| 44611 |
2020-12-12 15:16
|
fw4.exe a7ea20176e5493c4c6f7e936a9632271
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Windows Browser ComputerName DNS Cryptographic key Software |
1
http://api.ipify.org/?format=xml
|
3
api.ipify.org(54.235.142.93)
174.129.214.20
94.103.95.216
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
16.6 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44612 |
2020-12-12 15:15
|
fw2.exe 9b8b7fb36bcd5fd0b30b293f6799bb77
VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
M |
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44613 |
2020-12-12 09:58
|
document.doc 09b4dc7085245d88d5afdaf7933a2cc2
VirusTotal Malware exploit crash unpack itself malicious URLs Exploit DNS crashed |
1
http://hawkloger.shortcm.li/
|
3
hawkloger.shortcm.li(35.157.135.19)
100.26.26.203
192.3.22.9 - malware
|
|
|
5.8 |
M |
23 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44614 |
2020-12-12 09:56
|
FTT.exe cc5fad28fad2e205e36753bfae4c7277
VirusTotal Malware AutoRuns Windows |
|
|
|
|
3.8 |
M |
58 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44615 |
2020-12-11 18:35
|
baron.exe a6fb36f357cadbaf2c45e7598b3a8b5d
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key |
2
http://www.ruaysatu99.com/bw82/?u4=i+9stTbx/MW0+Tcz0EE6I6cBHO+UXpYkX0sdRWETn3hxejK1QgwJZPhRy7i6Ky+JFyNPISSc&mt=V48Dup_8
http://www.ruaysatu99.com/bw82/
|
5
www.ruaysatu99.com(104.28.26.19)
www.chrisbubser.digital()
www.twistedtailgatesweeps1.com(184.168.131.241)
172.67.129.48
184.168.131.241 - mailcious
|
|
|
10.4 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44616 |
2020-12-11 18:35
|
7eCddpJGSBLnWFD.exe a9c4a016d08ff940dfc11c0742131c79
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.161.70)
104.28.4.151
216.146.43.70 - suspicious
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
11.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44617 |
2020-12-11 17:50
|
svchost.exe ea5a8d3c78da8dff27c17d36e97e8c81
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Creates shortcut unpack itself suspicious process malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Browser Email ComputerName DNS Software |
|
4
begadi.ga(46.173.214.99) - mailcious
i.imgur.com(151.101.52.193) - mailcious
151.101.24.193 - mailcious
46.173.214.99
|
2
ET INFO DNS Query for Suspicious .ga Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
M |
18 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44618 |
2020-12-11 12:15
|
vbc.exe 57f70f5f34b309b444bc08eb765e353e
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software |
|
1
forrastfoods.com() - mailcious
|
|
|
13.8 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44619 |
2020-12-11 12:15
|
win32.exe 9194a15c419ca38f3a7801503b8650ea
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Software |
1
http://begadi.ga/clue/gate.php - rule_id: 158
|
2
begadi.ga(46.173.214.99) - mailcious
46.173.214.99
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://begadi.ga/clue/gate.php
|
14.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44620 |
2020-12-11 11:42
|
soft.exe 6fdb7328d15d2ee2ad9f6b072054a7be
VirusTotal Malware Malicious Traffic Check memory Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows DNS |
2
http://www.cleimmo.ma/rh/img1.php
http://www.cleimmo.ma/rh/img1.php?id=00009CF9F2321904909678
|
2
www.cleimmo.ma(174.142.95.72) - malware
174.142.95.72 - malware
|
|
|
6.6 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44621 |
2020-12-11 11:42
|
svchost.exe ea5a8d3c78da8dff27c17d36e97e8c81
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Creates shortcut unpack itself suspicious process AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Browser Email ComputerName Trojan DNS Software |
1
https://i.imgur.com/pIX7pTm.png
|
4
begadi.ga(46.173.214.99) - mailcious
i.imgur.com(151.101.24.193) - mailcious
151.101.24.193 - mailcious
46.173.214.99
|
11
ET INFO DNS Query for Suspicious .ga Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
7.0 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44622 |
2020-12-11 11:34
|
FWSoOkisTysdyTr.exe 1170578f5b1ba09cd66681ec545a65d2
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software |
|
1
|
|
|
14.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44623 |
2020-12-11 11:34
|
3.dotm f0cd43674b0d3acd51027faed428f39c
VirusTotal Malware unpack itself malicious URLs |
|
|
|
|
3.0 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44624 |
2020-12-11 11:23
|
coxk8.exe c226055b158c763deb6e8c12210e6a3a
unpack itself |
|
|
|
|
1.2 |
|
|
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44625 |
2020-12-11 11:02
|
vbc2.exe b27e14119c9ec903014300caff12f6bf
VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed |
|
|
|
|
11.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|