45601 |
2021-04-30 09:48
|
divine11111.html 2eeda876014265c8413ef0e565a96657 AntiDebug AntiVM PNG Format VBScript suspicious privilege MachineGuid Code Injection WMI wscript.exe payload download Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Dropper |
33
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png https://resources.blogblog.com/img/anon36.png https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog https://fonts.googleapis.com/css?family=Open+Sans:300 https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501 https://ia801408.us.archive.org/25/items/defender_202103/defender.txt - rule_id: 971 https://www.blogger.com/static/v1/widgets/1564291244-widgets.js https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff https://www.google-analytics.com/analytics.js https://www.blogger.com/img/share_buttons_20_3.png https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501&bpli=1 https://www.blogger.com/static/v1/v-css/281434096-static_pages.css https://resources.blogblog.com/img/blank.gif https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png https://www.google.com/css/maia.css https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&passive=true&go=true https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700 https://www.blogger.com/img/blogger-logotype-color-black-1x.png https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fyahameinhunbusorkoinai.blogspot.com%2Fp%2Fdivine11111.html&type=blog&bpli=1 
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd https://www.blogger.com/static/v1/jsbin/3544430843-cmt__en_gb.js https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css https://resources.blogblog.com/img/icon18_edit_allbkg.gif https://resources.blogblog.com/img/icon18_wrench_allbkg.png https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&passive=true&go=true https://www.google.com/js/bg/EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c.js
|
19
resources.blogblog.com(172.217.31.137) ia801408.us.archive.org(207.241.228.148) - malicious www.google.com(172.217.161.68) www.gstatic.com(172.217.174.99) fonts.googleapis.com(172.217.25.106) archive.org(207.241.224.2) - malicious accounts.google.com(216.58.220.141) www.google-analytics.com(172.217.161.78) fonts.gstatic.com(172.217.175.227) www.blogger.com(172.217.31.137) 172.217.163.234 142.250.204.105 207.241.228.148 - malicious 142.250.66.35 142.250.66.141 172.217.31.233 172.217.24.68 172.217.163.238 172.217.161.131
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://ia801408.us.archive.org/25/items/defender_202103/defender.txt
|
10.0 |
M |
|
ZeroCERT
45602 |
2021-04-30 09:48
|
cutscroll.png f5c29728fe1f4226a8dc603d788a0a6f PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://103.54.41.193/lib90/TEST22-PC_W617601.8F3740811540BBD5131268335F0573AB/5/kps/
|
2
103.54.41.193 - malicious 178.134.47.166
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
ZeroCERT
45603 |
2021-04-30 09:47
|
Company Details.ppam c8e1760af8a65590d26315a4ff144b62 VBA_macro PNG Format VirusTotal Malware powershell AutoRuns Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Interception Windows ComputerName DNS |
15
http://www.j.mp/ddsobpechateessentesathatesesjdw http://bit.ly/ddsobpechateessentesathatesesjdw https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html https://resources.blogblog.com/img/icon18_edit_allbkg.gif https://resources.blogblog.com/img/icon18_wrench_allbkg.png https://www.blogger.com/static/v1/widgets/1564291244-widgets.js https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js https://www.blogger.com/img/share_buttons_20_3.png https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
|
16
resources.blogblog.com(172.217.31.137) yahameinhunbusorkoinai.blogspot.com(172.217.175.65) google.com(216.58.220.142) ia601409.us.archive.org(207.241.227.129) accounts.google.com(216.58.220.141) bit.ly(67.199.248.10) - malicious www.j.mp(67.199.248.17) - malicious www.blogger.com(172.217.175.9) 207.241.227.129 142.250.199.65 142.250.66.109 67.199.248.17 - malicious 67.199.248.10 - phishing 142.250.204.110 172.217.26.137 142.250.66.41
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
15 |
ZeroCERT
45604 |
2021-04-30 09:41
|
redbutton.png 79f0f44a27a3d1bdc7cdd7e7c248fb29 PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://103.54.41.193/tot90/TEST22-PC_W617601.F773CB1B97BB6C3311087FB95D3B54AB/5/kps/
|
4
103.54.41.193 - malicious 103.66.72.217 - malicious 154.79.245.158 - malicious 103.124.173.35
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
7.0 |
|
|
ZeroCERT
45605 |
2021-04-30 09:38
|
HBankers_Latest.hta 4324831d87b2b6e82e60406c4d07b42c Antivirus AntiDebug AntiVM MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
https://ia601400.us.archive.org/31/items/bypass_20210428_0905/bypass.txt
|
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
4 |
ZeroCERT
45606 |
2021-04-30 09:36
|
8BmVIdYzvSw7AD3.exe 063f5233e489e4b13c2fcc62e1750705 PWS .NET framework AsyncRAT backdoor Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
12.0 |
M |
27 |
ZeroCERT
45607 |
2021-04-30 09:33
|
280421-z1z.exe 2699077a996951eac7b369b6356ff296 PE File OS Processor Check PE32 VirusTotal Malware unpack itself RCE |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
|
|
|
2.0 |
|
20 |
ZeroCERT
45608 |
2021-04-30 09:32
|
HBankers_Latest.hta 4324831d87b2b6e82e60406c4d07b42c VirusTotal Malware crashed |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
0.6 |
|
4 |
ZeroCERT
45609 |
2021-04-30 09:31
|
reg.dot d0c491b8eb3ea8f00a93af05ef1b8945 AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
1
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
27 |
ZeroCERT
45610 |
2021-04-30 09:31
|
s68r0hZ49vns9tk.exe 081bff782d62aebc69b61009e6000ab8 PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
11.6 |
M |
23 |
ZeroCERT
45611 |
2021-04-30 09:24
|
5bef7b39fe02eabea2c02612758762... 6f203feba292f1322dae52e76dbf4ce4 VBA_macro VirusTotal Malware Malicious Traffic unpack itself DNS |
|
3
190.14.37.252 - malware 91.211.91.71 - malware 185.82.218.30 - malware
|
|
|
3.6 |
M |
4 |
ZeroCERT
45612 |
2021-04-30 09:17
|
tgixx.exe 318f4d702f97b8d7fbc1a1fddfab81ae Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS |
|
|
|
|
9.2 |
|
5 |
ZeroCERT
45613 |
2021-04-30 09:15
|
vbc.exe 44fd8894c4e507cafa1c767995dd8927 PWS Loki .NET framework AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://eyecos.ga/chang/gate.php - rule_id: 1185
|
2
eyecos.ga(35.247.234.230) - malicious 35.247.234.230 - malicious
|
10
ET INFO DNS Query for Suspicious .ga Domain ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/chang/gate.php
|
14.6 |
M |
7 |
ZeroCERT
45614 |
2021-04-30 09:13
|
netmount.dll 3f3cb269876273534664a5d37118de14 PE File DLL PE32 Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed |
1
https://103.54.41.193/net5/TEST22-PC_W617601.ECBBA697DF647B34877FFEF33E641797/5/kps/
|
4
103.54.41.193 - malicious 103.66.72.217 - malicious 117.252.68.211 - malicious 131.0.112.122
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
5.8 |
M |
24 |
ZeroCERT
45615 |
2021-04-30 09:12
|
986758_IUX.msi ea5b0a11238124c6fc78dd72a7bb2401 Gen2 OS Processor Check MSOffice File VirusTotal Malware DNS crashed |
|
|
|
|
1.2 |
|
9 |
ZeroCERT