12751 | 2021-09-24 09:07 | vbc.exe 78e101f15647e6c2046aa3af1fc09ee4 UPX PE File PE32 VirusTotal Malware Remote Code Execution
  0.8 | M | 12 | ZeroCERT

12752 | 2021-09-24 09:09 | Proof%20Of%20Payment.exe 03ed41e76169fe171fd5bd680c1eab24 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself
  2.2 | M | 27 | ZeroCERT

12753 | 2021-09-24 09:12 | walkapp.exe 4ff604e9e7bb8cc02ec70c357e8928d9 RAT Generic Malware PE File .NET EXE PE32 Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
  1 | https://cdn.discordapp.com/attachments/888490061170110496/890313896316006410/Ryoajkwqxfhnekc.dll
  2 | cdn.discordapp.com(162.159.135.233) - malware 162.159.135.233 - malware
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  2.2 | M | | ZeroCERT

12754 | 2021-09-24 09:13 | lv.exe d61c08b3104e88acd8de39a60dd195c2 Emotet Gen1 Gen2 Generic Malware Themida Packer Malicious Library Anti_VM UPX Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credentia VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows crashed
  1 | TbIGgtosSiE.TbIGgtosSiE()
  7.4 | M | 25 | ZeroCERT

12755 | 2021-09-24 09:14 | doc.exe 683ae406bf4a0b1a4dbc0f2391db9771 Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
  7 | www.twitter.com(104.244.42.65) www.facebook.com(157.240.215.35) www.google.com(172.217.175.100) 142.250.66.132 157.240.215.35 104.244.42.193 - suspicious 13.107.21.200
  12.8 | M | 40 | ZeroCERT

12756 | 2021-09-24 09:15 | vbc.exe 9ffb0b9eef2df4a9ecdb74ad63e32577 PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed
  5 | http://www.hanlansmojitovillage.net/nthe/?adsDxBr=54OfAHeNbwRIeCfiK96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3r9WBXmbjhC4FqUNXJfm&00D=qBZpwRbXK6sp9jn - rule_id: 4898 http://www.angelsmoonsexshop.com/nthe/?adsDxBr=T5s/0fbgdl+MaeIuYdVOHRh9jCSGWhC3hP7gi/tBX2fjRLX1bb3e6M4tG92ag7ym3EbeFXtg&00D=qBZpwRbXK6sp9jn http://www.requotation.com/nthe/?adsDxBr=V6YTtHW2tzxe58b8wCpp2czyw04EBHapp18dR6qLAa/8BddVtaMq4KYgEeFd5t8erWZpYy6o&00D=qBZpwRbXK6sp9jn http://www.allianzbersamamu.com/nthe/?adsDxBr=2YZdSTXa1loLbzYX+KcnQQkiviJlq8WIBr6m/lVEooYtizd+E4nT8gCCGWlpcQ6d7AGpSO/Q&00D=qBZpwRbXK6sp9jn - rule_id: 4895 http://www.ujulus.club/nthe/?adsDxBr=xsIXR8n8RkoAU67gRj/Abok+PHWVbYMswx8lPi77hM2Z3YjaRlc0eh7Kt5rhpjwWbx+pmVwE&00D=qBZpwRbXK6sp9jn
  12 | www.ujulus.club(34.98.99.30) www.hanlansmojitovillage.net(34.102.136.180) www.angelsmoonsexshop.com(54.36.145.173) www.denme.net(91.195.240.94) www.requotation.com(74.220.199.6) www.allianzbersamamu.com(151.106.124.13) 91.195.240.94 - phishing 34.102.136.180 - mailcious 54.36.145.173 - malware 74.220.199.6 - mailcious 151.106.124.13 - mailcious 34.98.99.30 - phishing
  1 | ET MALWARE FormBook CnC Checkin (GET)
  2 | http://www.hanlansmojitovillage.net/nthe/ http://www.allianzbersamamu.com/nthe/
  9.6 | M | 44 | ZeroCERT

12757 | 2021-09-24 09:16 | xcvzn6sgATucn.cms 78f2458cc24af9604d6963087bf385bf Malicious Library PE File OS Processor Check DLL PE32 Malware download Cobalt Strike Ursnif VirusTotal Malware PDB MachineGuid unpack itself Windows ComputerName
  1 | http://apt.updateffboruse.com/WdSON6naJhd7NZw9Nfb_/2B6jJVjZ_2FxoalKYRW/Izq4eflqjjmGJwDwCqANlh/_2FmlhZ3tVBBq/qACG27Iz/MDSqQF0lfIIt35xnvThfkp0/wgNsv_2BY7/mxLTBEHWWV1xe3RTA/4MMMVFPrWkY7/TZ26YdTeHY_/2Bk37dK5mbwXHQ/9VitTIvySFW56aqYjOTFq/pSGhAYKxwLHgg2dC/_2B1_2FK_2FtvOJ/A0u_2F8qAsm1af5sDN/5_2FoTFWY/abRTUPuqNV_2FWCeStb7/7wYkbOF5EA_2FCctL8Q/4CmDudB2PVSgAM29EkPjun/p4UMugd6oYAMD/Y
  2 | apt.updateffboruse.com(94.142.143.142) 94.142.143.142
  2 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B) ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  2.4 | | 7 | ZeroCERT

12758 | 2021-09-24 09:16 | fresh.exe 2599454a9b82b8e86319faced7487508 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
  10.8 | M | 27 | ZeroCERT

12759 | 2021-09-24 09:19 | Product_Specifications_Details... bbe72c8d0a9c597fb116a040f06255af KeyBase RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
  1 | https://cdn.discordapp.com/attachments/888490061170110496/890370492152836126/Zupdzrq.dll
  2 | cdn.discordapp.com(162.159.129.233) - malware 162.159.135.233 - malware
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  3.0 | M | 21 | ZeroCERT

12760 | 2021-09-24 09:19 | vbc.exe 8fdf6032932fa1a0c9b0fd342ee8bee1 RAT PWS .NET framework Gen2 Gen1 Emotet CryptBot Formbook Generic Malware NSIS Malicious Library Malicious Packer UPX Antivirus Admin Tool (Sysinternals etc ...) Anti_VM ASPack KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Windows Browser ComputerName
  11.4 | M | 38 | ZeroCERT

12761 | 2021-09-24 09:20 | vbc.exe 7b74904762e17b9fc2337043401456cd RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
  14 | http://www.elliotpioneer.com/b2c0/ http://www.6233v.com/b2c0/?5j=TXWnycs9/xQM88J50NGMQUHmzvUS8Ow5beoaBntAR1L12gyUTl4Vs8xkkPbSltJIhMz7f2PR&vTd8K=LHQx http://www.6233v.com/b2c0/ http://www.playstarexch.com/b2c0/?5j=F+Gco1RrSA+q6KRKzyydjUzXzSLtfZhJDsnZ0YatH9yILxLZnbeI6GZ7F32+m8aTJR9d/lLK&vTd8K=LHQx http://www.newstodayupdate.com/b2c0/ http://www.ideemimarlikinsaat.com/b2c0/?5j=BhwIz8la4HUVi1nMBiVIC5A9YxwCbjsxx995Kt+xQMqbSybskl546EwbcvTy7pfoVmGr2lPQ&vTd8K=LHQx http://www.playstarexch.com/b2c0/ http://www.dxxlewis.com/b2c0/ http://www.roleconstructora.com/b2c0/?5j=1K0N61gHDa1dphA2mScjseGlMpXBLPWPRyroe9GKqjCieTRKzq19FpKJorkSVL2IbFhLWsH/&vTd8K=LHQx http://www.dxxlewis.com/b2c0/?5j=9ahEnHZeeTorCCf1BxWsn/rXQiL42ezX5ROQBOh91FMP3dxhyP3zcRxjW2sluygknGFgWtoi&vTd8K=LHQx http://www.roleconstructora.com/b2c0/ http://www.elliotpioneer.com/b2c0/?5j=/Ci6lA1yaE3CUS8uYzq6dZWl1lKVRbc/m6rjse/j6toaEbYIMAGoPQ/GjZ3pODpgFVgK+X0m&vTd8K=LHQx http://www.newstodayupdate.com/b2c0/?5j=ngE3zTESEmF1TlzaI1JtRqVv6LVi69c0ageAEF+ggQEJgbQkBMu6yGJsOdi7lkxHgRVmVRi9&vTd8K=LHQx http://www.ideemimarlikinsaat.com/b2c0/
  15 | www.avito-rules.com() www.bjyxszd520.xyz() www.thesewhitevvalls.com() www.6233v.com(134.122.133.171) www.playstarexch.com(34.102.136.180) www.dxxlewis.com(207.97.200.47) www.roleconstructora.com(192.185.131.113) www.newstodayupdate.com(34.102.136.180) www.ideemimarlikinsaat.com(178.18.193.120) www.elliotpioneer.com(34.102.136.180) 134.122.133.171 - mailcious 192.185.131.113 178.18.193.120 34.102.136.180 - mailcious 207.97.200.47
  1 | ET MALWARE FormBook CnC Checkin (GET)
  8.8 | M | 46 | ZeroCERT

12762 | 2021-09-24 09:21 | file.exe c8aa942d50814189f92ca4a01620b4ed Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
  2.4 | M | 25 | ZeroCERT

12763 | 2021-09-24 09:21 | chungzx.exe 7f98d772d1fb2415494f7c8a6107050f AgentTesla RAT PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Socket Sniff Audio Escalate priviledges KeyLogger Code injection Internet API Downloader persistence DGA DNS Create Service HTTP FTP ScreenShot Http API Steal c VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security WriteConsoleW Windows DNS DDNS keylogger
  2 | yjune2021.duckdns.org(194.5.97.131) 194.5.97.131
  1 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  14.4 | | 14 | ZeroCERT

12764 | 2021-09-24 09:23 | Product_Specifications_Details... 5627f70136a7169cabb92e648311b855 KeyBase RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
  1 | https://cdn.discordapp.com/attachments/888490061170110496/890371414232801301/Qapvbbflsprygnfy.dll
  2 | cdn.discordapp.com(162.159.134.233) - malware 162.159.135.233 - malware
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  3.0 | M | 23 | ZeroCERT

12765 | 2021-09-24 09:24 | vbc.exe 989933e361010648c467c6d7b6c2d812 RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
  8 | http://www.angelsmoonsexshop.com/nthe/?Bb=T5s/0fbgdl+MaeIuYdVOHRh9jCSGWhC3hP7gi/tBX2fjRLX1bb3e6M4tG92ag7ym3EbeFXtg&uTg4S=yVCTVb0X http://www.onpar-golf.com/nthe/?Bb=B6rYep0S73RNFmWsau/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57ybOi0sWW5tf90o6VPCZy&uTg4S=yVCTVb0X http://www.kankanlol.com/nthe/?Bb=cvH84XOE1Mc69dma6+LElktmjB8SWHOwfxyzVXpixFUMpSEf83XEW4B9ZBGynhTDB4YXkroJ&uTg4S=yVCTVb0X http://www.thehendrixcollection.com/nthe/?Bb=qp5tTycjraYi6SJsXJzwoJew8M45iHa3mcoNtA6+f44Y1u07iGIt/R0L13x3Q7wmKkJP7e6a&uTg4S=yVCTVb0X - rule_id: 4896 http://www.yamano-ue.com/nthe/?Bb=OPSTabmmEXV1zVa1ryRuQq6A4ABGL5nerV70FY85LrvGP9kj1LcjL/YglTrk5au/rYBhTrYm&uTg4S=yVCTVb0X http://www.menucoders.com/nthe/?Bb=2/6tfhI6PmzLXkibMbYMuhqxPUXSwPisEi/Yg6xjUm32Bq9HT7zDahDLd/hxqMxFYlEHT94T&uTg4S=yVCTVb0X - rule_id: 4891 http://www.hanlansmojitovillage.net/nthe/?Bb=54OfAHeNbwRIeCfiK96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3r9WBXmbjhC4FqUNXJfm&uTg4S=yVCTVb0X - rule_id: 4898 http://www.sprtnet.com/nthe/?Bb=iuhjL64HlYD5oaL8MtJSfYbzkjMORTvI821/9thXQYEXQWvmyYKnNoBIBvBP+GMkqvupGokD&uTg4S=yVCTVb0X
  16 | www.tomrings.com() www.thehendrixcollection.com(34.102.136.180) www.menucoders.com(172.217.175.19) www.kankanlol.com(34.98.99.30) www.hanlansmojitovillage.net(34.102.136.180) www.mailbroadcastdelivery.club() www.angelsmoonsexshop.com(54.36.145.173) www.sprtnet.com(34.98.99.30) www.urfavvpimp.com() - mailcious www.onpar-golf.com(34.102.136.180) www.yamano-ue.com(163.44.239.72) 163.44.239.72 34.102.136.180 - mailcious 54.36.145.173 - malware 142.250.204.83 34.98.99.30 - phishing
  3 | ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP Unexpected Request body SURICATA HTTP unable to match response to request
  3 | http://www.thehendrixcollection.com/nthe/ http://www.menucoders.com/nthe/ http://www.hanlansmojitovillage.net/nthe/
  8.4 | M | 45 | ZeroCERT