15451 | 2021-11-16 21:57
https://linksharing.samsungclo... 2d0fe7f6fd0de180792f960e19f09c1e | Generic Malware Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PNG Format MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs: 16
Hosts: 2 | linksharing.samsungcloud.com(54.68.213.116) | 44.238.138.209
Alerts: 2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure
Score: 4.6 | guest

15452 | 2021-11-17 06:29
packet1.pcapng aa4efea61e703e80ebfe0f03d51034db | AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
Score: 3.4 | guest

15453 | 2021-11-17 07:46
obinnazx.exe a15f32098d89e911d22ea91bffb4dd7d | RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows
URLs: 1
http://www.getmavin.com/ad6n/?p0G=OjJsxC4geh8I7FqpHa9UrgAH/E1KMhjJ+gcNVa/pzu129pZ482obDOVio5WqFRS9BSrfkXt2&DXEXx=X6jPuRePGH0PXF8P
Hosts: 3 | www.getmavin.com(35.185.181.239) | www.project-global-corp.us() | 35.185.181.239
Alerts: 1 | ET MALWARE FormBook CnC Checkin (GET)
Score: 10.6 | 41 | ZeroCERT

15454 | 2021-11-17 07:48
ETS_041002000456_067961.exe 288f4c34cb160d5d19bf6253bb3edbd2 | RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs: 2 | http://checkip.dyndns.org/ | https://freegeoip.app/xml/175.208.134.150
Hosts: 4 | freegeoip.app(172.67.188.154) | checkip.dyndns.org(132.226.247.73) | 132.226.8.169 | 172.67.188.154
Alerts: 3 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET POLICY External IP Lookup - checkip.dyndns.org
Score: 12.4 | 38 | ZeroCERT

15455 | 2021-11-17 07:48
ETS_03102000456_0607301.exe 5684f15da978ad73d44fe789eda5bd8f | RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs: 2 | http://checkip.dyndns.org/ | https://freegeoip.app/xml/175.208.134.150
Hosts: 4 | freegeoip.app(104.21.19.200) | checkip.dyndns.org(132.226.247.73) | 132.226.8.169 | 104.21.19.200
Alerts: 3 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain | ET POLICY External IP Lookup - checkip.dyndns.org | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.6 | 40 | ZeroCERT

15456 | 2021-11-17 07:50
vbc.exe 906d95b6530a90ce328e418d2905d233 | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs: 1 | http://secure01-redirect.net/gb3/fre.php
Hosts: 2 | secure01-redirect.net(93.189.47.205) | 93.189.47.205
Alerts: 7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Fake 404 Response
Score: 13.4 | 43 | ZeroCERT

15457 | 2021-11-17 07:50
ETS_04100000456_0634741.exe fefe653b5da22eef8506d9c534b98085 | RAT NPKI Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs: 2 | http://checkip.dyndns.org/ | https://freegeoip.app/xml/175.208.134.150
Hosts: 4 | freegeoip.app(104.21.19.200) | checkip.dyndns.org(132.226.247.73) | 172.67.188.154 | 132.226.247.73
Alerts: 3 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain | ET POLICY External IP Lookup - checkip.dyndns.org | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.8 | 36 | ZeroCERT

15458 | 2021-11-17 07:52
vbc.exe f14fcc9ba3f2310617eb2791db59a702 | PWS Loki[b] Loki.m Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs: 1 | http://secure01-redirect.net/gb3/fre.php
Hosts: 2 | secure01-redirect.net(93.189.47.205) | 93.189.47.205
Alerts: 7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Fake 404 Response
Score: 13.6 | 40 | ZeroCERT

15459 | 2021-11-17 07:53
mode-cry.exe 8cec5b455b359860f5a7aa647331783f | RAT Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs: 8
Hosts: 17
Alerts: 1 | ET MALWARE FormBook CnC Checkin (GET)
Score: 8.8 | 47 | ZeroCERT

15460 | 2021-11-17 07:54
vbc.exe 49ab86d22178e95f5b65b75a68f9a01d | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs: 2 | http://secure01-redirect.net/ga20/fre.php - rule_id: 6926 | http://secure01-redirect.net/ga20/fre.php
Hosts: 3 | secure01-redirect.net(93.189.47.205) | 172.67.188.154 | 93.189.47.205
Alerts: 6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Rule-matched URLs: 1 | http://secure01-redirect.net/ga20/fre.php
Score: 14.2 | 40 | ZeroCERT

15461 | 2021-11-17 07:56
urchzx.exe 6bc174f341262c62fd0b4650f1f23b0d | RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
URLs: 10
Hosts: 22
Alerts: 3 | ET INFO HTTP Request to Suspicious *.cloud Domain | ET MALWARE FormBook CnC Checkin (GET) | ET INFO Observed DNS Query to .cloud TLD
Score: 9.6 | 25 | ZeroCERT

15462 | 2021-11-17 07:56
vbc.exe db134497d2c27e8de932b80925a9684f | Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs: 2 | http://secure01-redirect.net/gb2/fre.php - rule_id: 7819 | http://secure01-redirect.net/gb2/fre.php
Hosts: 2 | secure01-redirect.net(93.189.47.205) | 93.189.47.205
Alerts: 7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Fake 404 Response | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Rule-matched URLs: 1 | http://secure01-redirect.net/gb2/fre.php
Score: 13.8 | 14 | ZeroCERT

15463 | 2021-11-17 07:57
ScanPMT.exe ee65c71e0dc1cb592033a71dcdea0964 | Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS
URLs: 3
http://www.congregacionansestral.com.co/b3n1/?ETYPCTH=rc0Mox3+4rcBqetXaDk29sIcCgcFnCrVzv5/2p36QCPcR12irfRFDA1lACQEGaL9hIUel/dG&VRfXC=00GP1JE0pzJtH07P http://www.facom.us/b3n1/?ETYPCTH=eJWmw7T3nxsgchtzkUmAevUO1Qxii7tY0XPsCBXn4DDIkqPBFjpg3F7J9lxoleMyCW58oJ6v&VRfXC=00GP1JE0pzJtH07P http://www.acd-informatique.fr/b3n1/?ETYPCTH=gG8/6HrPEyi0Rw9couGf8OjEmOR6xL2M1wvyKuo/GnJyVljHPmpleM7eI8a1xylUn+aypwZN&VRfXC=00GP1JE0pzJtH07P
Hosts: 8 | www.congregacionansestral.com.co(190.60.234.22) | www.acd-informatique.fr(109.234.161.241) | www.facom.us(104.21.12.79) | www.shellload.com() | 172.67.151.233 | 172.67.188.154 | 190.60.234.22 | 109.234.161.241
Alerts: 1 | ET MALWARE FormBook CnC Checkin (GET)
Score: 6.8 | 48 | ZeroCERT

15464 | 2021-11-17 07:58
erasizevar.png 586c8bd1ff77c2b9ec844a9d35654228 | Emotet Malicious Library UPX PE File PE32 Report suspicious privilege buffers extracted unpack itself Check virtual network interfaces suspicious process ComputerName Remote Code Execution DNS crashed
Hosts: 6 | 179.189.229.254 - mailcious | 103.105.254.17 - mailcious | 185.56.175.122 - mailcious | 65.152.201.203 - mailcious | 46.99.188.223 - mailcious | 60.51.47.65 - mailcious
Alerts: 2 | ET CNC Feodo Tracker Reported CnC Server group 8 | ET CNC Feodo Tracker Reported CnC Server group 9
Score: 6.2 | ZeroCERT

15465 | 2021-11-17 07:59
vbc.exe 0e2cb83d70db215f56ee6af75325c661 | RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW ComputerName DNS
URLs: 1 | http://111.90.149.196/ALINK.txt
Hosts: 1
Score: 4.4 | 26 | ZeroCERT