13666 | 2021-10-16 13:01 | FSD~039876363-30987.Com | 6dff455b59af4478e43bf4ef5daa9f6f
Tags: RAT PWS .NET framework Generic Malware UPX DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName DNS DDNS
Hosts (2): 1116.hopto.org(185.140.53.9) - mailcious | 185.140.53.9 - mailcious
IDS alerts (1): ET POLICY DNS Query to DynDNS Domain *.hopto .org
15.4 | | 24 | ZeroCERT

13667 | 2021-10-16 13:03 | Hjs~0093876353673-98376536783.... | 7d63624fabc2c8179bc4935080fc0604
Tags: RAT PWS .NET framework Generic Malware UPX DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
Hosts (2): 1116.hopto.org(185.140.53.9) - mailcious | 185.140.53.9 - mailcious
IDS alerts (1): ET POLICY DNS Query to DynDNS Domain *.hopto .org
15.0 | | 28 | ZeroCERT

13668 | 2021-10-16 13:04 | New Order.exe | ab21627d840ca71be2fd3d2397657a54
Tags: AgentTesla(IN) RAT Generic Malware UPX Antivirus Malicious Packer Malicious Library DNS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed
Hosts (2): emedoo.ddns.net(185.140.53.133) - mailcious | 185.140.53.133 - mailcious
IDS alerts (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.8 | | | ZeroCERT

13669 | 2021-10-16 13:05 | trend-1804391448.xls | 883e781ec9576dddd2277c73bc0bf26e
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://elcbd.net/QJ89y2Nztyh/alena.html
https://pmbtvonline.com/HHQxjY8UnnDR/ale.html
https://saftronics.co.za/WRpRfTpvJ/alen.html
Hosts (6): saftronics.co.za(196.37.111.115) | pmbtvonline.com(192.185.227.95) | elcbd.net(209.222.97.206) | 209.222.97.206 | 196.37.111.115 - mailcious | 192.185.227.95 - malware
IDS alerts (2): ET INFO TLS Handshake Failure | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 | | | guest

13670 | 2021-10-16 13:08 | trend-1804618933.xls | 7219c4992a9852eaf8b619b165c17cc7
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://elcbd.net/QJ89y2Nztyh/alena.html
https://pmbtvonline.com/HHQxjY8UnnDR/ale.html
https://saftronics.co.za/WRpRfTpvJ/alen.html
Hosts (6): saftronics.co.za(196.37.111.115) | pmbtvonline.com(192.185.227.95) | elcbd.net(209.222.97.206) | 209.222.97.206 | 196.37.111.115 - mailcious | 192.185.227.95 - malware
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure
4.0 | | | guest

13671 | 2021-10-16 13:10 | trend-1805140215.xls | 0c9961a5d8c7ee6bda37f75d1a59e8d9
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://elcbd.net/QJ89y2Nztyh/alena.html
https://pmbtvonline.com/HHQxjY8UnnDR/ale.html
https://saftronics.co.za/WRpRfTpvJ/alen.html
Hosts (6): saftronics.co.za(196.37.111.115) | pmbtvonline.com(192.185.227.95) | elcbd.net(209.222.97.206) | 209.222.97.206 | 196.37.111.115 - mailcious | 192.185.227.95 - malware
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure
4.0 | | | guest

13672 | 2021-10-16 13:11 | clipe.exe | 2c55be40df541743683b7be0cdcd31bc
Tags: RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
11.2 | | 23 | ZeroCERT

13673 | 2021-10-16 13:12 | TRAN31.exe | c53015e5e1f2f0fd85f21e00b65f80e2
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Anti_VM Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
8.4 | | | ZeroCERT

13674 | 2021-10-16 13:20 | csrss.exe | b2fdec3c92a41a4e140b334184ef4e30
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 47 | ZeroCERT

13675 | 2021-10-16 13:22 | rundll32.exe | 09c8e4c071be047a8e47bc7da2144a86
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (16):
http://www.yamacorp.digital/fqiq/?oPqLRL=M8EV+3ovsEMdktBkEix26icKR/EOtVSURZNfj8BEgByaWxyramv04i2EvFiTdonxleLcsdR4&Lv0h=ZVypVbS8c
http://www.weeden.xyz/fqiq/
http://www.srofkansas.com/fqiq/ - rule_id: 6445
http://www.esyscoloradosprings.com/fqiq/ - rule_id: 6444
http://www.yamacorp.digital/fqiq/
http://www.4bellemaison.com/fqiq/
http://www.seal-brother.com/fqiq/?oPqLRL=mnFbYCr+AW78Kl2ulk1rPiA6Of2qOAThWlvrEIJbjMlKOtQ7tqTA3v+J7YK2FP1KSWelWkwc&Lv0h=ZVypVbS8c
http://www.hanenosuke.com/fqiq/
http://www.sophiagunterman.art/fqiq/?oPqLRL=xr2hRkHSJ+UsXowxi6McaJRxgcInZTFjwe9eYARVx2PKFNYpXRh/IJY1HCqVtWxffV7QcJh9&Lv0h=ZVypVbS8c
http://www.esyscoloradosprings.com/fqiq/?oPqLRL=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&Lv0h=ZVypVbS8c - rule_id: 6444
http://www.weeden.xyz/fqiq/?oPqLRL=USYLug/oA1YO3zHhBpyf49MelhMmknrjwB+F0T6I7p0aWr8Ic8GlSHHjxu6xNcH2bdjI/bcO&Lv0h=ZVypVbS8c
http://www.4bellemaison.com/fqiq/?oPqLRL=pVy0te3+f5YTkdzZvZ2VLxiaenEFjhJOmtKP8w+eQDwc/hJpDlGml3GHPqPqoWWLi+7PNiIM&Lv0h=ZVypVbS8c
http://www.sophiagunterman.art/fqiq/
http://www.srofkansas.com/fqiq/?oPqLRL=wFDpWBcybTtkZf6rJwxG8GxnrXCHdVwe5dpvC2P+G/35kvGl/Iz1QduPYt3eFaCRSD2mr4cI&Lv0h=ZVypVbS8c - rule_id: 6445
http://www.seal-brother.com/fqiq/
http://www.hanenosuke.com/fqiq/?oPqLRL=xeMdXENerBxjIMz2FKChqf1nt0cxl+Ge/IuoWLeYNAKPizmuJVRlAC2vXkQEDiA7tI/nE2A5&Lv0h=ZVypVbS8c
Hosts (19): www.mountlaketerraceapartments.com() | www.hanenosuke.com(104.21.96.28) | www.sophiagunterman.art(34.225.31.148) | www.4bellemaison.com(52.147.15.202) | www.srofkansas.com(199.59.242.153) | www.qywyfeo8.xyz() - mailcious | www.yamacorp.digital(185.61.153.108) | www.seal-brother.com(59.106.13.53) | www.esyscoloradosprings.com(108.167.135.122) | www.weeden.xyz(192.185.5.49) | www.dmc--llc.com() | 35.169.40.107 - mailcious | 108.167.135.122 - mailcious | 172.67.150.160 | 185.61.153.108 - phishing | 52.147.15.202 - mailcious | 192.185.5.49 | 199.59.242.153 - mailcious | 59.106.13.53
IDS alerts (3): ET MALWARE FormBook CnC Checkin (GET) | ET HUNTING Request to .XYZ Domain with Minimal Headers | SURICATA HTTP unable to match response to request
Flagged URLs (4): http://www.srofkansas.com/fqiq/ | http://www.esyscoloradosprings.com/fqiq/ | http://www.esyscoloradosprings.com/fqiq/ | http://www.srofkansas.com/fqiq/
8.4 | M | 17 | ZeroCERT

13676 | 2021-10-16 13:22 | .lsass.exe | f1d94fcc611053cd5162e70dc36fddfa
Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself crashed
2.4 | M | 38 | ZeroCERT

13677 | 2021-10-16 13:22 | ole.exe | 53e0ffb4bae3b44092706ccb01cf99f5
Tags: NSIS Malicious Library UPX PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://63.250.40.204/~wpdemo/file.php?search=719442
Hosts (1):
IDS alerts (6): ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M2
11.2 | M | 34 | ZeroCERT

13678 | 2021-10-16 13:22 | kv3.dll | 5c76498485ac6534b1b1aa0d6d543762
Tags: Generic Malware Malicious Library UPX PE File PE32 DLL VirusTotal Malware
1.8 | M | 46 | ZeroCERT

13679 | 2021-10-16 13:24 | chrome.exe | a6654b9757e5cecbd124a6d157c11ec0
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Checks debugger buffers extracted unpack itself Tofsee
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4): apps.identrust.com(119.207.65.137) | store2.gofile.io(31.14.69.10) - mailcious | 31.14.69.10 - mailcious | 23.59.72.9
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 | M | 22 | ZeroCERT

13680 | 2021-10-16 13:26 | Oxqfxohrjqryauuonybvsdergonzry... | a8521386eacf0f858077249faa381763
Tags: Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName crashed
URLs (3):
https://ok0muq.by.files.1drv.com/y4mXn3SB0c_rGmgXxjbH3WmsppOibbL1oZlW_b9zNu1Rx8XhZjP5jfvuXh4_Qxkk7alRd6tzyqugEoIqRqia9VXhCi-qHc4nV1eEqqZYxL09QqabDodVVaeAjr9QKU4OcnvpEiaLJn_lNvvRk5nSRSglAUUEkH2uR3f2HucXpts-XB8ZMJS-8maqxetjB-Cp_5UTXnZqAhAKCsuyMmQrFYK3Q/Oxqfxohrjqryauuonybvsdergonzryw?download&psid=1
https://onedrive.live.com/download?cid=8CDD9A903CA2B7A1&resid=8CDD9A903CA2B7A1%21121&authkey=AE4pGuvsTEf3vdI
https://ok0muq.by.files.1drv.com/y4mqHdWeQYGK5cbxmAzdiBSNTk4dffD-Ux0OULCWBTQdnmGloOWxVwE84xYkIhVD9KkYQ9lq_2wnzd0HMh6CgniFyiFiDaIpIHHYq1pIdhQtBjSorBL-s0HLwukMAbS0of6PmckxpqSsT_GI8ycKX1OiicltQgceZjhZoGLoNx40m0l0qTLluxGC1FTgeLgLPGO2srxxLy08oKJJMgx4wFpKA/Oxqfxohrjqryauuonybvsdergonzryw?download&psid=1
Hosts (4): onedrive.live.com(13.107.42.13) - mailcious | ok0muq.by.files.1drv.com(13.107.42.12) | 13.107.42.13 - mailcious | 13.107.42.12 - malware
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | M | 22 | ZeroCERT