Sandbox submission listing, records 13456 to 13470 (2021-10-12 to 2021-10-13). The source table was flattened; each record below carries the same columns: record ID, submission time, sandbox score, the "M" flag where the listing sets it, the VirusTotal detection count where the sample was looked up (records tagged "VirusTotal"), and the source label ZeroCERT; then filename, MD5, the sandbox's behaviour and family tags, contacted URLs and hosts, network alerts (Suricata/ET and abuse.ch SSLBL rule names, quoted verbatim), and any URL the sandbox itself flagged as malicious. Counts in parentheses are the listing's own column counts. Hosts marked [malicious] are flagged in the listing (spelled "mailcious" in the source). Two things worth noting before using this data for hunting: the "Tofsee" tag on records 13456, 13461, 13466 and 13468 rests solely on the SSLBL JA3 client-fingerprint alert, which on those records fires on TLS sessions to Google, Blogger and IdenTrust hosts, so treat it as low confidence unless corroborated; and records 13458 and 13459 carry the same MD5 and are the same sample submitted under two filenames.

#13456  2021-10-12 18:39  score 15.6  source ZeroCERT
  File:        DHL INVOICE__TNSR0002153555677...
  MD5:         197da75ce810f55aaeab82c969b48abb
  Tags:        RAT, Generic Malware, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Malware, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, WriteConsoleW, human activity check, Tofsee, Windows, ComputerName, DNS, Cryptographic key, crashed
  URLs (1):    (not shown in the listing)
  Hosts (5):   www.google.com (172.217.175.228); 79.134.225.7 [malicious]; 172.217.31.228; 13.107.21.200; 142.250.66.36
  Alerts (1):  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
#13457  2021-10-12 18:40  score 12.8  source ZeroCERT
  File:        Dsc~00093873643563-09873654356...
  MD5:         e6d036148970dba75f7faa27b68696cf
  Tags:        RAT, PWS, .NET framework, Generic Malware, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Malware download, Nanocore, Malware c&c, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, DDNS, crashed
  Hosts (2):   1116.hopto.org (185.140.53.9) [malicious]; 185.140.53.9 [malicious]
  Alerts (2):  ET MALWARE Possible NanoCore C2 60B; ET POLICY DNS Query to DynDNS Domain *.hopto .org
#13458  2021-10-12 18:40  score 12.8  source ZeroCERT
  File:        DTW~003987365435-3987653456378...
  MD5:         8338edb0559c1e6136c6bb061cbcff77
  Tags:        PWS, .NET framework, Generic Malware, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Malware download, Nanocore, Malware c&c, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, DDNS, crashed
  Hosts (2):   1116.hopto.org (185.140.53.9) [malicious]; 185.140.53.9 [malicious]
  Alerts (2):  ET POLICY DNS Query to DynDNS Domain *.hopto .org; ET MALWARE Possible NanoCore C2 60B
#13459  2021-10-12 18:44  score 12.8  source ZeroCERT
  File:        LIST-TM~20098736536093876.exe
  MD5:         8338edb0559c1e6136c6bb061cbcff77 (same sample as #13458)
  Tags:        PWS, .NET framework, Generic Malware, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Malware download, Nanocore, Malware c&c, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, DDNS, crashed
  Hosts (2):   1116.hopto.org (185.140.53.9) [malicious]; 185.140.53.9 [malicious]
  Alerts (2):  ET MALWARE Possible NanoCore C2 60B; ET POLICY DNS Query to DynDNS Domain *.hopto .org
#13460  2021-10-12 18:44  score 11.6  source ZeroCERT
  File:        TRF08359668902.JPG.scr
  MD5:         b115228fe5e180f505c081aa829c1a86
  Tags:        Generic Malware, Malicious Library, DNS, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, Buffer PE, AutoRuns, PDB, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Remote Code Execution, crashed
  Network:     none recorded
#13461  2021-10-13 09:14  score 2.8  VT 20  source ZeroCERT
  File:        oleApp13.exe
  MD5:         3124bed68bba6ffae57e420379d871b6
  Tags:        RAT, Generic Malware, PE File, PE32, .NET EXE, VirusTotal, Malware, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee
  URLs (1):    http://apps.identrust.com/roots/dstrootcax3.p7c
  Hosts (4):   apps.identrust.com (119.207.65.153); store2.gofile.io (31.14.69.10) [malicious]; 31.14.69.10 [malicious]; 121.254.136.57
  Alerts (1):  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
#13462  2021-10-13 09:15  score 10.8  VT 22  source ZeroCERT
  File:        vbc.exe
  MD5:         37f6767279f5545650809e32e0beca81
  Tags:        RAT, Generic Malware, Admin Tool (Sysinternals etc ...), Antivirus, AntiDebug, AntiVM, PE File, PE32, .NET EXE, FormBook, Malware download, VirusTotal, Malware, powershell, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, powershell.exe wrote, suspicious process, Windows, ComputerName, Cryptographic key
  URLs (6):    http://www.suppershop.store/s6tn/?xPWD8pd=QVNpsJMpBgGpG2JQ0Dma4sDT8jrElQoz3HJVVEftfVLcCprd01Ik3hM1qAu4gTWMwVzvSFhh&9rjLtF=ffh4ZfOXa&sql=1
               http://www.suppershop.store/s6tn/
               http://www.farmavidacanarias.com/s6tn/
               http://www.farmavidacanarias.com/s6tn/?xPWD8pd=xZ5e5Gm0aye54R3IRo2wNpzJIWEfB+XS0utdOciwVxaiHlnkTl1wePtzKhKfVUD9A8cyGpL+&9rjLtF=ffh4ZfOXa&sql=1
               http://www.readingroomtnpasumo5.xyz/s6tn/
               http://www.readingroomtnpasumo5.xyz/s6tn/?xPWD8pd=UpFxAwkrUGtFBYHGEM8uLvUidM4yAZ8dwTt6lP/3OYZhzoDiysclnIejmMVvklQrE9sL1AkC&9rjLtF=ffh4ZfOXa&sql=1
  Hosts (6):   www.suppershop.store (81.169.145.161); www.farmavidacanarias.com (172.67.219.74); www.readingroomtnpasumo5.xyz (150.95.255.38); 104.21.24.155; 150.95.255.38 [malicious]; 81.169.145.161 [malicious]
  Alerts (3):  ET MALWARE FormBook CnC Checkin (POST) M2; ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
#13463  2021-10-13 09:16  score 4.2  flag M  VT 20  source ZeroCERT
  File:        vbc.exe
  MD5:         e40726b44abd64042271651ca1caac11
  Tags:        NSIS, Malicious Library, PE File, PE32, DLL, Emotet, VirusTotal, Malware, Code Injection, Check memory, Creates executable files, unpack itself, AppData folder
  Network:     none recorded
#13464  2021-10-13 09:17  score 4.4  VT 11  source ZeroCERT
  File:        cma.trf
  MD5:         ea3c8e9f45bbf4f60b317741f0b8fefe
  Tags:        Generic Malware, AntiDebug, AntiVM, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName
  Network:     none recorded
#13465  2021-10-13 09:18  score 8.0  flag M  VT 38  source ZeroCERT
  File:        475362202.exe
  MD5:         db70c7f42b07a25fd11e7d0e43816a9f
  Tags:        RAT, Generic Malware, task schedule, AntiDebug, AntiVM, PE File, PE32, .NET EXE, VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, WriteConsoleW, Windows, ComputerName, Cryptographic key
  Network:     none recorded
#13466  2021-10-13 09:20  score 4.2  source ZeroCERT
  File:        centback1.html
  MD5:         65947a582a3d169cbb6a90679aea4799
  Tags:        Antivirus, AntiDebug, AntiVM, MSOffice File, PNG Format, Code Injection, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
  URLs (6):    https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
               https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
               https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
               https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1631016860680037568&zx=c27125d2-6838-4160-8af6-517db08baaf2
               https://www.blogger.com/static/v1/widgets/3210581208-widgets.js
               https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
  Hosts (4):   resources.blogblog.com (216.58.220.137); www.blogger.com (216.58.220.137); 142.250.204.105; 142.250.204.41
  Alerts (2):  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
#13467  2021-10-13 09:21  score 6.4  source ZeroCERT
  File:        toolspab2.exe
  MD5:         bac05d4f3b1ede73d936fae7ff3cdde6
  Tags:        UPX, Malicious Library, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, Malware, PDB, Code Injection, Checks debugger, buffers extracted, unpack itself
  Network:     none recorded
#13468  2021-10-13 09:22  score 3.2  VT 17  source ZeroCERT
  File:        tortilla.exe
  MD5:         a0c33ee191392f73670f80724d8e1104
  Tags:        RAT, PWS, .NET framework, Generic Malware, Antivirus, Admin Tool (Sysinternals etc ...), PE File, PE32, .NET EXE, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Tofsee
  URLs (1):    http://apps.identrust.com/roots/dstrootcax3.p7c
  Hosts (4):   apps.identrust.com (119.207.65.137); pastebin.pl (168.119.93.163) [malicious]; 168.119.93.163 [malicious]; 182.162.106.26
  Alerts (1):  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
#13469  2021-10-13 09:23  score 13.0  flag M  VT 20  source ZeroCERT
  File:        vbc.exe
  MD5:         095eb46a48c5dfe26b91e1915bd4d6c8
  Tags:        Loki, PWS, Loki[b], Loki.m, .NET framework, Generic Malware, DNS, Socket, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, Software
  URLs (1):    http://checkvim.com/ga11/fre.php (rule_id: 5418)
  Hosts (2):   checkvim.com (45.9.73.172) [malicious]; 45.9.73.172
  Alerts (7):  ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
  Malicious URLs (1): http://checkvim.com/ga11/fre.php
#13470  2021-10-13 09:24  score 11.8  VT 27  source ZeroCERT
  File:        vbc.exe
  MD5:         ded9770d3dc72897732f0e918124ce88
  Tags:        PWS, .NET framework, Generic Malware, SMTP KeyLogger, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
  Network:     none recorded
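The Hosts column of these records mixes real C2 (the hopto.org NanoCore host, the LokiBot checkvim.com gate, the FormBook /s6tn/ domains) with benign infrastructure the sample merely touched (IdenTrust CRL, Google, Blogger), so copying every host into a blocklist is wrong. The script below is an added example, not code from the listing or from the sandbox that produced it: it parses host strings in the listing's own "name(ip) - mailcious" format, keeps only entries the listing flags, entries that resolve to a flagged IP, or DDNS names, pulls the C2 URI paths out of the URL column, and runs the result over a few constructed proxy log lines. The log format, the DDNS suffix list (only hopto.org is attested on this page) and the sample lines are assumptions for illustration.

```python
"""Turn the Hosts / URLs columns of sandbox records into hunting IOCs and
match them against proxy log lines. Added example; not the listing's code."""
from __future__ import annotations
import re
from urllib.parse import urlparse

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# The listing spells the flag "mailcious"; accept the typo and the correct form.
FLAG_RE = re.compile(r"\s*-\s*ma(?:il|li)cious\b")
# DDNS suffixes. Only hopto.org is attested by the page (ET POLICY alert); extend as needed.
DDNS_SUFFIXES = ("hopto.org",)
# Assumed proxy log shape: timestamp src_ip method url status
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def parse_hosts(column: str) -> list[tuple[str | None, str | None, bool]]:
    """Return (hostname, ip, flagged) triples from a Hosts column string."""
    col = FLAG_RE.sub("!", column)            # flag becomes a '!' token suffix
    triples = []
    for tok in col.split():
        flagged = tok.endswith("!")
        m = re.fullmatch(r"([^()]+)(?:\(([^)]+)\))?", tok.rstrip("!"))
        if not m:
            continue
        name, ip = m.group(1), m.group(2)
        if ip is None and IP_RE.fullmatch(name):
            name, ip = None, name             # bare IP entry
        triples.append((name, ip, flagged))
    return triples


def build_iocs(hosts: str, urls: str = "") -> dict[str, set[str]]:
    """Derive domain / IP / URL-path indicators from one record.
    Unflagged hosts (CA, CRL, CDN) go to 'context' so they are not blocked."""
    triples = parse_hosts(hosts)
    flagged_ips = {ip for _, ip, f in triples if f and ip}
    iocs = {"domains": set(), "ips": set(flagged_ips), "paths": set(), "context": set()}
    for name, ip, flagged in triples:
        if name is None:
            continue
        is_ddns = any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)
        if flagged or ip in flagged_ips or is_ddns:
            iocs["domains"].add(name)
            if ip:
                iocs["ips"].add(ip)
        else:
            iocs["context"].add(name)
    for u in urls.split():                    # URL column is whitespace separated
        p = urlparse(u)
        if p.hostname in iocs["domains"]:
            iocs["paths"].add(p.path)         # e.g. /s6tn/ or /ga11/fre.php
    return iocs


def match_log(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (line, reason) for each log line that touches an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = urlparse(m["url"])
        host = p.hostname or ""
        if host in iocs["ips"] or host in iocs["domains"]:
            hits.append((line, f"host {host}"))
        elif p.path in iocs["paths"]:
            hits.append((line, f"path {p.path} reused on an unlisted host"))
        elif any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
            hits.append((line, f"ddns {host}"))
    return hits


# Hosts / URLs column strings copied from records 13457, 13462 and 13469 above.
NANOCORE_HOSTS = "1116.hopto.org(185.140.53.9) - mailcious 185.140.53.9 - mailcious"
FORMBOOK_HOSTS = ("www.suppershop.store(81.169.145.161) www.farmavidacanarias.com(172.67.219.74) "
                  "www.readingroomtnpasumo5.xyz(150.95.255.38) 104.21.24.155 "
                  "150.95.255.38 - mailcious 81.169.145.161 - mailcious")
FORMBOOK_URLS = "http://www.suppershop.store/s6tn/ http://www.readingroomtnpasumo5.xyz/s6tn/"
LOKI_HOSTS = "checkvim.com(45.9.73.172) - mailcious 45.9.73.172"
LOKI_URLS = "http://checkvim.com/ga11/fre.php"

# Constructed proxy log lines (not from the page).
SAMPLE_LOG = [
    "2021-10-13T09:23:10 10.0.0.5 POST http://checkvim.com/ga11/fre.php 404",
    "2021-10-13T09:23:40 10.0.0.7 GET http://www.suppershop.store/s6tn/?xPWD8pd=abc 200",
    "2021-10-13T09:24:01 10.0.0.9 GET http://www.example-decoy.net/s6tn/ 200",
    "2021-10-13T09:24:30 10.0.0.9 GET http://apps.identrust.com/roots/dstrootcax3.p7c 200",
    "2021-10-13T09:25:00 10.0.0.3 GET http://1116.hopto.org/ 200",
]


def merged_iocs() -> dict[str, set[str]]:
    """Union of the IOCs from the three records above."""
    combined = {"domains": set(), "ips": set(), "paths": set(), "context": set()}
    for h, u in ((NANOCORE_HOSTS, ""), (FORMBOOK_HOSTS, FORMBOOK_URLS), (LOKI_HOSTS, LOKI_URLS)):
        for k, v in build_iocs(h, u).items():
            combined[k] |= v
    return combined


if __name__ == "__main__":
    for line, why in match_log(SAMPLE_LOG, merged_iocs()):
        print(why, "<-", line)
```

Path matching is deliberately kept as a weaker, separate reason: FormBook rotates its /s6tn/ style URI across many decoy domains and LokiBot's fre.php gate moves between hosts, so a path hit on a host the sandbox never saw is a lead to triage, not grounds for an automatic block. The identrust.com line produces no hit because that host is never flagged and lands in "context".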