12721 | 2021-09-23 17:18
lv.exe b8a2adb46798ea4ac7961ed4af59bd08 Gen1 Gen2 Themida Packer Generic Malware Malicious Library Anti_VM Malicious Packer PE File PE32 PE64 DLL VirusTotal Malware Check memory Creates executable files unpack itself Checks Bios Detects VMWare AppData folder VMware anti-virtualization Windows Firmware crashed
6.8 | M | 37 | ZeroCERT

12722 | 2021-09-23 17:19
file01.exe 1bc4ccc0c1f64df605fe8665ce0337e3 Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS
1
2.2 | M | 23 | ZeroCERT

12723 | 2021-09-23 17:22
file.exe fb38ecfc9a0b6f8d92beee0528483d9e Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution DNS
1
3.0 | M | 42 | ZeroCERT

12724 | 2021-09-23 17:22
0922_1191338386338.doc 273d4eb1cb3c5d92107aa30a70090ddf hancitor VBA_macro Generic Malware MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
2 | http://armerinin.com/8/forum.php - rule_id: 5383 http://api.ipify.org/
4 | api.ipify.org(50.19.104.221) armerinin.com(65.108.20.39) - mailcious 50.16.239.65 65.108.20.39 - mailcious
1 | ET POLICY External IP Lookup api.ipify.org
1 | http://armerinin.com/8/forum.php
7.4 | M | guest

12725 | 2021-09-23 17:23
vbc.exe c1d5bfbc58841648fa9a46768b6a408c PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
2 | checkvim.com(94.247.137.151) - mailcious 94.247.137.151 - mailcious
12.0 | M | 11 | ZeroCERT

12726 | 2021-09-23 17:24
vbc.exe ccb092ded62c0a7ce793daa1873db0cb UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
2.2 | M | 11 | ZeroCERT

12727 | 2021-09-23 17:27
inlinelots.png dd37687f508cb88b08f932fae1e2a767 Emotet Gen1 Malicious Packer Malicious Library AntiDebug AntiVM PE File OS Processor Check DLL PE32 Dridex TrickBot Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName DNS crashed
11 | https://43.252.158.104/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabb64/ https://105.27.205.34/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabc64/ https://ident.me/ https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/ https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ZhP7RHTDpJf3xpRdHfhTN/ https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/user/test22/0/ https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/file/ https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/NAT%20status/client%20is%20behind%20NAT/0/ https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/10/62/TJJNLPBFNNBTXBZBFLF/7/ https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/cN8siDphAP0SDyFMo/ https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CiLogicMonitorUB2IF8%5Cgxinlinelots.pngxp.our/0/
9 | ident.me(176.58.123.25) 105.27.205.34 - mailcious 128.201.76.252 - mailcious 221.147.172.5 - mailcious 176.58.123.25 185.56.175.122 - mailcious 43.252.158.104 60.51.47.65 - mailcious 181.129.167.82 - mailcious
4 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)
10.6 | M | ZeroCERT

12728 | 2021-09-23 17:28
vbc.exe c8e61cce27a796697bba399a93a302a8 PWS Loki[b] Loki.m .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
5 | checkvim.com(94.247.137.151) - mailcious 105.27.205.34 - mailcious 128.201.76.252 - mailcious 94.247.137.151 - mailcious 43.252.158.104
13.6 | M | 23 | ZeroCERT

12729 | 2021-09-23 17:30
hgfnXcvfm.exe 7582915797c3ea5d7a52ca8196d641e7 PWS Loki[b] Loki.m UPX Malicious Library DNS AntiDebug AntiVM PE File OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS DDNS Software
2 | silveryarmiler.sytes.net(154.120.121.249) 154.120.121.249
12.4 | M | ZeroCERT

12730 | 2021-09-23 17:32
vbc.exe 5031b2a1f347c6e0f57c268656c5e74d PWS Loki[b] Loki.m .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
2 | checkvim.com(94.247.137.151) - mailcious 94.247.137.151 - mailcious
11.8 | M | 14 | ZeroCERT

12731 | 2021-09-23 17:34
raccon.exe b3794d38a4b03fcb0b7b3eaee4ab1c9f Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | M | 19 | ZeroCERT

12732 | 2021-09-23 17:57
vbc.exe ccb092ded62c0a7ce793daa1873db0cb Generic Malware Malicious Packer UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
2.2 | M | 11 | r0d

12733 | 2021-09-23 18:33
Clipr.exe eec17dc61f01426b05aa6a26b89cba96 RAT Generic Malware UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
2.2 | M | 10 | ZeroCERT

12734 | 2021-09-23 18:37
DownFlSetup999.exe 22645131985dbfd4405df8298003ea77 RAT Generic Malware Themida Packer Anti_VM Malicious Library PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser Email ComputerName Firmware DNS Cryptographic key Software crashed
10 | https://guidereviews.bar/?username=p9_1 - rule_id: 5401 https://guidereviews.bar/?username=p9_2 - rule_id: 5401 https://guidereviews.bar/?username=p9_3 - rule_id: 5401 https://guidereviews.bar/?username=p9_4 - rule_id: 5401 https://guidereviews.bar/?username=p9_5 - rule_id: 5401 https://guidereviews.bar/?username=p9_6 - rule_id: 5401 https://guidereviews.bar/?username=p9_7 - rule_id: 5401 https://api.ip.sb/geoip https://iplogger.org/1aNhd7 https://iplogger.org/1aBhd7
10 | guidereviews.bar(104.21.22.36) - mailcious iplogger.org(88.99.66.31) - mailcious all-design-space.top() - mailcious api.ip.sb(104.26.12.31) 172.67.75.172 - mailcious 88.99.66.31 - mailcious 188.124.36.242 - mailcious 172.67.202.60 - mailcious 94.140.112.88 188.165.222.221
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile
7 | https://guidereviews.bar/ https://guidereviews.bar/ https://guidereviews.bar/ https://guidereviews.bar/ https://guidereviews.bar/ https://guidereviews.bar/ https://guidereviews.bar/
16.2 | M | 23 | ZeroCERT

12735 | 2021-09-23 18:43
0922_3501454333268.doc 128be827b25a69a27e187c0df066ed82 hancitor VBA_macro Generic Malware MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
2 | http://armerinin.com/8/forum.php - rule_id: 5383 http://api.ipify.org/
4 | api.ipify.org(23.23.137.115) armerinin.com(65.108.20.39) - mailcious 65.108.20.39 - mailcious 54.235.247.117
1 | ET POLICY External IP Lookup api.ipify.org
1 | http://armerinin.com/8/forum.php
8.2 | M | guest