43651 | 2021-01-28 09:43
  File:     b8bejqqlu.zip.exe
  MD5:      a4b9e098c98cd47e18f8c6a1ad8897c1
  Tags:     VirusTotal, Malware, PDB, Check memory, unpack itself, malicious URLs, WriteConsoleW, Windows, DNS, Cryptographic key
  URLs:     none
  Hosts:    none
  Suricata: none
  Mal-URL rule hits: none
  Score: 3.6 | M | 17 | ZeroCERT

43652 | 2021-01-28 09:43
  File:     engkeyz.scr
  MD5:      0eda2db28f1121fb5d2d6a4095f56c98
  Tags:     Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
  URLs (1):
    http://193.239.147.103/base/B9C222805990160F9B6328AD0B8E747E.html - rule_id: 225
  Hosts (1):
    193.239.147.103 - malicious
  Suricata: none
  Mal-URL rule hits (1):
    http://193.239.147.103/base/
  Score: 13.2 | M | 12 | ZeroCERT

43653 | 2021-01-28 09:23
  File:     vbc.exe
  MD5:      fcbfe0655ddb6609b6145f5798e7c9bf
  Tags:     VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, ComputerName, crashed
  URLs:     none
  Hosts:    none
  Suricata: none
  Mal-URL rule hits: none
  Score: 9.4 | - | 15 | ZeroCERT

43654 | 2021-01-28 09:19
  File:     111.exe
  MD5:      7fe2322db3d58f5b993fadbaaff908be
  Tags:     Browser Info Stealer, Malware download, FTP Client Info Stealer, Azorult, VirusTotal, Email Client Info Stealer, Malware, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Collect installed applications, AppData folder, malicious URLs, sandbox evasion, anti-virtualization, installed browsers check, Browser, Email, ComputerName, DNS, Software
  URLs (1):
    http://168.119.251.131/index.php
  Hosts (1): not listed in the source
  Suricata (3):
    ET MALWARE AZORult Variant.4 Checkin M2
    ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
    ET MALWARE AZORult v3.2 Server Response M1
  Mal-URL rule hits: none
  Score: 15.6 | M | 43 | ZeroCERT
  Note: same MD5 as the file fetched in entry 43656 (http://mkontakt.az/111.exe); the AZORult check-in and server-response signatures fire here, not there.

43655 | 2021-01-28 09:19
  File:     document.doc
  MD5:      e2c1faf78a91f45c6f641d24d639865d
  Tags:     VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed, Downloader
  URLs (1):
    http://198.144.176.167/hkcmd/vbc.exe
  Hosts (1): not listed in the source
  Suricata (6):
    ET INFO Executable Download from dotted-quad Host
    ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
    ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Mal-URL rule hits: none
  Score: 5.2 | - | 24 | ZeroCERT
  Note: the fetched filename matches vbc.exe in entry 43653, but the listing records no hash for the download, so the link is by name only.

43656 | 2021-01-27 18:43
  Submitted: http://mkontakt.az/111.exe
  MD5:      7fe2322db3d58f5b993fadbaaff908be
  Tags:     Dridex, VirusTotal, Malware, Code Injection, Creates executable files, exploit crash, unpack itself, Windows utilities, AppData folder, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
  URLs (1):
    http://mkontakt.az/111.exe
  Hosts (2):
    mkontakt.az(181.214.31.82) - malware
    181.214.31.82 - malicious
  Suricata (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
    ET POLICY PE EXE or DLL Windows file download HTTP
  Mal-URL rule hits: none
  Score: 5.2 | - | 26 | ZeroCERT
  Note: the Dridex and Tofsee tags on this run rest only on JA3 alerts, which fingerprint the TLS client stack rather than a malware family. The downloaded file has the same MD5 as entry 43654, where content signatures (AZORult check-in and server response) identify it as AZORult.

43657 | 2021-01-27 18:23
  File:     x2.exe
  MD5:      39de62da4dfeff9120a26dde09bdc502
  Tags:     VirusTotal, Malware, Malicious Traffic, unpack itself, Tofsee, Windows, DNS
  URLs (3):
    http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe
    http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1611738980&mv=m&mvi=7&pl=18&shardbypass=yes
    https://update.googleapis.com/service/update2?cup2key=10:3980937290&cup2hreq=19d6c928944230667bafc7586f7fa28265e20679d0e05b3cab22276b420157df
  Hosts (3):
    r7---sn-3u-bh2lz.gvt1.com(59.18.45.210)
    108.177.125.100
    59.18.45.210
  Suricata (3):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO EXE - Served Attached HTTP
  Mal-URL rule hits: none
  Score: 3.8 | M | 20 | ZeroCERT
  Note: every recorded URL and host here is Google Update infrastructure (a GoogleUpdateSetup.exe download). The only non-policy alert is the SSLBL Tofsee JA3 fingerprint, which this sandbox also raised on entries 43656, 43662 and 43664; a JA3 hit identifies a TLS client stack and is not evidence of Tofsee by itself.

43658 | 2021-01-27 18:22
  File:     x.exe
  MD5:      0b184fd1c1c4004732543ec8fcfb2dec
  Tags:     VirusTotal, Malware, unpack itself
  URLs:     none
  Hosts:    none
  Suricata: none
  Mal-URL rule hits: none
  Score: 1.8 | M | 19 | ZeroCERT

43659 | 2021-01-27 18:11
  File:     winlog.exe
  MD5:      3ed71f97489274760b6cf02192304259
  Tags:     VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, malicious URLs, DNS
  URLs (16):
    http://www.304shaughnessygreen.info/oean/
    http://www.rentapalla.com/oean/?tFQt=uJMS4n8hnAfXh1eQEpEiAtJtgQ+Goi3J4PdJxqA1a4iBE1ZCLNY3VKBiZQq62bMdHueqr4Es&CTsX=ctxlUjex
    http://www.whitehatiq.com/oean/
    http://www.noreservationsxpress.com/oean/
    http://www.keboate.club/oean/
    http://www.spreadaccounts.com/oean/
    http://www.whitehatiq.com/oean/?tFQt=KWGdH6HDVOkHecSJWqueEpGu4EnLOQ+fhcKc7xJOVn1RfkZtY0+vTtgZvstCJF/v0hGzsVaB&CTsX=ctxlUjex
    http://www.spreadaccounts.com/oean/?tFQt=AVPoclZBn6YUGHdvJG1nvrD0t0OfwKp1UGP/USi75Cd0r/08+bo7uLN+JKd2heq33dw8S6ca&CTsX=ctxlUjex
    http://www.noreservationsxpress.com/oean/?tFQt=CvsxKoM60OfQ8fGTXBbpdXnTwCPpEEaCmzHFCHzAWcKTIFnzrwhUNsIxVjQlwFCJZxG1hBBK&CTsX=ctxlUjex
    http://www.keboate.club/oean/?tFQt=QSIVnL8FsQ86I9ftObQFTaTfjHXZPmA+lf/i1wqWHQ+DpjJN0tThUQdryDm/gQdAyh4Bi8f2&CTsX=ctxlUjex
    http://www.rentapalla.com/oean/
    http://www.classifoods.com/oean/
    http://www.villacascabel.com/oean/
    http://www.classifoods.com/oean/?tFQt=tlpEk5Yc5HGF6dX8xlIEZIOmNCoa9q/DjdEupl7JLSvP8LDGQNEf4EYqcnXPjKH0Da/na0Nh&CTsX=ctxlUjex
    http://www.villacascabel.com/oean/?tFQt=y9e/MxDXq6znQynJS/4/YFbhG21L4hlaZJ1Zs6chlC0G5OG4Wqgq2h88dorsMfhQdkUW0v2C&CTsX=ctxlUjex
    http://www.304shaughnessygreen.info/oean/?tFQt=d8/ljYFd44S3ZY/csWUnApMkbVV7hvzPIdajggbW2e5rOGYmCrO1nG5hqAHp7fX+BfduudFO&CTsX=ctxlUjex
  Hosts (16):
    www.rentapalla.com(184.72.229.176)
    www.classifoods.com(91.195.241.137)
    www.villacascabel.com(34.102.136.180)
    www.whitehatiq.com(74.208.236.196)
    www.spreadaccounts.com(78.153.213.7)
    www.piemontelaw.net()
    www.noreservationsxpress.com(91.195.241.137)
    www.keboate.club(95.215.210.10)
    www.304shaughnessygreen.info(198.54.117.212)
    198.54.117.218 - malicious
    78.153.213.7
    91.195.241.137 - malicious
    74.208.236.196 - malicious
    34.102.136.180 - malicious
    95.215.210.10 - malicious
    184.72.229.176
  Suricata: none
  Mal-URL rule hits: none
  Score: 10.2 | M | 26 | ZeroCERT

43660 | 2021-01-27 18:10
  File:     regasm.exe
  MD5:      1c542066dfe0b5bf71f31f6fb040bea8
  Tags:     Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, Software
  URLs (1):
    http://becharnise.ir/fa11/fre.php
  Hosts (2):
    becharnise.ir(104.237.252.85) - malicious
    104.237.252.85 - malicious
  Suricata (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Mal-URL rule hits: none
  Score: 12.4 | M | 15 | ZeroCERT

43661 | 2021-01-27 18:03
  File:     omamsa.exe
  MD5:      8e4e60df0ee32e049f04663cc631d739
  Tags:     Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
  URLs (1):
    http://193.239.147.103/base/ED373B21DE74B174904C90C4F88850ED.html - rule_id: 225
  Hosts (1):
    193.239.147.103 - malicious
  Suricata: none
  Mal-URL rule hits (1):
    http://193.239.147.103/base/
  Score: 13.6 | M | 8 | ZeroCERT
  Note: a different binary from entry 43652 (engkeyz.scr) with the same tag set, the same 193.239.147.103/base/ path and the same rule 225 hit; only the hex filename in the URL differs.

43662 | 2021-01-27 18:03
  File:     IMG-50230.pdf.exe
  MD5:      beb09e991a41577e79dfabc58178a44f
  Tags:     VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Tofsee, Windows, Cryptographic key
  URLs (3):
    http://www.lujanlimo.com/zrmt/?CP=Beq8FbisEkqsrqM6klh+Gyi53mF46o1BjhTFQb6w5+5tvHm1/bEpGxsYejS6UpKw+LMqh+Pf&Cb=hN9p3VdH
    http://www.wirelesschargerkings.com/zrmt/?CP=acObcxrqEZYNQkbfM0pAtiKzDw/RiaHZTsQqBgt5z62YX7az0UmoTE9uSlE6Z14wouDX7k5U&Cb=hN9p3VdH
    https://www.google.com/
  Hosts (7):
    www.lujanlimo.com(164.88.90.236)
    www.khanhvps.design()
    www.wirelesschargerkings.com(23.227.38.74)
    www.google.com(172.217.31.164)
    108.177.125.99
    23.227.38.74 - malicious
    164.88.90.236
  Suricata (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET DROP Spamhaus DROP Listed Traffic Inbound group 19
  Mal-URL rule hits: none
  Score: 10.2 | M | 17 | ZeroCERT

43663 | 2021-01-27 17:58
  File:     530340.cls.exe
  MD5:      c740bdab4e7f09140d91c235867b5b4f
  Tags:     VirusTotal, Malware, unpack itself, Remote Code Execution
  URLs:     none
  Hosts:    none
  Suricata: none
  Mal-URL rule hits: none
  Score: 2.6 | M | 20 | ZeroCERT

43664 | 2021-01-27 17:56
  File:     IMG-50230.pdf.exe
  MD5:      beb09e991a41577e79dfabc58178a44f
  Tags:     VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Tofsee, Windows, Cryptographic key
  URLs (1): not listed in the source
  Hosts (2):
    www.google.com(172.217.31.164)
    108.177.97.104
  Suricata (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Mal-URL rule hits: none
  Score: 10.2 | - | 17 | ZeroCERT
  Note: earlier run of the same MD5 as entry 43662; this run reached no /zrmt/ URLs.

43665 | 2021-01-27 17:34
  File:     winlog6.exe
  MD5:      cf1df9447bb09096f96cc7ff65852e73
  Tags:     Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, Software
  URLs:     none
  Hosts (1):
    zunlen.com(95.181.155.246) - malicious
  Suricata: none
  Mal-URL rule hits: none
  Score: 11.2 | M | 38 | ZeroCERT
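Extracting indicators from this listing by hand is error-prone: the host column mixes "domain(ip)" tokens, names that resolved to nothing ("www.piemontelaw.net()"), bare addresses, and a " - mailcious" suffix that is attached to addresses rather than names, while URL tokens may carry a trailing " - rule_id: N". The following is an added example, not code from the listing or from the ZeroCERT sandbox. It parses those two column formats as they appear on this page and emits defanged IOCs; the dataclass and function names are the author's own, and the sample lines are constructed from entries 43652 and 43659 above.

```python
"""Parse the host and URL columns of a sandbox result listing into IOCs.

Added example (not part of the listing or of the ZeroCERT sandbox). Token
formats are taken from the page; names below are this example's own.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# One token of the host column: "domain(ip)" (ip may be empty) or a bare IPv4
# address, optionally followed by " - malicious". The listing spells the flag
# "mailcious", so both spellings are accepted.
_HOST_TOKEN = re.compile(
    r"(?:(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)\((?P<dip>[0-9.]*)\)"
    r"|(?P<ip>\b\d{1,3}(?:\.\d{1,3}){3}\b))"
    r"(?P<flag>\s+-\s+ma(?:li|il)cious)?"
)

# One token of the URL column, optionally followed by " - rule_id: N".
_URL_TOKEN = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")


@dataclass(frozen=True)
class HostIOC:
    domain: Optional[str]  # None for a bare-IP token
    ip: Optional[str]      # None when nothing resolved, e.g. "www.example.net()"
    flagged: bool          # the token carried the " - malicious" suffix


@dataclass(frozen=True)
class UrlIOC:
    url: str
    host: str
    path: str
    rule_id: Optional[int]
    dotted_quad: bool      # host is a bare IPv4, what the ET "dotted quad" alerts key on


def _valid_ip(text: str) -> Optional[str]:
    """Return the address if it is well-formed IPv4, else None."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return None


def parse_hosts(line: str) -> list[HostIOC]:
    out: list[HostIOC] = []
    for m in _HOST_TOKEN.finditer(line):
        flagged = m.group("flag") is not None
        if m.group("domain"):
            out.append(HostIOC(m.group("domain"), _valid_ip(m.group("dip")), flagged))
        else:
            ip = _valid_ip(m.group("ip"))
            if ip:  # drop malformed dotted quads such as 300.1.1.1
                out.append(HostIOC(None, ip, flagged))
    return out


def flagged_domains(hosts: list[HostIOC]) -> list[str]:
    """Domains whose resolved IP is flagged somewhere on the same line.

    The listing flags addresses, not names, so a name inherits the verdict of
    the address it resolved to in that run, and only that address: in entry
    43659 www.304shaughnessygreen.info resolved to 198.54.117.212 while the
    flagged address is 198.54.117.218, so it is not returned here.
    """
    bad_ips = {h.ip for h in hosts if h.flagged and h.ip}
    return sorted({h.domain for h in hosts if h.domain and h.ip in bad_ips})


def parse_urls(line: str) -> list[UrlIOC]:
    out: list[UrlIOC] = []
    for m in _URL_TOKEN.finditer(line):
        parsed = urlparse(m.group("url"))
        host = parsed.hostname or ""
        rule = int(m.group("rule")) if m.group("rule") else None
        out.append(UrlIOC(m.group("url"), host, parsed.path, rule, _valid_ip(host) is not None))
    return out


def defang(indicator: str) -> str:
    """Make a URL or host safe to paste into a ticket or chat."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


# Constructed sample input: the host column of entry 43659 and the URL column
# of entry 43652, copied as they appear in the listing.
SAMPLE_HOSTS = (
    "www.rentapalla.com(184.72.229.176) www.classifoods.com(91.195.241.137) "
    "www.villacascabel.com(34.102.136.180) www.whitehatiq.com(74.208.236.196) "
    "www.spreadaccounts.com(78.153.213.7) www.piemontelaw.net() "
    "www.noreservationsxpress.com(91.195.241.137) www.keboate.club(95.215.210.10) "
    "www.304shaughnessygreen.info(198.54.117.212) 198.54.117.218 - mailcious "
    "78.153.213.7 91.195.241.137 - mailcious 74.208.236.196 - mailcious "
    "34.102.136.180 - mailcious 95.215.210.10 - mailcious 184.72.229.176"
)
SAMPLE_URLS = "http://193.239.147.103/base/B9C222805990160F9B6328AD0B8E747E.html - rule_id: 225"

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for h in hosts:
        print(f"{'!' if h.flagged else ' '} {defang(h.domain or h.ip)} {h.ip or '-'}")
    print("flagged domains:", flagged_domains(hosts))
    for u in parse_urls(SAMPLE_URLS):
        print(defang(u.url), "rule", u.rule_id, "dotted-quad" if u.dotted_quad else "")
```

The flag is deliberately attached to the address token and then propagated to names through flagged_domains rather than read off the name itself, because that is how the listing records it; a name that resolves elsewhere on the next run should not carry the verdict with it.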