| 3706 |
2020-12-11 18:35
|
baron.exe a6fb36f357cadbaf2c45e7598b3a8b5d
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key |
2
http://www.ruaysatu99.com/bw82/?u4=i+9stTbx/MW0+Tcz0EE6I6cBHO+UXpYkX0sdRWETn3hxejK1QgwJZPhRy7i6Ky+JFyNPISSc&mt=V48Dup_8
http://www.ruaysatu99.com/bw82/
|
5
www.ruaysatu99.com(104.28.26.19)
www.chrisbubser.digital()
www.twistedtailgatesweeps1.com(184.168.131.241)
172.67.129.48
184.168.131.241 - mailcious
|
|
|
10.4 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3707 |
2020-12-12 09:56
|
FTT.exe cc5fad28fad2e205e36753bfae4c7277
VirusTotal Malware AutoRuns Windows |
|
|
|
|
3.8 |
M |
58 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3708 |
2020-12-12 09:58
|
document.doc 09b4dc7085245d88d5afdaf7933a2cc2
VirusTotal Malware exploit crash unpack itself malicious URLs Exploit DNS crashed |
1
http://hawkloger.shortcm.li/
|
3
hawkloger.shortcm.li(35.157.135.19)
100.26.26.203
192.3.22.9 - malware
|
|
|
5.8 |
M |
23 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3709 |
2020-12-12 15:15
|
fw2.exe 9b8b7fb36bcd5fd0b30b293f6799bb77
VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3710 |
2020-12-12 15:16
|
fw4.exe a7ea20176e5493c4c6f7e936a9632271
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Windows Browser ComputerName DNS Cryptographic key Software |
1
http://api.ipify.org/?format=xml
|
3
api.ipify.org(54.235.142.93)
174.129.214.20
94.103.95.216
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
16.6 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3711 |
2020-12-12 15:27
|
1210_80556334.doc de9538b9867e559105756da43f5c2ad2
Vulnerability VirusTotal Malware Code Injection Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
1
|
6
api.ipify.org(23.21.42.25)
nuatanste.com(185.43.223.169) - mailcious
leffersinda.ru(185.43.223.169) - mailcious
thircussovirom.ru(185.43.223.169) - mailcious
185.43.223.169 - mailcious
54.221.253.252
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
11.4 |
|
35 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3712 |
2020-12-12 15:27
|
fw4.exe a7ea20176e5493c4c6f7e936a9632271
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key |
|
|
|
|
10.4 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3713 |
2020-12-12 15:44
|
soft.exe d4d4997b433348f7745b065f1fb2d578
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory buffers extracted Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software |
1
http://api.ipify.org/?format=xml
|
3
api.ipify.org(54.225.66.103)
184.73.247.141
195.154.168.132
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
10.0 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3714 |
2020-12-12 15:44
|
RJ48GY8lXm6fMXW.exe 290d7e0e76c015ae40d502a03b508cff
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software |
|
1
185.239.242.219 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
18.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3715 |
2020-12-12 16:11
|
Update.exe bf97f1dcf3b0f3dcedb078aa16535e45
VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName crashed |
2
http://www.google.com/
https://pastebin.com/raw/WhrqseC3
|
4
pastebin.com(104.23.99.190) - mailcious
www.google.com(172.217.174.100)
104.23.99.190 - mailcious
172.217.25.4 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3716 |
2020-12-12 16:12
|
un.exe c586c158732d51fa4b3d5e6f440e0f58
VirusTotal Malware Check memory RWX flags setting unpack itself malicious URLs anti-virtualization DNS |
|
|
|
|
4.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3717 |
2020-12-12 18:34
|
oosnhsyysjmns.png.exe bd1f17c3f5f6d4b8b97bcb4d330daec4
VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
2.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3718 |
2020-12-12 18:36
|
svchost.exe 670d8ac68d823b18a7c41bbd2094c2d9
NetWireRC VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process malicious URLs VMware anti-virtualization Windows ComputerName DNS Cryptographic key DDNS Software |
|
2
rnnfibi.hopto.org(79.134.225.30)
79.134.225.30 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
|
15.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3719 |
2020-12-13 13:36
|
look.exe c26859c4a7dce369457b656a5922876e
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Check memory buffers extracted WMI Creates executable files ICMP traffic unpack itself malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Windows Browser Email ComputerName DNS crashed Downloader |
|
3
aogmphregion.org.za(154.0.164.141) - malware
154.0.164.141 - malware
195.140.214.82 - mailcious
|
1
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
|
|
11.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3720 |
2020-12-13 13:36
|
svchost2.exe 4c7063ec0fb39986822bdb17dfb14ade
VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows DNS DDNS crashed |
1
https://dl.dropboxusercontent.com/s/bvsipv3zdl08djj/BY_Fransesco.dll?dl=0
|
5
tasmgrtaskmgr.ddns.net(160.154.81.135)
dl.dropboxusercontent.com(162.125.80.15) - malware
dl.dropbox.com(162.125.80.15) - malware
162.125.80.15 - malware
160.154.81.135
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|