13276 | 2021-10-07 18:18 | submitted by ZeroCERT
Sample: installer_2021-09-21_16-31.bmp
MD5: 6204c8a17955659856af5a12899414f5
Tags: Malicious Library AntiDebug AntiVM PE File PE32 OS Processor Check PDB Code Injection Checks debugger buffers extracted unpack itself WriteConsoleW Remote Code Execution DNS
URLs: none
Resolutions (2):
  162.0.214.42 - phishing
  162.0.210.44 - malicious
IDS alerts: none
Matched URL rules: none
Score: 6.8 | Flag: M | VirusTotal detections: not listed
13277 | 2021-10-07 18:18 | submitted by ZeroCERT
Sample: LivelyScreenRecLy2109.bmp
MD5: 2b3291f262d10bf7111cceadd232103c
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
URLs: none
Resolutions: none
IDS alerts: none
Matched URL rules: none
Score: 2.2 | Flag: M | VirusTotal detections: 47
13278 | 2021-10-07 18:23 | submitted by ZeroCERT
Sample: Sharefolder.exe
MD5: 168f3e8c4657a0fe90a2338f3971f6ed
Tags: RAT Gen1 Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File PNG Format JPEG Format .NET EXE DLL PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk suspicious TLD VM Disk Size Check Tofsee Windows ComputerName DNS crashed
URLs (14):
  http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/Elmet7adi/Hand_conductor.exe
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/NetworkStreamer/UpdateStream_Provider.exe
  http://requestimedout.com/xenocrates/zoroaster
  http://www.google.com/
  https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw
  https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_adxpertmedia_advancedmanager
  https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
  https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
  https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_piyyyyWW
  https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_slava_inlogsoftware
  https://connectini.net/Series/SuperNitou.php - rule_id: 1975
  https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
  https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
Resolutions (20):
  requestimedout.com(162.255.117.78)
  storewebitems.tech(5.182.39.146)
  i.spesgrt.com(172.67.153.179) - malware
  safialinks.com(162.0.214.42) - malware
  google.com(216.58.220.110)
  source3.boys4dayz.com(104.21.33.188)
  connectini.net(162.0.210.44) - malicious
  www.profitabletrustednetwork.com(192.243.59.12) - malicious
  apps.identrust.com(52.216.176.194)
  www.google.com(172.217.175.4)
  fscloud.su(104.21.47.231)
  142.250.204.36
  162.0.214.42 - phishing
  194.145.227.159 - malicious
  162.0.210.44 - malicious
  52.217.161.205
  52.217.201.37
  192.243.59.13
  142.250.66.46 - malicious
  162.255.117.78
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Matched URL rules (5):
  https://connectini.net/Series/kenpachi/2/goodchannel/
  https://connectini.net/Series/Conumer4Publisher.php
  https://connectini.net/Series/SuperNitou.php
  https://connectini.net/Series/configPoduct/2/goodchannel.json
  https://connectini.net/Series/Conumer2kenpachi.php
Score: 12.8 | Flag: M | VirusTotal detections: 24
Note: safialinks.com (162.0.214.42) and connectini.net (162.0.210.44) are the same two tagged IPs that record 13276 resolved; the two .exe downloads from safialinks.com are the second-stage fetches the ET POLICY / ET INFO alerts refer to.
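Working through a record like 13278 by hand is error-prone: the URL list and the resolution list are separate, and a verdict can sit on the domain ("safialinks.com(162.0.214.42) - malware") or on the bare IP ("162.0.214.42 - phishing"). The script below is an added example, not part of the sandbox output or of any project on this page; it parses the two fields exactly as they appear in record 13278 (copied verbatim into the two constants, including the sandbox's "mailcious" spelling, which is normalised) and joins every URL to its resolved IP and to whatever verdict tags apply to the host or the IP. The regular expressions and function names are my own assumptions about the listing format.

```python
"""Join the URL and resolution fields of a sandbox record into flagged IOCs.

Constructed input: URL_FIELD and DNS_FIELD are copied from record 13278.
"""
import re
from urllib.parse import urlparse

URL_FIELD = (
    "http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/Elmet7adi/Hand_conductor.exe "
    "http://apps.identrust.com/roots/dstrootcax3.p7c "
    "http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/NetworkStreamer/UpdateStream_Provider.exe "
    "http://requestimedout.com/xenocrates/zoroaster "
    "http://www.google.com/ "
    "https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw "
    "https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_adxpertmedia_advancedmanager "
    "https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 "
    "https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 "
    "https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_piyyyyWW "
    "https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_slava_inlogsoftware "
    "https://connectini.net/Series/SuperNitou.php - rule_id: 1975 "
    "https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 "
    "https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974"
)

DNS_FIELD = (
    "requestimedout.com(162.255.117.78) storewebitems.tech(5.182.39.146) "
    "i.spesgrt.com(172.67.153.179) - malware safialinks.com(162.0.214.42) - malware "
    "google.com(216.58.220.110) source3.boys4dayz.com(104.21.33.188) "
    "connectini.net(162.0.210.44) - mailcious "
    "www.profitabletrustednetwork.com(192.243.59.12) - mailcious "
    "apps.identrust.com(52.216.176.194) www.google.com(172.217.175.4) "
    "fscloud.su(104.21.47.231) 142.250.204.36 162.0.214.42 - phishing "
    "194.145.227.159 - mailcious 162.0.210.44 - mailcious 52.217.161.205 "
    "52.217.201.37 192.243.59.13 142.250.66.46 - mailcious 162.255.117.78"
)

# The sandbox spells one of its verdict tags "mailcious"; normalise it.
VERDICT_ALIASES = {"mailcious": "malicious"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
URL_RE = re.compile(r"https?://\S+")
# Either "domain(ip) - verdict" or a bare "ip - verdict"; the verdict is optional.
RES_RE = re.compile(
    rf"(?P<domain>[A-Za-z0-9.-]+)\((?P<ip>{IPV4})\)(?:\s+-\s+(?P<verdict>\w+))?"
    rf"|(?P<bare_ip>{IPV4})(?:\s+-\s+(?P<bare_verdict>\w+))?"
)


def parse_resolutions(field):
    """Return (domain -> ip, name_or_ip -> normalised verdict)."""
    domain_ip, verdicts = {}, {}
    for m in RES_RE.finditer(field):
        if m.group("domain"):
            key, verdict = m.group("domain"), m.group("verdict")
            domain_ip[key] = m.group("ip")
        else:
            key, verdict = m.group("bare_ip"), m.group("bare_verdict")
        if verdict:
            verdicts[key] = VERDICT_ALIASES.get(verdict, verdict)
    return domain_ip, verdicts


def flag_urls(url_field, dns_field):
    """Join every URL to its resolved IP and to the verdict tags on host or IP.

    Returns (url, host, ip, sorted tags) per URL. A host that never resolved,
    or that is itself an IP literal, is carried over as its own ip value.
    """
    domain_ip, verdicts = parse_resolutions(dns_field)
    rows = []
    for url in URL_RE.findall(url_field):   # \S+ stops before " - rule_id: N"
        host = urlparse(url).hostname
        ip = domain_ip.get(host, host)
        tags = {verdicts[k] for k in (host, ip) if k in verdicts}
        rows.append((url, host, ip, sorted(tags)))
    return rows


if __name__ == "__main__":
    for url, host, ip, tags in flag_urls(URL_FIELD, DNS_FIELD):
        mark = "FLAG" if tags else "    "
        print(f"{mark} {host:34} {ip:16} {','.join(tags):18} {url}")
```

Run against this record it flags the eleven connectini.net and safialinks.com requests and leaves the IdenTrust CRL fetch, requestimedout.com and www.google.com unflagged; note that safialinks.com picks up both the domain's "malware" tag and the IP's "phishing" tag, which is exactly the cross-reference that is easy to miss when reading the two lists separately.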
13279 | 2021-10-07 18:23 | submitted by ZeroCERT
Sample: sfx_123_207.exe
MD5: 52703313f94d0869dc584a1d9f681e74
Tags: Malicious Library UPX DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Processor Check DLL VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger WMI unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution DNS
URLs: none
Resolutions (1, not listed)
IDS alerts: none
Matched URL rules: none
Score: 7.8 | Flag: M | VirusTotal detections: 42
13280 | 2021-10-08 08:16 | submitted by ZeroCERT
Sample: Employee%20Update%20-%20Covid.... (filename truncated in the listing)
MD5: bb6169cac9a125cd63eedeb3893b920b
Tags: VBA_macro Generic Malware MSOffice File VirusTotal Malware Malicious Traffic unpack itself DNS
URLs (1, not listed)
Resolutions (2):
  185.176.220.198
  185.225.19.246
IDS alerts: none
Matched URL rules: none
Score: 3.2 | Flag: - | VirusTotal detections: 4
13281 | 2021-10-08 08:24 | submitted by ZeroCERT
Sample: trehjugdr4et6u.msi
MD5: 065e70c3b1e6841074a25aafa95e20bd
Tags: MSOffice File Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName
URLs (3):
  http://feristoaul.com/m?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=
  http://feristoaul.com/r?x=bmFtZT10ZXN0MjItUENcdGVzdDIyJm9zPTYuMSZhcmNoPXg4NiZidWlsZD0xLjAuMg==
  http://feristoaul.com/p?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=
Resolutions (2):
  feristoaul.com(46.161.40.172)
  46.161.40.172
IDS alerts (3):
  ET MALWARE MirrorBlast CnC Activity M3
  ET USER_AGENTS Suspicious User-Agent (REBOL)
  ET MALWARE MirrorBlast CnC Activity M2
Matched URL rules: none
Score: 3.0 | Flag: - | VirusTotal detections: 4
Note: the x= query values are plain base64. The /r request carries the victim fingerprint (host\user name, os, arch, implant build) and the /m and /p requests carry a per-victim uuid; the REBOL user agent is what the ET USER_AGENTS rule keys on.
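The three beacon URLs in record 13281 are worth decoding rather than just blocklisting, because the query string tells you what the implant reports home. The script below is an added example, not code from the page or from any analysis of MirrorBlast; it takes the three URLs exactly as the sandbox logged them (no network access) and decodes the x= parameter into its fields. The function names and the handling of missing base64 padding are my own choices; splitting the query string by hand rather than with urllib.parse.parse_qs is deliberate, since parse_qs would turn a + in the base64 alphabet into a space.

```python
"""Decode the MirrorBlast beacon parameters logged in record 13281.

Constructed input: BEACONS holds the three GET URLs from the record.
"""
import base64
from urllib.parse import urlparse

BEACONS = [
    "http://feristoaul.com/m?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=",
    "http://feristoaul.com/r?x=bmFtZT10ZXN0MjItUENcdGVzdDIyJm9zPTYuMSZhcmNoPXg4NiZidWlsZD0xLjAuMg==",
    "http://feristoaul.com/p?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=",
]


def query_params(url):
    """Split the query string by hand.

    urllib.parse.parse_qs applies unquote_plus, which would corrupt a '+'
    inside a base64 value; partition on the first '=' so trailing '=' padding
    stays part of the value.
    """
    params = {}
    for kv in urlparse(url).query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            params[key] = value
    return params


def decode_beacon(url):
    """Return (endpoint, {field: value}) for one beacon URL."""
    endpoint = urlparse(url).path.lstrip("/")
    raw = query_params(url)["x"]
    raw += "=" * (-len(raw) % 4)            # tolerate logs that dropped the padding
    plain = base64.b64decode(raw).decode("latin-1")   # victim names need not be UTF-8
    fields = {}
    for kv in plain.split("&"):
        key, _, value = kv.partition("=")
        fields[key] = value
    return endpoint, fields


def decode_all(urls):
    """Decode every beacon, preserving the order the sandbox logged them in."""
    return [decode_beacon(u) for u in urls]


if __name__ == "__main__":
    for endpoint, fields in decode_all(BEACONS):
        print(f"/{endpoint}: {fields}")
```

For this record the /r registration decodes to name=test22-PC\test22, os=6.1 (Windows NT 6.1, i.e. Windows 7, the sandbox VM), arch=x86 and build=1.0.2, while /m and /p both send uuid=75bac083-531c-403d-a810-65c5b5f231bc. The uuid and the build string are the stable parts worth extracting across samples; the host name is just the analysis machine.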
13282 | 2021-10-08 09:44 | submitted by ZeroCERT
Sample: 4.txt.ps1
MD5: 63226c632623e5e764ca4aa9bbbdfcd0
Tags: Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
URLs: none
Resolutions: none
IDS alerts: none
Matched URL rules: none
Score: 1.6 | Flag: - | VirusTotal detections: 10
13283 | 2021-10-08 09:46 | submitted by guest
Sample: vbc.exe
MD5: 48fdc5b6bdb43e972dff31304cf10ced
Tags: UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
URLs: none
Resolutions: none
IDS alerts: none
Matched URL rules: none
Score: 2.2 | Flag: - | VirusTotal detections: 36
13284 | 2021-10-08 10:00 | submitted by r0d
Sample: vbc.exe
MD5: 48fdc5b6bdb43e972dff31304cf10ced
Tags: Generic Malware Malicious Packer UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
URLs: none
Resolutions: none
IDS alerts: none
Matched URL rules: none
Score: 2.2 | Flag: - | VirusTotal detections: 36
Note: same MD5 as 13283, resubmitted fourteen minutes later; the second run added the Generic Malware and Malicious Packer tags but no network activity.
13285 | 2021-10-08 11:20 | submitted by ZeroCERT
Sample: rundll32.exe
MD5: e8a4177eb1ca6ffcb252e7cd2e8b1814
Tags: NPKI Gen1 Generic Malware Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Chrome Browser Email ComputerName Password
URLs (9):
  http://lg-tvproducts.xyz/5.jpg
  http://lg-tvproducts.xyz/
  http://lg-tvproducts.xyz/7.jpg
  http://lg-tvproducts.xyz/1.jpg
  http://lg-tvproducts.xyz/3.jpg
  http://lg-tvproducts.xyz/4.jpg
  http://lg-tvproducts.xyz/6.jpg
  http://lg-tvproducts.xyz/main.php
  http://lg-tvproducts.xyz/2.jpg
Resolutions (2):
  lg-tvproducts.xyz(195.133.18.140)
  195.133.18.140 - malware
IDS alerts (7):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)
  ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
Matched URL rules: none
Score: 17.0 | Flag: - | VirusTotal detections: 17
13286 | 2021-10-08 11:20 | submitted by ZeroCERT
Sample: nwamazx.exe
MD5: ab4ad2e9e771c6b25a452fb94b1cb033
Tags: NPKI Gen1 Generic Malware Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL JPEG Format Browser Info Stealer Malware download Vidar Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Chrome Browser Email ComputerName Password
URLs (9):
  http://lg-tvproducts.xyz/5.jpg
  http://lg-tvproducts.xyz/
  http://lg-tvproducts.xyz/7.jpg
  http://lg-tvproducts.xyz/1.jpg
  http://lg-tvproducts.xyz/3.jpg
  http://lg-tvproducts.xyz/4.jpg
  http://lg-tvproducts.xyz/6.jpg
  http://lg-tvproducts.xyz/main.php
  http://lg-tvproducts.xyz/2.jpg
Resolutions (2):
  lg-tvproducts.xyz(195.133.18.140)
  195.133.18.140 - malware
IDS alerts (6):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)
  ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
Matched URL rules: none
Score: 14.4 | Flag: M | VirusTotal detections: not listed
Note: different MD5 from 13285 but the same C2 (lg-tvproducts.xyz / 195.133.18.140), the same nine URLs and the same Vidar/Oski exfiltration signatures; the only alert missing here is the screenshot POST. The 1.jpg to 7.jpg fetches that trip "Suspicious EXE Download Content-Type image/jpeg" are the DLL downloads, not images.
13287 | 2021-10-08 11:21 | submitted by ZeroCERT
Sample: loader1.exe
MD5: b20cb526e8691731581ef0aa0d912a01
Tags: NSIS Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1):
  http://136.243.159.53/~element/page.php?id=488 - rule_id: 5135
Resolutions (1):
  136.243.159.53 - malicious
IDS alerts (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Matched URL rules (1):
  http://136.243.159.53/~element/page.php
Score: 11.2 | Flag: M | VirusTotal detections: 45
13288 | 2021-10-08 11:21 | submitted by ZeroCERT
Sample: IMG_741000106237874.exe
MD5: 55e2cd3776de61fd52462013c5eea531
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Resolutions (4):
  apps.identrust.com(119.207.65.81)
  store2.gofile.io(31.14.69.10) - malicious
  31.14.69.10 - malicious
  121.254.136.57
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Matched URL rules: none
Score: 3.2 | Flag: M | VirusTotal detections: 36
13289 | 2021-10-08 11:23 | submitted by ZeroCERT
Sample: .svchost.exe
MD5: d53b5fa49804ec991df980cb9797676f
Tags: Generic Malware UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
URLs: none
Resolutions: none
IDS alerts: none
Matched URL rules: none
Score: 2.0 | Flag: M | VirusTotal detections: 27
13290 | 2021-10-08 11:23 | submitted by ZeroCERT
Sample: GY.exe
MD5: 23c8eb156f6124878f21cf5c98c18071
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Windows Remote Code Execution crashed
URLs: none
Resolutions: none
IDS alerts: none
Matched URL rules: none
Score: 4.2 | Flag: M | VirusTotal detections: 25