44686 | 2021-06-15 11:09 | VOKLIGHT.exe | 9a86329fb7bd48fc778676e664d3d0be
Tags: NPKI UltraVNC PE File OS Processor Check PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key crashed
2.8 | M | 13 | ZeroCERT

44687 | 2021-06-15 11:07 | VOKLIGHTD.exe | 2b766f06adf2c73fb6da681572d72a6f
Tags: UltraVNC PE File OS Processor Check PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key crashed
2.8 | M | 13 | ZeroCERT

44688 | 2021-06-15 11:05 | ultramediaburner.exe | 6103ca066cd5345ec41feaf1a0fdadaf
Tags: AsyncRAT backdoor Gen1 PE File PE32 .NET EXE OS Processor Check GIF Format DLL PE64 VirusTotal Malware MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser ComputerName
4.6 | M | 5 | ZeroCERT

44689 | 2021-06-15 11:03 | W10.exe | 9925c832892716a17f2d2cfe504d6014
Tags: AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
URLs (6):
http://www.cailingji.com/nins/?Jt7=ZigJafU65g541z6AJQhLlB2ijeCUh9KrJrU7Ko5QeDMYzQNvsOCdRuuAImDEPqDTQy7GCcaq&EHL0Sj=gbWtof_PU4
http://www.cailingji.com/nins/
http://www.pairtty.com/nins/
http://www.pairtty.com/nins/?EHL0Sj=gbWtof_PU4&Jt7=Yl6ghbUTOfFKZlIjt511mlxxAGPGhY/iMYkKbpzmtvCXcyaHrmo2DgpfL2jY/vfvsLlUKrDJ
http://www.twelve11transportsllc.com/nins/
http://www.twelve11transportsllc.com/nins/?Jt7=CEm+UgykZ2D9b0nZca6rky8bSFFAZGTHBUEhJLBs1v2ReapgVSdxQAx7MIm2S8oE5Q7JWIIx&EHL0Sj=gbWtof_PU4
Hosts (8):
www.cailingji.com(13.59.53.244)
www.moremeafrica.com() - malicious
www.pairtty.com(64.190.62.111)
www.imperiummetal.site()
www.twelve11transportsllc.com(34.80.190.141)
3.143.65.214 - malicious
64.190.62.111 - malicious
34.80.190.141 - malicious
Alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
9.8 | M | 39 | ZeroCERT

44690 | 2021-06-15 11:03 | I-Record.exe | 628507826e1b4f53cccc7d795a83a6e8
Tags: AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
1.8 | M | 24 | ZeroCERT

44691 | 2021-06-15 11:01 | IDownload.exe | ecb919c46197e6af3661c1883035536a
Tags: AsyncRAT backdoor Gen1 PE File PE32 DLL .NET DLL GIF Format OS Processor Check .NET EXE PE64 VirusTotal Malware MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName
6.0 | M | 3 | ZeroCERT

44692 | 2021-06-15 11:00 | vbc.exe | 616a10fdc3307fd483916e1b578c9f9c
Tags: AsyncRAT backdoor PWS .NET framework Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed
8.8 | M | 42 | ZeroCERT

44693 | 2021-06-15 10:59 | nnaf.exe | f9f02646aeeaa754474089a00d07b0e5
Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName crashed
URLs (1):
Hosts (2):
www.google.com(172.217.31.132)
172.217.31.228
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.2 | M | 23 | ZeroCERT

44694 | 2021-06-15 10:58 | img_23_61_78_802.exe | d45879197ce5a42e7c810bca5e020af5
Tags: PWS Loki[b] Loki[m] DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
http://209.141.34.39/cap-01/pin.php - rule_id: 1961
Hosts (1):
209.141.34.39 - malicious
Alerts (5):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Fake 404 Response
1
http://209.141.34.39/cap-01/pin.php
8.8 | M | 33 | ZeroCERT

44695 | 2021-06-15 10:56 | IDownload.exe | 4a6b686ed3f18f9aecf846d08a6aa948
Tags: AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
2.4 | | 35 | ZeroCERT

44696 | 2021-06-15 10:55 | UltraMediaBurner.exe | d6a73306c5bdcc557880a455bfb1a4be
Tags: AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
3.0 | | 37 | ZeroCERT

44697 | 2021-06-15 10:51 | Document 53142810.xls | 76d9ad731b3417ce329035c3497d19eb
Tags: VBA_macro Generic Malware MSOffice File VirusTotal Malware unpack itself Tofsee Windows crashed
URLs (1):
https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
Hosts (2):
exam.edumation.app(134.209.3.189)
134.209.3.189
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | | 23 | ZeroCERT

44698 | 2021-06-15 10:51 | Document 1659904.xls | c03577c814275b568037f2eb9e0fc1e3
Tags: VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS
URLs (10):
https://cek-api.match.my.id/vendor/google/auth/src/Cache/z7kVDYvd8s.php
https://www.patie.com.br/posts/hPdcXy5hUEfG.php
https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
https://philips.dexsandbox.com/edm/images/eoDhbmkJ.php
https://hellomeela.phptasks.com/vendor/guzzlehttp/guzzle/src/Cookie/hUXKGbfO9ibqXaw.php
https://voixdescedres.com/www.achatfromchad.com/wp-content/themes/twentyeleven/colors/AP92wBohqyRvjIt.php
https://new.ishr.co.in/wp-content/plugins/unlimited-elements-for-elementor/inc_php/addontypes/wjhhlXuZ7uwqmS.php
https://invest.arabia-investment.com/wp-content/themes/sinatra/template-parts/content/YdePNtKjW.php
https://final.foodpoint.ma/public/impactfront/vendor/bootstrap/dist/MbvBb3r7S3ARV.php
https://damta.mrboatstudio.com/wp-content/plugins/elementor/includes/admin-templates/8sgSD2JtRBnm1.php
Hosts (20):
invest.arabia-investment.com(192.254.185.136)
exam.edumation.app(134.209.3.189)
philips.dexsandbox.com(70.32.93.146)
www.patie.com.br(191.252.105.201)
hellomeela.phptasks.com(104.255.220.56)
cek-api.match.my.id(144.91.85.140)
voixdescedres.com(162.253.125.64)
damta.mrboatstudio.com(31.22.4.136)
final.foodpoint.ma(185.87.187.226)
new.ishr.co.in(164.52.201.122)
104.255.220.56 - malicious
191.252.105.201 - malicious
31.22.4.136
185.87.187.226 - malicious
162.253.125.64 - malicious
192.254.185.136 - malware
70.32.93.146 - malicious
164.52.201.122
134.209.3.189
144.91.85.140
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
3.8 | | 26 | ZeroCERT

44699 | 2021-06-15 10:45 | scbybttprepush528.exe | 5f32ab11399c7596889739620f178464
Tags: Gen2 Gen1 Emotet Anti_VM PE File OS Processor Check PE32 DLL PNG Format GIF Format MSOffice File JPEG Format PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk China anti-virtualization VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser ComputerName RCE DNS
URLs (56):
http://cdn-file.ludashi.com/assets/jquery/jquery183.js
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_pwd.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=add_desk_icon&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b0ea6c10aa2f9f8637adaf8dca6545cc&from=tp_scbybt&forcetick=38280328
http://cdn-file-ssl-wan.ludashi.com/pc/game/flash/pepflashplayer.7z?t=202106151648
http://s.ludashi.com/wan?type=accurate&action=t2&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743342984&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_pwd.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=pepflash_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=826d4532b60a11f8167a6de2a2ebb3b4&from=tp_scbybt&forcetick=38280015
http://s.ludashi.com/wan?type=weiduan&action=main_show&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=360b234ed2d7c7100458a3db8cec87d4&from=tp_scbybt&forcetick=38294421
http://s.ludashi.com/wan?type=weiduan&action=wd_install_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3c8bbce5d85ff18952d12d4d3f3c0fbb&from=tp_scbybt&forcetick=38289750
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/bg.jpg
http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18304274775074992668_1623743310671
http://s.ludashi.com/wan?type=weiduan&action=inst_open&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=d9da2c7d1d42abeeb954adc866e09c16&from=tp_scbybt&forcetick=38284656
http://s.ludashi.com/wan?type=weiduan&action=install_extra&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e55055547e8d2a8cd6a58b02d78635ef&from=tp_scbybt&forcetick=38284656
http://s.ludashi.com/wan?type=accurate&action=t3&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743373002&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/main.css?t=20210323
http://s.ludashi.com/wan?type=weiduan&action=res_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=0351e7d49752fc50b3d45b851d5c1ecb&from=tp_scbybt&forcetick=38277546
http://s.ludashi.com/wan?type=weiduan&action=install&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3198fe798dd9371f1a1b673d412602e1&from=tp_scbybt&forcetick=38266125
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_weixin.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/log_btn.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/checkbox.png
http://wan.ludashi.com/announce/list?callback=jQuery18304274775074992668_1623743310672&type=2&gid=cqbz&skip=0&num=5&_=1623743312955
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav03.png
http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=451727ea8e9bb803e49df4ef62ea6542&from=tp_scbybt&forcetick=38289750
http://i.ludashi.com/ajax/gettoken?user_from=youxi&callback=jQuery18304274775074992668_1623743310671&_=1623743313409
http://cdn-file.ludashi.com/assets/sea/sea.js
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav02.png
http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20210527
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav01.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/news-bg.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_qq.png
http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b66114296225ca89357975808c8201b6&from=tp_scbybt&forcetick=38266187
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_code.png?t=20191021
http://s.ludashi.com/wan?type=accurate&action=t1&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743322985&ex_ary[guid]=
http://wan.ludashi.com/micro/cqbz/index_lds.html?channel=tp&from=tp_repush_wd_cqbz_528
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/hovers.png
http://s.ludashi.com/wan?type=weiduan&action=wd_show_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=8b4326d365a719ea3d64e7e755a4de6d&from=tp_scbybt&forcetick=38294421
http://s.ludashi.com/wan?type=accurate&action=t0&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743312959&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_left.png
http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=2a1a43be6e7fcdbeaec42ddf0f59f465&from=tp_scbybt&forcetick=38266187
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_code.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=run&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e9a12aa16e6ff34eb8e20e934148f43d&from=tp_scbybt&forcetick=38293062
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_act.png?t=20191021
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/cir.png
http://s.ludashi.com/wan?type=weiduan&action=add_uninst_item&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=04827975d3650ab9d840f338a616b9f7&from=tp_scbybt&forcetick=38280281
http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106151647
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav04.png
http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_act.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=76aa7ce20c8482e4d2b27579e9a19d03&from=tp_scbybt&forcetick=38267031
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/line.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_right.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/upload.jpg
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/reg.jpg?t=20200105
https://cdn-ssl-wan.ludashi.com/assets/superjs/pageMicro.js?v=20210527
https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonTool.js?v=20210527
https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonLoginApi.js?v=20200810
Hosts (17):
cdn-file-ssl-wan.ludashi.com(115.238.192.239)
i.ludashi.com(120.27.82.56)
cdn-wan.ludashi.com(122.225.67.192)
wan.ludashi.com(139.129.105.182)
s.ludashi.com(114.115.221.211)
cdn-ssl-wan.ludashi.com(115.238.192.238)
cdn-file.ludashi.com(101.227.25.212)
cdn-file-ssl-pc.ludashi.com(180.163.122.228)
139.129.105.182
47.117.78.230
115.238.192.248
115.238.192.239
114.115.214.33
180.163.122.224
101.227.25.210
122.225.67.180
120.27.82.56
Alerts (4):
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | M | 19 | ZeroCERT

44700 | 2021-06-15 10:39 | bin.exe | 285cc0e41ca87f5eb2a6d08680a0f94b
Tags: Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
7.6 | M | 28 | ZeroCERT