12031 | 2021-09-03 08:54
lv.exe ec13b1b95f843a9d05826658350406fc
Tags: NPKI Gen1 Gen2 Generic Malware Malicious Library Anti_VM UPX Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities AppData folder malicious URLs Windows crashed
Hosts (1):
  kWIFyTtOQxaHW.kWIFyTtOQxaHW()
9.4 | M | 28 | ZeroCERT

12032 | 2021-09-03 08:56
vbc.exe 094922de5b4450aa3323088f17176cc8
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware unpack itself Tofsee
URLs (1):
  https://img.neko.airforce/files/ezqyil
Hosts (2):
  img.neko.airforce(167.172.239.151) - mailcious
  167.172.239.151 - mailcious
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.4 | M | 26 | ZeroCERT

12033 | 2021-09-03 08:56
search.exe 8f4b127c5d4bc23dbbab758d2e4a295d
Tags: PWS .NET framework email stealer Generic Malware Malicious Library DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key crashed
Hosts (1):
10.8 | M | 31 | ZeroCERT

12034 | 2021-09-03 08:58
Server.txt 94399d073244c168d813a46c1751b396
Tags: PowerShell MZ ScreenShot AntiDebug AntiVM VirusTotal Malware Check memory unpack itself DNS
Hosts (1):
2.0 | M | 2 | ZeroCERT

12035 | 2021-09-03 08:58
kdotzx.exe 69c0afbef4771e4c3bdbcb7571ebc505
Tags: PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
10.4 | M | 17 | ZeroCERT

12036 | 2021-09-03 09:00
bankzx.exe a8979ec0855afa6c83d0154c5bff7d8e
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (1):
  http://www.sulmx.com/bckt/?AlB=0WUjjGmkVCKJmdM9+k5PHEXQUQk8v75Wtsp1rxUo+bpTNu7bsnh5+nhMt2LZUoqphRkP2wFu&ar8=tXIxBh80ZzldQ
Hosts (3):
  www.eloquentui.com()
  www.sulmx.com(99.81.40.78)
  99.81.40.78 - mailcious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
7.8 | M | 27 | ZeroCERT

12037 | 2021-09-03 09:00
inv_1123.wbk 2a468f175032ed01e5d4fecd511b8b0f
Tags: RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader
URLs (1):
  http://23.95.122.90/icici/vbc.exe
Hosts (3):
  img.neko.airforce(167.172.239.151) - mailcious
  167.172.239.151 - mailcious
  23.95.122.90 - mailcious
Alerts (8):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO TLS Handshake Failure
5.2 | M | 26 | ZeroCERT

12038 | 2021-09-03 09:03
ashleyzx.exe 027eb7b43d4c9d6c2340d2c2391cd6c9
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (3):
  http://www.infinityormus.com/crg3/?MnW8=aBccGOwErgPre43QnhpcuVoXFq8GKd87aC0dXa3fYTKxl7Jtk/vDSnCkMctKss6ezBqA0jg4&Klh8=p2JXfHEPw
  http://www.theriversidecountyhomepro.com/crg3/?MnW8=DlXh8HWi82SzBw0RJ/6VGpFkTUcz0we99XtleYKpWXYF2jgY0Vi1rZXcTXO/6Z9n6hEY3EW/&Klh8=p2JXfHEPw
  http://www.infinitytattoocare.com/crg3/?MnW8=G0O/V1BSeeiOXGa3ZhZYpwmF06RYoj1Q/SmNcifgaLNZ9w6ENH+p3VVN7Ne96pxQbzbLpXw9&Klh8=p2JXfHEPw
Hosts (6):
  www.infinitytattoocare.com(34.98.99.30)
  www.infinityormus.com(45.88.202.115)
  www.theriversidecountyhomepro.com(34.237.164.220)
  34.98.99.30 - phishing
  34.237.164.220
  45.88.202.115 - mailcious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
8.8 | M | 26 | ZeroCERT

12039 | 2021-09-03 09:03
templeblessedzx.exe 185b8728d6154d936c94507565742546
Tags: PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (6):
  mail.trkvalves.id(43.230.131.223)
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(158.101.44.242)
  193.122.6.168
  43.230.131.223
  104.21.19.200
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
  ET POLICY External IP Lookup - checkip.dyndns.org
12.8 | M | 26 | ZeroCERT

12040 | 2021-09-03 09:13
install.exe d15916e67b1327a6532b1b248bb2df47
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
9.6 | M | 28 | ZeroCERT

12041 | 2021-09-03 09:13
blessedzx.exe af8332ebf771f4da3e3087a682ee87a9
Tags: AgentTesla PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger
Hosts (1):
  79.134.225.21 - mailcious
13.2 | M | 27 | ZeroCERT

12042 | 2021-09-03 09:15
catzx.exe 221187fbd15140dada95281d6eb078d7
Tags: Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
Hosts (2):
  tzitziklishop.ddns.net(103.89.89.134) - mailcious
  103.89.89.134
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.2 | M | 31 | ZeroCERT

12043 | 2021-09-03 09:16
kswb.exe 9ac22682b4c95a59b075eef78c576260
Tags: AgentTesla PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Antivirus Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key Downloader
URLs (1):
  http://198.23.251.109/kswb/vbc.exe
Hosts (2):
  45.137.22.77
  198.23.251.109 - malware
Alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
10.0 | M | 27 | ZeroCERT

12044 | 2021-09-03 09:19
vbc.exe 1a3c74ff1002eb5d8121bedd3f5d3e9d
Tags: PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key
2.2 | | 22 | ZeroCERT

12045 | 2021-09-03 09:21
kswbc.exe b5bace5942a11ab8ce216ca558f81812
Tags: Generic Malware Antivirus Malicious Library PE File .NET EXE PE32 OS Processor Check Malware download VirusTotal Malware powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key Downloader
URLs (2):
  http://198.23.251.109/kswbc/vbc.exe
  https://img.neko.airforce/files/uizurz
Hosts (3):
  img.neko.airforce(167.172.239.151) - mailcious
  167.172.239.151 - mailcious
  198.23.251.109 - malware
Alerts (7):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
10.0 | M | 23 | ZeroCERT