43966 | 2021-01-13 09:35 | i6vw7u.zip.exe 7750ba949e4b090260827a4d8be63efc VirusTotal Malware | 1.8 | M | 40 | ZeroCERT
43967 | 2021-01-13 09:21 | file1.exe c6a79aaad7ae2619ef0a38d08af79c83 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs | 9.2 | M | 42 | ZeroCERT
URLs (18): http://www.betwalkoffame.com/8rg4/ http://www.giftasmile2day.com/8rg4/ http://www.crafteest.com/8rg4/ http://www.bodyfuelrtd.com/8rg4/ http://www.bodyfuelrtd.com/8rg4/?kHQ4=A4ItsHP8Li20Ho4tzE1FqdRUH2iuHEJ7Bx0GuGGPjza4UX3M9OXu5tNGyT4QTCz5hKkgzm/W&D81h=O2MHdPkXO http://www.crafteest.com/8rg4/?kHQ4=UZP/0BHwZpoz7mAawfN1oLvS1pOV65j2qrD88SSsjEuRKlsL937L1SHvfEie1nqipCTchGw9&D81h=O2MHdPkXO http://www.johnsroadantiques.com/8rg4/?kHQ4=qLX5omwCy8B6uh18INhC5gWbtw/YaZymQR7Hq91dlzRMWz3TXYQYKbOUidDObHONAsCfGyB+&D81h=O2MHdPkXO http://www.tomatrader.com/8rg4/ http://www.johnsroadantiques.com/8rg4/ http://www.deutschekorrosionsschutz.net/8rg4/?kHQ4=fUUW/Jea5cA/DKOONFBgN1uiTlgk1tmNXmgCzqTgn/WqZBrBJd6M07glM592dpj8ni4GZGum&D81h=O2MHdPkXO http://www.giftasmile2day.com/8rg4/?kHQ4=sR6mXmiQP1VfpgZbalFao53tdftaP6KCaP+fBLIZC0+jJmH2nVBesjsihLBplGQSsRN9JQqY&D81h=O2MHdPkXO http://www.veteransc60.com/8rg4/ http://www.deutschekorrosionsschutz.net/8rg4/ http://www.tomatrader.com/8rg4/?kHQ4=osi+A10xhTC6/2XFMjJYmpHKyhIlbIEVA9ZkA2AeF5O/ngNAnrf5XwRnsTZ8MhZ0KXYMlSCd&D81h=O2MHdPkXO http://www.betwalkoffame.com/8rg4/?kHQ4=2O1fwdeR+ZJO02rk927Q48BQX3TemK8NUZTIJgoKX6XTObJpQPY82gAQUFaVGUGBWQKJ3eVB&D81h=O2MHdPkXO http://www.triagggroup.com/8rg4/ http://www.triagggroup.com/8rg4/?kHQ4=K2rufiHLD1a6kVi2Y5RpczlcUQQQ1/TYEtUAxTz/46ubTXsziv/5HpSVCeL4TaDK/opNOedx&D81h=O2MHdPkXO http://www.veteransc60.com/8rg4/?kHQ4=D2LmWfD9emrFkSR+NH3kUIYU1X1/MFF+05so5D8PRNnghRS2tnr/AnN0YEUfLqotPJzeuGbG&D81h=O2MHdPkXO
Hosts (16): www.veteransc60.com(34.102.136.180) www.crafteest.com(34.102.136.180) www.hechoenvegas.net() www.tootleshook.com() www.betwalkoffame.com(94.136.40.51) www.johnsroadantiques.com(34.102.136.180) www.triagggroup.com(34.102.136.180) www.tomatrader.com(207.244.67.215) www.bodyfuelrtd.com(34.102.136.180) www.giftasmile2day.com(184.168.131.241) www.deutschekorrosionsschutz.net(81.169.145.143) 184.168.131.241 - malicious 94.136.40.51 - malicious 81.169.145.143 - malicious 34.102.136.180 - malicious 64.32.8.70
43968 | 2021-01-13 09:18 | gg7ktq8.zip.exe af7dde49c27f97cd77b03a8ace70beea VirusTotal Malware | 1.6 | M | 39 | ZeroCERT
43969 | 2021-01-13 08:11 | bf2666c281488a8f_ar4u6sptay[1]... b1fc2bd56b00ed8144bcbf847ef0e8f8 VirusTotal Malware | 0.8 | | 17 | ZeroCERT
43970 | 2021-01-13 08:06 | http://www.mitraship.com/wp-co... 40fcbaf4b564b693ad3db6689a84eeed Dridex VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed | 5.0 | M | | ZeroCERT
Hosts (2): www.mitraship.com(107.180.2.39) - malware 107.180.2.39 - malware
Signatures (5): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
43971 | 2021-01-12 18:40 | 1.exe 1ff59d25828ac6ee321e571439410b12 VirusTotal Cryptocurrency Miner Malware Cryptocurrency SMB Traffic Potential Scan AutoRuns Check memory Creates executable files unpack itself Windows utilities Auto service Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows Browser ComputerName Remote Code Execution DNS
URLs (1): not listed
Hosts (764):
Signatures (5): ET POLICY Cryptocurrency Miner Checkin ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net ET POLICY Unsupported/Fake Windows NT Version 5.0 ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
14.6 | | 52 | ZeroCERT
43972 | 2021-01-12 18:20 | Cancelation_Form_73827.xls 8e0a65e9867cbfa3f1286f101edf6007 Dridex Malware Check memory Creates executable files unpack itself malicious URLs suspicious TLD Tofsee DNS crashed | 4.0 | M | | ZeroCERT
Hosts (2): fersite24.top(8.210.31.137) 8.210.31.137
Signatures (3): ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
43973 | 2021-01-12 18:12 | 5533.exe aa4531720d49c5da1f04409e2d306e67 VirusTotal Malware Check memory ICMP traffic ComputerName DNS | 4.8 | M | 47 | ZeroCERT
Hosts (4): updates.microsoft.com() menutorga.top() babidone.top(193.56.255.166) 193.56.255.166
Signatures (1): ET DNS Query to a *.top domain - Likely Hostile
43974 | 2021-01-12 17:19 | XZYjfbnrtjtnxsrg4008u.exe d684fa1626b63d9a17c8818a63a23975 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted RWX flags setting unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Browser Email ComputerName DNS Software | 13.4 | M | 21 | ZeroCERT
URLs (2): https://1drv.ws/u/s!Aq_FoTdPD9oAbrKvDTXSjqkQQmY?e=1QcqHS? https://hrarjw.am.files.1drv.com/y4miCUZLhWK4NJJSyF6rIJaETHrRJVW3YHcRkcv-naiM_58krty2OabzGKRcSlw4nqATQtO8Vrnw9zm_r15ISW16oiD8OFfZT-ntXF0T4xCNOER5wArITVetakfnLm-DL_1wDlKjqhTdYZ75vIYFlA23hbm8CTcfD67taHA3lpIrWGv39EGnRbVsmzgmW6K8WkDD0NCMvKlM9t8bAuwBnS_Bw/Jollx?download&psid=1
Hosts (6): 1drv.ws(168.235.93.122) - malicious hrarjw.am.files.1drv.com(13.107.42.12) worldpackmx.com(104.148.41.8) - malicious 168.235.93.122 - malicious 104.148.41.8 - malware 13.107.42.12 - malware
Signatures (8): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
43975 | 2021-01-12 17:18 | winlog2.exe 28525bacbafaf67335c51e61e0888ceb VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs | 9.8 | | 45 | ZeroCERT
URLs (2): http://www.lacorte.group/xle/?1b=96OrNXGTb2r8WSUyrljaRer+RupqUmsAfhZY6Tv0coGG0b5cqFk/Bsj5lwYTFoX/XWMISB45&3f=JDKDMFxx http://www.tknbr.com/xle/?1b=Rl1FUqEhAVGvT7vE/bktJFGFXueLf+JL64WsmKRsLeVQrOYnsryIoMH6Yo1cWIscPoVyZ9Wh&3f=JDKDMFxx
Hosts (5): www.tknbr.com(104.19.152.30) www.lacorte.group(194.58.112.174) www.tesfamariamtb.com() 104.19.151.30 194.58.112.174 - malicious
43976 | 2021-01-12 17:13 | Vwfdlbbi_Signed_.exe 6275a839b5071bf445539c8652d2b13b Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities malicious URLs Tofsee Windows DNS | 9.6 | M | 40 | ZeroCERT
URLs (1): https://0s0pua.bn.files.1drv.com/y4mOud0lHVldTubAsJs9HjQ2rv0tTD1LC-A5ugo81gbAgwrusjyVVHe2mRDdsUNXO2D5vmtTjOoJgCjQdJk4TC78EiDfie7WV-62k3QDf8nQh744Fu2odI9oWBHYtq5iDfapV7DYbTm4IKLGkmzzyv8RJmRnWKC6EdIF2OhExT0zVthjkU98T8Dq3y_XSnDePgSb4QO4DmkEFx6dqRReGJGUQ/Vwfdl?download&psid=1
Hosts (4): 1drv.ws(168.235.93.122) - malicious 0s0pua.bn.files.1drv.com(13.107.42.12) - malicious 168.235.93.122 - malicious 13.107.42.12 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
43977 | 2021-01-12 17:12 | winlog.exe bd018d7c0dacf69984d8c17f47803216 VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName | 3.0 | M | 24 | ZeroCERT
43978 | 2021-01-12 13:26 | Vwfdlbbi_Signed_.exe 6275a839b5071bf445539c8652d2b13b Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities malicious URLs Tofsee Windows DNS | 9.2 | M | 25 | ZeroCERT
URLs (1): https://0s0pua.bn.files.1drv.com/y4ms6VJnsiu6_em0mvDUAIry7BIECABJTmwLhfQm39ElxrileuPzl_ANSM5mcvN4KP6ke5sDSe-CTvzrng-STswngIx8GhnC1lRZ-0ieFZD--8jzu8AIFXR4OPtZinaqbg5EnWtG6LMiLQhzRxze_cOZk5cO6mN6eCyvnbrvVN9eXTr9TtHcHtuUzbN8Y5s4H0PkRsYkc8j1FOnUfsfKTtPYQ/Vwfdl?download&psid=1
Hosts (4): 1drv.ws(168.235.93.122) - malicious 0s0pua.bn.files.1drv.com(13.107.42.12) - malicious 168.235.93.122 - malicious 13.107.42.12 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
43979 | 2021-01-12 13:26 | vbc3.exe 4cf64bc5bbedb515fb360ecfd4093158 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed | 9.8 | M | 12 | ZeroCERT
43980 | 2021-01-12 13:19 | vbc2.exe 59777cac7301b98f1d56bf01e8dd38bb Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software | 14.4 | | 18 | ZeroCERT
URLs (1): http://azme-contractors.com/chief/boss/fre.php
Hosts (2): azme-contractors.com(213.159.212.148) 185.238.3.183
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response