43786 | 2021-01-22 10:18 | CL4G.dll 3e1249e4d0b0b61d493da93139b9f3a4 | VirusTotal Malware | 1.4 | M | 50 | ZeroCERT

43787 | 2021-01-22 10:18 | 5555555555_2.jpg.exe 42574d38cc2760ec1e2ed9beb234567b | | 0.2 | M | | ZeroCERT

43788 | 2021-01-22 10:13 | zbf8jiX.exe 3b6e27d8d7051194ba8dd6fd3a299f95 | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName | 13.0 | M | 45 | ZeroCERT
  URLs (1):
  Hosts (2):
    ip-api.com(208.95.112.1)
    208.95.112.1
  Alerts (1):
    ET POLICY External IP Lookup ip-api.com

43789 | 2021-01-22 10:09 | 5555555555.jpg.exe c1a0cf6c95370e2bb4e3d7b8353d883e | VirusTotal Malware | 1.4 | M | 41 | ZeroCERT

43790 | 2021-01-22 09:31 | winlog4.exe ac98cc8a1ff04aa8ae259ab9436a1fa7 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software | 10.2 | M | 34 | ZeroCERT
  URLs (1):
    http://papanwa.com/zoro/zoro5/fre.php
  Hosts (2):
    papanwa.com(89.235.184.237) - mailcious
    89.235.184.237
  Alerts (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response

43791 | 2021-01-22 09:31 | winlog3.exe f9d11b84c36b4ef4af4f24aae95f9fb5 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself malicious URLs installed browsers check Browser Email ComputerName Software | 9.2 | M | 32 | ZeroCERT
  URLs (1):
    http://papanwa.com/zoro/zoro4/fre.php
  Hosts (2):
    papanwa.com(89.235.184.237) - mailcious
    89.235.184.237
  Alerts (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Fake 404 Response

43792 | 2021-01-22 00:30 | winlog2.exe f69047c67c621e68c5b21d46fa60a629 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities malicious URLs Windows DNS | 13.0 | M | 23 | ZeroCERT
  URLs (12):
    http://www.cdxxcenter.com/eaud/?yVMpQN-P=PrMgcOi1C+xZ30CWD0gc9ulMZW33lnSah2vPZyD0kOIVO7Z9yyRLeacl5RaDqYuDJhZjlHXn&1bz=o8rLp
    http://www.aylinahmet.com/eaud/?yVMpQN-P=dkGNOulwVjv8zgSWjgNToxTq8jv0eBwRjmPU0sHeGsnyZG8Azfs8cGv+uVQVVqh/rgDmjPZQ&1bz=o8rLp
    http://www.wayupteam.com/eaud/
    http://www.wayupteam.com/eaud/?yVMpQN-P=PzB82rHCp8FP3i2tjPH9Da/CMy1ak9u45Pqnc//l8Tlr+8C8+l65GQ0dZUw1huaMyarbmhv5&1bz=o8rLp
    http://www.shopboxbarcelona.com/eaud/
    http://www.shopboxbarcelona.com/eaud/?yVMpQN-P=k4wX6qLWkZ62JBj00Ey9dmmYuTmZckCKLx/WbK6+kj69szauJdIs1jgWs5keczVrrNGRPH0u&1bz=o8rLp
    http://www.cdxxcenter.com/eaud/
    http://www.youraircases.com/eaud/
    http://www.syndicatesportspicks.com/eaud/
    http://www.youraircases.com/eaud/?yVMpQN-P=3dcguFfnHEPsckgmkKw+Exgc9MSut+i0q6e3fvJncsgRJabIu/5IpnTx9jl+SdMjs2aFOQWK&1bz=o8rLp
    http://www.syndicatesportspicks.com/eaud/?yVMpQN-P=TmaymnuzZVPHOLNQbQufSSrBpb16xYpQ84upgGoVWbi1NWDOfZ/3bdXsGprkvtXhR7uMmkQF&1bz=o8rLp
    http://www.aylinahmet.com/eaud/
  Hosts (17):
    www.aylinahmet.com(155.159.249.22)
    www.pencueaidnetwork.com()
    www.learnhour.net() - mailcious
    www.ndblife.com(34.102.136.180) - mailcious
    www.wayupteam.com(50.31.188.183)
    www.shopboxbarcelona.com(217.160.0.94)
    www.syndicatesportspicks.com(34.102.136.180)
    www.cdxxcenter.com(34.102.136.180)
    www.yesmywigs.com(66.23.236.66) - mailcious
    www.tolentinestore.com()
    www.youraircases.com(182.50.132.242)
    155.159.249.22
    34.102.136.180 - mailcious
    66.23.236.66 - mailcious
    50.31.188.183
    217.160.0.94 - malware
    182.50.132.242 - mailcious

43793 | 2021-01-22 00:29 | winlog.exe 3a9e68325d16c69df66db1b81f666601 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS | 9.4 | M | 13 | ZeroCERT
  URLs (8):
    http://www.esteemquantum.life/oean/?xVMtBJhH=uMheGNtLG83DWb8+pJnijuSPYVQmK9z4N72e0RaWrMXJhQwFShq8v5/IEF769tewOnJp9UL0&1bw=L6Adp678CV6lYt-p
    http://www.freshmarketfood.com/oean/
    http://www.pickmeagift.com/oean/
    http://www.esteemquantum.life/oean/
    http://www.pickmeagift.com/oean/?xVMtBJhH=aW6dKdfNC0TaLCWk0cRKJvncxteqGHOu8KfgGkm+b/r8i9Fy2o3V6crNDDcDvNd+xgLUiAmx&1bw=L6Adp678CV6lYt-p
    http://www.biomig.net/oean/?xVMtBJhH=XgOOq6QvXYd3S2LwFPp7s1bJKMN7SvZCJ+ljzv9K68iz1Bzd2f3uX4ix7LPeYUhOuWXD9LqF&1bw=L6Adp678CV6lYt-p
    http://www.biomig.net/oean/
    http://www.freshmarketfood.com/oean/?xVMtBJhH=3T7LywsMgbRZsCqbDcaOpJcYrA1mIhtx4MuIxdOp/UIFVoYkxO76/uhqn4t2hcXy5gypmA3V&1bw=L6Adp678CV6lYt-p
  Hosts (13):
    www.neonatalfeedrates.com()
    www.esteemquantum.life(13.113.246.118)
    www.chefericcatering.com(23.227.38.74) - mailcious
    www.pickmeagift.com(34.102.136.180)
    www.freshmarketfood.com(154.216.110.171)
    www.ddmns6tzey2d.com()
    www.actusdumoment.com()
    www.biomig.net(213.186.33.5)
    13.113.246.118
    34.102.136.180 - mailcious
    213.186.33.5 - mailcious
    154.216.110.171
    23.227.38.74 - mailcious
  Alerts (2):
    ET INFO Observed DNS Query to .life TLD
    ET INFO HTTP Request to Suspicious *.life Domain

43794 | 2021-01-22 00:21 | win32.exe 1931f5b75ae8d9c14ec61cdd53e70f21 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS | 10.2 | M | 24 | ZeroCERT
  URLs (22):
    http://www.bickel.wtf/incn/?GVTD=RGE/cWUJuc7tcSqTAP+gX/nnKrq7afk6KP8dfym4YezssBE+jvWHjf7t1SEWyTMXjEqr1dSZ&a48=tXIxBnQhDP3L
    http://www.180wea.com/incn/
    http://www.sentire.design/incn/
    http://www.maisonscoeurdepivoine.com/incn/
    http://www.therandstadride.com/incn/?GVTD=8wX1QV1qWYl49rszJeTzbck9pXYYKDC67oRhcTB41onpIWQqFJPPZVIT+MJhrfKw4Dtyr3ZM&a48=tXIxBnQhDP3L
    http://www.therandstadride.com/incn/
    http://www.meritane.com/incn/?GVTD=Nc+BD9vs4+e4cECzWuWcLeKFWqdEC9nRQaTZZf49Ggwzlob125o+HeI1QO0cpRtIrhtUCGr3&a48=tXIxBnQhDP3L
    http://www.kaiyuansu.pro/incn/?GVTD=4y+UTKzHU4A6kuvXaYS74WaP+qCjnKVRzK/jF/x906cXBmLcUo8gxlVC8dbx5AF+KUuFRXVs&a48=tXIxBnQhDP3L
    http://www.enlightenedhealthcoaching.com/incn/
    http://www.meritane.com/incn/
    http://www.americanmarketedge.com/incn/?GVTD=pEuRuOfh0RPfl+oiP7k0h24+ZbJdO6NkpJaEurquBhTH7uFTgd2KPm6WV+g8bO15oKR+AHxs&a48=tXIxBnQhDP3L
    http://www.maisonscoeurdepivoine.com/incn/?GVTD=fpp5tzsDVw/boHH54xFz2lHuIJXrIy+MvJer49wUQ5nc5MDVdJwShsfT7qJbFiH8F+zIzFgI&a48=tXIxBnQhDP3L
    http://www.cathygass.com/incn/
    http://www.kaiyuansu.pro/incn/
    http://www.somright.com/incn/
    http://www.bickel.wtf/incn/
    http://www.cathygass.com/incn/?GVTD=V5Re+WzC2sGOxtPxWLRbc/hMewIuQBUuTdSbLO4SRNAW8zvmFoXi5zGaY5LI3OIdHMscm6dB&a48=tXIxBnQhDP3L
    http://www.180wea.com/incn/?GVTD=Sz3dszz1KVNc+BCS0cIR8dLOlzhJ3GRpiIaxFKw9EG065ZkIMAMyYd3MWGhyRr/sd99EsGlH&a48=tXIxBnQhDP3L
    http://www.sentire.design/incn/?GVTD=5ltUxrtqtF8SsvUdywSBkwhwumkFdmMXQM+4K6mrQNNQqM/0ADGIG9+v1h3p90Hn+Oe+pBf8&a48=tXIxBnQhDP3L
    http://www.enlightenedhealthcoaching.com/incn/?GVTD=POIZWkDj692E5dmcoJxHrl96tfitCI2EQH3I4lOKciTKVqVppac3P3ErgzEtcXkQplKPzCNh&a48=tXIxBnQhDP3L
    http://www.americanmarketedge.com/incn/
    http://www.somright.com/incn/?GVTD=7K3NAYrZE3cIvfbo6b4PZi12r/NG2k7uK0KaMfF8yQll7TEeAOn7HJqDdgdEMXlclzCf6XwD&a48=tXIxBnQhDP3L
  Hosts (24):
    www.enlightenedhealthcoaching.com(34.80.190.141)
    www.potlucks.net(91.195.241.137) - mailcious
    www.maisonscoeurdepivoine.com(91.121.39.102)
    www.bickel.wtf(44.227.76.166)
    www.180wea.com(154.204.174.86)
    www.kaiyuansu.pro(34.102.136.180)
    www.cathygass.com(198.185.159.144)
    www.sentire.design(198.185.159.145)
    www.americanmarketedge.com(3.137.48.156)
    www.somright.com(62.60.250.5)
    www.meritane.com(34.102.136.180)
    www.therandstadride.com(35.171.196.117)
    www.khocam.com()
    44.227.76.166 - mailcious
    62.60.250.5
    91.121.39.102
    35.171.196.117
    3.140.151.209 - mailcious
    154.204.174.86
    34.102.136.180 - mailcious
    34.80.190.141 - mailcious
    91.195.241.137 - mailcious
    198.185.159.145 - mailcious
    198.185.159.144 - mailcious

43795 | 2021-01-22 00:21 | vbc3.exe e09c5be82b79d79dc377271d67f92a89 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software | 13.2 | M | 27 | ZeroCERT
  URLs (1):
    http://papanwa.com/chief/offor/fre.php
  Hosts (2):
    papanwa.com(89.235.184.237)
    185.252.147.215
  Alerts (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Fake 404 Response

43796 | 2021-01-22 00:10 | vbc.exe e9ccfae9cb025410406a12538137c69f | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities AppData folder malicious URLs Windows | 13.0 | M | 38 | ZeroCERT
  URLs (4):
    http://www.vulcanudachi-proclub.com/eaud/?-Zu8_b3=0gUbOA7tMjRSIgsT4fVDJFMoLXaZpJXDHRG+cBYqA+jofG8O+HCMFeRJJZ4a+W5/c9Karx9b&CxoHs=2djDG
    http://www.glz-cc.com/eaud/
    http://www.glz-cc.com/eaud/?-Zu8_b3=Vm47xG0o1uJn0Ra0RXkLMOtvIic+pdia61rKwK4dBl+1Xhm18UA1axsctX2EX35jb9biJ3GQ&CxoHs=2djDG
    http://www.vulcanudachi-proclub.com/eaud/
  Hosts (16):
    www.dajiankang.love()
    www.sulpher.network()
    www.mersinsimsek.com(104.21.32.198)
    www.mettyapp.com(34.102.136.180) - mailcious
    www.guorunme.com(156.224.53.101) - mailcious
    www.glz-cc.com(84.16.73.17)
    www.realestatejewel.com()
    www.vulcanudachi-proclub.com(172.67.169.202)
    www.lebaronfuneraire.com(217.70.184.50) - mailcious
    www.bosman-smm.online()
    156.224.53.101 - mailcious
    34.102.136.180 - mailcious
    217.70.184.50 - mailcious
    104.21.32.198
    104.21.27.226
    84.16.73.17

43797 | 2021-01-22 00:09 | vbc2.exe 0705cb1278a79218eec9badca52ab8b3 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software | 13.2 | M | 20 | ZeroCERT
  URLs (1):
    http://okpana.com/chief/har/fre.php
  Hosts (2):
    okpana.com(185.22.153.203) - mailcious
    185.22.153.203
  Alerts (4):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

43798 | 2021-01-22 00:05 | TaAgente.exe 4cb563bf89a0407ba573f86a2f2a2030 | VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Cryptographic key | 4.8 | M | 26 | ZeroCERT
  Hosts (2):
    apps.saintsoporte.com(162.248.54.77) - malware
    162.248.54.77 - malware
  Alerts (3):
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    SURICATA Applayer Detect protocol only one direction

43799 | 2021-01-22 00:02 | svchost.exe 5aeb0da76f99119932bf52c3eb8b0767 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs | 9.8 | M | 31 | ZeroCERT
  URLs (28):
    http://www.inreachpt.com/gqx2/?jPg8=9/BKDbjRUTLHiCAkv4UrkvSCkC6DC2Rftex5RF517dla63TUfiGzTWKrNUH/ld7HE/txj1Uk&0rn=WHrpcFC0d
    http://www.enlightenedsoil.com/gqx2/?jPg8=cjip6uuPgbETVH3T8V+JPH7D0kYGWUsT6+5UMJSQ9+x3pL2tU/1BL2dojhljSS+Qzet3utIR&0rn=WHrpcFC0d
    http://www.thefanexam.com/gqx2/?jPg8=HrF3TVmG/JjI1PnvTLIIYpmn2zTORZwa7SZzfRngC4AhxnWytwZOrvMCggULKagFWCKc0ybP&0rn=WHrpcFC0d
    http://www.beepybox.online/gqx2/?jPg8=yCE81FN5kJDvf69H1zCHl1SnIq+u0HMqx0bFiExBcMqvSlXqSPdOcc4J90HIKOaEDs5PHmMh&0rn=WHrpcFC0d
    http://www.libraspeed.com/gqx2/?jPg8=6qqHzrP8Ew0N3qBcvLoa2iiZ2tjwRqllt0EEYSmVAScoxFQXiXz7/LqOYXVLNW/f4soD4emN&0rn=WHrpcFC0d
    http://www.com-cancel-payment-id655.com/gqx2/
    http://www.thefanexam.com/gqx2/
    http://www.com-cancel-payment-id655.com/gqx2/?jPg8=hzhb46uYekxeSjynDSvHSBZ+WScKj86Lzekpz01nr5Rqx8ccLecn3Up/ez6Dfz0AhJ7oHM6Z&0rn=WHrpcFC0d
    http://www.ohiotechreport.com/gqx2/
    http://www.tu4343.com/gqx2/?jPg8=c0uTa4Ry3vesai6lXTSfINFQpRrMtH1K87WBIlrG0XAtnO8wLGbiahB/6B1lfYrqembCPOk5&0rn=WHrpcFC0d
    http://www.tu4343.com/gqx2/
    http://www.beepybox.online/gqx2/
    http://www.shuhan.design/gqx2/?jPg8=+3QoYFPD3RQeYLjAYFhuJ6Cz2rhEMAU1T5a3j4/+hda+nWQNJZmKako0P2ib9ZGD25UQvPrc&0rn=WHrpcFC0d
    http://www.starlinkwebservices.com/gqx2/
    http://www.enlightenedsoil.com/gqx2/
    http://www.5200853.com/gqx2/
    http://www.bonus189.space/gqx2/?jPg8=5R1gPD5AcirPvdqxX3OEjI5TkTWkghjMkZYg470HlnfMN6fJZonrVNztkTKmxtrm7HwX4kWu&0rn=WHrpcFC0d
    http://www.shuhan.design/gqx2/
    http://www.zhjiaxiang.com/gqx2/?jPg8=WYs2CJQaHu7VDjmvT8HY/uenJ8IAuXAtr5EFzbfELRegL/XO6LMGY4Hpvd4bWrO2XC6qj4kB&0rn=WHrpcFC0d
    http://www.teacher-retirement-info.info/gqx2/?jPg8=OXVidlqG6XkfBKSTfRTYNsCHZ7Lzo3O37PQdrKyHFgPzio9FREHRskcmwWepUtod5GjdUGTA&0rn=WHrpcFC0d
    http://www.bonus189.space/gqx2/
    http://www.zhjiaxiang.com/gqx2/
    http://www.starlinkwebservices.com/gqx2/?jPg8=1oLdWJEa6RMPILHmU3RMDTTKV/8OlgAWvoSufNbfYqrB9zEOlffSJnN5c7l9eL53m4HAxa1z&0rn=WHrpcFC0d
    http://www.5200853.com/gqx2/?jPg8=D7HYjwmfjk7r2Ukao5V0C9NhbEdLEQDWgNm8jPt18Yf6jGPHPId8fj6QgnBzS3/GDME8Xiko&0rn=WHrpcFC0d
    http://www.inreachpt.com/gqx2/
    http://www.teacher-retirement-info.info/gqx2/
    http://www.libraspeed.com/gqx2/
    http://www.ohiotechreport.com/gqx2/?jPg8=IPC5rKMb5U2wGfsfh3591N/FvVXjYSZNx84XlhlRnNK1DZcHs5M0z52hyAuoszkEQc4vvPuF&0rn=WHrpcFC0d
  Hosts (26):
    www.kimscraftyresale.com()
    www.shuhan.design(192.185.35.76)
    www.tu4343.com(154.202.142.207)
    www.com-cancel-payment-id655.com(47.254.175.19)
    www.inreachpt.com(34.102.136.180)
    www.beepybox.online(64.98.145.30)
    www.bonus189.space(87.236.16.223)
    www.enlightenedsoil.com(34.80.190.141)
    www.thefanexam.com(13.35.101.98)
    www.5200853.com(198.200.62.230)
    www.libraspeed.com(3.137.48.156)
    www.ohiotechreport.com(34.102.136.180)
    www.starlinkwebservices.com(34.102.136.180)
    www.teacher-retirement-info.info(34.102.136.180)
    www.zhjiaxiang.com(156.254.253.78)
    64.98.145.30 - mailcious
    47.254.175.19 - phishing
    154.202.142.207
    99.84.233.196
    3.140.151.209
    34.102.136.180 - mailcious
    192.185.35.76
    198.200.62.230
    34.80.190.141 - mailcious
    87.236.16.223
    156.254.253.78

43800 | 2021-01-22 00:00 | obo.exe 1965c283581daeb2fc16e26de73839aa | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed | 10.4 | M | 31 | ZeroCERT