13141 | 2021-10-05 17:59
mo.exe 056200319751e3b276a22f27bd1149f0 NSIS Malicious Library PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
9.2 | M | 23 | ZeroCERT

13142 | 2021-10-05 17:59
esmallruby.png 27b1967b1a15a26dbdc9863068c44799 Malicious Library PE File PE32 OS Processor Check Dridex TrickBot Malware suspicious privilege buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
Hosts (6):
  18.139.111.104
  179.42.137.106 - mailcious
  179.42.137.104 - mailcious
  202.183.12.124
  27.50.163.123 - malware
  171.103.189.118
Signatures (1):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
6.8 | M | | ZeroCERT

13143 | 2021-10-05 18:01
vbc.exe c3e9c249becb24a345309463006d9d72 Loki NSIS Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
Hosts (3):
  74f26d34ffff049368a6cff8812f86ee.gq(104.21.62.32) - mailcious
  104.21.62.32 - mailcious
  34.117.59.81
Signatures (10):
  ET INFO DNS Query for Suspicious .gq Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.gq domain
  ET INFO HTTP Request to a *.gq domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
10.6 | M | 25 | ZeroCERT

13144 | 2021-10-05 18:05
mxo.exe 7e17686d4ba718b453ca93634c1c91ee NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (22):
  http://www.georgialogisticscontractors.com/pusp/?xVJtG4Th=uXFBoWTbwpRe3QPmrmmdA8fVM1sPFIdCr4IpmJZcwBKKd8ZRxWIMBxwaKrU120JbOkE11jfq&1bw=L6Adp0uXjfuLdDA0
  http://www.nm-ent.com/pusp/?xVJtG4Th=QKlvSsq1g3ywZ5RJgqHKfBX77rwF+3OkPjfWtJrcAgJEUgRrzskrjCLYXcfubbSsfkZBuGOB&1bw=L6Adp0uXjfuLdDA0
  http://www.dhgjjtq.com/pusp/?xVJtG4Th=F7NxiRsX9aeJ/xS6ytSC95ekg6G+Iab4R7P/P6ebpmQyNfgbdryclrgzZKUl+RJmXhHCbEcs&1bw=L6Adp0uXjfuLdDA0
  http://www.ez8-pay.com/pusp/
  http://www.usfiltros.com/pusp/?xVJtG4Th=8j5ZDxP5Kjr1GqC+NJhJWhBuUGifdIvct6dCH9aw24IiMW6kEE6uvcqT9EmS++Kc3UzZ5CjP&1bw=L6Adp0uXjfuLdDA0
  http://www.dhgjjtq.com/pusp/
  http://www.advancedautoair.repair/pusp/?xVJtG4Th=nmJFn5gWHgR85O5qeMhC8SY2AOi9nxjXr1zOp9/mLaHLfpEZyMhYyybAfbJv5rCssjX9d6Xn&1bw=L6Adp0uXjfuLdDA0
  http://www.fieldsauction.online/pusp/
  http://www.ez8-pay.com/pusp/?xVJtG4Th=WjGeI7p1H4+/S9Zuvg4I2DZNA92GuQJFuoH+crR+gUAo1tApr80Jm27CU4T9SRDjyVSBKp3E&1bw=L6Adp0uXjfuLdDA0
  http://www.colonelabrams.com/pusp/
  http://www.georgialogisticscontractors.com/pusp/
  http://www.fanaticscardgroup.com/pusp/
  http://www.morgsanusa.com/pusp/?xVJtG4Th=/Fjax9oi/YhlDG4ZDyfPMUGG3veF+C45tP1S8dUcdfoMjlb2IAI5B23eH5djDsayMc3auOGa&1bw=L6Adp0uXjfuLdDA0
  http://www.usfiltros.com/pusp/
  http://www.fanaticscardgroup.com/pusp/?xVJtG4Th=LcRe9pjN5Gb8pjGdHIWKy0hSBOjCts21Z8mM0bPkxuRl55vVFJrqur5aeHJ3ehnhmvvyB+PF&1bw=L6Adp0uXjfuLdDA0
  http://www.fieldsauction.online/pusp/?xVJtG4Th=VrWe0xVr9ux9Mcv5Ey2q6vLJLLqsoVD/pcwJdQ9af4hJVfahtpaWhvXjPrPh/9jB4zO7QS6q&1bw=L6Adp0uXjfuLdDA0
  http://www.geemove.com/pusp/?xVJtG4Th=2U8gML9VR2lXg8r2cxwKt3kTtYK9n+QtiPzqfiX0r0tg/nEfsGYGs5OQxuADyIoex9ZgHdg6&1bw=L6Adp0uXjfuLdDA0
  http://www.morgsanusa.com/pusp/
  http://www.nm-ent.com/pusp/
  http://www.colonelabrams.com/pusp/?xVJtG4Th=GpOemIVbAEkRtcZWG0w6ZY9t/Kj0kHMZJUri0oAYzPXxYIlKghPFhBLyPyQ6wS25kQBXaNQK&1bw=L6Adp0uXjfuLdDA0
  http://www.advancedautoair.repair/pusp/
  http://www.geemove.com/pusp/
Hosts (26):
  www.fieldsauction.online(203.170.80.250)
  www.geemove.com(72.167.241.180)
  www.ez8-pay.com(34.102.136.180)
  www.advancedautoair.repair(209.17.116.163)
  www.usfiltros.com(2.57.90.16)
  www.phbs-tea.com()
  www.nm-ent.com(74.208.236.228)
  www.georgialogisticscontractors.com(182.50.132.242)
  www.dhgjjtq.com(168.76.29.184)
  www.fanaticscardgroup.com(198.54.117.216)
  www.b148twpvne5uvxloele5274.com()
  www.morgsanusa.com(166.88.19.181)
  www.sjsndtvitzru.mobi()
  www.colonelabrams.com(184.168.131.241)
  www.jesuspass.com()
  209.17.116.163 - mailcious
  168.76.29.184
  166.88.19.181 - mailcious
  74.208.236.228
  184.168.131.241 - mailcious
  72.167.241.180 - mailcious
  198.54.117.212 - mailcious
  34.102.136.180 - mailcious
  182.50.132.242 - mailcious
  2.57.90.16 - mailcious
  203.170.80.250 - phishing
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 19
6.2 | M | 29 | ZeroCERT

13145 | 2021-10-05 18:06
nf.exe e007d4f9bcd9d51aff452fa92631fb93 NSIS Malicious Library PE File PE32 DLL VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS DDNS
Hosts (2):
  doubleup.ddns.net(185.140.53.14)
  185.140.53.14
Signatures (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
11.6 | M | 36 | ZeroCERT

13146 | 2021-10-06 13:23
BUSINESS%20FILES.exe 7e360ceb5c5948199b7a9528909e94b5 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
URLs (2):
  http://www.haroldbrandon.com/rf3t/?Qzr=t+7/aGZMeVZ7qsEt5+4DmBD8HyUQSDbBqUHSzjReRbXHaiGlO3MURrtIfM/Rf2R0aEUe0WBN&MJBx=FdCxDn7P6z6LifAP
  http://www.abouttohour.com/rf3t/?Qzr=dxabV5xweBKddW3hBDYDNLhqd7jg5/k4VAxBEzq92W65ij6GfsSmxJ7KJPHKVEBEKh4WCjoG&MJBx=FdCxDn7P6z6LifAP
Hosts (5):
  www.abouttohour.com(35.206.99.234)
  www.thewiseowl.art()
  www.haroldbrandon.com(192.185.21.196)
  192.185.21.196
  35.206.99.234
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
11.0 | M | 24 | ZeroCERT

13147 | 2021-10-06 13:26
aeopmguywjffmigwnfbefrvgqg.exe 06d3c19201d5c4fd9d069605dd46c514 Generic Malware DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API ScreenShot Http API Downloader persistence AntiDebug AntiVM PE File PE32 .NET EXE DarkComet VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process Windows DNS DDNS keylogger
Hosts (3):
  sommerishere.sytes.net(212.192.246.92)
  ommerishere.sytes.net()
  212.192.246.92
13.0 | M | 31 | ZeroCERT

13148 | 2021-10-06 13:27
Build18_1950eu.exe 5f251ddf1f41eb3ccc330508f173152a Gen1 Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check Stealer Windows Browser Email ComputerName DNS
URLs (8):
  http://185.215.113.22/public/nss3.dll
  http://185.215.113.22/public/freebl3.dll
  http://185.215.113.22/public/mozglue.dll
  http://185.215.113.22/public/softokn3.dll
  http://185.215.113.22/public/vcruntime140.dll
  http://185.215.113.22/E2vacMBpWA.php
  http://185.215.113.22/public/sqlite3.dll
  http://185.215.113.22/public/msvcp140.dll
Hosts (1):
Signatures (5):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
11.8 | M | 42 | ZeroCERT

13149 | 2021-10-06 13:28
VmvadDHPESlhU8X.exe 3f3aeea5e1ee0c4d28f32e77b4eb2ff0 RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
10.6 | M | 19 | ZeroCERT

13150 | 2021-10-06 13:28
946792219.exe 61f9521aba6003796e3e2544dfdb2596 Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution
2.8 | M | 47 | ZeroCERT

13151 | 2021-10-06 13:30
398562008.exe e7c85909bd98c3b3d5b1cd85f55023dc Malicious Library PE File PE32 OS Processor Check JPEG Format VirusTotal Malware PDB Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Remote Code Execution
4.0 | M | 28 | ZeroCERT

13152 | 2021-10-06 13:31
new.exe 3c4bb0d8ea06d2b95ee937a82a860d69 Generic Malware UPX Anti_VM PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Remote Code Execution Firmware DNS Cryptographic key crashed
Hosts (1):
  192.162.242.94 - mailcious
7.6 | | 47 | guest

13153 | 2021-10-06 13:32
852188550.exe 26ac6f38b111522b7802b03d1fa93e5f Malicious Library AntiDebug AntiVM PE File PE32 OS Processor Check JPEG Format VirusTotal Malware Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows Remote Code Execution DNS Cryptographic key
Hosts (1):
  185.180.220.105 - mailcious
10.8 | M | 26 | ZeroCERT

13154 | 2021-10-06 13:32
1629822095.exe 049ae3aa2c71389246c85aa2013b6357 RAT PWS .NET framework Generic Malware PE File PE32 OS Processor Check .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key
URLs (1):
3.6 | M | 35 | ZeroCERT

13155 | 2021-10-06 13:34
gyty.wbk 9f33914979fc685f81ab79066877d01c RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself suspicious TLD Windows Exploit DNS crashed Downloader
URLs (28):
  http://www.wandawallinbristow.com/p08r/
  http://www.apeironnature.com/p08r/?sZ=2/kdXLcJs10/2cxW7t+Sgy9pAx78D6goaK23LVVxeGeEx+y6ZAUjhmiP7vRD9HtJk4HFEsVc&4hO=NVxxIf
  http://www.minisoshop.com/p08r/
  http://www.oarlary.xyz/p08r/
  http://www.110cy.top/p08r/?sZ=MhB7f0VRGu4oeye/TacVaH4JpmGIqSeDQM+dXwNRcYHzFlxosf73jULnoJMcxlrSEXGcWsCB&4hO=NVxxIf
  http://www.tasteofgadsdencounty.com/p08r/
  http://www.happinessfashionline.com/p08r/
  http://www.tradeplay.net/p08r/?sZ=4thJWcvRSTe4hV1bGSZ95meEdt450t9mNZxRaqxPEFoJU5xgEKef2WLJHyAlacZU2kQP+u82&4hO=NVxxIf
  http://www.happinessfashionline.com/p08r/?sZ=it2rKjXdnbVdg6Y0HoOw2Hy/OdzuHI5rq3rX4BBmEIww4S6XrH8d+i6ixz5qwTyrhXsqwNMN&4hO=NVxxIf
  http://www.oarlary.xyz/p08r/?sZ=HWuJJXMS6EhDI+SwYjpjarifwZNGFMDpOH1wTDyGnvjHCAjlH9SD6hFmgIuMNdw6hyZKLj5p&4hO=NVxxIf
  http://www.110cy.top/p08r/
  http://www.xaudix.com/p08r/?sZ=AfsQzanRa/K71Sp+FC4vF/VUIPkDyKYCI0bhlWQZ5rKPtKnDleIrjtZ/eJx+lPng/2gI4886&4hO=NVxxIf
  http://www.tradeplay.net/p08r/
  http://www.puremicrodosing.com/p08r/?sZ=S62BtV/OXf7l+Oi9TcRmwChwada/mHY3jxfUfEoy5xEvr99fIfi+QJg3WuTcsjgo8nY7wmXr&4hO=NVxxIf - rule_id: 5950
  http://www.shopmoly.com/p08r/
  http://www.blinglj.com/p08r/?sZ=VhZ5aNjufsg8yIKFt86vwNN5rsRGseTwSosfAD2rdPJJdPLarQSvJQIy1XR6o6k+V62Ea4hf&4hO=NVxxIf
  http://www.shopmoly.com/p08r/?sZ=haQmUSKM/WHARPa2Lp+DqCKAjRoaKWuSZ/KrsjvHPH5ydyX7t0iOLK3MGHUJ/6Ys8itQ83ll&4hO=NVxxIf
  http://www.wandawallinbristow.com/p08r/?sZ=rIasJTgHnlhvn49Ec1ufSUMfKeevfsoIo8VQBxBAm8yCbmuzA/iYh299dFqwI1FD4s8UWgPB&4hO=NVxxIf
  http://www.apeironnature.com/p08r/
  http://www.minisoshop.com/p08r/?sZ=yt/y475BYeETL6/9CyyYP81IgtfMvB7e1GH5lU8k0UJ3W/3fb9aNkbEZFhB5uAoBowubwcMf&4hO=NVxxIf
  http://www.blinglj.com/p08r/
  http://www.tasteofgadsdencounty.com/p08r/?sZ=r9Yl5R9exgSt+THckHRGQHMSQ7lUP1MIKTFoA2QCQOTNM6XNLCYZhM17LQ5O2O7QDP/PNXJW&4hO=NVxxIf
  http://www.xaudix.com/p08r/
  http://www.standunitedforamerica.us/p08r/?sZ=B2ekqSjam2FgOpOVxsnLxAFuSlZHI4NAcaOSHs117iNT154ovp+tvM1jF1ib5fJR9u9nduUX&4hO=NVxxIf
  http://www.puremicrodosing.com/p08r/ - rule_id: 5950
  http://www.tamaracastrillejo.com/p08r/?sZ=CnBaoYh9B4vymKiOFoQY3BcfDLNsJjln6ysWXfUNxXKSA6sOsy6cNvjP7hJHh5O3EQTGDoh3&4hO=NVxxIf
  http://www.standunitedforamerica.us/p08r/
  http://www.tamaracastrillejo.com/p08r/
Hosts (28):
  www.tradeplay.net(172.67.128.125)
  www.happinessfashionline.com(100.24.208.97)
  www.minisoshop.com(3.223.115.185)
  www.bgcs.online()
  www.puremicrodosing.com(91.184.0.100)
  www.apeironnature.com(34.102.136.180)
  www.shopmoly.com(128.199.158.128)
  www.xaudix.com(182.50.132.242)
  www.blinglj.com(23.227.38.74)
  www.110cy.top(156.241.132.45)
  www.tasteofgadsdencounty.com(34.102.136.180)
  www.tamaracastrillejo.com(104.21.42.37)
  www.standunitedforamerica.us(34.102.136.180)
  www.wandawallinbristow.com(192.249.119.170)
  www.oarlary.xyz(104.21.34.240)
  128.199.158.128
  156.241.132.45
  34.102.136.180 - mailcious
  100.24.208.97
  182.50.132.242 - mailcious
  192.249.119.170
  198.12.107.117 - malware
  3.223.115.185 - mailcious
  172.67.155.197
  172.67.166.87
  104.21.2.9
  23.227.38.74 - mailcious
  91.184.0.100 - mailcious
Signatures (11):
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP Request to a *.top domain
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET HUNTING Request to .TOP Domain with Minimal Headers
Rule-matched URLs (2):
  http://www.puremicrodosing.com/p08r/
  http://www.puremicrodosing.com/p08r/
5.8 | M | 27 | ZeroCERT