3616 | 2020-12-08 09:45
Sample: euremen.exe | MD5: b076d449c2fa8d8f1d8b8b07254df976
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces malicious URLs suspicious TLD IP Check installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (4): http://checkip.amazonaws.com/ http://94.177.123.237:35200/IRemotePanel https://1ls32sh.worwokr.ru/RdeSWHLHdlCi https://api.ip.sb/geoip
Hosts (11): WHOIS.APNIC.NET(172.104.77.201) checkip.amazonaws.com(34.193.115.2) whois.iana.org(192.0.32.59) 1ls32sh.worwokr.ru(81.177.165.230) api.ip.sb(172.67.75.172) 34.192.7.28 172.104.77.201 192.0.32.59 104.26.13.31 94.177.123.237 81.177.165.230 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
15.6 | - | 32 | ZeroCERT

3617 | 2020-12-08 10:02
Sample: EGO.exe | MD5: f084742f15cd553f5628cfd035c5ca7c
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed
9.8 | M | 36 | ZeroCERT

3618 | 2020-12-08 10:04
Sample: king.exe | MD5: 0a8cd09f51156849bae020af7a7d09ea
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName DNS Cryptographic key Software
11.8 | M | 27 | ZeroCERT

3619 | 2020-12-08 11:03
Sample: vbc.exe | MD5: 9971aba6d9eca7e79d711b0b59e1edef
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software
Hosts (2): benweve.com(95.213.224.87) - mailcious 193.106.175.43
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.8 | M | 23 | ZeroCERT

3620 | 2020-12-08 11:03
Sample: vbc2.exe | MD5: 411c1d448a08bc32258d2f8c301037f1
Tags: Malware download Azorult Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS
URLs (1): http://paratuseventos.cl/doc/nov16/index.php
Hosts (2): paratuseventos.cl(190.107.176.64) - mailcious 190.107.176.64 - mailcious
Alerts (1): ET MALWARE AZORult v3.3 Server Response M3
12.0 | - | - | ZeroCERT

3621 | 2020-12-08 12:26
Sample: vbc.exe | MD5: 9971aba6d9eca7e79d711b0b59e1edef
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software
URLs (1): http://benweve.com/clock/five/fre.php - rule_id: 153
Hosts (2): benweve.com(193.106.175.43) - mailcious 193.106.175.43
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
Additional entry (1): http://benweve.com/clock/five/fre.php
13.8 | M | 23 | ZeroCERT

3622 | 2020-12-08 17:35
Sample: app.exe | MD5: e49071c84232e085109f1bb63d2d334d
Tags: VirusTotal Malware unpack itself malicious URLs
2.4 | M | 22 | ZeroCERT

3623 | 2020-12-08 17:36
Sample: 590906.jpg.exe | MD5: 5ca4df20d2ec92c297a010650a777d4f
0.6 | - | - | ZeroCERT

3624 | 2020-12-08 17:46
Sample: Cerberus.exe | MD5: 16e586d7d93daec3cae5cd79dddb627a
Tags: VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs crashed
URLs (1): http://setup.roblox.com/version
Hosts (2): setup.roblox.com(52.216.12.62) 52.216.142.22
5.8 | M | 47 | ZeroCERT

3625 | 2020-12-08 17:46
Sample: document.doc | MD5: 2fcf1e23188eeb3d447e0e5b679d4f81
Tags: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
Hosts (1): 198.12.125.13 - mailcious
Alerts (6): ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 29 | ZeroCERT

3626 | 2020-12-08 17:53
Sample: Host.exe | MD5: ea930dacbcdccf4d29416392cdab6a36
Tags: NetWireRC VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs Windows DNS DDNS
Hosts (2): kingshakes.linkpc.net(79.134.225.52) - mailcious 79.134.225.52 - mailcious
8.6 | M | 54 | ZeroCERT

3627 | 2020-12-08 17:54
Sample: nass.exe | MD5: 5a99e9b25f0423fcedab39af22741b46
Tags: VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW human activity check Tofsee Windows DNS Cryptographic key DDNS crashed
URLs (8): https://hastebin.com/raw/ozakocuver https://hastebin.com/raw/afukimumiw https://hastebin.com/raw/qirinoloqe https://hastebin.com/raw/xohesulowe https://hastebin.com/raw/locupetepa https://hastebin.com/raw/iwukefezul https://hastebin.com/raw/mirihuqaju https://hastebin.com/raw/waciluzaqa
Hosts (4): vremenew.ddns.net(79.134.225.12) hastebin.com(104.24.126.89) - mailcious 172.67.143.180 - mailcious 79.134.225.12
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY DNS Query to DynDNS Domain *.ddns .net
16.0 | M | 23 | ZeroCERT

3628 | 2020-12-08 21:29
Sample: AutoUpdate.exe | MD5: b22aa7e622f8883df8cdcf5b573e043c
Tags: VirusTotal Malware Checks debugger unpack itself malicious URLs
4.2 | M | 26 | ZeroCERT

3629 | 2020-12-08 21:30
Sample: oxchjjhrwe.exe | MD5: 036adb8395038b566c990ef4006f2cf5
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs Windows
Hosts (2): darkangel.ac.ug(217.8.117.77) 217.8.117.77 - malware
12.0 | M | 45 | ZeroCERT

3630 | 2020-12-08 21:33
Sample: n.exe | MD5: 4d24c2a76368d1aae55284ccf73a6743
Tags: VirusTotal Malware crashed
2.0 | M | 35 | ZeroCERT