14221 | 2021-10-28 18:12
File: P.O#2456hanger.exe
MD5: 6786ba299e0224069b0f695b924c9df0
Tags: AgentTesla(IN) Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself
URLs / Hosts / IDS alerts / C2: none
2.4 | - | 48 | ZeroCERT

14222 | 2021-10-28 18:14
File: Payment_Receipt_ 1791.xls
MD5: c2889891f65e5dec8038d662a03bb2a5
Tags: VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself
URLs / Hosts / IDS alerts / C2: none
1.4 | - | 13 | ZeroCERT

14223 | 2021-10-28 18:15
File: SecuriteInfo.com.Variant.Razy....
MD5: 617b1fd1bfdab72e5562c0c2f7600bcb
Tags: Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed
URLs / Hosts / IDS alerts / C2: none
1.6 | - | 28 | ZeroCERT

14224 | 2021-10-28 18:20
File: bghost.exe
MD5: 83754fa016cb31ea372d1b3f6c34708d
Tags: UPX PE64 PE File VirusTotal Malware AutoRuns Malicious Traffic Windows
URLs (2):
  http://youbotter.click/stream.php
  http://youbotter.click/
Hosts (2):
  youbotter.click(167.71.28.113)
  167.71.28.113
IDS alerts (1):
  ET USER_AGENTS Go HTTP Client User-Agent
C2: none
4.6 | - | 38 | ZeroCERT

14225 | 2021-10-28 18:24
File: vbc.exe
MD5: 9980e7e39379cbe367adf3b7443dd319
Tags: Malicious Library UPX PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Tofsee Windows DNS crashed
URLs (9):
  http://www.hubmedia.digital/rqan/?ARmdX8=vzr0Av30tV&Q2J=jKXuqpJ845LlYgXLN57GGReLMLujtTvdbdtZr6KDyHbeGyC6N93DxSGPylyr0R/BLC7uEPiJ
  http://www.buratacoin.com/rqan/?Q2J=Jt/jULqvuHmFHTQHoInL/hgvG9NOCzgC+ifeqw8dEamPSAWqFa2LRIXLynF/lbhL2qE+xTiF&ARmdX8=vzr0Av30tV - rule_id: 6093
  http://www.cardboutiqueapp.com/rqan/?ARmdX8=vzr0Av30tV&Q2J=7XmFwjbCeixI2TDSYCNwr0HgHUHoiQEi/VPj3ka7wDWICz/dm8qqNJY2vVzGU6p/p2qyOoMU - rule_id: 6216
  http://www.delocdinh.com/rqan/?ARmdX8=vzr0Av30tV&Q2J=9+ltUe4Es3ydY2P59+460GeH7BXYQI/omiZxZpx1KJYKq++oKHgZPCowv5/QmVkI6ItS41fc
  http://www.anthonyaarnold.com/rqan/?Q2J=nXb8TAZPYTKJnRrZC8GfrTSCrGoVlau1gQGn5GO75UMd983Q3NLO89qWBoHnTj4RfZv8bfb0&ARmdX8=vzr0Av30tV
  https://pdzxoa.db.files.1drv.com/y4m_O1zVrsu4yM38s1h0XXuc6gMBIvbfaHcCwBZZ8_ckbvOg4zAD_VMxuI54uU9k0KgfsyTuQIy4ApBOnB8B9G7YxSipIIFZebrdPC-hzvkCJHP2pcI3CVkS5w0hWyiiXRkE0UmoV0fwW6XWlm-_RbM8cYrRTNT8LZaL6HA91bGHqKXWKLZbgaiPU0B6rqfAs6jrcs8PVIXgJ7zpwlxIhtirA/Zostiqnylyrdnslddbckuhjvjxshyfe?download&psid=1
  https://pdzxoa.db.files.1drv.com/y4miZSeYgjdCfzvZiFaRNZDDiOec4mE-vtZ8TwjIP5UcupVO3whh951XVdDw9LviCkdXoqiuFTtKEHHZ5lTtqrf3SQ85kictk50f50Y1i_sExzGdOvU4kyxaglk23yo3xoo7h-mc-qYkQ98A-MK_Ncl43Mnmjo5Z2QWUEGSemWl-GQpUHjpooeSMDmC7FD4HtYPYmcsF0eDPVWtm6YokKzF1Q/Zostiqnylyrdnslddbckuhjvjxshyfe?download&psid=1
  https://onedrive.live.com/download?cid=50DB9D917FD3F0DD&resid=50DB9D917FD3F0DD%21114&authkey=AIwRtImV0tqYgK0
  https://pdzxoa.db.files.1drv.com/y4mr2aaBbKzkO-TXX2xqbJmRaUYNoTauKGoRW7_JnK6wEAqtxDJjnJ2kqZcylgJ1KgIMt_w0LsZouncEguMeXwPTYEqo7Se16yv6rPgrZwL04Ej8DYBLONeJAR6hsDuhH0yc3QkyixasilefFu4kS1CAYdmFGviN4aarYrr1Efp9IzOeJZ5bzD7NKfDtqDvp2D-j7kCPwDgb0BGBKWvx1CL5w/Zostiqnylyrdnslddbckuhjvjxshyfe?download&psid=1
Hosts (18):
  www.lakshhomesbalram.info()
  pdzxoa.db.files.1drv.com(13.107.42.12)
  onedrive.live.com(13.107.42.13) - malicious
  www.anthonyaarnold.com(198.54.117.218)
  www.cambabez.xyz() - malicious
  www.hubmedia.digital(2.57.90.16)
  www.delocdinh.com(112.213.89.167)
  www.sergomosta.com() - malicious
  www.cardboutiqueapp.com(185.129.100.113)
  www.buratacoin.com(54.39.107.28)
  54.39.107.28 - malicious
  13.107.42.13 - malicious
  13.107.42.12 - malware
  198.54.117.217 - phishing
  185.129.100.113 - malicious
  167.71.28.113
  2.57.90.16 - malicious
  112.213.89.167 - malicious
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
C2 (2):
  http://www.buratacoin.com/rqan/
  http://www.cardboutiqueapp.com/rqan/
9.6 | M | 13 | ZeroCERT

14226 | 2021-10-28 18:26
File: Payment_Receipt_ 1791.xls
MD5: c2889891f65e5dec8038d662a03bb2a5
Tags: VBA_macro Generic Malware KeyLogger ScreenShot AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself
URLs / Hosts / IDS alerts / C2: none
2.6 | - | 13 | ZeroCERT

14227 | 2021-10-29 07:36
File: vbc.exe
MD5: 1b4af97e5bb29267e445511854e12b87
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1):
  http://bobbyelectronics.xyz/five/fre.php - rule_id: 6744
Hosts (2):
  bobbyelectronics.xyz(104.21.92.21) - malicious
  104.21.92.21 - malicious
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
C2 (1):
  http://bobbyelectronics.xyz/five/fre.php
12.4 | M | 19 | ZeroCERT

14228 | 2021-10-29 07:36
File: invc_0070032233.wbk
MD5: cf62058e0e077981fa8535c0d47f12ea
Tags: RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Windows Exploit DNS DDNS crashed Downloader
URLs (4):
  http://23.106.223.27/vbc.exe
  https://onedrive.live.com/download?cid=4DFB187F341EBACF&resid=4DFB187F341EBACF%21164&authkey=AB6vf_RpiS-BZkA
  https://pkc5hq.by.files.1drv.com/y4mXHvA4annmU58YyoOm5IbUsOjHQkt8q8czhufn7SvhH_9ENeZ-hZCEVtU8HfJcyZqybwtJhT99lOdljmUKIJV6mEDjvRJN7qaSuTHjHe0P1Uks0H3eThDcBWxr_GDuW5ssjF1L07fN6gOidautQhhbxAbZRDoxBKxbzH3LFBtezqfaA5PtN-orcz2O8r_j7cZsCvccczTmxYMdT99EAN2XQ/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
  https://pkc5hq.by.files.1drv.com/y4mbAoLripoDP3gbIunXf6AhB9wxgfIIoSbjKMJfKMtjRD33rmLjnaP5rsqgnEP1T6_Bdb2MUO_hsDTIM1sHFVa3ef8ahu_e_3RkXt2wnnhpDIEFjkcRXiurYGt-QnwFtyGNWMEdG4wfsEmrYjQkmSI7A3RWRn5ab-Q2d9vhvXn9hv63QOUhRmJ_nqqZ6NNjqH_lhDWSLFYs9j6TXFBQCTb8w/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
Hosts (10):
  onedrive.live.com(13.107.42.13) - malicious
  sheilabeltagy4m.hopto.org(23.105.131.236)
  micheal3m.hopto.org(23.105.131.236)
  johnie3m.hopto.org(23.105.131.236)
  pkc5hq.by.files.1drv.com(13.107.42.12)
  sugarcane.hopto.org()
  13.107.42.13 - malicious
  13.107.42.12 - malware
  23.106.223.27
  23.105.131.236
IDS alerts (8):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
C2: none
6.4 | - | 27 | ZeroCERT

14229 | 2021-10-29 07:43
File: rundll32.exe
MD5: ad0e9142963cac524f3474d8f9b90a4f
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (18):
  http://www.weeden.xyz/fqiq/ - rule_id: 6603
  http://www.clinicscluster.com/fqiq/?jrTDmX=woKSgF6PWqdOVJ+XqLECyRzWT6gfRe7mgXg/479saEs9am2OBdXx0181fBs2SDsh/Ug2MjSj&p0D=QfrHnNSxqR0PU4N
  http://www.healthyweekendtips.com/fqiq/?jrTDmX=nFNrhldW1G3Iuc6NBw1UbSwwpktYb/50pHeyo/0a7tjLnrEnAw7KG36PTjcGJ5KEduXnU9Wd&p0D=QfrHnNSxqR0PU4N - rule_id: 6446
  http://www.srofkansas.com/fqiq/ - rule_id: 6445
  http://www.hillcresthomegroup.com/fqiq/?jrTDmX=e8IUz+kyOysVBZlQ7dDPCxDZEZgLUw6RtmKaFnpypWcRg6rSNETXHzLpDmYSKaMDSlUjICSm&p0D=QfrHnNSxqR0PU4N - rule_id: 7070
  http://www.hillcresthomegroup.com/fqiq/?jrTDmX=e8IUz+kyOysVBZlQ7dDPCxDZEZgLUw6RtmKaFnpypWcRg6rSNETXHzLpDmYSKaMDSlUjICSm&p0D=QfrHnNSxqR0PU4N
  http://www.seal-brother.com/fqiq/ - rule_id: 6601
  http://www.cotchildcare.com/fqiq/
  http://www.cotchildcare.com/fqiq/?jrTDmX=OmCJUEnXV7P0Uz61PKp9U0DomyEu2+yoRYW3e87DTGJYrESr+zJ/zO0cOkjAwmwmSmwGprfn&p0D=QfrHnNSxqR0PU4N
  http://www.hartfulcleaning.com/fqiq/?jrTDmX=uHvuYmjit4fallNp1Ej7vtyQWzU3HFRSMqXztfeWYNDOTP1U0scGwGT4FHCGKhM8svXnQnS7&p0D=QfrHnNSxqR0PU4N
  http://www.srofkansas.com/fqiq/?jrTDmX=wFDpWBcybTtkZf6rJwxG8GxnrXCHdVwe5dpvC2P+G/35kvGl/Iz1QduPYt3eFaCRSD2mr4cI&p0D=QfrHnNSxqR0PU4N - rule_id: 6445
  http://www.healthyweekendtips.com/fqiq/ - rule_id: 6446
  http://www.seal-brother.com/fqiq/?jrTDmX=mnFbYCr+AW78Kl2ulk1rPiA6Of2qOAThWlvrEIJbjMlKOtQ7tqTA3v+J7YK2FP1KSWelWkwc&p0D=QfrHnNSxqR0PU4N - rule_id: 6601
  http://www.clinicscluster.com/fqiq/
  http://www.hillcresthomegroup.com/fqiq/ - rule_id: 7070
  http://www.hillcresthomegroup.com/fqiq/
  http://www.hartfulcleaning.com/fqiq/
  http://www.weeden.xyz/fqiq/?jrTDmX=USYLug/oA1YO3zHhBpyf49MelhMmknrjwB+F0T6I7p0aWr8Ic8GlSHHjxu6xNcH2bdjI/bcO&p0D=QfrHnNSxqR0PU4N - rule_id: 6603
Hosts (16):
  www.healthyweekendtips.com(172.67.216.2)
  www.hartfulcleaning.com(34.80.190.141)
  www.clinicscluster.com(34.102.136.180)
  www.srofkansas.com(199.59.242.153)
  www.seal-brother.com(59.106.13.53)
  www.hillcresthomegroup.com(3.33.152.147)
  www.cotchildcare.com(199.59.242.153)
  www.controldatasa.com()
  www.weeden.xyz(192.185.5.49)
  172.67.216.2
  15.197.142.173
  34.102.136.180 - malicious
  192.185.5.49 - malicious
  199.59.242.153 - malicious
  59.106.13.53 - malicious
  34.80.190.141 - malicious
IDS alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
C2 (10):
  http://www.weeden.xyz/fqiq/
  http://www.healthyweekendtips.com/fqiq/
  http://www.srofkansas.com/fqiq/
  http://www.hillcresthomegroup.com/fqiq/
  http://www.seal-brother.com/fqiq/
  http://www.srofkansas.com/fqiq/
  http://www.healthyweekendtips.com/fqiq/
  http://www.seal-brother.com/fqiq/
  http://www.hillcresthomegroup.com/fqiq/
  http://www.weeden.xyz/fqiq/
8.8 | M | 22 | ZeroCERT

14230 | 2021-10-29 07:43
File: InvoicePO102IndexLtdParamout.e...
MD5: dc738e765ddc4e0a9663ca40239b7df9
Tags: RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
URLs / Hosts / IDS alerts / C2: none
8.8 | - | 24 | ZeroCERT

14231 | 2021-10-29 07:56
File: vbc.exe
MD5: 8341a43885eb6960bd658ba5a1c8b84d
Tags: Malicious Library UPX PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Tofsee Windows DNS DDNS crashed
URLs (3):
  https://onedrive.live.com/download?cid=4DFB187F341EBACF&resid=4DFB187F341EBACF%21164&authkey=AB6vf_RpiS-BZkA
  https://pkc5hq.by.files.1drv.com/y4mvzsRcwXGDSbbaIRnJHJoy7rydv1mvZGvUJpoUdNzrZxzT50L19Wph96_2DA6hfmyi-su6AGdLXSBndNqYJz_bklxD9wT9Qe_mvrcJZ-C8AGVNG3aKny2ZgeSOtfCH9den21Vwp_cdPKF7UXwGbE2IyXXt6S5DmG3q9HkkhkX0pLOtVgKl_IEz6NUVlS3o_qvkRvDIt1nAEb6EcNkJUm-KQ/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
  https://pkc5hq.by.files.1drv.com/y4mDWdC-H4D_BoPjpW5tZZG5TPbFf0FF-zxaibY2r4d7dPuPlTLE6jXIfMJrUs-VZ6Y2nxcu7AhEOjd0ZsCwKVF09E5Kw6lNiIQHALwKH7ZaGvuZVl1jJAeZP6y7-KCKXu-pARqtbA_1CgvSXhuQH_8JBEEghb1NCPjI35isq6BbLdHAohzji8w6f-jDMLvSrHWblDkH_UUsgPu_rgx-fOADg/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
Hosts (9):
  onedrive.live.com(13.107.42.13) - malicious
  sheilabeltagy4m.hopto.org(23.105.131.236)
  micheal3m.hopto.org(23.105.131.236)
  johnie3m.hopto.org(23.105.131.236)
  pkc5hq.by.files.1drv.com(13.107.42.12)
  sugarcane.hopto.org()
  13.107.42.13 - malicious
  13.107.42.12 - malware
  23.105.131.236
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
C2: none
11.0 | - | 24 | ZeroCERT

14232 | 2021-10-29 09:06
File: .lsass.exe
MD5: f6741a7f14669cbb4dffc16029381a91
Tags: PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process AppData folder WriteConsoleW VMware anti-virtualization Windows ComputerName Cryptographic key Software crashed
URLs (2):
  http://www.bookanyclick.com/hs3h/?JjUdE2=N2wrYjy29kSOT4NGIPQyaCDlzJzAe5M9Os8Vy9dsMfLAOBFmOT1VxF5pVFIYJ9imXQ6clAqp&lzul=z8oHnHbh3L
  http://www.kagawa-rentacar.com/hs3h/?JjUdE2=MUcuOaoaWzdiqsc041tkxtCPxCWBE2NvTm+WO+dxYC+JZdi3iYXCypXvjqYhOL988ujoI2pK&lzul=z8oHnHbh3L
Hosts (5):
  www.kagawa-rentacar.com(133.130.64.128)
  www.bookanyclick.com(94.136.40.51)
  www.torgetmc.xyz()
  133.130.64.128 - malicious
  94.136.40.51 - malicious
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
C2: none
16.2 | - | 24 | ZeroCERT

14233 | 2021-10-29 09:06
File: c8u1msi.jpg
MD5: 2215b04e57387c4925aff75b65ce2fca
Tags: Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed
URLs / Hosts / IDS alerts / C2: none
1.4 | - | 13 | ZeroCERT

14234 | 2021-10-29 09:08
File: oit9ql.jpg
MD5: 0cfb719775ab7f2be4454602e6a51d90
Tags: Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed
URLs / Hosts / IDS alerts / C2: none
1.4 | - | 15 | ZeroCERT

14235 | 2021-10-29 09:08
File: .wininit.exe
MD5: 4f811d4d3659bf698a270ebea91dd3ed
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/fd3/fre.php - rule_id: 6923
  http://secure01-redirect.net/fd3/fre.php
Hosts (2):
  secure01-redirect.net(94.142.141.221)
  94.142.141.221
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
C2 (1):
  http://secure01-redirect.net/fd3/fre.php
12.8 | - | 17 | ZeroCERT

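Worked example (added here; not ZeroCERT's code nor the code of any sample above). The hosts, URLs and IDS columns in these rows are flattened into one string each, using the notation `name(ip) - tag`, `url - rule_id: N`, and alert messages run together. The script below parses that notation into structured IOCs, builds a domain/IP blocklist, and groups the FormBook-style check-in URLs by their path segment. Two assumptions are labelled in the code: `onedrive.live.com` and `*.1drv.com` are treated as shared Microsoft OneDrive hosting that the droppers (rows 14225, 14228, 14231) abuse for payload staging, so they and their IPs (13.107.42.12/13) are kept out of the blocklist rather than breaking OneDrive for everyone; and the tag the sandbox emits as `mailcious` is normalised to `malicious`. The sample strings are copied from the rows named in the comments.

```python
"""Parse ZeroCERT-style sandbox columns into structured IOCs.

Added example, not ZeroCERT's or any sample author's code. Column notation
as the sandbox emits it on this page:
  hosts  : name(ip) [- tag]  or  ip [- tag]   (empty "()" = unresolved)
  urls   : url [- rule_id: N]
  alerts : Suricata messages run together, each starting "ET " or "SSLBL:"
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumption for this example: shared Microsoft OneDrive hosting that the
# samples abuse for payload staging; excluded from the blocklist.
SHARED_HOSTING = ("onedrive.live.com", ".1drv.com")
TAG_FIX = {"mailcious": "malicious"}  # typo in the sandbox's tag vocabulary

HOST_RE = re.compile(r"(?P<name>[A-Za-z0-9.\-]+)\((?P<ip>[0-9.]*)\)"
                     r"|(?P<bare_ip>\d{1,3}(?:\.\d{1,3}){3})")
TAG_RE = re.compile(r"\s+-\s+(\w+)")
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")

def is_shared(name):
    return bool(name) and (name == SHARED_HOSTING[0] or name.endswith(SHARED_HOSTING[1]))

def parse_hosts(field):
    """hosts column -> [{'name', 'ip', 'tag'}], one entry per token."""
    out = []
    for m in HOST_RE.finditer(field):
        t = TAG_RE.match(field, m.end())  # optional ' - <tag>' right after the token
        tag = TAG_FIX.get(t.group(1), t.group(1)) if t else None
        ip = m.group("ip") or m.group("bare_ip") or None  # "()" -> None
        out.append({"name": m.group("name"), "ip": ip, "tag": tag})
    return out

def parse_urls(field):
    """urls column -> [{'url', 'rule_id', 'host', 'path', 'params'}]."""
    out = []
    for m in URL_RE.finditer(field):
        u = urlsplit(m.group("url"))
        out.append({"url": m.group("url"),
                    "rule_id": int(m.group("rule")) if m.group("rule") else None,
                    "host": u.hostname, "path": u.path,
                    "params": [k for k, _ in parse_qsl(u.query, keep_blank_values=True)]})
    return out

def parse_alerts(field):
    """alerts column -> list of individual rule messages."""
    return [a for a in re.split(r"\s+(?=ET |SSLBL:)", field.strip()) if a]

def build_blocklist(host_fields):
    """Domains and IPs to block: everything except shared hosting and its IPs."""
    domains, ips, shared_ips = set(), set(), set()
    for field in host_fields:
        for h in parse_hosts(field):
            if is_shared(h["name"]):
                shared_ips.add(h["ip"])
            else:
                domains.update([h["name"]] if h["name"] else [])
                ips.update([h["ip"]] if h["ip"] else [])
    return sorted(domains), sorted(ips - shared_ips)

def group_checkins(url_fields):
    """Group directory-style check-in URLs by first path segment. On this page
    that segment is constant per FormBook campaign (/rqan/, /fqiq/, /hs3h/)
    while the domains rotate, so it is the better pivot than the domain."""
    groups = defaultdict(set)
    for field in url_fields:
        for u in parse_urls(field):
            seg = u["path"].strip("/").split("/")[0]
            if seg and u["path"].endswith("/") and not is_shared(u["host"]):
                groups[seg].add(u["host"])
    return {k: sorted(v) for k, v in groups.items()}

# Constructed input: copied from the hosts / URLs / IDS columns of the rows named.
SAMPLE_HOSTS = [
    "www.lakshhomesbalram.info() pdzxoa.db.files.1drv.com(13.107.42.12) "  # row 14225
    "onedrive.live.com(13.107.42.13) - mailcious www.anthonyaarnold.com(198.54.117.218) "
    "www.cambabez.xyz() - mailcious www.hubmedia.digital(2.57.90.16) www.delocdinh.com(112.213.89.167) "
    "www.sergomosta.com() - mailcious www.cardboutiqueapp.com(185.129.100.113) "
    "www.buratacoin.com(54.39.107.28) 54.39.107.28 - mailcious 13.107.42.13 - mailcious "
    "13.107.42.12 - malware 198.54.117.217 - phishing 185.129.100.113 - mailcious "
    "167.71.28.113 2.57.90.16 - mailcious 112.213.89.167 - mailcious",
    "onedrive.live.com(13.107.42.13) - mailcious sheilabeltagy4m.hopto.org(23.105.131.236) "  # row 14228
    "micheal3m.hopto.org(23.105.131.236) johnie3m.hopto.org(23.105.131.236) "
    "pkc5hq.by.files.1drv.com(13.107.42.12) sugarcane.hopto.org() "
    "13.107.42.13 - mailcious 13.107.42.12 - malware 23.106.223.27 23.105.131.236",
]
SAMPLE_URLS = [
    "http://www.weeden.xyz/fqiq/ - rule_id: 6603 "  # row 14229 (2 of its 18 URLs)
    "http://www.healthyweekendtips.com/fqiq/?jrTDmX=nFNrhldW1G3Iuc6NBw1UbSwwpktYb/50pHeyo/0a7tjLnrEnAw7KG36PTjcGJ5KEduXnU9Wd&p0D=QfrHnNSxqR0PU4N - rule_id: 6446",
    "http://www.bookanyclick.com/hs3h/?JjUdE2=N2wrYjy29kSOT4NGIPQyaCDlzJzAe5M9Os8Vy9dsMfLAOBFmOT1VxF5pVFIYJ9imXQ6clAqp&lzul=z8oHnHbh3L",  # row 14232
    "http://bobbyelectronics.xyz/five/fre.php - rule_id: 6744",  # row 14227
    "http://23.106.223.27/vbc.exe https://onedrive.live.com/download?cid=4DFB187F341EBACF&resid=4DFB187F341EBACF%21164&authkey=AB6vf_RpiS-BZkA",  # row 14228
]
SAMPLE_ALERTS = ("SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "  # row 14225
                 "ET MALWARE FormBook CnC Checkin (GET)")
```

Running `build_blocklist(SAMPLE_HOSTS)` yields 12 domains and 9 IPs, with the OneDrive hosts and 13.107.42.12/13 left out; `group_checkins(SAMPLE_URLS)` returns `{"fqiq": [...], "hs3h": [...]}`, which is the pivot to use when the same campaign shows up under a new domain. Bare IPs that never resolved on this page (for example 167.71.28.113 in row 14225, which row 14224 resolves as youbotter.click) still land in the blocklist because the parser keeps untagged tokens too.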