12886 |
2021-09-28 16:13
|
uo.exe fcb2548f36fee756bde5fcf5c99e19b4 RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
4
|
8
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
M |
21 |
ZeroCERT

12887 |
2021-09-28 16:16
|
lv.exe 990be1512e2d246835b3655ee103bf78 Gen1 Emotet Gen2 Themida Packer Generic Malware Malicious Library Anti_VM Malicious Packer PE File PE32 DLL PE64 VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows crashed |
|
1
CjPiwXWAdOLiM.CjPiwXWAdOLiM()
|
|
|
6.2 |
M |
26 |
ZeroCERT

12888 |
2021-09-28 16:16
|
hak.exe 3b710cc2fd2ed7c2c71e88b128cb1297 Formbook PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
12
|
28
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
3.2 |
M |
43 |
ZeroCERT

12889 |
2021-09-28 16:17
|
mmss.exe 0c837db4a275290db36c56c650445eeb Generic Malware Themida Packer Anti_VM Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Remote Code Execution Firmware DNS Cryptographic key crashed |
|
2
www.wenyuexuan.com() 84.38.189.175 - mailcious
|
|
|
7.4 |
M |
13 |
ZeroCERT

12890 |
2021-09-28 16:17
|
file.exe 881838479bd774a3e90aaba668a922d8 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.6 |
M |
33 |
ZeroCERT

12891 |
2021-09-28 16:21
|
cc.exe 4c70d5b1c63a468f7e0aedf64f93ca42 RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself |
20
|
22
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
9.6 |
M |
29 |
ZeroCERT

12892 |
2021-09-28 16:24
|
jol.exe 51195e0d79dacd68acd8b5bcbc356ab1 RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Downloader |
19
|
25
|
8
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
10.0 |
M |
14 |
ZeroCERT

12893 |
2021-09-28 16:24
|
vbc.exe ab8ee5a9711e4616baf39951f00a1d91 PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://checkvim.com/ga16/fre.php
|
2
checkvim.com(45.144.65.120) - mailcious 45.144.65.120
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
13.4 |
M |
12 |
ZeroCERT

12894 |
2021-09-28 17:07
|
winpro.exe fa0b89043edf03a3e3c27f0ad56114ea Generic Malware Malicious Packer UPX Malicious Library PE File PE32 VirusTotal Malware RWX flags setting unpack itself Remote Code Execution crashed |
|
|
|
|
3.2 |
M |
44 |
r0d

12895 |
2021-09-28 17:11
|
TNG.dll e889031780d41c9bfad18160301aae89 RAT Generic Malware PE File .NET DLL DLL PE32 VirusTotal Malware |
|
|
|
|
1.6 |
|
10 |
ZeroCERT

12896 |
2021-09-28 21:56
|
recital-1498700469.xls 1f57d735aef14bf0f9609035c44d1187 DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM MSOffice File Check memory unpack itself suspicious process malicious URLs Tofsee |
3
https://dharmasasthatrust.com/cEJYcStqlAf/hr.html
https://shalsa3d.com/UGqWNCLT/hr.html
https://haroldhallroofing.net/pAz8O63Gn/hr.html
|
6
shalsa3d.com(162.222.225.246)
dharmasasthatrust.com(204.11.59.34)
haroldhallroofing.net(192.185.36.115) 192.185.36.115 - mailcious
204.11.59.34 - mailcious
162.222.225.246 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest

12897 |
2021-09-29 01:15
|
Iarsn_TaskInfo_v10_0_0_keygen.... 4b2c9dd6e75758dd58d9fcb9d8adbe67 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
1.4 |
|
7 |
guest

12898 |
2021-09-29 07:49
|
PPT_25084100000125.exe 062e63a1422126e35e93a19aba338b64 RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed |
|
|
|
|
11.4 |
|
34 |
ZeroCERT

12899 |
2021-09-29 07:54
|
RunPE.dll a042546ec4ebfa088dfcc4eda7e716da RAT Generic Malware Malicious Packer PE File .NET DLL DLL PE32 PDB |
|
|
|
|
0.2 |
|
|
ZeroCERT

12900 |
2021-09-29 07:56
|
ctp1.exe c208dc846cb784a780a5e0904fa565e4 PWS Loki[b] Loki.m Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://ctp1.xyz/w2/fre.php
|
2
ctp1.xyz(172.67.153.93) 104.21.88.207
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
7.4 |
|
58 |
ZeroCERT
