13126 | 2021-10-05 16:47 | image.mp3.html | 0f8e7f27b8db9e95ae4f6c28f412d847 | score 0.4 | 3 | ZeroCERT
tags: VirusTotal Malware
URLs: none
hosts: none
signatures: none

13127 | 2021-10-05 16:52 | RFQOG051021,PDF.exe | 29a2ea2de2e06ff44e764795c83fbba7 | score 6.6 | 23 | ZeroCERT
tags: NSIS Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder DNS
URLs (8):
  http://www.disciplednationscounsel.com/x9r4/?Rv=tQXubhpFGsyGhT3AXwUAcNu/WBDo50NRIhLgZHJcGW7IPZmP9naf0hbNiqNCMGqaL6rcqT/+&8pMxB4=GfoXPfjH-r40hn
  http://www.graececonsulting.com/x9r4/?Rv=5BCvsP7qzUWsUOU5cB5pHvdLlcp4SUXRPWRSkGIF1+68VMMaDSNZM3V32uV6M81mdP/35xA4&8pMxB4=GfoXPfjH-r40hn
  http://www.arthritiscompressiongloves.com/x9r4/?Rv=ATFPyyXTnRckP62jKjrbfg8Vw0Bv/XD6vw6xFnNte9JSgJRs9LftIp4q+LsnfvXDjv30FpUm&8pMxB4=GfoXPfjH-r40hn
  http://www.samplecondo.com/x9r4/?Rv=+doDNEi6fOWa0LF15h7eWwDpaipXUINB96E8GDQct7QFtgjI1rCFibn7dDi2YvoPnxVoEoKD&8pMxB4=GfoXPfjH-r40hn
  http://www.buoyantcode.com/x9r4/?Rv=ye5EyXveHgiqQJ3SA3jkswDAu87225+WoPo25I6nLbwDd/yRmdW0SAyDRmtkeiRP+iDjGcI9&8pMxB4=GfoXPfjH-r40hn
  http://www.wg093.com/x9r4/?Rv=iY1Vcb9pra2CVyO/gFFsBj17NwX903HGTyZVrtd0LEZNlX6jMS5kDkHtNbjIzndNYP6ICTek&8pMxB4=GfoXPfjH-r40hn
  http://www.qualiteaof.life/x9r4/?Rv=jDvY5cYY33Pms7mzc+uml1wI+T7tjBnqXryddSJ6812YQFHwaz1JmVU52ljv7705XnwfxCzO&8pMxB4=GfoXPfjH-r40hn
  http://www.alchemywaxmelts.com/x9r4/?Rv=T7lInRnaPJ4Sj399zuq8B3zuez8rv2WsT8x0lXuLX/50x39wfAQAbBg+qdzFcBq9/0fz/QPQ&8pMxB4=GfoXPfjH-r40hn
hosts (20):
  www.1233326.xyz()
  www.arthritiscompressiongloves.com(91.195.240.117)
  www.qualiteaof.life(99.83.154.118)
  www.disciplednationscounsel.com(34.102.136.180)
  www.wg093.com(34.98.99.30)
  www.update3online.com()
  www.graececonsulting.com(34.98.99.30) - mailcious
  www.samplecondo.com(184.168.131.241)
  www.alchemywaxmelts.com(34.102.136.180)
  www.zhinengjiashiche.com()
  www.buoyantcode.com(34.102.136.180)
  www.rmsnidlogini.email()
  www.littlebirdbedtimestories.com()
  www.desocuparlosalverges.com()
  www.sofiasaenz.com()
  184.168.131.241 - mailcious
  34.102.136.180 - mailcious
  99.83.154.118 - mailcious
  91.195.240.117 - mailcious
  34.98.99.30 - phishing
signatures (3):
  ET INFO Observed DNS Query to .life TLD
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP Request to Suspicious *.life Domain

13128 | 2021-10-05 16:53 | image.mp3.html | 0f8e7f27b8db9e95ae4f6c28f412d847 | score 5.2 | 3 | ZeroCERT
tags: AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs: none
hosts: none
signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure

13129 | 2021-10-05 16:55 | 1796250310-10042021.xls | 1f4a448f535f2a3657dfef39beb4a662 | score 5.2 | 6 | ZeroCERT
tags: VBA_macro Generic Malware Downloader MSOffice File VirusTotal Malware Malicious Traffic RWX flags setting unpack itself suspicious process DNS
URLs (3):
  http://5.196.247.11/44474.7033944444.dat
  http://190.14.37.165/44474.7033944444.dat
  http://188.119.113.3/44474.7033944444.dat
hosts (3):
  190.14.37.165 - mailcious
  5.196.247.11 - mailcious
  188.119.113.3 - mailcious
signatures: none

13130 | 2021-10-05 17:44 | DOC20211005-0918629831.exe | 83a32d0d136cadf943aa605a7b1e3dc0 | score 10.0 | 18 | ZeroCERT
tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key crashed
URLs (15):
  http://www.survivalfresh.com/ntfs/?AjR=21tLgbP2yagke5ca39MMCkaTw3ul+25tQiZH/vehq0MisVUMvB6xQMdWVewG09mnNKvW1Jqi&ndndsT=KdvDIh08e8D4
  http://www.164661.com/ntfs/?AjR=EQGFpvzmjJ01FBcJ82kVFjhH2vYYK8cPxl1D6Cz1nlh+Zn0dJbcoKaYC/GcRTMOob/2YoFxj&ndndsT=KdvDIh08e8D4
  http://www.livetvnews24.com/ntfs/?AjR=WWBf0ejULkkWCGhGgTCASpPE+YBI6b/V2JT0klCOaSo8CpBxqsqIUL1am+XWR9RFDjFFrYDz&ndndsT=KdvDIh08e8D4
  http://www.aisle5.store/ntfs/?AjR=JiVfHxsQIUZIVOrZdasW0XDgZGDHbuQkpfVpZdXmV082HGIoqOCfLlCi+Z81v5cq8/OBmvs4&ndndsT=KdvDIh08e8D4
  http://www.sednayachts.com/ntfs/?AjR=yWWLGy5N757qGygxfTz2VpgR61VSaqzwvTV90moS0mb9EpVeiTqg4EAujagaLLOCRusgD2OW&ndndsT=KdvDIh08e8D4
  http://www.pawcomart.com/ntfs/?AjR=+h+pxPcrngPOC8DSeBps7fK+M6H9abOtW9PHZY+UHB6fdPPxF9r9GWz81ir9o9+4HBhkJXpk&ndndsT=KdvDIh08e8D4
  http://www.noalareelecionindefinida.com/ntfs/?AjR=dYZXaQ1KnAs1iIfz+GCmlR8GbRfWCjtzJ+9RQt2hFNiEXT8n/q07/spfuGdSq2ifGUCapvn7&ndndsT=KdvDIh08e8D4
  http://www.growversa.com/ntfs/?AjR=77KnmNOuKLtpENzAkQuq2gNmvUW4CHqnjVAqaPll/fIdfZHCrb/Qpm1ltv8IJzs1z9eKUWdP&ndndsT=KdvDIh08e8D4
  http://www.tonesify.com/ntfs/?AjR=XayKz9N33Y7MmipE5fqv+pwyVwXNcPO1Ok9qLtTzsjUVdppRPVF79P0o009gNfu+TLiF4Hsh&ndndsT=KdvDIh08e8D4
  http://www.laliinparfumeri.com/ntfs/?AjR=659NitD4XNMpAA5H+/pz8DnE6u+OgBpPVYj1y9JqI+QCevyhn+u5eqFdNfdyGPZBpQ3K+5wu&ndndsT=KdvDIh08e8D4
  http://www.soins-sophro.website/ntfs/?AjR=kF66ll0Um1jo8iklno67xUTptp8D/61uY/Y7h45ITxQ0tPbmVeSluOpT2Cq4/G4DLgLc5y45&ndndsT=KdvDIh08e8D4
  http://www.englishforbreakfast.com/ntfs/?AjR=3i72MLA1eJ23KItbm1vJ6YRASBd+2eIAAK9eDTlV/1BpCv8kby1iQl4I3Y535oeWZTKakmdB&ndndsT=KdvDIh08e8D4
  http://www.lyketigers.com/ntfs/?AjR=GAYoP5SBXtEJMk1r7XxckxlvOWPYxqX0P7cMtyu4khc4paR1vfQmhhKA4Vf/9ulLTXCCdtNN&ndndsT=KdvDIh08e8D4
  http://www.nesboutiqe.com/ntfs/?AjR=0AZpuU1lOai/c3CFYAglV3LWApx0HI/ymZlC3B0dBStOc3qSnIN3lUvYiRyaPsUKmnHjuct2&ndndsT=KdvDIh08e8D4
  https://www.bing.com/
hosts (29):
  www.laliinparfumeri.com(185.15.197.14)
  www.lyketigers.com(34.102.136.180)
  www.nesboutiqe.com(45.200.120.200)
  www.google.com(172.217.174.100)
  www.survivalfresh.com(34.98.99.30)
  www.tonesify.com(86.105.245.69)
  www.plataformasoma.net()
  www.englishforbreakfast.com(31.11.36.5)
  www.164661.com(1.32.255.137)
  www.sednayachts.com(34.102.136.180)
  www.noalareelecionindefinida.com(182.50.132.242)
  www.growversa.com(45.76.85.102)
  www.soins-sophro.website(81.88.57.68)
  www.pawcomart.com(34.102.136.180)
  www.aisle5.store(23.227.38.74)
  www.livetvnews24.com(142.251.42.147)
  45.200.120.200
  1.32.255.137
  185.15.197.14
  142.250.66.147
  34.102.136.180 - mailcious
  45.76.85.102
  172.217.24.68
  182.50.132.242 - mailcious
  86.105.245.69 - mailcious
  81.88.57.68 - mailcious
  23.227.38.74 - mailcious
  31.11.36.5
  34.98.99.30 - phishing
signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)

13131 | 2021-10-05 17:48 | rundll32.exe | 1d6ee7c0d6d827f3d7ce131fd2c69d5d | score 8.0 | M | 18 | ZeroCERT
tags: Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (1):
  http://www.dorotajedrusik.com/cmsr/?ElS=cv8nmsghz/0G5fGTtWrlOCmFaMIR/3kPto7XDrfx1woCi+6kzviqAai4CoqhzgdePYFy6ZTo&Qtu=JnzpcdM03r_
hosts (4):
  www.dorotajedrusik.com(34.80.190.141)
  www.healthyweathorganics.com(47.91.170.222)
  47.91.170.222 - mailcious
  34.80.190.141 - mailcious
signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)

13132 | 2021-10-05 17:50 | config.exe | ce2434f1e7cf62fb10e62123e59fb335 | score 3.8 | 12 | ZeroCERT
tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee DNS
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
hosts (5):
  textbin.net(51.79.99.124)
  apps.identrust.com(52.217.162.125)
  149.248.10.136
  52.217.101.99
  51.79.99.124
signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

13133 | 2021-10-05 17:52 | vbc.exe | d41f65d9b8b141d40387320ce54f9ac3 | score 6.2 | M | 26 | ZeroCERT
tags: NSIS Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (24):
  http://www.globalservicesproviders.com/p08r/?b6A=kc0HlcHOykXtlE83QAp9W1Y7yFJ/9Iqs5v9tv8rxcf4fEK7gRz8fegFivJuBABnMLio7jmeg&D8S=_FNHAt
  http://www.cyworldl.com/p08r/?b6A=NwV8JJ6ZJlAEmD5b4H2bl/w3OwpG2MFDo8NShXAeVJkYkzdeWNbXotIvNWoszNS/7oJ1T3z8&D8S=_FNHAt
  http://www.adult-affi2401.com/p08r/?b6A=YBD8ehEBguM+6gGh+VaunkeJelFsPauf8nWvRLa2Q8b5I/eD3+1cxq8HW72tGpOj6qnVLgtZ&D8S=_FNHAt
  http://www.lockolock.com/p08r/
  http://www.989451.com/p08r/
  http://www.kennycheng.tech/p08r/?b6A=RPRpMFG5DiuH4Me2ReofCDIxeK3pjVq+7UTLX2dtWYx9bGYak7LoJY9NsO7Y0IdpYyXG1k8C&D8S=_FNHAt
  http://www.adult-affi2401.com/p08r/
  http://www.clarysvillemotel.online/p08r/?b6A=/y0eURr3ltnoyVqmCF5+hABmIP5vOnvBOsV4557ulpQQHqCgOASkt/vB2/md2DwCkqo9P7oS&D8S=_FNHAt
  http://www.clarysvillemotel.online/p08r/
  http://www.puremicrodosing.com/p08r/?b6A=S62BtV/OXf7l+Oi9TcRmwChwada/mHY3jxfUfEoy5xEvr99fIfi+QJg3WuTcsjgo8nY7wmXr&D8S=_FNHAt
  http://www.globalservicesproviders.com/p08r/
  http://www.cyworldl.com/p08r/
  http://www.kennycheng.tech/p08r/
  http://www.flintandfern.com/p08r/
  http://www.flintandfern.com/p08r/?b6A=Ig7E2VbjhUNLzfDSaZHXL8/SDch0w/CqTC9CFS6jYTZ7o1whS6OcAV/jB/WfzBNJNz1c2WE1&D8S=_FNHAt
  http://www.consumersvoice.net/p08r/
  http://www.cameroon-infos.net/p08r/?b6A=IYc7WM2wy7ET8TsfVSWUiPW1jV3rdQu07vYpL+EaMYvNKjdhepHWyqeEAJ8IIY8trn3trjsC&D8S=_FNHAt
  http://www.lockolock.com/p08r/?b6A=BojzXC5XtUXJCn/sviLjp1FSKX3F4rfFxOtL/HTn2WsxIabSXw8AIYc51ovw4Dh6Oxhyfgcs&D8S=_FNHAt
  http://www.989451.com/p08r/?b6A=wgGfLhEduyoESPnrST6AXTlsvRUW71KfhZuOrHw7TI51lUsZgWgyOnM3Xtx4zYYaTke8CEyN&D8S=_FNHAt
  http://www.cameroon-infos.net/p08r/
  http://www.serviciomovistar.online/p08r/
  http://www.puremicrodosing.com/p08r/
  http://www.serviciomovistar.online/p08r/?b6A=F620ax2IXshNfJXYyz520Uk8ZUO6TkBejSV6e6QrtPv/Tnjc0fjbzMUqFeGXtuHmpTp57JhT&D8S=_FNHAt
  http://www.consumersvoice.net/p08r/?b6A=R7Z4cCaC1e2zv+EAWAiOXCWhjhnPFC37ZRsWBv89zgeIsWdkaTqQTyClsbCcSyhG48O6u0Ah&D8S=_FNHAt
hosts (26):
  www.cameroon-infos.net(185.46.123.48)
  www.puremicrodosing.com(91.184.0.100)
  www.clarysvillemotel.online(209.17.116.163)
  www.cyworldl.com(121.254.178.253)
  www.kennycheng.tech(198.54.121.137)
  www.elemnetoutdoor.com()
  www.globalservicesproviders.com(45.35.13.43)
  www.flintandfern.com(23.227.38.74)
  www.alskdfalskdf.com()
  www.lockolock.com(145.131.10.226)
  www.989451.com(134.122.133.133)
  www.serviciomovistar.online(2.57.90.16)
  www.adult-affi2401.com(150.95.54.145)
  www.consumersvoice.net(92.205.12.148)
  209.17.116.163 - mailcious
  150.95.54.145
  2.57.90.16 - mailcious
  45.35.13.43
  91.184.0.100 - mailcious
  134.122.133.133
  198.54.121.137 - phishing
  121.254.178.253 - mailcious
  145.131.10.226
  185.46.123.48
  23.227.38.74 - mailcious
  92.205.12.148
signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)

13134 | 2021-10-05 17:52 | cxl.exe | f51da2ac8cdfc1ff41921f0fceee4514 | score 5.8 | M | 26 | ZeroCERT
tags: NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (8):
  http://www.jillianvansice.com/noha/?-Z=bTEtFpzNECc+Zd5QB8tCW0UsQG/fhyCLGPTCJuWDJdj6hcfbAUUaBGVN8lsGkgtE30da91+N&rZ=X48HRfqP
  http://www.unarecord.com/noha/?-Z=YvZkpRzIvhyEmlzzRS448ue/J8Mk5cJYV8d0kFvUSx81G2wer5LDh4vokaiGyVzfr6bGhK1c&rZ=X48HRfqP
  http://www.pixlrz.com/noha/?-Z=pbWa/Zt+jrM37Qkna2LUMphJ1OY8Arc0yZpnLLVq+3NFtdjGEGVpqkOGzVDKwJoEZyTRHeQT&rZ=X48HRfqP
  http://www.trailer-racks.xyz/noha/?-Z=Ou7YUPBTFqGSK3DvNmtMJgItTS2fZVPHMamwR7WZ66jVlUXAfwWzjD3kZpIOV1hCTXPt1LBU&9r4P-=J4k0
  http://www.number-is-04.net/noha/?-Z=533EpRLMvdGd3LnMjF6P5H4aqTXvZDN7WJAPd7m9vKZsB2Z3JtcedJpU+7lZs6mIB3YhcvB0&rZ=X48HRfqP
  http://www.trailer-racks.xyz/noha/?-Z=Ou7YUPBTFqGSK3DvNmtMJgItTS2fZVPHMamwR7WZ66jVlUXAfwWzjD3kZpIOV1hCTXPt1LBU&rZ=X48HRfqP
  http://www.bois-applique.com/noha/?-Z=bUhQERLpyNF3S/4WPZx/2yInVQcXiLPDhxdoMCXhoM+5+115cTKOZoaz7w3+FhRX4eW13PBz&rZ=X48HRfqP
  http://www.onlyforu14.rest/noha/?-Z=P/l8qiYiqt8kvrDBUGtG7DlBr1gw3QxKROVjrB5CU3iUOyLfx1uglQZs8tc2Ej0fs967LZqC&rZ=X48HRfqP
hosts (22):
  www.micj7873.com()
  www.dirtcheapfire.com()
  www.mglracing.com()
  www.jillianvansice.com(34.102.136.180)
  www.auth-appsgo.com()
  www.unarecord.com(52.118.136.180)
  www.pixlrz.com(194.9.94.85)
  www.trailer-racks.xyz(172.67.131.184)
  www.number-is-04.net(183.181.96.123)
  www.xn--zbss74a16j.xn--czru2d()
  www.onlyforu14.rest(68.65.123.42)
  www.iphone13promax.support()
  www.xn--vhqp8mm8dbtz.group()
  www.bois-applique.com(178.32.114.31)
  www.thepretenseofjustice.com()
  68.65.123.42 - malware
  52.118.136.180
  183.181.96.123
  34.102.136.180 - mailcious
  178.32.114.31
  194.9.94.86 - mailcious
  172.67.131.184
signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers

13135 | 2021-10-05 17:52 | vbc.exe | 82878be02fe6a67ed47a89dac51640ca | score 11.4 | M | 30 | ZeroCERT
tags: NSIS Malicious Library PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1):
  http://136.243.159.53/~element/page.php?id=493 - rule_id: 5135
hosts (1):
  136.243.159.53 - mailcious
signatures (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
C2 URLs (1):
  http://136.243.159.53/~element/page.php

13136 | 2021-10-05 17:52 | vbc.exe | 054b8ad69f868fa172c8c46c735b5dbe | score 12.2 | M | 9 | ZeroCERT
tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1):
  http://checkvim.com/fd7/fre.php - rule_id: 5250
hosts (2):
  checkvim.com(82.202.194.8) - mailcious
  82.202.194.8
signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
C2 URLs (1):
  http://checkvim.com/fd7/fre.php

13137 | 2021-10-05 17:54 | jo.exe | 72ac15be91b759522fb1e874bb049ed6 | score 9.4 | M | 35 | ZeroCERT
tags: NSIS Malicious Library PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
URLs: none
hosts: none
signatures: none

13138 | 2021-10-05 17:56 | eflyairplane.png | c3e61b2bd99de2bc800e680eed9eaa75 | score 11.8 | ZeroCERT
tags: Emotet Gen1 Malicious Library AntiDebug AntiVM PE File PE32 OS Processor Check Dridex TrickBot Malware Report suspicious privilege MachineGuid Code Injection Malicious Traffic buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious process IP Check Kovter ComputerName DNS crashed
URLs (8):
  http://ipinfo.io/ip
  https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/5/kps/
  https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
  https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/14/user/test22/0/
  https://103.140.207.110/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/5/pwgrabb64/
  https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CFreeLiteDownload19XJ%5Ceflyairplane.exe/0/
  https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/14/NAT%20status/client%20is%20behind%20NAT/0/
  https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/0/Windows%207%20x64%20SP1/1108/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/hh1w4kTqDMTNM6UBLxIey1uynq3IpJv/
hosts (7):
  ipinfo.io(34.117.59.81)
  179.42.137.109 - mailcious
  179.42.137.102
  194.190.18.122
  179.42.137.104 - mailcious
  34.117.59.81
  103.140.207.110
signatures (6):
  ET POLICY Signed TLS Certificate with md5WithRSAEncryption
  ET POLICY curl User-Agent Outbound
  ET POLICY External IP Lookup ipinfo.io
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 1
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)

13139 | 2021-10-05 17:57 | intel.exe | 47c116db3f0e5d536352aaecbbc7d6b6 | score 6.2 | M | 60 | ZeroCERT
tags: Malicious Library PE File PE32 VirusTotal Malware Report Check memory Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion Browser DNS crashed
URLs: none
hosts (3):
  194.190.18.122
  103.140.207.110
  27.50.163.123 - malware
signatures (1):
  ET CNC Feodo Tracker Reported CnC Server group 1

13140 | 2021-10-05 17:57 | jfb.exe | f858612dba7ed5eabd87e508083c34f5 | score 6.0 | M | 35 | ZeroCERT
tags: NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (4):
  http://www.createacarepack.com/nk6l/?AjR=oZdYOW+6uh2zuK8xWj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFMfqhZNBk2mWOnf10lQ/&KtkPc=Ab805b4ps2kTRvUp
  http://www.gigasupplies.com/nk6l/?AjR=sMbkpEIa78TqkLB5rpiwDTFtc4P6BDcndICnHPV2jTzFq+m6JFJtgH1maSSXDo0SxR7/Ebcw&KtkPc=Ab805b4ps2kTRvUp
  http://www.rthearts.com/nk6l/?AjR=aQJ/5obTpOHNVgnCvNgrcEt00DsX5EewgNz5JOfO7ljBuP/TG6sC4VyDa90vv4w4T6a/FBxt&KtkPc=Ab805b4ps2kTRvUp
  http://www.gardeniaresort.com/nk6l/?AjR=6/L4S21g8RxaMOTPSfOWzfLlNnBIzAq4oR6J+9+RtmoRzP6TihvPvjh2BMZgYhIfV2DHyUbE&KtkPc=Ab805b4ps2kTRvUp
hosts (8):
  www.gardeniaresort.com(172.67.210.34)
  www.createacarepack.com(98.137.244.37)
  www.gigasupplies.com(23.227.38.74)
  www.rthearts.com(209.17.116.163)
  172.67.210.34
  23.227.38.74 - mailcious
  98.137.244.37 - mailcious
  209.17.116.163 - mailcious
signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
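The URL and host columns above repeat a handful of C2 request shapes: FormBook rows carry a four-character campaign directory (/x9r4/, /ntfs/, /p08r/, /noha/, /cmsr/, /nk6l/) with a two-key query on the GET check-in, the TrickBot row (13138) uses /lib158/<hostname>_<build>.<32-hex id>/<command>/..., and the LokiBot rows post to a fre.php or page.php gate. The script below is an added example by the editor, not code from ZeroCERT or from the sandbox: it parses strings copied from these rows into per-family indicator sets. The URL-shape rules and the reading of TrickBot command 5 as a module request are the editor's assumptions, inferred from the rows and the Suricata signatures they fired, not the sandbox's own classification logic.

```python
"""Parse the URL and host columns of the sandbox rows above into per-family
C2 indicators. Added by the editor; not code from ZeroCERT or the sandbox.
Sample strings are copied from rows 13127, 13130, 13133, 13135, 13136 and
13138. The URL-shape heuristics for FormBook, TrickBot and LokiBot are the
editor's assumptions from those rows and the Suricata signatures they fired;
they are triage aids, not the sandbox's own classification logic."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# FormBook (assumed shape): four-character campaign directory; the GET
# check-in adds a query of exactly two short keys (/x9r4/, /ntfs/, /p08r/ ...).
FORMBOOK_PATH = re.compile(r"^/([a-z0-9]{4})/$")
# TrickBot (assumed shape, from the lib158 rows):
#   /<gtag>/<HOSTNAME>_<OSBUILD>.<32-hex client id>/<command>/<arg>/<arg>/...
TRICKBOT_PATH = re.compile(
    r"^/(?P<gtag>[a-z0-9]+)/(?P<client>[A-Za-z0-9-]+_W\d+\.[0-9A-F]{32})"
    r"/(?P<cmd>\d+)/(?P<rest>.*)$"
)
# LokiBot panel gate (assumed shape): fre.php or page.php, as on the rows
# that fired "ET MALWARE LokiBot Checkin".
LOKIBOT_GATE = re.compile(r"/(?:fre|page)\.php$")
# Host-column entry: "name(ip)" or a bare "ip", optionally tagged "- label".
HOST_ENTRY = re.compile(r"(?P<name>[^\s(]+)(?:\((?P<ip>[^)]*)\))?(?:\s-\s(?P<label>[a-z]+))?")


def classify(url):
    """Describe which family's C2 URL shape the URL matches, if any."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    query = parse_qsl(parts.query, keep_blank_values=True)
    m = FORMBOOK_PATH.match(path)
    if m and (not query or (len(query) == 2 and all(len(k) <= 8 for k, _ in query))):
        return {"family": "FormBook", "host": host, "campaign": m.group(1),
                "checkin": bool(query)}
    m = TRICKBOT_PATH.match(path)
    if m:
        args = [unquote(p) for p in m.group("rest").split("/") if p]
        return {"family": "TrickBot", "host": host, "gtag": m.group("gtag"),
                "client": m.group("client"), "cmd": int(m.group("cmd")), "args": args}
    if LOKIBOT_GATE.search(path):
        return {"family": "LokiBot", "host": host, "gate": path}
    return {"family": None, "host": host}


def parse_hosts(column):
    """Split a flattened host column into [{'name', 'ip', 'label'}] entries."""
    return [{"name": m.group("name"), "ip": m.group("ip") or None,
             "label": m.group("label")} for m in HOST_ENTRY.finditer(column)]


def domains_by_ip(entries):
    """Group resolved domains by address; FormBook's decoy domains collapse
    onto a few shared hosting IPs, as the rows above show."""
    groups = defaultdict(set)
    for e in entries:
        if e["ip"]:
            groups[e["ip"]].add(e["name"])
    return {ip: sorted(names) for ip, names in groups.items()}


def extract_iocs(urls):
    """Collapse classified URLs into per-family indicator sets."""
    iocs = defaultdict(lambda: defaultdict(set))
    for url in urls:
        c = classify(url)
        if c["family"] is None:
            continue
        fam = iocs[c["family"]]
        fam["hosts"].add(c["host"])
        if c["family"] == "FormBook":
            fam["campaigns"].add(c["campaign"])
        elif c["family"] == "TrickBot":
            fam["gtags"].add(c["gtag"])
            fam["clients"].add(c["client"])
            if c["cmd"] == 5:  # module request (assumption from the kps/pwgrabb64 rows)
                fam["modules"].update(c["args"])
        elif c["family"] == "LokiBot":
            fam["gates"].add(c["host"] + c["gate"])
    return {f: {k: sorted(v) for k, v in d.items()} for f, d in iocs.items()}


# Sample input copied from the rows above (a few URLs per family).
SAMPLE_URLS = [
    "http://www.disciplednationscounsel.com/x9r4/?Rv=tQXubhpFGsyGhT3AXwUAcNu/WBDo50NRIhLgZHJcGW7IPZmP9naf0hbNiqNCMGqaL6rcqT/+&8pMxB4=GfoXPfjH-r40hn",
    "http://www.survivalfresh.com/ntfs/?AjR=21tLgbP2yagke5ca39MMCkaTw3ul+25tQiZH/vehq0MisVUMvB6xQMdWVewG09mnNKvW1Jqi&ndndsT=KdvDIh08e8D4",
    "http://www.lockolock.com/p08r/",
    "http://136.243.159.53/~element/page.php?id=493",
    "http://checkvim.com/fd7/fre.php",
    "https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/5/kps/",
    "https://103.140.207.110/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/5/pwgrabb64/",
    "https://194.190.18.122/lib158/TEST22-PC_W617601.C3B7726919B1BB253F714EB3974575A5/14/NAT%20status/client%20is%20behind%20NAT/0/",
    "http://ipinfo.io/ip",
]
# Excerpt of the host column of row 13127, verbatim.
SAMPLE_HOSTS = ("www.1233326.xyz() www.disciplednationscounsel.com(34.102.136.180) "
                "www.wg093.com(34.98.99.30) www.graececonsulting.com(34.98.99.30) - mailcious "
                "www.alchemywaxmelts.com(34.102.136.180) www.buoyantcode.com(34.102.136.180) "
                "34.102.136.180 - mailcious 34.98.99.30 - phishing")

if __name__ == "__main__":
    for family, indicators in extract_iocs(SAMPLE_URLS).items():
        print(family, indicators)
    print(domains_by_ip(parse_hosts(SAMPLE_HOSTS)))
```

Treat the output as triage input rather than a blocklist: the FormBook path rule also matches any benign request for a four-character directory, so a hit should be confirmed against the "ET MALWARE FormBook CnC Checkin (GET)" signature on the same row, and FormBook contacts a list of domains of which only one is the live C2, so the host set is a candidate list, not a set of confirmed servers. The TrickBot client id embeds the sandbox hostname (TEST22-PC) and OS build, which is why the same id appears on every request in row 13138; the gtag (lib158) and the module names are the stable parts.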