#14341 | 2021-11-01 11:02
Sample: rollerkind2.exe
MD5: f066b1dcc3c84091ecd2ad23e9c10d3a
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself DNS
URLs: none
Hosts: none
IDS alerts: none
Score: 3.0 | 41 | ZeroCERT
#14342 | 2021-11-01 11:03
Sample: 8903MBACK.exe
MD5: 0b4726d9561f5205802edfac4b88cc3f
Tags: Generic Malware Malicious Packer PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself human activity check Windows ComputerName DNS DDNS
URLs: none
Hosts (2):
  mback5338.duckdns.org(103.151.123.194)
  103.151.123.194
IDS alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 7.4 | 60 | ZeroCERT
#14343 | 2021-11-01 11:04
Sample: 7632KL.exe
MD5: 91639b335d38504c8bb1771dbd2b98ae
Tags: Generic Malware Malicious Packer PE File PE32 .NET EXE Malware download Nanocore VirusTotal Malware c&c Buffer PE suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself human activity check Windows ComputerName DNS DDNS
URLs: none
Hosts (2):
  justinalwhitedd554.duckdns.org(185.228.19.147)
  185.228.19.147
IDS alerts (2):
  ET MALWARE Possible NanoCore C2 60B
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 7.4 | 55 | ZeroCERT
#14344 | 2021-11-01 11:06
Sample: Netwire_prevent.exe
MD5: a4a8a89ce20e6f60d67140336e0a53cc
Tags: AgentTesla NetWire RAT email stealer browser info stealer Google Chrome User Data Malicious Library UPX Socket DNS KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder DNS DDNS
URLs: none
Hosts (3):
  nwire733.duckdns.org(185.228.19.147)
  103.151.123.194
  185.228.19.147
IDS alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 7.4 | 56 | ZeroCERT
#14345 | 2021-11-01 11:06
Sample: 7632.exe
MD5: 40b8eb513d3b5150daa1f62be7e10b64
Tags: Generic Malware Malicious Packer PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself human activity check Windows ComputerName DNS DDNS
URLs: none
Hosts (3):
  mback5338.duckdns.org(103.151.123.194)
  103.151.123.194
  185.228.19.147
IDS alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 9.0 | 59 | ZeroCERT
#14346 | 2021-11-01 11:08
Sample: obizx.exe
MD5: 29d0ed1ca60e07577f03d4a17b598d67
Tags: Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed
URLs (1):
  https://cdn.discordapp.com/attachments/903211351529381901/903590250696286218/Psijmezhywzuigxndupjupuuxltarmp
Hosts (2):
  cdn.discordapp.com(162.159.130.233) - malware
  162.159.129.233 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.2 | 13 | ZeroCERT
#14347 | 2021-11-01 11:08
Sample: invoice_0098330000.wbk
MD5: 088e80a24debb252fdf1355384bfab8e
Tags: RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
URLs (1):
  http://192.227.228.38/0014/vbc.exe
Hosts (2):
  99.86.207.50
  192.227.228.38
IDS alerts (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.6 | 37 | ZeroCERT
#14348 | 2021-11-01 11:10
Sample: clapp.exe
MD5: 41160c159e96fe0d09c15781bd7584c4
Tags: Malicious Library UPX AntiDebug AntiVM PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key crashed
URLs: none
Hosts (1):
  185.215.113.29 - malicious
IDS alerts (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
Score: 10.8 | 32 | ZeroCERT
#14349 | 2021-11-01 11:11
Sample: willams.exe
MD5: ecfb81ad00696938f4107bb963706e40
Tags: RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
URLs: none
Hosts: none
IDS alerts: none
Score: 11.2 | 42 | ZeroCERT
#14350 | 2021-11-01 11:14
Sample: updateadmin2.bat
MD5: 8a8a26331aea7126ede07c9988343045
Tags: Generic Malware Antivirus Malicious Packer Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate privileges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE64 PE File Malware download Cobalt Strike Cobalt VirusTotal Malware c&c powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (4):
  http://108.62.12.61/home2
  http://108.62.12.61:99/home
  http://194.5.212.190/load/trendmicro2.dll
  http://108.62.12.61:99/jquery-3.3.1.min.js
Hosts (3):
  nutsstats.com()
  108.62.12.61
  194.5.212.190
IDS alerts (6):
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
  ET MALWARE Cobalt Strike Beacon Activity (GET)
  ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
Score: 10.0 | 16 | ZeroCERT
#14351 | 2021-11-01 11:15
Sample: LuminarAI.exe
MD5: 7f9ea44699d6223da7f2534cfb3337d8
Tags: Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware DNS
URLs: none
Hosts (1):
  162.159.129.233 - malware
IDS alerts: none
Score: 1.2 | 19 | ZeroCERT
#14352 | 2021-11-01 11:15
Sample: invc_0004500005000.wbk
MD5: 95b2667f1a1f47ebb18aeccc1a229443
Tags: RTF File doc VirusTotal Malware buffers extracted RWX flags setting
URLs: none
Hosts: none
IDS alerts: none
Score: 2.6 | 34 | ZeroCERT
#14353 | 2021-11-01 11:17
Sample: askinstall60.exe
MD5: 3d3d006726a944136a63820c48a81ee5
Tags: Gen2 Trojan_PWS_Stealer Credential User Data Generic Malware Malicious Packer Malicious Library SQLite Cookie UPX PE File OS Processor Check PE32 PNG Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files ICMP traffic exploit crash Windows utilities suspicious process WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
URLs (4):
  http://www.jjnices.top/Home/Index/lkdinl
  http://www.iyiqian.com/ - rule_id: 2326
  https://iplogger.org/1mxKf7
  https://www.listincode.com/ - rule_id: 2327
Hosts (8):
  www.listincode.com(149.28.253.196) - malicious
  www.jjnices.top(91.210.171.115)
  www.iyiqian.com(103.155.92.58) - malicious
  iplogger.org(88.99.66.31) - malicious
  149.28.253.196
  103.155.92.58 - malicious
  88.99.66.31 - malicious
  91.210.171.115
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
URLs matched by rules (2):
  http://www.iyiqian.com/
  https://www.listincode.com/
Score: 10.0 | M | 42 | ZeroCERT
#14354 | 2021-11-01 11:25
Sample: askinstall25.exe
MD5: 867f1890d45a83e6c39f629212f52949
Tags: AgentTesla Gen2 Trojan_PWS_Stealer BitCoin browser info stealer Credential User Data Generic Malware Google Chrome Malicious Packer Malicious Library SQLite Cookie UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger WMI Creates executable files ICMP traffic exploit crash unpack itself Windows utilities suspicious process malicious URLs suspicious TLD WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
URLs (4):
  http://www.jjnices.top/Home/Index/lkdinl
  http://www.iyiqian.com/ - rule_id: 2326
  https://iplogger.org/1b4887
  https://www.listincode.com/ - rule_id: 2327
Hosts (8):
  www.listincode.com(149.28.253.196) - malicious
  www.jjnices.top(91.210.171.115)
  www.iyiqian.com(103.155.92.58) - malicious
  iplogger.org(88.99.66.31) - malicious
  149.28.253.196
  103.155.92.58 - malicious
  88.99.66.31 - malicious
  91.210.171.115
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
URLs matched by rules (2):
  http://www.iyiqian.com/
  https://www.listincode.com/
Score: 12.0 | M | 40 | ZeroCERT
#14355 | 2021-11-01 11:25
Sample: Mira_PS.exe
MD5: d31c7d2c2cfa9b2baced699c04a00107
Tags: Gen2 Gen1 RAT Emotet PWS .NET framework Formbook NPKI Schwerer Generic Malware UPX Antivirus Malicious Packer Malicious Library ASPack Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 GIF Format DLL MSOffice File PE64 PNG Format .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Tofsee Ransomware Windows ComputerName Cryptographic key
URLs (2):
  https://iplogger.org/1kF3u7
  https://files.catbox.moe/amw1cy.zip
Hosts (4):
  files.catbox.moe(107.160.74.131) - malware
  iplogger.org(88.99.66.31) - malicious
  88.99.66.31 - malicious
  107.160.74.131 - malware
IDS alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.6 | 29 | ZeroCERT