14431 | 2021-11-02 12:25 | submitted by ZeroCERT
Sample: invoice_000899889.wbk
MD5: d96431380975c0c711acd8795b99fd76
Tags: RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1):
  http://103.171.0.220/0077/vbc.exe
Hosts (1): (none shown)
IDS alerts (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.6 | Detections: 31

14432 | 2021-11-02 12:28 | submitted by ZeroCERT
Sample: Yandex1500.exe
MD5: 38c0f733e983c0e12a6ab7ba2b1415ed
Tags: Generic Malware UPX Malicious Library PE64 PE File OS Processor Check PE32 VirusTotal Malware MachineGuid Check memory Checks debugger Creates executable files ICMP traffic unpack itself AppData folder Tofsee DNS crashed
Hosts (2):
  mas.to(88.99.75.82)
  88.99.75.82
IDS alerts (3):
  ET DNS Query for .to TLD
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.0 | Detections: 33

14433 | 2021-11-02 12:31 | submitted by ZeroCERT
Sample: winlogon.exe
MD5: fd06b68ee03940e334f35b12e36ac718
Tags: NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (12):
  http://www.domagolf.net/sywu/?w6A=pWCHhwZSB8QVaKAXyXHQ/feWfa0gotZo+yd5m/ANfGhLPfzR5bnQsT+hTkJWfzwyKFh8K9io&-ZP=W6O83na8w
  http://www.hackensacksalon.com/sywu/?w6A=Mnq1bqiC49iBnkdWSYwkyTPzzdMFp6JEYXjvu8mvu3uFvmJ8P1TzqjsOhyyHXjE1E7yueDxs&-ZP=W6O83na8w
  http://www.lighthouseta.com/sywu/?w6A=Fif6t9qBJS7PfbW+nV4zZIDOtUBpWKOdgsWufsEgrcVkaPOFX3rA+XhOwSnXgM/wsAdsDFIh&-ZP=W6O83na8w
  http://www.kisah.xyz/sywu/?w6A=USn/s/Nw3xV+55U0SZdH7vYZi5cG3dzFHZRqO94C2q7bkP8vqLkNejL861JCezwhEQy9FwbC&-ZP=W6O83na8w
  http://www.brieffinance.com/sywu/?w6A=79IAT+ehqG9gcLZadmU6oVO+UoItJgESjXslc308jYls3X8IJdNNO8prg0K9Trpv14OhLbhs&-ZP=W6O83na8w
  http://www.greentonnage.info/sywu/?w6A=31AjcD+O/vkoDfHT81xlOZAWORGDp8vMbh6MjaA+OZmTL3IFlsvupoNvu11kki8t5+GWmUSf&-ZP=W6O83na8w
  http://www.mikes-marine.com/sywu/?w6A=PbabmpsWFdXWMNTeeZ9jCNWPOn1z0XvHeI08BocNs8nNIG8Ni599zrxFdxp3gdzeKqca/8nw&-ZP=W6O83na8w
  http://www.38leckiestreet.com/sywu/?w6A=/vgTM4p9Z9iBgidmSY6A4cWY0D0pZxvvQpGDn6K72F4Gd8RLtU+z71PJ62L3W5IEhfgKqCPr&-ZP=W6O83na8w
  http://www.gengzicompute.com/sywu/?w6A=Sg/J+PD4SKoqXgcmmzEPzbkHChriOJdDtNPl57LzzQHkFhA1i4k5hjYuVkkFWhs3HT30LL4x&-ZP=W6O83na8w
  http://www.pheasa.com/sywu/?w6A=BQWKLZqyrMJ7eqH6IGBOhz3kcEiVnMegmaSI8UN/kuWh4tWV0X7oy/aezhN+nJAS1pBTDNxh&-ZP=W6O83na8w
  http://www.mikes-marine.com/sywu/?w6A=PbabmpsWFdXWMNTeeZ9jCNWPOn1z0XvHeI08BocNs8nNIG8Ni599zrxFdxp3gdzeKqca/8nw&YL0=9rN46F
  http://www.thesavingsplaceforseniors.com/sywu/?w6A=iu47MEIDrgQO/UeWdsS4BFh94hPqX44shOdUJcCg7IkYfjAuxHXRq+jyqsiavnN3/bE4kK6e&-ZP=W6O83na8w
Hosts (24):
  www.domagolf.net(198.54.115.202)
  www.greentonnage.info(34.102.136.180)
  www.bajajfinserv-amc.com()
  www.thesavingsplaceforseniors.com(172.67.179.126)
  www.gengzicompute.com(35.75.36.192)
  www.registrarmilhas.online()
  www.interrstellar.xyz()
  www.pheasa.com(198.54.117.216)
  www.brieffinance.com(34.102.136.180)
  www.kisah.xyz(44.227.65.245)
  www.38leckiestreet.com(52.147.15.202)
  www.mikes-marine.com(172.81.119.116)
  www.lighthouseta.com(182.50.132.242)
  www.hackensacksalon.com(34.102.136.180)
  www.ywboxiong.xyz()
  172.81.119.116
  198.54.115.202
  198.54.117.212 - malicious
  52.147.15.202 - malicious
  34.102.136.180 - malicious
  182.50.132.242 - malicious
  172.67.179.126
  35.75.36.192
  44.227.65.245 - malicious
IDS alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 5.8 | Detections: 24

14434 | 2021-11-02 14:39 | submitted by guest
Sample: 1.xlsb
MD5: dee6841dad2810dbb7d487803e3f2b4c
Tags: Excel Binary Workbook file format(xlsb) VirusTotal Malware RWX flags setting unpack itself
Score: 1.8 | Detections: 18

14435 | 2021-11-02 14:39 | submitted by guest
Sample: Over Charges.xll
MD5: b80ab428dca46779c14807ea7422452f
Tags: Generic Malware Malicious Library UPX PE64 PE File OS Processor Check DLL PDB Remote Code Execution
Score: 1.0 | Detections: (none shown)

14436 | 2021-11-02 14:39 | submitted by guest
Sample: Unpaid month.xll
MD5: aa0bd807de12aa711ec1b6fb34212a10
Tags: Generic Malware Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB Remote Code Execution
Score: 1.6 | Detections: 11

14437 | 2021-11-02 14:44 | submitted by guest
Sample: NEW DOCUMENTS_SCAN_IMAGE_JPEG_...
MD5: 55bdb7f0041df344074f8176d9412be2
Tags: Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
Score: 2.0 | Detections: 24

14438 | 2021-11-02 14:44 | submitted by guest
Sample: NEW ORDER EXPORT0021IMG9736403...
MD5: 43b431fc0de6f60a36fb846f3d90a0b0
Tags: Generic Malware Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
Hosts (3):
  futurist11.ddns.net(194.5.98.30) - malicious
  37.235.1.174 - malicious
  194.5.98.30
IDS alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
Score: 14.8 | Detections: 34

14439 | 2021-11-02 14:46 | submitted by guest
Sample: REVISED CONTRACT.exe
MD5: 7b4520d03a7be5596c800642f3bd3132
Tags: Generic Malware Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS
Hosts (4):
  bohem11.ddns.net(185.244.30.6)
  37.235.1.177 - malicious
  185.244.30.6
  37.235.1.174 - malicious
IDS alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
Score: 15.8 | Detections: 35

14440 | 2021-11-02 16:19 | submitted by ZeroCERT
Sample: 1.xlsb
MD5: dee6841dad2810dbb7d487803e3f2b4c
Tags: Excel Binary Workbook file format(xlsb) VirusTotal Malware Check memory unpack itself suspicious process
Score: 3.0 | Detections: 18

14441 | 2021-11-02 17:41 | submitted by ZeroCERT
Sample: ConsoleApp82.exe
MD5: d475a16d7396c7883d5ba4f865a0fc96
Tags: Generic Malware task schedule AntiDebug AntiVM PE File PE32 .NET EXE Dridex TrickBot VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Kovter Windows DNS Cryptographic key crashed
URLs (1): (none shown)
Hosts (1): (none shown)
IDS alerts (1):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
Score: 9.8 | Detections: 45

14442 | 2021-11-02 17:43 | submitted by ZeroCERT
Sample: ziyu.exe
MD5: dc6c8fb72b02cf9237d1e53ae5f67d33
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (11):
  http://www.maderasbelpa.com/q36e/?rVIHUD=EqeW6SAl9FJzoeDHWj/YF9TgE8efKKQ4Pmg8ue1g5q5bEz8iOEUD/wlYbr13ZMIF3iNdSTYW&JL08lv=apITk4n0RzRXDj
  http://www.cryptobittoday.com/q36e/?rVIHUD=DN3aVSZG/U0++lT+0fVvbufIBnAdZk+ZoHOaYfEXYW8R0x8OP+k20nLHFyxm+/QL+KRefSY+&JL08lv=apITk4n0RzRXDj
  http://www.thelocal.team/q36e/?rVIHUD=qi3H4tEgcVwXD72sceGH+HK1WFwdKftW4mHCAeUScLw6Fjps1+Rxs5h+axJO8H8FB7z+5f8d&JL08lv=apITk4n0RzRXDj
  http://www.zappbug.xyz/q36e/?rVIHUD=80PKnOqhWgN9+dHZllw+VIQgdRXBceevobQv1g5ZSBRNMlW6Hrl+2jCo8PsKVVVanm95zBDz&JL08lv=apITk4n0RzRXDj
  http://www.ridgeviewcustombuilders.com/q36e/?rVIHUD=L55PozxYru8nt/ygCriiFFIZFhuy3wYqGUmubpbM5rtJlvXqMIahCKFL2JQhy/ceXa8FYM29&JL08lv=apITk4n0RzRXDj
  http://www.iiilonline.com/q36e/?rVIHUD=pVofMjfCTyY3O/qureEJAO/yEXAm+0qTBMqG75Ke/4eusG2zjbK2wA1kpIk1HOIfGKGUHj7z&JL08lv=apITk4n0RzRXDj
  http://www.drosselma.space/q36e/?rVIHUD=kltuCfhKvxyy9RCI8dBJjSc5PaFfYsfzEeGsxYSRKqEIU7GymTGRizCul3N7/fTeXwq0Stg/&JL08lv=apITk4n0RzRXDj
  http://www.zerw2.com/q36e/?rVIHUD=Rntl1NDHd9XnQLwgazHh+Zc5uliS6OLgFgrLKpN7DQMYQsVoIfR806hPJBBKgUUeQ3E3JCNy&JL08lv=apITk4n0RzRXDj
  http://www.levanttradegroup.com/q36e/?rVIHUD=xh+jwISDwMLdMjCO2eLJ1RMoxVH/jmr5ryDnG+1eSX1so3eWn5VyQ56AVFR8zPZipxIcTqmt&JL08lv=apITk4n0RzRXDj
  http://www.lifeworkswap.com/q36e/?rVIHUD=Q0cF2NUfPjSIXvAVUhwbscpYkb6g6sx01Eb/JVEmkOE6Br4IyYelssa5hFYxMF5lm7zxf54r&JL08lv=apITk4n0RzRXDj
  http://www.scarjamfam.com/q36e/?rVIHUD=+o1xI9CZ5TIVfhewedt6Nlo/cgi76wJS4nXbeV8SpkfKatp/sNiLSjEBuCfEng9dq1dygV1M&JL08lv=apITk4n0RzRXDj
Hosts (24):
  www.zappbug.xyz(172.67.196.33)
  www.iiilonline.com(109.106.254.230)
  www.thelocal.team(3.33.152.147)
  www.drosselma.space(92.119.113.254)
  www.zerw2.com(44.227.65.245)
  www.chainvfy-top.xyz()
  www.levanttradegroup.com(34.102.136.180)
  www.scarjamfam.com(3.64.163.50)
  www.lichtladens.com()
  www.ridgeviewcustombuilders.com(198.54.117.211)
  www.lifeworkswap.com(217.21.190.175)
  www.maderasbelpa.com(190.106.131.237)
  www.cryptobittoday.com(13.115.25.84)
  44.227.76.166 - malicious
  3.33.152.147
  198.54.117.211 - phishing
  217.21.190.175
  13.115.25.84
  34.102.136.180 - malicious
  92.119.113.254 - malicious
  3.64.163.50 - malicious
  104.21.60.115
  109.106.254.230
  190.106.131.237
IDS alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 7.8 | Detections: 12

14443 | 2021-11-02 17:44 | submitted by ZeroCERT
Sample: Ref5412_Q_0120351252_ISO_03515...
MD5: 67f245dff6917f0f2a26fd38b908e996
Tags: RAT NPKI Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (5):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(132.226.247.73)
  216.146.43.70 - suspicious
  109.106.254.230
  172.67.188.154
IDS alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 14.0 | Detections: 19

14444 | 2021-11-02 17:45 | submitted by ZeroCERT
Sample: ziy.hta
MD5: 5c88bf7225ed953a328bf598abfd9ce6
Tags: VirusTotal Malware unpack itself crashed
Score: 1.0 | Detections: 1

14445 | 2021-11-02 17:45 | submitted by ZeroCERT
Sample: game.exe
MD5: adb8eadfafe1aa375ad6ec8328a5bc8d
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.4 | Detections: 30