3706 | 2020-12-11 18:35 | baron.exe a6fb36f357cadbaf2c45e7598b3a8b5d | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key | URLs (2): http://www.ruaysatu99.com/bw82/?u4=i+9stTbx/MW0+Tcz0EE6I6cBHO+UXpYkX0sdRWETn3hxejK1QgwJZPhRy7i6Ky+JFyNPISSc&mt=V48Dup_8; http://www.ruaysatu99.com/bw82/ | hosts (5): www.ruaysatu99.com(104.28.26.19); www.chrisbubser.digital(); www.twistedtailgatesweeps1.com(184.168.131.241); 172.67.129.48; 184.168.131.241 - malicious | 10.4 | M | 14 | ZeroCERT
3707 | 2020-12-12 09:56 | FTT.exe cc5fad28fad2e205e36753bfae4c7277 | VirusTotal Malware AutoRuns Windows | 3.8 | M | 58 | guest
3708 | 2020-12-12 09:58 | document.doc 09b4dc7085245d88d5afdaf7933a2cc2 | VirusTotal Malware exploit crash unpack itself malicious URLs Exploit DNS crashed | URLs (1): http://hawkloger.shortcm.li/ | hosts (3): hawkloger.shortcm.li(35.157.135.19); 100.26.26.203; 192.3.22.9 - malware | 5.8 | M | 23 | guest
3709 | 2020-12-12 15:15 | fw2.exe 9b8b7fb36bcd5fd0b30b293f6799bb77 | VirusTotal Malware unpack itself | 2.0 | M | 24 | guest
3710 | 2020-12-12 15:16 | fw4.exe a7ea20176e5493c4c6f7e936a9632271 | Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Windows Browser ComputerName DNS Cryptographic key Software | URLs (1): http://api.ipify.org/?format=xml | hosts (3): api.ipify.org(54.235.142.93); 174.129.214.20; 94.103.95.216 | alerts (1): ET POLICY External IP Lookup (ipify .org) | 16.6 | M | 24 | guest
3711 | 2020-12-12 15:27 | 1210_80556334.doc de9538b9867e559105756da43f5c2ad2 | Vulnerability VirusTotal Malware Code Injection Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName | URLs (1): | hosts (6): api.ipify.org(23.21.42.25); nuatanste.com(185.43.223.169) - malicious; leffersinda.ru(185.43.223.169) - malicious; thircussovirom.ru(185.43.223.169) - malicious; 185.43.223.169 - malicious; 54.221.253.252 | alerts (1): ET POLICY External IP Lookup api.ipify.org | 11.4 | | 35 | guest
3712 | 2020-12-12 15:27 | fw4.exe a7ea20176e5493c4c6f7e936a9632271 | VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key | 10.4 | M | 24 | guest
3713 | 2020-12-12 15:44 | soft.exe d4d4997b433348f7745b065f1fb2d578 | Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory buffers extracted Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software | URLs (1): http://api.ipify.org/?format=xml | hosts (3): api.ipify.org(54.225.66.103); 184.73.247.141; 195.154.168.132 | alerts (1): ET POLICY External IP Lookup (ipify .org) | 10.0 | M | 56 | ZeroCERT
3714 | 2020-12-12 15:44 | RJ48GY8lXm6fMXW.exe 290d7e0e76c015ae40d502a03b508cff | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software | hosts (1): 185.239.242.219 - malicious | alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response | 18.4 | M | 21 | ZeroCERT
3715 | 2020-12-12 16:11 | Update.exe bf97f1dcf3b0f3dcedb078aa16535e45 | VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName crashed | URLs (2): http://www.google.com/; https://pastebin.com/raw/WhrqseC3 | hosts (4): pastebin.com(104.23.99.190) - malicious; www.google.com(172.217.174.100); 104.23.99.190 - malicious; 172.217.25.4 - suspicious | alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 4.0 | M | 31 | ZeroCERT
3716 | 2020-12-12 16:12 | un.exe c586c158732d51fa4b3d5e6f440e0f58 | VirusTotal Malware Check memory RWX flags setting unpack itself malicious URLs anti-virtualization DNS | 4.8 | M | 29 | ZeroCERT
3717 | 2020-12-12 18:34 | oosnhsyysjmns.png.exe bd1f17c3f5f6d4b8b97bcb4d330daec4 | VirusTotal Malware Check memory unpack itself crashed | 2.4 | M | 21 | ZeroCERT
3718 | 2020-12-12 18:36 | svchost.exe 670d8ac68d823b18a7c41bbd2094c2d9 | NetWireRC VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process malicious URLs VMware anti-virtualization Windows ComputerName DNS Cryptographic key DDNS Software | hosts (2): rnnfibi.hopto.org(79.134.225.30); 79.134.225.30 - malicious | alerts (1): ET POLICY DNS Query to DynDNS Domain *.hopto .org | 15.0 | M | 24 | ZeroCERT
3719 | 2020-12-13 13:36 | look.exe c26859c4a7dce369457b656a5922876e | Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Check memory buffers extracted WMI Creates executable files ICMP traffic unpack itself malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Windows Browser Email ComputerName DNS crashed Downloader | hosts (3): aogmphregion.org.za(154.0.164.141) - malware; 154.0.164.141 - malware; 195.140.214.82 - malicious | alerts (1): ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile | 11.6 | M | 32 | ZeroCERT
3720 | 2020-12-13 13:36 | svchost2.exe 4c7063ec0fb39986822bdb17dfb14ade | VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows DNS DDNS crashed | URLs (1): https://dl.dropboxusercontent.com/s/bvsipv3zdl08djj/BY_Fransesco.dll?dl=0 | hosts (5): tasmgrtaskmgr.ddns.net(160.154.81.135); dl.dropboxusercontent.com(162.125.80.15) - malware; dl.dropbox.com(162.125.80.15) - malware; 162.125.80.15 - malware; 160.154.81.135 | alerts (2): ET POLICY DNS Query to DynDNS Domain *.ddns .net; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 5.4 | M | 22 | ZeroCERT