13786 | 2021-10-19 10:57 | background-2.png | MD5 42bd688964c63e6bdeca18b87dadf2ad
Tags: AntiDebug AntiVM PNG Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed
Score: 3.8 | guest
13787 | 2021-10-19 10:58 | 5f205bc2c1b4b_v.gif | MD5 9ce99ec458daf212f9812a90f3fadd13
Tags: Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
IDS signatures (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.8 | guest
13788 | 2021-10-19 10:58 | 5f205bc497791_v.css | MD5 0e646e2e128c473d6fba7996a4a94e40
Tags: Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
IDS signatures (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | guest
13789 | 2021-10-19 16:34 | RemoteCMD - 3.0.exe | MD5 70ca048c47aa97e95e1ea36ce2514ac3
Tags: Gen2 Generic Malware ASPack Antivirus Malicious Library UPX PE File PE32 VirusTotal Malware Creates executable files WriteConsoleW Remote Code Execution
Score: 1.4 | 10 | ZeroCERT
13790 | 2021-10-19 16:40 | askinstall25.exe | MD5 61d264f734124d172092b1598a913121
Tags: Gen2 Trojan_PWS_Stealer Credential User Data Generic Malware Malicious Packer Malicious Library SQLite Cookie UPX PE File OS Processor Check PE32 PNG Format Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
URLs (4): http://www.cjnovone.top/Home/Index/lkdinl - rule_id: 6119; http://www.iyiqian.com/ - rule_id: 2326; https://iplogger.org/1b4887; https://www.listincode.com/ - rule_id: 2327
Hosts (8): www.listincode.com(144.202.76.47) - mailcious; www.iyiqian.com(103.155.92.58) - mailcious; www.cjnovone.top(188.225.87.175) - mailcious; iplogger.org(88.99.66.31) - mailcious; 103.155.92.58 - mailcious; 88.99.66.31 - mailcious; 144.202.76.47 - mailcious; 188.225.87.175 - mailcious
IDS signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET DNS Query to a *.top domain - Likely Hostile; ET INFO HTTP Request to a *.top domain
Request URLs (3): http://www.cjnovone.top/Home/Index/lkdinl; http://www.iyiqian.com/; https://www.listincode.com/
Score: 10.2 | M | 42 | ZeroCERT
13791 | 2021-10-19 16:43 | mon.exe | MD5 d5e15de49142f442f0932e1f0634675b
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (10):
Hosts (20):
IDS signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Request URLs (8): http://www.arcflorals.com/ef6c/; http://www.fis.photos/ef6c/; http://www.planetgreennetwork.com/ef6c/; http://www.lafabriqueabeilleassurances.com/ef6c/; http://www.clf010.com/ef6c/; http://www.levanttradegroup.com/ef6c/; http://www.kidzgovroom.com/ef6c/; http://www.govusergroup.com/ef6c/
Score: 7.8 | M | 18 | ZeroCERT
13792 | 2021-10-19 16:46 | dllhost.exe | MD5 655400c95408ab33a90686b581a100d0
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2): http://www.jamnvibez.com/kzk9/?FrJd4VD=RD97+sYQI0XqiDdkgpzgSdWBYlciYaDFU1FGUcVBT4psxDAeA+lJB7BpU+r7Fjhs4LDiOT9/&Vnw0Z=-Z2h6rwPQ2dhNVd; http://www.fourwaira.com/kzk9/?FrJd4VD=jpbsMCdQcyIiRjwJxwpW4+ck0RmyGC3M4w6i6YV8jHR4vv9J5XguPad0A8kXdPUVZ76zsTs3&Vnw0Z=-Z2h6rwPQ2dhNVd
Hosts (4): www.fourwaira.com(192.185.35.70); www.jamnvibez.com(104.26.14.140); 172.67.74.94; 192.185.35.70 - mailcious
IDS signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Score: 8.8 | 18 | ZeroCERT
13793 | 2021-10-19 16:48 | mon90.exe | MD5 b7e2519de2759907f645492f484c39fc
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
URLs (18):
Hosts (17):
IDS signatures (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
Request URLs (18):
Score: 9.8 | M | 15 | ZeroCERT
13794 | 2021-10-19 16:49 | mon-08.exe | MD5 ec1b280b8817840e6017001c5acc34a4
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (7):
Hosts (17):
IDS signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Request URLs (6): http://www.szesdkj.com/ef6c/; http://www.conquershirts.store/ef6c/; http://www.fis.photos/ef6c/; http://www.szyyglass.com/ef6c/; http://www.publicationsplace.com/ef6c/; http://www.ahljsm.com/ef6c/
Score: 8.4 | M | 23 | ZeroCERT
13795 | 2021-10-19 16:51 | 1.exe | MD5 bfbbb8571fc1d4dbd8053e5154cda305
Tags: VMProtect Malicious Library PE File PE32 VirusTotal Malware RWX flags setting unpack itself Checks Bios sandbox evasion anti-virtualization DNS
Hosts (2): 91.136.8.131 - mailcious; 185.121.177.177 - mailcious
Score: 4.4 | M | 38 | ZeroCERT
13796 | 2021-10-19 17:11 | 1311719753.ppt | MD5 3e804f9f266483ec4884546f08e396a8
Tags: VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself Tofsee
URLs (1): https://www.bitly.com/jfklsdjfsgyfsdh
Hosts (2): www.bitly.com(67.199.248.14) - mailcious; 67.199.248.15 - mailcious
IDS signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 1.6 | 22 | ZeroCERT
13797 | 2021-10-19 17:13 | Purchase orders with bank deta... | MD5 87b2f6337fbea5ee3f10eb1b210dd795
Tags: VBA_macro Generic Malware AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection Check memory RWX flags setting unpack itself suspicious process Tofsee Interception
URLs (1): https://www.bitly.com/ajdwwrufqwehjwijjd
Hosts (2): www.bitly.com(67.199.248.14) - mailcious; 67.199.248.15 - mailcious
IDS signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.4 | 10 | ZeroCERT
13798 | 2021-10-20 08:10 | csrss.exe | MD5 a6cf11855cd106ea4fcc35c40906331b
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.6 | 40 | ZeroCERT
13799 | 2021-10-20 08:11 | vbc.exe | MD5 f583feb26da2d5b49c45c7b00e537803
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1): http://bobbyelectronics.xyz/five/fre.php
Hosts (2): bobbyelectronics.xyz(104.21.92.21); 104.21.92.21
IDS signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Score: 13.4 | 19 | ZeroCERT
13800 | 2021-10-20 08:11 | TDH_71036210065IMG.exe | MD5 7afe2c262a2733bc25fe30a077621766
Tags: RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(132.226.247.73); 172.67.188.154; 132.226.247.73
IDS signatures (3): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 13.0 | 17 | ZeroCERT