| 43651 |
2021-01-28 09:43
|
b8bejqqlu.zip.exe a4b9e098c98cd47e18f8c6a1ad8897c1
VirusTotal Malware PDB Check memory unpack itself malicious URLs WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
3.6 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43652 |
2021-01-28 09:43
|
engkeyz.scr 0eda2db28f1121fb5d2d6a4095f56c98
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://193.239.147.103/base/B9C222805990160F9B6328AD0B8E747E.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
1
http://193.239.147.103/base/
|
13.2 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43653 |
2021-01-28 09:23
|
vbc.exe fcbfe0655ddb6609b6145f5798e7c9bf
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed |
|
|
|
|
9.4 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43654 |
2021-01-28 09:19
|
111.exe 7fe2322db3d58f5b993fadbaaff908be
Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Browser Email ComputerName DNS Software |
1
http://168.119.251.131/index.php
|
1
|
3
ET MALWARE AZORult Variant.4 Checkin M2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE AZORult v3.2 Server Response M1
|
|
15.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43655 |
2021-01-28 09:19
|
document.doc e2c1faf78a91f45c6f641d24d639865d
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
1
http://198.144.176.167/hkcmd/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43656 |
2021-01-27 18:43
|
http://mkontakt.az/111.exe 7fe2322db3d58f5b993fadbaaff908be
Dridex VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://mkontakt.az/111.exe
|
2
mkontakt.az(181.214.31.82) - malware
181.214.31.82 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.2 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43657 |
2021-01-27 18:23
|
x2.exe 39de62da4dfeff9120a26dde09bdc502
VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows DNS |
3
http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe
http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1611738980&mv=m&mvi=7&pl=18&shardbypass=yes
https://update.googleapis.com/service/update2?cup2key=10:3980937290&cup2hreq=19d6c928944230667bafc7586f7fa28265e20679d0e05b3cab22276b420157df
|
3
r7---sn-3u-bh2lz.gvt1.com(59.18.45.210)
108.177.125.100
59.18.45.210
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
|
|
3.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43658 |
2021-01-27 18:22
|
x.exe 0b184fd1c1c4004732543ec8fcfb2dec
VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43659 |
2021-01-27 18:11
|
winlog.exe 3ed71f97489274760b6cf02192304259
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS |
16
http://www.304shaughnessygreen.info/oean/
http://www.rentapalla.com/oean/?tFQt=uJMS4n8hnAfXh1eQEpEiAtJtgQ+Goi3J4PdJxqA1a4iBE1ZCLNY3VKBiZQq62bMdHueqr4Es&CTsX=ctxlUjex
http://www.whitehatiq.com/oean/
http://www.noreservationsxpress.com/oean/
http://www.keboate.club/oean/
http://www.spreadaccounts.com/oean/
http://www.whitehatiq.com/oean/?tFQt=KWGdH6HDVOkHecSJWqueEpGu4EnLOQ+fhcKc7xJOVn1RfkZtY0+vTtgZvstCJF/v0hGzsVaB&CTsX=ctxlUjex
http://www.spreadaccounts.com/oean/?tFQt=AVPoclZBn6YUGHdvJG1nvrD0t0OfwKp1UGP/USi75Cd0r/08+bo7uLN+JKd2heq33dw8S6ca&CTsX=ctxlUjex
http://www.noreservationsxpress.com/oean/?tFQt=CvsxKoM60OfQ8fGTXBbpdXnTwCPpEEaCmzHFCHzAWcKTIFnzrwhUNsIxVjQlwFCJZxG1hBBK&CTsX=ctxlUjex
http://www.keboate.club/oean/?tFQt=QSIVnL8FsQ86I9ftObQFTaTfjHXZPmA+lf/i1wqWHQ+DpjJN0tThUQdryDm/gQdAyh4Bi8f2&CTsX=ctxlUjex
http://www.rentapalla.com/oean/
http://www.classifoods.com/oean/
http://www.villacascabel.com/oean/
http://www.classifoods.com/oean/?tFQt=tlpEk5Yc5HGF6dX8xlIEZIOmNCoa9q/DjdEupl7JLSvP8LDGQNEf4EYqcnXPjKH0Da/na0Nh&CTsX=ctxlUjex
http://www.villacascabel.com/oean/?tFQt=y9e/MxDXq6znQynJS/4/YFbhG21L4hlaZJ1Zs6chlC0G5OG4Wqgq2h88dorsMfhQdkUW0v2C&CTsX=ctxlUjex
http://www.304shaughnessygreen.info/oean/?tFQt=d8/ljYFd44S3ZY/csWUnApMkbVV7hvzPIdajggbW2e5rOGYmCrO1nG5hqAHp7fX+BfduudFO&CTsX=ctxlUjex
|
16
www.rentapalla.com(184.72.229.176)
www.classifoods.com(91.195.241.137)
www.villacascabel.com(34.102.136.180)
www.whitehatiq.com(74.208.236.196)
www.spreadaccounts.com(78.153.213.7)
www.piemontelaw.net()
www.noreservationsxpress.com(91.195.241.137)
www.keboate.club(95.215.210.10)
www.304shaughnessygreen.info(198.54.117.212)
198.54.117.218 - mailcious
78.153.213.7
91.195.241.137 - mailcious
74.208.236.196 - mailcious
34.102.136.180 - mailcious
95.215.210.10 - mailcious
184.72.229.176
|
|
|
10.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43660 |
2021-01-27 18:10
|
regasm.exe 1c542066dfe0b5bf71f31f6fb040bea8
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://becharnise.ir/fa11/fre.php
|
2
becharnise.ir(104.237.252.85) - mailcious
104.237.252.85 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
12.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43661 |
2021-01-27 18:03
|
omamsa.exe 8e4e60df0ee32e049f04663cc631d739
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://193.239.147.103/base/ED373B21DE74B174904C90C4F88850ED.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
1
http://193.239.147.103/base/
|
13.6 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43662 |
2021-01-27 18:03
|
IMG-50230.pdf.exe beb09e991a41577e79dfabc58178a44f
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key |
3
http://www.lujanlimo.com/zrmt/?CP=Beq8FbisEkqsrqM6klh+Gyi53mF46o1BjhTFQb6w5+5tvHm1/bEpGxsYejS6UpKw+LMqh+Pf&Cb=hN9p3VdH
http://www.wirelesschargerkings.com/zrmt/?CP=acObcxrqEZYNQkbfM0pAtiKzDw/RiaHZTsQqBgt5z62YX7az0UmoTE9uSlE6Z14wouDX7k5U&Cb=hN9p3VdH
https://www.google.com/
|
7
www.lujanlimo.com(164.88.90.236)
www.khanhvps.design()
www.wirelesschargerkings.com(23.227.38.74)
www.google.com(172.217.31.164)
108.177.125.99
23.227.38.74 - mailcious
164.88.90.236
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
|
|
10.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43663 |
2021-01-27 17:58
|
530340.cls.exe c740bdab4e7f09140d91c235867b5b4f
VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43664 |
2021-01-27 17:56
|
IMG-50230.pdf.exe beb09e991a41577e79dfabc58178a44f
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key |
1
|
2
www.google.com(172.217.31.164)
108.177.97.104
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.2 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43665 |
2021-01-27 17:34
|
winlog6.exe cf1df9447bb09096f96cc7ff65852e73
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
|
1
zunlen.com(95.181.155.246) - mailcious
|
|
|
11.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|