13351 |
2021-10-08 17:29
|
REVISED PURCHASE ORDER.exe 020f8ee721322add5d0305a08bc865e2 RAT PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed |
|
2
blackb.duckdns.org(185.244.30.252) - mailcious 185.244.30.252
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
15.6 |
|
|
ZeroCERT
13352 |
2021-10-08 17:29
|
SWJ7380000239.PNG.scr 1d6c6ebc1c567d6c7e73a2fe7c04bdad Generic Malware Malicious Library DNS AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName Remote Code Execution DNS DDNS crashed |
|
3
strongodss.ddns.net(197.210.54.10) - mailcious 185.19.85.175 - mailcious 197.210.54.10
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
16.2 |
|
33 |
ZeroCERT
13353 |
2021-10-08 17:35
|
TH8938545845904.JPG.scr 77e7c359cd4b72b1698280b71f4ec5c8 Generic Malware Malicious Library DNS AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Remote Code Execution crashed |
|
|
|
|
13.0 |
|
25 |
ZeroCERT
13354 |
2021-10-08 17:35
|
SWTR5376383393.JPG.scr fafe214c03f1e66da0aa8fbcf50cc6a6 Generic Malware Malicious Library DNS AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName Remote Code Execution DNS DDNS crashed |
|
3
strongodss.ddns.net(197.210.54.10) - mailcious 185.19.85.175 - mailcious 197.210.54.10
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
17.2 |
|
34 |
ZeroCERT
13355 |
2021-10-08 17:37
|
ZYH~09876543234567-987654567.e... 2ccbb9c2db0f35ef80fbc7dd1f13411c RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
1116.hopto.org(185.140.53.9) - mailcious 185.140.53.9 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
|
15.4 |
|
20 |
ZeroCERT
13356 |
2021-10-11 09:55
|
rundll32.exe f93fe182b5ec5a3a1e343110b1ca22a0 NSIS Malicious Library PE File PE32 OS Processor Check DLL Emotet VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
4.4 |
|
31 |
ZeroCERT
13357 |
2021-10-11 09:55
|
rollerkind2.exe 8513b0c431334c6c5c6bcb99f2546325 Malicious Library PE File PE32 OS Processor Check PDB unpack itself |
|
|
|
|
1.0 |
|
|
ZeroCERT
13358 |
2021-10-11 09:57
|
DS.exe facac9092fbd9878bd2b5a0bbc2d0055 Malicious Packer UPX Malicious Library PE File PE32 VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Windows crashed |
|
|
|
|
3.4 |
M |
37 |
ZeroCERT
13359 |
2021-10-11 09:57
|
file.exe 22dccb5bba83abd89502fafda108b0ce Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself |
|
|
|
|
1.8 |
M |
22 |
ZeroCERT
13360 |
2021-10-11 10:01
|
fm.exe f3cfacb645a896421d6f9083897e8887 NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
11
http://www.groupninemed.com/noha/?NvWHJt=lvCRxprni/Iu4Xb0cYxnjQze0QPiFV0jDZ7jTVQcDsojxzhXqwn2iFqK753LFqKksQztMSnr&1bj=jlK0MhVxt http://www.mariadimitropoulou.com/noha/?NvWHJt=OpI7f+0Km3uF8QErh96y4UfCxqU+B78KM7iZg5orCNy4mHyPM1oOkE97tDp7RXQr0WnW8/Q8&1bj=jlK0MhVxt http://www.paddlercentral.com/noha/?NvWHJt=BflZB6OqREwGJlb9Sk842/jtcaZ5fuiyOju/J2yjGs5y9yumeUh4rkZlJ2CmfPQeRsVHYWsh&1bj=jlK0MhVxt http://www.simulatefuck.com/noha/?NvWHJt=3UR2uIfPulFdGcNwCm68yvPjTylt7u4HFjdICGqlfciJpq0vRWhT4BZscjCcYF3P85gFX7PT&1bj=jlK0MhVxt http://www.wkshops22012.xyz/noha/?NvWHJt=RebRg6mjS38HnQVFXuKaHIu5RFW1uZmRgUuld07QvOTPlsbmEhTTyuxWH3TxPNjfgX4h79Nk&1bj=jlK0MhVxt http://www.ranbix.com/noha/?NvWHJt=WqlLRyxmklHBR9bvDjAAjeD09IEXqdmYERcw+cExScONqRgH/+tJNETkvgWEj3p7qMAbvI1j&1bj=jlK0MhVxt http://www.number-is-04.net/noha/?NvWHJt=533EpRLMvdGd3LnMjF6P5H4aqTXvZDN7WJAPd7m9vKZsB2Z3JtcedJpU+7lZs6mIB3YhcvB0&1bj=jlK0MhVxt - rule_id: 5959 http://www.llcmastermachine.com/noha/?NvWHJt=Cr7+FRPE36fJRNF+5kkCw9g1tnWsfV4otLCv7DCNGJQx9ElyDO+ayRlzaO2NWarxkvHU10eu&1bj=jlK0MhVxt http://www.bonairemarathon.com/noha/?NvWHJt=CfFhcsmBnCLlkKf5ffInGLMZzIhhwlCqJPdqaYx0k1orYL70EHpmKvFIXv9rltq9xHJc66O3&1bj=jlK0MhVxt http://www.beauallenpoetry.com/noha/?NvWHJt=ceDwew5ozM+2tYIKmX5bctY7wq875Ed5vvDz8Yv10Jsktdi2pfgBVa05BRpFzyVFYnPslpoC&1bj=jlK0MhVxt http://www.headlinebysmp.com/noha/?NvWHJt=ozWyOMXinaZwMUakYGHIPoMs5gZF5fcGvcEi2jjLRr0L8mOJllSpWkT4nhlbZ81Fu5Rkb7br&1bj=jlK0MhVxt
|
26
www.headlinebysmp.com(104.16.15.194) www.paddlercentral.com(198.54.117.210) www.wkshops22012.xyz(184.168.96.164) www.mglracing.com() - mailcious www.beauallenpoetry.com(74.208.236.174) www.auth-appsgo.com() - mailcious www.nongminle.net() www.ranbix.com(199.193.6.162) www.simulatefuck.com(139.59.228.134) www.llcmastermachine.com(45.58.190.82) www.bonairemarathon.com(185.87.187.145) www.aegnoshipping.com() www.number-is-04.net(183.181.96.123) www.groupninemed.com(184.168.131.241) www.mariadimitropoulou.com(198.54.117.210) 139.59.228.134 74.208.236.174 - malware 199.193.6.162 198.54.117.211 - phishing 183.181.96.123 - mailcious 198.54.117.215 - mailcious 185.87.187.145 184.168.131.241 - mailcious 64.32.22.102 184.168.96.164 104.16.14.194 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
1
http://www.number-is-04.net/noha/
|
5.8 |
M |
21 |
ZeroCERT
13361 |
2021-10-11 10:01
|
96.exe ea800644b9dfd027807447fdd98241aa RAT Generic Malware task schedule ASPack Malicious Packer Malicious Library Antivirus ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer NetWireRC VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee DCRat Windows Browser ComputerName DNS Cryptographic key Software crashed |
10
http://188.120.247.145/scriptdemo/Warsystem/CpubinMathprogram/antisystemPythonphp/recordrecord/coreCpuCam/bin/supporthtop/cutgameMathgenerator/recordrecordCpuCam/loglogCamsystem/phpmobileCamCam/linuxWordpressdatalifecdnTemporary.php?BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS&39b69d362f51fb0180e3753d06acef2f=QY3cjZjJDZxQjZ0czNhFjM4MGM5UTMhRWZ3kzYmVTMhRDOiVDNjNzMwUDMzMDM0gTMygzNzEzM&0f1a5cdcbe121b534316670b7861f3bc=gZ5ImZ5ETOxMmN0kjZkRWZwUTMxkDO5QjYzEjYjRzNlFmM3ATNxYzN&16a1bd48dc8a4465093dd8dee2d8ec90=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 http://188.120.247.145/scriptdemo/Warsystem/CpubinMathprogram/antisystemPythonphp/recordrecord/coreCpuCam/bin/supporthtop/cutgameMathgenerator/recordrecordCpuCam/loglogCamsystem/phpmobileCamCam/linuxWordpressdatalifecdnTemporary.php?BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS&39b69d362f51fb0180e3753d06acef2f=QY3cjZjJDZxQjZ0czNhFjM4MGM5UTMhRWZ3kzYmVTMhRDOiVDNjNzMwUDMzMDM0gTMygzNzEzM&0f1a5cdcbe121b534316670b7861f3bc=gZ5ImZ5ETOxMmN0kjZkRWZwUTMxkDO5QjYzEjYjRzNlFmM3ATNxYzN&a8bd4009f819dc612a88747701d9ae54=d1nI0gDOzYzMwI2NyMmM4cDNyMjZiVDNmBjYmFWZzEDZhFjNhdTZ0ITNwIiOikzY3QTOxgTM5IGMwE2Y5QTNmV2MjlDZxATZiRTMyQDOiwiIhZDZmRjM0ETYwEDNkZWNwczYjR2MyYGN0MWMiJTYmNmM3E2YkNjZ3IiOiEWZzkDMlVTOxImM1QmMlRDM2YmY2QjZxYWO5gzYkVzMis3W&6cf5e4104872872b39c54edbb9e8d6a7=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 http://188.120.247.145/scriptdemo/Warsystem/CpubinMathprogram/antisystemPythonphp/recordrecord/coreCpuCam/bin/supporthtop/cutgameMathgenerator/recordrecordCpuCam/loglogCamsystem/phpmobileCamCam/linuxWordpressdatalifecdnTemporary.php?BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS&39b69d362f51fb0180e3753d06acef2f=QY3cjZjJDZxQjZ0czNhFjM4MGM5UTMhRWZ3kzYmVTMhRDOiVDNjNzMwUDMzMDM0gTMygzNzEzM&0f1a5cdcbe121b534316670b7861f3bc=gZ5ImZ5ETOxMmN0kjZkRWZwUTMxkDO5QjYzEjYjRzNlFmM3ATNxYzN 
http://188.120.247.145/scriptdemo/Warsystem/CpubinMathprogram/antisystemPythonphp/recordrecord/coreCpuCam/bin/supporthtop/cutgameMathgenerator/recordrecordCpuCam/loglogCamsystem/phpmobileCamCam/linuxWordpressdatalifecdnTemporary.php?BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS&3fa8bd4e23584991e2ef4ca0ef58599a=1488ac3f87e8ab55a8ca2895fac3eb7d&0f1a5cdcbe121b534316670b7861f3bc=gYjV2NlJGMjVGM3Y2NkRmYjlDM5UDMxcjYwYGMllzNjZWZ3kDMhNjN&BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS http://188.120.247.145/scriptdemo/Warsystem/CpubinMathprogram/antisystemPythonphp/recordrecord/coreCpuCam/bin/supporthtop/cutgameMathgenerator/recordrecordCpuCam/loglogCamsystem/phpmobileCamCam/linuxWordpressdatalifecdnTemporary.php?BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS&39b69d362f51fb0180e3753d06acef2f=QY3cjZjJDZxQjZ0czNhFjM4MGM5UTMhRWZ3kzYmVTMhRDOiVDNjNzMwUDMzMDM0gTMygzNzEzM&0f1a5cdcbe121b534316670b7861f3bc=gZ5ImZ5ETOxMmN0kjZkRWZwUTMxkDO5QjYzEjYjRzNlFmM3ATNxYzN&6cf5e4104872872b39c54edbb9e8d6a7=0VfiIiOiYDZhljY2IDNiRjZ5YTN4YGN5AzN4AzNxImN1IzY0IGNiwiI3UzYjJ2M0YjZ4IGNkZ2MyUDNiJDM0gDMlVzNiJWN0IjZlNWZ2MDMxIiOikzY3QTOxgTM5IGMwE2Y5QTNmV2MjlDZxATZiRTMyQDOiwiIhZDZmRjM0ETYwEDNkZWNwczYjR2MyYGN0MWMiJTYmNmM3E2YkNjZ3IiOiEWZzkDMlVTOxImM1QmMlRDM2YmY2QjZxYWO5gzYkVzMis3W 
http://188.120.247.145/scriptdemo/Warsystem/CpubinMathprogram/antisystemPythonphp/recordrecord/coreCpuCam/bin/supporthtop/cutgameMathgenerator/recordrecordCpuCam/loglogCamsystem/phpmobileCamCam/linuxWordpressdatalifecdnTemporary.php?BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS&39b69d362f51fb0180e3753d06acef2f=QY3cjZjJDZxQjZ0czNhFjM4MGM5UTMhRWZ3kzYmVTMhRDOiVDNjNzMwUDMzMDM0gTMygzNzEzM&0f1a5cdcbe121b534316670b7861f3bc=gZ5ImZ5ETOxMmN0kjZkRWZwUTMxkDO5QjYzEjYjRzNlFmM3ATNxYzN&a8bd4009f819dc612a88747701d9ae54=d1nIzQDOzkzNmNjZhJTYlVWZwAjZhVWNlJWOmFTM4cTZ3UjMjZGO1YmYzIiOikzY3QTOxgTM5IGMwE2Y5QTNmV2MjlDZxATZiRTMyQDOiwiIhZDZmRjM0ETYwEDNkZWNwczYjR2MyYGN0MWMiJTYmNmM3E2YkNjZ3IiOiEWZzkDMlVTOxImM1QmMlRDM2YmY2QjZxYWO5gzYkVzMis3W http://188.120.247.145/scriptdemo/Warsystem/CpubinMathprogram/antisystemPythonphp/recordrecord/coreCpuCam/bin/supporthtop/cutgameMathgenerator/recordrecordCpuCam/loglogCamsystem/phpmobileCamCam/linuxWordpressdatalifecdnTemporary.php?BRnh4=7pVTZBf9GU&gyC1lTzSDDchANH4lx1y1RZev62mdE=ej10xqPa7yO0OeHVFS&39b69d362f51fb0180e3753d06acef2f=QY3cjZjJDZxQjZ0czNhFjM4MGM5UTMhRWZ3kzYmVTMhRDOiVDNjNzMwUDMzMDM0gTMygzNzEzM&0f1a5cdcbe121b534316670b7861f3bc=gZ5ImZ5ETOxMmN0kjZkRWZwUTMxkDO5QjYzEjYjRzNlFmM3ATNxYzN&6cf5e4104872872b39c54edbb9e8d6a7=QX9JSUNJiOiYDZhljY2IDNiRjZ5YTN4YGN5AzN4AzNxImN1IzY0IGNiwiIzQDOzkzNmNjZhJTYlVWZwAjZhVWNlJWOmFTM4cTZ3UjMjZGO1YmYzIiOikzY3QTOxgTM5IGMwE2Y5QTNmV2MjlDZxATZiRTMyQDOiwiIhZDZmRjM0ETYwEDNkZWNwczYjR2MyYGN0MWMiJTYmNmM3E2YkNjZ3IiOiEWZzkDMlVTOxImM1QmMlRDM2YmY2QjZxYWO5gzYkVzMis3W https://cdn.discordapp.com/attachments/893177342426509335/896364505993478164/1584E3DD.jpg https://cdn.discordapp.com/attachments/893177342426509335/896364508291924018/EA731B75.jpg https://cdn.discordapp.com/attachments/893177342426509335/896364502570901514/7DB3BF04.jpg
|
3
cdn.discordapp.com(162.159.129.233) - malware 188.120.247.145 162.159.129.233 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/DCRat CnC Exfil
|
|
20.4 |
M |
20 |
ZeroCERT
13362 |
2021-10-11 10:02
|
BlueStacks.exe f3288557c97b978eb4a011de328ed93f Generic Malware Malicious Library PE File PE32 OS Processor Check PDB unpack itself |
|
|
|
|
1.0 |
M |
|
ZeroCERT
13363 |
2021-10-11 10:05
|
lis-0.exe a6dc10d7c082142c47aea5e53463af8b RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
16
http://www.douyinliu.com/shjn/?t8o=NXrH5dXVIf0JrfP3fCMohyU6UzMUuLBIs5HJamiAFJBa71zEFBe74zKYGEWK4Di7AkOyBynK&UlX=YvLHM - rule_id: 6220 http://www.pacelicensedelectrician.com/shjn/?t8o=VkQRrEiHlCMTfbqYon+0J45zSL0qeo3yQ3SwB83Uas6KiGXopFOC9AqH388Vlp7I+dcvmlG2&UlX=YvLHM http://www.adna17.com/shjn/?t8o=gIQVuDcRIY4XvFUAl53fICEJ91WI1iSE0AUdTXzTDGz082gomeG4pb7wdAGgUXgOeQAeJBXd&UlX=YvLHM - rule_id: 6219 http://www.adna17.com/shjn/ - rule_id: 6219 http://www.anamentor.com/shjn/?t8o=tv0gbh/H/soz9i/0EOOET4kbqB9H6LwHpkop0tG7g7gxjFABywsjhwxqrYIUZa09c3SMOexP&UlX=YvLHM - rule_id: 5867 http://www.bailey-holzwerk.com/shjn/?t8o=7575+ZyA+3AhhNdmtpbiyeHM+ziuXJXyS4M7vLGfe/3XLnVMcjxPEMnuXFvnyvALK/Vku+u1&UlX=YvLHM http://www.privatelymeeting.com/shjn/?t8o=WC6mZM07V0QeetghyDG6ZhC66ih1U/GhUT+zKl6s+Bbyt2zvJc6FkJ8w4blMoz/O8NOHIojL&UlX=YvLHM http://www.bailey-holzwerk.com/shjn/ http://www.myspoiledbytchcreations.com/shjn/?t8o=olO/4/34fTDYblSo6PVzSieAYEWJ8QjPszux+JGlGKA6HcH4zxO2wCejPiuwsk00ELnYHVXi&UlX=YvLHM - rule_id: 5866 http://www.lawsorlando.com/shjn/ http://www.lawsorlando.com/shjn/?t8o=+9h9GrLpR1HKiEUy/SkR4MIwS6FhLKFxRvUyTadh8W6vxv5wh11IZuaiHW1QDLv7SeRlfKXJ&UlX=YvLHM http://www.anamentor.com/shjn/ - rule_id: 5867 http://www.douyinliu.com/shjn/ - rule_id: 6220 http://www.privatelymeeting.com/shjn/ http://www.pacelicensedelectrician.com/shjn/ http://www.myspoiledbytchcreations.com/shjn/ - rule_id: 5866
|
17
www.pacelicensedelectrician.com(173.201.181.36) www.anamentor.com(104.21.51.95) www.douyinliu.com(103.224.212.219) www.wwv-kraken-apps.com(127.0.0.1) www.lawsorlando.com(34.102.136.180) www.privatelymeeting.com(213.186.33.5) www.adna17.com(35.215.156.178) www.myspoiledbytchcreations.com(199.34.228.176) www.bailey-holzwerk.com(81.169.145.90) 81.169.145.90 - mailcious 34.102.136.180 - mailcious 213.186.33.5 - mailcious 35.215.156.178 - mailcious 172.67.178.31 199.34.228.176 - mailcious 173.201.181.36 103.224.212.219 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
8
http://www.douyinliu.com/shjn/ http://www.adna17.com/shjn/ http://www.adna17.com/shjn/ http://www.anamentor.com/shjn/ http://www.myspoiledbytchcreations.com/shjn/ http://www.anamentor.com/shjn/ http://www.douyinliu.com/shjn/ http://www.myspoiledbytchcreations.com/shjn/
|
8.8 |
M |
43 |
ZeroCERT
13364 |
2021-10-11 10:06
|
111.exe 9b164a8d1003a08d50d8d282da9cde81 Malicious Packer Malicious Library PE64 PE File Malware Code Injection Malicious Traffic buffers extracted Tofsee DNS |
1
https://github.com/UnamSanctam/SilentETHMiner/raw/master/SilentETHMiner/Resources/ethminer.zip - rule_id: 2610
|
7
github.com(52.78.231.108) - mailcious raw.githubusercontent.com(185.199.108.133) - malware sanctam.net() - mailcious 52.78.231.108 - malware 185.199.110.133 - malware 117.18.237.29 208.95.112.1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://github.com/UnamSanctam/SilentETHMiner/raw/master/SilentETHMiner/Resources/ethminer.zip
|
3.4 |
M |
|
ZeroCERT
13365 |
2021-10-11 10:08
|
bwmonitor.exe 583ec7c5fb5616cf290f0f5ec21582d7 Emotet RAT Gen1 Generic Malware Themida Packer Malicious Library Antivirus Malicious Packer UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File GIF Format .NET EXE PE64 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder AntiVM_Disk suspicious TLD VMware anti-virtualization VM Disk Size Check human activity check installed browsers check Tofsee Windows Exploit Browser ComputerName Firmware DNS Cryptographic key Software crashed |
3
http://8yfg.federguda.ru/ https://iplogger.org/favicon.ico https://iplogger.org/1hWNy7
|
5
8yfg.federguda.ru(81.177.141.85) iplogger.org(88.99.66.31) - mailcious 40.121.139.210 88.99.66.31 - mailcious 81.177.141.85 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
18 |
ZeroCERT