13606 | 2021-10-15 09:14 | game.exe | 6aa2ecbc4dec00bba7febafced91e048
UPX Malicious Library PE File PE32 OS Processor Check PDB unpack itself
1.0 | ZeroCERT

13607 | 2021-10-15 09:15 | VLTKTanthuTN.exe | 72ae1ef77048260282b4e791eede5e3c
RAT PWS .NET framework Generic Malware Malicious Packer PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces human activity check Windows crashed keylogger
URLs: 3
http://free.timeanddate.com/clock/i3jl68nm/n246/tlir/tt0/tw0/tm3/th1 http://kimyen.net/vltk/tanthu/VLTKTanthuPb.txt http://kimyen.info/vltk/tanthu/VLTKTanthuPb.txt
Hosts: 14
9.0 | 15 | ZeroCERT

13608 | 2021-10-15 09:16 | 1562391525.exe | 604b759172262363118ab37833ca63bb
PE File PE32 VirusTotal Malware unpack itself Windows utilities WriteConsoleW Windows ComputerName
2.8 | 23 | ZeroCERT

13609 | 2021-10-15 09:17 | 112.exe | 503015d7869b5edd64e07b0c733df2fc
Lazarus Family Themida Packer UPX Anti_VM Malicious Library PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Windows Remote Code Execution Firmware DNS Cryptographic key crashed
URLs: 1
http://138.124.186.66:3552/
Hosts: 1
7.4 | M | 22 | ZeroCERT

13610 | 2021-10-15 09:19 | update.exe | 9488b446052990dfb70a62e3efa57477
Generic Malware Antivirus Malicious Packer Malicious Library Create Service DGA Socket DNS Code injection Sniff Audio HTTP Internet API KeyLogger FTP ScreenShot Http API Escalate privileges Downloader P2P Steal credential AntiDebug AntiVM PE File PE32 PE VirusTotal Cryptocurrency Miner Malware Cryptocurrency powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Hosts: 2
pool.supportxmr.com(149.202.83.171) - malicious 37.187.95.110 - malicious
Signatures: 1
ET POLICY Cryptocurrency Miner Checkin
8.4 | M | 33 | ZeroCERT

13611 | 2021-10-15 09:40 | me.exe | 8cbc2f3f7e55f6d8a1e28816d9621d0a
RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Disables Windows Security Check virtual network interfaces WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs: 2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts: 4
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.70) 193.122.6.168 172.67.188.154
Signatures: 3
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | M | 24 | ZeroCERT

13612 | 2021-10-15 09:41 | LS.exe | 50bc873b8e08fdc5832350f377a1b5a7
UPX Malicious Library PE File PE32 VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Windows crashed
4.0 | M | 43 | ZeroCERT

13613 | 2021-10-15 09:41 | vbc.exe | 10397feb14b5e8aad2b1e8fd3686763c
UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | M | 37 | ZeroCERT

13614 | 2021-10-15 09:42 | vbc.exe | 607afbfc6f90d724bd7014ca4ab30be5
PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs: 20
Hosts: 21
Signatures: 1
ET MALWARE FormBook CnC Checkin (GET)
8.2 | M | 18 | ZeroCERT

13615 | 2021-10-15 09:44 | vbc.exe | 215e5cc2650d15c79ab17bd24e8458b9
UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
2.4 | M | 29 | ZeroCERT

13616 | 2021-10-15 09:44 | aeopmguywjffmigwnfbefrvgqg.exe | 8d81b074c6351ef6cb801ddbc24d4354
PWS Loki[b] Loki.m Generic Malware task schedule Antivirus DNS KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder WriteConsoleW IP Check Windows ComputerName DNS Cryptographic key DDNS crashed
URLs: 1
Hosts: 6
sommerishere.sytes.net(194.5.98.99) - malicious mommerishere.sytes.net(154.118.104.87) ip-api.com(208.95.112.1) 154.118.104.87 194.5.98.99 208.95.112.1
Signatures: 1
ET POLICY External IP Lookup ip-api.com
14.8 | M | 31 | ZeroCERT

13617 | 2021-10-15 09:46 | vbc.exe | 025eaccfdecb9df000e526122ce84aa2
UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution DNS
Hosts: 1
3.2 | M | 31 | ZeroCERT

13618 | 2021-10-15 09:46 | vbc.exe | 09a2d9ea4a18f01aff698b8cfc98a87e
UPX Malicious Library PE File PE32 VirusTotal Malware DNS
Hosts: 1
1.6 | M | 14 | ZeroCERT

13619 | 2021-10-15 09:49 | PrimeAuth.exe | 6e88324fa975a177ec1aae3a7e9cbf0c
RAT PWS .NET framework Generic Malware UPX Malicious Library PE File PE32 OS Processor Check .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
2.0 | M | 47 | ZeroCERT

13620 | 2021-10-15 09:50 | 1st0build.exe | fa36788c0488fe6f660e5ea1e9ca277a
RAT PWS .NET framework Generic Malware ASPack Malicious Packer UPX Malicious Library Antivirus AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs: 4
http://apps.identrust.com/roots/dstrootcax3.p7c https://cdn.discordapp.com/attachments/893177342426509335/897835449870090250/D3E31C82.jpg https://b.ckauni.ru/ https://cdn.discordapp.com/attachments/893177342426509335/897835452164366366/FBFC4F80.jpg
Hosts: 7
apps.identrust.com(119.207.65.153) b.ckauni.ru(81.177.141.85) cdn.discordapp.com(162.159.130.233) - malware 212.193.30.193 81.177.141.85 - malicious 162.159.129.233 - malware 182.162.106.26
Signatures: 1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
18.2 | M | 38 | ZeroCERT