12991 | 2021-10-01 09:48 | RuntimeBroker.exe | 8065e99bad5ca445cc93fb51511f28a2 | Gen2 Malicious Library PE64 PE File OS Processor Check VirusTotal Malware Creates shortcut ICMP traffic DNS
Hosts: 31
4.0 | M | 15 | ZeroCERT
12992 | 2021-10-01 09:49 | Po.exe | 188d6a7eeed0fccf78aab1def93b3285 | PWS .NET framework email stealer Generic Malware DNS Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS crashed
Hosts: 1
11.2 | M | 23 | ZeroCERT
12993 | 2021-10-01 09:52 | zou.exe | 2568935548847088614d36f8ebeee706 | RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Remote Code Execution DNS
URLs (3):
http://www.cameratademurcia.com/hp6s/?MZkp=uxFLPsEJ7+F0e4q4Xbjc7ooGr7spuZXJbjCqSwyNOECeVyUWI2YbaUrgXzG3tNErpaJasZRt&U4kp=Ntx0ULGH4Bu8xJ0
http://www.restdayrunner.com/hp6s/?MZkp=DWCLYveIyJzDZ98aMPEyM+WajRPQeicmVQBEOZl9whfEdIOOGt+07CoxCiyYSWFuVNyfQFd7&U4kp=Ntx0ULGH4Bu8xJ0
http://www.animastrue.art/hp6s/?MZkp=ZozstJ7iktbmX5IlXFYfEtw0G6xkBB3eXsvYUCdXr3vEJJAAxFs1+Xa+lbyYS7DFwKFViTJ7&U4kp=Ntx0ULGH4Bu8xJ0
Hosts (9):
www.cameratademurcia.com(150.95.255.38)
www.heartrusound.com()
www.animastrue.art(192.0.78.24)
www.restdayrunner.com(103.80.48.27)
150.95.255.38 - mailcious
114.116.39.220
104.129.43.19
192.0.78.25 - mailcious
103.80.48.27
Signatures (1):
ET MALWARE FormBook CnC Checkin (GET)
8.4 | M | ZeroCERT
12994 | 2021-10-01 09:55 | Compensation-1192584148.xls | 37a0ab0f9ab8422201dc00efef4a41c5 | MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://safalerp.com/J1wlINw7HtJ/siera.xml
https://godschildrenaf.org/qxwbRMzrqoWK/siera.xml
https://callgirlsandescortkenya.site/hllzvTuU/siera.xml
Hosts (5):
safalerp.com(119.18.54.27) - mailcious
callgirlsandescortkenya.site(50.87.151.118) - mailcious
godschildrenaf.org(50.87.151.118) - mailcious
119.18.54.27 - mailcious
50.87.151.118 - mailcious
Signatures (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
3.6 | guest
12995 | 2021-10-01 09:57 | Compensation-1192735226.xls | 4e7ee8165dc4ce387c6c4d66a405dbd6 | MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://safalerp.com/J1wlINw7HtJ/siera.xml
https://godschildrenaf.org/qxwbRMzrqoWK/siera.xml
https://callgirlsandescortkenya.site/hllzvTuU/siera.xml
Hosts (5):
safalerp.com(119.18.54.27) - mailcious
godschildrenaf.org(50.87.151.118) - mailcious
callgirlsandescortkenya.site(50.87.151.118) - mailcious
119.18.54.27 - mailcious
50.87.151.118 - mailcious
Signatures (2):
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | guest
12996 | 2021-10-01 13:30 | ab1f2763fad083c2_~wrs{f16ac57e... | 05f690805ac5004c2718b128a7051550
guest
12997 | 2021-10-01 13:33 | Op.gg.exe | ee228a1b9d71fc6381e15e9364bf8fb9 | Themida Packer Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library PE64 PE File VirusTotal Malware
1.4 | 29 | ZeroCERT
12998 | 2021-10-01 13:48 | Op.gg.exe | ee228a1b9d71fc6381e15e9364bf8fb9 | Themida Packer Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library PE64 PE File VirusTotal Malware
1.4 | M | 29 | ZeroCERT
12999 | 2021-10-01 13:52 | Op.gg.exe | ee228a1b9d71fc6381e15e9364bf8fb9 | Themida Packer Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library PE64 PE File VirusTotal Malware unpack itself Windows crashed
2.6 | M | 29 | ZeroCERT
13000 | 2021-10-01 15:03 | サンプルカタログ2021.exe | bcde42776b0996bd7ec03be666fbd8c3 | NSIS Malicious Library PE File PE32 VirusTotal Malware Check memory crashed
1.4 | 29 | ZeroCERT
13001 | 2021-10-01 16:42 | Ticket00073146.docm | a91be9529d06cd4a6c06a01b5c595630 | RAT VBA_macro Generic Malware Antivirus Word 2007 file format(docx) PE File .NET DLL DLL PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key
7.8 | 19 | ZeroCERT
13002 | 2021-10-01 18:14 | esmallruby.png | c1c5d100cbfc61d121150b08b3f5584a | Emotet Gen1 Malicious Packer UPX Malicious Library PE File OS Processor Check PE32 PDB suspicious privilege MachineGuid buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious process ComputerName DNS crashed
Hosts (6):
179.42.137.109
103.56.207.230 - mailcious
179.42.137.106 - mailcious
179.42.137.104
171.103.187.218 - mailcious
103.59.105.226
7.0 | ZeroCERT
13003 | 2021-10-01 18:16 | 64.exe | ba0c30c85ff45d4a7dfbf010ebff1ca8 | Emotet Malicious Packer Malicious Library AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted Creates executable files unpack itself ComputerName DNS
URLs: 20
Hosts: 1
7.0 | 13 | ZeroCERT
13004 | 2021-10-01 18:16 | 67.exe | 2ea556def72c528c071e52f3ee0285d2 | Gen2 Gen1 Themida Packer Malicious Packer UPX Malicious Library PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
URLs: 1
Hosts (5):
api.ip.sb(104.26.13.31)
65.108.5.215
171.103.187.218 - mailcious
103.59.105.226
104.26.13.31
11.4 | M | 37 | ZeroCERT
13005 | 2021-10-01 18:16 | vbc.exe | 1a79d8cecf21e710f563c14a34a63381 | Loki PWS Loki[b] Loki.m .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
http://checkvim.com/ga16/fre.php - rule_id: 5628
Hosts (2):
checkvim.com(85.192.56.106) - mailcious
85.192.56.106
Malicious URLs (1):
http://checkvim.com/ga16/fre.php
12.8 | M | 14 | ZeroCERT