43576 | 2021-02-01 23:45 | 1b31bced0a564bed9f60264f061dcd... 7fb109c410846c73a5d67a5b9b665491 | Check memory Checks debugger Creates executable files unpack itself malicious URLs sandbox evasion Remote Code Execution DNS
5.6 | M | ZeroCERT

43577 | 2021-02-01 23:45 | 6c99c19d6da741af943a35016bb05b... 11b4d2182aeaeb0462319bec4e5f09c2 | VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself Windows utilities malicious URLs Windows Advertising Remote Code Execution
5.2 | M | 35 | ZeroCERT

43578 | 2021-02-01 23:41 | winlog4.exe cdcc17e1b5807fe352b847ba8efc3c1a | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
8.6 | M | 21 | ZeroCERT

43579 | 2021-02-01 23:39 | winlog4.exe cdcc17e1b5807fe352b847ba8efc3c1a | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS
11.2 | M | 21 | ZeroCERT

43580 | 2021-02-01 23:36 | yarox.scr 13ae0f94a8dbf3b2e3c18d63807a081b | VirusTotal Malware
0.4 | M | 5 | ZeroCERT

43581 | 2021-02-01 23:31 | winlog2.exe e0a35464c8997bf189d9de32563fa11b | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs
9.2 | M | 7 | ZeroCERT

43582 | 2021-02-01 23:31 | winlog3.exe 839479471405527c2783b6ad79c1bc40 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS
URLs (2):
http://www.queromake.com/xle/?EZA4Ip=02FU7RCryUwUO1L3OanG76MvBiHCbBFpVmN0SV3cUMbph04cnI+y7TFjc9OSVdnpx95W2GvZ&GzrXY=Axo8389 http://www.winton.school/xle/?EZA4Ip=63sZlfPz0fzk+gefsezcfMIXyleq3IuiloqbfjP6qxWPzREkHOPhhfs4ZO34XbZ517SWuqyH&GzrXY=Axo8389
Hosts (6):
www.queromake.com(23.227.38.74) www.theatomicshots.com(198.49.23.144) - mailcious www.winton.school(198.54.117.216) 23.227.38.74 - mailcious 198.54.117.212 - mailcious 198.185.159.144 - mailcious
9.0 | M | 21 | ZeroCERT

43583 | 2021-02-01 23:24 | vbc2.exe e0a35464c8997bf189d9de32563fa11b | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows
12.0 | M | 7 | ZeroCERT

43584 | 2021-02-01 23:23 | winlog.exe f81ddb2074613d44e6ec49e156fef866 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS
URLs (1):
http://www.themodsmith.net/rse/?0T3DHf7=j+6b55Mb7VmWgSMJIX//DfXMTOCAgWL7/8H2+qJ3ptl9bQPg2uYWuOGRcUheNQevmxuvPKTa&zXb4g4=UfrxPp
Hosts (3):
www.consumerabc.info() www.themodsmith.net(184.168.131.241) 184.168.131.241 - mailcious
9.6 | M | 9 | ZeroCERT

43585 | 2021-02-01 23:19 | vbc.exe 5ca35c6d01a8ebcce0c2444ea6a7a55b | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS
URLs (2):
http://www.mymoneyoil.com/tmz/?MZkp=lRL4YTr1KoW8roWiDSIqJHckbb3W0KzdCktgvd/uU9hJgsdvanULgc7NeIlw75rSxGCCttPJ&U48Hj=NtetP01048jTcRN http://www.badstar.net/tmz/?MZkp=soNcoPEqXrij2eEQXreneZuYDx5TVTPv8pYtQ4bVJvC/lSaNU9r8s58hQQvEf0OpUa1Ai8j6&U48Hj=NtetP01048jTcRN
Hosts (4):
www.badstar.net(185.134.245.113) www.mymoneyoil.com(34.102.136.180) 185.134.245.113 34.102.136.180 - mailcious
8.8 | M | 16 | ZeroCERT

43586 | 2021-02-01 23:18 | ugopx.scr 963e6283c7d4698f10614845807f8f0b | VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS
URLs (1):
http://193.239.147.103/base/DF848891A7D216BAACD4B0E05C8D13AC.html - rule_id: 225
Hosts (1):
193.239.147.103 - mailcious
Other (1):
http://193.239.147.103/base/
3.6 | M | 19 | ZeroCERT

43587 | 2021-02-01 23:14 | svchost2.exe abaf4a16881e4133a46eb7db1ad760c9 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
http://becharnise.ir/fa1/fre.php
Hosts (2):
becharnise.ir(185.208.180.121) - mailcious 185.208.180.121 - mailcious
Alerts (7):
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.6 | M | 25 | ZeroCERT

43588 | 2021-02-01 23:13 | svchost.exe 2c463f7c03f8264a1b9ad8e9bc8721a7 | VirusTotal Malware Check memory RWX flags setting unpack itself
1.6 | M | 15 | ZeroCERT

43589 | 2021-02-01 23:01 | regasm.exe 2c57c1290f030436fb3addefe840fe5a | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
Hosts (2):
becharnise.ir(185.208.180.121) - mailcious 185.208.180.121
Alerts (7):
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.6 | M | 24 | ZeroCERT

43590 | 2021-02-01 23:00 | Protected Client.vbs 816473174f6851458936b335d48f4d85 | Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Java Browser Email ComputerName DNS Cryptographic key DDNS keylogger
Hosts (6):
isrealpicker.duckdns.org(185.19.85.159) fundhubusa.com(199.188.200.124) - malware google.com(172.217.27.78) 199.188.200.124 - malware 185.19.85.159 216.58.220.142
Alerts (2):
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
21.0 | M | 7 | ZeroCERT