13291 | 2021-10-08 11:26
file.exe | db6a30fc47f61794d43ca50f0ac635fc
Tags: Malicious Library, PE File, PE32, OS Processor Check, VirusTotal, Malware, PDB, unpack itself
1.8 | M | 25 | ZeroCERT

13292 | 2021-10-08 11:28
mx.exe | 9541217b4276268f9cf0e6e2f01a08e2
Tags: NSIS, Malicious Library, PE File, PE32, OS Processor Check, DLL, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, ComputerName
URLs (20):
  http://www.efficientmother.com/noha/?Mjn8dTK0=Kn8BG0j13PT+fdehn0ecRK5TtgM7hEwDx6Ir9myzuy5hft3py86IuSi7z6NlkX23/IG2RvpY&IR9Dk4=3fFxw
  http://www.imonbayazid.com/noha/?Mjn8dTK0=upOZ6PrAG2ZdtPD6bJdPoGjorbFnC14tHGvdg8pRXaHzyQfaZGuhGqEgmemzXeBkBYwm47js&IR9Dk4=3fFxw
  http://www.bois-applique.com/noha/?Mjn8dTK0=bUhQERLpyNF3S/4WPZx/2yInVQcXiLPDhxdoMCXhoM+5+115cTKOZoaz7w3+FhRX4eW13PBz&IR9Dk4=3fFxw - rule_id: 5965
  http://www.marketingtipsntricks.com/noha/?Mjn8dTK0=dXkK42TjkDV8ApElYKc3WklGy88ofVoxrIW43HxsKnt67+EPCV+CYMLG06Fj92qydxRY4T+w&IR9Dk4=3fFxw
  http://www.efficientmother.com/noha/
  http://www.artehamburguer.com/noha/
  http://www.standardizedsubmissions.com/noha/?Mjn8dTK0=GK9Iij4dWGdWLGI8rL9KorDi156VJ86bzIwgF26pZJPilePG3H+sAuSIpYDMLu4exuJwhJUg&IR9Dk4=3fFxw
  http://www.unarecord.com/noha/?Mjn8dTK0=YvZkpRzIvhyEmlzzRS448ue/J8Mk5cJYV8d0kFvUSx81G2wer5LDh4vokaiGyVzfr6bGhK1c&IR9Dk4=3fFxw - rule_id: 5964
  http://www.bois-applique.com/noha/ - rule_id: 5965
  http://www.imonbayazid.com/noha/
  http://www.r2d2u.com/noha/
  http://www.onlyforu14.rest/noha/ - rule_id: 5962
  http://www.unarecord.com/noha/ - rule_id: 5964
  http://www.standardizedsubmissions.com/noha/
  http://www.aodesai.store/noha/?Mjn8dTK0=jNXElFR2OtuqYf82LF4n3edstrWz0xOH2pdB2jawHl0j72O1VC8tvoT1rH57qzPmPpxD4Y+z&nfutZl=xPJDZDjp
  http://www.onlyforu14.rest/noha/?Mjn8dTK0=P/l8qiYiqt8kvrDBUGtG7DlBr1gw3QxKROVjrB5CU3iUOyLfx1uglQZs8tc2Ej0fs967LZqC&IR9Dk4=3fFxw - rule_id: 5962
  http://www.r2d2u.com/noha/?Mjn8dTK0=ZqhtMyjM+olvYlg5E9e4KUZ/Rp6UxnNDbckrhrh9o2PIna/l82DGPwJoZNojCf8iwBxOhgIT&IR9Dk4=3fFxw
  http://www.artehamburguer.com/noha/?Mjn8dTK0=DIBCgQlqZpY9Thmaxf2kwZI9o6lnh3R5a85wuhZ9ARcS/yE4SOqWB+pyUDCzI4sO9p7f2GE3&IR9Dk4=3fFxw
  http://www.aodesai.store/noha/
  http://www.marketingtipsntricks.com/noha/
Hosts (27):
  www.imonbayazid.com(156.234.82.249)
  www.r2d2u.com(154.213.157.16)
  www.mglracing.com() - malicious
  www.zsnhviig.xyz()
  www.marketingtipsntricks.com(23.27.137.72)
  www.standardizedsubmissions.com(162.241.24.116)
  www.unarecord.com(52.118.136.180)
  www.spfldvaccineday.info()
  www.aodesai.store(104.18.26.58)
  www.xn--zbss74a16j.xn--czru2d()
  www.onlyforu14.rest(68.65.123.42)
  www.efficientmother.com(68.65.122.75)
  www.yyds9527.space()
  www.xn--vhqp8mm8dbtz.group() - malicious
  www.bois-applique.com(178.32.114.31)
  www.artehamburguer.com(192.185.209.235)
  www.denghaoxin.club()
  192.185.209.235
  162.241.24.116
  68.65.123.42 - malware
  154.213.157.16
  156.234.82.249
  23.27.137.72
  178.32.114.31 - malicious
  68.65.122.75
  104.18.26.58
  52.118.136.180 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (6):
  http://www.bois-applique.com/noha/
  http://www.unarecord.com/noha/
  http://www.bois-applique.com/noha/
  http://www.onlyforu14.rest/noha/
  http://www.unarecord.com/noha/
  http://www.onlyforu14.rest/noha/
6.4 | M | 23 | ZeroCERT

13293 | 2021-10-08 11:28
img-0878111036633.exe | f058ec68a9f1649827914157c3e3b45a
Tags: RAT, PWS, .NET framework, Generic Malware, PE File, PE32, .NET EXE, VirusTotal, Malware, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, ComputerName
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  apps.identrust.com(119.207.65.74)
  store2.gofile.io(31.14.69.10) - malicious
  31.14.69.10 - malicious
  121.254.136.57
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 | M | 13 | ZeroCERT

13294 | 2021-10-08 11:28
BBN.exe | b172b8e0bc46d457b39e4ac74e76e326
Tags: RAT, PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), PE File, PE32, .NET EXE, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
1.6 | M | 25 | ZeroCERT

13295 | 2021-10-08 11:30
plt_107510013098613.exe | fc1ac30e0bd33f65402eee320f49f829
Tags: RAT, PWS, .NET framework, Generic Malware, PE File, PE32, .NET EXE, VirusTotal, Malware, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, ComputerName
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  apps.identrust.com(119.207.64.153)
  store2.gofile.io(31.14.69.10) - malicious
  31.14.69.10 - malicious
  121.254.136.27
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 | M | 42 | ZeroCERT

13296 | 2021-10-08 11:30
vbc.exe | b21fc6ad7e9aabcf73702889dc017f67
Tags: Malicious Library, PE File, PE32, OS Processor Check, VirusTotal, Malware, PDB, unpack itself
2.2 | M | 42 | ZeroCERT

13297 | 2021-10-08 11:32
loader2.exe | 9ab5e8528c6928c400ec8f72d8f5bbd6
Tags: NSIS, Malicious Library, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, installed browsers check, Browser, Email, ComputerName, DNS, Software crashed
URLs (1):
  http://136.243.159.53/~element/page.php?id=485 - rule_id: 5135
Hosts (1):
  136.243.159.53 - malicious
Alerts (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Rule-matched URLs (1):
  http://136.243.159.53/~element/page.php
11.0 | M | 33 | ZeroCERT

13298 | 2021-10-08 11:33
jf.exe | 27e82e5a6ba22fd144a1aa0499ae1acd
Tags: NSIS, Malicious Library, PE File, PE32, OS Processor Check, DLL, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder
URLs (4):
  http://www.rthearts.com/nk6l/?xh6pFFa8=aQJ/5obTpOHNVgnCvNgrcEt00DsX5EewgNz5JOfO7ljBuP/TG6sC4VyDa90vv4w4T6a/FBxt&CR=CpCdU0E - rule_id: 5981
  http://www.okdahotel.com/nk6l/?xh6pFFa8=7Cx7t3AZ2id/O6OwSSjkUz51aeTB+IK9J6vBgt2n544Oy/iasIcSWdfBUkGyM4lqaa8FXgYE&CR=CpCdU0E
  http://www.poeticdaily.com/nk6l/?xh6pFFa8=rVD8+QajG6hBV5DMpuwEZ0RCKhEDH8x71UIWoVFRrcLN1VQdus1DI2AqPYOGAxFyY53e8M0A&CR=CpCdU0E
  http://www.olitusd.com/nk6l/?xh6pFFa8=A96J2yqZ15MRy9jQ1ShVttrHs3hZu5ufOYENCH+AED1FqV/nHh3IRBYvDz8bZEr5XGiorOrH&CR=CpCdU0E
Hosts (9):
  www.patsanchezelpaso.com()
  www.poeticdaily.com(34.102.136.180)
  www.olitusd.com(54.251.187.76)
  www.okdahotel.com(217.147.89.90)
  www.rthearts.com(209.17.116.163)
  217.147.89.90
  34.102.136.180 - malicious
  54.251.187.76
  209.17.116.163 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (1):
  http://www.rthearts.com/nk6l/
5.8 | M | 24 | ZeroCERT

13299 | 2021-10-08 11:35
stealler.exe | c241b933feb0df373ff34dafece3027b
Tags: Generic Malware, Themida Packer, PE File, PE32, .NET EXE, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Checks Bios, Detects VMWare, VMware anti-virtualization, Windows, Firmware, DNS, Cryptographic key, crashed
Hosts (1):
6.4 | M | 27 | ZeroCERT

13300 | 2021-10-08 11:35
wap-01.exe | ea7b66c47877294f9390eb621963295b
Tags: Generic Malware, AntiDebug, AntiVM, PE File, PE32, .NET EXE, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself
URLs (12):
  http://www.moms4real.com/shjn/
  http://www.j98066.com/shjn/?0nDXLD=hdjbmsHdtuA4QEGoB3oD94RkfqtpUesXyapBYMe8OtYPf+730hyQbFELkUIKszuSY0QpTSCu&JXRxqD=NV3dvb
  http://www.istanbulmadencilik.com/shjn/?0nDXLD=3vkpdSuKMvnDC3rwoy3XEE/QmC5Oa6WHwf0iKAQqafKqC5V/qBrSw6ZqP+AFqPHWLfbtjtIG&JXRxqD=NV3dvb
  http://www.asmrfans.com/shjn/?0nDXLD=B0iATFdGg1fPt2kCYbifVSHcC04NXb89TU0JggzXokPWoTa+EQBNijkKL3hjITOKiPX5zDRZ&JXRxqD=NV3dvb
  http://www.istanbulmadencilik.com/shjn/
  http://www.sumikkoremon.com/shjn/
  http://www.anamentor.com/shjn/ - rule_id: 5867
  http://www.asmrfans.com/shjn/
  http://www.anamentor.com/shjn/?0nDXLD=tv0gbh/H/soz9i/0EOOET4kbqB9H6LwHpkop0tG7g7gxjFABywsjhwxqrYIUZa09c3SMOexP&JXRxqD=NV3dvb - rule_id: 5867
  http://www.moms4real.com/shjn/?0nDXLD=/apFU/0WgNOPFK1wZ6Mb+W8OQw2lJHU1Pl5fd3jf0bzQkgezmpo0qn2O9NidYW6+N2V64fZ2&JXRxqD=NV3dvb
  http://www.sumikkoremon.com/shjn/?0nDXLD=UlDIkmAW5GM38pZYKJ99gEzGlA8Lt9FqO9GcKIEPhekb8YQNowAH1SHNE2AyqXgwjiXf7YLl&JXRxqD=NV3dvb
  http://www.j98066.com/shjn/
Hosts (15):
  www.j98066.com(159.138.153.156)
  www.anamentor.com(172.67.178.31)
  www.majesticgolftours.com()
  www.moms4real.com(154.208.173.55)
  www.wwv-kraken-apps.com(127.0.0.1)
  www.asmrfans.com(185.7.99.239)
  www.istanbulmadencilik.com(34.102.136.180)
  www.petscomfortgrooming.com()
  www.sumikkoremon.com(163.44.239.73)
  104.21.51.95 - malicious
  185.7.99.239
  47.243.55.106
  163.44.239.73 - malicious
  34.102.136.180 - malicious
  154.208.173.55
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (2):
  http://www.anamentor.com/shjn/
  http://www.anamentor.com/shjn/
9.4 | M | 20 | ZeroCERT

13301 | 2021-10-08 11:36
rollerkind.exe | 13125b46122981864bd9f93b018ff04a
Tags: Malicious Library, PE File, PE32, OS Processor Check, VirusTotal, Malware, PDB, unpack itself
1.8 | M | 19 | ZeroCERT

13302 | 2021-10-08 11:37
SteamWebHelper.exe | 2db0b5a09292133e794322cb14639b2c
Tags: Malicious Library, PE File, PE32, OS Processor Check, VirusTotal, Malware, AutoRuns, PDB, Creates executable files, unpack itself, AppData folder, Windows, Remote Code Execution
3.6 | M | 27 | ZeroCERT

13303 | 2021-10-08 11:39
bro.exe | cfbd1a2cbc6b71ecb11b80ddf05db117
Tags: PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, PE32, .NET EXE, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, crashed
8.8 | M | 26 | ZeroCERT

13304 | 2021-10-08 11:39
QTL076213000008.exe | 70eeaeae5a9624ca4fbaaef91d2adfdb
Tags: RAT, Generic Malware, Antivirus, PE File, PE32, .NET EXE, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  apps.identrust.com(119.207.65.137)
  store2.gofile.io(31.14.69.10) - malicious
  31.14.69.10 - malicious
  121.254.136.57
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | M | 16 | ZeroCERT

13305 | 2021-10-08 11:41
windows.exe | a1a6e9d23d017f11193700753a10b6cc
Tags: Generic Malware, UPX, PE File, PE32, .NET EXE, VirusTotal, Malware, MachineGuid, Check memory, Checks debugger, unpack itself
2.0 | M | 30 | ZeroCERT