| 43711 |
2021-01-27 09:52
|
regasm.exe e6ab3de4c697f00a45320e4b7b446d8d
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://becharnise.ir/fa13/fre.php
|
2
becharnise.ir(104.237.252.85) - mailcious
104.237.252.85 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
16.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43712 |
2021-01-27 07:54
|
http://192.3.141.142/vbc/docum... 612cbefcc52ad75af7c64823ed1ec1f6
Dridex VirusTotal Malware Code Injection Malicious Traffic exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://192.3.141.142/vbc/document.doc
|
1
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DOC Request
ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
5.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43713 |
2021-01-26 18:32
|
kingtoupx.scr f7578590576f773532d92d481e562ef2
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName DNS crashed |
|
|
|
|
3.2 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43714 |
2021-01-26 18:32
|
prosperx.scr fe3d1c112fa0aa12ab303a11a77b0c6a
VirusTotal Malware Buffer PE Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs DNS crashed |
1
http://193.239.147.103/base/817B8D2BFEA38CDAF771C594C8EDD2E5.html - rule_id: 225
|
2
193.239.147.103 - mailcious
167.88.9.83
|
|
1
http://193.239.147.103/base/
|
9.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43715 |
2021-01-26 18:28
|
izux.scr 2329d201c907626ed3662b062aa32b41
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName DNS crashed |
|
1
|
|
|
3.2 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43716 |
2021-01-26 18:28
|
globalx.scr c44f6eff601aabba3dd3f245cb9dde54
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName crashed |
|
|
|
|
2.6 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43717 |
2021-01-26 18:25
|
arabicguyx.scr 0ab82854f449517d76898302950817ee
Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://193.239.147.103/base/D1A437E767757AD4AED3D462BF223DC7.html - rule_id: 225
|
3
mail.owlpk.com(198.187.31.7)
198.187.31.7
193.239.147.103 - mailcious
|
2
SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil Via SMTP
|
1
http://193.239.147.103/base/
|
13.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43718 |
2021-01-26 18:24
|
document_s41021.doc 90e60c68d3649013b79904c12d272e3b
VirusTotal Malware exploit crash unpack itself malicious URLs Tofsee Windows Exploit DNS DDNS crashed |
1
https://cdn.discordapp.com/attachments/783539498667343886/803491652416569374/Dhiwh
|
6
moneyds.ddns.net(54.39.198.228) - mailcious
legitfilehost4datas.ddns.net(23.95.85.164) - mailcious
cdn.discordapp.com(162.159.130.233) - malware
54.39.198.228 - mailcious
162.159.135.233 - malware
23.95.85.164 - mailcious
|
3
ET POLICY DNS Query to DynDNS Domain *.ddns .net
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
4.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43719 |
2021-01-26 18:12
|
ap0s.doc 628fcb7fe29df6ee64286915015c3496
VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed |
25
http://www.plantfulllife.com/qjnt/?Lh3lv=6RjRNigwV3H1trhfkx/OcaBScyq7qfXXKRxLghQtm6nam5biFhjXIKBNUc+wRWCONsXFnvTN&UR-p=D8FtM
http://www.masterm77.com/qjnt/
http://www.plantfulllife.com/qjnt/
http://www.ddhhynjy.com/qjnt/?Lh3lv=0BX5a3DXJuqkhkeAur1jCYTsSHXGzn+6jDLX5QEyju+Jwtvv6I6S+pN9LWrBr6qZSFZFUWoJ&UR-p=D8FtM
http://www.blupointer.com/qjnt/?Lh3lv=9dKa/EKejBThEf7Ehev1Rw3g0+RWncoBsgayghByrb7SaiGOVPnpcX/N1/JzpOBmW9BZ1pLv&UR-p=D8FtM
http://www.ddhhynjy.com/qjnt/
http://www.hitchhikerfab.com/qjnt/
http://www.masterm77.com/qjnt/?Lh3lv=z8rl/LcnTgkDBpq7iYzRlH4u28G3pvzpoDnGr0uuu58niVck1+R337WVBJKGDD66JB4E6Rj6&UR-p=D8FtM
http://www.magnificosocial.com/qjnt/?Lh3lv=GpTcnCDq8KJ2mitrTj4Fk3BIAmSrE5mZgDgHw0a9tGAsf8ZasEddw0I7IksIbffritNOMvsn&UR-p=D8FtM
http://www.olympiaopen.com/qjnt/
http://www.magnificosocial.com/qjnt/
http://www.everlastingnewyork.com/qjnt/
http://www.peorig.club/qjnt/?Lh3lv=zvQ5C8AN6LS+SjG0ENJ8LummG3Xt3peeFAG6oW8Gx4ddZRlbMg4VGSUUdCNRrP4K31lA1IvS&UR-p=D8FtM
http://www.olympiaopen.com/qjnt/?Lh3lv=HhxZTgRIZj+P8YWXsIcLtYimLLzBxB7hhRIkm8Dk9aTlSSzAos8duEnCDtPH1UV6w1DnxFHW&UR-p=D8FtM
http://www.peorig.club/qjnt/
http://www.blupointer.com/qjnt/
http://www.hitchhikerfab.com/qjnt/?Lh3lv=KGtKEK537eeHi2KuPFiQHpBQXGwqu3us+JnipgV76PdXjtPQQBbs2KeUH0Vpnteq9nBjcwEy&UR-p=D8FtM
http://www.agedeve.com/qjnt/
http://www.everlastingnewyork.com/qjnt/?Lh3lv=c6xlLRIoagedd2evSrW5Xv80wJxsvlonc0HUpICYXTSG7qpKfMrJQWVJ7N2tc0dkGK+WqxPG&UR-p=D8FtM
http://www.tyequip.com/qjnt/?Lh3lv=276ci3gTSuxRnPrAMI7KLy7xr0fYIbufYZAHzugFn8rF+F+kBD1HslPgaCVV1/Y9DndUpaG/&UR-p=D8FtM
http://212.114.52.113/main/202124/ap0s.exe
http://www.xn--9t4bi03a.com/qjnt/?Lh3lv=5BsQoKazrnex84I5GDgz/hhBWiEHJFbN6qfWvnha8iNDKsXKB3znfaVRSc9gVFuLzy11Ygt3&UR-p=D8FtM
http://www.agedeve.com/qjnt/?Lh3lv=pAjcZQ5A69a1hIKrdL7c+HTJra0FiVZXb1TFPwj9+c0ZNxiex7h+YGjzX60BFj4UBdUe1Gn5&UR-p=D8FtM
http://www.xn--9t4bi03a.com/qjnt/
http://www.tyequip.com/qjnt/
|
26
www.plantfulllife.com(34.102.136.180)
www.gamersgangbd.com()
www.peorig.club(95.215.210.10)
www.olympiaopen.com(45.195.180.171)
www.magnificosocial.com(34.102.136.180)
www.blupointer.com(156.237.162.40)
www.hitchhikerfab.com(156.224.235.237)
www.agedeve.com(154.196.153.20)
www.newenglandredsox.com()
www.everlastingnewyork.com(34.102.136.180)
www.masterm77.com(18.183.162.214)
www.ggate.club()
www.tyequip.com(3.223.115.185)
www.ddhhynjy.com(23.228.252.153)
www.xn--9t4bi03a.com(75.2.85.42)
45.195.180.171
156.237.162.40
99.83.196.71
18.183.162.214
95.215.210.10
34.102.136.180 - mailcious
23.228.252.153
156.224.235.237
3.223.115.185 - mailcious
154.196.153.20
212.114.52.113
|
5
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43720 |
2021-01-26 18:10
|
arabicguyx.exe 3c68883aec0f8998e92336eb1e4a5dfc
Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
1
https://pastebin.com/raw/W63zsRav - rule_id: 101
|
4
mail.owlpk.com(198.187.31.7)
pastebin.com(104.23.99.190) - mailcious
104.23.99.190 - mailcious
198.187.31.7
|
3
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE AgentTesla Exfil Via SMTP
|
1
https://pastebin.com/raw/W63zsRav
|
16.2 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43721 |
2021-01-26 14:49
|
vbc.exe dba3d7f3ca0f9c2d94b4d6830a344c93
VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs sandbox evasion Browser DNS |
|
|
|
|
5.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43722 |
2021-01-26 14:48
|
rkb86q.zip.exe 58690c2e2bca2fcb6148a2c68de45d3b
VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
2.2 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43723 |
2021-01-26 14:41
|
lkuz11.zip.dll bca1b70d9f8a052f4384a9c3c826b9d6
VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
2.4 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43724 |
2021-01-26 14:34
|
lkuz11.zip.exe bca1b70d9f8a052f4384a9c3c826b9d6
VirusTotal Malware PDB unpack itself DNS crashed |
|
|
|
|
3.0 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43725 |
2021-01-26 14:33
|
hesuoig.jpg.exe 84048d4a704ca3ed43cf15d44dceeb39
VirusTotal Malware |
|
|
|
|
1.2 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|