11971 | 2021-09-02 09:19
myformzx.exe caee75efc8bd1904d750d941d6a760b8 RAT PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 | 25 | ZeroCERT
11972 | 2021-09-02 09:20
vbc.exe a9a4ef232a3238c20d7e392ca286c265 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
ET MALWARE FormBook CnC Checkin (GET)
1
http://www.glamandtan.net/sqwo/
8.0 | M | 34 | ZeroCERT
11973 | 2021-09-02 09:21
nnlt4.exe d1ce5b7ddf8d49a2554281ffe4e14270 AgentTesla(IN) RAT Generic Malware Malicious Library Malicious Packer PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
5.8 | 50 | ZeroCERT
11974 | 2021-09-02 09:22
vbc.exe ceed79fe40c1038ca78784cc26a1eed5 RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed |
1
https://pastebin.pl/view/raw/ae498e11 - rule_id: 4631
2
pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1
https://pastebin.pl/view/raw/ae498e11
10.2 | M | 18 | ZeroCERT
11975 | 2021-09-02 09:23
mazx.exe 2aee5ea79b9327ec85da89421b92d219 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
http://www.gatel3ess.com/mxwf/?v6=xHFfgTEL+mJKwfpOdfq+qxaG0inkAfXbv5WaALWrbm9qy3zCGisDRu1Ryc3XwIlgKHY9Bve3&1b=V6ALsRjPe
3
www.llanoresources.com() www.gatel3ess.com(34.102.136.180) 34.102.136.180 - mailcious
1
ET MALWARE FormBook CnC Checkin (GET)
8.2 | 22 | ZeroCERT
11976 | 2021-09-02 09:24
odinakazx.exe 5d7a426f8569371c2bdfc6f005bfe951 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
ET MALWARE FormBook CnC Checkin (GET)
2
http://www.schoolphysician.com/9t6k/ http://www.urne24.online/9t6k/
8.2 | M | 22 | ZeroCERT
11977 | 2021-09-02 09:26
bankzx.exe 6a6119c0de7a594dc63fd62153812a39 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
2
http://www.kaelmisko.com/bckt/?yVMpQN-P=1sxQ3iJKg1FBYxLLqWoboY/+p5zRzJoOXdMlq1QTyA1xZAuRSGteu9RYTrTxhsE6NtxInfBE&1bz=o8rLp http://www.wonderspirits.com/bckt/?yVMpQN-P=PLxeG+BKHqSBFiYZ93LaPJoaB7L9znfdzbPpQVw/UvBNMGs491hEyAUlWmQIfLzBIT2rjuoE&1bz=o8rLp
4
www.kaelmisko.com(160.121.62.228) www.wonderspirits.com(3.6.82.7) 3.6.82.7 160.121.62.228
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 17 ET MALWARE FormBook CnC Checkin (GET)
9.2 | M | 28 | ZeroCERT
11978 | 2021-09-02 09:26
vbc.exe 91b3a89d2c0a881737df49fac38744e4 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed |
2
ET INFO DNS Query for Suspicious .icu Domain ET MALWARE FormBook CnC Checkin (GET)
9.2 | M | 38 | ZeroCERT
11979 | 2021-09-02 09:28
vbc.exe d32b55acf96361e5c9c8da94c1b8a102 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
ET MALWARE FormBook CnC Checkin (GET)
8.4 | M | 36 | ZeroCERT
11980 | 2021-09-02 09:30
obinnazx.exe 928f82822d997033b331fa2e51e5f6dd RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
2
http://www.mywebdesigner.pro/gz92/?p0D=MfUm+kFNKO5L0HXbTYBUs0TEVsqCqJoX+iXl+u2eiFI0bb2/PaOoBTtaTWcSt8eH78Yvv7z/&1bRtZr=pFNpFT98sdz452tp http://www.1s5dnwzwv8tht8vi0v78kde4e.com/gz92/?p0D=HTs0NjpwMuS7fwaL03d48AajIpvOUkZhg/JZ2gvmgqYH3gdkieTsQNNo6tdm+/LDhIpSMtab&1bRtZr=pFNpFT98sdz452tp
4
www.mywebdesigner.pro(75.2.18.233) www.1s5dnwzwv8tht8vi0v78kde4e.com(34.98.99.30) 75.2.18.233 - mailcious 34.98.99.30 - phishing
1
ET MALWARE FormBook CnC Checkin (GET)
9.2 | M | 25 | ZeroCERT
11981 | 2021-09-02 09:43
readytans.png 539614a94256046c940b95493fedb6ec Malicious Library PE File OS Processor Check DLL PE32 Dridex TrickBot Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://179.189.229.254/rob127/TEST22-PC_W617601.C6F7758F1FE1C33B9A957BEA732BE3DF/5/file/
2
179.189.229.254 - mailcious 103.133.111.221
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
5.6 | ZeroCERT
11982 | 2021-09-02 09:44
XNO.exe 36909bb88f91e69d271e206ab3fa8f00 Generic Malware UPX DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Malware download Remcos NetWireRC VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities WriteConsoleW anti-virtualization Windows RAT DNS DDNS keylogger |
1
http://103.133.111.149/XP-remcos_mXwRejN225.bin
3
xp19.ddns.net(103.133.111.221) 103.133.111.221 103.133.111.149 - malware
3
ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE Generic .bin download from Dotted Quad ET MALWARE Remcos RAT Checkin 23
8.0 | M | 36 | ZeroCERT
11983 | 2021-09-02 10:10
udptest.exe 0f7b6037afdc508b17dd99eb1610ef49 Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself |
1.8 | M | 21 | ZeroCERT
11984 | 2021-09-02 10:10
hkd.exe e1bdba8cd7ae8d8f3fe039b5ee58b88d Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
2
godisgood1.hopto.org(103.156.91.208) - mailcious 103.156.91.208
2
ET POLICY DNS Query to DynDNS Domain *.hopto .org ET MALWARE Possible NanoCore C2 60B
13.4 | M | 19 | ZeroCERT
11985 | 2021-09-02 10:13
C0LiTuZTZQvREpr.exe f805e0d740cfd22eefcdbfccb2ba7d2b RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
11.2 | M | 40 | ZeroCERT