| 43921 |
2021-01-15 17:14
|
LO-06.exe a71b92a0262b4067b2da39ad1f39bef5
Browser Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS keylogger |
|
2
whatgodcannotdodoestnotexist.duckdns.org(185.244.30.29) - mailcious
185.244.30.29
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
19.6 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43922 |
2021-01-15 10:59
|
invoice.exe 07d297371e6af555aa5ed31d423de4bc
VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43923 |
2021-01-15 10:58
|
5SVA7Ab.dll 7fea00378451a67e8ad1a95d337ca6a7
VirusTotal Malware unpack itself malicious URLs |
|
|
|
|
2.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43924 |
2021-01-14 23:06
|
yx.dll f484e05278de137cef239080249c859e
VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43925 |
2021-01-14 23:00
|
yhdl.exe d6affe0bfbe329109f5dc3e785fce0b4
VirusTotal Malware PDB Code Injection Malicious Traffic Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself malicious URLs AntiVM_Disk Ransom Message VM Disk Size Check installed browsers check Interception Browser ComputerName Remote Code Execution DNS |
32
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/bg_pic.png?v=20150511
http://passport.caihong.com/index/initlogin?callback=jQuery11110821830705750221_1610663705703&_=1610663705704
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/body.jpg?v=20200107
http://passport.caihong.com/index/proxy
http://zystatic.51img1.com/v1/passport/js/aes.js?v=2020100701001
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/login_btn_03.png
http://zystatic.51img1.com/v1/game/platform/act/wd/wd_common.css?v=20141031
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/bg_pic.png
http://zystatic.51img1.com/v1/smrz/css/alert.css?v=20180417001
http://hofosoft.cn/api/report.asp
http://zystatic.51img1.com/v1/passport/js/pad-zeropadding.js?v=2020100701001
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/bg_pic.png?v=20201006
http://zystatic.51img1.com/v1/passport/js/reglogin_micro.js?v=2020100701001
http://zystatic.51img1.com/v1/smrz/js/main.js?v=20180417001
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/css/style.css?v=6
http://jssetup.com/update/install/data2.zip
http://zystatic.51img1.com/v1/passport/js/weilogin.js?v=2020100701001
http://zystatic.51img1.com/v1/passport/js/reglogin_mobile.js?v=2020100701001
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/bg_pic.png?v=20151012
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/xiaoyu_logo.png?v=20200107
http://micro.caihong.com/client/index/yhdl
http://zystatic.51img1.com/v1/global/css/layer.css?v=202010081392224
http://zystatic.51img1.com/v1/global/js/foui.js?v=2020100701001
http://zystatic.51img1.com/v1/game/platform/js/slider.js?v=2020100701001
http://micro.52xiaoyu.com/client/index/yhdl
http://tg.51.com/install/wd/a.html?mac=60004d4bdb4285.95767807&time=1610632523&game_ename=yhdl&ch=&token=f9e33d7f0cf630e19949b3e7ecb5f322&fb=wdyhdl
http://zystatic.51img1.com/v1/global/js/foui_dialog.js?v=2020100701001
http://zystatic.51img1.com/v1/global/js/jquery.js?v=2020100701001
http://zystatic.51img1.com/v1/passport/js/reglogin_micro.js?v=20160109001
http://zystatic.51img1.com/v1/game/platform/act/wd/yhdl/images/body_bg2.png?v=20200107
http://cdn.51img3.com/game/2020/202001/20200106/b3e68b0e2621b677d1d318c0bd7a640f.jpg
http://zystatic.51img1.com/v1/global/js/global.js?v=2020100701001
|
15
cdn.51img3.com(139.170.153.240)
jssetup.com(180.76.12.18)
micro.52xiaoyu.com(140.143.213.129)
hofosoft.cn(139.199.14.96)
passport.caihong.com(154.8.189.48)
zystatic.51img1.com(139.170.156.190)
micro.caihong.com(140.143.213.129)
tg.51.com(123.206.1.69)
123.206.1.69
139.199.14.96
180.76.12.18
42.63.21.203
154.8.189.48
59.80.39.108 - malware
140.143.213.129
|
|
|
10.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43926 |
2021-01-14 22:55
|
winlog.exe cd925558146dc80ccf028ce0e9a5c542
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
2
http://www.parkdaleliving.com/c8so/?Dz=cEUYti5eW5doMmTRfx60LfZoJb25X1Xzf5+VnWSK+GQ+zoFUxocKFVTuRcmC/4GKl4vgcySZ&lnud=Txll_F5
http://www.parkdaleliving.com/c8so/
|
5
www.parkdaleliving.com(184.168.131.241)
www.magazinepodcastcce.com()
www.heliaoyixue.com(154.212.39.175)
154.212.39.175
184.168.131.241 - mailcious
|
|
|
10.8 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43927 |
2021-01-14 22:53
|
xAL2ZKjESrfO.dll e90ffc58b3d9d3237121a3af6d05b927
VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43928 |
2021-01-14 21:53
|
vbc.exe 348c5527c97fb01007036353fc566fe3
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS crashed |
|
|
|
|
12.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43929 |
2021-01-14 21:53
|
vbc2.exe 7c0158f3cf2b6d843226e3a1a86cc11f
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://lmpulsefashion.net/chief/boss/fre.php
|
2
lmpulsefashion.net(95.181.155.66)
5.34.180.165
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
12.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43930 |
2021-01-14 21:38
|
TRSU3GWU9YT1QG.doc 891461e859d74c54f7c50edcf2377d05
Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://www.solicon.us/allam-cycle-1c4gn/f5z/
http://88.255.216.16/landpage?op=1&ms=http://avadnansahin.com/wp-includes/w/
|
11
avadnansahin.com(109.232.216.177) - mailcious
remediis.com(5.2.81.171) - malware
www.solicon.us(52.172.204.196)
solicon.us(52.172.204.196) - malware
www.riparazioni-radiotv.com(89.46.104.24) - malware
109.232.216.177 - mailcious
88.255.216.16
5.2.81.171 - mailcious
52.172.204.196 - mailcious
71.72.196.159 - mailcious
89.46.104.24 - phishing
|
7
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET CNC Feodo Tracker Reported CnC Server group 21
|
|
5.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43931 |
2021-01-14 21:38
|
tttt.jpg.exe c82ca6c32016c3867edf5263e33687f8
Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.71)
216.146.43.70 - suspicious
104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43932 |
2021-01-14 21:30
|
tfsoft.exe 1d6edfa073e4a8f072df28cfd5321bba
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic buffers extracted ICMP traffic unpack itself Windows utilities Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware VM Disk Size Check Tofsee Windows crashed |
6
http://cdn.cuilet.com/API/General/client_log_user
http://cdn.cuilet.com/API/General/lsrpu
http://apps.game.qq.com/comm-htdocs/ip/get_ip.php
http://gweish.com/api/r/mcm
http://cdn.cuilet.com/api/filegoto1/81b1e3e4c7ac0cfc
https://sp0.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=175.208.134.150&resource_id=6006&ie=utf8&oe=gbk&format=json
|
12
cdn.qqb3.com(27.221.54.238)
cdn.cuilet.com(58.20.197.195)
apps.game.qq.com(180.163.15.188)
gweish.com(139.196.170.216)
21yp37sq.sched.sma.tdnsv5.com(27.221.54.238)
sp0.baidu.com(104.193.88.77)
cdn.sackow.com(116.162.88.114)
cdn.sackow.com.cdn.dnsv1.com(58.20.197.205)
119.63.197.139
101.71.72.225
180.163.26.100
139.196.170.216
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43933 |
2021-01-14 21:30
|
svchost.exe deed11e2b4b23dbe0c9ef99b5390bd6f
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process malicious URLs VMware anti-virtualization ComputerName DNS Software |
2
http://www.rainbowhillsswimclub.com/kgw/?ofuxZr=/BXskQYSWXqmt7ypmlCXJh2TCoAVF6NqB2WeTBlmFvbTOR+KAyZC7kmLTs16RdrcUads/AWN&1bw=L6Ahp0_Psf-pdD-p
http://www.covaxbiotech.com/kgw/?ofuxZr=+msQwce7/ohVs9T0Bt/IQrx3+yFGRRQoMiijFcvEE/PpMYLwPWsQehMCZTZ869RqGQywkOTy&1bw=L6Ahp0_Psf-pdD-p
|
4
www.covaxbiotech.com(34.102.136.180)
www.rainbowhillsswimclub.com(154.218.55.251)
34.102.136.180 - mailcious
154.218.55.251
|
|
|
14.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43934 |
2021-01-14 18:27
|
regasm.exe bdcead3de71d101dc2d02676be1c9df5
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
16
http://www.arthalvorsonforcongress.com/qccq/
http://www.sentryhilllegal.com/qccq/
http://www.delhikigully.com/qccq/
http://www.magicdfw.com/qccq/
http://www.rootkit.global/qccq/?DbG=rTewgpI3qOx8f6CClEx6/kbXSqPdl6GspCPXRgshyEzLUkirGrT5/geLA0xJVOlgQXkDIovT&QZ3=ehutZ83HsZ-HpV
http://www.thejusticeadvantageseminars.com/qccq/
http://www.rootkit.global/qccq/
http://www.houserbuilders.com/qccq/?DbG=yTC3SBoauVnyVX105uvOFWW56mN4eHMJDcTl1edi1dFQ0sqL/17UDO/Y3GXv8lE8ElVIDKQq&QZ3=ehutZ83HsZ-HpV
http://www.delhikigully.com/qccq/?DbG=EX6gXufmfAKpNTWO8MF5os5AIxsXGf1tuUZgpi0Y0vXCX6/wBXx1NcJtAau1z62qE3Z+UI7i&QZ3=ehutZ83HsZ-HpV
http://www.houserbuilders.com/qccq/
http://www.sentryhilllegal.com/qccq/?DbG=gxNAjS6/xzvS1cA+THK4DVhKu7NmJhZ1tIRRPOrDUj75SN/L5lcvplYqcaC4bQmYnr211rtU&QZ3=ehutZ83HsZ-HpV
http://www.vendorsforproductions.com/qccq/
http://www.vendorsforproductions.com/qccq/?DbG=c7xKfZo7Wibhr2nhwE3oCDNV7hcVbR+suxiUr910VdLR3iqp5fCLoZoU6Mn7p4jlZyNU4tFc&QZ3=ehutZ83HsZ-HpV
http://www.magicdfw.com/qccq/?DbG=XVgEIlN8VMFTYJu8MTslf//mD7W1yz1wjYH1Lp2ZkcYDzzIxsQZF43pH8J7AY/YmN8YneCgf&QZ3=ehutZ83HsZ-HpV
http://www.arthalvorsonforcongress.com/qccq/?DbG=Mee/UfBbKs7hjt47KZA8F3cVabgZOUARY2p2/mU2IoU/+1QecldXQJ31HwUG93HGJVUSY9Ar&QZ3=ehutZ83HsZ-HpV
http://www.thejusticeadvantageseminars.com/qccq/?DbG=5QwZZzh79wULRlGYtpqXFTvkqVVQqJUl4ZwBwI0xw9VJU9XwkaBCfeMzead3CDJrVEKSeYi+&QZ3=ehutZ83HsZ-HpV
|
16
www.delhikigully.com(34.102.136.180)
www.sentryhilllegal.com(34.102.136.180)
www.magicdfw.com(3.16.142.83)
www.ahrohishrestha.com()
www.rootkit.global(34.102.136.180)
www.arthalvorsonforcongress.com(76.223.26.96)
www.houserbuilders.com(192.155.166.172)
www.rujgyolhb.icu()
www.y-agency.net()
www.thejusticeadvantageseminars.com(34.102.136.180)
www.vendorsforproductions.com(35.186.238.101)
35.186.238.101 - suspicious
192.155.166.172
34.102.136.180 - mailcious
3.16.142.83
76.223.26.96
|
1
ET INFO DNS Query for Suspicious .icu Domain
|
|
8.8 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43935 |
2021-01-14 18:27
|
SlyOzj2S7kfU8q.php.exe 9ea3fb3f680abbd409a76bb590db83f0
Remote Code Execution |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|