14071 | 2021-10-26 18:16
SecuROM.exe 41ed34b70460e1eb3b561fbc89b65052 Generic Malware UPX Malicious Library PE64 PE File OS Processor Check PE32 VirusTotal Malware MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee DNS crashed
Hosts (2):
mas.to(88.99.75.82) 88.99.75.82
Alerts (3):
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query for .to TLD
3.8 | 26 | ZeroCERT

14072 | 2021-10-26 18:18
Sample_10120351200_ISO_035123.... 8078dc94b90c42ba12f6ece2330c0586 RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4):
freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.70) 132.226.247.73 104.21.19.200
Alerts (3):
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org
15.4 | 41 | ZeroCERT

14073 | 2021-10-27 08:03
solex.exe 9e37ecd7b3a3cc19e3fb569a8f79f2c0 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | 37 | ZeroCERT

14074 | 2021-10-27 09:28
cross2007.exe 2626a621fab10eec02e1c3dc2ab29361 Gen2 Malicious Library UPX PE File OS Processor Check PE32 Malware download VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
URLs (6):
http://prodownload.live/ixset.php?ip=175.208.134.150&mcid=1 http://prodownload.live/ixlive.php?uid=1 http://prodownload.live/ixpkey.php http://prodownload.live/ixptexts.php http://prodownload.live/setad.php http://prodownload.live/iam//index.php
Hosts (2):
prodownload.live(74.208.236.24) 74.208.236.24 - malware
Alerts (5):
ET MALWARE CrownAdPro CnC Activity M3 ET MALWARE CrownAdPro CnC Activity M4 ET MALWARE CrownAdPro CnC Activity M1 ET MALWARE CrownAdPro CnC Activity M2 ET MALWARE CrownAdPro CnC Activity M5
6.6 | 39 | ZeroCERT

14075 | 2021-10-27 09:28
vbc.exe a1b4d8c4d876a9dc57c0a75bdef1f13b Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed
URLs (3):
https://onedrive.live.com/download?cid=4C66C628080BCD75&resid=4C66C628080BCD75%21115&authkey=AJjK25H3RYrnKoA https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1635294283&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D4C66C628080BCD75%26resid%3D4C66C628080BCD75%2521115%26authkey%3DAJjK25H3RYrnKoA&lc=1033&id=250206&cbcxt=sky&cbcxt=sky https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1635294282&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D4C66C628080BCD75%26resid%3D4C66C628080BCD75%2521115%26authkey%3DAJjK25H3RYrnKoA&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Hosts (4):
login.live.com(40.126.35.129) onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious 40.126.16.165
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | 23 | ZeroCERT

14076 | 2021-10-27 09:32
LOIC.exe e6fa3028cd03318496852718143d256f RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key
3.0 | M | 58 | ZeroCERT

14077 | 2021-10-27 09:37
A67gmDqdYqpHVq5d122pdf.exe 6318403488d61f1b6827886675f4180f Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4):
freegeoip.app(172.67.188.154) checkip.dyndns.org(158.101.44.242) 193.122.130.0 172.67.188.154
Alerts (3):
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org
13.2 | 24 | ZeroCERT

14078 | 2021-10-27 09:40
E7pPa8kXU2X9H8nyCZseBfpdf.exe e168c49cc388f05d310f780f70661c47 Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI RWX flags setting unpack itself Windows ComputerName Cryptographic key crashed
10.4 | 19 | ZeroCERT

14079 | 2021-10-27 10:01
vbc.exe 9413abe81e45cc16409f67dae8e0fa65 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
12.0 | 23 | ZeroCERT

14080 | 2021-10-27 10:01
rundll32.exe 9b5b273ed09f8565eb795f35ba1e33c6 PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (7):
http://www.kangrungao.com/fqiq/?Bh=c0qy46zMNJWMlIfJWvLWas23i13YCpczqQVz26IikTOu0V/FV9kYBe5yW824zHJtR/JIW+qz&SzrhP4=EzrtzlQp http://www.esyscoloradosprings.com/fqiq/?Bh=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&SzrhP4=EzrtzlQp - rule_id: 6444 http://www.eclecticrenaissancewoman.com/fqiq/?Bh=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&SzrhP4=EzrtzlQp http://www.ribbonofficial.com/fqiq/?Bh=MhZqZeIjocZO8TTrBOs++VNt6zdxCxYLlsPuJAiQzU371teukL1ZYFZBA4It4Rq6QPk1WBTT&SzrhP4=EzrtzlQp http://www.floaterslaser.com/fqiq/?Bh=cd5R1bQmbqnLvLG63I3E0k/wUnqrUWXrQuGYWdnnzDIYGyWqiJOfWgNnmMSyom/RYKC7YMH4&SzrhP4=EzrtzlQp - rule_id: 6689 http://www.markarge.com/fqiq/?Bh=XEjjI14tUtVaEH1QyrI6OtCMD91wQ8G2c0pwY2Wm0y537Ju/QhVbfyWLrlCWZSdAfVrEc7mJ&SzrhP4=EzrtzlQp http://www.lavishbynovell.com/fqiq/?Bh=A0k50bUP9Xo0F1fuesuUyOcgxOBnaOltcHXAUh5ipYJu8U4xshhCEanj2JPK9AjCHyuZW1cJ&SzrhP4=EzrtzlQp
Hosts (17):
www.begukiu0.info() www.mountlaketerraceapartments.com() - mailcious www.markarge.com(182.50.132.242) www.eclecticrenaissancewoman.com(74.220.199.6) www.ribbonofficial.com(23.227.38.74) www.lavishbynovell.com(37.97.254.27) www.esyscoloradosprings.com(108.167.135.122) - mailcious www.kangrungao.com(101.32.31.22) www.floaterslaser.com(81.169.145.161) www.dmc--llc.com() - mailcious 108.167.135.122 - mailcious 81.169.145.161 - mailcious 74.220.199.6 - mailcious 182.50.132.242 - mailcious 101.32.31.22 37.97.254.27 - suspicious 23.227.38.74 - mailcious
Alerts (2):
ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP unable to match response to request
Malicious URLs (2):
http://www.esyscoloradosprings.com/fqiq/ http://www.floaterslaser.com/fqiq/
7.2 | M | ZeroCERT

14081 | 2021-10-27 10:03
vbc.exe f1119af41aa1a22ea18df0c7b51aac11 Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
9.2 | 43 | ZeroCERT

14082 | 2021-10-27 10:03
vbc.exe 6ff3af29fcf1cabca1e7df8a6094e4a3 PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
URLs (4):
http://www.miaintervista.com/b2c0/?FVWt=U8O6kRJAqCrKAzN8h3rSiV6YS3+F71/8oy2ywOxlTPPEAAUY03Ods+UYspTxL8ni9w1lhzNG&uRmXV=kjFPdLKXqZLtWb - rule_id: 6358 http://www.hi-loentertainment.com/b2c0/?FVWt=h+tO3E4hFG1yu4TvmYvKfGb/NE9o5KfVZIH68S7yQPQpykMulMHmlhWQj/t5Jr0vsQ0T8HVV&uRmXV=kjFPdLKXqZLtWb http://www.vi88.info/b2c0/?FVWt=9nW/OVHQ1XpTvpMusTdL+d4k59iYmTaoVhYIWL8vz0e2o7OkRPl/Jeq3QN9xrgEGq3IVy9cv&uRmXV=kjFPdLKXqZLtWb - rule_id: 6357 http://www.newstodayupdate.com/b2c0/?FVWt=ngE3zTESEmF1TlzaI1JtRqVv6LVi69c0ageAEF+ggQEJgbQkBMu6yGJsOdi7lkxHgRVmVRi9&uRmXV=kjFPdLKXqZLtWb - rule_id: 5526
Hosts (10):
www.philme.net(91.195.240.94) www.newstodayupdate.com(34.102.136.180) www.hi-loentertainment.com(192.64.113.210) www.miaintervista.com(50.62.172.157) www.vi88.info(142.250.199.115) 91.195.240.94 - phishing 34.102.136.180 - mailcious 50.62.172.157 - phishing 192.64.113.210 142.250.66.83
Alerts (2):
ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP Unexpected Request body
Malicious URLs (3):
http://www.miaintervista.com/b2c0/ http://www.vi88.info/b2c0/ http://www.newstodayupdate.com/b2c0/
11.4 | M | 37 | ZeroCERT

14083 | 2021-10-27 10:05
file.exe 0c9545e5c6c941d4288d1089b5a34e39 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | 34 | ZeroCERT

14084 | 2021-10-27 10:05
.csrss.exe e17907e78bff51fd0ffc739cf604de30 PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
http://63.250.40.204/~wpdemo/file.php?search=9099522 - rule_id: 6600
Hosts (1):
63.250.40.204 - mailcious
Alerts (6):
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URLs (1):
http://63.250.40.204/~wpdemo/file.php
13.8 | M | 21 | ZeroCERT

14085 | 2021-10-27 10:07
vbc.exe c30565830025332db48b9f38ddb2ab3f PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself
5.0 | 21 | ZeroCERT