14416 | 2021-11-02 11:44 | .vbc.exe 6117ec91b644303e86e5a9db8c6d9eea NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Emotet VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder | 4.2 | 20 | ZeroCERT
14417 | 2021-11-02 11:45 | AAAA.exe 353bbe59184e2235c71991c24de394d9 Generic Malware Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 VirusTotal Malware Check memory unpack itself ComputerName DNS | 1 | 2.6 | 17 | ZeroCERT
14418 | 2021-11-02 11:46 | 23.exe e7287d94a2212da20e7e574102851645 Generic Malware PE64 PE File VirusTotal Malware | 1.2 | 28 | ZeroCERT
14419 | 2021-11-02 11:47 | RFQ_ref-02090100233.exe cbf1876a063270b217a80812e315aec3 Emotet RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows ComputerName DNS DDNS | 1 http://checkip.dyndns.org/ | 3 checkip.dyndns.org(216.146.43.70) 193.122.130.0 104.21.19.200 | 2 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org | 11.8 | 31 | ZeroCERT
14420 | 2021-11-02 11:49 | ov.exe 9c87428041d39d0be69711fa64cb4035 PWS Loki[b] Loki.m RAT Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software | 1 http://195.133.18.192/oxsxo/fre.php | 2 195.133.18.192 104.21.19.200 | 7 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response | 13.4 | 13 | ZeroCERT
14421 | 2021-11-02 11:49 | Softw75TradingB27534.exe 58ecff4987136b922cc6d1dc523fd6d9 RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Tofsee | 3 http://apps.identrust.com/roots/dstrootcax3.p7c https://iplogger.org/1kZCu7 https://iplogger.org/1kLCu7 | 7 apps.identrust.com(119.207.65.19) iplogger.org(88.99.66.31) - mailcious my-all-group.bar(104.21.95.21) whealclothing.xyz() 61.111.58.34 - malware 88.99.66.31 - mailcious 172.67.169.45 | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 4.8 | 22 | ZeroCERT
14422 | 2021-11-02 11:51 | maxfile.exe ed2ccc5a265e2b2ba9faf326349ce58e NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder Windows | 3 http://www.ximmgepn.xyz/dyh6/?FF=m7mJBtGCnG5TVc4ReSyQMy3V1N6/PuooX2bCSHJ2SWOIS/9VaOV1f0BewfqRdnYc7h+DW27G&llsp=fTRHzt4hzn4XCf http://www.kathleenmock.net/dyh6/?FF=veXVV/uO8eWr4vGl5Lx83Gc/HQMwKmi+0wt1MNsVBzL0bCXgx5AM9CNKvNHpO1tgXHV/L8ov&llsp=fTRHzt4hzn4XCf http://www.anaxita.com/dyh6/?FF=e1sV4iIAm3W+2fgt/yVAOOjF2UsGa3xT/dFBxHCILvFkdpke+8w/hijfuvnxAUXgv57PQqkt&llsp=fTRHzt4hzn4XCf | 7 www.kathleenmock.net(208.91.197.39) www.anaxita.com(209.99.40.222) www.ximmgepn.xyz(104.21.83.83) www.viral22.com() 208.91.197.39 - mailcious 172.67.218.59 209.99.40.222 - mailcious | 2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers | 7.0 | 21 | ZeroCERT
14423 | 2021-11-02 12:16 | rundll32.exe 2515726e608312c9ad0c845e53f0499c RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows | 6 http://www.sanlifalan.com/fqiq/?af-8_FRh=prTEVkQv/aIuaJ5tknUsCYHPcHrUQSHWro/2zNHeF4wHPtFNVSB8ZmBi9ORqDWcgPylN7lnN&UlSp=GVgTZXS8Kvx0RZ - rule_id: 6750 http://www.srofkansas.com/fqiq/?af-8_FRh=wFDpWBcybTtkZf6rJwxG8GxnrXCHdVwe5dpvC2P+G/35kvGl/Iz1QduPYt3eFaCRSD2mr4cI&UlSp=GVgTZXS8Kvx0RZ - rule_id: 6445 http://www.hanenosuke.com/fqiq/?af-8_FRh=xeMdXENerBxjIMz2FKChqf1nt0cxl+Ge/IuoWLeYNAKPizmuJVRlAC2vXkQEDiA7tI/nE2A5&UlSp=GVgTZXS8Kvx0RZ - rule_id: 6608 http://www.saint444.com/fqiq/?af-8_FRh=eXgEUzChbduGYiNOMCJq1lzrrQ1CIuaunm8NPy3G0K4s0BtpaBzDfGZEH2DMYdQWokGBQ7FM&UlSp=GVgTZXS8Kvx0RZ http://www.applebroog.industries/fqiq/?af-8_FRh=0RH9gkF4+S66YbdBg5arrRt8ci9oBvnO84hTkOxxIVwmdJGohZyCC7mOG5N6PcmeIk25yT0k&UlSp=GVgTZXS8Kvx0RZ - rule_id: 6686 http://www.qianhaijcc.com/fqiq/?af-8_FRh=+GyJfJw7hTzGSWjLzSxzubcql+EX4XT+GbaCNiPPdvi0qO0hFgG0Ehnd2eXgZFp2PjMwiybO&UlSp=GVgTZXS8Kvx0RZ | 12 www.sanlifalan.com(104.165.34.6) www.srofkansas.com(199.59.242.153) www.applebroog.industries(209.17.116.163) www.hanenosuke.com(172.67.150.160) www.qianhaijcc.com(23.110.31.106) www.saint444.com(63.250.44.164) 209.17.116.163 - mailcious 172.67.150.160 - mailcious 63.250.44.164 23.110.31.106 199.59.242.153 - mailcious 104.165.34.6 - mailcious | 1 ET MALWARE FormBook CnC Checkin (GET) | 4 http://www.sanlifalan.com/fqiq/ http://www.srofkansas.com/fqiq/ http://www.hanenosuke.com/fqiq/ http://www.applebroog.industries/fqiq/ | 10.2 | M | 19 | ZeroCERT
14424 | 2021-11-02 12:16 | vbc.exe c0225f76705c05744918c724e3018649 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself | 10 http://www.royallecleaning.com/mwev/?ARmdX8=HsmrIALRyQMPJkOtf5nMI/V00TunQUINtHtLXN2Hj1uqs6T8fON4gG2lu2ZQbwqStmDdpZMN&KX6tW=0rmT5ZjPmbshPnQ0 - rule_id: 6988 http://www.royallecleaning.com/mwev/?ARmdX8=HsmrIALRyQMPJkOtf5nMI/V00TunQUINtHtLXN2Hj1uqs6T8fON4gG2lu2ZQbwqStmDdpZMN&KX6tW=0rmT5ZjPmbshPnQ0 http://www.sweetascaramelllc.com/mwev/?ARmdX8=1dgSwdT6iUfXJhnZMPGbosNbqy8frS/bAP6nSrHpcwjRB5DRuVVqLLDEtFes5YR1zw4AUvn1&KX6tW=0rmT5ZjPmbshPnQ0 http://www.thepatriottutor.com/mwev/?ARmdX8=/F+5fWxCaYec331bQY3aplUtTlhxOTv5tqm7kZyG1N03wxzrV71zo6o8BaaVLz3vSpc09MhZ&KX6tW=0rmT5ZjPmbshPnQ0 http://www.vinhomes-grand-park.com/mwev/?ARmdX8=+A5f1+5KU/VQJUIdmInlKEVxY8aL5K/QWJJwfdi7fw4L7afC02fAbPQICF0jz2WSofxc+YO3&KX6tW=0rmT5ZjPmbshPnQ0 http://www.fulvousemollientplanet.com/mwev/?ARmdX8=vthKUgsi1WUC3wg/Fuh07g/ARRJh8nN5iXMY1IOUkIOGRst8HaQDSsvzM421sGAnkmdeGog+&KX6tW=0rmT5ZjPmbshPnQ0 http://www.scion-go-getter.com/mwev/?ARmdX8=Y+Hyy1N5D5MxwHpLzGerXtl/+e9k+2VYdp+JCOaNjGnZwwqutoqB71RoDgAXCJ7sEd8Lkw64&KX6tW=0rmT5ZjPmbshPnQ0 http://www.lzgirlz.com/mwev/?ARmdX8=3CLo7xM/0Sn17sJZB/EECplawXlGZ+Z9N99jYgo26tSUwZqib7lJXKN2Yr8FiIXkjxSqkjkT&KX6tW=0rmT5ZjPmbshPnQ0 http://www.liyahgadgets.com/mwev/?ARmdX8=g1Z6fijHILhIWnYWTIp+4FjUMYhbb0wZRNLDOiUXPeqjelwmMdoeuMJZvq7y8sTA4qv2iqe4&KX6tW=0rmT5ZjPmbshPnQ0 - rule_id: 6990 http://www.liyahgadgets.com/mwev/?ARmdX8=g1Z6fijHILhIWnYWTIp+4FjUMYhbb0wZRNLDOiUXPeqjelwmMdoeuMJZvq7y8sTA4qv2iqe4&KX6tW=0rmT5ZjPmbshPnQ0 | 15 www.vinhomes-grand-park.com(125.212.221.113) www.sweetascaramelllc.com(23.227.38.74) www.scion-go-getter.com(35.209.150.94) www.thepatriottutor.com(34.102.136.180) www.foxandmew.com() www.mrteez.club() www.liyahgadgets.com(151.101.193.211) www.fulvousemollientplanet.com(23.227.38.74) www.lzgirlz.com(34.102.136.180) www.royallecleaning.com(34.102.136.180) 34.102.136.180 - mailcious 125.212.221.113 - phishing 146.75.49.211 23.227.38.74 - mailcious 35.209.150.94 | 1 ET MALWARE FormBook CnC Checkin (GET) | 2 http://www.royallecleaning.com/mwev/ http://www.liyahgadgets.com/mwev/ | 9.0 | 28 | ZeroCERT
14425 | 2021-11-02 12:17 | vbc.exe 27966cb801b7c85686d6a5cf79dbb8ec PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName | 2.2 | 23 | ZeroCERT
14426 | 2021-11-02 12:17 | rewend.exe 4cff82e973b1d0aa013a8d1fcdce9803 Themida Packer PE64 PE File VirusTotal Malware Windows crashed | 2.4 | 30 | ZeroCERT
14427 | 2021-11-02 12:19 | mix.exe 863db22615785c834f8ac8ed325404e4 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution | 2.2 | 25 | ZeroCERT
14428 | 2021-11-02 12:19 | new.exe 6bd8ecd283c51100366d205a8f3446d5 NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS DDNS | 3 newme122.3utilities.com(35.172.128.117) - mailcious newme1122.3utilities.com() 35.172.128.117 | 1 ET POLICY DNS Query to DynDNS Domain *.3utilities .com | 10.4 | 30 | ZeroCERT
14429 | 2021-11-02 12:21 | vbc.exe e1b6b517ec229115f6c81d8a7ababe19 PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName | 2.2 | 24 | ZeroCERT
14430 | 2021-11-02 12:23 | file.exe ebd30cc26cf38d0bf84f36d9715af9fd RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName | 2.2 | 24 | ZeroCERT