12631 | 2021-09-22 10:10
abu.exe ae12cf1192ea6c6e686379e5fdf21999
Tags: PWS .NET framework Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
13.2 | M | 20 | ZeroCERT

12632 | 2021-09-22 10:12
product_specifications_details... 3bd6f12e4d6f4ed06a414a6cb100f546
Tags: RAT Generic Malware Antivirus AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (1): https://store2.gofile.io/download/a1c57f0b-1c7b-4dad-97ee-57d68360aaf4/Ucvcldsqn.dll
Hosts (9): www.facebook.com(157.240.215.35) www.google.com(172.217.31.132) www.twitter.com(104.244.42.129) store2.gofile.io(31.14.69.10) 104.244.42.65 - suspicious 216.58.200.68 13.107.21.200 31.14.69.10 31.13.77.35
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.8 | M | 26 | ZeroCERT

12633 | 2021-09-22 10:13
ntcm.dll 9f3d6ad1891e088e16f93a17da7e338e
Tags: PE64 PE File DLL VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD Tofsee DNS
URLs: 1
Hosts (3): aws.amazon.com(99.86.203.74) gigamerolini.top() 54.230.166.71
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DNS Query to a *.top domain - Likely Hostile
4.8 | M | 34 | ZeroCERT

12634 | 2021-09-22 10:15
kyc1.exe d8df42168344da59b56a583991be0ac4
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
URLs (1): https://pastebin.pl/view/raw/8adebac9
Hosts (2): pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 | M | 12 | ZeroCERT

12635 | 2021-09-22 10:18
vbc.exe 15c0994e6c4cff319deb5e35339c204b
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself DNS
URLs (8): http://www.beybey.bet/hosg/?wPT=t1QL297U4khOE/XUjdt+RZ7WaDVgPv23XO17NjpkvNnU/WisW3HaLmUN0VdBDjHtMo8oarmJ&oZN=6lbLphf0F http://www.turningheadshairsalon.biz/hosg/?wPT=O8PvSHEI1+HTySJOYla/lpLOHRJF+tECo1INoKS8Fz1F5feCQSibUHkAmh8sQknM6WsyOVar&oZN=6lbLphf0F http://www.metadata.directory/hosg/ http://www.sarahannsartstudio.com/hosg/?wPT=BSGwCtLZjnGtcghTjeJ22/B7nzm9KxnmQDBouGRUWo6meRRcOp+D33w8wneug6CfjgpaVSXB&oZN=6lbLphf0F http://www.sarahannsartstudio.com/hosg/ http://www.metadata.directory/hosg/?wPT=c0xJ62F3co+3d6SQ7Let0hP51UxLX5MQhIyNHKWrkaR91sSKDLD7G+CHdT3UAyFJXYLUu2Gd&oZN=6lbLphf0F http://www.turningheadshairsalon.biz/hosg/ http://www.beybey.bet/hosg/
Hosts (12): www.rdplvh.com() www.dgwb8.com() www.sarahannsartstudio.com(162.241.253.231) www.blueflypr.com() www.beybey.bet(184.168.131.241) www.metadata.directory(185.199.111.153) www.turningheadshairsalon.biz(34.80.190.141) www.brbl.xyz() 185.199.111.153 - malware 34.80.190.141 - mailcious 184.168.131.241 - mailcious 162.241.253.231 - malware
Alerts (2):
  ET INFO Observed DNS Query to .biz TLD
  ET MALWARE FormBook CnC Checkin (GET)
9.6 | M | 34 | ZeroCERT

12636 | 2021-09-22 10:19
ConsoleApp13.exe b5b75b3da47bb461fceb52a2c69d1240
Tags: AgentTesla browser info stealer Generic Malware Google Chrome User Data Antivirus Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key DDNS crashed keylogger
Hosts (2): freightmgmt.duckdns.org(194.5.98.207) - mailcious 194.5.98.207 - mailcious
Alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
12.8 | M | 22 | ZeroCERT

12637 | 2021-09-22 10:22
tiganazx.exe baffd35ab2f86aa9a397a286ac5df964
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
URLs (1): http://www.simplereturnz.com/lgym/?ohr0k=cV7UcUtXTZKCIEYOjXnd0zC4KZQdXRc9FOSXfhNDQWAzOd9uX1hXyuC/lUTZjdsknEOAS/0F&1bm=3fe4HJEhWHjpOl
Hosts (5): www.after-that-term.com() www.roenlie.com(81.166.139.5) www.simplereturnz.com(208.91.197.13) 208.91.197.13 - mailcious 81.166.139.5
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
8.6 | M | 13 | ZeroCERT

12638 | 2021-09-22 10:24
1056935770.exe 7b4cdcad8ab6a42017cd93d9639074ae
Tags: Generic Malware UPX Antivirus PE64 PE File VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
5.0 | M | 33 | ZeroCERT

12639 | 2021-09-22 10:26
flfile.exe 0ce36f818bd21747d974bd4e01a5d941
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 40 | ZeroCERT

12640 | 2021-09-22 22:07
file.exe 01b2e0187b466e2193285ee7a0abc6ce
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | M | 22 | ZeroCERT

12641 | 2021-09-22 22:07
1.exe 884d66f9b2674168bdcb7363bb335e8b
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 52 | ZeroCERT

12642 | 2021-09-22 22:09
MSOfficeUpdate.cab 0907498bc0ee4cee45b37df6a186b602
Tags: Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself
2.2 |  | 18 | ZeroCERT

12643 | 2021-09-22 22:09
2047321040.exe 2be66ce2b5cfdfec51cdc633577f0cb4
Tags: RAT Eredel Stealer Extended PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs: 1
Hosts (3): api.ip.sb(104.26.13.31) 104.26.12.31 116.203.27.211
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.4 | M | 32 | ZeroCERT

12644 | 2021-09-22 22:11
952392868.exe e7c0b56dd1a23c604dfef02fde250715
Tags: Malicious Library AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Checks debugger buffers extracted unpack itself Windows DNS keylogger
Hosts (1): 185.215.113.62 - mailcious
Alerts (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
12.6 | M | 47 | ZeroCERT

12645 | 2021-09-22 22:13
me.exe 079627807595b290ff96d0d78f981055
Tags: Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
URLs (16): http://www.theklownz.com/n092/?KjUdv2=xZ6zTG1yfWAp1S2A4OgDrOSOP6aEPheXUTMWd2UF/Jx25s5YP8n7TsdqoIzOhHQP9VHsfIVj&lzul=z8oHn2ihgL http://www.hoshibanamogurablog.com/n092/?KjUdv2=tCH+IOi2Up8kweraIwYX/Hc3cvgnI173LdgscwSYShgUiRrZl7G6IwOGnLUFyHF2za2hZ3PV&lzul=z8oHn2ihgL http://www.paraflexwork.com/n092/?KjUdv2=MqLgVgGqfes2elbeOlwDwHPLn2aU31mvDuD5RLowlV4LKA8fR2x9yHu0mSJdI8KTdqNqHPJ7&lzul=z8oHn2ihgL http://www.azrock-express.com/n092/?KjUdv2=6VGFGxLAhWflDACrW1tjo3PuomEtVGIOek9mGbZZ1PhiOx3WUVraJy+ucXchxKapmEKjNvsD&lzul=z8oHn2ihgL http://www.highclassescorts.xyz/n092/ http://www.highclassescorts.xyz/n092/?KjUdv2=11C6opxYdenm4+LOW2rfkO+/DICHpdbPnaEmKVE8hnbELmTxLkPZX5P6Fg1264EmYUePHdji&lzul=z8oHn2ihgL http://www.hoshibanamogurablog.com/n092/ http://www.hivizpeople.com/n092/ http://www.arssaf.com/n092/ http://www.hivizpeople.com/n092/?KjUdv2=uaY0THpqv5ZUDi4Svnm06lpodfUxh6yq2Ukbc245yKA9WepW8xtBasK/cm7V+/dOV3B20yCG&lzul=z8oHn2ihgL http://www.theklownz.com/n092/ http://www.arssaf.com/n092/?KjUdv2=hKNhAfHVZZWwyDRcjphuVsdU/RdzYJu2V8VFy+XS+c7IxZI0SD3i+YwExSbpjKPidxarQtMx&lzul=z8oHn2ihgL http://www.azrock-express.com/n092/ http://www.paraflexwork.com/n092/ http://www.tanzibkarate.quest/n092/ http://www.tanzibkarate.quest/n092/?KjUdv2=mM5Ml+T6RzjtHa1ctXPWFZx/OlR+qTO/DcYgr0w797fzZ94DEcy52GQaH8JrHCfhd5GgPpkF&lzul=z8oHn2ihgL
Hosts (18): www.tanzibkarate.quest(37.123.118.150) www.hoshibanamogurablog.com(118.27.122.217) www.theklownz.com(182.50.132.242) www.hivizpeople.com(208.91.197.27) www.azrock-express.com(2.57.90.16) www.paraflexwork.com(118.27.122.218) www.arssaf.com(198.54.126.239) www.highclassescorts.xyz(172.67.196.58) www.awbnmnmammmamnre.top(35.205.61.67) 172.67.196.58 2.57.90.16 - mailcious 37.123.118.150 35.205.61.67 - mailcious 208.91.197.27 - mailcious 118.27.122.217 182.50.132.242 - mailcious 198.54.126.239 - malware 118.27.122.218
Alerts (3):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET DNS Query to a *.top domain - Likely Hostile
9.0 | M | 33 | ZeroCERT
