12541 | 2021-09-18 21:40 | Japán vízkúra.pdf.igvm c27de5e6764d3f0cbce3dae0117a66f6 PDF | guest
12542 | 2021-09-18 22:04 | 11 billentyűkombináció, ami me... 536838e1ba71280e538c83079e48495a PDF | guest
12543 | 2021-09-18 22:10 | 11 billentyűkombináció, ami me... 536838e1ba71280e538c83079e48495a PDF | guest
12544 | 2021-09-19 10:42 | Kdkvxufvvymmebagxmoolsfkmwkkqa... 663dfa8f055ba37eaa8bffc10026f311 UPX Malicious Library PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee Remote Code Execution crashed
1 | https://cdn.discordapp.com/attachments/780223158832988201/888322445285662750/Kdkvxufvvymmebagxmoolsfkmwkkqan
2 | cdn.discordapp.com(162.159.129.233) - malware; 162.159.135.233 - malware
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 | M | 26 | ZeroCERT
12545 | 2021-09-19 10:42 | 0d.exe 3a2984391e5a67689e60830f82700e74 RAT Generic Malware ScreenShot Http API Steal credential AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows ComputerName DNS Cryptographic key crashed
2 | http://179.43.187.185/; https://telete.in/opussenseus1
3 | telete.in(195.201.225.248) - malicious; 179.43.187.185; 195.201.225.248 - malicious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.2 | | 12 | ZeroCERT
12546 | 2021-09-19 10:44 | vbc.exe 3cb12929c01dcbf5af156b6ce3fa3a6f Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | http://checkvim.com/fd7/fre.php - rule_id: 5250
3 | checkvim.com(185.251.91.166) - malicious; 179.43.187.185; 185.251.91.166
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
1 | http://checkvim.com/fd7/fre.php
13.4 | M | 19 | ZeroCERT
12547 | 2021-09-19 10:44 | cyber-server.exe 6d4254084c9aff0d20d9c1cdfb7a31ec RAT PWS .NET framework Generic Malware Malicious Packer PE File .NET EXE PE32 VirusTotal Malware ICMP traffic IP Check DNS
1 |
3 | ip-api.com(208.95.112.1); 77.21.216.101; 208.95.112.1
1 | ET POLICY External IP Lookup ip-api.com
4.4 | M | 61 | ZeroCERT
12548 | 2021-09-19 10:46 | mygod.exe 60a01c98200c36b4917c453feedbf79d PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
10.4 | M | 40 | ZeroCERT
12549 | 2021-09-19 10:47 | vbc.exe 866d1aeb69daac5e6e4dda938edf8d26 Malicious Library PE File OS Processor Check PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself Remote Code Execution
14 | http://www.kedaiherbalalami.com/b6a4/?v4=AClaEyNViDSune13/YZUUjazMao4yP2qoW92J+V8GQKrmRmlM8SyMJgG/BS9WoJI+nFJwME4&Hp=V48HzvXX; http://www.puffycannabis.com/b6a4/?v4=oiYmmsgxC1YJtL/TalgnGFIXIV5LVOhJOFefMXwNyxWtYVBV9sv49gjiiwV97JT9vw/9+E/D&Hp=V48HzvXX; http://www.banban365.net/b6a4/?v4=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&Hp=V48HzvXX; http://www.skoba-plast.com/b6a4/?v4=p6ZBaKxeDGGGbWVKNL6LmfLe4qu41/ZuDkLfUQVsf5tarRyTEM8ysZ8aqSh2CwtwR2aIkrq6&Hp=V48HzvXX; http://www.helpmovingandstorage.com/b6a4/?v4=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&Hp=V48HzvXX; http://www.mengzhanxy.com/b6a4/?v4=FByqb+2LlROyngocgFCFAn+MKYV18123uhBB1I43VWvlV2IxG8Ov3otlIU6bOU/X6zRPLChJ&Hp=V48HzvXX; http://www.shinebrightjournal.com/b6a4/?v4=yia2y8Ozc6GenJUPAcroUvWGFTw2QMRRPIQzt/ZaZChJ1JNL+1MGl/E4CETm5UxneJuWJm8N&Hp=V48HzvXX; http://www.id-ers.com/b6a4/?v4=uH6EfKcepLhoITy038beys+pLFYYfex5cK/VvJ23mqODSQImeIcr0rdBhl7AYUs9qsPgSB01&Hp=V48HzvXX; http://www.rnerfrfw5z3ki.net/b6a4/?v4=855Z9vQ5XXc46/dVYdONeB9yi8X3cSgRKyshY/MEyACWaY62iqQ2QtSCUTEdj76PLZdbQSVg&Hp=V48HzvXX; http://www.naughty0milf.today/b6a4/?v4=y3Ab41qY+IWzqUQ9j62fWmWTVEKi2r9ZDEGdaGq9wc7JzSC40q3Bki+eTJ19ahFkSaZblDBO&Hp=V48HzvXX; http://www.maximumsale.com/b6a4/?v4=jUXSBmmEOkRVD/snHUZVGd++nKvIB5C3Qlbp0N4c/DnjLwT5QCEf4v32ZuriMDGEoBVryIv8&Hp=V48HzvXX; http://www.recargasasec.com/b6a4/?v4=c8NarzWcEtsFm58gGwju3yDcr3OowVkzeYD4dTid6NZJZ29ZkeD+uwofnAuE7UyUZFTxuq8g&Hp=V48HzvXX; http://www.mrtireshop.com/b6a4/?v4=1IxU2pCdzLjbc0WwjWEQ14t/h9IMUjYewkIb86Rsf7stw4Ydt/lwwX9QzcCR3qe4ia4DtzcM&Hp=V48HzvXX; http://www.avisdrummondhomes.com/b6a4/?v4=tgq8zJv4ZamsZtYNH8dbmFxJ3RcVgptpPUIUZanqqJHtnwqLeeTduXi6ZJW0PDdhmdVNmULh&Hp=V48HzvXX
27 | www.naughty0milf.today(99.83.154.118); www.mengzhanxy.com(154.85.61.184); www.kedaiherbalalami.com(5.181.216.107); www.shinebrightjournal.com(66.96.162.247); www.helpmovingandstorage.com(209.15.40.102); www.avisdrummondhomes.com(52.71.133.130); www.banban365.net(34.98.99.30); www.rnerfrfw5z3ki.net(54.65.172.3); www.skoba-plast.com(193.34.169.17); www.id-ers.com(34.102.136.180); www.maximumsale.com(3.223.115.185); www.mrtireshop.com(34.102.136.180); www.puffycannabis.com(34.102.136.180); www.recargasasec.com(157.230.119.90); www.gr2future.com(); 154.85.61.184; 66.96.162.247; 193.34.169.17; 209.15.40.102; 5.181.216.107; 157.230.119.90; 34.102.136.180 - malicious; 99.83.154.118 - malicious; 52.71.133.130 - malicious; 54.65.172.3; 3.223.115.185 - malicious; 34.98.99.30 - phishing
1 | ET MALWARE FormBook CnC Checkin (GET)
4.0 | M | 49 | ZeroCERT
12550 | 2021-09-19 10:49 | Stub.exe 5eaf5e0662c263dd7acc3476067991a2 RAT PWS .NET framework NPKI Gen2 Generic Malware Malicious Packer Malicious Library PE64 PE File OS Processor Check .NET EXE DLL VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS
4 | http://sherence.ru/323.exe - rule_id: 5192; https://sh1729062.b.had.su//loader.txt - rule_id: 4573; https://sh1729062.b.had.su//cisCheckerstroke.php - rule_id: 4574; https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av= - rule_id: 4575
4 | sh1729062.b.had.su(92.119.113.140) - malicious; sherence.ru(172.67.176.114) - malware; 172.67.176.114 - malware; 92.119.113.140 - malware
2 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4 | http://sherence.ru/323.exe; https://sh1729062.b.had.su//loader.txt; https://sh1729062.b.had.su//cisCheckerstroke.php; https://sh1729062.b.had.su//gate.php
8.4 | M | 36 | ZeroCERT
12551 | 2021-09-19 10:49 | Stub.exe 5eaf5e0662c263dd7acc3476067991a2 RAT PWS .NET framework Gen2 Generic Malware Malicious Packer Malicious Library PE64 PE File OS Processor Check .NET EXE DLL VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS
4 | http://sherence.ru/323.exe - rule_id: 5192; https://sh1729062.b.had.su//loader.txt - rule_id: 4573; https://sh1729062.b.had.su//cisCheckerstroke.php - rule_id: 4574; https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av= - rule_id: 4575
5 | sherence.ru(104.21.48.37) - malware; sh1729062.b.had.su(92.119.113.140) - malicious; 104.21.48.37 - malware; 92.119.113.140 - malware; 162.159.135.233 - malware
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET DNS Query for .su TLD (Soviet Union) Often Malware Related
4 | http://sherence.ru/323.exe; https://sh1729062.b.had.su//loader.txt; https://sh1729062.b.had.su//cisCheckerstroke.php; https://sh1729062.b.had.su//gate.php
9.0 | M | 36 | ZeroCERT
12552 | 2021-09-19 10:52 | vbc.exe 2a59d2396654692dc87a81df7554b608 Malicious Library PE File OS Processor Check PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself Remote Code Execution DNS
12 | http://www.mengzhanxy.com/b6a4/?pPc=FByqb+2LlROyngocgFCFAn+MKYV18123uhBB1I43VWvlV2IxG8Ov3otlIU6bOU/X6zRPLChJ&1b=W6RpsLRPH; http://www.helpmovingandstorage.com/b6a4/?pPc=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&1b=W6RpsLRPH; http://www.recargasasec.com/b6a4/?pPc=c8NarzWcEtsFm58gGwju3yDcr3OowVkzeYD4dTid6NZJZ29ZkeD+uwofnAuE7UyUZFTxuq8g&1b=W6RpsLRPH; http://www.asteroid.finance/b6a4/?pPc=qLtgNToSswb6CMFxrgf7fmc+nXqwhZnGR9zX0c9pvpxyA4sUtmU5qGoaAQCzoAft52FbUOHw&1b=W6RpsLRPH; http://www.comprarmiaspiradora.com/b6a4/?pPc=NgL62OvvJT139jumkr6yKdEzBj23Q8ZPX7pdh2JMf40EvGh1dAmibAZdYhuMGcMjCZsKMW8b&1b=W6RpsLRPH; http://www.findsmartvestorpro.com/b6a4/?pPc=2zUiPygWWhGhTTPt59aALdzubfJOZPfGYm8T4hMrtq8qpNxJkD0bejz9pJEVuH2VhcQLkVD+&1b=W6RpsLRPH; http://www.darenscape.com/b6a4/?pPc=/o8bd4Yn+5EYQl0+0B6vT8FOqtBFFV3vKtm6qVeMT3pPn9BnW0HxlU6BOHg8g2MYVqRIgKAb&1b=W6RpsLRPH; http://www.puffycannabis.com/b6a4/?pPc=oiYmmsgxC1YJtL/TalgnGFIXIV5LVOhJOFefMXwNyxWtYVBV9sv49gjiiwV97JT9vw/9+E/D&1b=W6RpsLRPH; http://www.shinebrightjournal.com/b6a4/?pPc=yia2y8Ozc6GenJUPAcroUvWGFTw2QMRRPIQzt/ZaZChJ1JNL+1MGl/E4CETm5UxneJuWJm8N&1b=W6RpsLRPH; http://www.banban365.net/b6a4/?pPc=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&1b=W6RpsLRPH; http://www.breathlessandinlove.com/b6a4/?pPc=L3jTl+qjmOLob/hwsT1R5L1wPHeQgqAvmmPpKYZw/Tvlatm9T0OvxocvGkGBA0MAck/qyoGi&1b=W6RpsLRPH; http://www.besthypee.com/b6a4/?pPc=Qns5Qsf7idreXcQcAn7ngAtcze6YDtPoIPtFsjnoPncdjMyZsXPG24zliSsXwtCsnKHDqpq8&1b=W6RpsLRPH
24 | www.findsmartvestorpro.com(34.98.99.30); www.comprarmiaspiradora.com(91.195.240.13); www.mengzhanxy.com(154.85.61.184); www.puffycannabis.com(34.102.136.180); www.shinebrightjournal.com(66.96.162.247); www.helpmovingandstorage.com(209.15.40.102); www.banban365.net(34.98.99.30); www.qipai039.com(47.91.170.222); www.asteroid.finance(198.54.117.210); www.darenscape.com(34.102.136.180); www.besthypee.com(34.98.99.30); www.breathlessandinlove.com(104.21.40.174); www.recargasasec.com(157.230.119.90); 154.85.61.184; 66.96.162.247; 209.15.40.102; 91.195.240.13 - phishing; 198.54.117.212 - malicious; 157.230.119.90; 34.102.136.180 - malicious; 92.119.113.140 - malware; 47.91.170.222 - malicious; 34.98.99.30 - phishing; 172.67.155.190
1 | ET MALWARE FormBook CnC Checkin (GET)
5.6 | M | 49 | ZeroCERT
12553 | 2021-09-19 10:53 | templezx.exe fbc43fdfa54c1ed1a41f4618d695e784 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
6 | freegeoip.app(172.67.188.154); mail.alliedhealthga.com(107.180.56.180); checkip.dyndns.org(193.122.6.168); 107.180.56.180 - malware; 158.101.44.242; 104.21.19.200
4 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA Applayer Detect protocol only one direction
13.4 | M | | ZeroCERT
12554 | 2021-09-19 10:53 | terrin.exe 4bcdcb852861a9d7f40a26bc825882b2 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself
1.8 | M | 37 | ZeroCERT
12555 | 2021-09-19 10:55 | n.wbk f001c279ed34264cd5bd0acf4987cec1 RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader
3 | 107.180.56.180 - malware; 172.67.176.114 - malware; 198.46.199.171 - malware
6 | ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 24 | ZeroCERT