14266 |
2021-10-29 09:53
loader1.exe d2664cef24240dc8eb16f39c37228757 NSIS Generic Malware Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder suspicious TLD DNS |
26
27
5
ET MALWARE FormBook CnC Checkin (GET) ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Request to .XYZ Domain with Minimal Headers
6.8 |
30 |
ZeroCERT
14267 |
2021-10-29 09:54
FiCas AG Job Description.lnk 3c324706e3bae0b7187b134a813011cb Generic Malware Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting Check virtual network interfaces suspicious process malicious URLs Tofsee Interception |
2
http://apps.identrust.com/roots/dstrootcax3.p7c https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=
4
note.onedocshare.com(149.28.162.113) apps.identrust.com(23.216.159.81) 149.28.162.113 - mailcious 23.65.188.19
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 |
20 |
ZeroCERT
14268 |
2021-10-29 09:56
InvoicePO102Indexparamout.exe 1ed03bf8277e77c921aaba41343b9368 RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
7.6 |
19 |
ZeroCERT
14269 |
2021-10-29 10:02
temp.dll cd3e23cddeb92b7397eaf960da34c237 PE64 PE File DLL VirusTotal Malware Check memory ICMP traffic unpack itself Windows utilities WriteConsoleW Windows |
3.4 |
12 |
ZeroCERT
14270 |
2021-10-29 10:04
SilentClient.exe 2b0d06e1d3523e021ae6df87589d564c Generic Malware Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware DNS |
1
3.0 |
45 |
ZeroCERT
14271 |
2021-10-29 10:08
temp.dll 1788ff60c96f28ec0386a838edaa48fb Malicious Library UPX PE64 PE File OS Processor Check DLL VirusTotal Malware unpack itself |
1.0 |
2 |
ZeroCERT
14272 |
2021-10-29 10:10
hta.hta d12cde9ca145f75251c08af9cef0b7f3 NPKI AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed |
4.2 |
1 |
ZeroCERT
14273 |
2021-10-29 10:50
hta.hta d12cde9ca145f75251c08af9cef0b7f3 NPKI AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 |
1 |
ZeroCERT
14274 |
2021-10-29 11:04
stash-266322727.xls 6ad4c6c9e7f2a68596dc2c7cc7af10a8 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
https://ini-ippatmajalengka.com/9dv886HWC/l.html
https://merwedding.com.tr/vckdH4zr1/l.html
https://prestigeldnservices.co.uk/71RgP1QoL/l.html
6
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
3.6 |
guest
14275 |
2021-10-29 11:06
stash-266976238.xls 9c6aa1a04e32f40f6f0c0206a5f9a0b1 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
https://ini-ippatmajalengka.com/9dv886HWC/l.html
https://merwedding.com.tr/vckdH4zr1/l.html
https://prestigeldnservices.co.uk/71RgP1QoL/l.html
6
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
3.6 |
guest
14276 |
2021-10-29 14:16
pop-up_excel_calendar_setup.ex... aa1966419284a4a503c101bd7db7a2a0 RAT PWS .NET framework Gen1 Generic Malware Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 .NET EXE PE64 DLL GIF Format VirusTotal Malware MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Browser ComputerName |
7.0 |
3 |
guest
14277 |
2021-10-29 15:03
temp.dll cd3e23cddeb92b7397eaf960da34c237 TA551 BazarLoader PE64 PE File DLL VirusTotal Malware Check memory ICMP traffic unpack itself Windows utilities WriteConsoleW Windows |
3.4 |
14 |
r0d
14278 |
2021-10-29 16:40
23410028317313.tgz 00ec9a97b93697a509ef1123e0b5704c VirusTotal Malware |
0.6 |
11 |
guest
14279 |
2021-10-29 16:53
23410028317313.exe f6b2bced4580a167eae96eb2c8501670 RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
9.8 |
20 |
guest
14280 |
2021-10-29 17:50
.csrss.exe c2c509a61a1d811d29ade6067e54c011 PWS Loki[b] Loki.m RAT Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://secure01-redirect.net/ga14/fre.php
1
secure01-redirect.net(94.142.141.221)
12.2 |
14 |
ZeroCERT