12151 |
2021-09-07 15:03
|
charles.html da1721b1e3a188310ec7e7b2520213c3 Antivirus AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
31
|
16
resources.blogblog.com(172.217.31.169) www.google.com(172.217.25.68) www.gstatic.com(172.217.25.67) fonts.googleapis.com(172.217.175.234) accounts.google.com(216.58.197.205) www.google-analytics.com(216.58.197.238) fonts.gstatic.com(172.217.31.163) www.blogger.com(172.217.31.169) 142.250.207.67 172.217.31.164 172.217.26.141 142.250.204.41 142.250.204.73 172.217.26.14 - malware 172.217.161.131 142.250.66.42
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 |
ZeroCERT
12152 |
2021-09-07 15:06
|
blackmatter.exe 18c7c940bc6a4e778fbdf4a3e28151a8 BlackMatter Ransomware PE File PE32 VirusTotal Malware MachineGuid Check memory unpack itself AntiVM_Disk VM Disk Size Check Ransomware ComputerName |
|
2
nowautomation.com() - mailcious mojobiden.com() - mailcious
7.6 |
|
53 |
r0d
12153 |
2021-09-07 15:11
|
ojbabas.exe 04980596d66951166fa2ebfd96c84d22 TTiger Keylogger PE File PE32 OS Processor Check VirusTotal Malware unpack itself Tofsee |
1
https://img.neko.airforce/files/bnzrp
|
2
img.neko.airforce(167.172.239.151) - mailcious 167.172.239.151 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.2 |
M |
26 |
r0d
12154 |
2021-09-07 18:57
|
shattgojas.exe 3dd433076befeaeb67f2e9aee5207b9a PE File PE32 VirusTotal Malware Tofsee |
1
https://img.neko.airforce/files/vpphrt
|
2
img.neko.airforce(167.172.239.151) - mailcious 167.172.239.151 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
1.0 |
M |
33 |
ZeroCERT
12155 |
2021-09-07 18:58
|
rollerkind2.exe 69e1794d5d6331000ad3d26f6876432f Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself |
1.8 |
|
22 |
ZeroCERT
12156 |
2021-09-07 19:00
|
dan.exe aff8123fb844bd75ae95db9dd3dc94ed Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
12.6 |
M |
19 |
ZeroCERT
12157 |
2021-09-07 19:00
|
p5.exe 150d402c22f8ad26ac0a47cb08ef2b8d RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Browser Email ComputerName Software crashed |
1
|
2
ifconfig.me(34.117.59.81) 34.117.59.81
|
1
ET POLICY External IP Lookup Domain (ifconfig .me)
6.6 |
M |
26 |
ZeroCERT
12158 |
2021-09-07 19:04
|
clip.exe 745b2fa5052c6dd80ae98f7aed56d23a Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself |
1.8 |
|
22 |
ZeroCERT
12159 |
2021-09-07 19:04
|
rig.exe 0b85eae86038116041ecc8d24ba2fadb Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware unpack itself ComputerName |
2.0 |
|
53 |
ZeroCERT
12160 |
2021-09-07 19:06
|
c2.exe ef125f7a35d65a62902594b0b4c46812 RAT Generic Malware Malicious Packer PE File PE32 OS Processor Check .NET EXE VirusTotal Malware |
1.0 |
M |
34 |
ZeroCERT
12161 |
2021-09-07 19:07
|
vbc.exe 94253a7c421aeba9e411730ba3f3c897 PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
12
http://www.agamdesigners.com/imi7/?GzuD=+Q7WlN4Hp8A5gOzDFXVaDonw6sKaX4xwzxcmYTkSJF2wJC8otdv/8Zp0zZIInzmaXv0UDelR&AlB=O2Mthllp7 http://www.abc-staff.com/imi7/?GzuD=3LZm1iRscnuMBa7eXiRmSKBb+/H8umyVbYMems3WtreaiyBf/kGruuLJ8kceVNcEixw/yb8u&AlB=O2Mthllp7 - rule_id: 4770 http://www.agamdesigners.com/imi7/ http://www.gtof.net/imi7/?GzuD=+j1/LGSTzSFy2WiPqgX06qTWSgEnm/IsRi2ZZUw9cN5z+r+J9ApLQHqEeUtXBDfftexbEh7P&AlB=O2Mthllp7 http://www.southerngiggle.com/imi7/ - rule_id: 4774 http://www.abc-staff.com/imi7/ - rule_id: 4770 http://www.gtof.net/imi7/ http://www.powerlinkme.com/imi7/?GzuD=M//sfA69f+etYomJd9U2YdUVkVopbLoRE9mfqGVotdj8O3ZNk+jc/j3Mry8rPUpRzBLqbT1f&AlB=O2Mthllp7 - rule_id: 4740 http://www.sungoldhomeliving.com/imi7/ - rule_id: 4772 http://www.southerngiggle.com/imi7/?GzuD=6DPXXUxjNhAUxFF0HJPciD7wCMdQ5Kjpq9HSdggl9T7QEXc1VUDnpVSWHHH5kcZKJv7Ciavm&AlB=O2Mthllp7 - rule_id: 4774 http://www.sungoldhomeliving.com/imi7/?GzuD=IZKb4HJqMXyJMqZyZW8ea0lZO79FfsahuXlqQdaEcqwYU031mgchofAtsOPxSTnym90X9JnS&AlB=O2Mthllp7 - rule_id: 4772 http://www.powerlinkme.com/imi7/ - rule_id: 4740
|
15
www.agamdesigners.com(182.50.132.242) www.southerngiggle.com(34.98.99.30) www.acceptedsolutions.net() www.crownfoamus.com() - mailcious www.sungoldhomeliving.com(34.98.99.30) www.gtof.net(18.208.31.123) www.abc-staff.com(157.112.189.34) www.powerlinkme.com(23.80.211.101) - mailcious www.be530.com() 23.80.211.101 - mailcious 52.205.158.209 182.50.132.242 - mailcious 157.112.189.34 - mailcious 34.117.59.81 34.98.99.30 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
8
http://www.abc-staff.com/imi7/ http://www.southerngiggle.com/imi7/ http://www.abc-staff.com/imi7/ http://www.powerlinkme.com/imi7/ http://www.sungoldhomeliving.com/imi7/ http://www.southerngiggle.com/imi7/ http://www.sungoldhomeliving.com/imi7/ http://www.powerlinkme.com/imi7/
|
8.6 |
M |
18 |
ZeroCERT
12162 |
2021-09-07 19:08
|
Vids.exe 09f9f48eea4e7bf45dc549f15e4d27e8 Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself |
1.8 |
M |
23 |
ZeroCERT
12163 |
2021-09-07 19:10
|
raccon.exe 357f32eecd7be7427ccc0e7fab0ce386 Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself |
1.8 |
M |
23 |
ZeroCERT
12164 |
2021-09-07 19:11
|
vbc.exe 1ad28c768524311e68f7db00b34e9c29 PE File PE32 VirusTotal Malware unpack itself Tofsee |
1
https://img.neko.airforce/files/ltnhq
|
2
img.neko.airforce(167.172.239.151) - mailcious 167.172.239.151 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.2 |
M |
23 |
ZeroCERT
12165 |
2021-09-07 19:12
|
hv.exe 385eccb9e711368035f0f329f98255ec Gen2 ASPack Malicious Library Malicious Packer PE File PE32 OS Processor Check Malware download VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Creates executable files Windows utilities suspicious process WriteConsoleW Zeus Windows ComputerName Trojan DNS |
1
http://37.49.230.185/bp/gate.php?017BD04FB3BF45B68167E
|
1
|
3
ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE Trojan Generic - POST To gate.php with no accept headers ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
7.8 |
M |
49 |
ZeroCERT