14491 | 2021-11-03 09:56 | vbc.exe d0a58eae99dfb90ea4aa5dbf24d2fb93 Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
2
http://secure01-redirect.net/ga18/fre.php - rule_id: 6830
http://secure01-redirect.net/ga18/fre.php
|
2
secure01-redirect.net(94.142.140.223)
94.142.140.223
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://secure01-redirect.net/ga18/fre.php
13.4 | 16 | ZeroCERT
14492 | 2021-11-03 10:00 | vbc.exe 11cbfa99fb5ebe8c09674e79b9834d96 NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
13
|
26
|
1
ET MALWARE FormBook CnC Checkin (GET)
5.8 | 26 | ZeroCERT
14493 | 2021-11-03 10:02 | vbc.exe c6def7e067895d7c6f4b0f78270b9e2c NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
15
|
26
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
7
http://www.midatlanticbath.com/kqna/
http://www.surfsolutions.info/kqna/
http://www.candypalette.com/kqna/
http://www.netkopat.com/kqna/
http://www.candypalette.com/kqna/
http://www.alifdanismanlik.com/kqna/
http://www.fraserstephendop.com/kqna/
5.8 | M | 27 | ZeroCERT
14494 | 2021-11-03 15:07 | vbc.exe c6def7e067895d7c6f4b0f78270b9e2c NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
15
|
31
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
4
http://www.unlimitedrehab.com/kqna/
http://www.midatlanticbath.com/kqna/
http://www.surfsolutions.info/kqna/
http://www.fraserstephendop.com/kqna/
5.8 | M | 27 | ZeroCERT
14495 | 2021-11-03 16:41 | proto-182171120.xls 830c9b0719e54774e1642decdfcd69ee Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
3
https://touragencybhutan.com/pISdnpsfb/y.html
https://realcotacoes.com.br/D7fBoHtyd/y.html
https://campoinvest.com.br/cPv4PgoU/y.html
|
5
campoinvest.com.br(162.241.3.25)
realcotacoes.com.br(162.241.3.25)
touragencybhutan.com(103.211.216.55)
162.241.3.25 - malware
103.211.216.55 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
3.6 | guest
14496 | 2021-11-03 16:42 | miss-1732825037.xls af175b239064b801b2fc6aa1f158ffc4 Downloader KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Code Injection unpack itself
2.0 | guest
14497 | 2021-11-03 16:46 | miss-1732825037.xls af175b239064b801b2fc6aa1f158ffc4 Downloader MSOffice File ICMP traffic RWX flags setting unpack itself suspicious process Tofsee
3
https://taketuitions.com/dTEOdMByori/j.html
https://constructorachg.cl/eFSLb6eV/j.html
https://oel.tg/MSOFjh0EXRR8/j.html
|
6
taketuitions.com(50.87.150.127)
constructorachg.cl(177.221.140.69)
oel.tg(162.144.21.165)
162.144.21.165 - malware
50.87.150.127
177.221.140.69 - malicious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | ZeroCERT
14498 | 2021-11-03 16:52 | 5332_1635879205_5518.exe 4fb120e5975e3a7b4c59a1cf7b8ebc75 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.8 | 35 | ZeroCERT
14499 | 2021-11-03 16:54 | uux.exe bd4ef60928a0418f2f42958444a3ffc4 RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
1.6 | 15 | ZeroCERT
14500 | 2021-11-03 16:57 | snudutbimcg.exe 8f0f115b34448e21ca751ad0ca7a5f73 RAT Generic Malware Antivirus PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
1
http://45.133.1.84/hcgncghn/ConsoleApp19.bin
|
5
www.yahoo.com(202.165.107.49)
www.google.com(172.217.25.68)
45.133.1.84
172.217.174.196
202.165.107.49
7.4 | 20 | ZeroCERT
14501 | 2021-11-03 17:01 | qa.exe 068b5c216553c58c1068819bb8bd0195 RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
20
|
27
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET INFO Observed DNS Query to .biz TLD
|
5
http://www.faceandco.clinic/n8cr/
http://www.karasevda-jor.com/n8cr/
http://www.pharmasolutionspr.net/n8cr/
http://www.dellmoor.com/n8cr/
http://www.godigitalwithpavitra.com/n8cr/
8.0 | 27 | ZeroCERT
14502 | 2021-11-03 17:07 | autosubplayer.exe f4519ce450e18f453ace6c4b565cae94 Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
2.8 | 22 | ZeroCERT
14503 | 2021-11-03 17:07 | soldd.exe eea8c7833f8322d29ff6c08a31ea8651 Generic Malware Antivirus PE File PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key Downloader
2
https://fortnightgalaxyswapper.ru/sold.exe
https://fortnightgalaxyswapper.ru/Amongus.exe
|
2
fortnightgalaxyswapper.ru(81.177.135.61)
81.177.135.61 - malicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | 46 | ZeroCERT
14504 | 2021-11-03 17:17 | sold.exe 0ea242160e0b415f8a4713cbaba9e473 Generic Malware PE64 PE File VirusTotal Malware
1.6 | 43 | ZeroCERT
14505 | 2021-11-03 17:20 | Amongus.exe df8c1f522f5a2032dfc62b7002810601 RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Telegram PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW IP Check Tofsee ComputerName DNS
1
http://ip-api.com/line?fields=query
|
4
ip-api.com(208.95.112.1)
api.telegram.org(149.154.167.220)
208.95.112.1
149.154.167.220
|
5
ET HUNTING Telegram API Domain in DNS Lookup
ET POLICY External IP Lookup ip-api.com
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | 20 | ZeroCERT