13171 | 2021-10-06 13:53
vbc.exe 8f48ae7e6330a607031c4d7ac6ebef2d RAT Generic Malware Admin Tool (Sysinternals etc ...) Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key
URLs (2):
http://www.vabeachfishingcharters.com/s6tn/?adpHs0O=oJmonk6NKufDJxa4yvaYqbi8MTSZgIVC93Uxw9LH+2+fP6Mh9kwvmkvp3AFDgWmsWNzgMBvy&0nGT-0=LhrXPT3PdlRpW
http://www.theetcollective.com/s6tn/?adpHs0O=RUehyYXa4SbiG6WBiTIYi4+ut4pduN6XlYpoPDD6Qb4Wiaqqz3vOThrsGLfStPfWklcQ6Avj&0nGT-0=LhrXPT3PdlRpW
Hosts (6):
www.h14-pvzn.biz(116.50.47.104)
www.theetcollective.com(154.0.162.133)
www.vabeachfishingcharters.com(34.254.1.203)
116.50.47.104
154.0.162.133
34.254.1.203 - mailcious
Alerts (2):
ET INFO Observed DNS Query to .biz TLD
ET MALWARE FormBook CnC Checkin (GET)
11.6 | M | 30 | ZeroCERT

13172 | 2021-10-06 13:55
syz.exe 900b1c9abbab7a08f9f89b8e12fd2750 PWS .NET framework email stealer Generic Malware DNS Socket Escalate priviledges KeyLogger Code injection Downloader persistence AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS DDNS crashed
Hosts (2):
telegrammylink.ddns.net(45.133.1.143) - mailcious
45.133.1.143 - mailcious
Alerts (1):
ET POLICY DNS Query to DynDNS Domain *.ddns .net
11.6 | M | 28 | ZeroCERT

13173 | 2021-10-06 13:56
vbc.exe 790abe77329f408bb3cd8782d0592be0 Gen2 Emotet Gen1 NSIS Generic Malware Malicious Library ASPack Malicious Packer UPX Admin Tool (Sysinternals etc ...) Anti_VM PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Windows Browser
URLs (22):
http://www.khadarelhodge.com/b6a4/
http://www.cbspecialists.com/b6a4/
http://www.maximumsale.com/b6a4/?h0Gl9hf=jUXSBmmEOkRVD/snHUZVGd++nKvIB5C3Qlbp0N4c/DnjLwT5QCEf4v32ZuriMDGEoBVryIv8&MXEL9=XbiptfYxWjcdj6k0 - rule_id: 5324
http://www.aryadesigningstudio.com/b6a4/
http://www.starlangue.com/b6a4/?h0Gl9hf=g69R7dbOA8vG6mackXWbpFQiI3jHqcSgcWnxdpV03totRPt41IlhRiyddP1MDY+gUZ8Ltk0r&MXEL9=XbiptfYxWjcdj6k0
http://www.cabalzi.com/b6a4/ - rule_id: 5318
http://www.shuangyashanpower.com/b6a4/
http://www.kedaiherbalalami.com/b6a4/?h0Gl9hf=AClaEyNViDSune13/YZUUjazMao4yP2qoW92J+V8GQKrmRmlM8SyMJgG/BS9WoJI+nFJwME4&MXEL9=XbiptfYxWjcdj6k0 - rule_id: 5352
http://www.cabalzi.com/b6a4/?h0Gl9hf=vCEfkciNsJLnQ6NTKgmnH0RKiXqKx4X1OsBfXMLmCHhcM6UjpXRp9mu9MO0KT8GS97XSNDdh&MXEL9=XbiptfYxWjcdj6k0 - rule_id: 5318
http://www.asteroid.finance/b6a4/ - rule_id: 5316
http://www.42shenmao.com/b6a4/?h0Gl9hf=/YLPVle51s/wMjptNjSN7dsoOectpdxamVjEBuIIjQO2gjITNfwF/374CWCNKQU8LkxY9Lpe&MXEL9=XbiptfYxWjcdj6k0
http://www.cbspecialists.com/b6a4/?h0Gl9hf=evtpUE4huYbesJcHMcONCfRNSBT00PmI2ZEopGNqYdx8ef/JxfONVVxMCDT+WEjswdimTH7J&MXEL9=XbiptfYxWjcdj6k0
http://www.kedaiherbalalami.com/b6a4/ - rule_id: 5352
http://www.helpmovingandstorage.com/b6a4/ - rule_id: 5315
http://www.42shenmao.com/b6a4/
http://www.aryadesigningstudio.com/b6a4/?h0Gl9hf=yCgAN4tsczShp29S318tv4ZltSNu4XfQYE5+ktzl6CIAkzW36D9NAkECVM5DnUVdw2E5gUoj&MXEL9=XbiptfYxWjcdj6k0
http://www.helpmovingandstorage.com/b6a4/?h0Gl9hf=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&MXEL9=XbiptfYxWjcdj6k0 - rule_id: 5315
http://www.asteroid.finance/b6a4/?h0Gl9hf=qLtgNToSswb6CMFxrgf7fmc+nXqwhZnGR9zX0c9pvpxyA4sUtmU5qGoaAQCzoAft52FbUOHw&MXEL9=XbiptfYxWjcdj6k0 - rule_id: 5316
http://www.shuangyashanpower.com/b6a4/?h0Gl9hf=VB2wfkl4CXJnVTEEGMGPXmuuPrI7urt4dwMiQOsc4hS9dMr3PM8JoDhoprhFz887WFewqIR9&MXEL9=XbiptfYxWjcdj6k0
http://www.khadarelhodge.com/b6a4/?h0Gl9hf=ISFOGxfdiE1PPsNkkPhd2vjxQRkX0rrnM8iioAzdPJooWlLmYfY3DJnTJL0my3ntIGXVziQO&MXEL9=XbiptfYxWjcdj6k0
http://www.maximumsale.com/b6a4/ - rule_id: 5324
http://www.starlangue.com/b6a4/
Hosts (25):
www.cbspecialists.com(207.148.248.143)
www.starlangue.com(77.222.61.114)
www.maximumsale.com(3.223.115.185)
www.42shenmao.com(51.195.17.68)
www.msalee.net()
www.helpmovingandstorage.com(209.15.40.102)
www.khadarelhodge.com(192.185.0.218)
www.meetheveganz.com() - mailcious
www.aryadesigningstudio.com(34.98.99.30)
www.kedaiherbalalami.com(5.181.216.107)
www.profesyonelkampcadiri.net()
www.cabalzi.com(34.98.99.30)
www.dalvascleaningservice.com()
www.asteroid.finance(198.54.117.212)
www.shuangyashanpower.com(195.149.84.100)
198.54.117.218 - mailcious
207.148.248.143 - mailcious
51.195.17.68
5.181.216.107 - mailcious
209.15.40.102 - mailcious
34.98.99.30 - phishing
3.223.115.185 - mailcious
195.149.84.101
77.222.61.114
192.185.0.218 - mailcious
Alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (10):
http://www.maximumsale.com/b6a4/
http://www.cabalzi.com/b6a4/
http://www.kedaiherbalalami.com/b6a4/
http://www.cabalzi.com/b6a4/
http://www.asteroid.finance/b6a4/
http://www.kedaiherbalalami.com/b6a4/
http://www.helpmovingandstorage.com/b6a4/
http://www.helpmovingandstorage.com/b6a4/
http://www.asteroid.finance/b6a4/
http://www.maximumsale.com/b6a4/
6.2 | M | 63 | ZeroCERT

13174 | 2021-10-06 13:57
507913557.exe 99f51633e0f6419c6310a9e08d3626a1 Generic Malware Malicious Library Antivirus PE64 PE File GIF Format VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities powershell.exe wrote suspicious process AntiVM_Disk sandbox evasion WriteConsoleW Firewall state off VM Disk Size Check Tofsee Windows ComputerName Cryptographic key
URLs (2):
http://iplogger.org/1NWKh7
https://iplogger.org/1NWKh7
Hosts (4):
bitbucket.org(104.192.141.1) - malware
iplogger.org(88.99.66.31) - mailcious
88.99.66.31 - mailcious
104.192.141.1 - mailcious
Alerts (2):
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.8 | M | 38 | ZeroCERT

13175 | 2021-10-06 14:28
Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58 RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting DNS
URLs (1):
http://45.14.226.221/cdfe/Fack.jpg
Hosts (1):
4.4 | M | 33 | ZeroCERT

13176 | 2021-10-06 14:36
microsoftExcelEarth.jpg b724179ecfdd640b5b9d8cf902cbb820 Emotet Gen2 Gen1 Malicious Packer Malicious Library PE File PE32 OS Processor Check DLL Dridex TrickBot VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed
URLs (1):
https://103.9.188.78/zvs1/TEST22-PC_W617601.583AB3B7CD51FEABBEE773B10BBFC63F/5/kps/
Hosts (4):
103.123.86.104
45.115.172.105
36.95.23.89 - mailcious
103.9.188.78
Alerts (2):
ET POLICY Signed TLS Certificate with md5WithRSAEncryption
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
5.4 | | 8 | ZeroCERT

13177 | 2021-10-06 14:39
bleh.ppt f0da0a10cdf0e66706034fd14f70b06f VBA_macro Generic Malware Antivirus AntiDebug AntiVM MSOffice File PNG Format VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Interception Windows ComputerName Cryptographic key
URLs (11):
http://bitly.com/qtyiwedhjkabdhsagbdhnsavbd
https://www.blogger.com/static/v1/widgets/963277127-widgets.js
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=c284ae92-b0d2-4f96-8852-ffc3b557f602
https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html
https://www.blogger.com/static/v1/jsbin/186635561-comment_from_post_iframe.js
https://resources.blogblog.com/img/icon18_edit_allbkg.gif
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://www.blogger.com/img/share_buttons_20_3.png
https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
Hosts (8):
resources.blogblog.com(216.58.197.201)
bitly.com(67.199.248.15) - mailcious
kyahogysammajhnailagrahiat1.blogspot.com(172.217.24.129)
www.blogger.com(216.58.197.201)
142.250.66.129
67.199.248.14 - mailcious
172.217.31.233
142.250.66.105
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | | 19 | ZeroCERT

13178 | 2021-10-06 14:57
https://kyahogysammajhnailagra... 0f41820986333d27198258a02927fc1c Antivirus AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (34):
https://www.blogger.com/static/v1/widgets/963277127-widgets.js
https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D6736565095014907579%26blogspotRpcToken%3D1540682%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D6736565095014907579%26blogspotRpcToken%3D1540682%26bpli%3D1&go=true
https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=6736565095014907579&blogspotRpcToken=1540682&bpli=1
https://kyahogysammajhnailagrahiat1.blogspot.com/favicon.ico
https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://fonts.googleapis.com/css?family=Open+Sans:300
https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fkyahogysammajhnailagrahiat1.blogspot.com%2Fp%2Fog1-1.html&type=blog&bpli=1
https://www.google-analytics.com/analytics.js
https://www.blogger.com/img/share_buttons_20_3.png
https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html%26type%3Dblog%26bpli%3D1&go=true
https://resources.blogblog.com/img/anon36.png
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=c284ae92-b0d2-4f96-8852-ffc3b557f602
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
https://www.blogger.com/blogin.g?blogspotURL=https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html&type=blog
https://resources.blogblog.com/img/blank.gif
https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=HVOBT6Mp1feN9noQtTICieFh_C2gsjCcO__mLFs-bwg
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
https://www.google.com/css/maia.css
https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
https://www.blogger.com/static/v1/jsbin/186635561-comment_from_post_iframe.js
https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
https://www.blogger.com/img/blogger-logotype-color-black-1x.png
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=6736565095014907579&blogspotRpcToken=1540682
https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css
https://fonts.gstatic.com/s/opensans/v26/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4gaVQ.woff
https://www.blogger.com/static/v1/jsbin/1613438611-cmt__en_gb.js
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfBBc-.woff
https://resources.blogblog.com/img/icon18_edit_allbkg.gif
https://www.google.com/js/bg/HVOBT6Mp1feN9noQtTICieFh_C2gsjCcO__mLFs-bwg.js
Hosts (18):
resources.blogblog.com(216.58.197.201)
www.google.com(172.217.175.100)
www.gstatic.com(142.250.196.131)
fonts.googleapis.com(172.217.25.74)
kyahogysammajhnailagrahiat1.blogspot.com(172.217.24.129) - mailcious
accounts.google.com(172.217.161.77)
www.google-analytics.com(216.58.220.142)
fonts.gstatic.com(142.250.196.99)
www.blogger.com(216.58.197.201)
142.250.204.142
142.250.66.67
142.250.204.100
142.250.204.129
142.250.66.74
142.250.204.45
172.217.161.163
142.250.66.73
142.250.66.41
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | | ZeroCERT

13179 | 2021-10-06 15:54
1005_1662882485744.doc 1d1284db499feb490f85a3f99463a267 VBA_macro Generic Malware MSOffice File Vulnerability unpack itself
2.2 | | | Kim.GS

13180 | 2021-10-06 16:14
1005_1662882485744.doc 1d1284db499feb490f85a3f99463a267 VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself
2.0 | | | ZeroCERT

13181 | 2021-10-06 17:56
lpe.exe 1df4ccb14d198d81a2ba8a053cf3626a Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
1.8 | M | 23 | ZeroCERT

13182 | 2021-10-06 17:56
vbc.exe d27baa5536590d60f3c183d6aa0b9ddb NSIS Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder human activity check Windows ComputerName
Hosts (2):
2meonline.ddnsgeek.com(77.247.127.169) - mailcious
77.247.127.169
9.6 | | 18 | ZeroCERT

13183 | 2021-10-06 17:59
Update.exe d85e65af9f95ec441918502621be13b4 UltraVNC Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Windows ComputerName Cryptographic key crashed
URLs (1):
http://www.teknoarge.com/update/islem.php?mod=update&id=14454991&progid=2&oto=1
Hosts (2):
www.teknoarge.com(212.12.151.74) - malware
212.12.151.74 - malware
4.8 | M | 42 | ZeroCERT

13184 | 2021-10-06 18:16
doc-144430402.xls 8e7e1a9a754cdaf05c7969966d6ab878 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
http://access-cs.com/WH0dOuF31Vjo/sep.html
http://proflizbowles.com/FC28yk4Sx7Rr/sep.html
https://dreamonvibes.gr/PH5NmKjhY7js/sep.html
Hosts (5):
access-cs.com(198.46.82.18)
proflizbowles.com(198.46.82.18)
dreamonvibes.gr(192.185.35.74)
192.185.35.74 - mailcious
198.46.82.18
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
4.0 | | | guest

13185 | 2021-10-06 18:18
doc-1444048942.xls fcb53e0a9e6f45288b263a0145f9d74b Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (5):
http://access-cs.com/WH0dOuF31Vjo/sep.html - rule_id: 6075
http://access-cs.com/WH0dOuF31Vjo/sep.html
http://proflizbowles.com/FC28yk4Sx7Rr/sep.html - rule_id: 6074
http://proflizbowles.com/FC28yk4Sx7Rr/sep.html
https://dreamonvibes.gr/PH5NmKjhY7js/sep.html
Hosts (5):
access-cs.com(198.46.82.18)
proflizbowles.com(198.46.82.18)
dreamonvibes.gr(192.185.35.74)
192.185.35.74 - mailcious
198.46.82.18
Alerts (2):
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (2):
http://access-cs.com/WH0dOuF31Vjo/sep.html
http://proflizbowles.com/FC28yk4Sx7Rr/sep.html
4.0 | | | guest