| 43771 |
2021-01-22 17:09
|
vbc2.exe f42d95af9e81a4dc5b7e15697c2a3081
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName Software crashed |
|
|
|
|
15.0 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43772 |
2021-01-22 17:01
|
regasm.exe a7bc5a4d585adbe52ba261b7d93a9035
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
20
http://www.nakedsumac.com/de92/?iJE=w8T6CpukX6yfQvZIBhYPxVcZOJT0YdSbifWJ12s38v2ZLMly/jK/hH1sG1YdJfDsPOAQRnWG&wXO=OZNlib
http://www.hellbentmask.com/de92/
http://www.withatwist2016.com/de92/?wXO=OZNlib&iJE=t7CCSJzhjWdNUDSRT10xvW6lcdlCWJgRUPFM5YVSwGpaJ46SFtjs+MnRNQdgKehd0ODA58MR
http://www.tyelevator.com/de92/
http://www.stonescapes1.com/de92/?wXO=OZNlib&iJE=FMDFc6rJ4poPid6ur6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jrtwmAYMYw+t4wpXMFEO
http://www.stonescapes1.com/de92/
http://www.algemixdelchef.com/de92/?iJE=mPU5Qk0Q1JMbXKNJRceqtcyM9qQl8Ofn0X4hMrRDi25MNpIsGCD5ge9g91NIFQ6BKHb0PsTJ&wXO=OZNlib
http://www.kittens.finance/de92/
http://www.tyelevator.com/de92/?wXO=OZNlib&iJE=mFzktdIcIh/EzcBtenlVDl+Oamx3cB2UX3JUQNnMIO9CRz3auOtbc9g7Rlp1L+yqgpAbjNby
http://www.kittens.finance/de92/?wXO=OZNlib&iJE=SepTr08gQtYDGIYzymAoDHuPHW+wUVypIADVZtpVRETA8PVoR8fWn74ARfsodaLMX6s9Mrbp
http://www.getyourquan.com/de92/?wXO=OZNlib&iJE=TbPz6VcOjdaIZyAIsiKgb5mt6ozyC/VrN5J65Y+0E8EicD2AJ+d+KbdEMZPtgZqIRLTVzFSd
http://www.doubscollectivites.com/de92/
http://www.hellbentmask.com/de92/?wXO=OZNlib&iJE=K6nMS4TU/65k2ljnAmNqa0/NC8FeCuLZ/pa/CGKctGvE4jDYB4TuE5khORTn9v5LllOb5e/3
http://www.blondedevil.com/de92/?iJE=e2DkSttiDYVMoavFD/xTyg4pOrB+dDqhbjgV2584DQSa9zn8GxBgzZjS7GudSKx6HXAmrJRb&wXO=OZNlib
http://www.doubscollectivites.com/de92/?iJE=zN2IcpsrPCNmgxQHCa91oF5zBiiS0EWJGpScsTXIt82BcT9oZQju2EvESER3q+qC+ZYpMKOm&wXO=OZNlib
http://www.algemixdelchef.com/de92/
http://www.withatwist2016.com/de92/
http://www.getyourquan.com/de92/
http://www.blondedevil.com/de92/
http://www.nakedsumac.com/de92/
|
20
www.algemixdelchef.com(179.188.47.250)
www.tyelevator.com(34.102.136.180)
www.withatwist2016.com(34.102.136.180)
www.hellbentmask.com(23.227.38.74)
www.blondedevil.com(91.184.0.95)
www.fashiongomaufacturer.com()
www.kittens.finance(198.54.117.218)
www.stonescapes1.com(192.187.111.219)
www.nakedsumac.com(192.0.78.24)
www.getyourquan.com(2.57.90.16)
www.doubscollectivites.com(213.186.33.5)
198.54.117.211 - phishing
34.102.136.180 - mailcious
179.188.47.250
192.187.111.219
213.186.33.5 - mailcious
2.57.90.16 - mailcious
192.0.78.24 - mailcious
23.227.38.74 - mailcious
91.184.0.95
|
|
|
9.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43773 |
2021-01-22 16:59
|
vbc.exe cb09a2db3c751f29b1e51c542b9c6fd3
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://mannaton.com/zoro/zoro3/fre.php
|
2
mannaton.com(185.219.41.233)
185.219.41.233 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
9.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43774 |
2021-01-22 16:52
|
liamhugox.scr bf36c3069116a3da50f1064adfdd155a
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
4
http://193.239.147.103/base/118EEA2963EA5CF974F8ED3D9A878F37.html - rule_id: 225
http://193.239.147.103/base/264712C97B662289D6644F926525A252.html - rule_id: 225
http://193.239.147.103/base/717CB3CF78475C54FCA26C56816F0DE8.html - rule_id: 225
http://193.239.147.103/base/048127D57020AA6715C6D457787F2BED.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
4
http://193.239.147.103/base/
http://193.239.147.103/base/
http://193.239.147.103/base/
http://193.239.147.103/base/
|
15.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43775 |
2021-01-22 16:51
|
moloengkids_1.5.0.0.exe 91931d77ca12d8afaef2135314c32afa
VirusTotal Malware Check memory Creates executable files unpack itself AppData folder malicious URLs |
|
|
|
|
3.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43776 |
2021-01-22 16:08
|
kdotx.scr b95249a3ceacb06a049d3f211479fc7e
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
5
http://193.239.147.103/base/A1974CB1ECB4D1302C386D3DFB883181.html - rule_id: 225
http://193.239.147.103/base/1A8D3D2609505E3CEDE6D59742CA5034.html - rule_id: 225
http://193.239.147.103/base/0CF0F5D48FE381404608CF3D899D2B52.html - rule_id: 225
http://193.239.147.103/base/5B89C8FEDDDEEF146F2D6591104C2A5A.html - rule_id: 225
https://api.ipify.org/
|
3
api.ipify.org(54.225.242.59)
184.73.247.141
193.239.147.103 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
4
http://193.239.147.103/base/
http://193.239.147.103/base/
http://193.239.147.103/base/
http://193.239.147.103/base/
|
14.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43777 |
2021-01-22 16:06
|
k7e1ga.rar.exe a4cf7f9a24231b357d5d42777869fa88
VirusTotal Malware |
|
|
|
|
0.8 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43778 |
2021-01-22 14:27
|
IMG_04017.pdf.exe 9b2bde9769d02bac7e022ff7a36010e5
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.113.70)
131.186.161.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43779 |
2021-01-22 14:27
|
inst.exe 6226d18273fc74d923183ea7510e595a
VirusTotal Malware AutoRuns PDB suspicious privilege ICMP traffic unpack itself malicious URLs Windows Advertising crashed |
|
2
iplogger.org(88.99.66.31)
88.99.66.31 - mailcious
|
|
|
8.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43780 |
2021-01-22 14:09
|
haitianx.scr c2a516ecaa7cd7627eee19decabbedb6
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed |
4
http://193.239.147.103/base/08630725A5CB69811CA785E5021F8027.html - rule_id: 225
http://193.239.147.103/base/6725254379D95D39B09B9B25FAC379BA.html - rule_id: 225
http://193.239.147.103/base/D2971E30954D508FBBF087522324E13F.html - rule_id: 225
http://193.239.147.103/base/A03D8F041FC4B573858ABD98BB1DDE42.html - rule_id: 225
|
1
193.239.147.103 - mailcious
|
|
4
http://193.239.147.103/base/
http://193.239.147.103/base/
http://193.239.147.103/base/
http://193.239.147.103/base/
|
13.8 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43781 |
2021-01-22 14:09
|
gfers.exe f781bbd506e29a57c76c1e647bef90ba
VirusTotal Malware unpack itself Remote Code Execution DNS |
|
|
|
|
2.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43782 |
2021-01-22 13:50
|
davincii.scr 8806d043a732233b3f67303b04a9d6ae
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed |
|
1
193.239.147.103 - mailcious
|
|
|
15.0 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43783 |
2021-01-22 13:49
|
fdwzkmx.rar.exe 4746fbed409f87ec6ddb6653cb4e201c
Malware download Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Kovter Browser ComputerName DNS crashed |
|
1
194.225.58.214 - mailcious
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
|
|
6.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43784 |
2021-01-22 10:25
|
d2.exe 5092bff4eca423c90563e487762966b3
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key |
6
http://www.thrivezi.com/bw82/
http://www.cbrealvitalize.com/bw82/ - rule_id: 171
http://www.healthyfifties.com/bw82/
http://www.healthyfifties.com/bw82/?EZA0p8=HMhfXgki/fwU+9g//Qf3+P0dwVGdeYMc6HI22Y6bWas+l7LY9GWDX2ofl83vvRcw0wooSWA8&GzuX=BxodbDv
http://www.cbrealvitalize.com/bw82/?EZA0p8=QMz1n+xx2KiD30AmT9IbdZVffunkwaB1v+iSpZgJgwTVZu6PNQxJOIJjV5QBJp9Es7YbcplQ&GzuX=BxodbDv - rule_id: 171
http://www.thrivezi.com/bw82/?EZA0p8=3XAKDXBRuf4B6JZ9IcS+nDMUHIb0m9P0UU4GdGE01CbNADkpa+Q1M0I062yKB15gX2NcPG15&GzuX=BxodbDv
|
12
www.kolamart.com(34.102.136.180) - mailcious
www.cbrealvitalize.com(34.102.136.180) - mailcious
www.mybestaide.com(52.216.18.186) - mailcious
www.fcoins.club()
www.gallerybrows.com(34.102.136.180) - mailcious
www.healthyfifties.com(198.20.125.69)
www.thrivezi.com(52.201.79.206)
www.texasdryroof.com(34.102.136.180) - mailcious
52.217.84.67
34.102.136.180 - mailcious
52.201.79.206
198.20.125.69
|
|
2
http://www.cbrealvitalize.com/bw82/
http://www.cbrealvitalize.com/bw82/
|
10.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43785 |
2021-01-22 10:24
|
d1.exe 7cc23aa86ee79dc1e11a395e85096ec3
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
7
http://www.healthyfifties.com/bw82/
http://www.rizrvd.com/bw82/?GFND=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Rlj=XVIXx4yx - rule_id: 170
http://www.rizrvd.com/bw82/?GFND=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Rlj=XVIXx4yx
http://www.healthyfifties.com/bw82/?GFND=HMhfXgki/fwU+9g//Qf3+P0dwVGdeYMc6HI22Y6bWas+l7LY9GWDX2ofl83vvRcw0wooSWA8&Rlj=XVIXx4yx
http://www.engageautism.info/bw82/?GFND=n1L9MQk4QDNxb7EvfxU4KXziLGivOllQbN1QPcwD8xjBZtBLcQYTGxkchzBYP8u5N9Eeup4x&Rlj=XVIXx4yx
http://www.engageautism.info/bw82/
http://www.rizrvd.com/bw82/ - rule_id: 170
|
12
www.openspiers.com()
www.healthyfifties.com(198.20.125.69)
www.rizrvd.com(34.102.136.180) - mailcious
www.mybestaide.com(52.217.40.219) - mailcious
www.fcoins.club()
www.xn--avenr-wsa.com(34.102.136.180) - mailcious
www.engageautism.info(34.102.136.180)
www.magiclabs.media(198.49.23.144) - mailcious
52.216.81.74
198.20.125.69
198.185.159.144 - mailcious
34.102.136.180 - mailcious
|
|
2
http://www.rizrvd.com/bw82/
http://www.rizrvd.com/bw82/
|
11.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|