13066 | 2021-10-04 10:26 | dow.exe | 7a29daa31a1ce60f705519b9e1b8648c
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (16):
  http://www.ahljsm.com/ef6c/
  http://www.planetgreennetwork.com/ef6c/?q48=viiOdeoYufNRN60WkpfLEAw1fJ1OatCxqWV4tuVbpGnby6TfOu9tKnuCwWlJt5WAZl2p+p2R&rTFDr=GB1hulOhXlAhMp
  http://www.publicationsplace.com/ef6c/
  http://www.pamperotrabajo.com/ef6c/
  http://www.restaurant-utopia.xyz/ef6c/?q48=QQd8BU9Fy5B/Jf1+m4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N5pbbojH/ir2XBTcopEK&rTFDr=GB1hulOhXlAhMp
  http://www.conversationspit.com/ef6c/?q48=2B3AR6Tylpqs5Gri0FIlqBRxWQiEdo1VgukX0Re3vdIAR+O8ytnn3lUzDvQXM3H/f6RyrHJq&rTFDr=GB1hulOhXlAhMp
  http://www.pamperotrabajo.com/ef6c/?q48=KDbDnDLzsuDPs88N0LpNmm61A6mSDcCmQh7h1rTXqzI0ioxvfa7TYmVWl9MBuezo9XnNQKeB&rTFDr=GB1hulOhXlAhMp
  http://www.44mpt.xyz/ef6c/?q48=jKy9H8VqZwiUle4gjb+CLEX9fpBCwuv2o754Pr7fJKTzkjLdsKrrwvS2m3F+8CxbXLoYiDn1&rTFDr=GB1hulOhXlAhMp
  http://www.gaminghallarna.net/ef6c/?q48=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&rTFDr=GB1hulOhXlAhMp
  http://www.conversationspit.com/ef6c/
  http://www.planetgreennetwork.com/ef6c/
  http://www.ahljsm.com/ef6c/?q48=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&rTFDr=GB1hulOhXlAhMp
  http://www.publicationsplace.com/ef6c/?q48=69obzrOqqjyeWfIWJOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtImRdCopiSdNHcaNy3Iv&rTFDr=GB1hulOhXlAhMp
  http://www.gaminghallarna.net/ef6c/
  http://www.44mpt.xyz/ef6c/
  http://www.restaurant-utopia.xyz/ef6c/
Hosts (18):
  www.pamperotrabajo.com(119.81.108.180)
  www.csspadding.com()
  www.conversationspit.com(34.102.136.180)
  www.44mpt.xyz(23.224.235.100)
  www.ahljsm.com(45.39.212.162)
  www.planetgreennetwork.com(34.102.136.180)
  www.publicationsplace.com(108.170.14.102)
  www.gaminghallarna.net(194.9.94.85)
  www.xzq585858.net()
  www.pacifica7.com()
  www.restaurant-utopia.xyz(104.21.35.47)
  172.67.213.229
  119.81.108.180 - malware
  108.170.14.102
  34.102.136.180 - malicious
  23.225.32.156
  194.9.94.86 - malicious
  45.39.212.162
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
8.4 | | 23 | ZeroCERT

13067 | 2021-10-04 10:26 | pm.exe | 7bbc2539d7196864b7745b8065a35e7e
Tags: RAT NPKI Generic Malware Antivirus PE64 PE File VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key crashed
URLs: none
Hosts: none
Alerts: none
9.0 | M | 27 | ZeroCERT

13068 | 2021-10-04 10:27 | det-066.exe | cf38251ea9830826534aead3ce07a6d0
Tags: RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
URLs (8):
  http://www.szyyglass.com/ef6c/?u4=WJZ/PBlgU2sqxbhuKWSW0gAF450CRpcifwWN2Hn02+HJZd2OB2qk7jd6844pcDa/ZUIS0tAu&Hr=Y48Du8lP
  http://www.levanttradegroup.com/ef6c/?u4=9g8sfBGzWY6JJ+yJLDpPQys/8ShNqhTPTp4cpY8RvCwAQwKx0UrfmPEzoi+Z1D/DgpYog5qv&Hr=Y48Du8lP
  http://www.charlottewright.online/ef6c/?u4=bKl6S2PMskhcSXFE7HfaeHnYXQvAUl613IM//zHPO3TKPYZdoHU3iT1YZPc6b5wFOFr3iCzD&Hr=Y48Du8lP
  http://www.gicaredocs.com/ef6c/?u4=dQ8jXmGBocPwA167SrVCKSfe9kfjfwf5Y/UytJXCMDqauGkqvJ/2eQvfbvtaR0w7HyB9eXq/&Hr=Y48Du8lP
  http://www.stopmoshenik.online/ef6c/?u4=AItpU6mQCC6s81rj7necuGYpWrqi0PbHxxDMCTfv5nDjvQQMu+peq6WH+jA65E1HrZKOBeeG&Hr=Y48Du8lP
  http://www.kinglot2499.com/ef6c/?u4=qvbt8KP2xJHnSv2agWrG6RDVV6/Qaw5OSzzUHxaBtBqMEVf61rcn+NRYzRRlOu08cWsbP+g5&Hr=Y48Du8lP
  http://www.pamperotrabajo.com/ef6c/?u4=KDbDnDLzsuDPs88N0LpNmm61A6mSDcCmQh7h1rTXqzI0ioxvfa7TYmVWl9MBuezo9XnNQKeB&Hr=Y48Du8lP
  http://www.fis.photos/ef6c/?u4=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&Hr=Y48Du8lP
Hosts (18):
  www.pamperotrabajo.com(119.81.108.180)
  www.stopmoshenik.online(194.58.112.174)
  www.csspadding.com()
  www.levanttradegroup.com(34.102.136.180)
  www.gicaredocs.com(208.91.197.27)
  www.charlottewright.online(203.170.80.250)
  www.fis.photos(192.0.78.25)
  www.szyyglass.com(172.120.106.61)
  www.pacifica7.com()
  www.kinglot2499.com(34.102.136.180)
  172.120.106.61
  119.81.108.180 - malware
  20.43.94.199
  208.91.197.27 - malicious
  34.102.136.180 - malicious
  194.58.112.174 - malicious
  192.0.78.24 - malicious
  203.170.80.250 - phishing
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.0 | | 40 | ZeroCERT

13069 | 2021-10-04 10:28 | qingdi1 | 6c3a8a55969e4251cd8c8bd3802efb9a
Tags: Malicious Library AntiDebug AntiVM ELF VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself Browser Email
URLs: none
Hosts: none
Alerts: none
4.0 | M | 36 | ZeroCERT

13070 | 2021-10-04 10:31 | dow-08.exe | 649ef81c0ce0f13b1197ccdb30685547
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key
URLs (11):
  http://www.lacucinadesign.com/ef6c/?ETml9Ha=9TcXST3u6WT+pAlmYAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p2hxsWhOg+dHKCBclHOd&VR-D9=3fgT8pc8InE4HvgP
  http://www.ahljsm.com/ef6c/?ETml9Ha=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&VR-D9=3fgT8pc8InE4HvgP
  http://www.kinglot2499.com/ef6c/?ETml9Ha=qvbt8KP2xJHnSv2agWrG6RDVV6/Qaw5OSzzUHxaBtBqMEVf61rcn+NRYzRRlOu08cWsbP+g5&VR-D9=3fgT8pc8InE4HvgP
  http://www.test-testjisdnsec.store/ef6c/?ETml9Ha=pCgBXBmDeodDN9Ij/QwvhvCGUOrFtlbKKwJyINTUtb59Z1VInJrq7ZxQE5p6wLD76RTmpOOc&VR-D9=3fgT8pc8InE4HvgP
  http://www.satellitphonestore.com/ef6c/?ETml9Ha=2HQYiK3SqCAOAD8t1I4UDgwc9i5WnuBSVk/U/jy+BINbcOU7l/xUqscit0kTEHSPOQww5Ion&VR-D9=3fgT8pc8InE4HvgP
  http://www.ambrandt.com/ef6c/?ETml9Ha=LpvmmmP8130l+/J4QjVaSApGnUfMJ5/j1z/KRz5qiZs92IprYNoIBOkfulD2ZI4sCy4j1IwA&VR-D9=3fgT8pc8InE4HvgP
  http://www.szesdkj.com/ef6c/?ETml9Ha=fLa1O6LgDU4JmATAWF+Un0DhSyi8xEXua0Xgw1gdYMhmHbBdgR9nT+JgCDSJbt7Dlll1cLDk&VR-D9=3fgT8pc8InE4HvgP
  http://www.fis.photos/ef6c/?ETml9Ha=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&VR-D9=3fgT8pc8InE4HvgP
  http://www.apricitee.com/ef6c/?ETml9Ha=KSHN/72BZOSNcoSkGOIXNFBSZoOhZSSqcZXlNpA3fA8LE+ARMJMD6XqqXDR03XtMsLmcqmrd&VR-D9=3fgT8pc8InE4HvgP
  http://www.restaurant-utopia.xyz/ef6c/?ETml9Ha=QQd8BU9Fy5B/Jf1+m4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N5pbbojH/ir2XBTcopEK&VR-D9=3fgT8pc8InE4HvgP
  http://www.vngc.xyz/ef6c/?ETml9Ha=wSkjLUNz9KMnKLEpTJsPicKZ1kuS/lhbyPtlijpm6RS6Gnr6JEITfVGplX7ZAvxV+33Wr+ZN&VR-D9=3fgT8pc8InE4HvgP
Hosts (21):
  www.kinglot2499.com(34.102.136.180)
  www.ahljsm.com(45.39.212.162)
  www.test-testjisdnsec.store()
  www.szesdkj.com(170.130.13.86)
  www.lacucinadesign.com(34.102.136.180)
  www.restaurant-utopia.xyz(172.67.213.229)
  www.apricitee.com(172.65.227.72)
  www.fis.photos(192.0.78.25)
  www.ambrandt.com(156.234.138.25)
  www.vngc.xyz(172.217.174.115)
  www.satellitphonestore.com(35.186.238.101)
  172.67.213.229
  35.186.238.101 - malicious
  209.99.40.222 - malicious
  170.130.13.86
  156.234.138.25
  34.102.136.180 - malicious
  192.0.78.24 - malicious
  172.217.161.179 - suspicious
  172.65.227.72
  45.39.212.162
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
9.2 | M | 37 | ZeroCERT

13071 | 2021-10-04 10:33 | dow-01.exe | 26c2ebe63533d05a859e5f990091e487
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
URLs (9):
  http://www.uzmdrmustafaalperaykanat.com/ef6c/?Bn=ja7SoM3OFQT8Gg6cQsrMgEr4X7AAHRd2HQn2dp6ngt1+3x8/3G/noJ63mRQfE8+wCQKkMG6+&lvKh=X2MToVAP_0DHbf3
  http://www.redelirevearyseuiop.xyz/ef6c/?Bn=+zggs108Zt88mF3I15I6Vl7MIKEVgTDkllssvVc7oGo+vC3UJFm7tcArJeeO3BpO4YdkYwbo&lvKh=X2MToVAP_0DHbf3
  http://www.rjtherealest.com/ef6c/?Bn=yyRuLH36V5D2Dmz0i9ruMhsFzlS0YjZ0uNFvdh2spF2dMn6mTJc7Wogiisuz4rZ01/rUtxwE&lvKh=X2MToVAP_0DHbf3
  http://www.totalcovidtravel.com/ef6c/?Bn=AOAVqbk968+jHu33UUeQn7iAyru7by0I3gjPPIw/EAE0dL+8Vx6AP0T4t83EQPWP+KOBcQOK&lvKh=X2MToVAP_0DHbf3
  http://www.kidzgovroom.com/ef6c/?Bn=tzJrmRJzv3aPTlM/CF6MHo9U8s5+ZqDCvPfiw0R1aW0dhX7KrJSn+QKF8yUKGl3PwVlYeY7t&lvKh=X2MToVAP_0DHbf3
  http://www.conversationspit.com/ef6c/?Bn=2B3AR6Tylpqs5Gri0FIlqBRxWQiEdo1VgukX0Re3vdIAR+O8ytnn3lUzDvQXM3H/f6RyrHJq&lvKh=X2MToVAP_0DHbf3
  http://www.pgonline111.online/ef6c/?Bn=YwrbNwP1/uOx/t5EQbsAb0agM3IyucVno+6hj+S4img8g2n6a6v8t37VHfacQRvRoazZ9RvI&lvKh=X2MToVAP_0DHbf3
  http://www.upinmyfeels.com/ef6c/?Bn=qu0EmkGdK39lP2qjKkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJxOOjUtYwvxNL/o9/3iV&lvKh=X2MToVAP_0DHbf3
  http://www.gaminghallarna.net/ef6c/?Bn=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&lvKh=X2MToVAP_0DHbf3
Hosts (17):
  www.redelirevearyseuiop.xyz(198.54.117.244)
  www.conversationspit.com(34.102.136.180)
  www.pgonline111.online(13.251.172.64)
  www.kidzgovroom.com(34.102.136.180)
  www.gaminghallarna.net(194.9.94.85)
  www.jakante.com()
  www.upinmyfeels.com(34.102.136.180)
  www.pacifica7.com()
  www.uzmdrmustafaalperaykanat.com(52.29.206.172)
  www.totalcovidtravel.com(34.102.136.180)
  www.rjtherealest.com(74.208.236.145)
  52.29.206.172
  34.102.136.180 - malicious
  198.54.117.244 - phishing
  194.9.94.86 - malicious
  74.208.236.145 - malware
  13.251.172.64
Alerts (4):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1
  ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1
  ET HUNTING Request to .XYZ Domain with Minimal Headers
9.0 | M | 36 | ZeroCERT

13072 | 2021-10-04 10:35 | dow-0.exe | fa8622d626b79da91b5cbb891ccf8c40
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (9):
  http://www.sensorypantry.com/ef6c/?5jUh=cw2PwNl+5NOQItrLnKllT2tGwrd+rdd5UTQlQyS8ptLSIxj973nGji9KRlDOdanBBwTAA2mM&llxh=fTRld0QHk69D0Xw
  http://www.conversationspit.com/ef6c/?5jUh=2B3AR6Tylpqs5Gri0FIlqBRxWQiEdo1VgukX0Re3vdIAR+O8ytnn3lUzDvQXM3H/f6RyrHJq&llxh=fTRld0QHk69D0Xw
  http://www.fis.photos/ef6c/?5jUh=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&llxh=fTRld0QHk69D0Xw
  http://www.gicaredocs.com/ef6c/?5jUh=dQ8jXmGBocPwA167SrVCKSfe9kfjfwf5Y/UytJXCMDqauGkqvJ/2eQvfbvtaR0w7HyB9eXq/&llxh=fTRld0QHk69D0Xw
  http://www.kidzgovroom.com/ef6c/?5jUh=tzJrmRJzv3aPTlM/CF6MHo9U8s5+ZqDCvPfiw0R1aW0dhX7KrJSn+QKF8yUKGl3PwVlYeY7t&llxh=fTRld0QHk69D0Xw
  http://www.arcflorals.com/ef6c/?5jUh=kGlMeYY5BdILFMvYVNR7bZ0Mn33Q8LI2mKSsuAJB2+8tGFV37lUpti1UFknkbAVSBI+8nqql&llxh=fTRld0QHk69D0Xw
  http://www.narbaal.com/ef6c/?5jUh=Qfq1eVj1tbY6wk2fC6TNcABTYUkfKUx3lN3xLkopolv8k3yEzrfjTRmV/Ar6z0XOJR0dF2R8&llxh=fTRld0QHk69D0Xw
  http://www.shacksolid.com/ef6c/?5jUh=JeohSOzV/eF3b++alSWyFy7AWxQU0a2IMxUYSulMFNSbZpwQl2hdImGcJZ3OYLlpDcL1Ncux&llxh=fTRld0QHk69D0Xw
  http://www.lacucinadesign.com/ef6c/?5jUh=9TcXST3u6WT+pAlmYAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p2hxsWhOg+dHKCBclHOd&llxh=fTRld0QHk69D0Xw
Hosts (16):
  www.conquershirts.store(195.110.124.133)
  www.conversationspit.com(34.102.136.180)
  www.arcflorals.com(198.71.233.83)
  www.sensorypantry.com(34.102.136.180)
  www.kidzgovroom.com(34.102.136.180)
  www.narbaal.com(198.54.117.210)
  www.gicaredocs.com(208.91.197.27)
  www.lacucinadesign.com(34.102.136.180)
  www.fis.photos(192.0.78.24)
  www.shacksolid.com(64.190.62.111)
  198.71.233.83
  198.54.117.212 - malicious
  208.91.197.27 - malicious
  34.102.136.180 - malicious
  64.190.62.111 - malicious
  192.0.78.24 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
8.2 | M | 37 | ZeroCERT

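The five FormBook entries above (13066, 13068, 13070, 13071 and 13072) share the path segment /ef6c/, each sample uses its own pair of query parameter names, and the value of the first parameter is the same for a given host in every sample that contacted it (compare www.pamperotrabajo.com in 13066 and 13068, or www.fis.photos in 13068, 13070 and 13072). The Python below is an added example, not code from the listing or from ZeroCERT: it parses the check-in URLs, pivots on that per-host value across samples, and builds a proxy-log hunting regex from the character classes seen in the listed URLs. The URLs in SAMPLES are copied from entries 13066 and 13068; the field names (path_id, key, blob, tail) and every function are the example's own, not FormBook's or the sandbox's terminology.

```python
"""Added example, not part of the ZeroCERT listing: take apart the FormBook
check-in URLs recorded for entries 13066-13072 and pivot across samples.

Assumptions: SAMPLES holds URLs copied from entries 13066 and 13068 above;
the field names (path_id, key, blob, tail) and every function here are this
example's own naming, not FormBook's or the sandbox's.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of the URLs listed for 13066 (dow.exe) and
# 13068 (det-066.exe), copied verbatim from the entries above.
SAMPLES = {
    "13066": [
        "http://www.ahljsm.com/ef6c/",
        "http://www.pamperotrabajo.com/ef6c/?q48=KDbDnDLzsuDPs88N0LpNmm61A6mSDcCmQh7h1rTXqzI0ioxvfa7TYmVWl9MBuezo9XnNQKeB&rTFDr=GB1hulOhXlAhMp",
        "http://www.conversationspit.com/ef6c/?q48=2B3AR6Tylpqs5Gri0FIlqBRxWQiEdo1VgukX0Re3vdIAR+O8ytnn3lUzDvQXM3H/f6RyrHJq&rTFDr=GB1hulOhXlAhMp",
        "http://www.pamperotrabajo.com/ef6c/",
    ],
    "13068": [
        "http://www.pamperotrabajo.com/ef6c/?u4=KDbDnDLzsuDPs88N0LpNmm61A6mSDcCmQh7h1rTXqzI0ioxvfa7TYmVWl9MBuezo9XnNQKeB&Hr=Y48Du8lP",
        "http://www.fis.photos/ef6c/?u4=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&Hr=Y48Du8lP",
    ],
}


def parse_checkin(url):
    """Split one check-in GET into host, path id and raw query fields.

    The query is split by hand: urllib.parse.parse_qsl would decode the '+'
    characters inside the base64-alphabet blob to spaces and corrupt it.
    """
    parts = urlsplit(url)
    fields = []
    if parts.query:
        for kv in parts.query.split("&"):
            k, _, v = kv.partition("=")
            fields.append((k, v))
    return {
        "host": parts.hostname,
        "path_id": parts.path.strip("/"),
        "key": fields[0][0] if fields else None,
        "blob": fields[0][1] if fields else None,
        "tail": fields[1] if len(fields) > 1 else None,
    }


def profile(urls):
    """Summarise one sample's URL set: path id(s), query key names, the
    constant second field, the blob sent to each host, and bare GETs."""
    recs = [parse_checkin(u) for u in urls]
    return {
        "path_ids": sorted({r["path_id"] for r in recs}),
        "keys": sorted({r["key"] for r in recs if r["key"]}),
        "tails": sorted({r["tail"] for r in recs if r["tail"]}),
        "blob_by_host": {r["host"]: r["blob"] for r in recs if r["blob"]},
        "bare_gets": sorted({r["host"] for r in recs if not r["key"]}),
    }


def pivot(samples):
    """Hosts contacted by more than one sample, with the blob each sample
    sent to that host."""
    seen = defaultdict(dict)
    for sid, urls in samples.items():
        for host, blob in profile(urls)["blob_by_host"].items():
            seen[host][sid] = blob
    return {h: s for h, s in seen.items() if len(s) > 1}


def shared_blob_hosts(samples):
    """Hosts where every sample sent the same blob; in the listing this holds
    for every host that appears under two entries."""
    return sorted(h for h, s in pivot(samples).items() if len(set(s.values())) == 1)


def hunt_pattern(path_id):
    """Regex over path+query for proxy-log hunting, built from the character
    classes seen in the listed URLs: a short key (letters, digits, '-'), a
    base64-alphabet blob, and a short second field (letters, digits, '_')."""
    return re.compile(
        r"^/%s/(?:\?[A-Za-z0-9_-]+=[A-Za-z0-9+/=]+&[A-Za-z0-9_-]+=[A-Za-z0-9_-]+)?$"
        % re.escape(path_id)
    )


def matches_hunt(url, path_id="ef6c"):
    """True if the request line of `url` fits the check-in shape."""
    p = urlsplit(url)
    target = p.path + ("?" + p.query if p.query else "")
    return bool(hunt_pattern(path_id).match(target))


if __name__ == "__main__":
    for sid, urls in SAMPLES.items():
        print(sid, profile(urls))
    print("shared:", shared_blob_hosts(SAMPLES))
```

Two caveats before turning this into a blocklist. FormBook beacons to a list of domains of which most are decoys, and several of the names above resolve to the same address (34.102.136.180 appears under four different names in 13071 alone), so the pivot attributes samples to one build but does not tell you which host is the live C2; the ET MALWARE FormBook CnC Checkin (GET) alert above is the detection to rely on. And the regex is a hunting aid tuned to the /ef6c/ build seen here, not a signature: other builds use other path ids.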
13073 | 2021-10-04 11:59 | invoice.wbk | a77137852cc21108b4b4d23b82fa52a5
Tags: RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://202.55.132.141/11882/vbc.exe
  http://checkvim.com/ga15/fre.php
Hosts (3):
  checkvim.com(85.192.56.106) - malicious
  85.192.56.106
  202.55.132.141
Alerts (11):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Fake 404 Response
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.4 | | 28 | ZeroCERT

13074 | 2021-10-04 16:21 | hofile.exe | d111824423a23721dc128900f359067a
Tags: Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
URLs: none
Hosts: none
Alerts: none
2.0 | | 20 | guest

13075 | 2021-10-04 17:54 | docfile221021.exe | 4e6047ebadcbb3b2c9e75fbd130f5041
Tags: RAT PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key
URLs: none
Hosts (1):
  79.134.225.36 - malicious
Alerts: none
12.8 | | | ZeroCERT

13076 | 2021-10-04 17:55 | Bank Statement.exe | 516ff4e98725f65ba5447f4dfb2875b2
Tags: RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS
URLs: none
Hosts (4):
  deedee111.ddns.net(194.5.98.11)
  37.235.1.177 - malicious
  37.235.1.174 - malicious
  194.5.98.11 - malicious
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
12.6 | | 16 | ZeroCERT

13077 | 2021-10-04 17:57 | NEW ORDER.exe | e09c3b0402059d9ee50591a2832a06b1
Tags: PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
URLs: none
Hosts (4):
  cutixglobal.ddns.net(79.134.225.8)
  37.235.1.177 - malicious
  37.235.1.174 - malicious
  79.134.225.8
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.2 | | | ZeroCERT

13078 | 2021-10-04 17:57 | HTG~0000098765434567-098765432... | a3fb8baaebd4544f3eca7dd0d4da2ad0
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS
URLs: none
Hosts (2):
  1116.hopto.org(185.140.53.9) - malicious
  185.140.53.9 - malicious
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
14.6 | | | ZeroCERT

13079 | 2021-10-04 17:58 | NEW ORDER EXPO_51052 IMG002398... | 2f0f161e125227509d9c0dbd5cef40b3
Tags: Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
URLs: none
Hosts (4):
  futurist11.ddns.net(194.5.98.46) - malicious
  37.235.1.177 - malicious
  37.235.1.174 - malicious
  194.5.98.46 - malicious
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.4 | | | ZeroCERT

13080 | 2021-10-04 18:00 | QUOTATION-10-01-2021.doc.exe | 64a94e95263d5d44c99f69d16188d4b6
Tags: Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS
URLs: none
Hosts (1):
Alerts (1):
  ET MALWARE Possible NanoCore C2 60B
14.0 | | 43 | ZeroCERT

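The four dynamic-DNS entries (13076 to 13079) and the reputation labels in every host column are the raw material for a blocklist, but the listing prints each host column as one space-separated string. The Python below is an added example, not part of the listing or of ZeroCERT's tooling: it tokenises that string, folds the sandbox UI's "mailcious" label into "malicious", flags names on dynamic-DNS zones, and reports which addresses recur across entries. HOST_CELLS is copied from those four entries; the token grammar and the DDNS suffix list are this example's own assumptions.

```python
"""Added example, not part of the ZeroCERT listing: parse the host cells of
the entries above into one deduplicated IOC table and flag dynamic-DNS C2.

Assumptions: the token grammar ("domain(ip)", "ip", optional " - label")
is inferred from how the listing prints its host column; DDNS_SUFFIXES is
this example's own list and only mirrors the two ET POLICY DynDNS alerts
that fire above; HOST_CELLS is copied from entries 13076-13079.
"""
import re

# The sandbox UI spells one reputation label "mailcious"; a scraper has to
# fold that into "malicious" or it will never match a blocklist lookup.
LABEL_FIX = {"mailcious": "malicious"}

# Assumption: the dynamic-DNS zones named by this listing's ET POLICY alerts.
DDNS_SUFFIXES = (".ddns.net", ".hopto.org")

TOKEN = re.compile(
    r"(?:(?P<domain>[A-Za-z0-9.-]+)\((?P<resolved>[0-9.]*)\)"
    r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"
)

# Constructed input: the host cells of four entries above. 13078 is left in
# the sandbox UI's original "mailcious" spelling to exercise LABEL_FIX.
HOST_CELLS = {
    "13076": "deedee111.ddns.net(194.5.98.11) 37.235.1.177 - malicious 37.235.1.174 - malicious 194.5.98.11 - malicious",
    "13077": "cutixglobal.ddns.net(79.134.225.8) 37.235.1.177 - malicious 37.235.1.174 - malicious 79.134.225.8",
    "13078": "1116.hopto.org(185.140.53.9) - mailcious 185.140.53.9 - mailcious",
    "13079": "futurist11.ddns.net(194.5.98.46) - malicious 37.235.1.177 - malicious 37.235.1.174 - malicious 194.5.98.46 - malicious",
}


def parse_hosts(cell):
    """Tokenise one host cell into dicts with type, value, resolved IP and
    a normalised label (None when the listing gave none)."""
    out = []
    for m in TOKEN.finditer(cell):
        label = m.group("label")
        if label:
            label = LABEL_FIX.get(label.lower(), label.lower())
        if m.group("domain"):
            out.append({"type": "domain", "value": m.group("domain").lower(),
                        "resolved": m.group("resolved") or None, "label": label})
        else:
            out.append({"type": "ip", "value": m.group("ip"),
                        "resolved": None, "label": label})
    return out


def is_ddns(name):
    """True for names under one of the assumed dynamic-DNS zones."""
    return name.lower().endswith(DDNS_SUFFIXES)


def consolidate(cells):
    """Merge host cells from several entries into one table keyed by the
    domain or IP, recording which entries saw it, every label it carried,
    what a domain resolved to, and whether it sits on a DDNS provider."""
    table = {}
    for sid, cell in cells.items():
        for h in parse_hosts(cell):
            row = table.setdefault(h["value"], {
                "type": h["type"], "entries": set(), "labels": set(),
                "resolved": set(),
                "ddns": h["type"] == "domain" and is_ddns(h["value"]),
            })
            row["entries"].add(sid)
            if h["label"]:
                row["labels"].add(h["label"])
            if h["resolved"]:
                row["resolved"].add(h["resolved"])
    return table


def shared_across(table, min_entries=2):
    """Values that recur in at least `min_entries` entries. Recurrence is a
    pivot, not a verdict: 37.235.1.174 and 37.235.1.177 recur here but are
    not what any of the DDNS names resolve to, so establish what role they
    play before treating them as C2."""
    return sorted(v for v, r in table.items() if len(r["entries"]) >= min_entries)


def ddns_c2(table):
    """DDNS names together with the address each resolved to."""
    return {v: sorted(r["resolved"]) for v, r in table.items() if r["ddns"]}


if __name__ == "__main__":
    iocs = consolidate(HOST_CELLS)
    print("ddns:", ddns_c2(iocs))
    print("recurring:", shared_across(iocs))
```

The resolved address of a DDNS name is only worth recording with the date of the sandbox run (the timestamps above), since the whole point of dynamic DNS for the operator is that it changes; block or hunt on the name, and keep the address as a historical pivot.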