| 3916 |
2020-12-23 18:05
|
yarobelo.scr c7c46db118df6a8d6c9deb69fa6b765b
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
4
api.ipify.org(54.225.66.103)
crt.comodoca.com(91.199.212.52)
54.225.169.28
91.199.212.52
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.6 |
M |
18 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3917 |
2020-12-23 18:05
|
winscr.exe 3574650da1cff1dff8f334feafeadd5a
Troldesh Charming Kitten VirusTotal Malware AutoRuns Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces malicious URLs sandbox evasion Ransomware Windows Tor ComputerName Remote Code Execution DNS |
|
5
82.149.227.126
171.25.193.9 - mailcious
194.109.206.212 - mailcious
95.216.137.135
88.90.251.2
|
4
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 833
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 745
ET JA3 Hash - [Abuse.ch] Possible Troldesh Ransomware
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware.Troldesh)
|
|
9.4 |
M |
59 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3918 |
2020-12-23 18:21
|
yarobelo.scr c7c46db118df6a8d6c9deb69fa6b765b
Browser Info Stealer FTP Client Info Stealer Charming Kitten VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
5
api.ipify.org(23.21.42.25)
crt.comodoca.com(91.199.212.52)
91.199.212.52
95.216.137.135
54.225.220.115
|
2
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 833
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3919 |
2020-12-23 18:21
|
YREKQN5ZLNQ.doc 6a129baf7b95f27a985be69e4bc724c9
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://97.120.3.198/zzy9swtzxmsf9t/binacwuo5zg8wkfu1e/x6ydic3r/jnb3sc/7f3v3j151mmwc/ - rule_id: 196
|
3
www.aciparis.com(160.153.137.14) - malware
160.153.137.14 - mailcious
97.120.3.198 - mailcious
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
1
|
5.0 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3920 |
2020-12-23 18:23
|
bine.exe 643d71110f8f60590bd795e97317bd86
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
|
|
|
|
9.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3921 |
2020-12-23 18:24
|
1ABG7OS11fImC.dll 858bad49be45f10f8110a16e4f327f46
VirusTotal Malware Malicious Traffic Checks debugger RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://97.120.3.198/lvtjrxo45s7p38ab/73k2mgxpq/p4v2c82il8sq2riof5/by8zcf2hxvoiem/rdf350h49ce6h0p9k0/ - rule_id: 196
|
1
|
|
1
|
6.2 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3922 |
2020-12-23 18:27
|
io5O6T4F0h7ZH76.dll 5981b313d6b1882ed0161e200d12232e
VirusTotal Malware Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://97.120.3.198/r8lt70wyoolvf9it/9arb05butn5yloqsbay/yls6xsvzyfn0q9twe5/rc7dib40obgukos3rf/rbmu2ums7f/ - rule_id: 196
|
1
|
|
1
|
6.6 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3923 |
2020-12-23 18:27
|
bine.exe 643d71110f8f60590bd795e97317bd86
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
17
http://www.woodlandpizzahartford.com/bw82/?mL08q=EgjYCCjbkfVj9ehGxTuHAhcpQboFBLSXtFcJRUu6FmW11AJT4F0+EqeE2EWzm0j+z/EHekc6&JBZ4ix=OVjTZr - rule_id: 169
http://www.curateherstories.com/bw82/
http://www.medkomp.online/bw82/?mL08q=XXvds6kwhVjrEh3bbLk7tXX7tGMBUmL1J7R6G33gDvMEBKB80x6mpl7sj8ceVwuu+Sawoxbm&JBZ4ix=OVjTZr
http://www.medkomp.online/bw82/
http://www.h2oturkiye.com/bw82/
http://www.magiclabs.media/bw82/?mL08q=P2+pz5IrkU8P5mOmr1TQmwqfNtgh4ua+i28lAlYonz3NKvuB08r74ddbhMNfRAfc3W+32ZUt&JBZ4ix=OVjTZr
http://www.dealsonwheeeles.com/bw82/?mL08q=YNoZp1cTd9PqP9uDymFogp2JCj7FMVLhyOh44kprRzKNcwLKy4v5xqVwVWSgg8W/6SpbGSjN&JBZ4ix=OVjTZr
http://www.nikolaichan.com/bw82/?mL08q=nYWM/rwQuQgzzYTiZtrUCAZuUhwRv7E+HND77r6KFUMhbDslxCvF9el30pcIChwmKYIjSfOm&JBZ4ix=OVjTZr
http://www.h2oturkiye.com/bw82/?mL08q=CMr/hCS6mwvsPbXaRlwKDrCPfcrQCABATO63SlwWoNIQfxte8yY+flRvYqW9xmZKpkswsok7&JBZ4ix=OVjTZr
http://www.rizrvd.com/bw82/?mL08q=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&JBZ4ix=OVjTZr - rule_id: 170
http://www.rizrvd.com/bw82/?mL08q=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&JBZ4ix=OVjTZr
http://www.woodlandpizzahartford.com/bw82/ - rule_id: 169
http://www.dealsonwheeeles.com/bw82/
http://www.curateherstories.com/bw82/?mL08q=2vyuGwHiQ7EvXBHfLyrkWp+hlAiWIN0rCXJnc3deUzDL3Fz4XyzD01gktZirWyXaZbBAW+QZ&JBZ4ix=OVjTZr
http://www.rizrvd.com/bw82/ - rule_id: 170
http://www.magiclabs.media/bw82/
http://www.nikolaichan.com/bw82/
|
15
www.nikolaichan.com(216.58.220.147)
www.medkomp.online(81.200.118.106)
www.h2oturkiye.com(94.73.146.42)
www.curateherstories.com(34.102.136.180)
www.rizrvd.com(34.102.136.180) - mailcious
www.dealsonwheeeles.com(182.50.132.242)
www.woodlandpizzahartford.com(104.31.80.238) - mailcious
www.magiclabs.media(198.49.23.144)
216.58.200.19
104.31.81.238 - mailcious
198.49.23.145 - mailcious
34.102.136.180 - mailcious
94.73.146.42 - mailcious
81.200.118.106
182.50.132.242 - mailcious
|
|
4
http://www.woodlandpizzahartford.com/bw82/
http://www.rizrvd.com/bw82/
http://www.woodlandpizzahartford.com/bw82/
http://www.rizrvd.com/bw82/
|
10.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3924 |
2020-12-23 18:30
|
R5VVFQEN7P2YCUP.doc cab5254b1b78ca7a2c96c4f9d4ba3b40
Vulnerability VirusTotal Malware unpack itself malicious URLs |
|
|
|
|
3.2 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3925 |
2020-12-23 18:33
|
regasm.exe 1d9086709ae0ee4dd4055b9fef5fca4c
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software |
1
http://begadi.ga/kayo/gate.php - rule_id: 191
|
2
begadi.ga(46.173.218.183) - mailcious
46.173.218.183
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://begadi.ga/kayo/gate.php
|
12.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3926 |
2020-12-23 18:34
|
R5VVFQEN7P2YCUP.doc cab5254b1b78ca7a2c96c4f9d4ba3b40
Vulnerability VirusTotal Malware unpack itself DNS |
|
|
|
|
3.0 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3927 |
2020-12-24 09:03
|
svchost.exe 08ef8917e644417f578ed3be5033a77e
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software |
1
http://begadi.ga/chud/gate.php - rule_id: 161
|
2
begadi.ga(46.173.218.183) - mailcious
46.173.218.183
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://begadi.ga/chud/gate.php
|
13.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3928 |
2020-12-24 09:03
|
win32.exe 2f0c8a1bb15284bdbbbe38c24a2aa491
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Trojan DNS Software |
1
http://begadi.ga/clue/gate.php - rule_id: 158
|
2
begadi.ga(46.173.218.183) - mailcious
46.173.218.183
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://begadi.ga/clue/gate.php
|
14.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3929 |
2020-12-24 09:16
|
winlog.exe c61f9f9c9e4cda47016cfd944778af19
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software |
1
http://webtex.ga/akin/gate.php - rule_id: 186
|
2
webtex.ga(46.173.218.183) - mailcious
46.173.218.183
|
8
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
|
1
http://webtex.ga/akin/gate.php
|
12.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3930 |
2020-12-24 09:21
|
https://ucf7440f11e64fe794a0c8... dafe01ff19d72fb69ae0592c98440748
Dridex Malware Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
ucf7440f11e64fe794a0c894bca3.dl.dropboxusercontent.com(162.125.80.15) - mailcious
162.125.80.15 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|