| 43591 |
2021-02-01 22:48
|
OBAAA.exe bac9014a9ed1a27a92d6f13e3de236c1
Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
16.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43592 |
2021-02-01 22:48
|
pablox.scr 8097dd099b5b30cc949253b22c59aeb9
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
2
http://becharnise.ir/fa4/fre.php
http://193.239.147.103/base/2901708420C1FF8D8B61D7369E94CC84.html - rule_id: 225
|
3
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121
193.239.147.103 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://193.239.147.103/base/
|
13.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43593 |
2021-02-01 22:37
|
new.exe fd11932ba1ac909889ecb291e5555d25
VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs human activity check Windows ComputerName DNS DDNS |
|
3
nazareen12.ddns.net(79.134.225.52)
79.134.225.52 - mailcious
185.140.53.183
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
11.2 |
M |
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43594 |
2021-02-01 22:36
|
kingtroupz.scr 93c18a3630eb1cb922a3761c45ae6dc2
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://193.239.147.103/base/98A066FCFAB6D30A84F0EC123516A557.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
1
http://193.239.147.103/base/
|
14.4 |
M |
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43595 |
2021-02-01 22:25
|
IMG_1660392.pdf.exe e7064208a3674a61a91b3dd886a1a503
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
162.88.193.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.6 |
M |
18 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43596 |
2021-02-01 22:25
|
is.exe 34effb36eea9746901723c2690bec3c7
VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
paste.ee(172.67.219.133) - mailcious
104.21.45.223 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43597 |
2021-02-01 22:11
|
document.doc 9e1772002f8791df8ccc8534c234e971
VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed |
14
http://www.thedancehalo.com/bw82/ - rule_id: 174
http://www.thedancehalo.com/bw82/?GTgP=TJmBUVi76XvdedvdT4XTiNg0xow+eIDVhd+PvrNB1pQf64xZGmJKzxet+DQnJGM605l+3b5o&5j2=Ulq8E - rule_id: 174
http://www.ondemandbarbering.com/bw82/
http://www.activagebenefits.net/bw82/?GTgP=kkzs7wdmjdk7n45UjfiLHnYXY/z1ZZpbk/YksZMR2IH2vaFa+RYbCAbMSAFheW9HER5RLpU/&5j2=Ulq8E
http://www.activagebenefits.net/bw82/
http://www.rizrvd.com/bw82/?GTgP=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&5j2=Ulq8E - rule_id: 170
http://www.rizrvd.com/bw82/?GTgP=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&5j2=Ulq8E
http://www.ninasangtani.com/bw82/
http://3.34.179.142/deskopc/hkcmd.exe
http://www.illfingers.com/bw82/?GTgP=oL6WGk535ShIMWn5X5nbn/aOUoaL8VsOPK21+5lbgTOaDrSYSQVH4Z9wRk26hxOpEjraHrRl&5j2=Ulq8E
http://www.rizrvd.com/bw82/ - rule_id: 170
http://www.illfingers.com/bw82/
http://www.ninasangtani.com/bw82/?GTgP=93QlrcGOmhPsmOLgwQd5PEYiUPAOZQsvIL0jPQXRPmTWIMdxoi8MiiqiyXGvZznnQGjs4sZc&5j2=Ulq8E
http://www.ondemandbarbering.com/bw82/?GTgP=/uLN5+r0nTwG6mTCqOKXvxUOX9d2FCRa7e+MtK6cN7T3OLj7ozaH392B6MC00J0ZZtqhoxnm&5j2=Ulq8E
|
13
www.illfingers.com(162.241.217.138)
www.thedancehalo.com(34.102.136.180) - mailcious
www.activagebenefits.net(34.102.136.180)
www.healthyfifties.com(198.20.125.69) - mailcious
www.rizrvd.com(34.102.136.180) - mailcious
www.ondemandbarbering.com(182.50.132.242)
www.blacksailus.com()
www.ninasangtani.com(34.102.136.180)
162.241.217.138
34.102.136.180 - mailcious
182.50.132.242 - mailcious
198.20.125.69 - mailcious
3.34.179.142 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
4
http://www.thedancehalo.com/bw82/
http://www.thedancehalo.com/bw82/
http://www.rizrvd.com/bw82/
http://www.rizrvd.com/bw82/
|
6.4 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43598 |
2021-02-01 22:11
|
hkcmd.exe b8fbbf48619bf863aba9e5eb8fb3f81e
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs |
11
http://www.activagebenefits.net/bw82/?sBvD8D=kkzs7wdmjdk7n45UjfiLHnYXY/z1ZZpbk/YksZMR2IH2vaFa+RYbCAbMSAFheW9HER5RLpU/&APcT7P=djFDaHXHkHmL
http://www.thedancehalo.com/bw82/ - rule_id: 174
http://www.illfingers.com/bw82/?sBvD8D=oL6WGk535ShIMWn5X5nbn/aOUoaL8VsOPK21+5lbgTOaDrSYSQVH4Z9wRk26hxOpEjraHrRl&APcT7P=djFDaHXHkHmL
http://www.wmarquezy.com/bw82/ - rule_id: 181
http://www.activagebenefits.net/bw82/
http://www.wmarquezy.com/bw82/?sBvD8D=/EPqbtSARGzilFdTRYE1urAc3bDaNMBRSm6tJpb+ckA41wFrw7Re59/hr+veajPbLei9XJ0s&APcT7P=djFDaHXHkHmL - rule_id: 181
http://www.rizrvd.com/bw82/?sBvD8D=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&APcT7P=djFDaHXHkHmL - rule_id: 170
http://www.rizrvd.com/bw82/?sBvD8D=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&APcT7P=djFDaHXHkHmL
http://www.illfingers.com/bw82/
http://www.rizrvd.com/bw82/ - rule_id: 170
http://www.thedancehalo.com/bw82/?sBvD8D=TJmBUVi76XvdedvdT4XTiNg0xow+eIDVhd+PvrNB1pQf64xZGmJKzxet+DQnJGM605l+3b5o&APcT7P=djFDaHXHkHmL - rule_id: 174
|
13
www.nikolaichan.com(216.58.197.179) - mailcious
www.exlineinsurance.com(182.50.132.242) - mailcious
www.illfingers.com(162.241.217.138)
www.thedancehalo.com(34.102.136.180) - mailcious
www.activagebenefits.net(34.102.136.180)
www.rizrvd.com(34.102.136.180) - mailcious
www.wmarquezy.com(192.0.78.25) - mailcious
www.blacksailus.com()
162.241.217.138
34.102.136.180 - mailcious
216.58.197.179 - deface
182.50.132.242 - mailcious
192.0.78.24 - mailcious
|
|
6
http://www.thedancehalo.com/bw82/
http://www.wmarquezy.com/bw82/
http://www.wmarquezy.com/bw82/
http://www.rizrvd.com/bw82/
http://www.rizrvd.com/bw82/
http://www.thedancehalo.com/bw82/
|
9.0 |
M |
17 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43599 |
2021-02-01 16:46
|
document.doc ae9cd0d00d776cbef69043a7d2f025c3
Dridex VirusTotal Malware exploit crash unpack itself malicious URLs Tofsee Exploit crashed |
|
2
bribble.com(35.208.60.152)
35.208.60.152
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
3.6 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43600 |
2021-02-01 12:35
|
vbc.exe 7aecb24d8babdcdf05a5848e7029e94f
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows Cryptographic key |
5
http://www.paeonystore.com/kre/?XbcPulJH=fVdkn5N/DitBhQggR74LEaJAM/79H7ZPaeruS3BugSBUurHi6N1DFnDlSn6gB1X2ZzUpTF80&Ez=ctK0
http://www.trumpgangsters.com/kre/?XbcPulJH=9UI7BRcJrOVJiYXGY1wy7EXB5HGDpYNsxFhLtRPahjl+xHtXDFL8Nrwwr3SB4a5CSm/aZ5Pr&Ez=ctK0
http://www.1823a.com/kre/?XbcPulJH=tgBv8+Uuglqxhn5vYThYYFONh49n2qhe+6hhsETYco4wQgAmxdUJOX1YqPiQK2+3qjYQNw+V&Ez=ctK0
http://www.neverstopip.com/kre/?XbcPulJH=qMhmFMOJUb0oqJiblOF4ZjX2Hn0liLqRT6TyR3D4E52tgVnGOdNkf6QKQbmF98mnTd58WGhq&Ez=ctK0
http://www.pawantakespawn.com/kre/?XbcPulJH=0hFF07bkIl12u3jYu3U87KAD+fBNC/VwfLazYSnr9vcKzPwJ5Ffis/qtA9V8wyqijEj+wKfA&Ez=ctK0
|
9
www.1823a.com(104.233.238.207)
www.neverstopip.com(34.102.136.180)
www.trumpgangsters.com(34.102.136.180)
www.pawantakespawn.com(23.82.12.31)
www.paeonystore.com(8.210.69.194)
8.210.69.194
104.233.238.207
34.102.136.180 - mailcious
23.82.12.31 - suspicious
|
|
|
9.0 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43601 |
2021-02-01 12:28
|
pppp.exe b88c6ae98565520b5abf0dbc67522f1d
VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
|
5
www.google.com(172.217.26.4)
172.217.31.163
172.217.175.100
172.217.175.14 - mailcious
37.46.150.67 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43602 |
2021-02-01 12:28
|
sppp.exe b12bb3159a945df7c5944b6f4192516d
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key |
1
|
2
www.google.com(172.217.26.4)
172.217.31.132
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43603 |
2021-02-01 12:26
|
OBBBOP.exe 06f4d22f42e1d2406d5dd25c69aa92ac
Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key crashed |
1
|
3
www.google.com(216.58.197.228)
172.217.174.100
193.239.147.32 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
17.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43604 |
2021-02-01 12:22
|
obbbb.exe 52f0b3acdd40bc050d4c0cdac026cf73
VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
4
http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe
http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1612149378&mv=m&mvi=7&pl=18&shardbypass=yes
https://update.googleapis.com/service/update2?cup2key=10:844178793&cup2hreq=c803d7ebab594fd900f99d3cf4c07af6f5ab610770c94bf3fe7fb489e4cb2eff
https://www.google.com/
|
5
www.google.com(172.217.26.4)
r7---sn-3u-bh2lz.gvt1.com(59.18.45.210)
172.217.24.132 - suspicious
59.18.45.210
45.15.143.216
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43605 |
2021-02-01 12:21
|
sil.exe 8ecb4e5a7e2da81cfc68069c61d873a0
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
10.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|