13846 | 2021-10-20 17:44
rundll32.exe 725291dd1448ff28fe626c6dae96e7d4 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
16 | http://www.sophiagunterman.art/fqiq/?w2J=xr2hRkHSJ+UsXowxi6McaJRxgcInZTFjwe9eYARVx2PKFNYpXRh/IJY1HCqVtWxffV7QcJh9&tFQt=YP4Dk0O8 - rule_id: 6606 http://www.sanlifalan.com/fqiq/ - rule_id: 6750 http://www.mask60.com/fqiq/?w2J=HUSK5F4DxgQLt1G3qr1OuZFCvozuCLIarGxAupoMbcTbfppgzHV+EoahLpMSxOJM6qDoDl7R&tFQt=YP4Dk0O8 http://www.tablescaperendezvous4two.com/fqiq/ - rule_id: 6747 http://www.wolmoda.com/fqiq/?w2J=S+cpy0umECTwuTE52eQvldFGZ7uWQHdiwg92XpTlC9HPK4+x2Wa76IO+IolmVoAcN8bu+dPq&tFQt=YP4Dk0O8 - rule_id: 6688 http://www.esyscoloradosprings.com/fqiq/ - rule_id: 6444 http://www.esyscoloradosprings.com/fqiq/?w2J=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&tFQt=YP4Dk0O8 - rule_id: 6444 http://www.sanlifalan.com/fqiq/?w2J=prTEVkQv/aIuaJ5tknUsCYHPcHrUQSHWro/2zNHeF4wHPtFNVSB8ZmBi9ORqDWcgPylN7lnN&tFQt=YP4Dk0O8 - rule_id: 6750 http://www.tablescaperendezvous4two.com/fqiq/?w2J=6JOAu55ahQuW4nGm3x3zF3lJbu5eEm2HTNrnzqBc/qIL0noTMPzpzXdnuN9xnnUaregthFw6&tFQt=YP4Dk0O8 - rule_id: 6747 http://www.fleetton.com/fqiq/?w2J=3MX+rG6tAMAShknpmcjGUKQb8RZ/Wti45jKeFUgZ8Sp9kre80Lf7BCc9gfZkgofTO4Lhy2g7&tFQt=YP4Dk0O8 http://www.mask60.com/fqiq/ http://www.ipatchwork.today/fqiq/ - rule_id: 6685 http://www.fleetton.com/fqiq/ http://www.wolmoda.com/fqiq/ - rule_id: 6688 http://www.ipatchwork.today/fqiq/?w2J=4uUO9SnGhH7qrBLLau2QeKM25d/gV3/zp2Vn/jpTz6zTrds8IKqZgGZbt3S1nhaRXztFEuL7&tFQt=YP4Dk0O8 - rule_id: 6685 http://www.sophiagunterman.art/fqiq/ - rule_id: 6606
17 | www.shenjiclass.com() - mailcious www.sanlifalan.com(104.165.34.6) www.sophiagunterman.art(34.225.31.148) www.wolmoda.com(75.2.115.196) www.mask60.com(116.212.126.191) www.ipatchwork.today(34.233.132.165) www.fleetton.com(44.227.76.166) www.esyscoloradosprings.com(108.167.135.122) - mailcious www.tablescaperendezvous4two.com(34.102.136.180) 116.212.126.191 34.102.136.180 - mailcious 75.2.115.196 - mailcious 104.165.34.6 - mailcious 34.233.132.165 - mailcious 108.167.135.122 - mailcious 44.227.65.245 - mailcious 34.225.31.148 - phishing
2 | SURICATA HTTP unable to match response to request ET MALWARE FormBook CnC Checkin (GET)
12 | http://www.sophiagunterman.art/fqiq/ http://www.sanlifalan.com/fqiq/ http://www.tablescaperendezvous4two.com/fqiq/ http://www.wolmoda.com/fqiq/ http://www.esyscoloradosprings.com/fqiq/ http://www.esyscoloradosprings.com/fqiq/ http://www.sanlifalan.com/fqiq/ http://www.tablescaperendezvous4two.com/fqiq/ http://www.ipatchwork.today/fqiq/ http://www.wolmoda.com/fqiq/ http://www.ipatchwork.today/fqiq/ http://www.sophiagunterman.art/fqiq/
8.4 | M | 22 | ZeroCERT
13847 | 2021-10-20 17:45
vbc.exe 95dbac1d5762155f81369b309e48d13f Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Report c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | http://checkvim.com/fd7/fre.php - rule_id: 5250
3 | checkvim.com(77.87.212.189) - mailcious 179.189.229.254 - mailcious 77.87.212.189
8 | ET CNC Feodo Tracker Reported CnC Server group 9 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://checkvim.com/fd7/fre.php
13.4 | M | 18 | ZeroCERT
13848 | 2021-10-20 17:49
vbc.exe 39b814d05cc6de9aeb935ac49c11e28f PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600
2 | 185.7.214.157 63.250.40.204 - mailcious
6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
1 | http://63.250.40.204/~wpdemo/file.php
13.4 | M | 15 | ZeroCERT
13849 | 2021-10-20 17:50
boobb.exe 975b9c5518e9839fd0c6ee927370edf2 RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
|
|
|
|
12.0 | M | 27 | ZeroCERT
13850 | 2021-10-20 17:50
news.exe d7eac25ddf1e2da8348052e2290bf485 NSIS Malicious Library UPX PE File PE32 DLL Malware download Nanocore Malware c&c Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS DDNS
|
2 | newme122.3utilities.com(23.105.131.228) 23.105.131.228
2 | ET POLICY DNS Query to DynDNS Domain *.3utilities .com ET MALWARE Possible NanoCore C2 60B
|
9.0 | M | | ZeroCERT
13851 | 2021-10-20 17:52
migfbewnaeopmguywjfffrvgqg.exe 2c4879e89081ba55d518f1c457072ac3 NPKI email stealer Generic Malware Malicious Library UPX Malicious Packer DNS Code injection KeyLogger Escalate priviledges Downloader persistence AntiDebug AntiVM PE File PE32 .NET EXE PE64 OS Processor Check DLL Browser Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AntiVM_Disk VM Disk Size Check human activity check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed
|
2 | ildriendfrirotoi.zapto.org(194.5.98.249) 194.5.98.249
1 | ET POLICY DNS Query to DynDNS Domain *.zapto .org
|
13.4 | M | 24 | ZeroCERT
13852 | 2021-10-20 17:52
tdh_0082205005img.exe 26108db5b69562376697d90215395c87 RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(172.67.188.154) checkip.dyndns.org(193.122.130.0) 193.122.6.168 172.67.188.154
3 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
15.0 | M | 37 | ZeroCERT
13853 | 2021-10-20 17:52
Porcal4.exe 27828516c38739491a3d20e733850aa5 Gen2 Gen1 RAT Generic Malware Antivirus Malicious Library UPX ASPack Malicious Packer PE File OS Processor Check PE32 PNG Format DLL .NET DLL MSOffice File .NET EXE VirusTotal Malware Buffer PE PDB suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Ransomware ComputerName Remote Code Execution DNS crashed
|
1 |
|
|
6.4 | M | 5 | ZeroCERT
13854 | 2021-10-20 17:52
dllhost.exe c78d5e89ebecb4d88d3ab36bc47fd7ba RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
2 | http://www.laserobsession.com/kzk9/?t8rpHju=BoVX2CJQF+p2iHk60DuMcLQVHEJppVREEjkDd/abHZBR2v0p57VFG8usKR1c/aYG9RLvWw3m&9r7T-=K4k0 http://www.mavericksone.com/kzk9/?t8rpHju=rq48oJmZB+Nu8FT21DdkZ2f0m8hZKYephRx+62F2ipzmwypzXmASC0Qg8KcLbyIjdv5SQP2s&9r7T-=K4k0
6 | www.tentfull.com() www.laserobsession.com(198.185.159.145) www.mavericksone.com(34.102.136.180) 172.67.188.154 34.102.136.180 - mailcious 198.185.159.145 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
|
8.6 | M | 28 | ZeroCERT
13855 | 2021-10-20 17:53
ooooo.exe 11b360256d049349f51a67e92fd49ae4 AgentTesla(IN) Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS
|
1 |
|
|
3.0 | M | 44 | ZeroCERT
13856 | 2021-10-20 17:56
origggg.exe ff6a62c5f7b65a3c8a193dad5705c563 AgentTesla(IN) RAT Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
|
|
|
|
6.4 | M | 43 | ZeroCERT
13857 | 2021-10-20 18:00
1.ppam e5a35f8c565ddea415804d4b05244e28 Generic Malware Antivirus AntiDebug AntiVM PNG Format VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Interception Windows ComputerName Cryptographic key
12 | http://bitly.com/doaksodksueasdweu http://www.bitly.com/doaksodksueasdweu https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ajsidjasidwxoxwkwjddududjf.blogspot.com/p/1.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ajsidjasidwxoxwkwjddududjf.blogspot.com/p/1.html%26type%3Dblog%26bpli%3D1&go=true https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js https://www.blogger.com/img/share_buttons_20_3.png https://www.blogger.com/blogin.g?blogspotURL=https://ajsidjasidwxoxwkwjddududjf.blogspot.com/p/1.html&type=blog https://resources.blogblog.com/img/icon18_edit_allbkg.gif https://ajsidjasidwxoxwkwjddududjf.blogspot.com/p/1.html https://www.blogger.com/static/v1/widgets/2918676466-widgets.js https://www.blogger.com/dyn-css/authorization.css?targetBlogID=6774392999284712153&zx=85794840-8ad6-4a84-840a-c6730a24bab7 https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
10 | www.bitly.com(67.199.248.15) - mailcious ajsidjasidwxoxwkwjddududjf.blogspot.com(142.250.196.129) - mailcious resources.blogblog.com(172.217.161.41) accounts.google.com(172.217.25.77) www.blogger.com(172.217.161.41) 172.217.25.9 67.199.248.15 - mailcious 142.250.66.41 142.250.66.97 172.217.25.13
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
10.4 | | 31 | ZeroCERT
13858 | 2021-10-21 08:07
WIRE TRANSFER.exe 3d6ede6db43836cf8a5304f7e9f3a1cd Generic Malware Admin Tool (Sysinternals etc ...) UPX DNS AntiDebug AntiVM PE File PE32 .NET EXE Malware download Nanocore Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS
|
2 | sylviaoslh01.ddns.net(91.193.75.135) 91.193.75.135
2 | ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE Possible NanoCore C2 60B
|
14.8 | | | ZeroCERT
13859 | 2021-10-21 08:08
invoice_00930003322.wbk 59efb49438295ee8736f72f126d94ed5 RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
1 | http://103.167.90.69/005005/vbc.exe
2 | checkvim.com() - mailcious 103.167.90.69 - malware
6 | ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
4.2 | | 33 | ZeroCERT
13860 | 2021-10-21 08:11
kred.exe d5e1b1e2d4448b7af40c177a7cff819b Generic Malware Themida Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
2 | http://apps.identrust.com/roots/dstrootcax3.p7c https://polj.silverhead.site/
5 | apps.identrust.com(119.207.65.74) polj.silverhead.site(45.130.41.15) 45.130.41.15 - malware 144.76.183.53 - mailcious 121.254.136.27
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
12.2 | | 33 | ZeroCERT