| 43501 |
2021-02-03 18:51
|
light.exe 3722074c541640dafeaf62c0e12080c0
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS crashed |
|
|
|
|
11.4 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43502 |
2021-02-03 18:50
|
licenser.txt.exe 63e7beb498ebe532263c977d71f664c3
VirusTotal Malware Buffer PE Check memory buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed |
|
|
|
|
4.8 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43503 |
2021-02-03 18:47
|
jayx.scr f0247e5dd3b7ddcfb059cac5ea5b91c3
VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
|
1
193.239.147.103 - mailcious
|
|
|
3.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43504 |
2021-02-03 18:47
|
kingtroupx.scr 683900ad1d44fb2616653b936ac1f9e1
VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
|
1
193.239.147.103 - mailcious
|
|
|
3.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43505 |
2021-02-03 18:43
|
file.exe b8b7b4f5bc704558dcf41a39c2f9fd6d
VirusTotal Malware unpack itself Remote Code Execution DNS |
|
|
|
|
2.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43506 |
2021-02-03 18:41
|
bobbyx.exe c578ab7bf915d54643e598c11c9922ea
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
1
http://www.freedomtobelarus.com/dtn/?jPj8q=pAWirrp/fm40Mzg0P4OvA9BHLrOI3whi39hXxyapcIMqtm5FaQF3VybaPfTU0uQl+BN46Zb4&P0D=Adsx7ry
|
2
www.freedomtobelarus.com(23.227.38.74)
23.227.38.74 - mailcious
|
|
|
8.2 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43507 |
2021-02-03 18:35
|
417594IMG_29866.pdf.exe d778c0c06c91dec54fc46fe02d1f7e1a
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows DNS |
4
http://www.fairschedulinglaws.com/bf3/?BZR8Db=Cj8ceRiRCr5Wq+1qlshrPALQuR0KNoRqUH9gaKjizJb28mKJtUOTLfZWFbHVVHVW2FfOYYfE&VRNt=wBZhTR28eHU8oX
http://www.thenewsdig.com/bf3/?BZR8Db=iZRO08akuTiXZjxfJxub8c39I4zSoqsscmDPKxsYigP/SRN6qaWl3jm+0DV/OaodXzHLlgXL&VRNt=wBZhTR28eHU8oX
http://www.thehostingroad.com/bf3/?BZR8Db=l8I6XPgsFNYwHdCfh8gT1y9i2fKE+hPHZa8CRZAjVNP6EoQ24RiPbKFJIFcct0ZB0DJqbnGI&VRNt=wBZhTR28eHU8oX
https://www.google.com/
|
8
www.fairschedulinglaws.com(34.102.136.180)
www.google.com(216.58.220.100)
www.thehostingroad.com(68.183.162.131)
www.thenewsdig.com(34.102.136.180)
www.expresslacross.com()
68.183.162.131
34.102.136.180 - mailcious
172.217.26.4 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43508 |
2021-02-03 18:34
|
ana.exe efed0f9fe0d138e7efe50e663e7f3a98
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed |
|
|
|
|
9.4 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43509 |
2021-02-03 18:22
|
139913IMG_33687.pdf.exe 4e37d001d53117d028fa01eb27b48f18
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.161.70)
216.146.43.71
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43510 |
2021-02-03 18:22
|
aguerox.scr c96bca895f08287e145cf97fa5b4158f
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://becharnise.ir/fa15/fre.php
http://193.239.147.103/base/2C72DA610917F3D48463446C0D190DB7.html - rule_id: 225
|
3
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
193.239.147.103 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://193.239.147.103/base/
|
15.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43511 |
2021-02-03 18:12
|
winlog4.exe 524ac66f24321c6da65f2b098978bff7
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
12
http://www.thebabylashes.com/gqx2/
http://www.tmpaas.com/gqx2/
http://www.theofficialtoluwani.com/gqx2/?nPntH4=upR2KFKjs42p1EdP4ql1+FytJ5veHcIKVvPJe+9hsDBmELSeELrVJP2ZA2YHWwOMOjSiJC6f&Lh3l=ZTdtL8t8yx
http://www.theofficialtoluwani.com/gqx2/
http://www.shaffglowing.com/gqx2/?nPntH4=KhA/zwXnJUgsBxEHuGzVV5+gy2rf8S/xUCEhxADior6XXCc1M4KkV7Go+fDVN/HCwemfANa+&Lh3l=ZTdtL8t8yx
http://www.tmpaas.com/gqx2/?nPntH4=5JpUkVtS0JNuUoRlf+CFDHpP4Uxy07qT9+hKEWZ21aajybDa6hG7iO1an+96ZpJK7db/pMaD&Lh3l=ZTdtL8t8yx
http://www.shaffglowing.com/gqx2/
http://www.oaklandraidersjerseyspop.com/gqx2/
http://www.donboscohistorycorner.com/gqx2/?nPntH4=+N3LpDhTi/fP7Hwf9yN+rTh7hlKS/+ht+RV6ys2fj+a4t5CqqKB2KdcgeWwIOpMcpe/YHAwJ&Lh3l=ZTdtL8t8yx
http://www.oaklandraidersjerseyspop.com/gqx2/?nPntH4=EgmJjZ22Ewk3ZUBAMVOOKgrHeYQOJcLzmrSGfMm6T5GCaNHOwgoPLqek76Dq2OYiVDVEigp6&Lh3l=ZTdtL8t8yx
http://www.donboscohistorycorner.com/gqx2/
http://www.thebabylashes.com/gqx2/?nPntH4=GNK9yXShMMK+HA+mQO0UuqFPWoPP84MnG3zjeho+qZgE6xGhoImbl1IUPjhBqmb49Fd79M+M&Lh3l=ZTdtL8t8yx
|
14
www.tmpaas.com(43.243.108.245)
www.shaffglowing.com(185.210.145.3)
www.donboscohistorycorner.com(165.227.229.15)
www.theofficialtoluwani.com(34.102.136.180)
www.thebabylashes.com(23.227.38.74)
www.oaklandraidersjerseyspop.com(3.234.181.234)
www.teamworkdash.com(34.102.136.180) - mailcious
www.inreachpt.com(34.102.136.180) - mailcious
185.210.145.3
43.243.108.245
34.102.136.180 - mailcious
3.234.181.234 - mailcious
23.227.38.74 - mailcious
165.227.229.15
|
|
|
9.6 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43512 |
2021-02-03 18:11
|
winlog3.exe 5ec4108db8c98d030cea2bb1ea95b725
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
2
http://www.ppeaceandgloves.com/aky/?tHrt=fJr/bXrOOydqPygeucC36RKPLZWaOswXVxbDwO1Xd9dOOwwVQBbu3banfdOux07squRMjBgr&UtzXc=GFNlYtxHSPupeV
http://www.bytecommunication.com/aky/?UtzXc=GFNlYtxHSPupeV&tHrt=rii9xW2yAVjkIq2xZOjNE/j5Fqela4Uc8+1TqvkS5Mpd2SL5/rCEfL/s7QB2eT+WoS6hJ8+t
|
5
www.ppeaceandgloves.com(91.195.241.137)
www.smithvilletexashistory.com()
www.bytecommunication.com(108.62.32.215)
108.62.32.215
91.195.241.137 - mailcious
|
|
|
10.0 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43513 |
2021-02-03 17:51
|
winlog2.exe 84756d09ad2ebedc58b7a9c1f8eef37a
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
8
http://www.fadhilaaqiqah.com/oean/?0VJtG4=sNIx3+d+Vk9EHeH7EC9q5Tmy2l1x0RXkuchRdpUVobrYMUbUhiEqq/j39KrEvBnVPyS3H2Zf&jFNTe=aFNTkfKp
http://www.binggraesantorini.com/oean/
http://www.5037adairway.com/oean/
http://www.binggraesantorini.com/oean/?0VJtG4=/Tb7qIo2lpboAMxAj7Gh2hKFZ23w4lXxZLQB9l6RwaFPFjPRBAPhOCcTAbF5URuiUHLgEz+l&jFNTe=aFNTkfKp
http://www.ceejing.com/oean/?0VJtG4=sNeCokEil3n05bCMuHkoGVQWeq3WOq80ehrkGAbIdyTAKn0wwoYT6FA2uGnC4/MYFICEqumS&jFNTe=aFNTkfKp
http://www.fadhilaaqiqah.com/oean/
http://www.ceejing.com/oean/
http://www.5037adairway.com/oean/?0VJtG4=UDbslJB1q+rri679tZMgD4X+MNMiKzOXjqs7zZj0KYuc4U4K27OQ1IdPl9lyNCPJCUK9RLqX&jFNTe=aFNTkfKp
|
15
www.binggraesantorini.com(52.58.78.16)
www.classifoods.com(91.195.241.137) - mailcious
www.ceejing.com(45.32.95.179)
www.villacascabel.com(34.102.136.180) - mailcious
www.spreadaccounts.com(78.153.213.7) - mailcious
www.5037adairway.com(184.168.131.241)
www.piemontelaw.net() - mailcious
www.fadhilaaqiqah.com(172.67.219.15)
78.153.213.7 - mailcious
104.21.78.86
184.168.131.241 - mailcious
45.32.95.179
91.195.241.137 - mailcious
52.58.78.16 - mailcious
34.102.136.180 - mailcious
|
|
|
9.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43514 |
2021-02-03 17:50
|
winlog.exe d64f47ad1647d93473130d1e301adbb0
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
10
http://www.teamworkdash.com/gqx2/?5jrD_Rw=ZQeVLdaP9EWyqX8bXjuqV8BLV5S5w9PqgUgyzPf0MLEvcbi2aaDTCxVd2NzhYgYAniygw7pi&Dne0g=AFQPa05PwphlOzx
http://www.eligetucafetera.com/gqx2/?5jrD_Rw=ugyBOnsIFYLtxifZElK+MG66jquXJo8uwGSdrHtlO+FUNhRVEpehsSBNBQXnM6G4YAUs1vTR&Dne0g=AFQPa05PwphlOzx
http://www.spiderofthesea.com/gqx2/
http://www.fanninhomesforless.com/gqx2/?5jrD_Rw=fdOSUXvE6wZzQ9cHW2YQH5fCAX4vARqGP9sfwvXn2tyGLR//bC18tYmBxGkEL6jypmB19dZF&Dne0g=AFQPa05PwphlOzx
http://www.prayerswithmary.com/gqx2/?5jrD_Rw=njfRlhVj6EFspW2a0FRdDD3+20pPuTSuw1g6+/A6xC/1keaDHuewSnbFvm47zIyGVFI7XEui&Dne0g=AFQPa05PwphlOzx
http://www.fanninhomesforless.com/gqx2/
http://www.spiderofthesea.com/gqx2/?5jrD_Rw=Q1blzfWd1iL5ZbYIfd4CXQmcA8vflGzyEF+Kxk/VYfDAqqdZkJ9amDqbv+xKX/wj3ZCwkuYh&Dne0g=AFQPa05PwphlOzx
http://www.prayerswithmary.com/gqx2/
http://www.eligetucafetera.com/gqx2/
http://www.teamworkdash.com/gqx2/
|
12
www.eligetucafetera.com(186.64.118.110)
www.prayerswithmary.com(172.217.175.19)
www.inreachpt.com(34.102.136.180) - mailcious
www.spiderofthesea.com(34.102.136.180)
www.thefanexam.com(99.84.233.212) - mailcious
www.teamworkdash.com(34.102.136.180)
www.fanninhomesforless.com(34.102.136.180)
www.starlinkwebservices.com(34.102.136.180) - mailcious
172.217.31.147 - phishing
65.8.168.33
34.102.136.180 - mailcious
186.64.118.110
|
|
|
8.6 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43515 |
2021-02-03 17:33
|
vbc.exe 766ba75de87fda229a25dbccd8a6218f
VirusTotal Malware RWX flags setting unpack itself malicious URLs Tofsee DNS crashed |
|
2
cdn.discordapp.com(162.159.130.233) - malware
162.159.133.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|