13441 | 2021-10-12 11:03
File: REVISED PURCHASE ORDER pdf.exe | MD5: 3a73f43f58edbac5b2a007e7fcf807af
Tags: RAT PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
Hosts (3):
norly519.ddns.net(154.113.173.1) - mailcious
154.113.173.1
37.235.1.174 - mailcious
Alerts (1):
ET POLICY DNS Query to DynDNS Domain *.ddns .net
Score: 14.8 | - | - | User: ZeroCERT

13442 | 2021-10-12 11:05
File: Scanned documents copy doc_jpe... | MD5: cd8989a4c98c56de9ed561206b3ec52c
Tags: NPKI Generic Malware Antivirus DNS Code injection AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
Hosts (3):
accept.ddns.net(197.210.78.156) - mailcious
197.210.78.156
37.235.1.174 - mailcious
Alerts (1):
ET POLICY DNS Query to DynDNS Domain *.ddns .net
Score: 14.8 | - | - | User: ZeroCERT

13443 | 2021-10-12 11:09
File: doc-1114816112.xls | MD5: aa6fecbcd7c0b2728acb3cbd8be81417
Tags: VBA_macro Generic Malware Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://onlineyogacourse.org/5hgP7n5nTC/a.html
https://rabedc.com/msdcluV8y5nf/alf.html
https://partiuvamosviajar.com/xYIJTUcGxvF1/alfo.html
Hosts (6):
onlineyogacourse.org(123.30.182.76) - mailcious
rabedc.com(192.185.145.142) - mailcious
partiuvamosviajar.com(192.185.177.14) - mailcious
123.30.182.76 - malware
192.185.145.142 - mailcious
192.185.177.14 - mailcious
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
Score: 3.6 | - | - | User: guest

13444 | 2021-10-12 11:11
File: doc-1112793309.xls | MD5: e270dccc95b502bb0f3e8efe9ea80f26
Tags: VBA_macro Generic Malware Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://onlineyogacourse.org/5hgP7n5nTC/a.html
https://rabedc.com/msdcluV8y5nf/alf.html
https://partiuvamosviajar.com/xYIJTUcGxvF1/alfo.html
Hosts (6):
onlineyogacourse.org(123.30.182.76) - mailcious
rabedc.com(192.185.145.142) - mailcious
partiuvamosviajar.com(192.185.177.14) - mailcious
123.30.182.76 - malware
192.185.145.142 - mailcious
192.185.177.14 - mailcious
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
Score: 3.6 | - | - | User: guest

13445 | 2021-10-12 11:14
File: doc-1114667776.xls | MD5: 7553ddb9cacc62a99f6d9d59fc4ae003
Tags: VBA_macro Generic Malware Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://onlineyogacourse.org/5hgP7n5nTC/a.html
https://rabedc.com/msdcluV8y5nf/alf.html
https://partiuvamosviajar.com/xYIJTUcGxvF1/alfo.html
Hosts (6):
onlineyogacourse.org(123.30.182.76) - mailcious
rabedc.com(192.185.145.142) - mailcious
partiuvamosviajar.com(192.185.177.14) - mailcious
123.30.182.76 - malware
192.185.145.142 - mailcious
192.185.177.14 - mailcious
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
Score: 3.6 | - | - | User: guest

13446 | 2021-10-12 14:29
File: http://185.222.57.85/00011/vbc... | MD5: cda5dff7abc114308bd9491cacb36e0d
Tags: RAT PWS .NET framework Generic Malware DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal credential Downloader P2P persistence AntiDebug AntiVM PE File PE Malware download VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader
URLs (1):
Alerts (6):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 6.2 | M | 33 | User: guest

13447 | 2021-10-12 15:52
File: http://172.245.163.145/new/new... | MD5: 25c79316d2ccebb98a7ae05864d447b3
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM MSOffice File PE File PE32 .NET EXE Malware download VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed Downloader
Hosts (1):
172.245.163.145 - malware
Alerts (6):
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.2 | M | 23 | User: Kim.GS

13448 | 2021-10-12 18:22
File: vbc.exe | MD5: 5d3ab00975539e36a4175835d3fc15e6
Tags: UPX Malicious Library PE File PE32 VirusTotal Malware
Score: 1.0 | - | 13 | User: ZeroCERT

13449 | 2021-10-12 18:24
File: tt.exe | MD5: 82e8c0c279d95dc0f9ab425cdfeffdec
Tags: Antivirus PE File PE32 VirusTotal Malware AutoRuns Creates executable files unpack itself AppData folder sandbox evasion Windows
Hosts (2):
a.zzvvppnn.xyz(43.129.7.15)
43.129.7.15 - malware
Score: 7.6 | M | 50 | User: ZeroCERT

13450 | 2021-10-12 18:25
File: doitgood.exe | MD5: b8772380cffacc7cc944c92e4bcfd506
Tags: RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
Score: 8.8 | M | 24 | User: ZeroCERT

13451 | 2021-10-12 18:26
File: vbc.exe | MD5: 5197fb0ac1eee3ae19fcf6117ea49e9a
Tags: NSIS Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder
URLs (24):
http://www.frutza.com/hr8n/?-ZnP=54t2vpPv71jjQzzefBz2+uAT+3Oft8MwLuGTij4t8xbFk9zmHnLnqZMOkfAUcdCtH7FhQ9Jc&5jR=NV34q8
http://www.petanimals2021.com/hr8n/
http://www.suvsangebotguenstigdeorg.com/hr8n/?-ZnP=0uz0Q17Sfx93I9QMDgfv2FcHKGK5h9rfNO4V9s+zrmjnR/7GYJXF1g44bJEkuz64Y6KiX6Qm&5jR=NV34q8 - rule_id: 6328
http://www.noobcakes.com/hr8n/
http://www.goddesslifecbd.com/hr8n/?-ZnP=GtvkudhA78tbF3WvE4bBZvCKlYqS4/vnN8UfWC/v3gZk1BTClvfo2IF/GomLTAo7w3kyh1zp&5jR=NV34q8
http://www.secure01bchslogin.com/hr8n/?-ZnP=/xCQRyoVMWVnh23tRG8vfAMo2MFBA+pRIDM06yAvE/Fg6D1CIShQVBVEbqNYVVAHcuTqles7&5jR=NV34q8
http://www.sairafashions.xyz/hr8n/ - rule_id: 6330
http://www.ctgroweasy.com/hr8n/?-ZnP=oktFf35aZ05lNJGqsgvc0hYQ6ZLeIL+XRmM2AcINrffpo5ltP3vNCbXX5wxUT3HXnWZvQfgm&5jR=NV34q8
http://www.secure01bchslogin.com/hr8n/
http://www.ctgroweasy.com/hr8n/
http://www.redherring.agency/hr8n/
http://www.petanimals2021.com/hr8n/?-ZnP=dhF4+GHKKWXHWz/d5EmptZUO4Y6cQInERplAOomPQSCFdac6mXYK7VAXrARsxAd8fsGWtC6P&5jR=NV34q8
http://www.supere-mart.net/hr8n/
http://www.frutza.com/hr8n/
http://www.suvsangebotguenstigdeorg.com/hr8n/ - rule_id: 6328
http://www.pochi-owarai.com/hr8n/ - rule_id: 6329
http://www.supere-mart.net/hr8n/?-ZnP=AihrlvyEfuX/eN6KnJ6uXmHDW+BKHHVEbZwCU0FJPiqCVv66AdPIafnXa8duWoJlSBw5T++4&5jR=NV34q8
http://www.noobcakes.com/hr8n/?-ZnP=pPe9LcDTHYLYFitI7WSSobgkEtJUafWqfNcEWvMzKOvFk2APBn1anSbkb37t4/ak/bAwtUMh&5jR=NV34q8
http://www.goddesslifecbd.com/hr8n/
http://www.redherring.agency/hr8n/?-ZnP=Msb0E+nHxXTk+kRHU817jyd7jk0ZtYL78GCylVtt06iZTpAscdQZhKi5jYPsypr0fRcRxBIc&5jR=NV34q8
http://www.mintnft.energy/hr8n/?-ZnP=u4R8TVwRDDNaWwz2bBKL4ieXlqimmGnTV66wn/EuM1uAmhApNufJvTotRV6NwEqPSqMfW0Xp&5jR=NV34q8
http://www.mintnft.energy/hr8n/
http://www.pochi-owarai.com/hr8n/?-ZnP=wgLDzEI7JM5HW3UGruAf3rNm8/j8NE+Zr86Wwng2vxqt30foW8WvIulUjY9BDwGT0AcSiOsT&5jR=NV34q8 - rule_id: 6329
http://www.sairafashions.xyz/hr8n/?-ZnP=eY7bowusc/bCtxQMT3E4oiaJBtnJA6QvJzKziTbvMWKe2c93ynfcfmr+9Oy8QuoOqX4wikEz&5jR=NV34q8 - rule_id: 6330
Hosts (23):
www.suvsangebotguenstigdeorg.com(185.53.179.94)
www.frutza.com(104.21.15.204)
www.integrityinlending.com()
www.secure01bchslogin.com(184.164.70.9)
www.pochi-owarai.com(118.27.122.218)
www.noobcakes.com(198.54.117.211)
www.redherring.agency(34.102.136.180)
www.supere-mart.net(23.227.38.74)
www.goddesslifecbd.com(34.102.136.180)
www.ctgroweasy.com(34.102.136.180)
www.petanimals2021.com(185.201.11.206)
www.acmcnetwork.com() - mailcious
www.sairafashions.xyz(103.148.14.203)
www.mintnft.energy(34.102.136.180)
184.164.70.9
172.67.164.55
185.53.179.94 - mailcious
198.54.117.211 - phishing
34.102.136.180 - mailcious
185.201.11.206
23.227.38.74 - mailcious
103.148.14.203 - mailcious
118.27.122.218 - mailcious
Alerts (2):
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (6):
http://www.suvsangebotguenstigdeorg.com/hr8n/
http://www.sairafashions.xyz/hr8n/
http://www.suvsangebotguenstigdeorg.com/hr8n/
http://www.pochi-owarai.com/hr8n/
http://www.pochi-owarai.com/hr8n/
http://www.sairafashions.xyz/hr8n/
Score: 8.0 | M | 23 | User: ZeroCERT

13452 | 2021-10-12 18:27
File: dllhost.exe | MD5: 1fe73fe4d37cae6a02262b5164f3def0
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (1):
http://www.lendingadvantage.com/kzk9/?DVoxs=Lu7dOz/3Ty5qUA8xZ/YzyhENdsMsHh3E+AhbHYGUq3VOyD44pXfnL6ZlMr1v7TgzK/sckNiE&5j=UlPt
Hosts (3):
www.lendingadvantage.com(52.128.23.153)
www.windajol.com()
52.128.23.153 - mailcious
Alerts (2):
SURICATA HTTP Unexpected Request body
SURICATA HTTP unable to match response to request
Score: 9.0 | - | 20 | User: ZeroCERT

13453 | 2021-10-12 18:27
File: xnewlooksetup_02ucpdqhtploavf8... | MD5: cc0b5f382a9b229b6b5fc5b441e09dc9
Tags: Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 VirusTotal Malware Checks debugger Creates executable files unpack itself AppData folder DNS
Hosts (1):
Score: 3.4 | M | 24 | User: ZeroCERT

13454 | 2021-10-12 18:29
File: sefile.exe | MD5: 723f6ae7f4c00cfee0fbb5eb3a92cc62
Tags: Malicious Library PE File PE32 OS Processor Check PDB unpack itself Remote Code Execution
Score: 1.4 | M | - | User: ZeroCERT

13455 | 2021-10-12 18:39
File: DOC-10-11-2021.exe | MD5: a334a1e5158e652d89bedf83421569ab
Tags: RAT Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces human activity check Tofsee Windows DNS Cryptographic key crashed
URLs (1):
Hosts (3):
www.google.com(172.217.175.228)
194.5.98.3 - mailcious
142.250.207.68
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 13.4 | - | - | User: ZeroCERT