14401 | 2021-11-02 11:11
file.exe 3139e939a60a693862671d6b13741d3b Gen2 Formbook Generic Malware Malicious Library UPX PE File OS Processor Check PE32 MSOffice File JPEG Format VirusTotal Malware unpack itself Windows utilities suspicious process AppData folder WriteConsoleW anti-virtualization Ransomware Windows
5.4 | 20 | ZeroCERT
14402 | 2021-11-02 11:13
vbc.exe 1bec7dd801cc1a898a1b345a192fb11f RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed
1 | http://apps.identrust.com/roots/dstrootcax3.p7c
4 | textbin.net(51.79.99.124) apps.identrust.com(119.207.65.153) 173.223.227.8 51.79.99.124
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | 25 | ZeroCERT
14403 | 2021-11-02 11:14
sefile.exe 64ffcd32bd5f7bbb7e456971e828b828 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | 28 | ZeroCERT
14404 | 2021-11-02 11:19
ConsoleApp9.exe 6be4cc72830abef3c36f9d7057e2f6c9 PWS Loki[b] Loki.m RAT .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName
1 | http://apps.identrust.com/roots/dstrootcax3.p7c
5 | apps.identrust.com(119.207.64.152) store2.gofile.io(31.14.69.10) - mailcious 173.223.227.8 31.14.69.10 - mailcious 173.223.227.33
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 | 45 | ZeroCERT
14405 | 2021-11-02 11:21
sqlservr.exe 8d412219be6c58284aa44787863e29cc PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
1 | 63.250.40.204 - mailcious
12.6 | 28 | ZeroCERT
14406 | 2021-11-02 11:21
vcredist_2010.exe b118cd4261d84677a25e74b02aee6b5d RAT PWS .NET framework Gen2 Gen1 Emotet Generic Malware NSIS Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Processor Check DLL .NET DLL MSOffice File GIF Format PE64 PNG Format VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Auto service Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Browser ComputerName DNS
16 | http://113.212.88.60/Vv/1/WinPcap_4_1_3.exe http://113.212.88.60/Vv/1/PcapDotNet.Core.Extensions_64.dll http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl http://113.212.88.60/Vv/resource.json http://113.212.88.60/Vv/1/RuntimeBrokerBin_64.zip http://113.212.88.60:88/log http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl http://113.212.88.60/Vv/1/vcredist_2010_x64.exe http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl http://113.212.88.60/Vv/1/PcapDotNet.Packets_64.dll http://113.212.88.60/Vv/1/PcapDotNet.Analysis_64.dll http://113.212.88.60/Vv/1/RuntimeBroker_64.zip http://113.212.88.60/Vv/1/PcapDotNet.Core_64.dll http://113.212.88.60/Vv/1/PcapDotNet.Base_64.dll http://113.212.88.60/Vv/1/vcredist_2013_x64.exe http://113.212.88.60/Vv/1/process.json
2 | 121.254.136.19 113.212.88.60
6 | ET INFO Dotted Quad Host ZIP Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request
13.6 | 37 | ZeroCERT
14407 | 2021-11-02 11:34
SETUP_A.EXE 13fca45aea601df76b11c719c5425633 Generic Malware Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware AutoRuns PDB Check memory Creates executable files ICMP traffic Windows utilities Disables Windows Security suspicious process AppData folder sandbox evasion Windows Remote Code Execution
1 | http://spgamea.kr/DOWN/AAAA.exe
2 | spgamea.kr(1.234.82.84) 1.234.82.84
1 | ET POLICY PE EXE or DLL Windows file download HTTP
8.4 | 32 | ZeroCERT
14408 | 2021-11-02 11:37
sodomy.exe 82cf57370e124c4813d271a271b602e3 Gen1 Gen2 Themida Packer Generic Malware Malicious Library UPX Anti_VM Malicious Packer PE File PE32 DLL PE64 VirusTotal Malware Check memory Creates executable files unpack itself Checks Bios Detects VMWare AppData folder VMware anti-virtualization Windows Firmware crashed
6.6 | 28 | ZeroCERT
14409 | 2021-11-02 11:38
pub3.exe 220979c6ad45de9d933fc57a73840204 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | 21 | ZeroCERT
14410 | 2021-11-02 11:38
vcredist.exe 28c5f954cd8979fb6edb52d086d38a25 RAT PWS .NET framework Gen2 Gen1 Emotet Generic Malware NSIS Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Processor Check DLL .NET DLL MSOffice File GIF Format PE64 PNG Format Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Auto service Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Browser ComputerName DNS
16 | http://113.212.88.135/Vv/1/RuntimeBrokerBin_64.zip http://113.212.88.135:88/log http://113.212.88.135/Vv/1/PcapDotNet.Core_64.dll http://113.212.88.135/Vv/1/vcredist_2013_x64.exe http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl http://113.212.88.135/Vv/1/PcapDotNet.Packets_64.dll http://113.212.88.135/Vv/1/PcapDotNet.Base_64.dll http://113.212.88.135/Vv/resource.json http://113.212.88.135/Vv/1/PcapDotNet.Core.Extensions_64.dll http://113.212.88.135/Vv/1/WinPcap_4_1_3.exe http://113.212.88.135/Vv/1/PcapDotNet.Analysis_64.dll http://113.212.88.135/Vv/1/vcredist_2010_x64.exe http://113.212.88.135/Vv/1/process.json http://113.212.88.135/Vv/1/RuntimeBroker_64.zip http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
1 |
6 | ET INFO Dotted Quad Host ZIP Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request
13.2 | | ZeroCERT
14411 | 2021-11-02 11:38
vbc.exe 6536dd2dcc6e7e59e74988d69c565aab RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed
1 | http://apps.identrust.com/roots/dstrootcax3.p7c
4 | textbin.net(51.79.99.124) apps.identrust.com(119.207.65.9) 182.162.106.104 51.79.99.124
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.4 | 19 | ZeroCERT
14412 | 2021-11-02 11:40
xs.exe e9680f9e3f58e0e087d82243b07ce93b RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
1.8 | 22 | ZeroCERT
14413 | 2021-11-02 11:41
rfq_ref1006.exe 7f961b43a8fe1463d59a76c597bc86f1 Emotet RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 193.122.6.168 104.21.19.200
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
14.6 | 20 | ZeroCERT
14414 | 2021-11-02 11:42
RFQ_ref-020901006.exe 6666c938fcf95127577f91f01882cae6 Emotet RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(104.21.19.200) checkip.dyndns.org(132.226.247.73) 216.146.43.70 - suspicious 104.21.19.200
4 | ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.6 | 26 | ZeroCERT
14415 | 2021-11-02 11:43
sa.exe 9d1ce1bf77fa0c73721fbd73269fc24b RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName
3 | http://www.findallclass.com/sl4w/?oPqLWL=kCV/FIfZxfFmzJxKj7aZffhVdUOkEqgZ5bZHEs6N9QXUciE7SpQlAbnjoozDJB0YroPV18tp&Lv0h=ZVyXVbS8c http://www.theflourfactory.online/sl4w/?oPqLWL=a2oqy9nz6L5P4+5JZLs75vMiXmXKc4/fQL2IKL334cvENcHqkf3keYD41dhm701TqhPcfQ2d&Lv0h=ZVyXVbS8c http://www.ledbulb.xyz/sl4w/?oPqLWL=YcH+O3zr2j868bhr1Ddrrm/IdzhIudC82VthSc1bFxhN6LCPS13XVKD2pq8huN9Q4u7NE0re&Lv0h=ZVyXVbS8c
7 | www.frameyes.com() www.theflourfactory.online(203.170.80.250) www.ledbulb.xyz(64.190.62.111) www.findallclass.com(162.241.253.42) 64.190.62.111 - mailcious 203.170.80.250 - phishing 162.241.253.42
2 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
8.0 | 16 | ZeroCERT