43756 | 2021-01-24 15:37
File: 86QEWWFXW.doc
MD5: 7258d39f41a2bbf908aa0da116d71785
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Windows DNS
URLs (1):
  http://195.159.28.230:8080/mhfe5/4bvbc6wdpodox49dx/eqc25jekko1ev4h1/gqmdy03/
Hosts (4):
  cab.mykfn.com(103.143.46.51) - malware
  69.38.130.14
  195.159.28.230
  103.143.46.51 - malware
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
7.2 | M | 36 | ZeroCERT

43757 | 2021-01-24 15:35
File: bfDxx9wOnZ6L.dll
MD5: 7a2719feebfc1580305490f1393a8b5b
Tags: VirusTotal Malware
1.2 | M | 35 | ZeroCERT

43758 | 2021-01-24 10:45
File: winlog.exe
MD5: 209a9397bb6c68626ff785164388a65d
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://zunlen.com/chief/jojo/fre.php
Hosts (2):
  zunlen.com(91.142.90.103)
  95.181.155.246
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
14.0 | M | 41 | ZeroCERT

43759 | 2021-01-24 10:45
File: vbc2.exe
MD5: 10801c62dc23ddb26ffd88b67c43c657
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed
10.6 | M | 45 | ZeroCERT

43760 | 2021-01-24 10:38
File: PATOTO.pdf.exe
MD5: c7b57a6ecc4533c754e1c04789e242d0
Tags: Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (6):
  mail.tavmachine.com(89.32.249.155)
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.113.70)
  216.146.43.70 - suspicious
  89.32.249.155 - malware
  104.21.19.200
Alerts (5):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SURICATA Applayer Detect protocol only one direction
17.8 | M | 12 | ZeroCERT

43761 | 2021-01-24 10:37
File: vbc.exe
MD5: c3d0ab8f849d88b7f0ff0020670a11e1
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
URLs (3):
  http://www.sh-ruidiclub.com/kna/?MJBx=+nx195h0NbafDtQp1QPBDOHdjCmMRQ8aKErdSAt88BDsc/u/TtSX5WL4qDGYhxz6osxlOxMX&U8kx=9rGDCxG8rZSPD4o
  http://www.melonicwater.com/kna/?MJBx=9oI7M79+QRbmhM2oxlAzxuYXzqnn3T2ubU0puNYb8AxxNo35UCQOq0sw66B6q0lorE5JaewK&U8kx=9rGDCxG8rZSPD4o
  http://www.nosyboats.com/kna/?MJBx=cgL5PBhyQayUAmaGlB2Ygqz7ix1/ecfu/XtkZEW3lCqxOcQMRXMgxa44V/QPEhaODSJalgde&U8kx=9rGDCxG8rZSPD4o
Hosts (6):
  www.sh-ruidiclub.com(107.186.80.231)
  www.nosyboats.com(91.216.107.44)
  www.melonicwater.com(207.174.214.40)
  207.174.214.40
  107.186.80.231
  91.216.107.44 - malicious
9.4 | M | 25 | ZeroCERT

43762 | 2021-01-24 10:23
File: lv.exe
MD5: 0d6e899aa1a131fc917e5814d562a06b
Tags: VirusTotal Malware AutoRuns Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check Windows ComputerName crashed
URLs (1):
Hosts (2):
  ip-api.com(208.95.112.1)
  208.95.112.1
Alerts (1):
  ET POLICY External IP Lookup ip-api.com
11.6 | M | 46 | ZeroCERT

43763 | 2021-01-24 10:20
File: GHoTgzOL9Cy.dll
MD5: 08667fc58fec60e818c3344ed718a1dd
Tags: VirusTotal Malware
1.0 | M | 21 | ZeroCERT

43764 | 2021-01-22 18:29
File: bbc.exe
MD5: 19f207b20b1d2a05aba1a1eb59da54d2
Tags: VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs ComputerName DNS crashed
5.0 | M | 34 | ZeroCERT

43765 | 2021-01-22 18:27
File: c3.dll
MD5: 81f401defa8faa2e4745590bc4f6c008
Tags: VirusTotal Malware PDB unpack itself
1.8 | M | 23 | ZeroCERT

43766 | 2021-01-22 18:26
File: alex.scr
MD5: 45a72653fb1d34a564f611c1f3594c02
Tags: VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces DNS
URLs (4):
  http://193.239.147.103/base/FAB1A25ABF3F57F3030F40686667A161.html - rule_id: 225
  http://193.239.147.103/base/8C0599C1B9B3E6070FB750C30A6E4DE5.html - rule_id: 225
  http://193.239.147.103/base/2C9EBDF8639D920DAD88AE504A55F6CC.html - rule_id: 225
  http://193.239.147.103/base/DBB21AAEE02CC39BE17503128FDCD072.html - rule_id: 225
Hosts (1):
  193.239.147.103 - malicious
Other URLs (4):
  http://193.239.147.103/base/
  http://193.239.147.103/base/
  http://193.239.147.103/base/
  http://193.239.147.103/base/
3.6 | M | 13 | ZeroCERT

43767 | 2021-01-22 18:25
File: abdulx.scr
MD5: 093581879b31e72cb9f58572e92a326b
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (5):
  http://193.239.147.103/base/A835403D21646D38831BEFB4AACEE40A.html - rule_id: 225
  http://193.239.147.103/base/B958C53208B4018959CAB8F85D1BE96B.html - rule_id: 225
  http://193.239.147.103/base/B8D7291260DCC598FA98C5584014FB4A.html - rule_id: 225
  http://193.239.147.103/base/359D3681998052C40556FFBF15816F76.html - rule_id: 225
  https://api.ipify.org/
Hosts (3):
  api.ipify.org(54.225.242.59)
  193.239.147.103 - malicious
  54.225.66.103
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other URLs (4):
  http://193.239.147.103/base/
  http://193.239.147.103/base/
  http://193.239.147.103/base/
  http://193.239.147.103/base/
15.4 | M | 16 | ZeroCERT

43768 | 2021-01-22 18:21
File: 3XvbkMuarDL4nbwCq3qfQ.dll
MD5: 08667fc58fec60e818c3344ed718a1dd
Tags: VirusTotal Malware
1.0 | M | 21 | ZeroCERT

43769 | 2021-01-22 18:04
File: xax7k4mlp.zip.exe
MD5: b613ab3eef642e50999219c6bc103c24
Tags: Malware download Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Kovter Browser ComputerName DNS crashed
Hosts (1):
  194.225.58.214 - malicious
Alerts (2):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
6.8 | M | 35 | ZeroCERT

43770 | 2021-01-22 17:10
File: worked.exe
MD5: a8417cfd71637c7371986737cff269cf
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS
URLs (2):
  http://www.liveincrestline.com/zn7/?BTjh9FI=CNjzvDNEGQkr8b6ycAVxkdviCic9tzSqSRl+pNSZpvdlL1X5CXUA+FLPFa52ug0VjC9S0NeH&EBZ=ZTFHsbMXnr
  http://www.cryptowaveride.com/zn7/?BTjh9FI=IuJ1YotfD/ZPboQQZRHFlfyTrctPVfDxOBDSDNQsLVOVo5kk+6JcPN8CJ5fVGvcvinAyq9aN&EBZ=ZTFHsbMXnr
Hosts (4):
  www.cryptowaveride.com(34.102.136.180)
  www.liveincrestline.com(69.163.165.39)
  69.163.165.39
  34.102.136.180 - malicious
10.6 | M | 23 | ZeroCERT