12646 | 2021-09-22 22:14 |
yes.exe e3cbb2e3f1de0e9161429b42fcb12e59 Generic Malware Anti_VM PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed |
1
7.6 | M | 19 | ZeroCERT
12647 | 2021-09-22 22:14 |
vbc.exe 6e1476a40e4f1b65294f5ff5df9f99d7 RAT PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName |
9
http://www.consultantadvisors.com/euzn/?rN=gRHJwkU0eGhkrjVDfSU/OcJ7ShdCgW1BIV9SGNo0IH8WD3pEe1P+1VlpG5HE84G3l7hPUiuE&QZ3=ehux_83h40wLUZ http://www.surgeryforfdf.xyz/euzn/?rN=EpmAK0+2jFjtJaupBxY+iB/KODjASHlZTS8e2g9nhppabl0rCueEyWWeiGQCdQi64S5ePb9R&QZ3=ehux_83h40wLUZ http://www.aarohaninsight2021.com/euzn/?rN=tpA7Te0+nUnr1HOdOE+qFfTw2tLsCF2jUICbjpBBjxiTG/nmy3xWknIfEwtJw7ngaXTuFt3z&QZ3=ehux_83h40wLUZ http://www.arceprojects.com/euzn/?rN=YRXSBiSDQSCZhMMUR8bbHnyPN+rRNpjXZ/H6tz5eiGlkZ6MPFWs4UspiD2SvKhVY+KpYofGz&QZ3=ehux_83h40wLUZ http://www.livinwoodbridgefarms.com/euzn/?rN=moGIXacKCgTTAUe57kuPTI/aejLamE7P/iO2yXFvg6HSbU/5IHVbCLXK6r5ijAwS3zDQ8LAv&QZ3=ehux_83h40wLUZ http://www.anodynemedicalmassage.com/euzn/?rN=u178RPbG1CayFbOZYSAKyFLEc68kuAf3hA3vqsrS6PkpQJLqVCaolBE1fK47wZ3OtkH0Cafm&QZ3=ehux_83h40wLUZ http://www.pentesting-consulting.com/euzn/?rN=Qkk4EtUIbRe7bUc/kBPF3RhrTSrWSL+/l9z4M1f2eH5+z4sB/j6f5r71EEPNJmBkaLw9uaX1&QZ3=ehux_83h40wLUZ http://www.gofieldtest.com/euzn/?rN=IS9oJtnRB1khRNdbFj5DXdDtV4ltZM5ZCnM5/Nps8K1Le4Ve5neGTV6oufa6y97bH+uIf5+D&QZ3=ehux_83h40wLUZ http://www.sonimultispecialityclinic.com/euzn/?rN=sr5ufTzlwk8+d8O1oqUtSftrTl6NpBKEzurAJnMywP0ySu86WmQ5xv7EGBVjyp8+xZq3jniF&QZ3=ehux_83h40wLUZ
19
www.pentesting-consulting.com(198.54.117.211) www.arceprojects.com(217.160.0.187) www.consultantadvisors.com(50.87.248.44) www.livinwoodbridgefarms.com(184.168.131.241) www.gofieldtest.com(142.250.199.115) www.anodynemedicalmassage.com(199.59.242.153) www.surgeryforfdf.xyz(198.54.117.218) www.isystemslanka.com() www.aarohaninsight2021.com(99.86.207.13) www.sonimultispecialityclinic.com(208.91.197.91) 50.87.248.44 - mailcious 217.160.0.187 - mailcious 184.168.131.241 - mailcious 198.54.117.210 - mailcious 198.54.117.212 - mailcious 199.59.242.153 - mailcious 99.86.207.65 142.250.204.83 208.91.197.91 - mailcious
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
8.6 | M | 17 | ZeroCERT
12648 | 2021-09-22 22:16 |
vbc.exe a96ab325cb199f7130a1496e377cdb58 Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://checkvim.com/fd7/fre.php - rule_id: 5250
2
checkvim.com(5.180.136.169) - mailcious 5.180.136.169
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://checkvim.com/fd7/fre.php
12.8 | M | 18 | ZeroCERT
12649 | 2021-09-22 22:16 |
vbc.exe 415ec37f083919417aefd51bdfaa3831 UPX PE File PE32 VirusTotal Malware Remote Code Execution |
1.0 | M | 22 | ZeroCERT
12650 | 2021-09-22 22:18 |
8d6d7.exe cb9a037aaff7548550a2923c73d6b612 Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself |
1.8 | M | 28 | ZeroCERT
12651 | 2021-09-22 22:18 |
download2.php 6e96da1afcb4f380b8a198f096ab70ab VirusTotal Malware |
1.0 | M | 30 | ZeroCERT
12652 | 2021-09-22 22:20 |
8.exe 54e127a42f86ce2577e926a8c178bcca Generic Malware Themida Packer Anti_VM Malicious Library PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware Cryptographic key Software crashed |
1
4
tambisup.com(2.57.90.16) api.ip.sb(172.67.75.172) 172.67.75.172 - mailcious 91.206.15.183
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | M | 42 | ZeroCERT
12653 | 2021-09-22 22:21 |
5.exe 5c03d52d98f6c01ea66e09f5993aebc2 RAT Generic Malware PE File .NET EXE PE32 PE64 OS Processor Check PNG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://sherence.ru/buildcpils.exe https://api.ip.sb/geoip
7
api.ip.sb(172.67.75.172) sherence.ru(172.67.176.114) - malware api.telegram.org(149.154.167.220) 194.15.46.144 172.67.176.114 - malware 172.67.75.172 - mailcious 149.154.167.220
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO TLS Handshake Failure
15.6 | M | 35 | ZeroCERT
12654 | 2021-09-22 22:23 |
vbc.exe 1b4d9985eae2737b8cc344aef840ec85 RAT PWS .NET framework Generic Malware UPX Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1
https://pastebin.pl/view/raw/ae498e11 - rule_id: 4631
2
pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1
https://pastebin.pl/view/raw/ae498e11
12.2 | M | 39 | ZeroCERT
12655 | 2021-09-22 22:23 |
lv.exe b8ce3bfde204d00436c9af5d970a8d9b Gen1 Gen2 Themida Packer Generic Malware Malicious Library Anti_VM Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloade VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs Windows crashed |
1
cDSqvWaQQxWRRUBNQZPr.cDSqvWaQQxWRRUBNQZPr()
6.0 | M | 35 | ZeroCERT
12656 | 2021-09-22 22:25 |
hussanzx.exe 88f75a26375befa941b2b57d7e302c32 PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software crashed |
1
http://136.243.159.53/~element/page.php?id=473 - rule_id: 5135
1
136.243.159.53 - mailcious
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
1
http://136.243.159.53/~element/page.php
16.8 | M | 27 | ZeroCERT
12657 | 2021-09-22 22:25 |
rsoft.exe 31ce4f326c616ad189f2b03bdee1e20d PE File PE32 VirusTotal Malware MachineGuid Malicious Traffic buffers extracted unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Tofsee Windows Firmware DNS crashed |
2
http://185.163.45.42/ https://telete.in/uispolarkins2
3
telete.in(195.201.225.248) - mailcious 195.201.225.248 - mailcious 185.163.45.42
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.8 | M | 31 | ZeroCERT
12658 | 2021-09-22 22:27 |
navitas_employee_survey.hta 537363b3738a8e0726ae15e6bc4fc314 VirusTotal Malware Check memory unpack itself |
2
http://www.healthsouthdothan.com/tab_home_active http://www.healthsouthdothan.com/components/tab_home.ico
2
www.healthsouthdothan.com(13.59.208.38) - mailcious 13.59.208.38 - mailcious
1.8 | M | 25 | ZeroCERT
12659 | 2021-09-22 22:28 |
WORD.exe a2f81b2021d159eaf2c7bcac2dfbeacb RAT Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS Cryptographic key DDNS crashed |
1
https://store2.gofile.io/download/4e000ee8-86dd-407b-8452-140e650fa3e9/Aufvbosfzpz.dll
5
cloudhost.myfirewall.org(146.59.132.186) - mailcious store2.gofile.io(31.14.69.10) 31.14.69.10 146.59.132.186 185.163.45.42
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed DNS Query to DDNS Domain .myfirewall .org
17.4 | M | 23 | ZeroCERT
12660 | 2021-09-22 22:29 |
863387648.exe 8df6d5b6ce4864ae629684b7566ebaa7 RAT Generic Malware Malicious Packer Antivirus PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 | M | 48 | ZeroCERT