13681 |
2021-10-16 13:26
|
file.exe c200e4d07007a35710e92d7dfceb0324 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
1.8 |
M |
28 |
ZeroCERT
13682 |
2021-10-16 13:29
|
vbc.exe cc92dedec89f09b08729784048f1060b Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed |
1
https://cdn.discordapp.com/attachments/893140719018074156/898293922470707280/Dkymiyhznmowgddxyesvhguburkkhid
|
2
cdn.discordapp.com(162.159.134.233) - malware 162.159.133.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
34 |
ZeroCERT
13683 |
2021-10-16 13:29
|
vbc.exe 7ca5a6d622c55365fda10c9e9ba8ee88 NSIS Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware Phishing suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
24
http://www.petanimals2021.com/hr8n/ - rule_id: 6413 http://www.metroprocesservers.com/hr8n/ http://www.apnagas.com/hr8n/ - rule_id: 6332 http://www.suvsangebotguenstigdeorg.com/hr8n/?b6=0uz0Q17Sfx93I9QMDgfv2FcHKGK5h9rfNO4V9s+zrmjnR/7GYJXF1g44bJEkuz64Y6KiX6Qm&DbG=_DKdFj - rule_id: 6328 http://www.thirdize.com/hr8n/?b6=Qa3RkDOgafNf+melphWyZKlqUuAjhP8HGanOQow9UjkiPbTvHr8bFxEtMyTD6MWjfTHARvhq&DbG=_DKdFj http://www.sairafashions.xyz/hr8n/ - rule_id: 6330 http://www.topomappro.com/hr8n/ http://www.taschenhimmel.guru/hr8n/?b6=yJ4GO29XYUJ6kbG1GRGXThACvN8qU+BD3SVuKAwHCyV4JpEO0MjgfQHHB8RtU9GLUJB1g/bU&DbG=_DKdFj - rule_id: 6337 http://www.thirdize.com/hr8n/ http://www.petanimals2021.com/hr8n/?b6=dhF4+GHKKWXHWz/d5EmptZUO4Y6cQInERplAOomPQSCFdac6mXYK7VAXrARsxAd8fsGWtC6P&DbG=_DKdFj - rule_id: 6413 http://www.goddesslifecbd.com/hr8n/?b6=GtvkudhA78tbF3WvE4bBZvCKlYqS4/vnN8UfWC/v3gZk1BTClvfo2IF/GomLTAo7w3kyh1zp&DbG=_DKdFj - rule_id: 6414 http://www.srivijayalakshmitravels.com/hr8n/?b6=9v/nC4SFMBfI4hKsuOB7MiStXQc7RohZ6Texmz1ZCQXWBvTc6q6eeiQy5bzdZDXxPhAdejER&DbG=_DKdFj http://www.metroprocesservers.com/hr8n/?b6=icc3nfQfldM2yDnz3ARimeMTo44uwW9Ag7RC8nnojD1Z8vvluU+zwlSnkBHNfngv3DZkdM+B&DbG=_DKdFj http://www.srivijayalakshmitravels.com/hr8n/ http://www.pochi-owarai.com/hr8n/?b6=wgLDzEI7JM5HW3UGruAf3rNm8/j8NE+Zr86Wwng2vxqt30foW8WvIulUjY9BDwGT0AcSiOsT&DbG=_DKdFj - rule_id: 6329 http://www.suvsangebotguenstigdeorg.com/hr8n/ - rule_id: 6328 http://www.reals-markets-34.xyz/hr8n/?b6=JruannHobxWHEFJ95PsW3egWrPXikKWWzJJvQqVwFcQ4tWxJTo35fEXQkvPsOyc+Y9/rElxg&DbG=_DKdFj http://www.pochi-owarai.com/hr8n/ - rule_id: 6329 http://www.taschenhimmel.guru/hr8n/ - rule_id: 6337 http://www.reals-markets-34.xyz/hr8n/ http://www.goddesslifecbd.com/hr8n/ - rule_id: 6414 http://www.sairafashions.xyz/hr8n/?b6=eY7bowusc/bCtxQMT3E4oiaJBtnJA6QvJzKziTbvMWKe2c93ynfcfmr+9Oy8QuoOqX4wikEz&DbG=_DKdFj - rule_id: 6330 http://www.apnagas.com/hr8n/?b6=pMGdtUWSDrqidj5eJ3dEayK/o6OFfDVrqiV5PnaA2tMYsbhRHtR8TpoDkey3LlwoIKw9ab9x&DbG=_DKdFj - rule_id: 6332 http://www.topomappro.com/hr8n/?b6=wiN28mWLGHEs9NOlV0zmk/4GYpeBqpVs+O1x9r8Kp44813DxbzeXSS8fzAR5x5rXvYyL3ygx&DbG=_DKdFj
|
24
www.suvsangebotguenstigdeorg.com(185.53.179.94) www.taschenhimmel.guru(34.102.136.180) www.metroprocesservers.com(34.102.136.180) www.pochi-owarai.com(118.27.122.218) www.tigerpay-partners.com() www.topomappro.com(101.100.203.40) www.goddesslifecbd.com(34.102.136.180) www.thirdize.com(206.188.193.204) www.sairafashions.xyz(103.148.14.203) www.petanimals2021.com(185.201.11.206) www.drfgr1.com() - mailcious www.reals-markets-34.xyz(185.156.72.15) www.apnagas.com(208.91.197.91) www.srivijayalakshmitravels.com(103.76.228.3) 185.53.179.94 - mailcious 101.100.203.40 - mailcious 185.156.72.15 34.102.136.180 - mailcious 185.201.11.206 - mailcious 103.76.228.3 206.188.193.204 103.148.14.203 - mailcious 208.91.197.91 - mailcious 118.27.122.218 - mailcious
|
3
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing ET HUNTING Request to .XYZ Domain with Minimal Headers
|
14
http://www.petanimals2021.com/hr8n/ http://www.apnagas.com/hr8n/ http://www.suvsangebotguenstigdeorg.com/hr8n/ http://www.sairafashions.xyz/hr8n/ http://www.taschenhimmel.guru/hr8n/ http://www.petanimals2021.com/hr8n/ http://www.goddesslifecbd.com/hr8n/ http://www.pochi-owarai.com/hr8n/ http://www.suvsangebotguenstigdeorg.com/hr8n/ http://www.pochi-owarai.com/hr8n/ http://www.taschenhimmel.guru/hr8n/ http://www.goddesslifecbd.com/hr8n/ http://www.sairafashions.xyz/hr8n/ http://www.apnagas.com/hr8n/
|
7.2 |
M |
23 |
ZeroCERT
13684 |
2021-10-16 13:32
|
zool.exe 87cd2ddf31c62ed3219d2c559d4a9cb6 PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
9
http://www.mylori.net/ef6c/?8pM0A2eH=dYV4FvE4untOqhJUUHmMS4MiaT9y7jEiob7/fgenPq9yvClivGcNDxr/HcpFKVtE0DHzORm4&Cdxx=inCHmv0P http://www.stopmoshenik.online/ef6c/?8pM0A2eH=AItpU6mQCC6s81rj7necuGYpWrqi0PbHxxDMCTfv5nDjvQQMu+peq6WH+jA65E1HrZKOBeeG&Cdxx=inCHmv0P - rule_id: 5858 http://www.fis.photos/ef6c/?8pM0A2eH=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&Cdxx=inCHmv0P - rule_id: 5835 http://www.gaminghallarna.net/ef6c/?8pM0A2eH=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&Cdxx=inCHmv0P - rule_id: 5824 http://www.sensorypantry.com/ef6c/?8pM0A2eH=cw2PwNl+5NOQItrLnKllT2tGwrd+rdd5UTQlQyS8ptLSIxj973nGji9KRlDOdanBBwTAA2mM&Cdxx=inCHmv0P - rule_id: 5819 http://www.kinglot2499.com/ef6c/?8pM0A2eH=qvbt8KP2xJHnSv2agWrG6RDVV6/Qaw5OSzzUHxaBtBqMEVf61rcn+NRYzRRlOu08cWsbP+g5&Cdxx=inCHmv0P - rule_id: 5829 http://www.kidzgovroom.com/ef6c/?8pM0A2eH=tzJrmRJzv3aPTlM/CF6MHo9U8s5+ZqDCvPfiw0R1aW0dhX7KrJSn+QKF8yUKGl3PwVlYeY7t&Cdxx=inCHmv0P - rule_id: 5814 http://www.gicaredocs.com/ef6c/?8pM0A2eH=dQ8jXmGBocPwA167SrVCKSfe9kfjfwf5Y/UytJXCMDqauGkqvJ/2eQvfbvtaR0w7HyB9eXq/&Cdxx=inCHmv0P - rule_id: 5816 http://www.conquershirts.store/ef6c/?8pM0A2eH=95iB74+m3m1QSa2Yie21q98JT48wC3F76MvrX9tv4DSLixTQWiFMLp60PgPoHI6cr/owSd7w&Cdxx=inCHmv0P - rule_id: 5846
|
17
www.kinglot2499.com(34.102.136.180) www.conquershirts.store(195.110.124.133) - mailcious www.sensorypantry.com(34.102.136.180) www.dbe648.com() www.kidzgovroom.com(34.102.136.180) www.gaminghallarna.net(194.9.94.85) www.gicaredocs.com(208.91.197.27) www.mylori.net(103.8.25.68) www.fis.photos(192.0.78.25) www.stopmoshenik.online(194.58.112.174) 195.110.124.133 - mailcious 208.91.197.27 - mailcious 34.102.136.180 - mailcious 194.58.112.174 - mailcious 192.0.78.25 - mailcious 194.9.94.86 - mailcious 103.8.25.68 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
8
http://www.stopmoshenik.online/ef6c/ http://www.fis.photos/ef6c/ http://www.gaminghallarna.net/ef6c/ http://www.sensorypantry.com/ef6c/ http://www.kinglot2499.com/ef6c/ http://www.kidzgovroom.com/ef6c/ http://www.gicaredocs.com/ef6c/ http://www.conquershirts.store/ef6c/
|
8.4 |
M |
41 |
ZeroCERT
13685 |
2021-10-16 13:33
|
.wininit.exe b007ee7994afb90b45e3fb23d0acc313 PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself |
|
|
|
|
5.4 |
M |
38 |
ZeroCERT
13686 |
2021-10-16 13:37
|
zoo.exe 2c2811633faebf78e7bdefb5e8867faf PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
11
http://www.44mpt.xyz/ef6c/?FTRPbxU=jKy9H8VqZwiUle4gjb+CLEX9fpBCwuv2o754Pr7fJKTzkjLdsKrrwvS2m3F+8CxbXLoYiDn1&DxoHR=VDKPcJchZl9tJT - rule_id: 5869 http://www.gaminghallarna.net/ef6c/?FTRPbxU=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&DxoHR=VDKPcJchZl9tJT - rule_id: 5824 http://www.fis.photos/ef6c/?FTRPbxU=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&DxoHR=VDKPcJchZl9tJT - rule_id: 5835 http://www.ahljsm.com/ef6c/?FTRPbxU=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&DxoHR=VDKPcJchZl9tJT - rule_id: 5838 http://www.ambrandt.com/ef6c/?FTRPbxU=LpvmmmP8130l+/J4QjVaSApGnUfMJ5/j1z/KRz5qiZs92IprYNoIBOkfulD2ZI4sCy4j1IwA&DxoHR=VDKPcJchZl9tJT - rule_id: 5836 http://www.discovercotswoldcottages.com/ef6c/?FTRPbxU=BIDo9GBbq26+tRTULeHAa20kRn4DZ7/ZgIW2IC+7vRIIeELykZIx4inPOl/SIZLSvHjtcUe3&DxoHR=VDKPcJchZl9tJT - rule_id: 6105 http://www.freekagyans.com/ef6c/?FTRPbxU=kpxr/bFC7l3rMl6oOTLL9yT8CLcAAaNLZTC+YQJe+DOZzjEQ9TLw2kEJrxZCMv5aVRwmFn5W&DxoHR=VDKPcJchZl9tJT http://www.shacksolid.com/ef6c/?FTRPbxU=JeohSOzV/eF3b++alSWyFy7AWxQU0a2IMxUYSulMFNSbZpwQl2hdImGcJZ3OYLlpDcL1Ncux&DxoHR=VDKPcJchZl9tJT - rule_id: 5818 http://www.kinglot2499.com/ef6c/?FTRPbxU=qvbt8KP2xJHnSv2agWrG6RDVV6/Qaw5OSzzUHxaBtBqMEVf61rcn+NRYzRRlOu08cWsbP+g5&DxoHR=VDKPcJchZl9tJT - rule_id: 5829 http://www.narbaal.com/ef6c/?FTRPbxU=Qfq1eVj1tbY6wk2fC6TNcABTYUkfKUx3lN3xLkopolv8k3yEzrfjTRmV/Ar6z0XOJR0dF2R8&DxoHR=VDKPcJchZl9tJT - rule_id: 5815 http://www.restaurant-utopia.xyz/ef6c/?FTRPbxU=QQd8BU9Fy5B/Jf1+m4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N5pbbojH/ir2XBTcopEK&DxoHR=VDKPcJchZl9tJT - rule_id: 5839
|
24
www.freekagyans.com(46.17.172.173) www.44mpt.xyz(23.225.32.156) www.ahljsm.com(45.39.212.162) www.ambrandt.com(156.234.138.25) www.shacksolid.com(64.190.62.111) www.restaurant-utopia.xyz(172.67.213.229) www.gaminghallarna.net(194.9.94.86) www.discovercotswoldcottages.com(91.136.8.131) www.narbaal.com(198.54.117.212) www.instatechnovelz.com() www.geniuseven.net() - mailcious www.fis.photos(192.0.78.25) www.kinglot2499.com(34.102.136.180) 172.67.213.229 - mailcious 91.136.8.131 - mailcious 198.54.117.212 - mailcious 34.102.136.180 - mailcious 156.234.138.25 - mailcious 64.190.62.111 - mailcious 23.225.32.156 - mailcious 192.0.78.25 - mailcious 46.17.172.173 194.9.94.86 - mailcious 45.39.212.162 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
10
http://www.44mpt.xyz/ef6c/ http://www.gaminghallarna.net/ef6c/ http://www.fis.photos/ef6c/ http://www.ahljsm.com/ef6c/ http://www.ambrandt.com/ef6c/ http://www.discovercotswoldcottages.com/ef6c/ http://www.shacksolid.com/ef6c/ http://www.kinglot2499.com/ef6c/ http://www.narbaal.com/ef6c/ http://www.restaurant-utopia.xyz/ef6c/
|
8.0 |
M |
16 |
ZeroCERT
13687 |
2021-10-16 13:40
|
DOCS-20211510-VP-KMC022021.scr bc87c171c5e5c075ebcb336ca4518452 Generic Malware UPX Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key |
|
1
185.140.53.75 - mailcious
|
|
|
17.4 |
|
21 |
ZeroCERT
13688 |
2021-10-16 13:40
|
Tax Payment Challan.exe 9c3259f246b2cd7518816219582660e6 Antivirus Admin Tool (Sysinternals etc ...) UPX PE File PE32 PNG Format JPEG Format VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process WriteConsoleW Interception ComputerName Remote Code Execution crashed |
|
|
|
|
4.2 |
|
32 |
ZeroCERT
13689 |
2021-10-18 09:30
|
Dv31BrowInst.exe 592bff278b2bf2551ca505447229c399 RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder suspicious TLD Tofsee Windows DNS |
9
https://iplogger.org/1aFhd7 https://niemannbest.me/?username=david_us2 - rule_id: 6275 https://niemannbest.me/?username=david_us3 - rule_id: 6275 https://niemannbest.me/?username=david_us1 - rule_id: 6275 https://niemannbest.me/?username=david_us6 - rule_id: 6275 https://niemannbest.me/?username=david_us7 - rule_id: 6275 https://niemannbest.me/?username=david_us4 - rule_id: 6275 https://niemannbest.me/?username=david_us5 - rule_id: 6275 https://iplogger.org/1aHhd7
|
5
topniemannpickshop.cc() niemannbest.me(172.67.221.103) - mailcious iplogger.org(88.99.66.31) - mailcious 172.67.221.103 88.99.66.31 - mailcious
|
2
ET DNS Query for .cc TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
7
https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/
|
8.2 |
M |
41 |
ZeroCERT
13690 |
2021-10-18 09:31
|
DownFlSetup166.exe 9f34928ecd64f71c6f2a7cdd85740586 RAT PWS .NET framework Generic Malware Themida Packer Admin Tool (Sysinternals etc ...) Anti_VM Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName Firmware DNS Cryptographic key Software crashed |
9
http://apps.identrust.com/roots/dstrootcax3.p7c https://iplogger.org/1IXpS https://iplogger.org/1qdds7 https://groo.extralive.site/ https://niemannbest.me/?username=p16_1 - rule_id: 6275 https://niemannbest.me/?username=p16_3 - rule_id: 6275 https://niemannbest.me/?username=p16_5 - rule_id: 6275 https://niemannbest.me/?username=p16_7 - rule_id: 6275 https://niemannbest.me/?username=p16_6 - rule_id: 6275
|
16
online-stock-solutions.com(172.67.144.208) groo.extralive.site(45.130.41.15) speeddatingstudio.com(104.21.94.228) - mailcious iplogger.org(88.99.66.31) - mailcious querahinor.xyz(45.129.99.59) niemannbest.me(104.21.51.48) - mailcious apps.identrust.com(222.122.182.200) topniemannpickshop.cc() 45.129.99.59 172.67.144.208 88.99.66.31 - mailcious 104.21.94.228 172.67.221.103 188.68.201.6 121.254.136.57 45.130.41.15
|
2
ET DNS Query for .cc TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
5
https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/
|
17.2 |
M |
21 |
ZeroCERT
13691 |
2021-10-18 09:32
|
customer6.exe 807f55cee679ba76724aee80756a0c4f ASPack Malicious Library UPX PE64 PE File OS Processor Check Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Check virtual network interfaces IP Check Browser Remote Code Execution |
3
http://staticimg.youtuuee.com/api/?sid=664553&key=e31e220fe7337c68de757dbfab9338d2 - rule_id: 5258 http://staticimg.youtuuee.com/api/fbtime - rule_id: 6464 http://ip-api.com/json/
|
4
ip-api.com(208.95.112.1) staticimg.youtuuee.com(45.136.151.102) - mailcious 45.136.151.102 - mailcious 208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
2
http://staticimg.youtuuee.com/api/ http://staticimg.youtuuee.com/api/fbtime
|
4.4 |
M |
47 |
ZeroCERT
13692 |
2021-10-18 09:32
|
DownFlSetup155.exe 7d09810664be0b0d9dab03e6652cfb26 RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
10
https://iplogger.org/1qads7 https://online-stock-solutions.com/ https://iplogger.org/1qsds7 https://niemannbest.me/?username=p15_6 - rule_id: 6275 https://niemannbest.me/?username=p15_7 - rule_id: 6275 https://niemannbest.me/?username=p15_4 - rule_id: 6275 https://niemannbest.me/?username=p15_5 - rule_id: 6275 https://niemannbest.me/?username=p15_2 - rule_id: 6275 https://niemannbest.me/?username=p15_3 - rule_id: 6275 https://niemannbest.me/?username=p15_1 - rule_id: 6275
|
7
topniemannpickshop.cc() online-stock-solutions.com(104.21.71.122) niemannbest.me(104.21.51.48) - mailcious iplogger.org(88.99.66.31) - mailcious 104.21.71.122 88.99.66.31 - mailcious 104.21.51.48 - mailcious
|
2
ET DNS Query for .cc TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
7
https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/ https://niemannbest.me/
|
9.4 |
M |
46 |
ZeroCERT
13693 |
2021-10-18 09:34
|
491302577.exe e7302252512b968f8b082e3a22ecca23 RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c https://d.ckauni.ru/
|
5
apps.identrust.com(222.122.182.200) d.ckauni.ru(81.177.141.85) 185.183.32.227 81.177.141.85 - mailcious 121.254.136.57
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
|
43 |
ZeroCERT
13694 |
2021-10-18 09:34
|
search_hyperfs_212.exe 816fb2a92609e69e339ee9677647b7f8 Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE File OS Processor Check PE32 DLL VirusTotal Malware PDB suspicious privilege Code Injection Check memory WMI unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution |
|
|
|
|
6.8 |
|
35 |
ZeroCERT
13695 |
2021-10-18 09:36
|
2103609787.exe 4058a27cf325710ab5a9020fe95e57f7 Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed |
|
|
|
|
2.6 |
|
45 |
ZeroCERT