12016 | 2021-09-02 18:04
CHARLSE.exe 29df961d87b689567324ce38192e1d66 RAT PWS .NET framework Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
3
time.google.com(216.239.35.8) dns.google(8.8.8.8) 216.239.35.0
13.0 | M | 35 | ZeroCERT

12017 | 2021-09-02 18:05
168931870.exe a4afd9519bed282bc4c1248f7aaafde0 RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
1
3
api.ip.sb(172.67.75.172) 104.26.13.31 45.88.107.116
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.0 | M | 46 | ZeroCERT

12018 | 2021-09-02 18:07
TOBI.exe 5bf7c4b2b2980b4796c0c93b00dcf602 RAT PWS .NET framework email stealer Generic Malware Antivirus DNS Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself Windows utilities powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Cryptographic key crashed
3
time.google.com(216.239.35.8) dns.google(8.8.4.4) 216.239.35.8
15.4 | M | 32 | ZeroCERT

12019 | 2021-09-02 18:09
368530214.exe e8b6c2c9dfbf5ccb632d59e2da690ac6 NPKI Malicious Library UPX DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Proces Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check SectopRAT Windows ComputerName Remote Code Execution DNS
2
NNUcLOTLJm.NNUcLOTLJm() 77.232.36.146
1
ET MALWARE Win32/1xxbot CnC Checkin
14.2 | M | 25 | ZeroCERT

12020 | 2021-09-02 18:14
assistant.php.ps1 d41d8cd98f00b204e9800998ecf8427e Generic Malware Antivirus unpack itself
0.4 | | | ZeroCERT

12021 | 2021-09-02 18:14
1305533303.exe 36fb5ba2ff9166a3337d819504fe2526 RAT PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key crashed
2.2 | | 38 | ZeroCERT

12022 | 2021-09-02 18:17
BHBW-P412536.xls 1963a4808a9d94fbc0e380707c150730 AntiDebug AntiVM VirusTotal Malware Code Injection Check memory RWX flags setting unpack itself suspicious process Tofsee Interception
1
https://www.bitly.com/ewrhteraewkjsi
2
www.bitly.com(67.199.248.15) - mailcious 67.199.248.14 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.0 | | 26 | ZeroCERT

12023 | 2021-09-02 18:17
A Letter before court 4.docx 1d2094ce85d66878ee079185e2761beb VirusTotal Malware MachineGuid Check memory RWX flags setting unpack itself GameoverP2P Zeus ComputerName Trojan Banking
1
http://hidusi.com/e8c76295a5f9acb7/side.html
1
4.4 | | 3 | ZeroCERT

12024 | 2021-09-02 18:21
who_template.doc 3657586d8555593012bfd7420d488be4 Generic Malware VBA_macro MSOffice File VirusTotal Malware RWX flags setting unpack itself DNS
1
http://appmedicine.whoint.cf/data/aini.down
1
appmedicine.whoint.cf() - phishing
1
ET INFO DNS Query for Suspicious .cf Domain
2.8 | | 20 | ZeroCERT

12025 | 2021-09-02 18:21
side.html 4c80dc9fb7483214b1613957aae57e2a AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
1
http://hidusi.com/e8c76295a5f9acb7/ministry.cab
1
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | | | ZeroCERT

12026 | 2021-09-02 18:31
4.html 9c9209875f3a48c2662578fbad7c916e Antivirus AntiDebug AntiVM MSOffice File PNG Format Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
27
16
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | | ZeroCERT

12027 | 2021-09-03 00:57
2.exe 294fab1523dc3b50cbcc120e67946a5b UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware DNS
1
139.196.224.137 - malware
4.0 | M | 56 | guest

12028 | 2021-09-03 08:53
vbc.exe dd5c7e917f28bbe04bb177571eadb4b6 Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS
12
http://www.meo6.com/ecuu/ http://www.poorwhitetrashlivesmatter.net/ecuu/ - rule_id: 4683 http://www.tasteofourneighborhood.com/ecuu/ - rule_id: 4685 http://www.tehridam.com/ecuu/ - rule_id: 4593 http://www.tehridam.com/ecuu/?KnbdJ0x8=52vxKUookbImOzTI7E+jd1wlXpyw0GfihJo0VkeqObbGxcjgEHmk7kL8PM63ES7BEXBsCGUk&QXNXP=uphTDjQ0dle - rule_id: 4593 http://www.poorwhitetrashlivesmatter.net/ecuu/?KnbdJ0x8=Pl7Wo/Sc18YTVh4ZfRYn9GaIW3hmPNugWLqq+bwHPa7GGyOQcNaR6G/8c/+q5jU1tNJ+hTp8&QXNXP=uphTDjQ0dle - rule_id: 4683 http://www.keplersark.com/ecuu/ http://www.keplersark.com/ecuu/?KnbdJ0x8=ErLy2cxkmBgc+vcby4/4OzScNwRwZNunoYkj9ouMgCM9dfa6mhMp1sEqnAK/47sh9WzSWDcB&QXNXP=uphTDjQ0dle http://www.tasteofourneighborhood.com/ecuu/?KnbdJ0x8=2bt83kpOuVtEIWyxUzi5DXhitRFjdhq2G+J/5YNEy7Qmu4jdCi+MNXaEKclGMLIx7+ZhZc0n&QXNXP=uphTDjQ0dle - rule_id: 4685 http://www.meo6.com/ecuu/?QXNXP=uphTDjQ0dle&KnbdJ0x8=YvsDOebvdn33iOC+v2Ok61M54opkfPvcWjQzCgbatYYSU9v1OQaSbdzIzzvoqR0JelM+izEt https://acgxog.bn.files.1drv.com/y4msQ2m08EEz55CIox4ARzCARZSov_y6dCjL9KyqanqqW24yqFPyPmAgiFkMG2QbocQDtxoJAsMXRLcnBYdf8Vmf7dCAnr4ai6BcsbO0ode1OHkU4-B6Sxcc3qyHm0RZE5d-tYL-NoCSGPbNRA3cyLtIuCoQ-QdtoRv_MGoP5vP5pvjd4CsmpmBh0gXQQ5_PYLHYy5XUPfni0s7poAfWfxe5Q/Skxlgyfleozjvblodjbfwvxsubblvwz?download&psid=1 https://acgxog.bn.files.1drv.com/y4m7zPsFxg1v3fwqegpu63QQ7Fqy5_pkQlSDyodYXMkhDfs6Eqn0yvdAB_1nA0Mg0phAL6brhc-_wzn9DLIYxLRo85j16Plvt7WWn6XgOs8UGEv1lOweLvn8i3THvR44IPsolZ9HquJOzHeiCP5Qsolbxd7DhqPopNhWuDz6y0_Izi3L5QEZPtHC3V5xn34TUKOYuGoK6yyPWpMskHmo3fbLg/Skxlgyfleozjvblodjbfwvxsubblvwz?download&psid=1
17
acgxog.bn.files.1drv.com(13.107.42.12) www.tehridam.com(184.168.131.241) onedrive.live.com(13.107.42.13) - mailcious www.keplersark.com(209.99.64.55) www.tasteofourneighborhood.com(34.102.136.180) www.meo6.com(75.2.18.233) www.gyiblrjd.icu(47.91.170.222) www.blackhillsfarmtn.com() www.poorwhitetrashlivesmatter.net(34.102.136.180) www.donnaquerns.com() 184.168.131.241 - mailcious 209.99.64.55 - mailcious 13.107.42.13 - mailcious 13.107.42.12 - malware 34.102.136.180 - mailcious 47.91.170.222 - mailcious 75.2.18.233 - mailcious
3
ET INFO DNS Query for Suspicious .icu Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
6
http://www.poorwhitetrashlivesmatter.net/ecuu/ http://www.tasteofourneighborhood.com/ecuu/ http://www.tehridam.com/ecuu/ http://www.tehridam.com/ecuu/ http://www.poorwhitetrashlivesmatter.net/ecuu/ http://www.tasteofourneighborhood.com/ecuu/
11.8 | M | 22 | ZeroCERT

12029 | 2021-09-03 08:53
Install_Rental_LL12_2018_4.exe 2a4bcd31051a5656d118ca1617da35d6 RAT PWS .NET framework Emotet Gen2 Gen1 Generic Malware PDF Suspicious Link Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer Anti_VM ASPack PDF PE File PE32 .NET EXE OS Processor Check MSOffice File DLL PNG Format VirusTotal Malware suspicious privilege Check memory Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Ransomware Windows Browser ComputerName crashed
7.0 | M | 15 | ZeroCERT

12030 | 2021-09-03 08:53
obizx.exe d8eee8440dde12c5915cb7d7ea8c41e1 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
8.6 | M | 24 | ZeroCERT