Sandbox submission list, entries #44611 to #44625 (one block per sample: id, submission time, file name, MD5; then score, analysis machine, VirusTotal detection count, submitter; the sandbox's tags; and, where the run produced any, contacted URLs, resolved hosts with their sandbox label, Suricata alerts and extracted C2 URLs).

#44611  2020-12-12 15:16  fw4.exe  MD5 a7ea20176e5493c4c6f7e936a9632271
  score 16.6 | machine M | VT 24 | submitted by guest
  tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, Buffer PE, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, malicious URLs, sandbox evasion, anti-virtualization, IP Check, installed browsers check, Ransomware, Windows, Browser, ComputerName, DNS, Cryptographic key, Software
  URLs (1): http://api.ipify.org/?format=xml
  hosts (3): api.ipify.org(54.235.142.93); 174.129.214.20; 94.103.95.216
  alerts (1): ET POLICY External IP Lookup (ipify .org)

#44612  2020-12-12 15:15  fw2.exe  MD5 9b8b7fb36bcd5fd0b30b293f6799bb77
  score 2.0 | machine M | VT 24 | submitted by guest
  tags: VirusTotal, Malware, unpack itself

#44613  2020-12-12 09:58  document.doc  MD5 09b4dc7085245d88d5afdaf7933a2cc2
  score 5.8 | machine M | VT 23 | submitted by guest
  tags: VirusTotal, Malware, exploit crash, unpack itself, malicious URLs, Exploit, DNS, crashed
  URLs (1): http://hawkloger.shortcm.li/
  hosts (3): hawkloger.shortcm.li(35.157.135.19); 100.26.26.203; 192.3.22.9 - malware

#44614  2020-12-12 09:56  FTT.exe  MD5 cc5fad28fad2e205e36753bfae4c7277
  score 3.8 | machine M | VT 58 | submitted by guest
  tags: VirusTotal, Malware, AutoRuns, Windows

#44615  2020-12-11 18:35  baron.exe  MD5 a6fb36f357cadbaf2c45e7598b3a8b5d
  score 10.4 | machine M | VT 14 | submitted by ZeroCERT
  tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, DNS, Cryptographic key
  URLs (2):
    http://www.ruaysatu99.com/bw82/?u4=i+9stTbx/MW0+Tcz0EE6I6cBHO+UXpYkX0sdRWETn3hxejK1QgwJZPhRy7i6Ky+JFyNPISSc&mt=V48Dup_8
    http://www.ruaysatu99.com/bw82/
  hosts (5): www.ruaysatu99.com(104.28.26.19); www.chrisbubser.digital(); www.twistedtailgatesweeps1.com(184.168.131.241); 172.67.129.48; 184.168.131.241 - malicious

#44616  2020-12-11 18:35  7eCddpJGSBLnWFD.exe  MD5 a9c4a016d08ff940dfc11c0742131c79
  score 11.6 | machine M | VT 20 | submitted by ZeroCERT
  tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
  URLs (2):
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(131.186.161.70); 104.28.4.151; 216.146.43.70 - suspicious
  alerts (4):
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY External IP Lookup - checkip.dyndns.org
    ET POLICY DynDNS CheckIp External IP Address Server Response

#44617  2020-12-11 17:50  svchost.exe  MD5 ea5a8d3c78da8dff27c17d36e97e8c81
  score 8.2 | machine M | VT 18 | submitted by r0d
  tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Creates shortcut, unpack itself, suspicious process, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Tofsee, Browser, Email, ComputerName, DNS, Software
  hosts (4): begadi.ga(46.173.214.99) - malicious; i.imgur.com(151.101.52.193) - malicious; 151.101.24.193 - malicious; 46.173.214.99
  alerts (2):
    ET INFO DNS Query for Suspicious .ga Domain
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

#44618  2020-12-11 12:15  vbc.exe  MD5 57f70f5f34b309b444bc08eb765e353e
  score 13.8 | machine M | VT 39 | submitted by ZeroCERT
  tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Software
  hosts (1): forrastfoods.com() - malicious

#44619  2020-12-11 12:15  win32.exe  MD5 9194a15c419ca38f3a7801503b8650ea
  score 14.0 | machine M | VT 37 | submitted by ZeroCERT
  tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Windows, Browser, Email, ComputerName, Trojan, DNS, Software
  URLs (1): http://begadi.ga/clue/gate.php - rule_id: 158
  hosts (2): begadi.ga(46.173.214.99) - malicious; 46.173.214.99
  alerts (10):
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  C2 (1): http://begadi.ga/clue/gate.php

#44620  2020-12-11 11:42  soft.exe  MD5 6fdb7328d15d2ee2ad9f6b072054a7be
  score 6.6 | machine M | VT 58 | submitted by ZeroCERT
  tags: VirusTotal, Malware, Malicious Traffic, Check memory, Windows utilities, suspicious process, AppData folder, malicious URLs, WriteConsoleW, Windows, DNS
  URLs (2):
    http://www.cleimmo.ma/rh/img1.php
    http://www.cleimmo.ma/rh/img1.php?id=00009CF9F2321904909678
  hosts (2): www.cleimmo.ma(174.142.95.72) - malware; 174.142.95.72 - malware

#44621  2020-12-11 11:42  svchost.exe  MD5 ea5a8d3c78da8dff27c17d36e97e8c81
  score 7.0 | machine M | VT 5 | submitted by ZeroCERT
  tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Creates shortcut, unpack itself, suspicious process, AntiVM_Disk, VM Disk Size Check, installed browsers check, Tofsee, Browser, Email, ComputerName, Trojan, DNS, Software
  URLs (1): https://i.imgur.com/pIX7pTm.png
  hosts (4): begadi.ga(46.173.214.99) - malicious; i.imgur.com(151.101.24.193) - malicious; 151.101.24.193 - malicious; 46.173.214.99
  alerts (11):
    ET INFO DNS Query for Suspicious .ga Domain
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response

#44622  2020-12-11 11:34  FWSoOkisTysdyTr.exe  MD5 1170578f5b1ba09cd66681ec545a65d2
  score 14.8 | machine M | VT 20 | submitted by ZeroCERT
  tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Software
  hosts: 1 (none listed)

#44623  2020-12-11 11:34  3.dotm  MD5 f0cd43674b0d3acd51027faed428f39c
  score 3.0 | machine M | VT 10 | submitted by ZeroCERT
  tags: VirusTotal, Malware, unpack itself, malicious URLs

#44624  2020-12-11 11:23  coxk8.exe  MD5 c226055b158c763deb6e8c12210e6a3a
  score 1.2 | machine - | VT - | submitted by r0d
  tags: unpack itself

#44625  2020-12-11 11:02  vbc2.exe  MD5 b27e14119c9ec903014300caff12f6bf
  score 11.4 | machine M | VT 42 | submitted by ZeroCERT
  tags: VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, ComputerName, Cryptographic key, crashed
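Three entries in this list (#44617, #44619, #44621) resolve the same host, begadi.ga / 46.173.214.99, and one MD5 (ea5a8d3c78da8dff27c17d36e97e8c81) was submitted twice under different submitters with different tag sets. The script below is an added example, not part of the sandbox listing or its tooling: it parses the listing's flattened host field ("name(ip) - tag name2 ip3 - tag"), collects the domain and IP indicators per sample, and reports which indicators recur across distinct MD5s, which is the pivot that ties the two LokiBot samples to the same gate.php C2. The five records are copied from the entries above as inline data; the NOISE allowlist of external-IP-lookup and image-hosting services is an assumption, added so that utility hosts any sample might contact do not produce false pivots.

```python
"""Pivot sandbox submissions on shared network indicators.

Added example, not part of the sandbox listing or its tooling. RECORDS are
copied from entries in the listing; NOISE is an assumed allowlist.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: five records from the listing, host field kept in the
# sandbox's flattened "name(ip) - tag name2 ip3 - tag" layout.
RECORDS = [
    {"id": 44611, "md5": "a7ea20176e5493c4c6f7e936a9632271",
     "urls": ["http://api.ipify.org/?format=xml"],
     "hosts": "api.ipify.org(54.235.142.93) 174.129.214.20 94.103.95.216"},
    {"id": 44615, "md5": "a6fb36f357cadbaf2c45e7598b3a8b5d",
     "urls": ["http://www.ruaysatu99.com/bw82/"],
     "hosts": "www.ruaysatu99.com(104.28.26.19) www.chrisbubser.digital() "
              "www.twistedtailgatesweeps1.com(184.168.131.241) 172.67.129.48 "
              "184.168.131.241 - malicious"},
    {"id": 44617, "md5": "ea5a8d3c78da8dff27c17d36e97e8c81", "urls": [],
     "hosts": "begadi.ga(46.173.214.99) - malicious i.imgur.com(151.101.52.193) "
              "- malicious 151.101.24.193 - malicious 46.173.214.99"},
    {"id": 44619, "md5": "9194a15c419ca38f3a7801503b8650ea",
     "urls": ["http://begadi.ga/clue/gate.php"],
     "hosts": "begadi.ga(46.173.214.99) - malicious 46.173.214.99"},
    {"id": 44621, "md5": "ea5a8d3c78da8dff27c17d36e97e8c81",
     "urls": ["https://i.imgur.com/pIX7pTm.png"],
     "hosts": "begadi.ga(46.173.214.99) - malicious i.imgur.com(151.101.24.193) "
              "- malicious 151.101.24.193 - malicious 46.173.214.99"},
]

# Assumed allowlist: the listing flags these only as ET POLICY / geo-IP
# lookups, and imgur is a public image host; unrelated samples contact them.
NOISE = {"api.ipify.org", "checkip.dyndns.org", "freegeoip.app", "i.imgur.com"}

# One host token: a hostname or bare IP, optionally followed by "(resolved-ip)".
TOKEN_RE = re.compile(r"([A-Za-z0-9.-]+)(?:\(([0-9.]*)\))?")


def parse_hosts(field):
    """Turn the flattened host field into [(name, resolved_ip_or_None, tag_or_None)].

    A bare IP appears as the name with no resolved IP; an empty "()" means the
    sandbox could not resolve the name.
    """
    tokens = field.split()
    out, i = [], 0
    while i < len(tokens):
        m = TOKEN_RE.fullmatch(tokens[i])
        if m is None:
            raise ValueError(f"unexpected host token {tokens[i]!r}")
        name, ip = m.group(1), m.group(2) or None
        tag = None
        if i + 2 < len(tokens) and tokens[i + 1] == "-":
            tag = tokens[i + 2]        # "- malicious", "- malware", "- suspicious"
            i += 2
        out.append((name, ip, tag))
        i += 1
    return out


def indicators(record):
    """Domains and IPs a sample touched, minus NOISE hosts and the IPs they resolved to."""
    found = set()
    for name, ip, _tag in parse_hosts(record["hosts"]):
        if name in NOISE:
            continue
        found.add(name)
        if ip:
            found.add(ip)
    for url in record["urls"]:
        host = urlsplit(url).hostname
        if host and host not in NOISE:
            found.add(host)
    return found


def shared_infrastructure(records):
    """Indicators seen from two or more distinct MD5s -> sorted list of those MD5s."""
    seen = defaultdict(set)
    for rec in records:
        for ind in indicators(rec):
            seen[ind].add(rec["md5"])
    return {ind: sorted(md5s) for ind, md5s in seen.items() if len(md5s) >= 2}


def submissions_by_md5(records):
    """Group listing ids by MD5 so repeat submissions of one file are obvious."""
    by = defaultdict(list)
    for rec in records:
        by[rec["md5"]].append(rec["id"])
    return {md5: sorted(ids) for md5, ids in by.items()}


if __name__ == "__main__":
    for ind, md5s in sorted(shared_infrastructure(RECORDS).items()):
        print(f"{ind}: shared by {', '.join(md5s)}")
    for md5, ids in submissions_by_md5(RECORDS).items():
        if len(ids) > 1:
            print(f"{md5}: submitted {len(ids)} times as {ids}")
```

On these five records the only shared indicators are begadi.ga and 46.173.214.99, linking win32.exe (#44619) to both svchost.exe submissions; 151.101.24.193 is not reported because, with i.imgur.com allowlisted, it only ever appears under the one MD5. Pivoting on the raw host list without an allowlist would instead surface the CDN and IP-lookup addresses as "shared infrastructure", which is the usual source of false links between unrelated samples.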