| 43786 |
2021-01-22 10:18
|
CL4G.dll 3e1249e4d0b0b61d493da93139b9f3a4
VirusTotal Malware |
|
|
|
|
1.4 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43787 |
2021-01-22 10:18
|
5555555555_2.jpg.exe 42574d38cc2760ec1e2ed9beb234567b |
|
|
|
|
0.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43788 |
2021-01-22 10:13
|
zbf8jiX.exe 3b6e27d8d7051194ba8dd6fd3a299f95
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName |
1
|
2
ip-api.com(208.95.112.1)
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
13.0 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43789 |
2021-01-22 10:09
|
5555555555.jpg.exe c1a0cf6c95370e2bb4e3d7b8353d883e
VirusTotal Malware |
|
|
|
|
1.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43790 |
2021-01-22 09:31
|
winlog4.exe ac98cc8a1ff04aa8ae259ab9436a1fa7
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://papanwa.com/zoro/zoro5/fre.php
|
2
papanwa.com(89.235.184.237) - mailcious
89.235.184.237
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
10.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43791 |
2021-01-22 09:31
|
winlog3.exe f9d11b84c36b4ef4af4f24aae95f9fb5
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://papanwa.com/zoro/zoro4/fre.php
|
2
papanwa.com(89.235.184.237) - mailcious
89.235.184.237
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
9.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43792 |
2021-01-22 00:30
|
winlog2.exe f69047c67c621e68c5b21d46fa60a629
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities malicious URLs Windows DNS |
12
http://www.cdxxcenter.com/eaud/?yVMpQN-P=PrMgcOi1C+xZ30CWD0gc9ulMZW33lnSah2vPZyD0kOIVO7Z9yyRLeacl5RaDqYuDJhZjlHXn&1bz=o8rLp
http://www.aylinahmet.com/eaud/?yVMpQN-P=dkGNOulwVjv8zgSWjgNToxTq8jv0eBwRjmPU0sHeGsnyZG8Azfs8cGv+uVQVVqh/rgDmjPZQ&1bz=o8rLp
http://www.wayupteam.com/eaud/
http://www.wayupteam.com/eaud/?yVMpQN-P=PzB82rHCp8FP3i2tjPH9Da/CMy1ak9u45Pqnc//l8Tlr+8C8+l65GQ0dZUw1huaMyarbmhv5&1bz=o8rLp
http://www.shopboxbarcelona.com/eaud/
http://www.shopboxbarcelona.com/eaud/?yVMpQN-P=k4wX6qLWkZ62JBj00Ey9dmmYuTmZckCKLx/WbK6+kj69szauJdIs1jgWs5keczVrrNGRPH0u&1bz=o8rLp
http://www.cdxxcenter.com/eaud/
http://www.youraircases.com/eaud/
http://www.syndicatesportspicks.com/eaud/
http://www.youraircases.com/eaud/?yVMpQN-P=3dcguFfnHEPsckgmkKw+Exgc9MSut+i0q6e3fvJncsgRJabIu/5IpnTx9jl+SdMjs2aFOQWK&1bz=o8rLp
http://www.syndicatesportspicks.com/eaud/?yVMpQN-P=TmaymnuzZVPHOLNQbQufSSrBpb16xYpQ84upgGoVWbi1NWDOfZ/3bdXsGprkvtXhR7uMmkQF&1bz=o8rLp
http://www.aylinahmet.com/eaud/
|
17
www.aylinahmet.com(155.159.249.22)
www.pencueaidnetwork.com()
www.learnhour.net() - mailcious
www.ndblife.com(34.102.136.180) - mailcious
www.wayupteam.com(50.31.188.183)
www.shopboxbarcelona.com(217.160.0.94)
www.syndicatesportspicks.com(34.102.136.180)
www.cdxxcenter.com(34.102.136.180)
www.yesmywigs.com(66.23.236.66) - mailcious
www.tolentinestore.com()
www.youraircases.com(182.50.132.242)
155.159.249.22
34.102.136.180 - mailcious
66.23.236.66 - mailcious
50.31.188.183
217.160.0.94 - malware
182.50.132.242 - mailcious
|
|
|
13.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43793 |
2021-01-22 00:29
|
winlog.exe 3a9e68325d16c69df66db1b81f666601
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS |
8
http://www.esteemquantum.life/oean/?xVMtBJhH=uMheGNtLG83DWb8+pJnijuSPYVQmK9z4N72e0RaWrMXJhQwFShq8v5/IEF769tewOnJp9UL0&1bw=L6Adp678CV6lYt-p
http://www.freshmarketfood.com/oean/
http://www.pickmeagift.com/oean/
http://www.esteemquantum.life/oean/
http://www.pickmeagift.com/oean/?xVMtBJhH=aW6dKdfNC0TaLCWk0cRKJvncxteqGHOu8KfgGkm+b/r8i9Fy2o3V6crNDDcDvNd+xgLUiAmx&1bw=L6Adp678CV6lYt-p
http://www.biomig.net/oean/?xVMtBJhH=XgOOq6QvXYd3S2LwFPp7s1bJKMN7SvZCJ+ljzv9K68iz1Bzd2f3uX4ix7LPeYUhOuWXD9LqF&1bw=L6Adp678CV6lYt-p
http://www.biomig.net/oean/
http://www.freshmarketfood.com/oean/?xVMtBJhH=3T7LywsMgbRZsCqbDcaOpJcYrA1mIhtx4MuIxdOp/UIFVoYkxO76/uhqn4t2hcXy5gypmA3V&1bw=L6Adp678CV6lYt-p
|
13
www.neonatalfeedrates.com()
www.esteemquantum.life(13.113.246.118)
www.chefericcatering.com(23.227.38.74) - mailcious
www.pickmeagift.com(34.102.136.180)
www.freshmarketfood.com(154.216.110.171)
www.ddmns6tzey2d.com()
www.actusdumoment.com()
www.biomig.net(213.186.33.5)
13.113.246.118
34.102.136.180 - mailcious
213.186.33.5 - mailcious
154.216.110.171
23.227.38.74 - mailcious
|
2
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
|
|
9.4 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43794 |
2021-01-22 00:21
|
win32.exe 1931f5b75ae8d9c14ec61cdd53e70f21
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS |
22
http://www.bickel.wtf/incn/?GVTD=RGE/cWUJuc7tcSqTAP+gX/nnKrq7afk6KP8dfym4YezssBE+jvWHjf7t1SEWyTMXjEqr1dSZ&a48=tXIxBnQhDP3L
http://www.180wea.com/incn/
http://www.sentire.design/incn/
http://www.maisonscoeurdepivoine.com/incn/
http://www.therandstadride.com/incn/?GVTD=8wX1QV1qWYl49rszJeTzbck9pXYYKDC67oRhcTB41onpIWQqFJPPZVIT+MJhrfKw4Dtyr3ZM&a48=tXIxBnQhDP3L
http://www.therandstadride.com/incn/
http://www.meritane.com/incn/?GVTD=Nc+BD9vs4+e4cECzWuWcLeKFWqdEC9nRQaTZZf49Ggwzlob125o+HeI1QO0cpRtIrhtUCGr3&a48=tXIxBnQhDP3L
http://www.kaiyuansu.pro/incn/?GVTD=4y+UTKzHU4A6kuvXaYS74WaP+qCjnKVRzK/jF/x906cXBmLcUo8gxlVC8dbx5AF+KUuFRXVs&a48=tXIxBnQhDP3L
http://www.enlightenedhealthcoaching.com/incn/
http://www.meritane.com/incn/
http://www.americanmarketedge.com/incn/?GVTD=pEuRuOfh0RPfl+oiP7k0h24+ZbJdO6NkpJaEurquBhTH7uFTgd2KPm6WV+g8bO15oKR+AHxs&a48=tXIxBnQhDP3L
http://www.maisonscoeurdepivoine.com/incn/?GVTD=fpp5tzsDVw/boHH54xFz2lHuIJXrIy+MvJer49wUQ5nc5MDVdJwShsfT7qJbFiH8F+zIzFgI&a48=tXIxBnQhDP3L
http://www.cathygass.com/incn/
http://www.kaiyuansu.pro/incn/
http://www.somright.com/incn/
http://www.bickel.wtf/incn/
http://www.cathygass.com/incn/?GVTD=V5Re+WzC2sGOxtPxWLRbc/hMewIuQBUuTdSbLO4SRNAW8zvmFoXi5zGaY5LI3OIdHMscm6dB&a48=tXIxBnQhDP3L
http://www.180wea.com/incn/?GVTD=Sz3dszz1KVNc+BCS0cIR8dLOlzhJ3GRpiIaxFKw9EG065ZkIMAMyYd3MWGhyRr/sd99EsGlH&a48=tXIxBnQhDP3L
http://www.sentire.design/incn/?GVTD=5ltUxrtqtF8SsvUdywSBkwhwumkFdmMXQM+4K6mrQNNQqM/0ADGIG9+v1h3p90Hn+Oe+pBf8&a48=tXIxBnQhDP3L
http://www.enlightenedhealthcoaching.com/incn/?GVTD=POIZWkDj692E5dmcoJxHrl96tfitCI2EQH3I4lOKciTKVqVppac3P3ErgzEtcXkQplKPzCNh&a48=tXIxBnQhDP3L
http://www.americanmarketedge.com/incn/
http://www.somright.com/incn/?GVTD=7K3NAYrZE3cIvfbo6b4PZi12r/NG2k7uK0KaMfF8yQll7TEeAOn7HJqDdgdEMXlclzCf6XwD&a48=tXIxBnQhDP3L
|
24
www.enlightenedhealthcoaching.com(34.80.190.141)
www.potlucks.net(91.195.241.137) - mailcious
www.maisonscoeurdepivoine.com(91.121.39.102)
www.bickel.wtf(44.227.76.166)
www.180wea.com(154.204.174.86)
www.kaiyuansu.pro(34.102.136.180)
www.cathygass.com(198.185.159.144)
www.sentire.design(198.185.159.145)
www.americanmarketedge.com(3.137.48.156)
www.somright.com(62.60.250.5)
www.meritane.com(34.102.136.180)
www.therandstadride.com(35.171.196.117)
www.khocam.com()
44.227.76.166 - mailcious
62.60.250.5
91.121.39.102
35.171.196.117
3.140.151.209 - mailcious
154.204.174.86
34.102.136.180 - mailcious
34.80.190.141 - mailcious
91.195.241.137 - mailcious
198.185.159.145 - mailcious
198.185.159.144 - mailcious
|
|
|
10.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43795 |
2021-01-22 00:21
|
vbc3.exe e09c5be82b79d79dc377271d67f92a89
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://papanwa.com/chief/offor/fre.php
|
2
papanwa.com(89.235.184.237)
185.252.147.215
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43796 |
2021-01-22 00:10
|
vbc.exe e9ccfae9cb025410406a12538137c69f
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities AppData folder malicious URLs Windows |
4
http://www.vulcanudachi-proclub.com/eaud/?-Zu8_b3=0gUbOA7tMjRSIgsT4fVDJFMoLXaZpJXDHRG+cBYqA+jofG8O+HCMFeRJJZ4a+W5/c9Karx9b&CxoHs=2djDG
http://www.glz-cc.com/eaud/
http://www.glz-cc.com/eaud/?-Zu8_b3=Vm47xG0o1uJn0Ra0RXkLMOtvIic+pdia61rKwK4dBl+1Xhm18UA1axsctX2EX35jb9biJ3GQ&CxoHs=2djDG
http://www.vulcanudachi-proclub.com/eaud/
|
16
www.dajiankang.love()
www.sulpher.network()
www.mersinsimsek.com(104.21.32.198)
www.mettyapp.com(34.102.136.180) - mailcious
www.guorunme.com(156.224.53.101) - mailcious
www.glz-cc.com(84.16.73.17)
www.realestatejewel.com()
www.vulcanudachi-proclub.com(172.67.169.202)
www.lebaronfuneraire.com(217.70.184.50) - mailcious
www.bosman-smm.online()
156.224.53.101 - mailcious
34.102.136.180 - mailcious
217.70.184.50 - mailcious
104.21.32.198
104.21.27.226
84.16.73.17
|
|
|
13.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43797 |
2021-01-22 00:09
|
vbc2.exe 0705cb1278a79218eec9badca52ab8b3
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://okpana.com/chief/har/fre.php
|
2
okpana.com(185.22.153.203) - mailcious
185.22.153.203
|
4
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
13.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43798 |
2021-01-22 00:05
|
TaAgente.exe 4cb563bf89a0407ba573f86a2f2a2030
VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Cryptographic key |
|
2
apps.saintsoporte.com(162.248.54.77) - malware
162.248.54.77 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
SURICATA Applayer Detect protocol only one direction
|
|
4.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43799 |
2021-01-22 00:02
|
svchost.exe 5aeb0da76f99119932bf52c3eb8b0767
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs |
28
http://www.inreachpt.com/gqx2/?jPg8=9/BKDbjRUTLHiCAkv4UrkvSCkC6DC2Rftex5RF517dla63TUfiGzTWKrNUH/ld7HE/txj1Uk&0rn=WHrpcFC0d
http://www.enlightenedsoil.com/gqx2/?jPg8=cjip6uuPgbETVH3T8V+JPH7D0kYGWUsT6+5UMJSQ9+x3pL2tU/1BL2dojhljSS+Qzet3utIR&0rn=WHrpcFC0d
http://www.thefanexam.com/gqx2/?jPg8=HrF3TVmG/JjI1PnvTLIIYpmn2zTORZwa7SZzfRngC4AhxnWytwZOrvMCggULKagFWCKc0ybP&0rn=WHrpcFC0d
http://www.beepybox.online/gqx2/?jPg8=yCE81FN5kJDvf69H1zCHl1SnIq+u0HMqx0bFiExBcMqvSlXqSPdOcc4J90HIKOaEDs5PHmMh&0rn=WHrpcFC0d
http://www.libraspeed.com/gqx2/?jPg8=6qqHzrP8Ew0N3qBcvLoa2iiZ2tjwRqllt0EEYSmVAScoxFQXiXz7/LqOYXVLNW/f4soD4emN&0rn=WHrpcFC0d
http://www.com-cancel-payment-id655.com/gqx2/
http://www.thefanexam.com/gqx2/
http://www.com-cancel-payment-id655.com/gqx2/?jPg8=hzhb46uYekxeSjynDSvHSBZ+WScKj86Lzekpz01nr5Rqx8ccLecn3Up/ez6Dfz0AhJ7oHM6Z&0rn=WHrpcFC0d
http://www.ohiotechreport.com/gqx2/
http://www.tu4343.com/gqx2/?jPg8=c0uTa4Ry3vesai6lXTSfINFQpRrMtH1K87WBIlrG0XAtnO8wLGbiahB/6B1lfYrqembCPOk5&0rn=WHrpcFC0d
http://www.tu4343.com/gqx2/
http://www.beepybox.online/gqx2/
http://www.shuhan.design/gqx2/?jPg8=+3QoYFPD3RQeYLjAYFhuJ6Cz2rhEMAU1T5a3j4/+hda+nWQNJZmKako0P2ib9ZGD25UQvPrc&0rn=WHrpcFC0d
http://www.starlinkwebservices.com/gqx2/
http://www.enlightenedsoil.com/gqx2/
http://www.5200853.com/gqx2/
http://www.bonus189.space/gqx2/?jPg8=5R1gPD5AcirPvdqxX3OEjI5TkTWkghjMkZYg470HlnfMN6fJZonrVNztkTKmxtrm7HwX4kWu&0rn=WHrpcFC0d
http://www.shuhan.design/gqx2/
http://www.zhjiaxiang.com/gqx2/?jPg8=WYs2CJQaHu7VDjmvT8HY/uenJ8IAuXAtr5EFzbfELRegL/XO6LMGY4Hpvd4bWrO2XC6qj4kB&0rn=WHrpcFC0d
http://www.teacher-retirement-info.info/gqx2/?jPg8=OXVidlqG6XkfBKSTfRTYNsCHZ7Lzo3O37PQdrKyHFgPzio9FREHRskcmwWepUtod5GjdUGTA&0rn=WHrpcFC0d
http://www.bonus189.space/gqx2/
http://www.zhjiaxiang.com/gqx2/
http://www.starlinkwebservices.com/gqx2/?jPg8=1oLdWJEa6RMPILHmU3RMDTTKV/8OlgAWvoSufNbfYqrB9zEOlffSJnN5c7l9eL53m4HAxa1z&0rn=WHrpcFC0d
http://www.5200853.com/gqx2/?jPg8=D7HYjwmfjk7r2Ukao5V0C9NhbEdLEQDWgNm8jPt18Yf6jGPHPId8fj6QgnBzS3/GDME8Xiko&0rn=WHrpcFC0d
http://www.inreachpt.com/gqx2/
http://www.teacher-retirement-info.info/gqx2/
http://www.libraspeed.com/gqx2/
http://www.ohiotechreport.com/gqx2/?jPg8=IPC5rKMb5U2wGfsfh3591N/FvVXjYSZNx84XlhlRnNK1DZcHs5M0z52hyAuoszkEQc4vvPuF&0rn=WHrpcFC0d
|
26
www.kimscraftyresale.com()
www.shuhan.design(192.185.35.76)
www.tu4343.com(154.202.142.207)
www.com-cancel-payment-id655.com(47.254.175.19)
www.inreachpt.com(34.102.136.180)
www.beepybox.online(64.98.145.30)
www.bonus189.space(87.236.16.223)
www.enlightenedsoil.com(34.80.190.141)
www.thefanexam.com(13.35.101.98)
www.5200853.com(198.200.62.230)
www.libraspeed.com(3.137.48.156)
www.ohiotechreport.com(34.102.136.180)
www.starlinkwebservices.com(34.102.136.180)
www.teacher-retirement-info.info(34.102.136.180)
www.zhjiaxiang.com(156.254.253.78)
64.98.145.30 - mailcious
47.254.175.19 - phishing
154.202.142.207
99.84.233.196
3.140.151.209
34.102.136.180 - mailcious
192.185.35.76
198.200.62.230
34.80.190.141 - mailcious
87.236.16.223
156.254.253.78
|
|
|
9.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43800 |
2021-01-22 00:00
|
obo.exe 1965c283581daeb2fc16e26de73839aa
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed |
|
|
|
|
10.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|