12181 | 2021-09-08 09:36 |
vbc.exe 3e7e25ad1c141f146e5ef2b18e624886 Dimnie PE File PE32 VirusTotal Malware Tofsee |
1
https://img.neko.airforce/files/pazsby
|
2
img.neko.airforce(167.172.239.151) - mailcious 167.172.239.151 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.0 | M | 36 | r0d
12182 | 2021-09-08 09:38 |
PAYMENT.exe d16088a5dce52983fccd16363d805cf7 Dimnie PE File PE32 VirusTotal Malware unpack itself Tofsee |
1
https://img.neko.airforce/files/upaujx
|
2
img.neko.airforce(167.172.239.151) - mailcious 167.172.239.151 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
1.0 | | 18 | r0d
12183 | 2021-09-08 09:44 |
template.dotm 51a5d75a820382d1f3cb2978f64e5ae4 VBA_macro Generic Malware Antivirus Malware download Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName DNS Cryptographic key |
1
http://52.57.83.240/update365_0831042.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
10.4 | M | 28 | ZeroCERT
12184 | 2021-09-08 09:44 |
rollerkind.exe 39c975f6377274ff7240746aa53ad1a6 Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 | M | 31 | ZeroCERT
12185 | 2021-09-08 09:46 |
osamazx.exe 4d94d8bf0fca86712a541658c8c0025f PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
8.6 | M | 20 | ZeroCERT
12186 | 2021-09-08 09:46 |
TLH_110503078801.exe 6f8bb2ff11646a8e47c1b2a27d475010 PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic RWX flags setting unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
3
time.google.com(216.239.35.8) dns.google(8.8.4.4) 216.239.35.4
|
|
|
12.0 | M | 31 | ZeroCERT
12187 | 2021-09-08 09:49 |
vbc.exe 8f388b3312600431d2eb17b497ab3ee2 RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed |
1
https://pastebin.pl/view/raw/ae498e11 - rule_id: 4631
|
2
pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://pastebin.pl/view/raw/ae498e11
|
10.2 | M | 17 | ZeroCERT
12188 | 2021-09-08 09:49 |
CRYPT_INSTALLS.exe 56c100bab6222d310357dad74157a447 RAT NPKI Emotet Gen1 Generic Malware UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDeb Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader |
4
http://95.215.205.85/INSTALLS.exe
http://95.215.205.85/eth.exe
https://builder.pp.ru/testqcwqebqweqwe.dll
https://api.ip.sb/geoip
|
6
UNMwIDlLXcJdBCaCx.UNMwIDlLXcJdBCaCx()
builder.pp.ru(185.244.41.39) - malware
api.ip.sb(104.26.13.31) 185.244.41.39 - malware
172.67.75.172 - mailcious
95.215.205.85 - malware
|
6
ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
17.4 | M | 22 | ZeroCERT
12189 | 2021-09-08 09:50 |
INSTALLS.exe 10ef944af097dfefef2b1e3b26fd2017 RAT PWS .NET framework Generic Malware PE File PE32 OS Processor Check .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(104.26.13.31) 104.26.13.31 95.215.205.85 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 | M | 29 | ZeroCERT
12190 | 2021-09-08 09:51 |
odinakazx.exe ac9d0d3e4b472040eb5b614c2577103b PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
7
http://www.360453.com/9t6k/?q48=MXszZjiL5m8KYwVoSSySw2FqEqiBnWUcZ0I4A0KIaxlfgU1OBx983PfdxSJageOZ61F/gpnc&rTFx8=GBZh7698a6FlT2v - rule_id: 4581 http://www.luckytwo.agency/9t6k/?q48=S9YSEPIqba8wB530Cg5sN/cQJuN7u/xCJuo1bG42GqhOjBxV4SnDQq1eie0/0N1gc/fj547d&rTFx8=GBZh7698a6FlT2v http://www.urne24.online/9t6k/?q48=XEZUsmhefmfw3QKQE5ZrpuI8N7oVWrtY0zr9qFGtaUataE1TE0DCRND7FOKibblEWaB5niCz&rTFx8=GBZh7698a6FlT2v - rule_id: 4584 http://www.duancanhoastralcity.com/9t6k/?q48=1USpb1Bk7NLatI5NohBEA9PujVfNP1PKGiDc81iHBltTqKOkZ5Hh2NRwQh24DsrsAEaWcebH&rTFx8=GBZh7698a6FlT2v - rule_id: 4578 http://www.blackculturewriters.com/9t6k/?q48=BUsuDb3+CS6qfzw6lDsNIVyFrKsoNd5kaf0Kt1n2YbQO8TwWRcFmetNQzODvFAFnp5pXnl9e&rTFx8=GBZh7698a6FlT2v http://www.presenceleads.net/9t6k/?q48=BDUFcgmtNQfU+uT4Wrl19rOd0Drh8W8/mstc9dOVr8JPIcYLlNwJ9zAsQVPDnLq1b3Q0p6S5&rTFx8=GBZh7698a6FlT2v http://www.gsmits.com/9t6k/?q48=DHXsxYVj36jYo9XSI0k8aBI122PK8jbY2KWdAli3CiKs+89pIe70JNlIpSp++nfgfBz+S8aX&rTFx8=GBZh7698a6FlT2v - rule_id: 4585
|
17
www.duancanhoastralcity.com(209.99.40.222) www.babysto.com() www.luckytwo.agency(99.83.154.118) www.gsmits.com(34.98.99.30) www.blackculturewriters.com(34.102.136.180) www.urne24.online(89.31.143.1) www.galimetsl.com() www.presenceleads.net(34.98.99.30) www.360453.com(103.110.62.64) www.enventa360.com(217.26.53.21) 89.31.143.1 - mailcious 103.110.62.64 - mailcious 209.99.40.222 - mailcious 34.102.136.180 - mailcious 99.83.154.118 - mailcious 34.98.99.30 - phishing 217.26.53.21 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
4
http://www.360453.com/9t6k/ http://www.urne24.online/9t6k/ http://www.duancanhoastralcity.com/9t6k/ http://www.gsmits.com/9t6k/
|
7.8 | M | 27 | ZeroCERT
12191 | 2021-09-08 09:53 |
globalzx.exe 70dc1affd1eb47ac88c155fde4bab4d6 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.6 | M | 20 | ZeroCERT
12192 | 2021-09-08 09:53 |
famzlogszx.exe d61989608bebc11c9bd867ebffae126e PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
1
http://www.tammistreasures.com/fzsg/?Txlpd4m=mVPrW81xXm+27sJHDx2aXcwWb0J1NInNMTvVSdXzFYbJRHy6ZX93Lh/qhSyOzCPDEHZFsPCC&KzuD=PnjpFpHPM
|
4
www.tammistreasures.com(182.50.132.242) www.xhost.one(188.246.25.58) 188.246.25.58 182.50.132.242 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.6 | M | 19 | ZeroCERT
12193 | 2021-09-08 09:56 |
IMG_80350001.exe f88fe2ffbc0ac8b13baa8cdcb55bab28 RAT PWS .NET framework Generic Malware UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic RWX flags setting unpack itself powershell.exe wrote suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
10
facebook.com(157.240.215.35) google.com(172.217.175.78) outlook.com(40.97.153.146) bing.com(13.107.21.200) youtube.com(172.217.175.14) 204.79.197.200 40.97.153.146 142.250.204.46 157.240.215.35 172.217.174.110 - phishing
|
|
|
12.4 | M | 34 | ZeroCERT
12194 | 2021-09-08 09:56 |
BLT-750108002.exe 4e3f9aaa521bd82e3b2902d528e51685 RAT PWS .NET framework Generic Malware UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic RWX flags setting unpack itself powershell.exe wrote suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
10
facebook.com(157.240.215.35) google.com(172.217.175.78) bing.com(204.79.197.200) outlook.com(40.97.153.146) youtube.com(172.217.175.14) 13.107.21.200 142.250.66.142 40.97.161.50 157.240.215.35 142.250.66.46 - mailcious
|
|
|
12.2 | M | 28 | ZeroCERT
12195 | 2021-09-08 09:58 |
rrrem.exe c4ffb0ae8bc377ff6062360971fb1037 AgentTesla RAT PWS .NET framework browser info stealer Generic Malware Google Chrome User Data UPX Antivirus Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
11
facebook.com(157.240.215.35) google.com(172.217.175.78) outlook.com(40.97.156.114) bing.com(204.79.197.200) youtube.com(172.217.175.14) 142.250.204.78 13.107.21.200 79.134.225.77 - mailcious 172.217.31.142 - phishing 40.97.116.82 157.240.215.35
|
|
|
14.4 | M | 17 | ZeroCERT