13531 | 2021-10-14 09:53 | 8.4 | M | 34 | ZeroCERT
File: 1170423485.exe 7171b247521e630152953ce57aa6908e
Tags: Malicious Packer PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (1): (not listed)
Hosts (3): f.komaiasowu.ru(81.177.141.85) 139.99.118.252 81.177.141.85 - mailcious

13532 | 2021-10-14 09:54 | 15.0 | M | 42 | ZeroCERT
File: 108.exe ea5d06ebac99fcea217fecc743c259f5
Tags: UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 OS Processor Check PE64 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader
URLs (2): http://a0589357.xsph.ru/dow.exe http://b.komaiasowu.ru/
Hosts (5): a0589357.xsph.ru(141.8.192.193) b.komaiasowu.ru(81.177.141.85) 164.132.202.45 81.177.141.85 - mailcious 141.8.192.193 - malware
IDS alerts (3): ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | ET POLICY PE EXE or DLL Windows file download HTTP | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

13533 | 2021-10-14 09:56 | 1.4 | M | | ZeroCERT
File: file.exe e1489864463ec55743b9663fb7084a96
Tags: UPX Malicious Library PE File PE32 OS Processor Check PDB unpack itself Remote Code Execution

13534 | 2021-10-14 09:58 | 1.0 | M | | ZeroCERT
File: e64v7wm.jpg 1b9e338e3d92bda52862a729c6dbb9c6
Tags: Gen2 Gen1 Malicious Library PE File PE32 DLL PDB Check memory unpack itself crashed

13535 | 2021-10-14 10:00 | 1.4 | M | 9 | ZeroCERT
File: ks2gtc2n.jpg ba80b5374b01f366c6055033059a7a17
Tags: Gen2 Gen1 Malicious Library PE File PE32 DLL VirusTotal Malware PDB Check memory unpack itself crashed

13536 | 2021-10-14 10:03 | 1.2 | M | 28 | ZeroCERT
File: vbc.exe a65b1815177ef9eba7e5e894bbf65a3c
Tags: Admin Tool (Sysinternals etc ...) UPX Malicious Library PE File PE32 VirusTotal Malware

13537 | 2021-10-14 15:19 | 1.0 | M | 16 | ZeroCERT
File: vbc.exe 2292debf2685fda1410be586bd7d25b1
Tags: Admin Tool (Sysinternals etc ...) UPX Malicious Library PE File PE32 VirusTotal Malware

13538 | 2021-10-14 15:20 | 5.6 | M | 18 | guest
File: Bank-Details.xlsx 69edca098ec730f1aa9302c24923fcff
Tags: KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Malware download Vulnerability VirusTotal Malware MachineGuid Malicious Traffic Checks debugger buffers extracted exploit crash unpack itself Exploit DNS crashed Downloader
URLs (1): http://192.227.158.101/09008/vbc.exe - rule_id: 6433
Hosts (1): 192.227.158.101 - malware
IDS alerts (2): ET INFO Executable Download from dotted-quad Host | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Rule-matched URLs (1): http://192.227.158.101/09008/vbc.exe

13539 | 2021-10-14 15:22 | 13.2 | M | 22 | ZeroCERT
File: vbc.exe 80c6546b0a2097556b4218e620c63853
Tags: Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software crashed
URLs (1): http://checkvim.com/ga11/fre.php - rule_id: 5418
Hosts (2): checkvim.com(185.217.198.252) - mailcious 185.217.198.252
IDS alerts (6): ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2
Rule-matched URLs (1): http://checkvim.com/ga11/fre.php

13540 | 2021-10-14 15:23 | 7.4 | M | 34 | ZeroCERT
File: vbc.exe 31ce7d8522a4ee3ba72ed934e7ffd70b
Tags: NSIS UPX Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (21): http://www.mudatstudio.com/hr8n/?MZg8=gUaQ/+3s/kFGf10Bdd8lj7WBkIz9GsQxMveD/qPqZzJE0ReW2q5Df9vdRW11VznkrH2iE1ue&uTxXo=ojOPdxR8gB http://www.redherring.agency/hr8n/ - rule_id: 6416 http://www.redherring.agency/hr8n/?MZg8=Msb0E+nHxXTk+kRHU817jyd7jk0ZtYL78GCylVtt06iZTpAscdQZhKi5jYPsypr0fRcRxBIc&uTxXo=ojOPdxR8gB - rule_id: 6416 http://www.bercatv.com/hr8n/?MZg8=/yRRgDSwLMsWxKA4f5KuELmjy/mqUWJqcFQmTFbv5od3MFYL2Xoy8Nze6PPGHjgxg3JBbnV1&uTxXo=ojOPdxR8gB http://www.saamcoheir.quest/hr8n/ - rule_id: 6333 http://www.apnagas.com/hr8n/?MZg8=pMGdtUWSDrqidj5eJ3dEayK/o6OFfDVrqiV5PnaA2tMYsbhRHtR8TpoDkey3LlwoIKw9ab9x&uTxXo=ojOPdxR8gB - rule_id: 6332 http://www.bercatv.com/hr8n/ http://www.chatelab.network/hr8n/?MZg8=3oN9XgLBJtDXNs2zngQn2dVK6Uxi1QAVFf1LLML5AQ9srmgBfwUts4HpZdFn/GyEF4+HDuxo&uTxXo=ojOPdxR8gB http://www.chatelab.network/hr8n/ http://www.secure01bchslogin.com/hr8n/ - rule_id: 6408 http://www.apnagas.com/hr8n/ - rule_id: 6332 http://www.suvsangebotguenstigdeorg.com/hr8n/?MZg8=0uz0Q17Sfx93I9QMDgfv2FcHKGK5h9rfNO4V9s+zrmjnR/7GYJXF1g44bJEkuz64Y6KiX6Qm&uTxXo=ojOPdxR8gB - rule_id: 6328 http://www.libbybruce.space/hr8n/?MZg8=tvOOJymLPTo+u55ddd5JgP/eYwawdK1IFhff86iTT/s0UFVHuQ3vbuf5ifvAKeBftP33/qgK&uTxXo=ojOPdxR8gB - rule_id: 6336 http://www.pochi-owarai.com/hr8n/?MZg8=wgLDzEI7JM5HW3UGruAf3rNm8/j8NE+Zr86Wwng2vxqt30foW8WvIulUjY9BDwGT0AcSiOsT&uTxXo=ojOPdxR8gB - rule_id: 6329 http://www.baumer-instruments.com/hr8n/?MZg8=q42LDbLer29Q12jt65bKw12quuQGKu9GNRKcDfylwoI+Av0krotLDNZCIm4LxOiWVzWcVna9&uTxXo=ojOPdxR8gB http://www.suvsangebotguenstigdeorg.com/hr8n/ - rule_id: 6328 http://www.baumer-instruments.com/hr8n/ http://www.secure01bchslogin.com/hr8n/?MZg8=/xCQRyoVMWVnh23tRG8vfAMo2MFBA+pRIDM06yAvE/Fg6D1CIShQVBVEbqNYVVAHcuTqles7&uTxXo=ojOPdxR8gB - rule_id: 6408 http://www.mudatstudio.com/hr8n/ http://www.libbybruce.space/hr8n/ - rule_id: 6336 http://www.pochi-owarai.com/hr8n/ - rule_id: 6329
Hosts (24): www.suvsangebotguenstigdeorg.com(185.53.179.94) www.saamcoheir.quest(37.123.118.150) www.bercatv.com(154.208.173.49) www.drfgr1.com() www.secure01bchslogin.com(184.164.70.9) www.chatelab.network(34.102.136.180) www.redherring.agency(34.102.136.180) www.baumer-instruments.com(89.31.143.1) www.preadmirer.info() - mailcious www.libbybruce.space(23.227.38.74) www.pochi-owarai.com(118.27.122.218) www.mudatstudio.com(35.214.244.56) www.apnagas.com(208.91.197.91) www.jeetopesekashback.xyz() - mailcious 184.164.70.9 - mailcious 37.123.118.150 - mailcious 185.53.179.94 - mailcious 34.102.136.180 - mailcious 89.31.143.1 - mailcious 35.214.244.56 154.208.173.49 23.227.38.74 - mailcious 208.91.197.91 - mailcious 118.27.122.218 - mailcious
IDS alerts (2): ET MALWARE FormBook CnC Checkin (GET) | SURICATA HTTP Unexpected Request body
Rule-matched URLs (13): http://www.redherring.agency/hr8n/ http://www.redherring.agency/hr8n/ http://www.saamcoheir.quest/hr8n/ http://www.apnagas.com/hr8n/ http://www.secure01bchslogin.com/hr8n/ http://www.apnagas.com/hr8n/ http://www.suvsangebotguenstigdeorg.com/hr8n/ http://www.libbybruce.space/hr8n/ http://www.pochi-owarai.com/hr8n/ http://www.suvsangebotguenstigdeorg.com/hr8n/ http://www.secure01bchslogin.com/hr8n/ http://www.libbybruce.space/hr8n/ http://www.pochi-owarai.com/hr8n/

13541 | 2021-10-14 15:35 | 9.2 | | 11 | ZeroCERT
File: rundll32.exe 51dcc89ed1035a6c2fc57ada8dcb4dc2
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (10): http://www.healthyweekendtips.com/fqiq/?tXU4=nFNrhldW1G3Iuc6NBw1UbSwwpktYb/50pHeyo/0a7tjLnrEnAw7KG36PTjcGJ5KEduXnU9Wd&Ulq86=GTgP1na8nVSXkp http://www.srofkansas.com/fqiq/ http://www.ecarehomes.com/fqiq/ http://www.esyscoloradosprings.com/fqiq/ http://www.hirayaawards.com/fqiq/ http://www.esyscoloradosprings.com/fqiq/?tXU4=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&Ulq86=GTgP1na8nVSXkp http://www.srofkansas.com/fqiq/?tXU4=wFDpWBcybTtkZf6rJwxG8GxnrXCHdVwe5dpvC2P+G/35kvGl/Iz1QduPYt3eFaCRSD2mr4cI&Ulq86=GTgP1na8nVSXkp http://www.healthyweekendtips.com/fqiq/ http://www.ecarehomes.com/fqiq/?tXU4=kE7Vu6vPDcd1WfWVKKteHdpK4u5SUBt14Yatq6Mzh32VxiCRLzk8hIpR+XL7Q/vEg46arPR2&Ulq86=GTgP1na8nVSXkp http://www.hirayaawards.com/fqiq/?tXU4=ioMS2OB6gtffPyZHC2v0o2NbJMBvgda4J5Uj88jwpqxw8lz3q3Yy68AoxtXePEBB3Y0v4zlH&Ulq86=GTgP1na8nVSXkp
Hosts (13): www.healthyweekendtips.com(172.67.216.2) www.kirtansangeet.com(62.138.8.22) www.pharmacistcharisma.com() www.srofkansas.com(199.59.242.153) www.qywyfeo8.xyz() www.esyscoloradosprings.com(108.167.135.122) www.ecarehomes.com(34.102.136.180) www.hirayaawards.com(172.217.175.51) 104.21.78.41 - phishing 108.167.135.122 34.102.136.180 - mailcious 199.59.242.153 - mailcious 74.125.204.121
IDS alerts (2): ET MALWARE FormBook CnC Checkin (GET) | SURICATA HTTP unable to match response to request

13542 | 2021-10-14 15:36 | 3.4 | | | ZeroCERT
File: vbc.exe ab92b4fd3e3524b4b238b23ce7eda0e8
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee DNS crashed
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (5): apps.identrust.com(119.207.65.137) pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious 62.138.8.22 121.254.136.57
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

13543 | 2021-10-14 15:37 | 16.4 | M | 36 | ZeroCERT
File: asdERTYgh56F.exe b866823e1f8f4a52376bd108c457dd78
Tags: Gen2 Gen1 Generic Malware UPX Malicious Library DNS AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process sandbox evasion WriteConsoleW human activity check Windows ComputerName Remote Code Execution DNS DDNS crashed
Hosts (2): ezeani.duckdns.org(194.5.98.48) 194.5.98.48
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

13544 | 2021-10-14 15:38 | 5.4 | M | 32 | ZeroCERT
File: Documents.exe c2f9ae069b620080b761d9280473e7aa
Tags: Gen2 Gen1 Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows Remote Code Execution crashed

13545 | 2021-10-14 15:38 | 7.8 | | 17 | ZeroCERT
File: 123.dll 584aa8473d873ecccb7601672550f4dc
Tags: Emotet Gen1 UPX Malicious Library PE File PE32 OS Processor Check DLL Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
URLs (1): https://45.36.99.184/sat4/TEST22-PC_W617601.F57A8FB7AD33F1A6BBC8B31029F34741/5/file/
Hosts (5): 179.189.229.254 - mailcious 216.166.148.187 - mailcious 60.51.47.65 - mailcious 185.56.175.122 - mailcious 45.36.99.184 - mailcious
IDS alerts (4): ET CNC Feodo Tracker Reported CnC Server group 19 | ET CNC Feodo Tracker Reported CnC Server group 11 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)