13426 | 2021-10-12 10:27
.rundll32.exe c0e5a274d66774418c9bf4e813c89c4a PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
4
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
6
kbfvzoboss.bid
alphastand.trade(194.195.211.98)
alphastand.win
alphastand.top(45.77.226.209)
195.133.18.117
136.243.159.53 - mailcious
13.0 | M | 23 | ZeroCERT

13427 | 2021-10-12 10:31
vbc.exe f8ba5db8bad75222081bc6b9297126a4 NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
17
http://www.cqjiubai.com/b2c0/?4h3=2mB11SWBJeqsgLNZA9zX/rPpM7w8/BYzIGvx7juRdznywYGtUU63q37Ob037EXJAMFZjx+qK&wR=OtxxL0H
http://www.vi88.info/b2c0/?4h3=9nW/OVHQ1XpTvpMusTdL+d4k59iYmTaoVhYIWL8vz0e2o7OkRPl/Jeq3QN9xrgEGq3IVy9cv&wR=OtxxL0H
http://www.bjyxszd520.xyz/b2c0/?4h3=5qV1DKUMuUjGYA3fL9Pa3UT7jkO10ReW4RDeeNH3REkhhnXD3tzsQzU5ZcYFcAWgQIO9RqwE&wR=OtxxL0H
http://www.techgobble.com/b2c0/?4h3=q0dXbruL9oNHgDNzXREEnDl3G9h920ZNi0fApm82DH99dfUbxZI06fwsOh645v3B9aqBjOf+&wR=OtxxL0H
http://www.dxxlewis.com/b2c0/?4h3=9ahEnHZeeTorCCf1BxWsn/rXQiL42ezX5ROQBOh91FMP3dxhyP3zcRxjW2sluygknGFgWtoi&wR=OtxxL0H - rule_id: 5523
http://www.bf396.com/b2c0/?4h3=t6gJF9Utg2R4XQWg3Jwsp6zjCr1F/wRH5aVZWPLHkjAeWQCJMgrTj/P6SQNfZnptjg9RDyBj&wR=OtxxL0H
http://www.andajzx.com/b2c0/?4h3=Nq7JSK+51V7V0vjsJnL9p1r/W1Jbb2TTrmgKvFPqBIsOAwiUsCJvp9Cz7BVgNHhjE1W2hlTO&Jt7=XPv4sFjP
http://www.miaintervista.com/b2c0/?4h3=U8O6kRJAqCrKAzN8h3rSiV6YS3+F71/8oy2ywOxlTPPEAAUY03Ods+UYspTxL8ni9w1lhzNG&wR=OtxxL0H
http://www.newhousebr.com/b2c0/?4h3=tu4Fqrlz3jutJmre2Rx60Zos9k5v6uCXeSCipD5cEktMuls1Hb9yFYuxRiVsxBEgqzn2HLYX&wR=OtxxL0H
http://www.thesewhitevvalls.com/b2c0/?4h3=Rsl6eVz+VG29WY9Bu4YLklwV2F0wFlRiIbC8zFPJmNkqxdaonT0ibfmv5LT+hZ22IxZBrwvg&wR=OtxxL0H
http://www.itpronto.com/b2c0/?4h3=9u+FmzK7Yk+TwphW4opg/QCnkjDckJkdmnZ3+DIAOFIsEucOKAOsq9EbeEbVQoCe7mI/Jlaf&wR=OtxxL0H
http://www.starsspell.com/b2c0/?4h3=fiodKOJeeFjr5i7wyUoUA/NOfrt4VaPFcy7anj0Z3n97zhRBB4UQ9ZHkR1fAW7F9y1g8Qbo1&wR=OtxxL0H
http://www.carts-amazon.com/b2c0/?4h3=HN6lmWAuQ/DxQquH7lRwrlIaFZSjtluPDf2XNvJEXw6TUq+t2SSyYh9kubxDLCQOheuA1B4N&wR=OtxxL0H
http://www.aydeyahouse.com/b2c0/?4h3=CKOO/2uucFXNyCj1zxJrZ9Hl5SoFLqUlaBxiRj+OPv9VLhKNyJ6PWtJCdtT9HZpkOa8Hxs7C&wR=OtxxL0H
http://www.onayli.net/b2c0/?4h3=XveokmG9E8gkzs4xexerB5+6O8SujSXm7eZBq+reORrLsi0MFSbRgQLwLddNHplqBkfGpbrR&Jt7=XPv4sFjP
http://www.lnagvv.space/b2c0/?4h3=rxQGpNn47tzcu1feKv/WbC4wyhDm+g4ynHbpcs1t7HcpnOmGkI/eNYw9RjQ8vbSFELLc0Tgu&wR=OtxxL0H
http://www.shobhajoshi.com/b2c0/?4h3=6CHuhRUN+BtpWXJjS7zsdqmaS0UbWfnfJ9FpRsupU2DPBPWeOjnZ1tQZruUItz+4YY4EaK5q&wR=OtxxL0H
33
www.techgobble.com(104.219.248.94)
www.aydeyahouse.com(23.227.38.74)
www.bjyxszd520.xyz(103.71.237.11) - mailcious
www.onayli.net(45.34.37.29)
www.carts-amazon.com(34.102.136.180)
www.shobhajoshi.com(103.67.235.120)
www.cqjiubai.com(108.186.180.63)
www.vi88.info(172.217.175.51)
www.thesewhitevvalls.com(172.105.103.207) - mailcious
www.andajzx.com(107.163.179.182)
www.lnagvv.space(104.18.27.58)
www.newhousebr.com(23.227.38.74)
www.dxxlewis.com(207.97.200.47)
www.miaintervista.com(50.62.172.157)
www.bf396.com(94.74.96.218)
www.starsspell.com(70.40.216.229)
www.itpronto.com(154.55.180.127)
108.186.180.63
23.227.38.74 - mailcious
207.97.200.47 - mailcious
50.62.172.157 - phishing
70.40.216.229
34.102.136.180 - mailcious
182.160.8.206
172.105.103.207
103.67.235.120 - phishing
154.55.180.127
45.34.37.29
107.163.179.182
104.219.248.94
142.250.66.51
104.18.26.58
103.71.237.11
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
1
http://www.dxxlewis.com/b2c0/
5.8 | M | 24 | ZeroCERT

13428 | 2021-10-12 10:31
sl7.exe fd39db32feeef52113caa2c006e1e04e Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.6 | M | 51 | ZeroCERT

13429 | 2021-10-12 10:34
templezx.exe d888198eb60c6c80d039ae12adb1e86f RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(132.226.8.169)
216.146.43.71
172.67.188.154
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 | M | 19 | ZeroCERT

13430 | 2021-10-12 10:37
system.exe 5d816026f283ad04417b9ec38a29de81 RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee DNS
13
http://www.searchingspacespot.com/mexq/?JDK8bDY=lpKGlVLGNHQejzc8T/1Yui9sqRHpxAt980rD6/pXKWR4kOk/Esz5LgexIHGW5O24eSUfcM8Y&BX=E2J4tHWP_V2
http://www.sotlbb.com/mexq/?JDK8bDY=wUUdxrpvKnHjVGviLlbiN0d/s+StjvpCRVNvkb7xvBr2mYBUsQfFbNlzWBD300HAYvHiq6Rq&BX=E2J4tHWP_V2
http://www.wmh3gk2fzw2m.biz/mexq/?JDK8bDY=UyUE9kQD2x0NeQsdW0XUMy2W5i5z8llb4rGWC4I5jJBYHOEz6j34RyUiYVdu4xyLAbElxCEC&BX=E2J4tHWP_V2
http://www.xn--lcka2cufqed6765c4ef1x1g.xyz/mexq/?JDK8bDY=ICqO6PnmVWxgkW6VmUJeeFZwrbgCSCZrIX6+mVYzJyHCyIhr5yMB+GsmJ/ILQlzFyCc3sTKg&BX=E2J4tHWP_V2
http://www.cyebang.com/mexq/?JDK8bDY=g6L0/Z2cdy+PQR0/l6rXBhzWGtzMcF3Ol137FLHMI1/7C2CX6Ije7QQ81WlooZwAwjE41ZtU&BX=E2J4tHWP_V2
http://www.mabnapakhsh.com/mexq/?JDK8bDY=OU1GtVXDbsnAoZAJ+r3UhPtpR181l/ARJ5oFEWbh76Mk/J1Ds5ZKsjMHrQjA03ZUl7BK7iZc&BX=E2J4tHWP_V2
http://www.girlspiter.club/mexq/?JDK8bDY=fzhR5iDoK/FMbNanNPgySKtGhsLhyiuSpsOSscLZe2SSRgDl3GCmdM/c8tfRmghpgq4HDdiJ&BX=E2J4tHWP_V2
http://www.promiseface.com/mexq/?JDK8bDY=zlS6lJ6TIwWjbSvtugQ/2qpaVbEDvrPTP2GJSFClDW0PJPQvISYtc1ILXeqX+qk9BWPhfhLv&BX=E2J4tHWP_V2 - rule_id: 6319
http://www.uniqued.net/mexq/?JDK8bDY=/3l62yGpIujmRd23NYyOlMT7eauth93xr/VrnqvY3AX4beNsr7BJ6oW+mJu6AhSMiBiHOIq9&BX=E2J4tHWP_V2 - rule_id: 6315
http://www.rd26x.com/mexq/?JDK8bDY=NkB1NXPBFDbDKRQZsa3bgqux4BDsfoNouiBmY062wfTHfxIwCLTnegL+vUKelNVaBIOAn2Cu&BX=E2J4tHWP_V2
http://www.zamarasystem.com/mexq/?JDK8bDY=IpqNqv0O7XNQoDVXX4yFHUH7VRliJnhxicL0cWaIY68A61Zjj4pLnCTIwF7r9iYi6pGSwZZa&BX=E2J4tHWP_V2
https://cdn.discordapp.com/attachments/893177342426509335/897124528768032848/9722D04C.jpg
https://cdn.discordapp.com/attachments/893177342426509335/897124531213336656/F526E587.jpg
27
www.searchingspacespot.com(185.30.34.153)
www.uniqued.net(23.227.38.74)
www.cyebang.com(154.216.110.149)
www.iphone13promax.design()
www.xn--lcka2cufqed6765c4ef1x1g.xyz(150.95.59.9)
www.bestwarsawhotels.com(91.134.15.231)
www.sotlbb.com(154.86.222.107)
www.zamarasystem.com(102.38.50.130)
www.rd26x.com(172.104.94.112)
www.aliexpress-br.com() - mailcious
www.wmh3gk2fzw2m.biz(103.26.164.134)
www.promiseface.com(23.227.38.74)
cdn.discordapp.com(162.159.130.233) - malware
www.girlspiter.club(23.105.244.169)
www.mabnapakhsh.com(198.54.117.216)
150.95.59.9
162.159.134.233 - malware
154.86.222.107
103.26.164.134
198.54.117.212 - mailcious
91.134.15.231
154.216.110.149
23.105.244.169
102.38.50.130
23.227.38.74 - mailcious
185.30.34.153
172.104.94.112
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
ET INFO Observed DNS Query to .biz TLD
ET HUNTING Request to .XYZ Domain with Minimal Headers
2
http://www.promiseface.com/mexq/
http://www.uniqued.net/mexq/
9.0 | M | 27 | ZeroCERT

13431 | 2021-10-12 10:38
dyno.exe 8fb7b0d584386defa56169e341f6ee64 UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
1.8 | M | 10 | ZeroCERT

13432 | 2021-10-12 10:41
vbc.exe c0eb90010d882e33340c40bde08474cb NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS
14
http://www.epilasyonmerkeziankara.com/mxnu/?DbG=bngcEK+xZs1ednOYrpus6XFKnrxKN2uCCnQcEZtwxddq7ZQQDv/23m99KJW03q/XcaqcaNGj&QZ0=ehutZJ_xFDE4-J
http://www.onehigh.club/mxnu/?DbG=52TJ8f0Vxw2BzXpbfWSfaWlDTRlua2mq3mQuHpcP7nL3PE2hO33OHCZ6ItQZVKuqvI9FSTzz&QZ0=ehutZJ_xFDE4-J
http://www.crystaltopagent.net/mxnu/?DbG=3yd5RwoD26MqTRMAl0ytU+h0AIpWjTpihncvDxCNudFFpkke93ChM56zl8nuLHoRn3erkMWM&QZ0=ehutZJ_xFDE4-J
http://www.zacky6.online/mxnu/?DbG=FzUzammgU9aQ1s5hRj9mM0gM5+choujEg0J0kLQ3qFn1h3eEbPcU9JTHQ7DQF/hO9GoOOKrJ&QZ0=ehutZJ_xFDE4-J
http://www.funkidsroomdecor.com/mxnu/?DbG=iFpbfMx0kR1NhQJhtaFPfzg8Nsy3dm+jXQd2Fi3YicbHa3sz/htfiB2IN3yla1aALZWfkU50&QZ0=ehutZJ_xFDE4-J
http://www.elfkuhnispb.store/mxnu/?DbG=ic/kFHBRNSKXHjmNM38FBMuRbw3fBCZ7iuaSOdjj1yTMDPRe/v2BcKSXvjh2Jy3BNbvVwMon&QZ0=ehutZJ_xFDE4-J
http://www.watch12.online/mxnu/?DbG=Wwxnrk8QVUv5zJRb083odjQH0YGPU5EP2v6EZvM0jAjlaPPaw/+RtT6o3ZZTXnQZ3dh49LEi&QZ0=ehutZJ_xFDE4-J
http://www.gatescres.com/mxnu/?DbG=/h7P8W3KCMqF8sHgbHgxGw3KDEtccpvlr5o0RXreZvWALZ7/fG1Fr8cUEgi4cFDVX1k6R9aW&QZ0=ehutZJ_xFDE4-J
http://www.washingtonboatrentals.com/mxnu/?DbG=5sVEEjOk2P+NjahlCkM9c91RRKirbtM3qCtWvXETAP1vtyCGbasEc7CiKRuye+TxtlUaUEX3&QZ0=ehutZJ_xFDE4-J
http://www.deepscanlabs.com/mxnu/?DbG=Ut36E/q1WE7j3wr+yahEM5coyottHioOSqgv0fVsDgvbMwDayAXlZ6ycgWfm9ADUt+XFPcPN&QZ0=ehutZJ_xFDE4-J
http://www.bloomberq.online/mxnu/?DbG=o/KNCiHRrXr1o29jsX2904nvUZgzeoF4AFrLsvPkY5gMkei+B/BqpGS5xpPFUL1iDO9N2GeW&QZ0=ehutZJ_xFDE4-J
http://www.campusguideconsulting.com/mxnu/?DbG=L7zrcpP2MHclxtEQkgGLeT9HdMuUjtcVWcC+l1rQ4d5yylj0ZTyGk0KuxEHEcypiIPWpKB0U&jL3Tir=PPG0kHGp2Ts4MbTp
http://www.naplesconciergerealty.com/mxnu/?DbG=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&QZ0=ehutZJ_xFDE4-J
http://www.influxair.com/mxnu/?DbG=TsJoTwgkypMLnzNnd4lSdIwskag8Ao4FDEHlqFMN0Q3o8pEdXPLUbYsOOSivgNo+I+lTFgxg&QZ0=ehutZJ_xFDE4-J
29
www.watch12.online(162.241.85.108)
www.gatescres.com(184.168.131.241)
www.promovart.com()
www.funkidsroomdecor.com(192.254.189.87)
www.naplesconciergerealty.com(34.102.136.180)
www.campusguideconsulting.com(141.136.43.26)
www.deepscanlabs.com(34.102.136.180)
www.onehigh.club(209.99.64.33)
www.epilasyonmerkeziankara.com(5.9.250.2)
www.washingtonboatrentals.com(3.64.163.50)
www.influxair.com(65.21.250.85)
www.bloomberq.online(51.81.27.134)
www.crystaltopagent.net(34.102.136.180)
www.elfkuhnispb.store(45.130.41.10)
www.zacky6.online(118.27.122.92)
www.megapollice.online()
51.81.27.134
5.9.250.2
209.99.64.33 - mailcious
162.241.85.108
184.168.131.241 - mailcious
34.102.136.180 - mailcious
141.136.43.26
3.64.163.50 - mailcious
192.254.189.87
118.27.122.92
65.21.250.85
172.67.188.154
45.130.41.10 - phishing
1
ET MALWARE FormBook CnC Checkin (GET)
6.4 | M | 29 | ZeroCERT

13433 | 2021-10-12 10:47
HGF_093876533679-09876535678.e... 8e674224762af6cc955b9d3c7c068cd3 RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS crashed
2
1116.hopto.org(185.140.53.9) - mailcious
185.140.53.9 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
15.4 | | 30 | ZeroCERT

13434 | 2021-10-12 10:56
HWL~0009484744-0498748944.exe c50aaf4127d885495ad3aa6d8b167931 RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
2
1116.hopto.org(185.140.53.9) - mailcious
185.140.53.9 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
15.2 | | 32 | ZeroCERT

13435 | 2021-10-12 10:56
AMC P.O1082021.JPG.scr 9a4a8643db95a8c0fe52af8675a5d1b1 Generic Malware Malicious Library Malicious Packer DNS AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName Remote Code Execution DNS DDNS crashed
2
strongodss.ddns.net(185.19.85.175) - mailcious
185.19.85.175 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
14.6 | | 35 | ZeroCERT

13436 | 2021-10-12 10:57
IM~0020298762542567TG.exe acda37bfd9f06bcde95dc9939ff6e765 RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
12.2 | | 30 | ZeroCERT

13437 | 2021-10-12 10:57
Ikm~0020298762542567SD.exe acda37bfd9f06bcde95dc9939ff6e765 RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS crashed
2
1116.hopto.org(185.140.53.9) - mailcious
185.140.53.9 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
14.8 | | 30 | ZeroCERT

13438 | 2021-10-12 10:59
NEW ORDER EXPO_51052 IMG002398... 39eb239744f692d451e934fd467f02c0 Generic Malware Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
3
futurist11.ddns.net(194.5.98.46) - mailcious
37.235.1.174 - mailcious
194.5.98.46 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
16.4 | | | ZeroCERT

13439 | 2021-10-12 10:59
Ponuda.exe 5cc35185a46c641109924dad40ebedc8 RAT AgentTesla(IN) Generic Malware Antivirus Malicious Packer UPX Malicious Library DNS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed
2
emedoo.ddns.net(185.140.53.133)
185.140.53.133 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.4 | | | ZeroCERT

13440 | 2021-10-12 11:02
PROFORMA INVOICE. P.O.exe 8f0c65d388502f0a9825f4bf5b9c7e7a Generic Malware Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
3
redvelvet.ddns.net(194.5.98.5)
194.5.98.5 - mailcious
37.235.1.174 - mailcious
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
16.0 | | | ZeroCERT