13861 | 2021-10-21 08:13
451200001308IMG.exe 104bfff4e7a7f04efd06e865cce96c4d
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  apps.identrust.com(119.207.65.81)
  store2.gofile.io(31.14.69.10) - mailcious
  96.16.99.43
  31.14.69.10 - mailcious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | 32 | ZeroCERT
13862 | 2021-10-21 08:18
vbc.exe f83c7eb1b65ad46bc00d8c95ce4c1275
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | 30 | ZeroCERT
13863 | 2021-10-21 08:21
iKrjYFB.exe d75805611df55ea0b527e2c8b37be919
Tags: Emotet Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PE File PE32 OS Proc Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check installed browsers check SectopRAT Windows Browser Backdoor ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (2):
  http://eth0.me/
  http://7fdt.federguda.ru/
Hosts (6):
  eth0.me(5.132.162.27)
  HgqhpFebtO.HgqhpFebtO()
  7fdt.federguda.ru(81.177.141.85)
  81.177.141.85 - mailcious
  195.2.93.45
  5.132.162.27
Signatures (1):
  ET MALWARE Arechclient2 Backdoor CnC Init
19.2 | 34 | ZeroCERT
13864 | 2021-10-21 08:25
invc_000780000060.wbk 226035129ac9645a54d6e4af36f5b5b0
Tags: RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1):
  http://198.46.199.226/00550055/vbc.exe
Hosts (2):
  checkvim.com() - mailcious
  198.46.199.226
Signatures (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.0 | 28 | ZeroCERT
13865 | 2021-10-21 08:32
inv_0098788000.wbk 9aaf287388698afd5ef8bfeb1fb8ee24
Tags: RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
URLs (13):
  http://www.digisor.com/mxnu/?uZfX=UVMBiiaCgBTVCfU1vNNEq08V9m7XAvZZglUNdI143I2X7Zl4GMtYquItbp7SrE/Ljcqvb/Ed&Vnw0_=-Z1l72l0kFHhurC
  http://www.revgeek.com/mxnu/?uZfX=LFHT7yJDHTG5j2x991585jkXyYBkZkjzIUaPFc8bTKfmXG7pnxx1T4PiHIQyjDj8X+wed1XV&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6656
  http://www.265411.com/mxnu/?uZfX=25s1ERxOA1FsQEL58dsMzLXIm6T2LEHWrovGfnVbwWX5qUTqFcrkTCI5ju9rUaWf+2K12S96&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6734
  http://www.funkidsroomdecor.com/mxnu/?uZfX=iFpbfMx0kR1NhQJhtaFPfzg8Nsy3dm+jXQd2Fi3YicbHa3sz/htfiB2IN3yla1aALZWfkU50&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6395
  http://www.desongli.com/mxnu/?uZfX=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6643
  http://www.gatescres.com/mxnu/?uZfX=/h7P8W3KCMqF8sHgbHgxGw3KDEtccpvlr5o0RXreZvWALZ7/fG1Fr8cUEgi4cFDVX1k6R9aW&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6387
  http://www.whitebot.xyz/mxnu/?uZfX=mJKlLoR4AxZK/RYIFKAo0UiVtoPyzBJ6SQAFXLfvSOBYEGo1cqGoAX7CRK1QxANrckFntybM&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6647
  http://www.epilasyonmerkeziankara.com/mxnu/?uZfX=bngcEK+xZs1ednOYrpus6XFKnrxKN2uCCnQcEZtwxddq7ZQQDv/23m99KJW03q/XcaqcaNGj&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6388
  http://www.closetu.com/mxnu/?uZfX=rJ249TMVQMCwGwXS7eMNhvOWH4SbGXiKs4Vq1JHmstm/5V4DyV8c/XoA/4BgaERVtEbRuzyC&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6644
  http://www.hanjyu.com/mxnu/?uZfX=e1Tv98kFs0Gi2+72/XvHySgQIb+R11LQEZu1blwPIgW3VgOqIrXEf8kBKhEPSuWOnZ0Oxl1j&Vnw0_=-Z1l72l0kFHhurC
  http://192.227.228.38/0080008/vbc.exe
  http://www.naplesconciergerealty.com/mxnu/?uZfX=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6394
  http://www.029atk.xyz/mxnu/?uZfX=6sRgvWVFBb3Q/xwRSmzppKeefWZYMhtu8mXrbS5z1U4Jv8b+WQjv+VljYqCaCxejjINp6HL4&Vnw0_=-Z1l72l0kFHhurC - rule_id: 6486
Hosts (28):
  www.gatescres.com(3.33.152.147)
  www.promovart.com() - mailcious
  www.closetu.com(3.223.115.185)
  www.naplesconciergerealty.com(34.102.136.180)
  www.uggs-line.com()
  www.desongli.com(108.186.180.79)
  www.epilasyonmerkeziankara.com(5.9.250.2)
  www.265411.com(192.249.80.207)
  www.hanjyu.com(107.186.149.170)
  www.blue-ivy-boutique-au.com() - mailcious
  www.whitebot.xyz(172.104.153.244)
  www.029atk.xyz(172.247.0.172)
  www.funkidsroomdecor.com(192.254.189.87)
  www.digisor.com(52.58.78.16)
  www.revgeek.com(156.234.138.23)
  108.186.180.79 - mailcious
  52.58.78.16 - mailcious
  5.9.250.2 - mailcious
  156.234.138.23 - mailcious
  172.104.153.244 - mailcious
  15.197.142.173
  192.227.228.38
  34.102.136.180 - mailcious
  192.249.80.207 - mailcious
  192.254.189.87 - mailcious
  107.186.149.170
  3.223.115.185 - mailcious
  104.233.181.170
Signatures (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (10):
  http://www.revgeek.com/mxnu/
  http://www.265411.com/mxnu/
  http://www.funkidsroomdecor.com/mxnu/
  http://www.desongli.com/mxnu/
  http://www.gatescres.com/mxnu/
  http://www.whitebot.xyz/mxnu/
  http://www.epilasyonmerkeziankara.com/mxnu/
  http://www.closetu.com/mxnu/
  http://www.naplesconciergerealty.com/mxnu/
  http://www.029atk.xyz/mxnu/
4.6 | M | 30 | ZeroCERT
13866 | 2021-10-21 08:33
FTD_21000160852.exe 63c984080f6aaec5b7f2dca4af13c5f8
Tags: RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (5):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(216.146.43.71)
  195.2.93.45
  132.226.247.73
  104.21.19.200
Signatures (3):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.6 | 33 | ZeroCERT
13867 | 2021-10-21 08:34
updater.exe 4ae4ab4a84a78e5b00b5edf0941d4354
Tags: RAT PWS .NET framework Generic Malware Antivirus UPX PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself human activity check DNS DDNS
Hosts (2):
  vonix.hopto.org(94.189.165.227)
  94.189.165.227
Signatures (1):
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
3.2 | ZeroCERT
13868 | 2021-10-21 08:38
toolspab2.exe 0aa9e41d45a609dae2f9e507f38f24bb
Tags: Malicious Library UPX AntiDebug AntiVM PE File OS Processor Check PE32 Malware PDB Code Injection Checks debugger buffers extracted unpack itself Remote Code Execution
6.4 | ZeroCERT
13869 | 2021-10-21 08:42
biz-1268037327.xls 5bba6b76de46547bcb02fd539261257e
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (2):
  https://capaxion.cl/7SjU50ph/h.gif
  https://sahmanish.com.np/QtIKuTt6hBz/h.gif
Hosts (4):
  capaxion.cl(161.97.71.28)
  sahmanish.com.np(149.255.59.21)
  149.255.59.21 - mailcious
  161.97.71.28
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | guest
13870 | 2021-10-21 08:44
biz-1268549549.xls ddfbaf703dde24059d7176488119a78c
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (2):
  https://capaxion.cl/7SjU50ph/h.gif
  https://sahmanish.com.np/QtIKuTt6hBz/h.gif
Hosts (4):
  capaxion.cl(161.97.71.28)
  sahmanish.com.np(149.255.59.21)
  149.255.59.21 - mailcious
  161.97.71.28
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
3.6 | guest
13871 | 2021-10-21 08:46
biz-1267896036.xls 420b2cc7bf39507ded9f96d8af3745e9
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (2):
  https://capaxion.cl/7SjU50ph/h.gif
  https://sahmanish.com.np/QtIKuTt6hBz/h.gif
Hosts (4):
  capaxion.cl(161.97.71.28)
  sahmanish.com.np(149.255.59.21)
  149.255.59.21 - mailcious
  161.97.71.28
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
3.6 | guest
13872 | 2021-10-21 08:52
vbc.exe 36e60a2ecd13869a78ad7bc9312681d0
Tags: NSIS Malicious Library UPX PE File PE32 DLL FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (14):
  http://www.naplesconciergerealty.com/mxnu/?Bn=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6394
  http://www.beachpawsmobilegrooming.com/mxnu/?Bn=3UKcWFD9qZdXpkVuTcyfqHC/sdECx0yJ3q4li0xBqZgcBHBJtb4svrVHA8vfZfIzEwm5PxFs&lvKh=X2MpoVAPDvDTUR1
  http://www.877961.com/mxnu/?Bn=aHYJt+cF3uKE/jjIR1o9yP3wzE0OqMGB2AjKuxgiPGP7v0vlkCnn7S+a/Vapc30Z99lnekHH&vRitR=7nGDYVy8sr - rule_id: 6477
  http://www.029atk.xyz/mxnu/?Bn=6sRgvWVFBb3Q/xwRSmzppKeefWZYMhtu8mXrbS5z1U4Jv8b+WQjv+VljYqCaCxejjINp6HL4&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6486
  http://www.desongli.com/mxnu/?Bn=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6643
  http://www.mortgagerates.solutions/mxnu/?Bn=e40TMWWr6xWVnQ1HwCqLobeJF4L/Z7xCu7/MTKlaRXTCRzwsua34O9neh9w9TPhFkJc6vnSR&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6648
  http://www.procurovariedades.com/mxnu/?Bn=e63Yw596e9MjmhIdNsSN67oqb96/kwQ/AvXQ3UsARMy+g2BaAqseTyVnaYCqY6LOFgU8MBS4&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6662
  http://www.sasanos.com/mxnu/?Bn=vShkcGmQMOINLoOK1pp5XZ1rGlflh1VAH/34JiSotphbghGO08HZN9gmT907Sqcijb1eTDKK&vRitR=7nGDYVy8sr
  http://www.tbrhc.com/mxnu/?Bn=dBbPwQ2utUd0Fk1uS+XSFkxz2YTUNCneFR1VLIh1vAwAXkSpHWWkzNznjyqcoekG5m5H1qts&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6645
  http://www.technichoffghosts.com/mxnu/?Bn=/Fzie1hELeLn7MgSxS1T5SAjvZfamumVbzPuvONP0wKdG4fvdY2IoYOIDGhEOLvFBokHwHx6&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6728
  http://www.bloomberq.online/mxnu/?Bn=o/KNCiHRrXr1o29jsX2904nvUZgzeoF4AFrLsvPkY5gMkei+B/BqpGS5xpPFUL1iDO9N2GeW&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6393
  http://www.dealsbonaza.com/mxnu/?Bn=2XZi6uL7RRI0HDIg3Z0ea+lj0YcIWEabg1/ZNYSjdnZm54tZzsSO4EI/xU1ISKPr2aPXOSCI&lvKh=X2MpoVAPDvDTUR1
  http://www.sattaking-gaziabad.xyz/mxnu/?Bn=UvUEtIev0LW0Fj9rimgEuaxF8o8Q3PSD9GE10acJUnczNTSiUTsn1kpqflxWWG28G9vjgVED&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6653
  http://www.gatescres.com/mxnu/?Bn=/h7P8W3KCMqF8sHgbHgxGw3KDEtccpvlr5o0RXreZvWALZ7/fG1Fr8cUEgi4cFDVX1k6R9aW&lvKh=X2MpoVAPDvDTUR1 - rule_id: 6387
Hosts (30):
  www.gatescres.com(15.197.142.173)
  www.dealsbonaza.com(51.210.156.16)
  www.beachpawsmobilegrooming.com(34.102.136.180)
  www.naplesconciergerealty.com(34.102.136.180)
  www.mortgagerates.solutions(64.190.62.111)
  www.uggs-line.com()
  www.desongli.com(108.186.180.79)
  www.sattaking-gaziabad.xyz(185.28.21.80)
  www.qlfa8gzk8f.com() - mailcious
  www.taquerialoteria.com() - mailcious
  www.877961.com(1.32.254.106)
  www.sasanos.com(66.29.130.249)
  www.029atk.xyz(172.247.0.173)
  www.procurovariedades.com(192.185.131.238)
  www.tbrhc.com(154.208.173.145)
  www.bloomberq.online(51.81.27.134)
  www.technichoffghosts.com(45.156.25.115)
  45.156.25.115 - mailcious
  108.186.180.79 - mailcious
  51.81.27.134 - mailcious
  185.28.21.80 - mailcious
  15.197.142.173
  34.102.136.180 - mailcious
  23.225.30.171
  154.208.173.145 - mailcious
  192.185.131.238 - mailcious
  1.32.254.106 - mailcious
  51.210.156.16
  64.190.62.111 - mailcious
  66.29.130.249
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (11):
  http://www.naplesconciergerealty.com/mxnu/
  http://www.877961.com/mxnu/
  http://www.029atk.xyz/mxnu/
  http://www.desongli.com/mxnu/
  http://www.mortgagerates.solutions/mxnu/
  http://www.procurovariedades.com/mxnu/
  http://www.tbrhc.com/mxnu/
  http://www.technichoffghosts.com/mxnu/
  http://www.bloomberq.online/mxnu/
  http://www.sattaking-gaziabad.xyz/mxnu/
  http://www.gatescres.com/mxnu/
5.0 | M | ZeroCERT
13873 | 2021-10-21 09:04
vbc.exe 7e03d277e60e3ab52416937b82a9f23d
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | 47 | ZeroCERT
13874 | 2021-10-21 10:40
http://209.141.41.233/Porcal4.... 27828516c38739491a3d20e733850aa5
Tags: Gen2 Antivirus Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice Fil VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (1):
Signatures (5):
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.2 | M | 8 | Kim.GS
13875 | 2021-10-21 11:07
Porcal4.exe 27828516c38739491a3d20e733850aa5
Tags: Gen2 Gen1 RAT Generic Malware Antivirus Malicious Library UPX ASPack Malicious Packer PE File OS Processor Check PE32 PNG Format DLL .NET DLL MSOffice File .NET EXE VirusTotal Malware Buffer PE PDB suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Ransomware ComputerName Remote Code Execution DNS crashed
Hosts (1):
  185.7.214.157 - mailcious
6.4 | M | 8 | ZeroCERT