteo8w/ToAKorOuAJitLd2/Au6xWCIPWaoTHGtlxQq11mO7&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4597 http://www.joycekayiba.com/24ng/?TZ=CabvNxLtXK7AxhBdYJap/g8mwsQmgWak8myj7hdi5lEds/kVRqaawrDB55LgJdOF0Pe0hBMQ&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4595 http://www.softouchcomputer.com/24ng/ - rule_id: 4598 http://www.inanavcifitnessclub.com/24ng/ http://www.emmymorrow.xyz/24ng/ http://www.brightstarqr.com/24ng/ http://www.joycekayiba.com/24ng/ - rule_id: 4595 http://www.getzlppi.com/24ng/?TZ=L5LGxFrJmFFW7+IY9g8iVUirVSu4fjeQj90+j0oTYvKK8rEJklo6J2dxJua7XjT6OpHJ/fPt&mvHtT=Y2J0irR8DZUtWbf http://www.ptpatennis.com/24ng/?TZ=EgM9f4N/TTbc7wy+9K504atXnuYtNAxq+K5G2bjH3yNZBGKx+fYzE5a0kKWfzvBOG3xTHkvq&mvHtT=Y2J0irR8DZUtWbf |
16 | www.emmymorrow.xyz(75.2.18.233) www.brightstarqr.com(54.157.58.70) www.softouchcomputer.com(209.99.40.222) www.hfhwssc.com(101.32.215.239) www.ptpatennis.com(34.102.136.180) www.joycekayiba.com(209.99.40.222) www.getzlppi.com(34.102.136.180) www.inanavcifitnessclub.com(209.99.40.222) www.jjyzscl.com(104.252.232.119) 101.32.215.239 - mailcious 104.252.232.119 209.99.40.222 - mailcious 34.102.136.180 - mailcious 54.162.128.250 198.12.127.217 75.2.18.233 - mailcious |
8 | ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers |
6 | http://www.hfhwssc.com/24ng/ http://www.softouchcomputer.com/24ng/ http://www.hfhwssc.com/24ng/ http://www.joycekayiba.com/24ng/ http://www.softouchcomputer.com/24ng/ http://www.joycekayiba.com/24ng/ |
5.4 | M | 26 | ZeroCERT

11970 | 2021-09-02 09:19 | templefirstzx.exe 6c0795e7a1460e3eb294d63e6961bd1c RAT PWS .NET framework Formbook Generic Malware SSL DNS Socket SMTP Escalate priviledges KeyLogger Internet API ScreenShot Dynamic Dns persistence AntiDebug AntiVM PE File .NET EXE PE32 JPEG Format DLL FormBook Malware download VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself AppData folder malicious URLs Tofsee Windows Advertising Google ComputerName DNS Cryptographic key DDNS crashed keylogger |
11 | http://www.vnielvmdqxk538.xyz/b0ar/?r6=7CUt39hPMjg/s6qQ0+QbWtikgyOufco6CG9l+t5DjC9/JIPCU/WxQ6IAIg/iVENqz91MlH14&sBZxr2=FxopsJeXPvOX3 http://xred.site50.net/syn/SSLLibrary.dll - rule_id: 4617 http://www.mcinerneychrysler.com/b0ar/?r6=oBVrEuqKUfopUpAnqJfem3AP4MxLKUs3kUwU0NiQ7+oE8UvVtrvEXTcSUGgYTlPvZxyytEEp&sBZxr2=FxopsJeXPvOX3 http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 http://www.thepink.club/b0ar/?r6=35zmK/1nOG3ZiclOaRDNqBcycOB07sOwoO1SOSl9YfrEiskurZgjdyrE07vb97UKsZwkKKa4&sBZxr2=FxopsJeXPvOX3 http://www.livingalcohol.com/b0ar/?r6=32cJvtm6v5CrHkGtRaCKvnIzMPMaS8klC7QMWGugGRjVzPiNEaTJc2oUIDqYaKdywZUrkA7f&sBZxr2=FxopsJeXPvOX3 http://www.algarmotorcars.com/b0ar/?r6=GBw5w5TP0zGw7Ui1KyuWLvjFNgn/VJyG24akOFBAUZbsXTnWiW1DuuZdfbFm7e75UOMWX9j4&sBZxr2=FxopsJeXPvOX3 http://www.artjohntravis.com/b0ar/?r6=FI6V3ciXB53f+evAnSijLVseR7Fj9SHqs11tijwh7SEaqCYqOPT9yA6Mp0JLeXWl2GeMTJcV&sBZxr2=FxopsJeXPvOX3 https://www.000webhost.com/migrate?static=true https://www.dropbox.com/s/dl/fzj752whr3ontsm/SSLLibrary.dll https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 - rule_id: 4618 |
26 | www.thepink.club(99.83.154.118) www.000webhost.com(104.19.184.120) www.dropbox.com(162.125.84.18) - mailcious www.ceaice.com() www.vnielvmdqxk538.xyz(72.52.178.23) freedns.afraid.org(69.42.215.252) www.algarmotorcars.com(34.80.190.141) xred.site50.net(153.92.0.100) - mailcious www.6972399.com() www.mcinerneychrysler.com(104.74.219.56) docs.google.com(172.217.26.14) - mailcious xred.mooo.com() - mailcious www.livingalcohol.com(34.102.136.180) www.privsec-mail.com() www.artjohntravis.com(34.102.136.180) www.secure-dwellant.com() 72.52.178.23 - suspicious 104.74.219.56 153.92.0.100 - mailcious 99.83.154.118 - mailcious 34.102.136.180 - mailcious 34.80.190.141 - mailcious 104.19.185.120 69.42.215.252 172.217.26.14 - malware 162.125.84.18 - mailcious |
6 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com ET POLICY Dropbox.com Offsite File Backup in Use ET HUNTING Suspicious User-Agent Containing .exe |
2 | http://xred.site50.net/syn/SSLLibrary.dll https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 |
15.4 | M | 23 | ZeroCERT