13951 | 2021-10-22 09:36
dllhost.exe 6923309c1cf759930f67710ac9dfd328
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows DNS
URLs (1):
  http://www.yumiacraftlab.com/kzk9/?xN60vPA8=+Ig0HUENFZj5bYnhgJo9WI2w4WSCLtKmjOpHUL28k1EPbK5ekJJxyg6bW63Md+JObtJ9L8ql&9r=2dRPGZEx8
Hosts (5):
  www.ourtownmax.net()
  www.yumiacraftlab.com(34.102.136.180)
  www.sebastian249.com()
  34.102.136.180 - mailcious
  208.95.112.1
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
11.8 | 26 | ZeroCERT

13952 | 2021-10-22 09:38
vbc.exe 75d7e4d1730247c05bd66666c8902d56
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | 28 | ZeroCERT

13953 | 2021-10-22 09:40
vbc.exe efe651adf6dfc657dfe4d65434e2de5c
Tags: Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed
URLs (2):
  https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634863115&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D1836E41CA02A0786%26resid%3D1836E41CA02A0786%2521127%26authkey%3DAOx84Mv6sv3iPME&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
  https://onedrive.live.com/download?cid=1836E41CA02A0786&resid=1836E41CA02A0786%21127&authkey=AOx84Mv6sv3iPME
Hosts (4):
  login.live.com(20.190.163.20)
  onedrive.live.com(13.107.42.13) - mailcious
  13.107.42.13 - mailcious
  40.126.16.163
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | 28 | ZeroCERT

13954 | 2021-10-22 09:46
hswaxn.exe c0fd2bdc5772986959399b514d854a9c
Tags: Generic Malware PE64 PE File VirusTotal Malware
1.4 | 36 | r0d

13955 | 2021-10-22 09:48
hswaxn.exe c0fd2bdc5772986959399b514d854a9c
Tags: Generic Malware PE64 PE File VirusTotal Malware
1.4 | 36 | guest

13956 | 2021-10-22 11:15
REE20212110575259OCT.exe 9c00fc940483cff2a0f3f619db16ad54
Tags: PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (8):
  http://www.dwticket.com/gab8/?RR=HOeYYU0SOE5oBEWYEJfQlPqAuMlhJCJqNltQQ8P1ZCsBwPVGflaZC0gWM6xtBsiq7k9qF/Iu&rP0xPb=8pMPQv
  http://www.royzoom.com/gab8/?RR=ZIawR5WdNK8LsYg64y/ZuRppdufcVyCLEEhqXcgQhf+tR4phV0yge9w0mkSWMgIPzVTRYdnK&rP0xPb=8pMPQv - rule_id: 6494
  http://www.hoedetamni.quest/gab8/?RR=Zf6VUcDX8pplrTFlSUrwMEMdRMHbm2PdB5lK9i72fbf3yYXitiZmAhqsEZoP0weDi8Lt5HBd&rP0xPb=8pMPQv
  http://www.boraeresici.com/gab8/?RR=C6SAXr8o/G/VasXP2qBsDB1rn5jVEpLr3WZGajDPG/enBmYnBlFkkW82TIheSrxSSIWa+io/&rP0xPb=8pMPQv - rule_id: 6496
  http://www.donerightcleaningnation.info/gab8/?RR=nJF/EarIVI5Qk4/nkKqB5E8nYaEjku2rKmG4yev569YVDjTCBnN42BpL3GUrnktlAcqJ5MJn&rP0xPb=8pMPQv
  http://www.duocvietpharmacy.com/gab8/?RR=UORo3IfrbXgOVCBiwz8H30B54EFwHnTBxT9tOqS6gRUO74gX21pm7ETNcpAoGCferi4tV5m1&rP0xPb=8pMPQv
  http://www.hokozaki.com/gab8/?RR=9UqA4We6CmJOZtdlrtx8Ll2PAB5bY0fc2EBVlPc3Z1q0wA4JYe3Rllr0D4AWeYjh1yNqb1oO&rP0xPb=8pMPQv
  http://www.big-food.biz/gab8/?RR=LyDWg/CbKx7XCNBvEg0eZR1cQLqXvz1qY5+JBDlT0r1TOlXYu0a/AMMMX2MSX+io67Q/a5cW&rP0xPb=8pMPQv
Hosts (19):
  www.boraeresici.com(92.223.73.24)
  www.hoedetamni.quest(37.123.118.150)
  www.donerightcleaningnation.info(34.102.136.180)
  www.royzoom.com(3.33.152.147)
  www.purodetalle.com()
  www.dwticket.com(154.95.193.109)
  www.duocvietpharmacy.com(103.101.161.13)
  www.big-food.biz(34.80.190.141)
  www.babyfloki.tech() - mailcious
  www.pinupcams.info()
  www.hokozaki.com(75.2.85.42)
  75.2.85.42
  154.95.193.109
  37.123.118.150 - mailcious
  15.197.142.173
  34.102.136.180 - mailcious
  103.101.161.13 - mailcious
  34.80.190.141 - mailcious
  92.223.73.24 - mailcious
Signatures (3):
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO Observed DNS Query to .biz TLD
  SURICATA HTTP Unexpected Request body
Rule-matched URLs (2):
  http://www.royzoom.com/gab8/
  http://www.boraeresici.com/gab8/
10.6 | M | 20 | ZeroCERT

13957 | 2021-10-22 11:32
QS.exe 8febef9e39284335678e45955722d6a6
Tags: Malicious Library UPX PE File PE32 VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Windows Remote Code Execution crashed
4.6 | 46 | ZeroCERT

13958 | 2021-10-22 11:34
.vbc.exe 61f55bceba5b9a52c750555d62fc7ae9
Tags: Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName crashed
URLs (11):
  http://www.syktxny.com/og2w/?HzrLR=8nCUkDMhhpUJRG43K21tXcgfonDfOShSkumyTfFE8rS8vc8c9x3KWZtckQdcrOjDdiF8eozj&Qh-Ha=tBwxNhWXOzSD&sql=1
  http://www.syktxny.com/og2w/
  http://www.royallecleaning.com/og2w/
  http://www.tamzeedhossain.xyz/og2w/?HzrLR=2n8A1PfAVAzhZ3Hc4aY9dwANXyB5d3RIGzd/lG0EaSO3J5o8WGm6pS7XNEVcLC/w0j6f90Gx&Qh-Ha=tBwxNhWXOzSD&sql=1
  http://www.tamzeedhossain.xyz/og2w/
  http://www.royallecleaning.com/og2w/?HzrLR=RMYdZkGlKd9/cr2q5T7ZE6ssqe4CFpRGJ/mMAD2/ND62kBwptZEMascQDDeN8P25ASvuBy5k&Qh-Ha=tBwxNhWXOzSD&sql=1
  http://www.riverdenim.com/og2w/?HzrLR=8Qx1tP3sSR3Pi0BPI5Y3Wscd1rolyxc4xXpahl252jPQw5aPvU+EM4W1Ph9GZj366CKy6bjY&Qh-Ha=tBwxNhWXOzSD&sql=1
  http://www.riverdenim.com/og2w/
  https://3jaqfq.am.files.1drv.com/y4m9NcDd_ZUc-GHIuKUJyY5hL6x3aLUxl-YC6RJP1LELDrHXkb4STEbYPsABvitxp7nPbLk9le36HVSTTDIiO0Trb7b1V7RTuFcf2-bU-I2nFaemAFuadfU0NoWSqbpkPK8rRQZjfl6YHBLX5qU-9GOQ9k4bjaSe72pWfC52uClmJHPOlKOOP_TcruMbLJ-CEdQ_EEBWOneCB3_bqGPDui2pw/Ajihoeuvpfseywgzvkdmaxhisrgsstr?download&psid=1
  https://3jaqfq.am.files.1drv.com/y4mDJ-FDsSGp1PeATbALhO1LMI7cTJ9FePRrkNEtWG3rHFjt_i4rSUCWbQOGLNAmBI8N37baAfkTDo1nGhbOSuT7MK0ywZgPNGT33Noc102eAtOnfb-1XQGdUtGu9u38cLgAYzEvGmRo6bJ_gbtHFbm5E4_W8w2XTJKegmp-GqeyNrZsM69-AooFcQoTiVbnroYqmVVen8sASYkwAwmXz-dFA/Ajihoeuvpfseywgzvkdmaxhisrgsstr?download&psid=1
  https://onedrive.live.com/download?cid=E9FFBDDD0AB75605&resid=E9FFBDDD0AB75605%21109&authkey=ABYj71iorCY38jA
Hosts (12):
  onedrive.live.com(13.107.42.13) - mailcious
  www.tamzeedhossain.xyz(172.104.184.240)
  www.syktxny.com(156.233.233.109)
  www.royallecleaning.com(34.102.136.180)
  www.riverdenim.com(204.11.56.48)
  3jaqfq.am.files.1drv.com(13.107.42.12)
  172.104.184.240
  13.107.42.13 - mailcious
  13.107.42.12 - malware
  34.102.136.180 - mailcious
  204.11.56.48 - phishing
  156.233.233.109
Signatures (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET DROP Spamhaus DROP Listed Traffic Inbound group 16
12.6 | 24 | ZeroCERT

13959 | 2021-10-22 11:34
catzx.exe 722745a1b594b935445310f8b4f0b9af
Tags: Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
Hosts (2):
  drrkingsleym001.ddns.net(103.133.109.121)
  103.133.109.121
Signatures (2):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET MALWARE Possible NanoCore C2 60B
14.0 | 26 | ZeroCERT

13960 | 2021-10-22 11:35
vbc.exe 1f0a0de6491ff5fb6c2e095a9104777b
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1):
  http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600
Hosts (1):
  63.250.40.204 - mailcious
Signatures (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Rule-matched URLs (1):
  http://63.250.40.204/~wpdemo/file.php
13.8 | M | 22 | ZeroCERT

13961 | 2021-10-22 11:37
ucv8e7nhw53f88ef37s9.exe 3a8369a0ce3b79b7a0e7200ff88d1b91
Tags: Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself ComputerName
2.8 | 47 | ZeroCERT

13962 | 2021-10-22 11:37
LS.exe 0ee296f164c65caaf03788bff0f45d45
ZeroCERT

13963 | 2021-10-22 11:39
obinnazx.exe af594d3a1f091246b196ac370b8b4900
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
URLs (2):
  http://www.stonezhang.top/ed9s/?9rjHOnr=QaZzM5dsxaWBELzh8eh/u+3/X6/gtJo0P9J5E2edw+yoz+NxwohgU+o5N/R3lq2THEL52Cnt&lZ6D=p4spVPQXcjxHrzA0
  http://www.lj-safe-keepinganwgt76.xyz/ed9s/?9rjHOnr=ZKwKhYu4bdLZ3wLn8gOwM6JLr04D5dF7sa/VPRyn7T8dwqXpHXOXyTaOiz9I27Xp5VyMg4V3&lZ6D=p4spVPQXcjxHrzA0
Hosts (5):
  www.stonezhang.top(47.243.19.85)
  www.lj-safe-keepinganwgt76.xyz(150.95.255.38)
  www.paypal-caseid581.com()
  150.95.255.38 - mailcious
  47.243.19.85
Signatures (5):
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .TOP Domain with Minimal Headers
  ET HUNTING Request to .XYZ Domain with Minimal Headers
8.6 | 36 | ZeroCERT

13964 | 2021-10-22 11:41
IMG_572452.exe 95029e00a50b60c370c4fcdc60cb0b6d
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
Hosts (1): (none listed on the page)
9.2 | 15 | ZeroCERT

13965 | 2021-10-22 12:01
seasonzx.exe 664920ea617d6c5f15c228b7374aa15f
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2):
  http://www.fzdzcnj.com/s18y/?W6=Hl0lIW8ISzLTFJqvj934xRUyvEaEj7Zky1fsZOvthMlAvBUAW+5/IDgCzncAdJS5VTnohmkm&UlSt=DVoxsVvX_bCDbl
  http://www.block-facebook.com/s18y/?W6=F/o8tUBbN7Q4bEYlsRgrRfhLcegYO4G5KTt6+aMIm42HsVV/9SustWGyb4PboDVkac3n0IW7&UlSt=DVoxsVvX_bCDbl
Hosts (4):
  www.block-facebook.com(146.148.34.125)
  www.fzdzcnj.com(172.80.91.152)
  146.148.34.125
  172.80.91.152
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
8.0 | 25 | ZeroCERT