Sandbox submissions 14296 to 14310 (2021-10-29 to 2021-11-01)

Columns: ID | date | filename | MD5 | score | flag | count | submitter
(the "flag" and "count" columns carry no heading on the source page; their values are reproduced as-is, "-" where empty)

14296 | 2021-10-29 18:33 | temp.dll | 388c3456276b8e6e9fa8a827c4f37a76 | 3.2 | - | 16 | ZeroCERT
  Tags: TA551 BazarLoader PE64 PE File DLL VirusTotal Malware Check memory ICMP traffic unpack itself Windows utilities Windows
  URLs: none
  Hosts: none
  Suricata alerts: none

14297 | 2021-10-29 18:35 | bypass.txt.ps1 | 529abb09970a8b6464375da0613893ea | 5.4 | - | 12 | ZeroCERT
  Tags: Generic Malware Antivirus VirusTotal Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key
  URLs (1):
    http://52.150.26.35/PE.txt
  Hosts (1): not listed on the page
  Suricata alerts (1):
    ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps

14298 | 2021-10-29 21:37 | temp.dll | 1788ff60c96f28ec0386a838edaa48fb | 2.0 | - | 2 | guest
  Tags: Malicious Library UPX PE64 PE File OS Processor Check DLL VirusTotal Malware unpack itself WriteConsoleW crashed
  URLs: none
  Hosts: none
  Suricata alerts: none

14299 | 2021-10-30 11:41 | nano6129.exe | 4c342f040ad8b94e4f814e1f62e488ed | 10.0 | - | 56 | ZeroCERT
  Tags: Generic Malware Malicious Packer PE File PE32 .NET EXE Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
  URLs: none
  Hosts (2):
    nanoboss.duckdns.org(23.102.1.5)
    23.102.1.5
  Suricata alerts (2):
    ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
    ET MALWARE Possible NanoCore C2 60B

14300 | 2021-10-30 11:44 | AsyncClient6121.exe | 4c2634725187d2ccebaaaf92b231a1f0 | 5.2 | - | 44 | ZeroCERT
  Tags: RAT PWS .NET framework Generic Malware task schedule Malicious Packer Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate privileges Downloader ScreenShot Http API P2P A Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware AutoRuns Code Injection Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS DDNS
  URLs: none
  Hosts (2):
    asyncspread.duckdns.org(23.102.1.5)
    23.102.1.5
  Suricata alerts (3):
    ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
    ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
    ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

14301 | 2021-10-30 11:46 | ClientDC.exe | 71d66e7e53e0341af65a1510d4c2eb63 | 2.6 | - | 42 | ZeroCERT
  Tags: RAT PWS .NET framework Generic Malware Malicious Packer Antivirus Malicious Library UPX PE File OS Processor Check PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself DNS
  URLs: none
  Hosts (1): not listed on the page
  Suricata alerts: none

14302 | 2021-10-30 12:03 | 0011.wbk | 6c4a4577b05acbeb2d7daecf27658d03 | 5.4 | M | 29 | ZeroCERT
  Tags: RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (25):
    http://www.mecasso.store/euzn/?GPJ=5V4tZ993so02mJc3sFQ1G2n5zFyOyfQP63UMvRPf7Sx02fgR5BEy180KOo1jDAfLNmzZkM90&oX=Txo8nZfpM8h4 - rule_id: 6998
    http://www.mecasso.store/euzn/?GPJ=5V4tZ993so02mJc3sFQ1G2n5zFyOyfQP63UMvRPf7Sx02fgR5BEy180KOo1jDAfLNmzZkM90&oX=Txo8nZfpM8h4
    http://www.jakital.com/euzn/
    http://103.171.0.220/0011/vbc.exe
    http://www.newbeautydk.com/euzn/
    http://www.chaoxy.com/euzn/?GPJ=p54zT/BC/x4SoLDl4CDH46eZzoug/1aAOGG+RO71GifqYqkWwddMiniK8tFlkYqJGNGj/CA6&oX=Txo8nZfpM8h4
    http://www.longshifa.online/euzn/?GPJ=uAv+hDNIaWKTJHmotFieJseyqVavRyN/hzmyr84dVQggb+iPx2yKvWnxBifTpegawz+9IKiJ&oX=Txo8nZfpM8h4
    http://www.longshifa.online/euzn/
    http://www.235296tyc.com/euzn/ - rule_id: 7003
    http://www.235296tyc.com/euzn/
    http://www.chezvitoria.com/euzn/
    http://www.newbeautydk.com/euzn/?GPJ=6sAauxhCLdP7c3t2Bq+0dcztdOu3qC96/c3RA+P4V1r5NX6fjKtAwrvy/oq5eYG/IMq0e3QV&oX=Txo8nZfpM8h4
    http://www.arceprojects.com/euzn/ - rule_id: 5431
    http://www.esd66.com/euzn/
    http://www.jakital.com/euzn/?GPJ=GUGPZqYkRSeqmYe7e5IS+Ei9iGFRID/i/07dgdYcr1Gx3jMum/GSR7RR4tExlRct2vCBg0O1&oX=Txo8nZfpM8h4
    http://www.arceprojects.com/euzn/?GPJ=YRXSBiSDQSCZhMMUR8bbHnyPN+rRNpjXZ/H6tz5eiGlkZ6MPFWs4UspiD2SvKhVY+KpYofGz&oX=Txo8nZfpM8h4 - rule_id: 5431
    http://www.mecasso.store/euzn/ - rule_id: 6998
    http://www.mecasso.store/euzn/
    http://www.aidenb.tech/euzn/
    http://www.chaoxy.com/euzn/
    http://www.aidenb.tech/euzn/?GPJ=1IX3VtbgCTbtlwCwA2UuwAMw7IFESF9lL1UJSvXyFA7beRMLnuzxa3L8x0fgk6lRopDxesZY&oX=Txo8nZfpM8h4
    http://www.esd66.com/euzn/?GPJ=IQD8yqUxjaKbmWvxY5YgKaEhD1SzG9nYqUof4YAZsyxYzAzp9zRFmOd/JMKDibdr94YK0rFj&oX=Txo8nZfpM8h4
    http://www.235296tyc.com/euzn/?GPJ=qPG280hY3bVwFWYgPYUPmF0yLOv8ZOX3N77VjzujjWFTLW7L05+D5h5Mp3mfBnzq5vwwDWs5&oX=Txo8nZfpM8h4 - rule_id: 7003
    http://www.235296tyc.com/euzn/?GPJ=qPG280hY3bVwFWYgPYUPmF0yLOv8ZOX3N77VjzujjWFTLW7L05+D5h5Mp3mfBnzq5vwwDWs5&oX=Txo8nZfpM8h4
    http://www.chezvitoria.com/euzn/?GPJ=GKdzzMH8ErMYBxlRei+3JyrXRgQOuFc7CB7CFsqySz81sLyYG5Fwl1ZfLnJdq0KjlXe5fq5T&oX=Txo8nZfpM8h4
  Hosts (22):
    www.chaoxy.com(211.149.163.114)
    www.esd66.com(139.162.127.18)
    www.aidenb.tech(156.67.72.160)
    www.jakital.com(3.223.115.185)
    www.arceprojects.com(217.160.0.187)
    www.hgaffiliates.net()
    www.longshifa.online(108.179.232.90)
    www.newbeautydk.com(23.227.38.74)
    www.chezvitoria.com(34.102.136.180)
    www.mecasso.store(3.33.152.147)
    www.235296tyc.com(172.67.187.226)
    103.171.0.220
    108.179.232.90 - malicious
    156.67.72.160
    15.197.142.173
    34.102.136.180 - malicious
    211.149.163.114
    139.162.127.18
    3.223.115.185 - malicious
    217.160.0.187 - malicious
    23.227.38.74 - malicious
    172.67.187.226
  Suricata alerts (7):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  URLs matched by a rule (6):
    http://www.mecasso.store/euzn/
    http://www.235296tyc.com/euzn/
    http://www.arceprojects.com/euzn/
    http://www.arceprojects.com/euzn/
    http://www.mecasso.store/euzn/
    http://www.235296tyc.com/euzn/

14303 | 2021-10-30 12:05 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 8.4 | - | 22 | ZeroCERT
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
  URLs (22):
    http://www.longshifa.online/euzn/?Urth=uAv+hDNIaWKTJHmotFieJseyqVavRyN/hzmyr84dVQggb+iPx2yKvWnxBifTpegawz+9IKiJ&R2Jl9Z=JR-Pylih38z8
    http://www.longshifa.online/euzn/
    http://www.hrtaro.com/euzn/?Urth=+YfQRi9G+OJ9foaealRkr8LisM1crxi2VOPn4pm0QzAMut2NXQSv7KOAA77xRrkGBn/uu5YB&R2Jl9Z=JR-Pylih38z8
    http://www.yourotcs.com/euzn/
    http://www.heser.net/euzn/?Urth=3YIIvuVMPod2ghyVzlrVbDIKpMNjGC1jVshcE/xay47UBDuWohiRTIe7T0ywrtH6KgyQLQcn&R2Jl9Z=JR-Pylih38z8 - rule_id: 7002
    http://www.heser.net/euzn/?Urth=3YIIvuVMPod2ghyVzlrVbDIKpMNjGC1jVshcE/xay47UBDuWohiRTIe7T0ywrtH6KgyQLQcn&R2Jl9Z=JR-Pylih38z8
    http://www.mecasso.store/euzn/?Urth=5V4tZ993so02mJc3sFQ1G2n5zFyOyfQP63UMvRPf7Sx02fgR5BEy180KOo1jDAfLNmzZkM90&R2Jl9Z=JR-Pylih38z8 - rule_id: 6998
    http://www.mecasso.store/euzn/?Urth=5V4tZ993so02mJc3sFQ1G2n5zFyOyfQP63UMvRPf7Sx02fgR5BEy180KOo1jDAfLNmzZkM90&R2Jl9Z=JR-Pylih38z8
    http://www.mirai-energy.com/euzn/
    http://www.mirai-energy.com/euzn/?Urth=+5dot/Um/aCw9VRcqHMkvSpgRj3TUDBdyqjJB+g9c7BNuG3ZT163ETXRjJvbKjSKvOHW+POd&R2Jl9Z=JR-Pylih38z8
    http://www.hrtaro.com/euzn/
    http://www.mecasso.store/euzn/ - rule_id: 6998
    http://www.mecasso.store/euzn/
    http://www.webtiyan.com/euzn/
    http://www.webtiyan.com/euzn/?Urth=M/fuIQwK/ZOUk1ha5jOAEPH6Fi1UC0+LMnfjVDCh9LdHL89/7JzIvaFyxwOx9tG+xgqAWMBk&R2Jl9Z=JR-Pylih38z8
    http://www.heser.net/euzn/ - rule_id: 7002
    http://www.heser.net/euzn/
    http://www.pepeavatar.com/euzn/ - rule_id: 7001
    http://www.pepeavatar.com/euzn/
    http://www.pepeavatar.com/euzn/?Urth=c52/idsZybo5+++XEfR74GyO3sFn94uB9Bi9sGgwmuYdSzcMkVUF1vuwnR+zyHyG1b/8nRaD&R2Jl9Z=JR-Pylih38z8 - rule_id: 7001
    http://www.pepeavatar.com/euzn/?Urth=c52/idsZybo5+++XEfR74GyO3sFn94uB9Bi9sGgwmuYdSzcMkVUF1vuwnR+zyHyG1b/8nRaD&R2Jl9Z=JR-Pylih38z8
    http://www.yourotcs.com/euzn/?Urth=Jq5AABYltJgia4nxN4nPQwsgHB5GKQbjMY80BC1dCGLaE2JFWzpybbqNbVech2C1JzELhHSE&R2Jl9Z=JR-Pylih38z8
  Hosts (17):
    www.heser.net(142.250.196.115)
    www.pepeavatar.com(3.64.163.50)
    www.mirai-energy.com(185.146.22.238)
    www.hgaffiliates.net()
    www.webtiyan.com(89.42.211.109)
    www.longshifa.online(108.179.232.90)
    www.mecasso.store(3.33.152.147)
    www.yourotcs.com(208.91.197.27)
    www.hrtaro.com(150.95.255.38)
    185.146.22.238
    108.179.232.90 - malicious
    89.42.211.109 - malicious
    15.197.142.173
    208.91.197.27 - malicious
    150.95.255.38 - malicious
    3.64.163.50 - malicious
    142.250.66.83
  Suricata alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  URLs matched by a rule (6):
    http://www.heser.net/euzn/
    http://www.mecasso.store/euzn/
    http://www.mecasso.store/euzn/
    http://www.heser.net/euzn/
    http://www.pepeavatar.com/euzn/
    http://www.pepeavatar.com/euzn/

14304 | 2021-10-30 14:56 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 7.2 | - | 22 | guest
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
  URLs: none
  Hosts: none
  Suricata alerts: none

14305 | 2021-11-01 09:14 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 7.2 | - | 22 | guest
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
  URLs: none
  Hosts: none
  Suricata alerts: none

14306 | 2021-11-01 09:18 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 7.2 | - | 22 | guest
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
  URLs: none
  Hosts: none
  Suricata alerts: none

14307 | 2021-11-01 09:24 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 8.2 | - | 22 | guest
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
  URLs: none
  Hosts: none
  Suricata alerts: none

14308 | 2021-11-01 09:43 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 7.2 | - | 22 | guest
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
  URLs: none
  Hosts: none
  Suricata alerts: none

14309 | 2021-11-01 09:48 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 7.2 | - | 22 | guest
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
  URLs: none
  Hosts: none
  Suricata alerts: none

14310 | 2021-11-01 09:52 | vbc.exe | 1463a8e3cbd8b63c709495a91ff95506 | 7.2 | - | 22 | guest
  Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
  URLs: none
  Hosts: none
  Suricata alerts: none
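The URL, host and alert columns of a listing like this are free text that an analyst usually has to turn into a clean IOC set by hand. The following Python is an added example written for this page, not the sandbox's own exporter: it parses the two record shapes seen above (the FormBook document 14302 and the NanoCore sample 14299, both trimmed and embedded as constructed input), separates resolved domains from bare IPs, keeps the sandbox's "- malicious" and "rule_id" annotations, splits the run-together Suricata alert names, and defangs the result for pasting into a ticket. The field names, the "name(ip)" host convention and the FormBook check-in URL heuristic (a short lowercase path segment plus two query parameters, the first a long base64-like blob) are assumptions read off the records on this page rather than a documented format or the ET signature logic.

```python
"""Normalise free-text sandbox IOC columns into a deduplicated, defanged record.

Added example for this page, not the sandbox's own code. Assumed input shape
(hypothetical, derived from the records above): hosts are 'name(ip)' or bare
IPs, optionally followed by '- malicious'; URLs may carry '- rule_id: N';
alerts run together as 'ET CATEGORY description ET CATEGORY description'.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
DOMAIN_RE = re.compile(r"([A-Za-z0-9.-]+\.[A-Za-z]{2,})\(([\d.]*)\)")
# A bare IPv4 (not the one inside 'name(ip)') and its optional '- malicious' mark.
IP_RE = re.compile(r"(?<![\w.(])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])(\s+-\s+malicious)?")
ALERT_RE = re.compile(r"ET [A-Z0-9_]+ .*?(?= ET [A-Z0-9_]+ |$)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample input: records 14302 and 14299 from this page, trimmed.
SAMPLE_RECORDS = [
    {
        "id": 14302, "file": "0011.wbk", "md5": "6c4a4577b05acbeb2d7daecf27658d03",
        "urls": "http://www.mecasso.store/euzn/?GPJ=5V4tZ993so02mJc3sFQ1G2n5zFyOyfQP63UMvRPf7Sx02fgR5BEy180KOo1jDAfLNmzZkM90&oX=Txo8nZfpM8h4 - rule_id: 6998 "
                "http://www.jakital.com/euzn/ http://103.171.0.220/0011/vbc.exe "
                "http://www.235296tyc.com/euzn/ - rule_id: 7003",
        "hosts": "www.jakital.com(3.223.115.185) www.hgaffiliates.net() "
                 "www.mecasso.store(3.33.152.147) 103.171.0.220 3.223.115.185 - malicious",
        "alerts": "ET MALWARE FormBook CnC Checkin (GET) ET INFO Executable Download from dotted-quad Host",
    },
    {
        "id": 14299, "file": "nano6129.exe", "md5": "4c342f040ad8b94e4f814e1f62e488ed",
        "urls": "",
        "hosts": "nanoboss.duckdns.org(23.102.1.5) 23.102.1.5",
        "alerts": "ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET MALWARE Possible NanoCore C2 60B",
    },
]


def parse_urls(text):
    """Return [{'url': ..., 'rule_id': int|None}] in page order."""
    return [{"url": u, "rule_id": int(r) if r else None} for u, r in URL_RE.findall(text)]


def parse_hosts(text):
    """Return (domain -> resolved ip or None, ip -> flagged malicious?)."""
    domains = {d: (ip or None) for d, ip in DOMAIN_RE.findall(text)}
    ips = {}
    for ip, flag in IP_RE.findall(text):
        ips[ip] = ips.get(ip, False) or bool(flag)
    for ip in domains.values():
        if ip:
            ips.setdefault(ip, False)
    return domains, ips


def is_formbook_checkin(url):
    """Heuristic from the check-in URLs on this page (an assumption, not the ET rule):
    short lowercase path segment, exactly two query params, first one a long blob."""
    parts = urlsplit(url)
    if not re.fullmatch(r"/[a-z0-9]{3,8}/", parts.path):
        return False
    params = [p.split("=", 1) for p in parts.query.split("&")]
    if len(params) != 2 or any(len(p) != 2 for p in params):
        return False
    (_, blob), (_, tag) = params
    return bool(re.fullmatch(r"[A-Za-z0-9+/]{40,}", blob)
                and re.fullmatch(r"[A-Za-z0-9_-]{4,32}", tag))


def extract_iocs(record):
    """Merge the URL and host columns into one deduplicated IOC record."""
    urls = parse_urls(record["urls"])
    domains, ips = parse_hosts(record["hosts"])
    for entry in urls:  # URL hosts the host column may not list
        host = urlsplit(entry["url"]).hostname
        if IPV4_RE.fullmatch(host):
            ips.setdefault(host, False)
        else:
            domains.setdefault(host, None)
    return {
        "id": record["id"],
        "md5": record["md5"],
        "domains": sorted(domains),
        "ips": sorted(ips, key=lambda s: tuple(map(int, s.split(".")))),
        "malicious_ips": sorted(ip for ip, bad in ips.items() if bad),
        "payload_urls": [e["url"] for e in urls
                         if urlsplit(e["url"]).path.lower().endswith((".exe", ".dll"))],
        "c2_checkins": [e["url"] for e in urls if is_formbook_checkin(e["url"])],
        "rule_ids": sorted({e["rule_id"] for e in urls if e["rule_id"]}),
        "alerts": ALERT_RE.findall(record["alerts"]),
        "uses_ddns": any(d.endswith(".duckdns.org") for d in domains),
    }


def defang(iocs):
    """Copy of an IOC record with hxxp:// and [.] so it cannot be clicked."""
    host = lambda h: h.replace(".", "[.]")
    url = lambda u: u.replace(urlsplit(u).netloc, host(urlsplit(u).netloc), 1).replace("http", "hxxp", 1)
    out = dict(iocs)
    out["domains"] = [host(d) for d in iocs["domains"]]
    out["ips"] = [host(i) for i in iocs["ips"]]
    out["malicious_ips"] = [host(i) for i in iocs["malicious_ips"]]
    out["payload_urls"] = [url(u) for u in iocs["payload_urls"]]
    out["c2_checkins"] = [url(u) for u in iocs["c2_checkins"]]
    return out


if __name__ == "__main__":
    import json
    for rec in SAMPLE_RECORDS:
        print(json.dumps(defang(extract_iocs(rec)), indent=2))
```

Two design points worth noting. The bare-IP regex deliberately refuses to match inside the parentheses of a "name(ip)" entry, so an address is only counted as "malicious" when the sandbox flagged the bare IP, and the resolved IPs are merged in afterwards; and the query string is split by hand rather than with parse_qsl, because the check-in blobs contain "+" characters that a form decoder would silently turn into spaces. Records that share a C2 address, such as 14299 and 14300 both resolving their duckdns names to the same IP, show up as duplicate entries in the "ips" list across records and are easy to pivot on once the records are in this shape.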