Sandbox listing, 2021-10-14, entries 13561 to 13575. Each entry is given as: ID | time | file name, then MD5, behaviour tags, contacted URLs, resolved hosts and IPs (with the listing's own "malicious"/"phishing" labels), IDS alerts, and finally score | further columns as in the source | submitting user. Empty cells are shown as "-".

13561 | 2021-10-14 15:58 | j99zauz.jpg
  MD5: fddd5965364792568919cdf03a75f6e0
  Tags: Gen2 Gen1 Malicious Library PE File PE32 DLL VirusTotal Malware PDB unpack itself crashed
  URLs: - | Hosts: - | IDS alerts: -
  Score: 1.2 | M | 6 | ZeroCERT

13562 | 2021-10-14 16:00 | wv9tasf7.jpg
  MD5: 06d34db8e51b48f3ab3b2e56a44d4f74
  Tags: Gen2 Gen1 Malicious Library PE File PE32 DLL VirusTotal Malware PDB unpack itself crashed
  URLs: - | Hosts: - | IDS alerts: -
  Score: 1.2 | M | 8 | ZeroCERT

13563 | 2021-10-14 16:12 | art-717340505.xls
  MD5: 264088059456facc8baadf2a2ba6593a
  Tags: Downloader MSOffice File ICMP traffic RWX flags setting unpack itself suspicious process Tofsee
  URLs (4):
    http://x1.i.lencr.org/
    https://bostonavenue.org/zunSJE0UYwbJ/sunise.html
    https://pmqdermatology.com.au/0aafNmAW9/suraise.html
    https://funzy.id/0KICC3zxK2nT/sunraie.html
  Hosts (8):
    pmqdermatology.com.au (101.0.119.207)
    x1.i.lencr.org (104.74.211.103)
    funzy.id (194.233.72.245)
    bostonavenue.org (216.172.187.35)
    101.0.119.207 - malicious
    194.233.72.245
    104.74.211.103
    216.172.187.35
  IDS alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
    ET INFO TLS Handshake Failure
  Score: 4.8 | - | - | guest

13564 | 2021-10-14 16:13 | Payment_Receipt 2422.xls
  MD5: e63deaea51f7cc2064ff808e11e1ad55
  Tags: VBA_macro Generic Malware KeyLogger ScreenShot AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself
  URLs: - | Hosts: - | IDS alerts: -
  Score: 2.4 | - | 9 | ZeroCERT

13565 | 2021-10-14 16:14 | art-71766134.xls
  MD5: 4651c9768697acf3a15a80f61c8ae749
  Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
  URLs (4):
    http://x1.i.lencr.org/
    https://bostonavenue.org/zunSJE0UYwbJ/sunise.html
    https://pmqdermatology.com.au/0aafNmAW9/suraise.html
    https://funzy.id/0KICC3zxK2nT/sunraie.html
  Hosts (8):
    pmqdermatology.com.au (101.0.119.207)
    x1.i.lencr.org (104.76.75.146)
    bostonavenue.org (216.172.187.35)
    funzy.id (194.233.72.245)
    101.0.119.207 - malicious
    194.233.72.245
    104.76.75.146
    216.172.187.35
  IDS alerts (4):
    ET INFO TLS Handshake Failure
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
  Score: 4.0 | - | - | guest

13566 | 2021-10-14 16:16 | art-718184786.xls
  MD5: a9e51062b4512cfb98065c71ce7b2605
  Tags: Downloader MSOffice File ICMP traffic RWX flags setting unpack itself suspicious process Tofsee
  URLs (4):
    http://x1.i.lencr.org/
    https://bostonavenue.org/zunSJE0UYwbJ/sunise.html
    https://pmqdermatology.com.au/0aafNmAW9/suraise.html
    https://funzy.id/0KICC3zxK2nT/sunraie.html
  Hosts (8):
    pmqdermatology.com.au (101.0.119.207)
    x1.i.lencr.org (104.76.75.146)
    funzy.id (194.233.72.245)
    bostonavenue.org (216.172.187.35)
    101.0.119.207 - malicious
    194.233.72.245
    104.74.211.103
    216.172.187.35
  IDS alerts (4):
    ET INFO TLS Handshake Failure
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
  Score: 4.8 | - | - | guest

13567 | 2021-10-14 16:45 | Documents.lnk
  MD5: db8f42a798dd65d9bd8398c3e2564f06
  Tags: Generic Malware AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Creates shortcut unpack itself crashed
  URLs: - | Hosts: - | IDS alerts: -
  Score: 2.4 | - | 8 | ZeroCERT

13568 | 2021-10-14 16:45 | Advice from Standard Chartered...
  MD5: 57b0ad14b76c30bdaef9b5c06028a746
  Tags: RAT PWS .NET framework Generic Malware Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE Malware download Nanocore VirusTotal Malware c&c powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed
  URLs: -
  Hosts (3):
    tochi.ddns.net (194.5.98.11)
    37.235.1.174 - malicious
    194.5.98.11 - malicious
  IDS alerts (2):
    ET POLICY DNS Query to DynDNS Domain *.ddns .net
    ET MALWARE Possible NanoCore C2 60B
  Score: 14.2 | - | 20 | ZeroCERT

13569 | 2021-10-14 16:47 | 1.dll
  MD5: a3dfaa6badd480c93af825510e7cd1d2
  Tags: UPX Malicious Library PE64 PE File OS Processor Check DLL VirusTotal Malware Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check crashed
  URLs: - | Hosts: - | IDS alerts: -
  Score: 2.6 | - | 8 | ZeroCERT

13570 | 2021-10-14 16:47 | EXPORT DOCUMENTS_CMR_INVOICE_I...
  MD5: 0a3212c04eeaed201c4038ab6dd3631b
  Tags: Generic Malware UPX Antivirus DNS AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
  URLs: -
  Hosts (3):
    accept.ddns.net (197.210.55.106) - malicious
    197.210.55.106
    37.235.1.174 - malicious
  IDS alerts (1):
    ET POLICY DNS Query to DynDNS Domain *.ddns .net
  Score: 14.2 | - | - | ZeroCERT

13571 | 2021-10-14 16:50 | KRSEL0000056286.JPG.scr
  MD5: d6f040b4d7d217b8525dff843feba635
  Tags: Gen2 Gen1 Generic Malware UPX Malicious Library DNS AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName Remote Code Execution crashed
  URLs: - | Hosts: - | IDS alerts: -
  Score: 13.2 | - | 43 | ZeroCERT

13572 | 2021-10-14 16:50 | IMG.00000201419.PNG.scr
  MD5: 664d73b23eddfcd0227786b9d0f5d022
  Tags: Gen2 Gen1 Generic Malware UPX Malicious Library DNS AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName Remote Code Execution DNS DDNS crashed
  URLs: -
  Hosts (3):
    strongodss.ddns.net (197.210.84.249) - malicious
    185.19.85.175 - malicious
    197.210.84.249
  IDS alerts (1):
    ET POLICY DNS Query to DynDNS Domain *.ddns .net
  Score: 16.0 | - | 29 | ZeroCERT

13573 | 2021-10-14 16:52 | New Order.exe
  MD5: 76ce20e50cfef6b8e5397b581105ba95
  Tags: PWS .NET framework Generic Malware UPX Antivirus DNS AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE Malware download Nanocore Malware c&c powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
  URLs: -
  Hosts (3):
    luf.ddns.net (79.134.225.71) - malicious
    79.134.225.71 - malicious
    37.235.1.174 - malicious
  IDS alerts (2):
    ET POLICY DNS Query to DynDNS Domain *.ddns .net
    ET MALWARE Possible NanoCore C2 60B
  Score: 14.8 | - | - | ZeroCERT

13574 | 2021-10-14 16:53 | Ord20211310570045368963AC.exe
  MD5: f6fde8532e45bb49f3220e64c10d11a1
  Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
  URLs (5):
    http://www.partnerbebefits.com/gab8/?GPJ=V0qvKrnMUJDi81wWgfCGXFlKI9Inm7hsI52w8XiW782EdtYgyy70qnkOHaG3FEy6fk+0RrrY&oX=Txo8nZfhzrhh
    http://www.boraeresici.com/gab8/?GPJ=C6SAXr8o/G/VasXP2qBsDB1rn5jVEpLr3WZGajDPG/enBmYnBlFkkW82TIheSrxSSIWa+io/&oX=Txo8nZfhzrhh
    http://www.royzoom.com/gab8/?GPJ=ZIawR5WdNK8LsYg64y/ZuRppdufcVyCLEEhqXcgQhf+tR4phV0yge9w0mkSWMgIPzVTRYdnK&oX=Txo8nZfhzrhh
    http://www.happyklikshop.com/gab8/?GPJ=mENu3k3BXCWZ2Tc/aQbax23yXM1wufSrwsbmwarZbMNjditOASquAUrBwrS1LEID6g38HMxw&oX=Txo8nZfhzrhh
    http://www.aucoeurducadeau.com/gab8/?GPJ=5qlSZ+6CVF2mMX6CKg0IqzY1EC3Y5wWy7JN18ATTVTS3aqcQwyHFrUSTTu0cVUImGKaDUota&oX=Txo8nZfhzrhh
  Hosts (13):
    www.boraeresici.com (92.223.73.24)
    www.royzoom.com (184.168.131.241)
    www.aucoeurducadeau.com (213.186.33.5)
    www.fullamodatoptan.com (not resolved)
    www.happyklikshop.com (109.106.253.204)
    www.babyfloki.tech (not resolved)
    www.schnurrgallery.com (not resolved)
    www.partnerbebefits.com (103.224.182.242)
    184.168.131.241 - malicious
    213.186.33.5 - malicious
    109.106.253.204
    92.223.73.24
    103.224.182.242 - phishing
  IDS alerts (2):
    ET MALWARE FormBook CnC Checkin (GET)
    SURICATA HTTP Unexpected Request body
  Score: 8.6 | - | 10 | ZeroCERT

13575 | 2021-10-14 16:54 | Ord20211310570045368964AL.exe
  MD5: 0cb1c28aaae7fb100c41281e5c9b6c2b
  Tags: RAT PWS .NET framework Generic Malware task schedule Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
  URLs: -
  Hosts (2):
    aliensoldier.duckdns.org (194.127.178.3)
    194.127.178.3
  IDS alerts (1):
    ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  Score: 12.4 | - | 10 | ZeroCERT
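Two things in this listing are worth doing by script rather than by eye: the three Tofsee-tagged .xls lures (13563, 13565, 13566) are different hashes that fetch exactly the same payload URLs, so they are one campaign rather than three, and the host lists mix attacker infrastructure with hosts that every sample touches but that should never land on a blocklist. The script below is an added example, not code from the listing site: it parses host cells of the form "domain(ip) - tag", pulls out MD5s, domains, IPs and URLs, drops an allowlist, and clusters samples by shared payload URLs. The RECORDS are constructed by hand from entries 13563, 13565, 13568, 13573 and 13574 above (hashes, URLs and host cells copied from the listing); the allowlist is this example's own assumption: x1.i.lencr.org is Let's Encrypt's CA issuer/CRL host, contacted while the download's TLS chain is validated, and 37.235.1.174 recurs across unrelated DDNS-based samples, which is what a shared resolver, not a C2, looks like.

```python
"""Extract IOCs from sandbox listing records and pivot on shared infrastructure.

Added example, not code from the listing site.  RECORDS is constructed by hand
from entries 13563, 13565, 13568, 13573 and 13574 of the listing; the
allowlist and the clustering heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hosts the samples contact that are not attacker infrastructure.
# x1.i.lencr.org is Let's Encrypt's CA issuer/CRL host (fetched during TLS
# chain validation); 37.235.1.174 recurs across unrelated DDNS-based samples,
# i.e. a shared resolver rather than a C2.
ALLOWLIST_DOMAINS = {"x1.i.lencr.org"}
ALLOWLIST_IPS = {"37.235.1.174"}

TOFSEE_URLS = [  # identical across three different .xls hashes in the listing
    "http://x1.i.lencr.org/",
    "https://bostonavenue.org/zunSJE0UYwbJ/sunise.html",
    "https://pmqdermatology.com.au/0aafNmAW9/suraise.html",
    "https://funzy.id/0KICC3zxK2nT/sunraie.html",
]
RECORDS = [  # constructed from the listing entries named above
    {"id": 13563, "md5": "264088059456facc8baadf2a2ba6593a", "urls": TOFSEE_URLS,
     "hosts": ["pmqdermatology.com.au(101.0.119.207)", "x1.i.lencr.org(104.74.211.103)",
               "funzy.id(194.233.72.245)", "bostonavenue.org(216.172.187.35)",
               "101.0.119.207 - malicious", "194.233.72.245", "104.74.211.103", "216.172.187.35"]},
    {"id": 13565, "md5": "4651c9768697acf3a15a80f61c8ae749", "urls": TOFSEE_URLS,
     "hosts": ["pmqdermatology.com.au(101.0.119.207)", "x1.i.lencr.org(104.76.75.146)",
               "funzy.id(194.233.72.245)", "bostonavenue.org(216.172.187.35)",
               "101.0.119.207 - malicious", "194.233.72.245", "104.76.75.146", "216.172.187.35"]},
    {"id": 13568, "md5": "57b0ad14b76c30bdaef9b5c06028a746", "urls": [],
     "hosts": ["tochi.ddns.net(194.5.98.11)", "37.235.1.174 - malicious", "194.5.98.11 - malicious"]},
    {"id": 13573, "md5": "76ce20e50cfef6b8e5397b581105ba95", "urls": [],
     "hosts": ["luf.ddns.net(79.134.225.71) - malicious", "79.134.225.71 - malicious",
               "37.235.1.174 - malicious"]},
    {"id": 13574, "md5": "f6fde8532e45bb49f3220e64c10d11a1",
     "urls": ["http://www.royzoom.com/gab8/?GPJ=ZIawR5WdNK8LsYg64y/ZuRppdufcVyCLEEhqXcgQhf+tR4phV0yge9w0mkSWMgIPzVTRYdnK&oX=Txo8nZfhzrhh"],
     "hosts": ["www.royzoom.com(184.168.131.241)", "www.fullamodatoptan.com()",
               "184.168.131.241 - malicious"]},
]

HOST_CELL = re.compile(r"([^()\s]+)\((\d{1,3}(?:\.\d{1,3}){3})?\)")  # domain(ip) or domain()
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_host(cell):
    """Split 'domain(ip)', 'domain()' (never resolved) or bare 'ip', each with an
    optional ' - <tag>' suffix, into (domain, ip, tag); None where absent."""
    tag = None
    if " - " in cell:
        cell, tag = [part.strip() for part in cell.rsplit(" - ", 1)]
    m = HOST_CELL.fullmatch(cell)
    if m:
        return m.group(1), m.group(2), tag
    if BARE_IP.fullmatch(cell):
        return None, cell, tag
    raise ValueError(f"unrecognised host cell: {cell!r}")


def extract_iocs(records):
    """Collect hashes, domains, IPs and URLs, dropping allowlisted names, allowlisted
    IPs, and any IP the sandbox resolved for an allowlisted name."""
    benign_ips = set(ALLOWLIST_IPS)
    for rec in records:
        for cell in rec["hosts"]:
            domain, ip, _ = parse_host(cell)
            if domain in ALLOWLIST_DOMAINS and ip:
                benign_ips.add(ip)
    iocs = {"md5": set(), "domain": set(), "ip": set(), "url": set()}
    for rec in records:
        iocs["md5"].add(rec["md5"])
        for url in rec["urls"]:
            if urlparse(url).hostname not in ALLOWLIST_DOMAINS:
                iocs["url"].add(url)
        for cell in rec["hosts"]:
            domain, ip, _ = parse_host(cell)
            if domain and domain not in ALLOWLIST_DOMAINS:
                iocs["domain"].add(domain)
            if ip and ip not in benign_ips:
                iocs["ip"].add(ip)
    return iocs


def cluster_by_urls(records):
    """Group hashes that fetch the same non-allowlisted URL set: different lure
    hashes sharing one payload path are one campaign."""
    clusters = defaultdict(set)
    for rec in records:
        key = frozenset(u for u in rec["urls"] if urlparse(u).hostname not in ALLOWLIST_DOMAINS)
        if key:
            clusters[key].add(rec["md5"])
    return {key: md5s for key, md5s in clusters.items() if len(md5s) > 1}


def defang(ioc):
    """Make a URL, domain or IP safe to paste into a ticket."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    found = extract_iocs(RECORDS)
    for kind in ("md5", "domain", "ip", "url"):
        for value in sorted(found[kind]):
            print(kind, value if kind == "md5" else defang(value))
    for urls, md5s in cluster_by_urls(RECORDS).items():
        print("shared payload URLs", sorted(map(defang, urls)), "->", sorted(md5s))
```

The allowlist is applied after resolution, so the IPs the sandbox resolved for x1.i.lencr.org (104.74.211.103, 104.76.75.146) are excluded along with the name; blocking a CA's CRL host by IP is a common way to break TLS validation for an entire estate. The cluster output shows the two .xls hashes included here collapsing onto one set of three payload URLs, which is the pivot to feed back into hunting rather than the individual hashes.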