12076 | 2021-09-04 14:08
vbc.exe c13976b4653ada57f5b39e16a793e99f PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed
9 | http://www.allianzbersamamu.com/nthe/?JfExyPL0=2YZdSTXa1loLbzYX+KcnQQkiviJlq8WIBr6m/lVEooYtizd+E4nT8gCCGWlpcQ6d7AGpSO/Q&ojo0s=RzuPnV http://www.fihglobal.com/nthe/?JfExyPL0=mKrLZ0KBDIQPI4DdC9V+hI0e30bTUityPVbhna4JYUAi4UF4dmM1cf0ZfJCGCONr8A0LwDUp&ojo0s=RzuPnV http://www.colorfulcreativeco.com/nthe/?JfExyPL0=i1Uafv7/XY5pwQg/IO5636VQDSyiXmHNkufSpgLunOfe4moK9BB1YXz9zS6ff7gD8g/iDxDQ&ojo0s=RzuPnV http://www.eurolajd.com/nthe/?JfExyPL0=6oXK1x+wYzAmru5Z6N72zxO5QluB6KDp6VcVoDgZC/q3ydUBCDLLVfoEyXCF5izCe5Tk5Ggz&ojo0s=RzuPnV http://www.hanlansmojitovillage.net/nthe/?JfExyPL0=54OfAHeNbwRIeCfiK96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3r9WBXmbjhC4FqUNXJfm&ojo0s=RzuPnV http://www.thehendrixcollection.com/nthe/?JfExyPL0=qp5tTycjraYi6SJsXJzwoJew8M45iHa3mcoNtA6+f44Y1u07iGIt/R0L13x3Q7wmKkJP7e6a&ojo0s=RzuPnV http://www.menucoders.com/nthe/?JfExyPL0=2/6tfhI6PmzLXkibMbYMuhqxPUXSwPisEi/Yg6xjUm32Bq9HT7zDahDLd/hxqMxFYlEHT94T&ojo0s=RzuPnV http://www.cpb.site/nthe/?JfExyPL0=21tMkqEPJZcvLTuam7CVVp3eTiqf/+4cN27Pgp5ejfxv1jbsXk06Rc83vMhu3FiqrxPpPkW+&ojo0s=RzuPnV http://www.com-security.center/nthe/?JfExyPL0=O9ru5Cw3dlJheDNPmkvXbDQOyxIElFziblOF/ZOA9naSo9UY2bdQogtefZKIBoCLD75xyqbM&ojo0s=RzuPnV
18 | www.thehendrixcollection.com(34.102.136.180) www.menucoders.com(172.217.174.115) www.colorfulcreativeco.com(185.169.253.175) www.hanlansmojitovillage.net(34.102.136.180) www.com-security.center(99.81.40.78) www.eurolajd.com(95.217.195.80) www.cpb.site(208.91.197.27) www.minhscribe.com() www.allianzbersamamu.com(151.106.124.13) www.fihglobal.com(13.248.216.40) 172.217.26.51 - phishing 13.248.216.40 - mailcious 99.81.40.78 - mailcious 208.91.197.27 - mailcious 34.102.136.180 - mailcious 151.106.124.13 95.217.195.80 - malware 185.169.253.175
1 | ET MALWARE FormBook CnC Checkin (GET)
8.2 | 36 | ZeroCERT
12077 | 2021-09-04 14:09
PBrowFile16.exe 915fff94ba8a7588af46c1090b7cd6d9 NPKI Generic Malware PE File .NET EXE PE32 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee
2 | https://2no.co/1w7Ab7 https://2no.co/1w8Ab7
5 | theonlinesportsgroup.net() - mailcious remotepc3.xyz() remotenetwork.xyz() 2no.co(88.99.66.31) - mailcious 88.99.66.31 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | 46 | ZeroCERT
12078 | 2021-09-04 14:09
PBrowFile17.exe 8e2c6bd0f789c514be09799fa453f9bb Generic Malware PE File .NET EXE PE32 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee
2 | https://2no.co/1XaQy7 - rule_id: 4556 https://2no.co/1m32g7 - rule_id: 4557
5 | theonlinesportsgroup.net() - mailcious remotepc3.xyz() remotenetwork.xyz() 2no.co(88.99.66.31) - mailcious 88.99.66.31 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2 | https://2no.co/1XaQy7 https://2no.co/1m32g7
4.4 | M | 47 | ZeroCERT
12079 | 2021-09-04 14:11
vbc.exe e2e2b1bd1df8d460c9b1d11097429d16 Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 48 | ZeroCERT
12080 | 2021-09-04 14:12
beacon.exe 8d8d168e25d41e2d4304c08cb3105d9b Malicious Library PE File PE32 Dridex TrickBot VirusTotal Malware RWX flags setting unpack itself Kovter ComputerName Remote Code Execution DNS
1 |
3 | ET DROP Dshield Block Listed Source group 1 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex SURICATA Applayer Wrong direction first Data
3.2 | M | 57 | ZeroCERT
12081 | 2021-09-04 14:14
audio.exe 40641703573ab3ccb1fafcb7f996b06a PWS .NET framework email stealer Generic Malware DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key crashed
1 |
11.8 | M | 37 | ZeroCERT
12082 | 2021-09-04 14:16
ibefrankzx.exe 9deb8fec62787f6a330618dfcb84d818 PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
3 | http://www.lightstailor.com/if60/?CPJ=/7ZzCbNeHSszc6QylsRiGi5gpYj6NBvs54qQsraIqiPXOY40xofU9kbAQv/fRZWzyimwhHsI&oX=Txo8s04xDB9t http://www.snowdons.online/if60/?CPJ=9bcq+XJudGWr+vl0NwXPRwAMr/33HDwFTWBut6x76Ym8O8hj8klc4YO6KlE5RYa+kjRrCxQu&oX=Txo8s04xDB9t http://www.christal-capital.com/if60/?CPJ=+iBHvVpDYTAAHSLAZWqW8F9qEpNTJeRWs60igPf5tjRvPUaYn7WXN+LoRswjSS5rsxJJbRk9&oX=Txo8s04xDB9t
6 | www.lightstailor.com(209.99.40.222) www.christal-capital.com(209.99.40.222) www.snowdons.online(94.136.40.51) 20.150.137.35 209.99.40.222 - mailcious 94.136.40.51 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
8.2 | M | 19 | ZeroCERT
12083 | 2021-09-04 14:18
chrome.exe 30b21677cf7a267da2ef6daff813d054 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.6 | M | 51 | ZeroCERT
12084 | 2021-09-04 14:21
new.exe 396e48ab8ea9e0d607ff13b16cf5477d RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows Cryptographic key
1 | http://www.champsmaker.com/hh3t/?wP9=NCipgQerCfphd5DTbGF/kFoZZkzsi4tPI1A2Kby7UVlcXZ+cuGCRB/mgzgBvre+yD2+t/g2H&lZQ=7nbLpdZHS
4 | www.champsmaker.com(34.98.99.30) pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious 34.98.99.30 - phishing
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
11.0 | M | 25 | ZeroCERT
12085 | 2021-09-04 15:18
Zenare.exe d43db563bc6efb1c6cbb86f4d21349d9 Emotet Generic Malware Malicious Library PE File PE32 GIF Format VirusTotal Malware AutoRuns Creates shortcut Creates executable files RWX flags setting unpack itself AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows Browser
2 | http://iplogger.org/1mxPf7 https://iplogger.org/1mxPf7
4 | bitbucket.org(104.192.141.1) - malware iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 104.192.141.1 - mailcious
2 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.6 | 10 | ZeroCERT
12086 | 2021-09-04 15:25
Security Bugs in Operation.pdf... 02904e802b5dc2f85eec83e3c1948374 Generic Malware Anti_VM DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting unpack itself suspicious process malicious URLs Tofsee Interception
1 | https://share.bloomcloud.org/2qRa60mv2a5zatU3RmgAHlbjRh1klMFjgezI2pOL0Tk=
2 | share.bloomcloud.org(139.180.164.131) 139.180.164.131 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | 20 | ZeroCERT
12087 | 2021-09-04 15:29
Security Bugs in Operation.pdf 887b611a15102af0238a4084c22be025 Anti_VM PDF Windows utilities Windows
5 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
1.4 | ZeroCERT
12088 | 2021-09-05 08:54
2GBzRuGCFtarHn8.exe 9982c2f68fbebf8f9c5fb2c0fd711164 Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
2 | frubong.duckdns.org(185.140.53.76) 185.140.53.76
1 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
15.2 | 37 | ZeroCERT
12089 | 2021-09-05 08:57
taos.exe 1d11bcec0aff60ec16a81131e2a4d7c3 Generic Malware Malicious Library AntiDebug AntiVM PE File PE32 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS
3 | http://185.215.113.20/gb9fskvS/index.php - rule_id: 4230 http://138.197.134.11/santa.clo http://185.215.113.20/gb9fskvS/index.php?scr=1 - rule_id: 4230
2 | 138.197.134.11 185.215.113.20 - mailcious
6 | ET DROP Spamhaus DROP Listed Traffic Inbound group 25 ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Amadey CnC Check-In
2 | http://185.215.113.20/gb9fskvS/index.php http://185.215.113.20/gb9fskvS/index.php
9.2 | M | 24 | ZeroCERT
12090 | 2021-09-05 08:59
vbc.exe cd6fb772e30b73bae310c242e03bf8ba Malicious Library DNS Escalate priviledges ScreenShot AntiDebug AntiVM PE File PE32 GIF Format DLL Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk VM Disk Size Check human activity check Windows ComputerName
2 | discoveryvipshinjiru2law.ooguy.com(91.193.75.238) - mailcious 91.193.75.238 - mailcious
1 | ET MALWARE Possible NanoCore C2 60B
13.2 | 15 | ZeroCERT