13396 | 2021-10-12 09:51 | SMKMBT-00000789-2021-10-90340.... | 4169b7a2e71ecfb831565118b9b6a3bb | Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName | | 2 faith.dnsabr.com(172.94.85.78) 172.94.85.78 | | | 12.6 | | 24 | ZeroCERT
13397 | 2021-10-12 09:54 | vbc.exe | cda5dff7abc114308bd9491cacb36e0d | RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key crashed | | | | | 11.0 | M | 34 | ZeroCERT
13398 | 2021-10-12 09:55 | LOGS.exe | 3f6f7c01dc86ddaabade6d6665967c0a | RAT AgentTesla(IN) Generic Malware Admin Tool (Sysinternals etc ...) Malicious Packer UPX Malicious Library DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW human activity check Tofsee Windows ComputerName DNS Cryptographic key crashed | 1 | 5 www.google.com(172.217.161.68) 142.250.66.68 13.107.21.200 172.217.174.196 185.140.53.52 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 18.0 | M | 51 | ZeroCERT
13399 | 2021-10-12 09:56 | CCle.exe | cd3ee914a93505c4826084e77c4bfe28 | Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution | | | | | 2.2 | | 20 | ZeroCERT
13400 | 2021-10-12 09:57 | vbc.exe | 41bc8c583d9904897e2b504f127ced23 | NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder | 20
| 24
| 2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers | | 8.2 | M | 39 | ZeroCERT
13401 | 2021-10-12 09:58 | game.exe | 446d891b81bee0bfd287bd1f968c5ac3 | Malicious Library PE File PE32 OS Processor Check PDB unpack itself Remote Code Execution | | | | | 1.4 | | | ZeroCERT
13402 | 2021-10-12 09:58 | Swift_copy.cab | 1a6b2d478c45cb2244454829f79c7974 | Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself | | | | | 2.2 | | 19 | ZeroCERT
13403 | 2021-10-12 10:01 | profit.exe | 31c0c5e61f7616bd625cc9a1a3117e96 | Themida Packer UPX Anti_VM PE File PE32 .NET EXE Browser Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious TLD VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed | 2 http://apps.identrust.com/roots/dstrootcax3.p7c https://vs1.ckauni.ru/ | 5 apps.identrust.com(119.207.65.137) vs1.ckauni.ru(81.177.141.85) 81.177.141.85 - mailcious 31.131.254.2 182.162.106.42 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.2 | M | | ZeroCERT
13404 | 2021-10-12 10:02 | rundll32.exe | 958327f65e87da599ad05ad82897f730 | RAT PWS .NET framework Gen1 Generic Malware Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Chrome Browser Email ComputerName Password | 9 http://chrisproperties.xyz/2.jpg http://chrisproperties.xyz/6.jpg http://chrisproperties.xyz/main.php http://chrisproperties.xyz/4.jpg http://chrisproperties.xyz/3.jpg http://chrisproperties.xyz/1.jpg http://chrisproperties.xyz/7.jpg http://chrisproperties.xyz/5.jpg http://chrisproperties.xyz/ | 2 chrisproperties.xyz(195.133.18.140) 195.133.18.140 - malware | 7 ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt) ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing | | 16.6 | M | 28 | ZeroCERT
13405 | 2021-10-12 10:02 | LZrg9QKDOYThFzj.exe | 1686f2ca568d14d7f2b177ee1c743f60 | RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed | | | | | 10.0 | M | 28 | ZeroCERT
13406 | 2021-10-12 10:04 | audio.exe | 16b6795e99dfc883377cfeb6a650ab3f | PWS Loki[b] Loki.m RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key | 13
| 27
| 3 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers | | 9.0 | M | 25 | ZeroCERT
13407 | 2021-10-12 10:04 | Update.exe.rar | a22ca06bb3a58d4ca2bca856434b96f3 | Generic Malware Malicious Packer PE File PE32 VirusTotal Malware suspicious privilege unpack itself suspicious process AntiVM_Disk sandbox evasion WriteConsoleW shadowcopy delete Ransom Message Creates autorun.inf VM Disk Size Check Ransomware GameoverP2P Zeus Windows Trojan Banking crashed | | | | | 8.8 | M | 55 | ZeroCERT
13408 | 2021-10-12 10:05 | sefile3.exe | 6bb7dc4a3db387ced8c05711f6bbfc8d | Generic Malware Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself | | | | | 2.2 | M | 43 | ZeroCERT
13409 | 2021-10-12 10:07 | vbc.exe | 0c699aa8699b1bccd7c223aaa47ffd0e | UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself | | | | | 1.8 | M | 26 | ZeroCERT
13410 | 2021-10-12 10:07 | csrss.exe | e54d1bcdd9d7af8f91758cfa17be9224 | Lokibot PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software | 1 http://checkvim.com/fd4/fre.php - rule_id: 5139 | 2 checkvim.com(45.9.73.172) - mailcious 45.9.73.172 | 7 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response | 1 http://checkvim.com/fd4/fre.php | 14.0 | M | 29 | ZeroCERT