14251 | 2021-10-29 09:34
pd.exe c7b844578dca69166f414ea0c28e0384 | PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself
4.8 | 17 | ZeroCERT
14252 | 2021-10-29 09:34
bin.exe cf7c842dfbf541a670dc5bc914516847 | RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key
1 | https://cdn.discordapp.com/attachments/893177342426509335/903191029929361409/D39069DB.jpg
2 | cdn.discordapp.com(162.159.129.233) - malware 162.159.135.233 - malware
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | 12 | ZeroCERT
14253 | 2021-10-29 09:36
A540bo3mQDlYqpH30620D.exe 781fb23a988efab21e4ab321aa932b09 | RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName
2.4 | 17 | ZeroCERT
14254 | 2021-10-29 09:37
EgAXWEL.exe a21083e3799762685013f624ef688c60 | Emotet NPKI Malicious Library UPX Anti_VM Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PE File Browser Info Stealer Malware download VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check SectopRAT Windows Browser Backdoor ComputerName Remote Code Execution DNS Cryptographic key crashed
1 |
4 | eth0.me(5.132.162.27) MhwAjjBLPUoogFMX.MhwAjjBLPUoogFMX() 195.2.93.45 5.132.162.27
1 | ET MALWARE Arechclient2 Backdoor CnC Init
16.6 | 16 | ZeroCERT
14255 | 2021-10-29 09:38
ens.exe e38e18c6b8fc1f9abd0ed7ce9aa45fda | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | 30 | ZeroCERT
14256 | 2021-10-29 09:40
kontrol.exe ae2ab79ae3a03b8af8ca9aa7a3e9d445 | NSIS Generic Malware Malicious Library UPX PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
1 | www.meadow-spring.com(79.170.40.4)
10.0 | 33 | ZeroCERT
14257 | 2021-10-29 09:40
vbc.exe ff1c94584214d5eef525a0d3ff196a8b | RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
16 | http://www.primetire.net/mwev/ http://www.qask.top/mwev/?jPg8=qE5bhU2rfuvSOEXtbyOfkgx1PC6A3veX4X/KGzMuR23PBBsMnLebpzO3NVDHSa/lfKHUqBlj&P0D=AdsxIRr http://www.bjxxc.com/mwev/?jPg8=+cHbYlIGBAVtPctvPq0XFGSuGYhOa/tdOYBt8plfdlvFl5TaVW10KRWwk6BFStBsG9BoFguW&P0D=AdsxIRr http://www.tikomobile.store/mwev/ http://www.primetire.net/mwev/?jPg8=zbuTtjHTIyJcCQ75HIAcR70VDcSt4ckw8+YdHRNR49yiTDLEDqTCZoacxt1ESzoNMak3RFV3&P0D=AdsxIRr http://www.yourvirtualevent.services/mwev/?jPg8=59U8lBHLMKGMdVSWzB48AOW2YGIcffBPT8arLkbScMsXjSC3N75m4hpfWCyrNOJOTjkR8L4e&P0D=AdsxIRr http://www.tikomobile.store/mwev/?jPg8=/zd6oxG8a93jjpS0cHlZDp/zFP0nYcFn0Ybx4g9INNSWAcHaWI/47spAy4WNZohH37cV8MZ6&P0D=AdsxIRr http://www.bjxxc.com/mwev/ http://www.schooldiry.com/mwev/ http://www.schooldiry.com/mwev/?jPg8=JT891w3mrETFXfIgInRhQPqJo7rQZ+TJMvuUzR4wisAtM3CriaBxHCyk2U+JdJFKluARD6VQ&P0D=AdsxIRr http://www.thegurusigavebirthto.com/mwev/?jPg8=6Sc3LlBJxZZC4+mEboPE99cD6wuRe5iQ+Pzmr10Fl76FDXQrWG9i3gEbb3AnXvsJeMTBS4sp&P0D=AdsxIRr - rule_id: 6986 http://www.thegurusigavebirthto.com/mwev/?jPg8=6Sc3LlBJxZZC4+mEboPE99cD6wuRe5iQ+Pzmr10Fl76FDXQrWG9i3gEbb3AnXvsJeMTBS4sp&P0D=AdsxIRr http://www.yourvirtualevent.services/mwev/ http://www.qask.top/mwev/ http://www.thegurusigavebirthto.com/mwev/ - rule_id: 6986 http://www.thegurusigavebirthto.com/mwev/
17 | www.schooldiry.com(103.224.182.246) www.qask.top(104.233.161.201) www.mrteez.club() www.primetire.net(213.190.6.117) www.fourthandwhiteoak.com() www.bjxxc.com(156.239.98.158) www.tikomobile.store(87.236.16.208) www.yourvirtualevent.services(34.102.136.180) www.thegurusigavebirthto.com(192.0.78.24) 195.2.93.45 213.190.6.117 34.102.136.180 - mailcious 156.239.98.158 104.233.161.201 103.224.182.246 - suspicious 192.0.78.25 - mailcious 87.236.16.208 - mailcious
4 | ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers
2 | http://www.thegurusigavebirthto.com/mwev/ http://www.thegurusigavebirthto.com/mwev/
9.4 | 21 | ZeroCERT
14258 | 2021-10-29 09:43
fed.exe e574ad4af9b6fc033fdf0b54ca7bf014 | PWS Loki[b] Loki.m RAT Gen1 Gen2 Generic Malware Malicious Packer Malicious Library UPX Socket DNS Internet API HTTP KeyLogger ScreenShot Http API AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Ransomware Zeus Windows Browser Email ComputerName DNS Software
1 | http://45.133.1.13/xsaz/index.php
1 |
3 | ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE AZORult v3.3 Server Response M1 ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
18.0 | 23 | ZeroCERT
14259 | 2021-10-29 09:44
vx.exe b8b06e334cfa1e325851a840065b6aa1 | RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName
6 | http://www.mundodeplantasyjardineria.com/sl4w/?8pgTVrp0=Sz5F0hhTWuyLbGbdNo38kMXFARIiPeqFV1F4heNNKyhjPcCKin5OaBV6KiN8coe95ElLHQtU&BZO034=x4X4gd9xi http://www.thelittlebee.store/sl4w/?8pgTVrp0=pW5BymMniPuDIyN4h+/Cz1WSn7yQSodoDHF2TCguXWUv3BV+yCeJLr00BNyz4gz0G3lbCgUH&BZO034=x4X4gd9xi http://www.trustedfurnituretransport.net/sl4w/?8pgTVrp0=SU6djegnNokhXatHD0Zt/RgvM6Zh0SA/H/J8xjjIneGyQtz5eA+PvmJcxeEsuLxakaSqDUJr&BZO034=x4X4gd9xi - rule_id: 6984 http://www.trustedfurnituretransport.net/sl4w/?8pgTVrp0=SU6djegnNokhXatHD0Zt/RgvM6Zh0SA/H/J8xjjIneGyQtz5eA+PvmJcxeEsuLxakaSqDUJr&BZO034=x4X4gd9xi http://www.mdnnoeli.xyz/sl4w/?8pgTVrp0=BnibipHhyvNw3vhe0wol5AOubF0kupJ2VzFkU7RNVxyixZjYoFLSjqlJrzgQ4EYImPmVYZaY&BZO034=x4X4gd9xi http://www.ageddspa.xyz/sl4w/?8pgTVrp0=f46LrelELX9mofNZRi7HKbB3Rg7KLVb8n8zQ7/tWSKeE1yI39pJIaGNnJqKkvfeCu6od+paJ&BZO034=x4X4gd9xi
10 | www.thelittlebee.store(23.227.38.74) www.ageddspa.xyz(172.67.157.106) www.mdnnoeli.xyz(104.21.39.187) www.trustedfurnituretransport.net(202.124.241.178) www.mundodeplantasyjardineria.com(156.67.74.29) 104.21.39.187 172.67.157.106 156.67.74.29 202.124.241.178 - mailcious 23.227.38.74 - mailcious
2 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
1 | http://www.trustedfurnituretransport.net/sl4w/
8.4 | 35 | ZeroCERT
14260 | 2021-10-29 09:45
loader2.exe 25f27297055176dde7fb735ee70eaa8f | NSIS Generic Malware Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder
12 | http://www.canopuslector.com/o2go/?Dxlpd=ZAUpSgkpEDg8niFzuNKe6gEWnHhBWtidA2LwxNth08Qz4PbCXRD40C59E3bfaaHzXCIDtzc4&mnSh=TxlhkdU http://www.daybydayneeds.com/o2go/ http://www.fanaticscardgroup.com/o2go/ http://www.cfaatampa.com/o2go/ http://www.koltemp.com/o2go/?Dxlpd=d/I/y4E919y90/NgD6lGRdsG+efKLObNvHJeST29zYsXDGROtBHMrcb1ki8bN5CEtxKsUn6o&mnSh=TxlhkdU http://www.canopuslector.com/o2go/ http://www.expatriatecafe.com/o2go/ http://www.daybydayneeds.com/o2go/?Dxlpd=/FrPOgiDhDip/ySNZI8OLKS5OxIhXPdMrfM/1s/okw0wECr+nAKcZ38irIHgJAMCO3WjHnMc&mnSh=TxlhkdU http://www.cfaatampa.com/o2go/?Dxlpd=Pl/Ol+nOsw6/w/y+aU9P1RKojiUc7vyeNPaxTQPmfD352vP1/9QBqpNGE02dwnx78NU/bhk7&mnSh=TxlhkdU http://www.expatriatecafe.com/o2go/?Dxlpd=+cW4o3L1nfvEkkPOkZGTjQfjWekF/hM2MaTEXDdcC09Onuz+XEMDyox0luu0PClFcWinXzsf&mnSh=TxlhkdU http://www.fanaticscardgroup.com/o2go/?Dxlpd=8H0rDLcccfrSnzJo6xqaIh8cFRP5shFVfEo30ND+W3j0LJ9pYzmIPxBjjF03wuELOtv43EjU&mnSh=TxlhkdU http://www.koltemp.com/o2go/
22 | www.bizz-connects.com() www.diyetema.xyz() www.contactcenter9.email() www.beijingrongfeng.com(23.110.124.89) www.fanaticscardgroup.com(198.54.117.211) www.sanchalanprokashon.com() www.macadamangel.com() www.daewon-talks.net() www.helcarpostos.com() www.daybydayneeds.com(23.227.38.74) www.vezmnmnr.xyz() www.expatriatecafe.com(154.64.119.157) www.canopuslector.com(76.223.34.22) www.cfaatampa.com(34.80.190.141) www.koltemp.com(199.59.242.153) 34.80.190.141 - mailcious 23.110.124.89 199.59.242.153 - mailcious 198.54.117.216 - phishing 13.248.160.216 154.64.119.157 23.227.38.74 - mailcious
2 | ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP Unexpected Request body
7.0 | 25 | ZeroCERT
14261 | 2021-10-29 09:45
eo.exe fb0d1d127da05d102f94ef77ab205875 | PWS Loki[b] Loki.m RAT Generic Malware Socket DNS Internet API HTTP KeyLogger ScreenShot Http API AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Browser ComputerName DNS
1 | http://45.133.1.13/xsaz/index.php
1 |
1 | ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
9.6 | 17 | ZeroCERT
14262 | 2021-10-29 09:45
set.exe 4d1524f643dfdc491de426572a7d38e6 | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
1 | http://63.250.40.204/~wpdemo/file.php?search=719442 - rule_id: 6600
1 | 63.250.40.204 - mailcious
6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
1 | http://63.250.40.204/~wpdemo/file.php
11.4 | M | 31 | ZeroCERT
14263 | 2021-10-29 09:47
os.exe 95ba9d5a5cd05fec041a876e1e2b66b2 | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | 24 | ZeroCERT
14264 | 2021-10-29 09:48
xso.exe 257679d1ffeaa47dcea2491b13637e50 | RAT Generic Malware UPX AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName
3 | http://www.buildstarconst.com/sl4w/?6l8P=rWwJ7ET0sHd4gGkB9dVKIEIoJ+RqQrFmVMEdCyZm6skUMbIw/1NiBsgVzJPxFFkOUojtFvF6&mlvx=fZU8pTY0MT2trP http://www.roxytocin.art/sl4w/?6l8P=EubUdb3A3+v3zBAO2yMZszRUAX6MySP9IuHIW5t779IK3kZlpI6b33bDf1ILvDReab3Uu77l&mlvx=fZU8pTY0MT2trP http://www.getgoldwithmrsbest.com/sl4w/?6l8P=1JDKyruM/74jwNm/2X+0t2d5cjjeO1YF2ZZr07xm6iLte28LljOvl4p69ACcbMMjDgnwMGvg&mlvx=fZU8pTY0MT2trP
7 | www.roxytocin.art(198.54.117.210) www.getgoldwithmrsbest.com(198.54.117.215) www.buildstarconst.com(66.96.162.129) www.susu521.com() 198.54.117.211 - phishing 66.96.162.129 198.54.117.216 - phishing
1 | ET MALWARE FormBook CnC Checkin (GET)
8.2 | 22 | ZeroCERT
14265 | 2021-10-29 09:53
Declaration of Asset.pdf.lnk 47fe3905ba9f09a7b2d4fee3981e9f87 | NPKI Generic Malware AntiDebug AntiVM GIF Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process AntiVM_Disk VM Disk Size Check Tofsee Interception DNS
2 | http://apps.identrust.com/roots/dstrootcax3.p7c https://ministryofinterior.fileserve.work/189/1/431/2/0/0/1817120272/n6hq7TuwvcKAP8AQky5iyUDRHxTFwXg9RNVSr5Qd/files-ea38b848/hta
4 | apps.identrust.com(23.216.159.9) ministryofinterior.fileserve.work(155.94.160.234) 155.94.160.234 121.254.136.57
2 | ET INFO Observed DNS Query to .work TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | ZeroCERT