43501 | 2021-02-03 18:51
light.exe 3722074c541640dafeaf62c0e12080c0 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS crashed
11.4 | M | 10 | ZeroCERT
43502 | 2021-02-03 18:50
licenser.txt.exe 63e7beb498ebe532263c977d71f664c3 VirusTotal Malware Buffer PE Check memory buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
4.8 | M | 16 | ZeroCERT
43503 | 2021-02-03 18:47
jayx.scr f0247e5dd3b7ddcfb059cac5ea5b91c3 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS
1
193.239.147.103 - mailcious
3.8 | M | 22 | ZeroCERT
43504 | 2021-02-03 18:47
kingtroupx.scr 683900ad1d44fb2616653b936ac1f9e1 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS
1
193.239.147.103 - mailcious
3.8 | M | 20 | ZeroCERT
43505 | 2021-02-03 18:43
file.exe b8b7b4f5bc704558dcf41a39c2f9fd6d VirusTotal Malware unpack itself Remote Code Execution DNS
2.8 | M | 26 | ZeroCERT
43506 | 2021-02-03 18:41
bobbyx.exe c578ab7bf915d54643e598c11c9922ea VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
1
http://www.freedomtobelarus.com/dtn/?jPj8q=pAWirrp/fm40Mzg0P4OvA9BHLrOI3whi39hXxyapcIMqtm5FaQF3VybaPfTU0uQl+BN46Zb4&P0D=Adsx7ry
2
www.freedomtobelarus.com(23.227.38.74) 23.227.38.74 - mailcious
8.2 | M | 18 | ZeroCERT
43507 | 2021-02-03 18:35
417594IMG_29866.pdf.exe d778c0c06c91dec54fc46fe02d1f7e1a VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows DNS
4
http://www.fairschedulinglaws.com/bf3/?BZR8Db=Cj8ceRiRCr5Wq+1qlshrPALQuR0KNoRqUH9gaKjizJb28mKJtUOTLfZWFbHVVHVW2FfOYYfE&VRNt=wBZhTR28eHU8oX http://www.thenewsdig.com/bf3/?BZR8Db=iZRO08akuTiXZjxfJxub8c39I4zSoqsscmDPKxsYigP/SRN6qaWl3jm+0DV/OaodXzHLlgXL&VRNt=wBZhTR28eHU8oX http://www.thehostingroad.com/bf3/?BZR8Db=l8I6XPgsFNYwHdCfh8gT1y9i2fKE+hPHZa8CRZAjVNP6EoQ24RiPbKFJIFcct0ZB0DJqbnGI&VRNt=wBZhTR28eHU8oX https://www.google.com/
8
www.fairschedulinglaws.com(34.102.136.180) www.google.com(216.58.220.100) www.thehostingroad.com(68.183.162.131) www.thenewsdig.com(34.102.136.180) www.expresslacross.com() 68.183.162.131 34.102.136.180 - mailcious 172.217.26.4 - suspicious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.8 | M | 20 | ZeroCERT
43508 | 2021-02-03 18:34
ana.exe efed0f9fe0d138e7efe50e663e7f3a98 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed
9.4 | M | 17 | ZeroCERT
43509 | 2021-02-03 18:22
139913IMG_33687.pdf.exe 4e37d001d53117d028fa01eb27b48f18 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4
freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.161.70) 216.146.43.71 172.67.188.154
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.2 |  | 24 | ZeroCERT
43510 | 2021-02-03 18:22
aguerox.scr c96bca895f08287e145cf97fa5b4158f Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
2
http://becharnise.ir/fa15/fre.php http://193.239.147.103/base/2C72DA610917F3D48463446C0D190DB7.html - rule_id: 225
3
becharnise.ir(185.208.180.121) - mailcious 185.208.180.121 - mailcious 193.239.147.103 - mailcious
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://193.239.147.103/base/
15.8 | M | 18 | ZeroCERT
43511 | 2021-02-03 18:12
winlog4.exe 524ac66f24321c6da65f2b098978bff7 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
12
http://www.thebabylashes.com/gqx2/ http://www.tmpaas.com/gqx2/ http://www.theofficialtoluwani.com/gqx2/?nPntH4=upR2KFKjs42p1EdP4ql1+FytJ5veHcIKVvPJe+9hsDBmELSeELrVJP2ZA2YHWwOMOjSiJC6f&Lh3l=ZTdtL8t8yx http://www.theofficialtoluwani.com/gqx2/ http://www.shaffglowing.com/gqx2/?nPntH4=KhA/zwXnJUgsBxEHuGzVV5+gy2rf8S/xUCEhxADior6XXCc1M4KkV7Go+fDVN/HCwemfANa+&Lh3l=ZTdtL8t8yx http://www.tmpaas.com/gqx2/?nPntH4=5JpUkVtS0JNuUoRlf+CFDHpP4Uxy07qT9+hKEWZ21aajybDa6hG7iO1an+96ZpJK7db/pMaD&Lh3l=ZTdtL8t8yx http://www.shaffglowing.com/gqx2/ http://www.oaklandraidersjerseyspop.com/gqx2/ http://www.donboscohistorycorner.com/gqx2/?nPntH4=+N3LpDhTi/fP7Hwf9yN+rTh7hlKS/+ht+RV6ys2fj+a4t5CqqKB2KdcgeWwIOpMcpe/YHAwJ&Lh3l=ZTdtL8t8yx http://www.oaklandraidersjerseyspop.com/gqx2/?nPntH4=EgmJjZ22Ewk3ZUBAMVOOKgrHeYQOJcLzmrSGfMm6T5GCaNHOwgoPLqek76Dq2OYiVDVEigp6&Lh3l=ZTdtL8t8yx http://www.donboscohistorycorner.com/gqx2/ http://www.thebabylashes.com/gqx2/?nPntH4=GNK9yXShMMK+HA+mQO0UuqFPWoPP84MnG3zjeho+qZgE6xGhoImbl1IUPjhBqmb49Fd79M+M&Lh3l=ZTdtL8t8yx
14
www.tmpaas.com(43.243.108.245) www.shaffglowing.com(185.210.145.3) www.donboscohistorycorner.com(165.227.229.15) www.theofficialtoluwani.com(34.102.136.180) www.thebabylashes.com(23.227.38.74) www.oaklandraidersjerseyspop.com(3.234.181.234) www.teamworkdash.com(34.102.136.180) - mailcious www.inreachpt.com(34.102.136.180) - mailcious 185.210.145.3 43.243.108.245 34.102.136.180 - mailcious 3.234.181.234 - mailcious 23.227.38.74 - mailcious 165.227.229.15
9.6 | M | 16 | ZeroCERT
43512 | 2021-02-03 18:11
winlog3.exe 5ec4108db8c98d030cea2bb1ea95b725 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS
2
http://www.ppeaceandgloves.com/aky/?tHrt=fJr/bXrOOydqPygeucC36RKPLZWaOswXVxbDwO1Xd9dOOwwVQBbu3banfdOux07squRMjBgr&UtzXc=GFNlYtxHSPupeV http://www.bytecommunication.com/aky/?UtzXc=GFNlYtxHSPupeV&tHrt=rii9xW2yAVjkIq2xZOjNE/j5Fqela4Uc8+1TqvkS5Mpd2SL5/rCEfL/s7QB2eT+WoS6hJ8+t
5
www.ppeaceandgloves.com(91.195.241.137) www.smithvilletexashistory.com() www.bytecommunication.com(108.62.32.215) 108.62.32.215 91.195.241.137 - mailcious
10.0 |  | 27 | ZeroCERT
43513 | 2021-02-03 17:51
winlog2.exe 84756d09ad2ebedc58b7a9c1f8eef37a VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS
8
http://www.fadhilaaqiqah.com/oean/?0VJtG4=sNIx3+d+Vk9EHeH7EC9q5Tmy2l1x0RXkuchRdpUVobrYMUbUhiEqq/j39KrEvBnVPyS3H2Zf&jFNTe=aFNTkfKp http://www.binggraesantorini.com/oean/ http://www.5037adairway.com/oean/ http://www.binggraesantorini.com/oean/?0VJtG4=/Tb7qIo2lpboAMxAj7Gh2hKFZ23w4lXxZLQB9l6RwaFPFjPRBAPhOCcTAbF5URuiUHLgEz+l&jFNTe=aFNTkfKp http://www.ceejing.com/oean/?0VJtG4=sNeCokEil3n05bCMuHkoGVQWeq3WOq80ehrkGAbIdyTAKn0wwoYT6FA2uGnC4/MYFICEqumS&jFNTe=aFNTkfKp http://www.fadhilaaqiqah.com/oean/ http://www.ceejing.com/oean/ http://www.5037adairway.com/oean/?0VJtG4=UDbslJB1q+rri679tZMgD4X+MNMiKzOXjqs7zZj0KYuc4U4K27OQ1IdPl9lyNCPJCUK9RLqX&jFNTe=aFNTkfKp
15
www.binggraesantorini.com(52.58.78.16) www.classifoods.com(91.195.241.137) - mailcious www.ceejing.com(45.32.95.179) www.villacascabel.com(34.102.136.180) - mailcious www.spreadaccounts.com(78.153.213.7) - mailcious www.5037adairway.com(184.168.131.241) www.piemontelaw.net() - mailcious www.fadhilaaqiqah.com(172.67.219.15) 78.153.213.7 - mailcious 104.21.78.86 184.168.131.241 - mailcious 45.32.95.179 91.195.241.137 - mailcious 52.58.78.16 - mailcious 34.102.136.180 - mailcious
9.2 | M | 17 | ZeroCERT
43514 | 2021-02-03 17:50
winlog.exe d64f47ad1647d93473130d1e301adbb0 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
10
http://www.teamworkdash.com/gqx2/?5jrD_Rw=ZQeVLdaP9EWyqX8bXjuqV8BLV5S5w9PqgUgyzPf0MLEvcbi2aaDTCxVd2NzhYgYAniygw7pi&Dne0g=AFQPa05PwphlOzx http://www.eligetucafetera.com/gqx2/?5jrD_Rw=ugyBOnsIFYLtxifZElK+MG66jquXJo8uwGSdrHtlO+FUNhRVEpehsSBNBQXnM6G4YAUs1vTR&Dne0g=AFQPa05PwphlOzx http://www.spiderofthesea.com/gqx2/ http://www.fanninhomesforless.com/gqx2/?5jrD_Rw=fdOSUXvE6wZzQ9cHW2YQH5fCAX4vARqGP9sfwvXn2tyGLR//bC18tYmBxGkEL6jypmB19dZF&Dne0g=AFQPa05PwphlOzx http://www.prayerswithmary.com/gqx2/?5jrD_Rw=njfRlhVj6EFspW2a0FRdDD3+20pPuTSuw1g6+/A6xC/1keaDHuewSnbFvm47zIyGVFI7XEui&Dne0g=AFQPa05PwphlOzx http://www.fanninhomesforless.com/gqx2/ http://www.spiderofthesea.com/gqx2/?5jrD_Rw=Q1blzfWd1iL5ZbYIfd4CXQmcA8vflGzyEF+Kxk/VYfDAqqdZkJ9amDqbv+xKX/wj3ZCwkuYh&Dne0g=AFQPa05PwphlOzx http://www.prayerswithmary.com/gqx2/ http://www.eligetucafetera.com/gqx2/ http://www.teamworkdash.com/gqx2/
12
www.eligetucafetera.com(186.64.118.110) www.prayerswithmary.com(172.217.175.19) www.inreachpt.com(34.102.136.180) - mailcious www.spiderofthesea.com(34.102.136.180) www.thefanexam.com(99.84.233.212) - mailcious www.teamworkdash.com(34.102.136.180) www.fanninhomesforless.com(34.102.136.180) www.starlinkwebservices.com(34.102.136.180) - mailcious 172.217.31.147 - phishing 65.8.168.33 34.102.136.180 - mailcious 186.64.118.110
8.6 | M | 16 | ZeroCERT
43515 | 2021-02-03 17:33
vbc.exe 766ba75de87fda229a25dbccd8a6218f VirusTotal Malware RWX flags setting unpack itself malicious URLs Tofsee DNS crashed
2
cdn.discordapp.com(162.159.130.233) - malware 162.159.133.233 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | 18 | ZeroCERT