14086 | 2021-10-27 10:09 | abb01.exe | 05c21bf3df38d5b8365db71d94dbca37 | Malicious Library UPX PE File OS Processor Check PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself
12
25
1
ET MALWARE FormBook CnC Checkin (GET)
3.6 | 43 | ZeroCERT

14087 | 2021-10-27 10:09 | sefile.exe | 274054f8343ab8e7e4422e325e9aa874 | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | 24 | ZeroCERT

14088 | 2021-10-27 10:10 | vbc.exe | 2d84b38efa4ce09e9b92c7d9cdfaadfa | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
6
15
1
ET MALWARE FormBook CnC Checkin (GET)
9.8 | 25 | ZeroCERT

14089 | 2021-10-27 10:13 | temple.exe | aa097cd2ea67822b909850f8f6df13b2 | Gen1 Gen2 Themida Packer Generic Malware Malicious Library UPX Anti_VM Malicious Packer PE File PE32 DLL PE64 VirusTotal Malware Check memory Creates executable files unpack itself Checks Bios Detects VMWare AppData folder VMware anti-virtualization Windows Firmware crashed
6.6 | 29 | ZeroCERT

14090 | 2021-10-27 10:13 | .csrss.exe | e54e7ec5aa72f4d5bb128553728fb209 | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
8
18
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
9.4 | 36 | ZeroCERT

14091 | 2021-10-27 10:14 | game.exe | afdd13f1365200afbcadcfe2c702c785 | Malicious Library UPX PE File OS Processor Check PE32 PDB unpack itself Remote Code Execution
1.2 | ZeroCERT

14092 | 2021-10-27 10:14 | sefile3.exe | a652999a5f462a68a3b68ce0a817b5c0 | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | 23 | ZeroCERT

14093 | 2021-10-27 10:16 | askinstall59.exe | b0148682e7c912ae740355e8a37c23f6 | Gen2 Trojan_PWS_Stealer Credential User Data Generic Malware Malicious Packer Malicious Library SQLite Cookie UPX PE File OS Processor Check PE32 PNG Format Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash Windows utilities suspicious process suspicious TLD WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
4
8
3
ET INFO HTTP Request to a *.top domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
3
10.2 | M | 44 | ZeroCERT

14094 | 2021-10-27 10:16 | sqlservr.exe | ffc90ece293d4a8d6d7d5da217ab51be | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
1
http://63.250.40.204/~wpdemo/file.php?search=5277961 - rule_id: 6600
1
63.250.40.204 - mailcious
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
1
http://63.250.40.204/~wpdemo/file.php
14.2 | M | 23 | ZeroCERT

14095 | 2021-10-27 10:19 | vbc.exe | 2bd0212a01ee6f425e6eb61ae258def9 | Emotet Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed
1
https://cdn.discordapp.com/attachments/902132472924479511/902136733435592744/Wbjhzkbevojgqfhfalbqxnykvunmobi
2
cdn.discordapp.com(162.159.135.233) - malware
162.159.129.233 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.4 | 15 | ZeroCERT

14096 | 2021-10-27 10:24 | stanzx.exe | 810a82f75517c167b50617cd983ba22a | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Browser ComputerName crashed
1
7.6 | 26 | ZeroCERT

14097 | 2021-10-27 10:25 | csrss.exe | 24c4b3e55ca7f7cbd70f48c1f3ea3448 | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution DNS
1
162.159.129.233 - malware
2.8 | 28 | ZeroCERT

14098 | 2021-10-27 10:27 | vbc.exe | 980c080857ff5a30b52a62d8649042da | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
8
17
1
ET MALWARE FormBook CnC Checkin (GET)
8.0 | 29 | ZeroCERT

14099 | 2021-10-27 10:28 | done.exe | 83a00ad620a300149c0f6b9c3791f821 | NSIS Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
4
8
1
ET MALWARE FormBook CnC Checkin (GET)
5.8 | 20 | ZeroCERT

14100 | 2021-10-27 10:28 | guide-1763783064.xls | b3e7cae9729b0aff260863e5c19730b3 | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
4
7
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
4.0 | guest