43711 | 2021-01-27 09:52
Sample: regasm.exe (MD5 e6ab3de4c697f00a45320e4b7b446d8d)
Tags: Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, LokiBot, c&c, powershell, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, powershell.exe wrote, suspicious process, malicious URLs, installed browsers check, Windows, Browser, Email, ComputerName, Cryptographic key, Software
URLs (1):
  http://becharnise.ir/fa13/fre.php
Hosts (2):
  becharnise.ir(104.237.252.85) - malicious
  104.237.252.85 - malicious
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
16.2 | M | 21 | ZeroCERT

43712 | 2021-01-27 07:54
Sample: http://192.3.141.142/vbc/docum... (MD5 612cbefcc52ad75af7c64823ed1ec1f6)
Tags: Dridex, VirusTotal, Malware, Code Injection, Malicious Traffic, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
URLs (1):
  http://192.3.141.142/vbc/document.doc
Hosts (1):
Suricata alerts (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host DOC Request
  ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
5.6 |  | 23 | ZeroCERT

43713 | 2021-01-26 18:32
Sample: kingtoupx.scr (MD5 f7578590576f773532d92d481e562ef2)
Tags: VirusTotal, Malware, Check memory, Checks debugger, unpack itself, malicious URLs, ComputerName, DNS, crashed
3.2 | M | 12 | ZeroCERT

43714 | 2021-01-26 18:32
Sample: prosperx.scr (MD5 fe3d1c112fa0aa12ab303a11a77b0c6a)
Tags: VirusTotal, Malware, Buffer PE, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, DNS, crashed
URLs (1):
  http://193.239.147.103/base/817B8D2BFEA38CDAF771C594C8EDD2E5.html - rule_id: 225
Hosts (2):
  193.239.147.103 - malicious
  167.88.9.83
Rule-matched URLs (1):
  http://193.239.147.103/base/
9.0 | M | 19 | ZeroCERT

43715 | 2021-01-26 18:28
Sample: izux.scr (MD5 2329d201c907626ed3662b062aa32b41)
Tags: VirusTotal, Malware, Check memory, Checks debugger, unpack itself, malicious URLs, ComputerName, DNS, crashed
Hosts (1):
3.2 | M | 13 | ZeroCERT

43716 | 2021-01-26 18:28
Sample: globalx.scr (MD5 c44f6eff601aabba3dd3f245cb9dde54)
Tags: VirusTotal, Malware, Check memory, Checks debugger, unpack itself, malicious URLs, ComputerName, crashed
2.6 | M | 14 | ZeroCERT

43717 | 2021-01-26 18:25
Sample: arabicguyx.scr (MD5 0ab82854f449517d76898302950817ee)
Tags: Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AgentTesla, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
URLs (1):
  http://193.239.147.103/base/D1A437E767757AD4AED3D462BF223DC7.html - rule_id: 225
Hosts (3):
  mail.owlpk.com(198.187.31.7)
  198.187.31.7
  193.239.147.103 - malicious
Suricata alerts (2):
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE AgentTesla Exfil Via SMTP
Rule-matched URLs (1):
  http://193.239.147.103/base/
13.8 | M | 18 | ZeroCERT

43718 | 2021-01-26 18:24
Sample: document_s41021.doc (MD5 90e60c68d3649013b79904c12d272e3b)
Tags: VirusTotal, Malware, exploit crash, unpack itself, malicious URLs, Tofsee, Windows, Exploit, DNS, DDNS, crashed
URLs (1):
  https://cdn.discordapp.com/attachments/783539498667343886/803491652416569374/Dhiwh
Hosts (6):
  moneyds.ddns.net(54.39.198.228) - malicious
  legitfilehost4datas.ddns.net(23.95.85.164) - malicious
  cdn.discordapp.com(162.159.130.233) - malware
  54.39.198.228 - malicious
  162.159.135.233 - malware
  23.95.85.164 - malicious
Suricata alerts (3):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
4.6 | M | 25 | ZeroCERT

43719 | 2021-01-26 18:12
Sample: ap0s.doc (MD5 628fcb7fe29df6ee64286915015c3496)
Tags: VirusTotal, Malware, Malicious Traffic, ICMP traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed
URLs (25):
  http://www.plantfulllife.com/qjnt/?Lh3lv=6RjRNigwV3H1trhfkx/OcaBScyq7qfXXKRxLghQtm6nam5biFhjXIKBNUc+wRWCONsXFnvTN&UR-p=D8FtM
  http://www.masterm77.com/qjnt/
  http://www.plantfulllife.com/qjnt/
  http://www.ddhhynjy.com/qjnt/?Lh3lv=0BX5a3DXJuqkhkeAur1jCYTsSHXGzn+6jDLX5QEyju+Jwtvv6I6S+pN9LWrBr6qZSFZFUWoJ&UR-p=D8FtM
  http://www.blupointer.com/qjnt/?Lh3lv=9dKa/EKejBThEf7Ehev1Rw3g0+RWncoBsgayghByrb7SaiGOVPnpcX/N1/JzpOBmW9BZ1pLv&UR-p=D8FtM
  http://www.ddhhynjy.com/qjnt/
  http://www.hitchhikerfab.com/qjnt/
  http://www.masterm77.com/qjnt/?Lh3lv=z8rl/LcnTgkDBpq7iYzRlH4u28G3pvzpoDnGr0uuu58niVck1+R337WVBJKGDD66JB4E6Rj6&UR-p=D8FtM
  http://www.magnificosocial.com/qjnt/?Lh3lv=GpTcnCDq8KJ2mitrTj4Fk3BIAmSrE5mZgDgHw0a9tGAsf8ZasEddw0I7IksIbffritNOMvsn&UR-p=D8FtM
  http://www.olympiaopen.com/qjnt/
  http://www.magnificosocial.com/qjnt/
  http://www.everlastingnewyork.com/qjnt/
  http://www.peorig.club/qjnt/?Lh3lv=zvQ5C8AN6LS+SjG0ENJ8LummG3Xt3peeFAG6oW8Gx4ddZRlbMg4VGSUUdCNRrP4K31lA1IvS&UR-p=D8FtM
  http://www.olympiaopen.com/qjnt/?Lh3lv=HhxZTgRIZj+P8YWXsIcLtYimLLzBxB7hhRIkm8Dk9aTlSSzAos8duEnCDtPH1UV6w1DnxFHW&UR-p=D8FtM
  http://www.peorig.club/qjnt/
  http://www.blupointer.com/qjnt/
  http://www.hitchhikerfab.com/qjnt/?Lh3lv=KGtKEK537eeHi2KuPFiQHpBQXGwqu3us+JnipgV76PdXjtPQQBbs2KeUH0Vpnteq9nBjcwEy&UR-p=D8FtM
  http://www.agedeve.com/qjnt/
  http://www.everlastingnewyork.com/qjnt/?Lh3lv=c6xlLRIoagedd2evSrW5Xv80wJxsvlonc0HUpICYXTSG7qpKfMrJQWVJ7N2tc0dkGK+WqxPG&UR-p=D8FtM
  http://www.tyequip.com/qjnt/?Lh3lv=276ci3gTSuxRnPrAMI7KLy7xr0fYIbufYZAHzugFn8rF+F+kBD1HslPgaCVV1/Y9DndUpaG/&UR-p=D8FtM
  http://212.114.52.113/main/202124/ap0s.exe
  http://www.xn--9t4bi03a.com/qjnt/?Lh3lv=5BsQoKazrnex84I5GDgz/hhBWiEHJFbN6qfWvnha8iNDKsXKB3znfaVRSc9gVFuLzy11Ygt3&UR-p=D8FtM
  http://www.agedeve.com/qjnt/?Lh3lv=pAjcZQ5A69a1hIKrdL7c+HTJra0FiVZXb1TFPwj9+c0ZNxiex7h+YGjzX60BFj4UBdUe1Gn5&UR-p=D8FtM
  http://www.xn--9t4bi03a.com/qjnt/
  http://www.tyequip.com/qjnt/
Hosts (26):
  www.plantfulllife.com(34.102.136.180)
  www.gamersgangbd.com()
  www.peorig.club(95.215.210.10)
  www.olympiaopen.com(45.195.180.171)
  www.magnificosocial.com(34.102.136.180)
  www.blupointer.com(156.237.162.40)
  www.hitchhikerfab.com(156.224.235.237)
  www.agedeve.com(154.196.153.20)
  www.newenglandredsox.com()
  www.everlastingnewyork.com(34.102.136.180)
  www.masterm77.com(18.183.162.214)
  www.ggate.club()
  www.tyequip.com(3.223.115.185)
  www.ddhhynjy.com(23.228.252.153)
  www.xn--9t4bi03a.com(75.2.85.42)
  45.195.180.171
  156.237.162.40
  99.83.196.71
  18.183.162.214
  95.215.210.10
  34.102.136.180 - malicious
  23.228.252.153
  156.224.235.237
  3.223.115.185 - malicious
  154.196.153.20
  212.114.52.113
Suricata alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6.4 |  | 27 | ZeroCERT

43720 | 2021-01-26 18:10
Sample: arabicguyx.exe (MD5 3c68883aec0f8998e92336eb1e4a5dfc)
Tags: Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AgentTesla, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Disables Windows Security, powershell.exe wrote, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Tofsee, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed, keylogger
URLs (1):
  https://pastebin.com/raw/W63zsRav - rule_id: 101
Hosts (4):
  mail.owlpk.com(198.187.31.7)
  pastebin.com(104.23.99.190) - malicious
  104.23.99.190 - malicious
  198.187.31.7
Suricata alerts (3):
  SURICATA Applayer Detect protocol only one direction
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE AgentTesla Exfil Via SMTP
Rule-matched URLs (1):
  https://pastebin.com/raw/W63zsRav
16.2 | M | 16 | ZeroCERT

43721 | 2021-01-26 14:49
Sample: vbc.exe (MD5 dba3d7f3ca0f9c2d94b4d6830a344c93)
Tags: VirusTotal, Malware, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, malicious URLs, sandbox evasion, Browser, DNS
5.8 | M | 37 | ZeroCERT

43722 | 2021-01-26 14:48
Sample: rkb86q.zip.exe (MD5 58690c2e2bca2fcb6148a2c68de45d3b)
Tags: VirusTotal, Malware, PDB, unpack itself, crashed
2.2 | M | 8 | ZeroCERT

43723 | 2021-01-26 14:41
Sample: lkuz11.zip.dll (MD5 bca1b70d9f8a052f4384a9c3c826b9d6)
Tags: VirusTotal, Malware, PDB, unpack itself, crashed
2.4 | M | 12 | ZeroCERT

43724 | 2021-01-26 14:34
Sample: lkuz11.zip.exe (MD5 bca1b70d9f8a052f4384a9c3c826b9d6)
Tags: VirusTotal, Malware, PDB, unpack itself, DNS, crashed
3.0 | M | 12 | ZeroCERT

43725 | 2021-01-26 14:33
Sample: hesuoig.jpg.exe (MD5 84048d4a704ca3ed43cf15d44dceeb39)
Tags: VirusTotal, Malware
1.2 | M | 50 | ZeroCERT
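The entries above repeat infrastructure: the same C2 IP serves prosperx.scr and arabicguyx.scr, the same SMTP host receives AgentTesla exfiltration from arabicguyx.scr and arabicguyx.exe, and lkuz11.zip.dll and lkuz11.zip.exe carry the same MD5. The script below is an added example, not code from the page or from ZeroCERT: it parses the URL and host columns in the form they take in this listing (the "name(ip) - tag" grammar is inferred from the records, and the tag is matched generically so either spelling of the tag works), copies a handful of the records verbatim as its input, and reports every indicator that more than one sample references. The "43714 prosperx.scr" style keys are labels chosen here, not a field of the listing.

```python
"""Pull indicators out of ZeroCERT-style listing records and find the
infrastructure that more than one sample shares (added example; the
record text is copied from the listing, the grammar is inferred from it)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host column as it appears on the page: "name(ip) - tag", "name()" for an
# unresolved name, or a bare "ip - tag"; the trailing tag is optional.
HOST_RE = re.compile(
    r"(?P<name>[\w.\-]+)\((?P<ip>[\d.]*)\)(?:\s+-\s+(?P<tag>\w+))?"
    r"|(?P<bare_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\s+-\s+(?P<bare_tag>\w+))?"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RULE_ID_RE = re.compile(r"\s+-\s+rule_id:\s*\d+\s*$")   # " - rule_id: 225" suffix

# Records copied from the listing above (only the fields this script uses).
SAMPLES = {
    "43711 regasm.exe": {
        "md5": "e6ab3de4c697f00a45320e4b7b446d8d",
        "urls": "http://becharnise.ir/fa13/fre.php",
        "hosts": "becharnise.ir(104.237.252.85) - malicious 104.237.252.85 - malicious",
    },
    "43714 prosperx.scr": {
        "md5": "fe3d1c112fa0aa12ab303a11a77b0c6a",
        "urls": "http://193.239.147.103/base/817B8D2BFEA38CDAF771C594C8EDD2E5.html - rule_id: 225",
        "hosts": "193.239.147.103 - malicious 167.88.9.83",
    },
    "43717 arabicguyx.scr": {
        "md5": "0ab82854f449517d76898302950817ee",
        "urls": "http://193.239.147.103/base/D1A437E767757AD4AED3D462BF223DC7.html - rule_id: 225",
        "hosts": "mail.owlpk.com(198.187.31.7) 198.187.31.7 193.239.147.103 - malicious",
    },
    "43720 arabicguyx.exe": {
        "md5": "3c68883aec0f8998e92336eb1e4a5dfc",
        "urls": "https://pastebin.com/raw/W63zsRav - rule_id: 101",
        "hosts": "mail.owlpk.com(198.187.31.7) pastebin.com(104.23.99.190) - malicious "
                 "104.23.99.190 - malicious 198.187.31.7",
    },
    "43723 lkuz11.zip.dll": {"md5": "bca1b70d9f8a052f4384a9c3c826b9d6", "urls": "", "hosts": ""},
    "43724 lkuz11.zip.exe": {"md5": "bca1b70d9f8a052f4384a9c3c826b9d6", "urls": "", "hosts": ""},
}


def parse_hosts(field):
    """Return (indicator, kind, tag) triples from a hosts column."""
    out = []
    for m in HOST_RE.finditer(field):
        if m.group("name"):
            out.append((m.group("name"), "domain", m.group("tag")))
            if m.group("ip"):                       # "name()" means unresolved
                out.append((m.group("ip"), "ipv4", m.group("tag")))
        else:
            out.append((m.group("bare_ip"), "ipv4", m.group("bare_tag")))
    return out


def parse_urls(field):
    """Split a URLs column into (url, host) pairs, dropping any rule_id suffix."""
    field = field.strip()
    if not field:
        return []
    pairs = []
    for url in re.split(r"\s+(?=https?://)", field):   # URLs are space-separated
        url = RULE_ID_RE.sub("", url)
        pairs.append((url, urlsplit(url).hostname or ""))
    return pairs


def indicators_for(rec):
    """Map every indicator in one record to its kind (md5/url/domain/ipv4)."""
    inds = {rec["md5"]: "md5"}
    for url, host in parse_urls(rec["urls"]):
        inds[url] = "url"
        if host:
            inds[host] = "ipv4" if IPV4_RE.fullmatch(host) else "domain"
    for ind, kind, _tag in parse_hosts(rec["hosts"]):
        inds[ind] = kind
    return inds


def shared_indicators(samples):
    """Indicators referenced by more than one sample: the pivot points."""
    seen = defaultdict(set)
    for sid, rec in samples.items():
        for ind in indicators_for(rec):
            seen[ind].add(sid)
    return {ind: sorted(ids) for ind, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for ind, ids in sorted(shared_indicators(SAMPLES).items()):
        print(f"{ind:40} {', '.join(ids)}")
```

The per-sample URLs differ (each hit on 193.239.147.103 has its own hash-named page), so only the host and hash level overlaps survive the pivot; that is the level at which a blocklist or a retro-hunt over proxy and mail logs is worth building from a listing like this.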