| 43876 |
2021-01-19 20:06
|
dir1.exe 257331ce21922bcbf76f740b83278672
VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43877 |
2021-01-19 19:52
|
a.bat b069d57216e8231d7afba2cf8d6cffca
VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
|
|
|
6.0 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43878 |
2021-01-19 19:51
|
xp.exe 9d90a61620ab938eff9b8cf385330d18
VirusTotal Malware AutoRuns Check memory Windows DNS |
|
1
|
|
|
3.2 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43879 |
2021-01-19 19:42
|
winlog2.exe d4982ab3c53ad21f2b1b96f7ae8042d4
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
2
http://www.thesoakcpd.com/aky/?GXIPO=79No+51RoBpSajMFB51TrsSPEllet6PQDvJRzjw6lOViT8JDJpLcb/HEtX6ZEGKHiTboBuhO&Jt7=XPI4nRqP
http://www.smart-acumen.com/aky/?GXIPO=gOwobIXy2IrYnjIaG3AwDKClj9vAMng9gwfaZLjIn7fq+uvMrAEaK1rCIShrRt35Jdqv46QK&Jt7=XPI4nRqP
|
6
www.thesoakcpd.com(217.160.0.15)
www.2125lynchmere.com(69.10.230.169) - mailcious
www.smart-acumen.com(5.181.216.128)
217.160.0.15 - malware
69.10.230.169 - mailcious
5.181.216.128
|
|
|
10.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43880 |
2021-01-19 19:42
|
winlog3.exe 04d511a27304f93e708f91308d483358
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
2
http://www.proficienthomesalesandloans.com/xle/?v2=5S2M2nsEvat/dw0yRB1RkESwrzTYNHZJ7j4TXZ4MxpAWYPjGG3hrjdTwbpfFrY/lcnWByFuo&CZ=7nEtZrt
http://www.marriedandmore.com/xle/?v2=aVWK+ivfpDz//JmOCtLdGJnMdpuThj8cJzWoubWvv0m/5hyGdZ39Cj79Ss59g+kNi/ikGGLa&CZ=7nEtZrt
|
4
www.proficienthomesalesandloans.com(104.21.19.111)
www.marriedandmore.com(192.185.0.218)
192.185.0.218
172.67.186.1
|
|
|
8.2 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43881 |
2021-01-19 18:04
|
win32.exe 1c68b56f273eab047eccce3cbad492a5
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
16
http://www.yamadaya-online.com/incn/?XrFPa4XH=tPtCc93X/sb9UbP+l4A76+cJlJHtHytkDIrsxQJaEiDHZvaIL76kC0R23INoY77N5mLjMrBy&Ezut_N=3fX0
http://www.roofers-anaheim.com/incn/
http://www.eot0luh5ia.men/incn/
http://www.beyond-bit.com/incn/
http://www.beyond-bit.com/incn/?XrFPa4XH=YrtWNBgmb2ekH5/VSSeCtKksfbKwFZQCaaVwoI4/63osree27xmVnVuRuJBQ3d45WgaAp3o7&Ezut_N=3fX0
http://www.thesalesforceradi.computer/incn/
http://www.eot0luh5ia.men/incn/?XrFPa4XH=m4ouVyUl+s1c6t7cszZ4V57VzBx9sXZE6H4CZFy3XB5LKVwpZiMCZcEYOl8HQzHkmwC71lWh&Ezut_N=3fX0
http://www.thetealworld.com/incn/?XrFPa4XH=dwvtlaotYkEyrLXKKUNICGoHUTiqAIVqRPA9lUT4Pm7DxJ7jY96duxNsxexTTlPBKInL+yPH&Ezut_N=3fX0
http://www.intelligentsystemsus.com/incn/
http://www.yamadaya-online.com/incn/
http://www.thesalesforceradi.computer/incn/?XrFPa4XH=g8zBe+Wa8Qd2A7rK8cCUF2Brh4XZZOnsa4HOniGhpjs2/eT6ajFnfTKGxgb7F533HNhicgtO&Ezut_N=3fX0
http://www.c2ornot.com/incn/?XrFPa4XH=NJdx5BFH2ciFg3yxHRPJJJPEQqcuzsVvmh3UEKgvJGOG0O5tJ9LkJEChKyJimPBpe4iUY/xD&Ezut_N=3fX0
http://www.thetealworld.com/incn/
http://www.c2ornot.com/incn/
http://www.intelligentsystemsus.com/incn/?XrFPa4XH=ktJfcA9BiEpmnMDigbLVmOfBkEQJoyy1/Xj7PlRrl/Pge5lD6F8CuIkUSNL0wu0J8v1gJUXD&Ezut_N=3fX0
http://www.roofers-anaheim.com/incn/?XrFPa4XH=Qbt4NfiTyPusL7LT90toHONuWmgRFYghRGt6Z/DxFkzDdX55oqsfrtFqD/aXkhe974+tUcDj&Ezut_N=3fX0
|
18
www.yamadaya-online.com(23.227.38.74)
www.roofers-anaheim.com(50.62.160.230)
www.c2ornot.com(156.252.101.208)
www.pjy589.com(194.113.169.32)
www.thetealworld.com(198.49.23.144)
www.thesalesforceradi.computer(198.54.117.215)
www.intelligentsystemsus.com(74.208.236.121)
www.eot0luh5ia.men(104.21.47.209)
www.beyond-bit.com(34.102.136.180)
50.62.160.230
198.54.117.212 - mailcious
156.252.101.208
194.113.169.32
198.49.23.145 - mailcious
34.102.136.180 - mailcious
104.21.47.209
74.208.236.121 - mailcious
23.227.38.74 - mailcious
|
|
|
9.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43882 |
2021-01-19 18:03
|
winlog.exe b66575e9b08b09e31b3bc4089965474b
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory unpack itself suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
|
1
blueriiver-eu.com(0.0.0.0) - mailcious
|
|
|
9.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43883 |
2021-01-19 17:58
|
svchost.exe 3096a3c81ff6c435ded33765f5f10be1
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself suspicious process malicious URLs Windows ComputerName DNS Cryptographic key |
|
|
|
|
8.4 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43884 |
2021-01-19 17:57
|
vbc.exe c6091ddf2745b7edcfa535d727ea7b7a
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
|
1
|
|
|
12.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43885 |
2021-01-19 17:33
|
s.exe dbf1dde293475eccf03f89c27399e631
VirusTotal Malware AutoRuns Check memory buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion Tofsee Windows Gmail Advertising Google ComputerName Remote Code Execution DNS DDNS crashed keylogger Downloader |
14
http://e87ue2.vaiwan.com/e/9085/esp.zip
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
http://xred.site50.net/syn/Synaptics.rar
http://213.176.40.125:94/xp.exe
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://doc-00-3s-docs.googleusercontent.com/docs/securesc/6io358jaeodvuoa3bvgr9ro840kjc5b9/3vam5ftlr2lto2nrrav74oc025cptvh3/1611044925000/12988806548615432052/12709860803453301647Z/0BxsMXGfPIZfSTmlVYkxhSDg5TzQ?e=download
https://www.000webhost.com/migrate?static=true
https://s1-i47p.5588888.xyz/e/9085/esp.zip
https://docs.google.com/nonceSigner?nonce=la098gnd5s1mu&continue=https://doc-00-3s-docs.googleusercontent.com/docs/securesc/6io358jaeodvuoa3bvgr9ro840kjc5b9/3vam5ftlr2lto2nrrav74oc025cptvh3/1611044925000/12988806548615432052/12709860803453301647Z/0BxsMXGfPIZfSTmlVYkxhSDg5TzQ?e%3Ddownload&hash=47ndji8u26porgjkv55a8lh0r6sks8ol
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/dl/zhp1b06imehwylq/Synaptics.rar
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
https://doc-00-3s-docs.googleusercontent.com/docs/securesc/6io358jaeodvuoa3bvgr9ro840kjc5b9/3vam5ftlr2lto2nrrav74oc025cptvh3/1611044925000/12988806548615432052/12709860803453301647Z/0BxsMXGfPIZfSTmlVYkxhSDg5TzQ?e=download&nonce=la098gnd5s1mu&user=12709860803453301647Z&hash=d8ic5re6m2v4igbusnkpb0pie42duqri
https://doc-08-3s-docs.googleusercontent.com/docs/securesc/6io358jaeodvuoa3bvgr9ro840kjc5b9/4e745kpj1bo71vv0ioak2rt56ojmbjnb/1611045000000/12988806548615432052/12709860803453301647Z/0BxsMXGfPIZfSVlVsOGlEVGxuZVk?e=download
|
24
e87ue2.vaiwan.com(114.55.250.207)
www.000webhost.com(104.18.107.8)
doc-00-3s-docs.googleusercontent.com(172.217.175.33) - mailcious
freedns.afraid.org(69.42.215.252)
docs.google.com(172.217.26.14) - mailcious
xred.site50.net(153.92.0.100)
doc-08-3s-docs.googleusercontent.com(172.217.175.33) - malware
www.dropbox.com(162.125.80.18) - mailcious
smtp.gmail.com(108.177.97.108)
s1-i47p.5588888.xyz(159.138.27.248)
xred.mooo.com()
162.125.80.18 - mailcious
114.55.250.207
159.138.27.248
104.18.108.8
216.58.221.225 - malware
140.82.59.108
153.92.0.100 - mailcious
50.23.197.95
64.233.189.109
213.176.40.125
142.250.199.65
212.95.148.53 - malware
172.217.24.206 - mailcious
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
ET POLICY Dropbox.com Offsite File Backup in Use
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING Suspicious User-Agent Containing .exe
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
16.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43886 |
2021-01-19 11:32
|
regasm2.exe 7741e4266e8d98231cb6b0b89b1f4e9a
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://okpana.com/chief/kev/fre.php
|
2
okpana.com(45.128.206.183)
45.128.206.183
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
14.0 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43887 |
2021-01-19 11:31
|
regasm.exe 786180a5141bf4ea48e26910d2bf9061
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself malicious URLs |
|
|
|
|
5.8 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43888 |
2021-01-19 11:28
|
KUT.exe 40c5609d0196211eae06a33b3bae5ec8
VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself suspicious process malicious URLs WriteConsoleW Windows Cryptographic key keylogger |
|
2
wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu(37.230.130.127)
37.230.130.127
|
|
|
15.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43889 |
2021-01-19 11:28
|
IMG_26017.pdf.exe 3638367090aa7b5f444c76c0d1af9582
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.113.70)
216.146.43.71
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
16.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43890 |
2021-01-19 11:17
|
IMG_6007.pdf.exe 27970a1a59a9e4f39aed843e55e31ae0
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.113.70)
172.67.188.154
131.186.161.70
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.0 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|