43771 | 2021-01-22 17:09 | vbc2.exe f42d95af9e81a4dc5b7e15697c2a3081 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName Software crashed |
15.0 | | 19 | ZeroCERT

43772 | 2021-01-22 17:01 | regasm.exe a7bc5a4d585adbe52ba261b7d93a9035 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
20 | http://www.nakedsumac.com/de92/?iJE=w8T6CpukX6yfQvZIBhYPxVcZOJT0YdSbifWJ12s38v2ZLMly/jK/hH1sG1YdJfDsPOAQRnWG&wXO=OZNlib http://www.hellbentmask.com/de92/ http://www.withatwist2016.com/de92/?wXO=OZNlib&iJE=t7CCSJzhjWdNUDSRT10xvW6lcdlCWJgRUPFM5YVSwGpaJ46SFtjs+MnRNQdgKehd0ODA58MR http://www.tyelevator.com/de92/ http://www.stonescapes1.com/de92/?wXO=OZNlib&iJE=FMDFc6rJ4poPid6ur6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jrtwmAYMYw+t4wpXMFEO http://www.stonescapes1.com/de92/ http://www.algemixdelchef.com/de92/?iJE=mPU5Qk0Q1JMbXKNJRceqtcyM9qQl8Ofn0X4hMrRDi25MNpIsGCD5ge9g91NIFQ6BKHb0PsTJ&wXO=OZNlib http://www.kittens.finance/de92/ http://www.tyelevator.com/de92/?wXO=OZNlib&iJE=mFzktdIcIh/EzcBtenlVDl+Oamx3cB2UX3JUQNnMIO9CRz3auOtbc9g7Rlp1L+yqgpAbjNby http://www.kittens.finance/de92/?wXO=OZNlib&iJE=SepTr08gQtYDGIYzymAoDHuPHW+wUVypIADVZtpVRETA8PVoR8fWn74ARfsodaLMX6s9Mrbp http://www.getyourquan.com/de92/?wXO=OZNlib&iJE=TbPz6VcOjdaIZyAIsiKgb5mt6ozyC/VrN5J65Y+0E8EicD2AJ+d+KbdEMZPtgZqIRLTVzFSd http://www.doubscollectivites.com/de92/ http://www.hellbentmask.com/de92/?wXO=OZNlib&iJE=K6nMS4TU/65k2ljnAmNqa0/NC8FeCuLZ/pa/CGKctGvE4jDYB4TuE5khORTn9v5LllOb5e/3 http://www.blondedevil.com/de92/?iJE=e2DkSttiDYVMoavFD/xTyg4pOrB+dDqhbjgV2584DQSa9zn8GxBgzZjS7GudSKx6HXAmrJRb&wXO=OZNlib http://www.doubscollectivites.com/de92/?iJE=zN2IcpsrPCNmgxQHCa91oF5zBiiS0EWJGpScsTXIt82BcT9oZQju2EvESER3q+qC+ZYpMKOm&wXO=OZNlib http://www.algemixdelchef.com/de92/ http://www.withatwist2016.com/de92/ http://www.getyourquan.com/de92/ http://www.blondedevil.com/de92/ http://www.nakedsumac.com/de92/
20 | www.algemixdelchef.com(179.188.47.250) www.tyelevator.com(34.102.136.180) www.withatwist2016.com(34.102.136.180) www.hellbentmask.com(23.227.38.74) www.blondedevil.com(91.184.0.95) www.fashiongomaufacturer.com() www.kittens.finance(198.54.117.218) www.stonescapes1.com(192.187.111.219) www.nakedsumac.com(192.0.78.24) www.getyourquan.com(2.57.90.16) www.doubscollectivites.com(213.186.33.5) 198.54.117.211 - phishing 34.102.136.180 - mailcious 179.188.47.250 192.187.111.219 213.186.33.5 - mailcious 2.57.90.16 - mailcious 192.0.78.24 - mailcious 23.227.38.74 - mailcious 91.184.0.95
9.6 | M | 36 | ZeroCERT

43773 | 2021-01-22 16:59 | vbc.exe cb09a2db3c751f29b1e51c542b9c6fd3 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1 | http://mannaton.com/zoro/zoro3/fre.php
2 | mannaton.com(185.219.41.233) 185.219.41.233 - mailcious
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
9.2 | M | 30 | ZeroCERT

43774 | 2021-01-22 16:52 | liamhugox.scr bf36c3069116a3da50f1064adfdd155a Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
4 | http://193.239.147.103/base/118EEA2963EA5CF974F8ED3D9A878F37.html - rule_id: 225 http://193.239.147.103/base/264712C97B662289D6644F926525A252.html - rule_id: 225 http://193.239.147.103/base/717CB3CF78475C54FCA26C56816F0DE8.html - rule_id: 225 http://193.239.147.103/base/048127D57020AA6715C6D457787F2BED.html - rule_id: 225
1 | 193.239.147.103 - mailcious
4 | http://193.239.147.103/base/ http://193.239.147.103/base/ http://193.239.147.103/base/ http://193.239.147.103/base/
15.2 | M | 23 | ZeroCERT

43775 | 2021-01-22 16:51 | moloengkids_1.5.0.0.exe 91931d77ca12d8afaef2135314c32afa VirusTotal Malware Check memory Creates executable files unpack itself AppData folder malicious URLs |
3.4 | M | 32 | ZeroCERT

43776 | 2021-01-22 16:08 | kdotx.scr b95249a3ceacb06a049d3f211479fc7e Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
5 | http://193.239.147.103/base/A1974CB1ECB4D1302C386D3DFB883181.html - rule_id: 225 http://193.239.147.103/base/1A8D3D2609505E3CEDE6D59742CA5034.html - rule_id: 225 http://193.239.147.103/base/0CF0F5D48FE381404608CF3D899D2B52.html - rule_id: 225 http://193.239.147.103/base/5B89C8FEDDDEEF146F2D6591104C2A5A.html - rule_id: 225 https://api.ipify.org/
3 | api.ipify.org(54.225.242.59) 184.73.247.141 193.239.147.103 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4 | http://193.239.147.103/base/ http://193.239.147.103/base/ http://193.239.147.103/base/ http://193.239.147.103/base/
14.2 | M | 32 | ZeroCERT

43777 | 2021-01-22 16:06 | k7e1ga.rar.exe a4cf7f9a24231b357d5d42777869fa88 VirusTotal Malware |
0.8 | M | 11 | ZeroCERT

43778 | 2021-01-22 14:27 | IMG_04017.pdf.exe 9b2bde9769d02bac7e022ff7a36010e5 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 131.186.161.70 104.21.19.200
4 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.6 | M | 34 | ZeroCERT

43779 | 2021-01-22 14:27 | inst.exe 6226d18273fc74d923183ea7510e595a VirusTotal Malware AutoRuns PDB suspicious privilege ICMP traffic unpack itself malicious URLs Windows Advertising crashed |
2 | iplogger.org(88.99.66.31) 88.99.66.31 - mailcious
8.0 | M | 34 | ZeroCERT

43780 | 2021-01-22 14:09 | haitianx.scr c2a516ecaa7cd7627eee19decabbedb6 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed |
4 | http://193.239.147.103/base/08630725A5CB69811CA785E5021F8027.html - rule_id: 225 http://193.239.147.103/base/6725254379D95D39B09B9B25FAC379BA.html - rule_id: 225 http://193.239.147.103/base/D2971E30954D508FBBF087522324E13F.html - rule_id: 225 http://193.239.147.103/base/A03D8F041FC4B573858ABD98BB1DDE42.html - rule_id: 225
1 | 193.239.147.103 - mailcious
4 | http://193.239.147.103/base/ http://193.239.147.103/base/ http://193.239.147.103/base/ http://193.239.147.103/base/
13.8 | M | 15 | ZeroCERT

43781 | 2021-01-22 14:09 | gfers.exe f781bbd506e29a57c76c1e647bef90ba VirusTotal Malware unpack itself Remote Code Execution DNS |
2.8 | M | 25 | ZeroCERT

43782 | 2021-01-22 13:50 | davincii.scr 8806d043a732233b3f67303b04a9d6ae Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed |
1 | 193.239.147.103 - mailcious
15.0 | M | 17 | ZeroCERT

43783 | 2021-01-22 13:49 | fdwzkmx.rar.exe 4746fbed409f87ec6ddb6653cb4e201c Malware download Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Kovter Browser ComputerName DNS crashed |
1 | 194.225.58.214 - mailcious
2 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
6.8 | M | 36 | ZeroCERT

43784 | 2021-01-22 10:25 | d2.exe 5092bff4eca423c90563e487762966b3 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key |
6 | http://www.thrivezi.com/bw82/ http://www.cbrealvitalize.com/bw82/ - rule_id: 171 http://www.healthyfifties.com/bw82/ http://www.healthyfifties.com/bw82/?EZA0p8=HMhfXgki/fwU+9g//Qf3+P0dwVGdeYMc6HI22Y6bWas+l7LY9GWDX2ofl83vvRcw0wooSWA8&GzuX=BxodbDv http://www.cbrealvitalize.com/bw82/?EZA0p8=QMz1n+xx2KiD30AmT9IbdZVffunkwaB1v+iSpZgJgwTVZu6PNQxJOIJjV5QBJp9Es7YbcplQ&GzuX=BxodbDv - rule_id: 171 http://www.thrivezi.com/bw82/?EZA0p8=3XAKDXBRuf4B6JZ9IcS+nDMUHIb0m9P0UU4GdGE01CbNADkpa+Q1M0I062yKB15gX2NcPG15&GzuX=BxodbDv
12 | www.kolamart.com(34.102.136.180) - mailcious www.cbrealvitalize.com(34.102.136.180) - mailcious www.mybestaide.com(52.216.18.186) - mailcious www.fcoins.club() www.gallerybrows.com(34.102.136.180) - mailcious www.healthyfifties.com(198.20.125.69) www.thrivezi.com(52.201.79.206) www.texasdryroof.com(34.102.136.180) - mailcious 52.217.84.67 34.102.136.180 - mailcious 52.201.79.206 198.20.125.69
2 | http://www.cbrealvitalize.com/bw82/ http://www.cbrealvitalize.com/bw82/
10.6 | M | 23 | ZeroCERT

43785 | 2021-01-22 10:24 | d1.exe 7cc23aa86ee79dc1e11a395e85096ec3 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
7 | http://www.healthyfifties.com/bw82/ http://www.rizrvd.com/bw82/?GFND=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Rlj=XVIXx4yx - rule_id: 170 http://www.rizrvd.com/bw82/?GFND=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Rlj=XVIXx4yx http://www.healthyfifties.com/bw82/?GFND=HMhfXgki/fwU+9g//Qf3+P0dwVGdeYMc6HI22Y6bWas+l7LY9GWDX2ofl83vvRcw0wooSWA8&Rlj=XVIXx4yx http://www.engageautism.info/bw82/?GFND=n1L9MQk4QDNxb7EvfxU4KXziLGivOllQbN1QPcwD8xjBZtBLcQYTGxkchzBYP8u5N9Eeup4x&Rlj=XVIXx4yx http://www.engageautism.info/bw82/ http://www.rizrvd.com/bw82/ - rule_id: 170
12 | www.openspiers.com() www.healthyfifties.com(198.20.125.69) www.rizrvd.com(34.102.136.180) - mailcious www.mybestaide.com(52.217.40.219) - mailcious www.fcoins.club() www.xn--avenr-wsa.com(34.102.136.180) - mailcious www.engageautism.info(34.102.136.180) www.magiclabs.media(198.49.23.144) - mailcious 52.216.81.74 198.20.125.69 198.185.159.144 - mailcious 34.102.136.180 - mailcious
2 | http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/
11.0 | M | 21 | ZeroCERT