Sandbox report listing, one record per submission. Fields as reconstructed from the flattened table: report ID, submission time, file name, MD5, tags, URLs, hosts, Suricata signatures, score, flag, VirusTotal detections, submitter.

44086 | 2021-01-06 12:44
  File:          BavwKzfNo6hxk.dll
  MD5:           9d7b87ffd95d99fd6116b9903905ed5d
  Tags:          VirusTotal Malware PDB
  Score:         1.4
  Flag:          M
  VT detections: 24
  Submitter:     조광섭

44087 | 2021-01-06 12:38
  File:          BavwKzfNo6hxk.dll
  MD5:           9d7b87ffd95d99fd6116b9903905ed5d
  Tags:          VirusTotal Malware PDB
  Score:         1.4
  Flag:          M
  VT detections: 24
  Submitter:     조광섭

44088 | 2021-01-06 12:33
  File:          BavwKzfNo6hxk.dll
  MD5:           9d7b87ffd95d99fd6116b9903905ed5d
  Tags:          VirusTotal Malware PDB
  Score:         1.4
  Flag:          M
  VT detections: 24
  Submitter:     guest

44089 | 2021-01-06 12:29
  File:          BavwKzfNo6hxk.dll
  MD5:           9d7b87ffd95d99fd6116b9903905ed5d
  Tags:          VirusTotal Malware PDB
  Score:         1.4
  Flag:          M
  VT detections: 24
  Submitter:     guest

44090 | 2021-01-06 12:26
  File:          BavwKzfNo6hxk.dll
  MD5:           9d7b87ffd95d99fd6116b9903905ed5d
  Tags:          VirusTotal Malware PDB
  Score:         1.4
  Flag:          M
  VT detections: 24
  Submitter:     guest

44091 | 2021-01-06 12:10
  File:          5DVxvgK9jn5gaBl.exe
  MD5:           cec5782c931581f13ce3c5d5b6a948a2
  Tags:          Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName DNS
  URLs:          1 (not listed)
  Hosts (4):
    yz.videomarket.eu (185.157.162.81)
    ip-api.com (208.95.112.1)
    185.157.162.81 - malicious
    208.95.112.1
  Signatures (1):
    ET POLICY External IP Lookup ip-api.com
  Score:         11.4
  Flag:          M
  Submitter:     ZeroCERT

44092 | 2021-01-06 12:09
  File:          QPR-3067.exe
  MD5:           1d11abb9dac9b15823d1bcad2b8b3675
  Tags:          Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
  URLs (1):
    http://185.206.215.56/morx/1/cgi.php
  Hosts:         1 (not listed)
  Signatures (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Score:         16.8
  Flag:          M
  VT detections: 27
  Submitter:     guest

44093 | 2021-01-06 11:04
  File:          5DVxvgK9jn5gaBl.exe
  MD5:           cec5782c931581f13ce3c5d5b6a948a2
  Tags:          Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName DNS
  URLs:          1 (not listed)
  Hosts (4):
    yz.videomarket.eu (185.157.162.81)
    ip-api.com (208.95.112.1)
    185.157.162.81 - malicious
    208.95.112.1
  Signatures (1):
    ET POLICY External IP Lookup ip-api.com
  Score:         10.8
  Submitter:     ZeroCERT

44094 | 2021-01-06 11:04
  File:          QPR-3067.exe
  MD5:           1d11abb9dac9b15823d1bcad2b8b3675
  Tags:          VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs Windows Cryptographic key
  Score:         12.2
  Flag:          M
  VT detections: 27
  Submitter:     ZeroCERT

44095 | 2021-01-06 10:59
  File:          oscvkjfdg.exe
  MD5:           309d6364fda12fa061274bb9e9ea02c9
  Tags:          Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName
  URLs (9):
    http://regay.ac.ug/sqlite3.dll
    http://regay.ac.ug/nss3.dll
    http://regay.ac.ug/
    http://regay.ac.ug/msvcp140.dll
    http://regay.ac.ug/softokn3.dll
    http://regay.ac.ug/mozglue.dll
    http://regay.ac.ug/freebl3.dll
    http://regay.ac.ug/main.php
    http://regay.ac.ug/vcruntime140.dll
  Hosts (2):
    regay.ac.ug (185.215.113.77)
    185.215.113.77 - malware
  Signatures (3):
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
    ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  Score:         18.2
  Flag:          M
  VT detections: 44
  Submitter:     ZeroCERT

44096 | 2021-01-06 10:58
  File:          nmode.exe
  MD5:           4abfa113c1177d7123f6e7974cb55824
  Tags:          unpack itself DNS
  Score:         2.4
  Flag:          M
  Submitter:     ZeroCERT

44097 | 2021-01-06 10:43
  File:          M21Y.dll
  MD5:           e8321185b16458d8b3c0bbbbcf1f4c83
  Tags:          VirusTotal Malware PDB Malicious Traffic Checks debugger RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
  Hosts (2):
    75.188.107.174 - malicious
    75.109.111.18 - malicious
  Score:         7.8
  Flag:          M
  VT detections: 36
  Submitter:     r0d

44098 | 2021-01-06 10:35
  File:          CSEWRP2SOE.doc
  MD5:           ad4bcb076364ee442f3f39da778bd020
  Tags:          Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
  URLs (1):
    http://90.160.138.175/ebcm0xsm82slhh/3ruzho/judyl618q6mm/2qquygyq7snqmwxq/oy8jhdwgb3q0yiccd/ - rule_id: 207
  Hosts (5):
    www.dirgantaratuba.com (202.67.13.163) - malicious
    astrologiaexistencial.com (31.22.4.141) - malware
    90.160.138.175 - malicious
    202.67.13.163 - malicious
    31.22.4.141 - malware
  Signatures (5):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  Additional count (column unlabeled on page): 1
  Score:         5.4
  Flag:          M
  VT detections: 32
  Submitter:     ZeroCERT

44099 | 2021-01-06 10:35
  File:          ATBL039LN.doc
  MD5:           ad4bcb076364ee442f3f39da778bd020
  Tags:          Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
  URLs (1):
    http://90.160.138.175/uadbj60ddk90o/sinscgn5f1g93jpxs7/szhxd583txfj43/090kq9at2k8z/nf92vd6x1w5/walsps0j6w1fd3vao4i/ - rule_id: 207
  Hosts (5):
    www.dirgantaratuba.com (202.67.13.163) - malicious
    astrologiaexistencial.com (31.22.4.141) - malware
    202.67.13.163 - malicious
    90.160.138.175 - malicious
    31.22.4.141 - malware
  Signatures (5):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  Additional count (column unlabeled on page): 1
  Score:         5.4
  Flag:          M
  VT detections: 32
  Submitter:     ZeroCERT

44100 | 2021-01-06 10:31
  File:          __38810326881.doc
  MD5:           a57197f6d468f2143536940bb13541a6
  Tags:          Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
  URLs (1):
    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
  Hosts (9):
    infoprocenter.com (185.225.36.38) - malware
    miprimercamino.com (144.217.79.200) - malware
    crt.sectigo.com (91.199.212.52)
    obob.tv (5.45.114.71) - malware
    91.199.212.52
    125.0.215.60 - malicious
    185.225.36.38 - malware
    5.45.114.71 - malware
    144.217.79.200 - malicious
  Signatures (5):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  Score:         5.0
  Flag:          M
  VT detections: 19
  Submitter:     r0d
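Turning a listing like this into something a SOC can act on needs two steps the raw rows do not do for you: merge resubmissions of the same file by MD5 (several reports above share a hash), and separate the hosts the sandbox actually labelled as malicious or malware from benign infrastructure the sample merely touched (ip-api.com for the external IP lookup, crt.sectigo.com for a certificate fetch), which must not end up on a blocklist. The script below is an added example, not the sandbox's own export tooling. ROWS is transcribed from four of the records above (report ID, MD5, hosts cell, Suricata cell, with the raw export's "mailcious" spelling of the label kept so the parser has to fold it); the field names and the rule that promotes a hostname to an IOC when its resolved address is labelled elsewhere in the same row are this example's own assumptions.

```python
"""Normalize flattened sandbox listing rows into a per-sample IOC set.

Added example, not the sandbox's own code. ROWS is transcribed from the
listing; field names and the hostname-promotion rule are assumptions.
"""
import re
from collections import defaultdict

# Transcribed from the listing. Hosts cells keep the raw label spelling
# ("mailcious"), which parse_hosts() folds into "malicious".
ROWS = [
    (44091, "cec5782c931581f13ce3c5d5b6a948a2",
     "yz.videomarket.eu(185.157.162.81) ip-api.com(208.95.112.1) "
     "185.157.162.81 - mailcious 208.95.112.1",
     "ET POLICY External IP Lookup ip-api.com"),
    (44093, "cec5782c931581f13ce3c5d5b6a948a2",  # resubmission of the same file
     "yz.videomarket.eu(185.157.162.81) ip-api.com(208.95.112.1) "
     "185.157.162.81 - mailcious 208.95.112.1",
     "ET POLICY External IP Lookup ip-api.com"),
    (44095, "309d6364fda12fa061274bb9e9ea02c9",
     "regay.ac.ug(185.215.113.77) 185.215.113.77 - malware",
     "ET POLICY PE EXE or DLL Windows file download HTTP "
     "ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 "
     "ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil"),
    (44100, "a57197f6d468f2143536940bb13541a6",
     "infoprocenter.com(185.225.36.38) - malware miprimercamino.com(144.217.79.200) - malware "
     "crt.sectigo.com(91.199.212.52) obob.tv(5.45.114.71) - malware 91.199.212.52 "
     "125.0.215.60 - mailcious 185.225.36.38 - malware 5.45.114.71 - malware "
     "144.217.79.200 - mailcious",
     "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
     "ET POLICY PE EXE or DLL Windows file download HTTP "
     "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download "
     "ET INFO EXE - Served Attached HTTP "
     "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"),
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One host entry: "name(ip) - label"; "(ip)" and " - label" are both optional.
HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9][A-Za-z0-9.\-]*)"
    r"(?:\((?P<ip>" + IPV4 + r")\))?"
    r"(?:\s+-\s+(?P<label>mailcious|malicious|malware)\b)?"
)
IP_RE = re.compile("^" + IPV4 + "$")
# Suricata alerts are run together in one cell; each begins with an ET class or "SSLBL:".
SIG_SPLIT_RE = re.compile(r"\s+(?=ET [A-Z]+ |SSLBL: )")
LABELS = {"mailcious": "malicious", "malicious": "malicious", "malware": "malware"}


def parse_hosts(cell):
    """Split a hosts cell into dicts of name / resolved ip / normalized label."""
    return [{"name": m["name"], "ip": m["ip"], "label": LABELS.get(m["label"])}
            for m in HOST_RE.finditer(cell)]


def parse_signatures(cell):
    return [s for s in SIG_SPLIT_RE.split(cell) if s]


def extract_iocs(rows):
    """Merge rows by MD5 and sort network artifacts into IOCs vs. context.

    An entry is an IOC if it carries a reputation label, or if it is a
    hostname whose resolved IP is labelled elsewhere in the same row.
    Everything else (ip-api.com, crt.sectigo.com and their addresses) is
    infrastructure the sample merely touched and is kept as context only.
    """
    by_hash = defaultdict(lambda: {"reports": [], "domains": set(), "ips": set(),
                                   "context": set(), "signatures": set()})
    for report_id, md5, hosts_cell, sig_cell in rows:
        entry = by_hash[md5]
        entry["reports"].append(report_id)
        hosts = parse_hosts(hosts_cell)
        bad_ips = {h["name"] for h in hosts if h["label"] and IP_RE.match(h["name"])}
        bad_ips |= {h["ip"] for h in hosts if h["label"] and h["ip"]}
        for h in hosts:
            flagged = h["label"] is not None or h["name"] in bad_ips or h["ip"] in bad_ips
            if IP_RE.match(h["name"]):
                (entry["ips"] if flagged else entry["context"]).add(h["name"])
            else:
                (entry["domains"] if flagged else entry["context"]).add(h["name"])
                if h["ip"]:
                    (entry["ips"] if flagged else entry["context"]).add(h["ip"])
        entry["signatures"].update(parse_signatures(sig_cell))
    return dict(by_hash)


def blocklist(iocs):
    """Sorted union of flagged domains and IPs across every sample."""
    out = set()
    for e in iocs.values():
        out |= e["domains"] | e["ips"]
    return sorted(out)


if __name__ == "__main__":
    for md5, e in extract_iocs(ROWS).items():
        print(md5, "reports", e["reports"])
        print("  block  :", sorted(e["domains"] | e["ips"]))
        print("  context:", sorted(e["context"]))
        print("  alerts :", len(e["signatures"]))
```

For the rows above this yields 11 blockable indicators across three hashes; ip-api.com, crt.sectigo.com and their addresses land in the context set, and the two 5DVxvgK9jn5gaBl.exe submissions collapse into one entry with both report IDs. Any rule that fires on a sandbox-exported host list without this kind of reputation check will block a widely used geolocation API and a CA's certificate distribution host.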