| 44086 |
2021-01-06 12:44
|
BavwKzfNo6hxk.dll 9d7b87ffd95d99fd6116b9903905ed5d
VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
24 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44087 |
2021-01-06 12:38
|
BavwKzfNo6hxk.dll 9d7b87ffd95d99fd6116b9903905ed5d
VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
24 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44088 |
2021-01-06 12:33
|
BavwKzfNo6hxk.dll 9d7b87ffd95d99fd6116b9903905ed5d
VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44089 |
2021-01-06 12:29
|
BavwKzfNo6hxk.dll 9d7b87ffd95d99fd6116b9903905ed5d
VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44090 |
2021-01-06 12:26
|
BavwKzfNo6hxk.dll 9d7b87ffd95d99fd6116b9903905ed5d
VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44091 |
2021-01-06 12:10
|
5DVxvgK9jn5gaBl.exe cec5782c931581f13ce3c5d5b6a948a2
Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName DNS |
1
|
4
yz.videomarket.eu(185.157.162.81)
ip-api.com(208.95.112.1)
185.157.162.81 - mailcious
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
11.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44092 |
2021-01-06 12:09
|
QPR-3067.exe 1d11abb9dac9b15823d1bcad2b8b3675
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://185.206.215.56/morx/1/cgi.php
|
1
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
16.8 |
M |
27 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44093 |
2021-01-06 11:04
|
5DVxvgK9jn5gaBl.exe cec5782c931581f13ce3c5d5b6a948a2
Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName DNS |
1
|
4
yz.videomarket.eu(185.157.162.81)
ip-api.com(208.95.112.1)
185.157.162.81 - mailcious
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
10.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44094 |
2021-01-06 11:04
|
QPR-3067.exe 1d11abb9dac9b15823d1bcad2b8b3675
VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs Windows Cryptographic key |
|
|
|
|
12.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44095 |
2021-01-06 10:59
|
oscvkjfdg.exe 309d6364fda12fa061274bb9e9ea02c9
Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName |
9
http://regay.ac.ug/sqlite3.dll
http://regay.ac.ug/nss3.dll
http://regay.ac.ug/
http://regay.ac.ug/msvcp140.dll
http://regay.ac.ug/softokn3.dll
http://regay.ac.ug/mozglue.dll
http://regay.ac.ug/freebl3.dll
http://regay.ac.ug/main.php
http://regay.ac.ug/vcruntime140.dll
|
2
regay.ac.ug(185.215.113.77)
185.215.113.77 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
|
|
18.2 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44096 |
2021-01-06 10:58
|
nmode.exe 4abfa113c1177d7123f6e7974cb55824
unpack itself DNS |
|
|
|
|
2.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44097 |
2021-01-06 10:43
|
M21Y.dll e8321185b16458d8b3c0bbbbcf1f4c83
VirusTotal Malware PDB Malicious Traffic Checks debugger RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
|
2
75.188.107.174 - mailcious
75.109.111.18 - mailcious
|
|
|
7.8 |
M |
36 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44098 |
2021-01-06 10:35
|
CSEWRP2SOE.doc ad4bcb076364ee442f3f39da778bd020
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
1
http://90.160.138.175/ebcm0xsm82slhh/3ruzho/judyl618q6mm/2qquygyq7snqmwxq/oy8jhdwgb3q0yiccd/ - rule_id: 207
|
5
www.dirgantaratuba.com(202.67.13.163) - mailcious
astrologiaexistencial.com(31.22.4.141) - malware
90.160.138.175 - mailcious
202.67.13.163 - mailcious
31.22.4.141 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
|
5.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44099 |
2021-01-06 10:35
|
ATBL039LN.doc ad4bcb076364ee442f3f39da778bd020
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
1
http://90.160.138.175/uadbj60ddk90o/sinscgn5f1g93jpxs7/szhxd583txfj43/090kq9at2k8z/nf92vd6x1w5/walsps0j6w1fd3vao4i/ - rule_id: 207
|
5
www.dirgantaratuba.com(202.67.13.163) - mailcious
astrologiaexistencial.com(31.22.4.141) - malware
202.67.13.163 - mailcious
90.160.138.175 - mailcious
31.22.4.141 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
|
5.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44100 |
2021-01-06 10:31
|
__38810326881.doc a57197f6d468f2143536940bb13541a6
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
1
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
|
9
infoprocenter.com(185.225.36.38) - malware
miprimercamino.com(144.217.79.200) - malware
crt.sectigo.com(91.199.212.52)
obob.tv(5.45.114.71) - malware
91.199.212.52
125.0.215.60 - mailcious
185.225.36.38 - malware
5.45.114.71 - malware
144.217.79.200 - mailcious
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.0 |
M |
19 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|