3811 | 2020-12-18 12:16
CKC.exe 5fa29b2a0a86144477ff75ad70fe603d | Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Cryptographic key crashed
8 | http://api.ipify.org/ https://hastebin.com/raw/anapozaxem https://hastebin.com/raw/ohabiqahos https://hastebin.com/raw/litakejowi https://hastebin.com/raw/sosoreqiqe https://hastebin.com/raw/jolekimoso https://hastebin.com/raw/boyebaxako https://hastebin.com/raw/ejemahopop
4 | api.ipify.org(54.225.220.115) hastebin.com(104.24.126.89) - mailcious 172.67.143.180 - mailcious 54.225.66.103
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup api.ipify.org
10.0 | M | ZeroCERT

3812 | 2020-12-18 15:40
Jormungandr4.exe 13b9ee8bc19bde796a4c17a8e082e5a4 | VirusTotal Malware Check memory RWX flags setting unpack itself DNS
3.2 | M | 47 | ZeroCERT

3813 | 2020-12-18 15:40
jEgLNI40Ro9O775.exe 7f267b65bf69ce79699d4893158df1ce | VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
6 | http://www.whereinthezooareyou.com/e66m/?7n=DIL8tOhcg9HP3GwfV7qlioXlfu61iezVxIewch9gOr11yg86URjwoHMDV8tdy2sPgTSrBSzm&SZ=Y4C0ilYp7ZstNr7 http://www.helpwithutilitypaymentsnow.info/e66m/ http://www.helpwithutilitypaymentsnow.info/e66m/?7n=FEBAs7i0n4z6X0AiZh/5DZVdGmu7EkYB9YilD3B809caGLX74ShuCT+CLCnCyqApewF4Hhwd&SZ=Y4C0ilYp7ZstNr7 http://www.whereinthezooareyou.com/e66m/ http://www.momos-fast.com/e66m/ http://www.momos-fast.com/e66m/?7n=mxB+TmBlf/svbcyv5zfKBRhZ9+bTIZrwDTYgjpnV+ollFfetE9VJXIqqR6fiqHo7v3thMxx/&SZ=Y4C0ilYp7ZstNr7
10 | www.galentherapeutics.com() www.helpwithutilitypaymentsnow.info(18.218.104.7) www.newsong.services() www.lavenderholdingsgroup.com() www.whereinthezooareyou.com(185.230.61.211) www.momos-fast.com(34.102.136.180) www.gazr.technology() 185.230.61.96 34.102.136.180 - mailcious 18.218.104.7
9.2 | M | 16 | ZeroCERT

3814 | 2020-12-18 16:18
loader.hta eb55d80407a08dbfa854c7e6ebc7178a | VirusTotal Malware malicious URLs
1.8 | | 3 | ZeroCERT

3815 | 2020-12-18 16:18
net.exe a5965a9592a240bcaaaaafdcfaef13d2 | VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself malicious URLs anti-virtualization installed browsers check Windows Browser ComputerName Cryptographic key
6.2 | M | 28 | ZeroCERT

3816 | 2020-12-18 16:47
loader.hta eb55d80407a08dbfa854c7e6ebc7178a | VirusTotal Malware malicious URLs crashed
1.4 | | 3 | ZeroCERT

3817 | 2020-12-18 16:48
regasm.exe 2dd315281d64b04beca11cc61101baaa | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself malicious URLs DNS
6.4 | M | 20 | ZeroCERT

3818 | 2020-12-18 17:47
win32.exe 6179cc7f3caa1ab44cf06fc4917813e4 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software
1 | http://begadi.ga/clue/gate.php - rule_id: 158
2 | begadi.ga(185.193.143.118) - mailcious 185.193.143.118
10 | ET INFO DNS Query for Suspicious .ga Domain ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://begadi.ga/clue/gate.php
13.0 | M | 46 | ZeroCERT

3819 | 2020-12-18 17:47
svchost.exe 50b29294dbc99f5c880e59ce9e08c983 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Trojan DNS Software
1 | http://begadi.ga/chud/gate.php - rule_id: 161
2 | begadi.ga(185.193.143.118) - mailcious 185.193.143.118
10 | ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO DNS Query for Suspicious .ga Domain ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://begadi.ga/chud/gate.php
13.2 | M | | ZeroCERT

3820 | 2020-12-18 17:53
102w.jpg.exe 7ee7f1272a292fff71d189f5f3b908ca | VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key
2 | https://paste.ee/r/MZBBS https://paste.ee/r/TK7t6
2 | paste.ee(104.18.49.20) - mailcious 172.67.219.133 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.8 | M | 16 | ZeroCERT

3821 | 2020-12-18 17:53
kg.exe 8c29b3b5d7de4173ce340ff4c2dffe10 | VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS crashed
12.8 | M | 26 | ZeroCERT

3822 | 2020-12-18 18:31
svchost.exe ed427d483fedf9e80f4a3cbba7638b06 | VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process malicious URLs VMware anti-virtualization ComputerName Software
1 | http://www.collaborativeprosperity.com/kgw/?tZUP=ZTGFXILPBGyvvjWZr7XaEGL3pYrty2mW6bog9Ez6xTGxXN0WUyjWA3yW7Ca1/fiMcxzlU7Cj&9r4L1=FdC0
3 | www.collaborativeprosperity.com(34.102.136.180) www.viagraytqwi.com() 34.102.136.180 - mailcious
13.8 | M | 11 | ZeroCERT

3823 | 2020-12-18 18:31
regasm.exe 4578b188645f157291b8081faf680a4a | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Trojan DNS Software
2 | begadi.ga(185.193.143.118) - mailcious 185.193.143.118
10 | ET INFO DNS Query for Suspicious .ga Domain ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.6 | M | 22 | ZeroCERT

3824 | 2020-12-18 18:37
vbc.exe f653761c51d9032885abee7c4da9b06c | VirusTotal Malware Check memory Checks debugger unpack itself
2.0 | M | 25 | ZeroCERT

3825 | 2020-12-18 18:37
winlog.exe ded64e567dba740ae8a47527ae486651 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Trojan DNS Software
1 | http://webtex.ga/akin/gate.php - rule_id: 186
2 | webtex.ga(185.193.143.118) - mailcious 185.193.143.118
8 | ET INFO DNS Query for Suspicious .ga Domain ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Fake 404 Response
1 | http://webtex.ga/akin/gate.php
13.6 | M | 25 | ZeroCERT