44551 | 2020-12-16 12:23 |
1312.gif.1.exe b2a9a4e1656bdb5749de4f228dc9f307 VirusTotal Malware |
1.8 | M | 41 | ZeroCERT
44552 | 2020-12-16 11:06 |
XokBnqWMZ4B9pbd.exe e9dbec32351a5bd0a3f94b8314e4d958 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software |
1
185.239.242.219 - mailcious
|
17.6 | M | 43 | ZeroCERT
44553 | 2020-12-16 10:37 |
win32.exe f4fccdb6286107ca3592406e356a6b5e Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Software |
1
http://begadi.ga/clue/gate.php - rule_id: 158
|
2
begadi.ga(176.118.165.175) - mailcious
176.118.165.175
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://begadi.ga/clue/gate.php
|
15.0 | M | 38 | ZeroCERT
44554 | 2020-12-16 10:37 |
vbc.exe ebc762f4d1d6557fcfb73fc7eb1d5b7a Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software |
1
http://benweve.com/clock/five/fre.php - rule_id: 153
|
2
benweve.com(95.213.224.89) - mailcious
95.213.224.89 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://benweve.com/clock/five/fre.php
|
14.2 | M | 46 | ZeroCERT
44555 | 2020-12-16 09:55 |
Speeder_1.0.0.3_qd13.exe a6d2cae21d592a602211a854dc4dc91a VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Tofsee Browser ComputerName DNS |
45
http://speedup.jiezhansifang.com/openapi/speedup/v1/getGameList.do?channelId=13
http://client.jiezhansifang.com/uploadRecord?channelId=13&localMac=94-DE-27-8C-32-74&timestamp=20201216142854
http://resource-speedup.jiezhansifang.com/speedup/images/game/images/52c64bea221d0ee934ffe01795d39d4a.jpg
http://resource-speedup.jiezhansifang.com/speedup/images/game/pubg.jpg
http://resource-speedup.jiezhansifang.com/speedup/images/ad/ad-4.png
https://client-revision.jiezhansifang.com/modules/constant/config_5cd1dcc.js
https://client-revision.jiezhansifang.com/resource/images/layout_mask_98ae434.png
https://client-revision.jiezhansifang.com/jzsf/oemJzAppKey.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546335
https://client-revision.jiezhansifang.com/jzsf/oemJzAppKey.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546332
https://client-revision.jiezhansifang.com/modules/util/wxLogin_feabe64.js
https://client-revision.jiezhansifang.com/modules/util/helper_31ef72e.js
https://res.wx.qq.com/connect/zh_CN/htmledition/js/jquery.min3696b4.js
https://client-revision.jiezhansifang.com/modules/app/index_c47f623.js
https://hm.baidu.com/hm.js?8603659db96c7aa11111e7d2cf361c4e
https://client-revision.jiezhansifang.com/modules/util/disableScale_ad56695.js
https://client-revision.jiezhansifang.com/resource/js/conf/mod-conf_c04f440.js
https://client-revision.jiezhansifang.com/resource/css/qrcode.css
https://client-revision.jiezhansifang.com/resource/css/client_z.png
https://client-revision.jiezhansifang.com/modules/pkg/conf_db4e6ed.js
https://client-revision.jiezhansifang.com/modules/pkg/coms_950264e.js
https://client-revision.jiezhansifang.com/resource/js/modjs/1.0.13/mod_0f4920e.js
https://client-revision.jiezhansifang.com/authInfo?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546331
https://open.weixin.qq.com/connect/qrconnect?appid=wxaaa8da95fe65628e&scope=snsapi_login&redirect_uri=https%3A%2F%2Freg.jiezhansifang.com%2Fthirdparty%2Fwechat%2Fcallback.do&state=83ab9561022ec376dd0d18f99888529d&login_type=jssdk&self_redirect=true&style=undefined&href=https://client-revision.jiezhansifang.com/resource/css/qrcode.css
https://client-revision.jiezhansifang.com/modules/pkg/page-common_ea1051e.js
https://client-revision.jiezhansifang.com/resource/css/client.css
https://client-revision.jiezhansifang.com/modules/util/channel_5c9966b.js
https://client-revision.jiezhansifang.com/modules/pkg/lib_c4b765a.js
https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569904
https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569905
https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569906
https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569907
https://hm.baidu.com/hm.gif?kb=0&cc=1&ck=1&cl=24-bit&ds=1024x768&vl=434&et=0&fl=13.0&ja=1&ln=ko&lo=0&rnd=1178776312&si=8603659db96c7aa11111e7d2cf361c4e&su=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F%3Fclient%3Dxm%26qd%3D13%23login&v=1.2.80&lv=1&api=6_0&sn=64253&r=0&ww=17&ct=!!&u=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F&tt=%E5%8A%A0%E9%80%9F%E5%99%A8
https://reg-saas.whweidu.com/thirdparty/wechat/login/qrcode/get.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&appKey=a22c30c4c6dd4316a189cfe47c91571b&callbackURI=https%3A%2F%2Fclient-revision.jiezhansifang.com%2Fjzsf%2FoemLoginCallback&callback=jQuery19107494205348593246_1608096546333&reqId=1608096546334
https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569903
https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569908
https://reg-saas.whweidu.com/thirdparty/wechat/login/qrcode/get.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&appKey=a22c30c4c6dd4316a189cfe47c91571b&callbackURI=https%3A%2F%2Fclient-revision.jiezhansifang.com%2Fjzsf%2FoemLoginCallback&callback=jQuery19107494205348593246_1608096546336&reqId=1608096546337
https://hm.baidu.com/hm.gif?kb=0&cc=1&ck=1&cl=24-bit&ds=1024x768&vl=434&et=0&fl=13.0&ja=1&ln=ko&lo=0&rnd=77078479&si=8603659db96c7aa11111e7d2cf361c4e&su=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F&v=1.2.80&lv=1&api=4_0&sn=64253&r=0&ww=17&ct=!!&u=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F%23login&tt=%E5%8A%A0%E9%80%9F%E5%99%A8
https://client-revision.jiezhansifang.com/?client=xm&qd=13
https://open.weixin.qq.com/connect/qrcode/091dIIJr1ugJFa19
https://client.jiezhansifang.com/uploadRecord?channelId=13&localMac=94-DE-27-8C-32-74&timestamp=20201216142854
https://open.weixin.qq.com/connect/qrconnect?appid=wxaaa8da95fe65628e&scope=snsapi_login&redirect_uri=https%3A%2F%2Freg.jiezhansifang.com%2Fthirdparty%2Fwechat%2Fcallback.do&state=3e5a8d4ab7b80ec3521f7c047e96ff8a&login_type=jssdk&self_redirect=true&style=undefined&href=https://client-revision.jiezhansifang.com/resource/css/qrcode.css
https://res.wx.qq.com/connect/zh_CN/htmledition/style/impowerApp45a337.css
https://client-revision.jiezhansifang.com/modules/pkg/page-login_7fc304f.js
https://client-revision.jiezhansifang.com/resource/images/layout_bg-theme-1_632e2ef.png
https://client-revision.jiezhansifang.com/modules/util/track_587265c.js
|
16
reg-saas.whweidu.com(47.114.110.100)
lp.open.weixin.qq.com(203.205.232.67)
client-revision.jiezhansifang.com(58.216.9.68)
res.wx.qq.com(150.109.206.166)
reg.jiezhansifang.com(47.114.110.100)
client.jiezhansifang.com(58.216.9.68)
resource-speedup.jiezhansifang.com(58.216.9.68)
hm.baidu.com(103.235.46.191) - mailcious
speedup.jiezhansifang.com(58.216.9.68)
open.weixin.qq.com(203.205.239.172)
203.205.234.140
58.216.9.68
203.205.239.171
103.235.46.191 - mailcious
150.109.206.154
47.114.110.100
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
10.6 | M | 13 | ZeroCERT
44556 | 2020-12-16 09:50 |
SkIoKdBiDxtQ2g1.exe 89a6ece185d652883f32474e5c0df7c7 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS DDNS |
2
2c04mm.hopto.org(79.134.225.9)
79.134.225.9
|
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
14.8 | M | 47 | ZeroCERT
44557 | 2020-12-16 09:46 |
SkIoKdBiDxtQ2g1.exe 89a6ece185d652883f32474e5c0df7c7 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows DNS DDNS |
2
2c04mm.hopto.org(79.134.225.9)
79.134.225.9
|
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
15.6 | M | 47 | guest
44558 | 2020-12-16 09:46 |
Rep_LI6.doc 8e842b5a5672e46538f5d6fea2275579 Vulnerability VirusTotal Malware unpack itself malicious URLs Windows |
2
electrocardsystems.com(160.153.128.10) - mailcious
160.153.128.10 - mailcious
|
1
ET POLICY PE EXE or DLL Windows file download HTTP
|
4.2 | M | 26 | guest
44559 | 2020-12-16 09:15 |
regasm.exe b8561eed84f227c88c7b8d3a106be5ab Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Software |
1
http://webtex.ga/rojas/gate.php - rule_id: 146
|
2
webtex.ga(176.118.165.175) - mailcious
176.118.165.175
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://webtex.ga/rojas/gate.php
|
15.2 | M | 49 | guest
44560 | 2020-12-16 09:13 |
pdf.exe 48a9add9e1b4b99548e564dfbdcb8a9f VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee |
3
dl.dropboxusercontent.com(162.125.80.15) - malware
dl.dropbox.com(162.125.80.15) - malware
162.125.80.15 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
4.6 | M | 42 | guest
44561 | 2020-12-16 09:11 |
KINO.exe e74426f4ab322e220a00be7558b892de VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee ComputerName DNS |
1
https://hastebin.com/raw/wugowatelu
|
2
hastebin.com(104.24.127.89) - mailcious
104.24.126.89 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
5.4 | M | 21 | guest
44562 | 2020-12-16 09:10 |
kingtroupxtwo.scr d19c1f5071b995ed4bdefa7dfa86a2f5 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
11.4 | M | 12 | guest
44563 | 2020-12-15 18:19 |
kingtroupx.scr d16ccfd5f5e6cd6a6324c79c9a66a90a VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself malicious URLs Windows DNS Cryptographic key |
6.6 | M | 40 | guest
44564 | 2020-12-15 18:19 |
kdotx.scr 4ddf98cd8e5a012c02850f0a988adf2c VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself malicious URLs Windows Cryptographic key |
5.8 | M | 34 | guest
44565 | 2020-12-15 18:11 |
JFjolfjed_.exe 61ae277818f7f258b41cee010f3914d2 VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs Interception DNS crashed |
1
http://nilemixitupd.biz.pl/ouKHkjnjfdjnsjsnolwprjyndxhanzbtjxzqutjcmnyjcIkdi/Fqkzjny
|
4
discord.com(162.159.128.233)
nilemixitupd.biz.pl(104.223.143.21) - malware
104.223.143.21 - mailcious
162.159.135.232
|
6.4 | M | 39 | guest