43591 |
2021-02-01 22:48
|
OBAAA.exe bac9014a9ed1a27a92d6f13e3de236c1 Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
16.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43592 |
2021-02-01 22:48
|
pablox.scr 8097dd099b5b30cc949253b22c59aeb9 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
2
http://becharnise.ir/fa4/fre.php http://193.239.147.103/base/2901708420C1FF8D8B61D7369E94CC84.html - rule_id: 225
|
3
becharnise.ir(185.208.180.121) - mailcious 185.208.180.121 193.239.147.103 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://193.239.147.103/base/
|
13.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43593 |
2021-02-01 22:37
|
new.exe fd11932ba1ac909889ecb291e5555d25 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs human activity check Windows ComputerName DNS DDNS |
|
3
nazareen12.ddns.net(79.134.225.52) 79.134.225.52 - mailcious 185.140.53.183
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
11.2 |
M |
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43594 |
2021-02-01 22:36
|
kingtroupz.scr 93c18a3630eb1cb922a3761c45ae6dc2 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://193.239.147.103/base/98A066FCFAB6D30A84F0EC123516A557.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
1
http://193.239.147.103/base/
|
14.4 |
M |
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43595 |
2021-02-01 22:25
|
IMG_1660392.pdf.exe e7064208a3674a61a91b3dd886a1a503 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200) checkip.dyndns.org(162.88.193.70) 162.88.193.70 172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.6 |
M |
18 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43596 |
2021-02-01 22:25
|
is.exe 34effb36eea9746901723c2690bec3c7 VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
paste.ee(172.67.219.133) - mailcious 104.21.45.223 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43597 |
2021-02-01 22:11
|
document.doc 9e1772002f8791df8ccc8534c234e971 VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed |
14
http://www.thedancehalo.com/bw82/ - rule_id: 174 http://www.thedancehalo.com/bw82/?GTgP=TJmBUVi76XvdedvdT4XTiNg0xow+eIDVhd+PvrNB1pQf64xZGmJKzxet+DQnJGM605l+3b5o&5j2=Ulq8E - rule_id: 174 http://www.ondemandbarbering.com/bw82/ http://www.activagebenefits.net/bw82/?GTgP=kkzs7wdmjdk7n45UjfiLHnYXY/z1ZZpbk/YksZMR2IH2vaFa+RYbCAbMSAFheW9HER5RLpU/&5j2=Ulq8E http://www.activagebenefits.net/bw82/ http://www.rizrvd.com/bw82/?GTgP=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&5j2=Ulq8E - rule_id: 170 http://www.rizrvd.com/bw82/?GTgP=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&5j2=Ulq8E http://www.ninasangtani.com/bw82/ http://3.34.179.142/deskopc/hkcmd.exe http://www.illfingers.com/bw82/?GTgP=oL6WGk535ShIMWn5X5nbn/aOUoaL8VsOPK21+5lbgTOaDrSYSQVH4Z9wRk26hxOpEjraHrRl&5j2=Ulq8E http://www.rizrvd.com/bw82/ - rule_id: 170 http://www.illfingers.com/bw82/ http://www.ninasangtani.com/bw82/?GTgP=93QlrcGOmhPsmOLgwQd5PEYiUPAOZQsvIL0jPQXRPmTWIMdxoi8MiiqiyXGvZznnQGjs4sZc&5j2=Ulq8E http://www.ondemandbarbering.com/bw82/?GTgP=/uLN5+r0nTwG6mTCqOKXvxUOX9d2FCRa7e+MtK6cN7T3OLj7ozaH392B6MC00J0ZZtqhoxnm&5j2=Ulq8E
|
13
www.illfingers.com(162.241.217.138) www.thedancehalo.com(34.102.136.180) - mailcious www.activagebenefits.net(34.102.136.180) www.healthyfifties.com(198.20.125.69) - mailcious www.rizrvd.com(34.102.136.180) - mailcious www.ondemandbarbering.com(182.50.132.242) www.blacksailus.com() www.ninasangtani.com(34.102.136.180) 162.241.217.138 34.102.136.180 - mailcious 182.50.132.242 - mailcious 198.20.125.69 - mailcious 3.34.179.142 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
4
http://www.thedancehalo.com/bw82/ http://www.thedancehalo.com/bw82/ http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/
|
6.4 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43598 |
2021-02-01 22:11
|
hkcmd.exe b8fbbf48619bf863aba9e5eb8fb3f81e VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs |
11
http://www.activagebenefits.net/bw82/?sBvD8D=kkzs7wdmjdk7n45UjfiLHnYXY/z1ZZpbk/YksZMR2IH2vaFa+RYbCAbMSAFheW9HER5RLpU/&APcT7P=djFDaHXHkHmL http://www.thedancehalo.com/bw82/ - rule_id: 174 http://www.illfingers.com/bw82/?sBvD8D=oL6WGk535ShIMWn5X5nbn/aOUoaL8VsOPK21+5lbgTOaDrSYSQVH4Z9wRk26hxOpEjraHrRl&APcT7P=djFDaHXHkHmL http://www.wmarquezy.com/bw82/ - rule_id: 181 http://www.activagebenefits.net/bw82/ http://www.wmarquezy.com/bw82/?sBvD8D=/EPqbtSARGzilFdTRYE1urAc3bDaNMBRSm6tJpb+ckA41wFrw7Re59/hr+veajPbLei9XJ0s&APcT7P=djFDaHXHkHmL - rule_id: 181 http://www.rizrvd.com/bw82/?sBvD8D=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&APcT7P=djFDaHXHkHmL - rule_id: 170 http://www.rizrvd.com/bw82/?sBvD8D=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&APcT7P=djFDaHXHkHmL http://www.illfingers.com/bw82/ http://www.rizrvd.com/bw82/ - rule_id: 170 http://www.thedancehalo.com/bw82/?sBvD8D=TJmBUVi76XvdedvdT4XTiNg0xow+eIDVhd+PvrNB1pQf64xZGmJKzxet+DQnJGM605l+3b5o&APcT7P=djFDaHXHkHmL - rule_id: 174
|
13
www.nikolaichan.com(216.58.197.179) - mailcious www.exlineinsurance.com(182.50.132.242) - mailcious www.illfingers.com(162.241.217.138) www.thedancehalo.com(34.102.136.180) - mailcious www.activagebenefits.net(34.102.136.180) www.rizrvd.com(34.102.136.180) - mailcious www.wmarquezy.com(192.0.78.25) - mailcious www.blacksailus.com() 162.241.217.138 34.102.136.180 - mailcious 216.58.197.179 - deface 182.50.132.242 - mailcious 192.0.78.24 - mailcious
|
|
6
http://www.thedancehalo.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/ http://www.thedancehalo.com/bw82/
|
9.0 |
M |
17 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43599 |
2021-02-01 16:46
|
document.doc ae9cd0d00d776cbef69043a7d2f025c3 Dridex VirusTotal Malware exploit crash unpack itself malicious URLs Tofsee Exploit crashed |
|
2
bribble.com(35.208.60.152) 35.208.60.152
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
3.6 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43600 |
2021-02-01 12:35
|
vbc.exe 7aecb24d8babdcdf05a5848e7029e94f VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows Cryptographic key |
5
http://www.paeonystore.com/kre/?XbcPulJH=fVdkn5N/DitBhQggR74LEaJAM/79H7ZPaeruS3BugSBUurHi6N1DFnDlSn6gB1X2ZzUpTF80&Ez=ctK0 http://www.trumpgangsters.com/kre/?XbcPulJH=9UI7BRcJrOVJiYXGY1wy7EXB5HGDpYNsxFhLtRPahjl+xHtXDFL8Nrwwr3SB4a5CSm/aZ5Pr&Ez=ctK0 http://www.1823a.com/kre/?XbcPulJH=tgBv8+Uuglqxhn5vYThYYFONh49n2qhe+6hhsETYco4wQgAmxdUJOX1YqPiQK2+3qjYQNw+V&Ez=ctK0 http://www.neverstopip.com/kre/?XbcPulJH=qMhmFMOJUb0oqJiblOF4ZjX2Hn0liLqRT6TyR3D4E52tgVnGOdNkf6QKQbmF98mnTd58WGhq&Ez=ctK0 http://www.pawantakespawn.com/kre/?XbcPulJH=0hFF07bkIl12u3jYu3U87KAD+fBNC/VwfLazYSnr9vcKzPwJ5Ffis/qtA9V8wyqijEj+wKfA&Ez=ctK0
|
9
www.1823a.com(104.233.238.207) www.neverstopip.com(34.102.136.180) www.trumpgangsters.com(34.102.136.180) www.pawantakespawn.com(23.82.12.31) www.paeonystore.com(8.210.69.194) 8.210.69.194 104.233.238.207 34.102.136.180 - mailcious 23.82.12.31 - suspicious
|
|
|
9.0 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43601 |
2021-02-01 12:28
|
pppp.exe b88c6ae98565520b5abf0dbc67522f1d VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
|
5
www.google.com(172.217.26.4) 172.217.31.163 172.217.175.100 172.217.175.14 - mailcious 37.46.150.67 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43602 |
2021-02-01 12:28
|
sppp.exe b12bb3159a945df7c5944b6f4192516d VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key |
1
|
2
www.google.com(172.217.26.4) 172.217.31.132
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43603 |
2021-02-01 12:26
|
OBBBOP.exe 06f4d22f42e1d2406d5dd25c69aa92ac Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key crashed |
1
|
3
www.google.com(216.58.197.228) 172.217.174.100 193.239.147.32 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
17.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43604 |
2021-02-01 12:22
|
obbbb.exe 52f0b3acdd40bc050d4c0cdac026cf73 VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
4
http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1612149378&mv=m&mvi=7&pl=18&shardbypass=yes https://update.googleapis.com/service/update2?cup2key=10:844178793&cup2hreq=c803d7ebab594fd900f99d3cf4c07af6f5ab610770c94bf3fe7fb489e4cb2eff https://www.google.com/
|
5
www.google.com(172.217.26.4) r7---sn-3u-bh2lz.gvt1.com(59.18.45.210) 172.217.24.132 - suspicious 59.18.45.210 45.15.143.216
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43605 |
2021-02-01 12:21
|
sil.exe 8ecb4e5a7e2da81cfc68069c61d873a0 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
10.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|