12556 |
2021-09-19 10:56
|
vbc.exe 66ce1420280eceebeab924165f28b7bb PWS .NET framework Gen2 Emotet Gen1 Generic Malware NSIS Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) ASPack Anti_VM KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process AppData folder WriteConsoleW VMware anti-virtualization installed browsers check Windows Browser ComputerName DNS Software |
|
1
|
|
|
16.2 |
M |
45 |
ZeroCERT
12557 |
2021-09-19 10:58
|
vbc.exe de8a80136d8b6c2002ba8473bda2a617 NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS |
26
|
28
|
2
ET MALWARE FormBook CnC Checkin (GET) ET INFO DNS Query for Suspicious .icu Domain
|
|
5.2 |
M |
28 |
ZeroCERT
12558 |
2021-09-19 10:58
|
new.exe 0fa96c805292abfab6d01768050a0d3c RAT Generic Malware UPX AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(104.26.12.31) 185.204.109.42 104.26.13.31
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
M |
|
ZeroCERT
12559 |
2021-09-19 10:59
|
Tcx5xxXPl9GOucJ.exe 04ecb65ad3407b89abab206a1b921e5c PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS crashed |
|
1
|
|
|
11.0 |
M |
25 |
ZeroCERT
12560 |
2021-09-19 11:00
|
CurrenyCalculatorInst.exe 63fe4796434aad20a0ccbb0944ea0f02 Themida Packer Generic Malware Malicious Library Anti_VM Antivirus UPX Admin Tool (Sysinternals etc ...) DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Dow Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW VMware anti-virtualization installed browsers check Tofsee Windows Exploit Browser ComputerName Firmware DNS Cryptographic key Software crashed |
5
http://secure.globalsign.com/cacert/root-r3.crt https://installcb.online/40.exe https://iplogger.org/favicon.ico https://iplogger.org/1hEue7 https://api.ip.sb/geoip
|
12
secure.globalsign.com(104.18.20.226) 123456789009876() api.ip.sb(104.26.12.31) installcb.online(31.31.196.204) iplogger.org(88.99.66.31) - mailcious demner.site(80.66.87.32) 31.31.196.204 - mailcious 79.174.13.108 80.66.87.32 104.26.12.31 88.99.66.31 - mailcious 104.18.20.226
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
17.4 |
M |
38 |
ZeroCERT
12561 |
2021-09-19 11:00
|
crock e74b2720eaf32bfc409eb52a3d5e937f RAT Generic Malware Malicious Packer Antivirus PE64 PE File VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.6 |
M |
40 |
ZeroCERT
12562 |
2021-09-19 11:15
|
kok.exe 2b0eb2dffd9788bfb9390e060f5e4bcc PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
7.2 |
M |
24 |
ZeroCERT
12563 |
2021-09-19 11:15
|
753.exe af3e98549b975158f54ef8b171182d50 Admin Tool (Sysinternals etc ...) Malicious Library UPX AntiDebug AntiVM PE File PE32 PE64 Malware download VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Creates executable files Windows utilities suspicious process WriteConsoleW Windows DNS Downloader |
1
http://185.215.113.84/etc.exe
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 25 ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
8.6 |
M |
46 |
ZeroCERT
12564 |
2021-09-19 11:17
|
xxxx1_2021-09-14_09-27.exe f343214355c07ba17b3726491847787a Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
47 |
ZeroCERT
12565 |
2021-09-19 11:20
|
.svchost.exe a6288732dfc7779369a4712b345070fb Generic Malware UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
1.8 |
M |
35 |
ZeroCERT
12566 |
2021-09-19 11:26
|
System64.exe a2968300e88e5c7f392ea704e39ff9b4 Gen2 RAT Gen1 PWS .NET framework Generic Malware Malicious Packer Antivirus Malicious Library PE64 PE File OS Processor Check .NET EXE VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger unpack itself Auto service Windows ComputerName |
|
|
|
|
4.6 |
M |
48 |
ZeroCERT
12567 |
2021-09-19 11:28
|
ZZZZZ.exe 2d42f56f58a4c19df022913160949c76 RAT Generic Malware Themida Packer Malicious Packer PE File PE32 OS Processor Check .NET EXE PE64 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key crashed |
5
|
6
ipinfo.io(34.117.59.81) api.ipify.org(54.243.45.255) 50.16.239.65 176.31.32.198 - malware 62.109.1.30 - mailcious 34.117.59.81
|
8
ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
2
http://62.109.1.30/triggers/vm_.php http://62.109.1.30/triggers/vm_.php
|
12.4 |
M |
28 |
ZeroCERT
12568 |
2021-09-19 11:28
|
xmrig.exe 4f5bbe6b657b6f5874e99baf62af5555 PE64 PE File VirusTotal Malware Checks Bios anti-virtualization crashed |
|
|
|
|
2.4 |
|
32 |
ZeroCERT
12569 |
2021-09-19 11:29
|
PublicDwlBrowser144.exe 365a5fd9a3835928d4db289bbc3927a7 RAT NPKI Generic Malware PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key crashed |
4
https://electronspectroscopy.bar/ https://best-supply-link.xyz/?user_auth=p4_1 https://best-supply-link.xyz/?user_auth=p4_2 https://best-supply-link.xyz/?user_auth=p4_3
|
8
electronspectroscopy.bar(172.67.133.24) best-supply-link.xyz(104.21.35.128) startupmart.bar() - mailcious 50.16.239.65 176.31.32.198 - malware 62.109.1.30 - mailcious 104.21.35.128 172.67.133.24
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
12 |
ZeroCERT
12570 |
2021-09-19 11:32
|
ZZ.exe 1a64fb26106ee3640698eb45f664b760 RAT PWS .NET framework Gen2 NPKI Generic Malware Malicious Packer Malicious Library PE File OS Processor Check .NET EXE PE32 PE64 DLL PNG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader |
6
http://sherence.ru/323.exe - rule_id: 5192 http://sherence.ru/Stub1.exe https://sh1729062.b.had.su//loader.txt - rule_id: 4573 https://sh1729062.b.had.su//cisCheckerstroke.php - rule_id: 4574 https://sh1729062.b.had.su//gate.php?hwid=7C6024AD&os=6.1.7601&av= - rule_id: 4575 https://api.ip.sb/geoip
|
9
sh1729062.b.had.su(92.119.113.140) - mailcious api.ip.sb(104.26.12.31) sherence.ru(172.67.176.114) - malware api.telegram.org(149.154.167.220) 104.21.48.37 - malware 194.15.46.144 104.26.12.31 92.119.113.140 - malware 149.154.167.220
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET DNS Query for .su TLD (Soviet Union) Often Malware Related
|
4
http://sherence.ru/323.exe https://sh1729062.b.had.su//loader.txt https://sh1729062.b.had.su//cisCheckerstroke.php https://sh1729062.b.had.su//gate.php
|
12.8 |
M |
37 |
ZeroCERT