| 43576 |
2021-02-01 23:45
|
1b31bced0a564bed9f60264f061dcd... 7fb109c410846c73a5d67a5b9b665491
Check memory Checks debugger Creates executable files unpack itself malicious URLs sandbox evasion Remote Code Execution DNS |
|
|
|
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43577 |
2021-02-01 23:45
|
6c99c19d6da741af943a35016bb05b... 11b4d2182aeaeb0462319bec4e5f09c2
VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself Windows utilities malicious URLs Windows Advertising Remote Code Execution |
|
|
|
|
5.2 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43578 |
2021-02-01 23:41
|
winlog4.exe cdcc17e1b5807fe352b847ba8efc3c1a
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs |
|
|
|
|
8.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43579 |
2021-02-01 23:39
|
winlog4.exe cdcc17e1b5807fe352b847ba8efc3c1a
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS |
8
http://www.peteza-in-france.com/hvu9/
http://www.kharismahadi.com/hvu9/?iBIXfj=F1OwUPQiCh/0Vn11cuVzVNWd3pqqCu/Q6rT3g++mklU4g1BvaCQjh0CEjC0+YXwn//vntoIj&_R-d4b=ZL0XMDvPuhP
http://www.maskeando.com/hvu9/?iBIXfj=xxNu+5c7YTM/GfN/JwE906pSNlgwn0LIx6brQrQZFJpFs6yNskxbccxi+miW8at+kAu3XTK0&_R-d4b=ZL0XMDvPuhP
http://www.hometuitionteachers.com/hvu9/?iBIXfj=MYXCQXVE065r2MvwhucU+1iGYEu7Pq+6VTN/7AJiZkPIlTjYryhddItG/120EZa9xP4CVtiK&_R-d4b=ZL0XMDvPuhP
http://www.hometuitionteachers.com/hvu9/
http://www.maskeando.com/hvu9/
http://www.kharismahadi.com/hvu9/
http://www.peteza-in-france.com/hvu9/?iBIXfj=Y3ZEwa2X9Gxr04NROSXx6H85JJnIy+8XvbopnuVGE2V2ItqO8nIJaNEw7odhffLPwmh6+g2b&_R-d4b=ZL0XMDvPuhP
|
12
www.kharismahadi.com(139.162.30.170)
www.peteza-in-france.com(52.89.50.242)
www.delraymessageandtherapy.com(198.167.136.103)
www.ralph-jones-home-plans.com(35.172.94.1) - mailcious
www.maskeando.com(82.98.132.55)
www.hometuitionteachers.com(3.128.254.231)
52.89.50.242
139.162.30.170
100.24.208.97
198.167.136.103
3.128.254.231
82.98.132.55
|
|
|
11.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43580 |
2021-02-01 23:36
|
yarox.scr 13ae0f94a8dbf3b2e3c18d63807a081b
VirusTotal Malware |
|
|
|
|
0.4 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43581 |
2021-02-01 23:31
|
winlog2.exe e0a35464c8997bf189d9de32563fa11b
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs |
10
http://www.juliandehaas.com/eaud/
http://www.erkdigitalmarketing.com/eaud/
http://www.crossingfinger.com/eaud/
http://www.pinnacle.international/eaud/?t8o8st4=zo7puN8gV8DGK9HXsm6Cwx8RcQQDhOYKvLxpmyKcvbkpUEhRd7HZFkT8XYtzTDrdxvnF57vn&kPm0q=K4kP
http://www.crossingfinger.com/eaud/?t8o8st4=e4ONIDLUYselYHPsd8uOYRVVdhM0r2jxjHKup047uZTxNCySf2cuYsiltYvh1J4mBTAHYHXk&kPm0q=K4kP
http://www.beambitioussummit.com/eaud/
http://www.beambitioussummit.com/eaud/?t8o8st4=HJXYRoXhtEL770Yl6f0+wIDI2J9nyHcE/fFH5HmOAB5jvbcB/qpiSD+bFWIA02TiRAny4fU6&kPm0q=K4kP
http://www.juliandehaas.com/eaud/?t8o8st4=R+vkoRTt4ezXlmzlRhPNzUzMTJKIj07cHHJJK+4O9SKVLnlPl8vKCx8zlaSH/tbOUlIVXXo0&kPm0q=K4kP
http://www.pinnacle.international/eaud/
http://www.erkdigitalmarketing.com/eaud/?t8o8st4=hWBGdLuHOK78MHRD5yKlLN9LK4h7ho2fVMqVxEc+KlLTJDB9aOklGiRqiHpsW0n2biEWcw58&kPm0q=K4kP
|
13
www.pinnacle.international(161.35.190.79)
www.learnhour.net() - mailcious
www.crossingfinger.com(154.83.105.183)
www.casinocerto.com(213.186.33.5) - mailcious
www.erkdigitalmarketing.com(192.0.78.24)
www.beambitioussummit.com(34.80.190.141)
www.juliandehaas.com(5.157.87.204)
161.35.190.79
154.83.105.183
213.186.33.5 - mailcious
34.80.190.141 - mailcious
192.0.78.24 - mailcious
5.157.87.204
|
|
|
9.2 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43582 |
2021-02-01 23:31
|
winlog3.exe 839479471405527c2783b6ad79c1bc40
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
2
http://www.queromake.com/xle/?EZA4Ip=02FU7RCryUwUO1L3OanG76MvBiHCbBFpVmN0SV3cUMbph04cnI+y7TFjc9OSVdnpx95W2GvZ&GzrXY=Axo8389
http://www.winton.school/xle/?EZA4Ip=63sZlfPz0fzk+gefsezcfMIXyleq3IuiloqbfjP6qxWPzREkHOPhhfs4ZO34XbZ517SWuqyH&GzrXY=Axo8389
|
6
www.queromake.com(23.227.38.74)
www.theatomicshots.com(198.49.23.144) - mailcious
www.winton.school(198.54.117.216)
23.227.38.74 - mailcious
198.54.117.212 - mailcious
198.185.159.144 - mailcious
|
|
|
9.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43583 |
2021-02-01 23:24
|
vbc2.exe e0a35464c8997bf189d9de32563fa11b
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows |
6
http://www.weoneqa.com/eaud/?-Z=l4RSrSTvA7ZBDB3bFnvp5TuJb2qsc3WQSXs0AcdUbA2GCX19ShwUPxXYKxLqHnKfTob8UGrB&rZ=X48HRfqP
http://www.putlocker2.site/eaud/
http://www.weoneqa.com/eaud/
http://www.pensionbackup.com/eaud/?-Z=WhMSavTyHOvE10sn7jXZ2zxDwiIZq0gTquvqJfSvKmtyQpKMFvyYAkki+71dbH2Nl6XhnONj&rZ=X48HRfqP
http://www.putlocker2.site/eaud/?-Z=AVoJMHczv7t2NCxoE+I144p7NbX+tyrB4sHs6CGWopObE6oYIg1+WLgm8dresjrhTrO2D4kG&rZ=X48HRfqP
http://www.pensionbackup.com/eaud/
|
11
www.putlocker2.site(185.53.177.13)
www.pensionbackup.com(34.102.136.180)
www.geraldreed.com(54.208.77.124) - mailcious
www.gigashit.com()
www.weoneqa.com(66.97.33.176)
www.missfoxie.com(34.102.136.180) - mailcious
www.realestatejewel.com()
185.53.177.13 - mailcious
34.102.136.180 - mailcious
66.97.33.176
54.208.77.124 - mailcious
|
|
|
12.0 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43584 |
2021-02-01 23:23
|
winlog.exe f81ddb2074613d44e6ec49e156fef866
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
1
http://www.themodsmith.net/rse/?0T3DHf7=j+6b55Mb7VmWgSMJIX//DfXMTOCAgWL7/8H2+qJ3ptl9bQPg2uYWuOGRcUheNQevmxuvPKTa&zXb4g4=UfrxPp
|
3
www.consumerabc.info()
www.themodsmith.net(184.168.131.241)
184.168.131.241 - mailcious
|
|
|
9.6 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43585 |
2021-02-01 23:19
|
vbc.exe 5ca35c6d01a8ebcce0c2444ea6a7a55b
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
2
http://www.mymoneyoil.com/tmz/?MZkp=lRL4YTr1KoW8roWiDSIqJHckbb3W0KzdCktgvd/uU9hJgsdvanULgc7NeIlw75rSxGCCttPJ&U48Hj=NtetP01048jTcRN
http://www.badstar.net/tmz/?MZkp=soNcoPEqXrij2eEQXreneZuYDx5TVTPv8pYtQ4bVJvC/lSaNU9r8s58hQQvEf0OpUa1Ai8j6&U48Hj=NtetP01048jTcRN
|
4
www.badstar.net(185.134.245.113)
www.mymoneyoil.com(34.102.136.180)
185.134.245.113
34.102.136.180 - mailcious
|
|
|
8.8 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43586 |
2021-02-01 23:18
|
ugopx.scr 963e6283c7d4698f10614845807f8f0b
VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS |
1
http://193.239.147.103/base/DF848891A7D216BAACD4B0E05C8D13AC.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
1
http://193.239.147.103/base/
|
3.6 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43587 |
2021-02-01 23:14
|
svchost2.exe abaf4a16881e4133a46eb7db1ad760c9
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://becharnise.ir/fa1/fre.php
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43588 |
2021-02-01 23:13
|
svchost.exe 2c463f7c03f8264a1b9ad8e9bc8721a7
VirusTotal Malware Check memory RWX flags setting unpack itself |
|
|
|
|
1.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43589 |
2021-02-01 23:01
|
regasm.exe 2c57c1290f030436fb3addefe840fe5a
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43590 |
2021-02-01 23:00
|
Protected Client.vbs 816473174f6851458936b335d48f4d85
Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Java Browser Email ComputerName DNS Cryptographic key DDNS keylogger |
|
6
isrealpicker.duckdns.org(185.19.85.159)
fundhubusa.com(199.188.200.124) - malware
google.com(172.217.27.78)
199.188.200.124 - malware
185.19.85.159
216.58.220.142
|
2
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
|
|
21.0 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|