3766 |
2020-12-16 09:55
|
Speeder_1.0.0.3_qd13.exe a6d2cae21d592a602211a854dc4dc91a VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Tofsee Browser ComputerName DNS |
45
http://speedup.jiezhansifang.com/openapi/speedup/v1/getGameList.do?channelId=13 http://client.jiezhansifang.com/uploadRecord?channelId=13&localMac=94-DE-27-8C-32-74&timestamp=20201216142854 http://resource-speedup.jiezhansifang.com/speedup/images/game/images/52c64bea221d0ee934ffe01795d39d4a.jpg http://resource-speedup.jiezhansifang.com/speedup/images/game/pubg.jpg http://resource-speedup.jiezhansifang.com/speedup/images/ad/ad-4.png https://client-revision.jiezhansifang.com/modules/constant/config_5cd1dcc.js https://client-revision.jiezhansifang.com/resource/images/layout_mask_98ae434.png https://client-revision.jiezhansifang.com/jzsf/oemJzAppKey.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546335 https://client-revision.jiezhansifang.com/jzsf/oemJzAppKey.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546332 https://client-revision.jiezhansifang.com/modules/util/wxLogin_feabe64.js https://client-revision.jiezhansifang.com/modules/util/helper_31ef72e.js https://res.wx.qq.com/connect/zh_CN/htmledition/js/jquery.min3696b4.js https://client-revision.jiezhansifang.com/modules/app/index_c47f623.js https://hm.baidu.com/hm.js?8603659db96c7aa11111e7d2cf361c4e https://client-revision.jiezhansifang.com/modules/util/disableScale_ad56695.js https://client-revision.jiezhansifang.com/resource/js/conf/mod-conf_c04f440.js https://client-revision.jiezhansifang.com/resource/css/qrcode.css https://client-revision.jiezhansifang.com/resource/css/client_z.png https://client-revision.jiezhansifang.com/modules/pkg/conf_db4e6ed.js https://client-revision.jiezhansifang.com/modules/pkg/coms_950264e.js https://client-revision.jiezhansifang.com/resource/js/modjs/1.0.13/mod_0f4920e.js https://client-revision.jiezhansifang.com/authInfo?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546331
https://open.weixin.qq.com/connect/qrconnect?appid=wxaaa8da95fe65628e&scope=snsapi_login&redirect_uri=https%3A%2F%2Freg.jiezhansifang.com%2Fthirdparty%2Fwechat%2Fcallback.do&state=83ab9561022ec376dd0d18f99888529d&login_type=jssdk&self_redirect=true&style=undefined&href=https://client-revision.jiezhansifang.com/resource/css/qrcode.css https://client-revision.jiezhansifang.com/modules/pkg/page-common_ea1051e.js https://client-revision.jiezhansifang.com/resource/css/client.css https://client-revision.jiezhansifang.com/modules/util/channel_5c9966b.js https://client-revision.jiezhansifang.com/modules/pkg/lib_c4b765a.js https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569904 https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569905 https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569906 https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569907 https://hm.baidu.com/hm.gif?kb=0&cc=1&ck=1&cl=24-bit&ds=1024x768&vl=434&et=0&fl=13.0&ja=1&ln=ko&lo=0&rnd=1178776312&si=8603659db96c7aa11111e7d2cf361c4e&su=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F%3Fclient%3Dxm%26qd%3D13%23login&v=1.2.80&lv=1&api=6_0&sn=64253&r=0&ww=17&ct=!!&u=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F&tt=%E5%8A%A0%E9%80%9F%E5%99%A8 https://reg-saas.whweidu.com/thirdparty/wechat/login/qrcode/get.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&appKey=a22c30c4c6dd4316a189cfe47c91571b&callbackURI=https%3A%2F%2Fclient-revision.jiezhansifang.com%2Fjzsf%2FoemLoginCallback&callback=jQuery19107494205348593246_1608096546333&reqId=1608096546334 https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569903 https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569908 
https://reg-saas.whweidu.com/thirdparty/wechat/login/qrcode/get.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&appKey=a22c30c4c6dd4316a189cfe47c91571b&callbackURI=https%3A%2F%2Fclient-revision.jiezhansifang.com%2Fjzsf%2FoemLoginCallback&callback=jQuery19107494205348593246_1608096546336&reqId=1608096546337 https://hm.baidu.com/hm.gif?kb=0&cc=1&ck=1&cl=24-bit&ds=1024x768&vl=434&et=0&fl=13.0&ja=1&ln=ko&lo=0&rnd=77078479&si=8603659db96c7aa11111e7d2cf361c4e&su=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F&v=1.2.80&lv=1&api=4_0&sn=64253&r=0&ww=17&ct=!!&u=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F%23login&tt=%E5%8A%A0%E9%80%9F%E5%99%A8 https://client-revision.jiezhansifang.com/?client=xm&qd=13 https://open.weixin.qq.com/connect/qrcode/091dIIJr1ugJFa19 https://client.jiezhansifang.com/uploadRecord?channelId=13&localMac=94-DE-27-8C-32-74&timestamp=20201216142854 https://open.weixin.qq.com/connect/qrconnect?appid=wxaaa8da95fe65628e&scope=snsapi_login&redirect_uri=https%3A%2F%2Freg.jiezhansifang.com%2Fthirdparty%2Fwechat%2Fcallback.do&state=3e5a8d4ab7b80ec3521f7c047e96ff8a&login_type=jssdk&self_redirect=true&style=undefined&href=https://client-revision.jiezhansifang.com/resource/css/qrcode.css https://res.wx.qq.com/connect/zh_CN/htmledition/style/impowerApp45a337.css https://client-revision.jiezhansifang.com/modules/pkg/page-login_7fc304f.js https://client-revision.jiezhansifang.com/resource/images/layout_bg-theme-1_632e2ef.png https://client-revision.jiezhansifang.com/modules/util/track_587265c.js
|
16
reg-saas.whweidu.com(47.114.110.100) lp.open.weixin.qq.com(203.205.232.67) client-revision.jiezhansifang.com(58.216.9.68) res.wx.qq.com(150.109.206.166) reg.jiezhansifang.com(47.114.110.100) client.jiezhansifang.com(58.216.9.68) resource-speedup.jiezhansifang.com(58.216.9.68) hm.baidu.com(103.235.46.191) - mailcious speedup.jiezhansifang.com(58.216.9.68) open.weixin.qq.com(203.205.239.172) 203.205.234.140 58.216.9.68 203.205.239.171 103.235.46.191 - mailcious 150.109.206.154 47.114.110.100
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
13 |
ZeroCERT
3767 |
2020-12-16 10:37
|
vbc.exe ebc762f4d1d6557fcfb73fc7eb1d5b7a Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software |
1
http://benweve.com/clock/five/fre.php - rule_id: 153
|
2
benweve.com(95.213.224.89) - mailcious 95.213.224.89 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://benweve.com/clock/five/fre.php
|
14.2 |
M |
46 |
ZeroCERT
3768 |
2020-12-16 10:37
|
win32.exe f4fccdb6286107ca3592406e356a6b5e Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Software |
1
http://begadi.ga/clue/gate.php - rule_id: 158
|
2
begadi.ga(176.118.165.175) - mailcious 176.118.165.175
|
10
ET INFO DNS Query for Suspicious .ga Domain ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://begadi.ga/clue/gate.php
|
15.0 |
M |
38 |
ZeroCERT
3769 |
2020-12-16 11:06
|
XokBnqWMZ4B9pbd.exe e9dbec32351a5bd0a3f94b8314e4d958 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software |
|
1
185.239.242.219 - mailcious
|
|
|
17.6 |
M |
43 |
ZeroCERT
3770 |
2020-12-16 12:23
|
1312.gif.1.exe b2a9a4e1656bdb5749de4f228dc9f307 VirusTotal Malware |
|
|
|
|
1.8 |
M |
41 |
ZeroCERT
3771 |
2020-12-16 12:23
|
1SystemWindows.exe d100a087bc378ea7fb3afc39bc164984 VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS |
4
http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1608088546&mv=u&mvi=7&pcm2cms=yes&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:785814653&cup2hreq=d24eedb90b0e27ebe0b6054a63c6cfca8e31297d6eb8148ac15b766c4c760631 https://update.googleapis.com/service/update2
|
2
r7---sn-3u-bh2lz.gvt1.com(59.18.45.210) 59.18.45.210
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
3.8 |
M |
39 |
ZeroCERT
3772 |
2020-12-16 12:50
|
http://54.169.255.180/.cache/A... ff1f1a2332f563aebf955780642344f1 Dridex VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed |
1
http://54.169.255.180/.cache/AP.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
5.0 |
|
13 |
ZeroCERT
3773 |
2020-12-16 16:17
|
1312.gif.2.exe d41d8cd98f00b204e9800998ecf8427e |
|
|
|
|
0.4 |
|
|
ZeroCERT
3774 |
2020-12-16 16:18
|
1312.gif.3.exe b2a9a4e1656bdb5749de4f228dc9f307 VirusTotal Malware DNS |
|
|
|
|
2.4 |
M |
41 |
ZeroCERT
3775 |
2020-12-16 16:23
|
5555555555.jpg.exe 613062734b9244597bee0607b8432e9f |
|
|
|
|
1.0 |
|
|
ZeroCERT
3776 |
2020-12-16 16:23
|
chidu.exe 994caae4cc6731bdb8447a8b13314f68 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
|
|
|
13.8 |
M |
40 |
ZeroCERT
3777 |
2020-12-16 16:27
|
csrs.exe 3a94c5b0350d50bf1485156e75a82ded VirusTotal Malware Buffer PE Check memory buffers extracted Creates executable files unpack itself AppData folder malicious URLs |
|
|
|
|
5.2 |
M |
47 |
ZeroCERT
3778 |
2020-12-16 16:27
|
CKC.exe 7379d1bbf5b0a85cade31143413cf9e6 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check Windows ComputerName DNS Cryptographic key crashed |
1
|
2
api.ipify.org(184.73.247.141) 54.243.164.148
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
10.0 |
M |
15 |
ZeroCERT
3779 |
2020-12-16 16:34
|
CKC.exe 7379d1bbf5b0a85cade31143413cf9e6 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check Windows ComputerName Cryptographic key crashed |
1
|
2
api.ipify.org(23.21.42.25) 54.235.189.250
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
9.4 |
M |
15 |
ZeroCERT
3780 |
2020-12-16 16:35
|
damianox.scr b41a91991dcb97e8e7d43c368cc58c57 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
|
|
|
11.6 |
M |
22 |
ZeroCERT