Columns per record: sample ID | submission time | file name | MD5 | sandbox score | M (flag column; the page does not define it, shown as M where set and - where not) | VT (VirusTotal detection count; populated only for runs tagged VirusTotal, - otherwise) | submitter. The Tags line reproduces the sandbox's signature list as exported. The URLs, Hosts, Suricata alerts and Flagged URLs lines give the count the page reports followed by the entries it lists; where the page gives a count but no entries, the line says so.

45826 | 2021-04-30 18:12 | IMG_0540001825.exe | md5 fd0e7153869bad651ae4ae4f1dbef3da | score 3.0 | M | VT 35 | ZeroCERT
Tags: AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware malicious URLs Browser ComputerName crashed
URLs: 1 (not listed)
Note: the run crashed; no hosts or Suricata alerts were recorded, so the only network evidence is the single unlisted URL.
45827 | 2021-04-30 18:10 | Szakur.exe | md5 6293b2f51ac52c926cfc5f87775a21fa | score 8.0 | M | VT 32 | ZeroCERT
Tags: PWS Loki AsyncRAT backdoor .NET framework AgentTesla DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://209.141.50.70/PV/300/pin.php
Hosts: 1 (not listed)
Suricata alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Note: LokiBot C2 on a bare IP (209.141.50.70) rather than a domain, so there is no DNS indicator to block; the check-in, command-request and exfiltration alerts all fire on the HTTP traffic to pin.php.
45828 | 2021-04-30 18:08 | svch.exe | md5 3722c9a2efe69886e53ef37bebcee669 | score 8.2 | M | VT 19 | ZeroCERT
Tags: Loki PE File PE32 DLL OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
Hosts (2): meirback.co.uk(104.21.8.2) - malicious; 172.67.156.147 - malicious
Suricata alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1): http://meirback.co.uk/Bn1/fre.php
Note: same file name and same LokiBot C2 (meirback.co.uk/Bn1/fre.php, rule_id 1119) as the svch.exe that the RTF in 45835 downloads from http://107.172.130.145/bh/svch.exe, so this is most likely the second stage of that chain analysed on its own. The two host IPs are both labelled malicious; 104.21.8.2 is the resolution of the C2 domain.
45829 | 2021-04-30 18:06 | templex.exe | md5 c37d480d603a248b0e230a1c15590266 | score 12.0 | - | VT 16 | ZeroCERT
Tags: SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
Note: no URLs, hosts or Suricata alerts recorded despite the SMTP and keylogger tags; the run crashed before any exfiltration was observed.
45830 | 2021-04-30 18:03 | in6-4.doc | md5 ba4afb8bb89f4a8f103780c416ecdbdd | score 10.0 | M | VT 37 | ZeroCERT
Tags: VBA_macro Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key Downloader
URLs (1): http://84.200.4.102/dwpc.exe
Hosts: 1 (not listed)
Note: macro document (VBA_macro, powershell, powershell.exe wrote) acting as a downloader; the payload dwpc.exe is fetched from a bare IP. No Suricata alerts are recorded for this run, so the download URL is the only network indicator.
45831 | 2021-04-30 18:03 | vbc.exe | md5 396fedf9bcc0ad02b69510c986131fd2 | score 12.0 | M | VT 25 | ZeroCERT
Tags: AsyncRAT backdoor PWS .NET framework Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS Cryptographic key crashed
Note: no URLs, hosts or Suricata alerts recorded; the run crashed.
45832 | 2021-04-30 18:01 | winlog.exe | md5 bab5165b972f2416ae964d7b79bd5ecf | score 3.2 | M | VT 23 | ZeroCERT
Tags: Glupteba OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself Windows RCE crashed
Note: no URLs, hosts or Suricata alerts recorded; the run crashed.
45833 | 2021-04-30 18:01 | regasm.exe | md5 37207e8bd9430777ab0e27cf4a4fc26a | score 13.6 | - | VT 11 | ZeroCERT
Tags: PWS Loki AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://kushikushi.us/chief/kev/fre.php
Hosts (2): kushikushi.us(185.29.127.141); 185.29.127.141
Suricata alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Note: the file name matches the .NET Framework tool RegAsm.exe, but this is a .NET EXE with 11 VirusTotal detections, not the framework binary. No URL rule matched the C2 (no rule_id, no Flagged URLs entry) and neither host carries a label, so detection of this run rests entirely on the seven Suricata LokiBot alerts.
45834 | 2021-04-30 17:59 | kayx.exe | md5 129e1d37b93430b4bd894b16c53cd6bc | score 10.0 | M | VT 26 | ZeroCERT
Tags: AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows crashed
URLs (3):
  http://www.wirebeevehicles.com/bwk/?EDK8gDR=VOL7UDcQYRljSosxQOYPJG6yJtUQAld58UNriPOjT+IDxU4HyvwawJh1yPzk3AG9OprqJGoe&BZ=E2M4oNPx_Ln
  http://www.fragrancecollector.com/bwk/?EDK8gDR=LZ0Uj0vFRx/4vDVTGDC73qa8DXiw0WGVyXki5dqgklz7zfTX+bG4IBE0uelYToudE5/XdoAX&BZ=E2M4oNPx_Ln
  https://www.bing.com/
Hosts (7): www.lovenfys.com(); www.wirebeevehicles.com(148.66.138.166); www.fragrancecollector.com(74.208.236.213); www.google.com(172.217.174.100); 74.208.236.213 - malicious; 148.66.138.166 - malicious; 172.217.163.228
Suricata alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE FormBook CnC Checkin (GET)
Note: the two GETs to /bwk/ on different domains carry the same parameter names (EDK8gDR, BZ) with different values; these correspond to the FormBook CnC Checkin (GET) alert, and both serving IPs are labelled malicious. www.lovenfys.com did not resolve (empty parentheses). The Tofsee tag comes only from the SSLBL JA3 client-fingerprint alert, which identifies the requesting TLS stack, not a connection to Tofsee infrastructure.
45835 | 2021-04-30 17:58 | s.dot | md5 f62c1d955d66e2f33ed7f3abe9a44690 | score 5.0 | M | VT 25 | ZeroCERT
Tags: Loki RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (2):
  http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
  http://107.172.130.145/bh/svch.exe
Hosts (3): meirback.co.uk(104.21.8.2) - malicious; 172.67.156.147 - malicious; 107.172.130.145 - malware
Suricata alerts (12): ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Flagged URLs (1): http://meirback.co.uk/Bn1/fre.php
Note: RTF first stage (RTF File, Exploit, exploit crash) that downloads svch.exe from a bare IP and then beacons to the same LokiBot C2 (meirback.co.uk/Bn1/fre.php, rule_id 1119) as the svch.exe analysed as 45828. The twelve alerts cover both stages: the dotted-quad EXE download (the MSXMLHTTP and MZ-response rules) and the LokiBot check-in, command-request and exfiltration traffic. The relatively low score of 5.0 reflects the exploit crash, not a benign sample; the network evidence here is stronger than in several higher-scored runs on this page.
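The two network behaviours that record 45835 surfaces, the LokiBot User-Agent and an executable fetched from a bare IP, are easy to replay against proxy logs without Suricata. The following is an added example (Python; not code from the page or from Emerging Threats). The log format is constructed for the example (tab-separated: time, method, URL, status, User-Agent), and the sample lines reuse the URLs and hosts reported in 45835 plus two constructed benign and internal requests. The User-Agent check keys on the "Charon" and "Inferno" tokens named in the ET rule title; the full string LokiBot is publicly reported to send is "Mozilla/4.08 (Charon; Inferno)". The fre.php/pin.php path heuristic is derived only from the C2 URLs on this page and is deliberately reported as a secondary indicator.

```python
"""Classify proxy log lines for the LokiBot User-Agent and for executable
downloads from dotted-quad hosts, mirroring two of the alerts in record 45835.

Added example, not the page's or Emerging Threats' code. Log format and
sample lines are constructed; indicator names are this example's own.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: file extensions to treat as "executable download".
EXE_SUFFIXES = (".exe", ".dll", ".scr")


def is_dotted_quad(host):
    """True when the URL host is an IPv4 literal rather than a name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return the indicator names one log line matches (empty list if none)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return ["malformed"]
    _ts, _method, url, _status, ua = fields
    parts = urlsplit(url)
    hits = []
    # Mirrors "ET MALWARE LokiBot User-Agent (Charon/Inferno)". This is the
    # strongest single indicator: no legitimate client sends these tokens.
    if "Charon" in ua and "Inferno" in ua:
        hits.append("lokibot_user_agent")
    # Mirrors "ET INFO Executable Download from dotted-quad Host": a PE
    # fetched from an IP literal, as 45830 (dwpc.exe) and 45835 (svch.exe) do.
    if is_dotted_quad(parts.hostname or "") and parts.path.lower().endswith(EXE_SUFFIXES):
        hits.append("exe_from_dotted_quad")
    # Weak, page-derived heuristic: every LokiBot C2 URL in this listing ends
    # in fre.php or pin.php. Only reported alongside another indicator.
    if parts.path.lower().endswith(("/fre.php", "/pin.php")) and hits:
        hits.append("lokibot_c2_path")
    return hits


def scan(lines):
    """Run classify() over an iterable of lines; return (line_no, hits) for matches."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]


# Constructed log lines. Lines 1-2 reuse the URLs and hosts from record 45835;
# line 3 is a benign request; line 4 is an internal IP-addressed share.
SAMPLE_LOG = [
    "2021-04-30T17:58:01\tGET\thttp://107.172.130.145/bh/svch.exe\t200\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
    "2021-04-30T17:58:03\tPOST\thttp://meirback.co.uk/Bn1/fre.php\t404\tMozilla/4.08 (Charon; Inferno)",
    "2021-04-30T17:58:04\tGET\thttp://www.bing.com/\t200\tMozilla/5.0 (Windows NT 10.0)",
    "2021-04-30T17:58:05\tGET\thttp://10.0.0.5/share/setup.exe\t200\tMozilla/5.0 (Windows NT 10.0)",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, hits)
```

Line 4 shows the main false-positive source for the dotted-quad rule: installers served from IP-addressed internal shares. In an estate that does this, exclude RFC 1918 ranges (ipaddress.IPv4Address(...).is_private) before alerting, but keep the User-Agent rule unconditional. The 404 on line 2 is consistent with the "LokiBot Fake 404 Response" alert in 45835: the C2 answers successful check-ins with a fake error, so a 404 status is not grounds to discard the hit.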
45836 | 2021-04-30 17:56 | Project Korvus.exe | md5 e4cb6177f54802a8eb50817353622056 | score 10.8 | - | VT 52 | r0d
Tags: Ave Maria WARZONE RAT Antivirus OS Processor Check PE File PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName RCE DNS Cryptographic key
Hosts (2): rosesfn-49817.portmap.host(193.161.193.99); 193.161.193.99 - malicious
Suricata alerts (1): ET POLICY DNS Query to a Reverse Proxy Service Observed
Note: Ave Maria / Warzone RAT whose C2 is a portmap.host forwarding endpoint, which is what the ET POLICY alert flags; traffic goes to portmap.host's 193.161.193.99 rather than to the operator's own address, so the useful indicator is the rosesfn-49817 subdomain, not the IP. Persistence and staging are visible in the AutoRuns, Creates shortcut and powershell.exe wrote tags. Highest VirusTotal count on this page (52).
45837 | 2021-04-30 12:04 | RaptoreumDigger.exe | md5 ddf9bb04a39bd8b450d6fb90a146df9c | score 1.4 | - | VT - | guest
Tags: AsyncRAT backdoor PE File OS Processor Check PE64 PDB MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key
Note: 64-bit PE with a miner-style name submitted by a guest user; no URLs, hosts or Suricata alerts recorded and no VirusTotal lookup. The AsyncRAT backdoor tag is the only family signal on this run.
45838 | 2021-04-30 09:48 | divine11111.html | md5 2eeda876014265c8413ef0e565a96657 | score 10.0 | M | VT - | ZeroCERT
Tags: AntiDebug AntiVM PNG Format VBScript suspicious privilege MachineGuid Code Injection WMI wscript.exe payload download Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Dropper
URLs (33):
  https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
  https://resources.blogblog.com/img/anon36.png
  https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog
  https://fonts.googleapis.com/css?family=Open+Sans:300
  https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501
  https://ia801408.us.archive.org/25/items/defender_202103/defender.txt - rule_id: 971
  https://www.blogger.com/static/v1/widgets/1564291244-widgets.js
  https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
  https://www.google-analytics.com/analytics.js
  https://www.blogger.com/img/share_buttons_20_3.png
  https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
  https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501&bpli=1
  https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
  https://resources.blogblog.com/img/blank.gif
  https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff
  https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
  https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
  https://www.google.com/css/maia.css
  https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&passive=true&go=true
  https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
  https://www.blogger.com/img/blogger-logotype-color-black-1x.png
  https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fyahameinhunbusorkoinai.blogspot.com%2Fp%2Fdivine11111.html&type=blog&bpli=1
  https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
  https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd
  https://www.blogger.com/static/v1/jsbin/3544430843-cmt__en_gb.js
  https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css
  https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
  https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c
  https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css
  https://resources.blogblog.com/img/icon18_edit_allbkg.gif
  https://resources.blogblog.com/img/icon18_wrench_allbkg.png
  https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&passive=true&go=true
  https://www.google.com/js/bg/EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c.js
Hosts (19): resources.blogblog.com(172.217.31.137); ia801408.us.archive.org(207.241.228.148) - malicious; www.google.com(172.217.161.68); www.gstatic.com(172.217.174.99); fonts.googleapis.com(172.217.25.106); archive.org(207.241.224.2) - malicious; accounts.google.com(216.58.220.141); www.google-analytics.com(172.217.161.78); fonts.gstatic.com(172.217.175.227); www.blogger.com(172.217.31.137); 172.217.163.234; 142.250.204.105; 207.241.228.148 - malicious; 142.250.66.35; 142.250.66.141; 172.217.31.233; 172.217.24.68; 172.217.163.238; 172.217.161.131
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs (1): https://ia801408.us.archive.org/25/items/defender_202103/defender.txt
Note: this is the Blogger page (yahameinhunbusorkoinai.blogspot.com/p/divine11111.html) that the short links in 45840 lead to. Of the 33 URLs only one matched a rule (rule_id 971): the archive.org text file that the embedded VBScript fetches as its payload (VBScript, wscript.exe payload download, Dropper); the other 32 are Blogger and Google assets of the hosting page and are not indicators. archive.org and its ia801408 mirror are the only hosts labelled malicious. The Tofsee tag comes solely from the SSLBL JA3 client-fingerprint alert; a client fingerprint identifies the requesting TLS stack, and every host contacted here is Google, Blogger or archive.org, so it is not evidence of Tofsee C2 traffic.
45839 | 2021-04-30 09:48 | cutscroll.png | md5 f5c29728fe1f4226a8dc603d788a0a6f | score 4.6 | - | VT - | ZeroCERT
Tags: PE File OS Processor Check PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
URLs (1): https://103.54.41.193/lib90/TEST22-PC_W617601.8F3740811540BBD5131268335F0573AB/5/kps/
Hosts (2): 103.54.41.193 - malicious; 178.134.47.166
Suricata alerts (3): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O); ET INFO TLS Handshake Failure
Note: a PE32 delivered under a .png name. The single HTTPS request to 103.54.41.193 embeds the sandbox's computer name and Windows build (TEST22-PC, 6.1.7601) in the path, the bot-ID layout TrickBot uses; the server presented the OpenSSL demo certificate (Internet Widgits Pty) and the handshake failed, so no C2 exchange completed. The Dridex, TrickBot and Kovter tags all derive from one generic JA3 alert that names all three families, so the family call rests on the URL structure rather than on the fingerprint.
45840 | 2021-04-30 09:47 | Company Details.ppam | md5 c8e1760af8a65590d26315a4ff144b62 | score 8.6 | - | VT 15 | ZeroCERT
Tags: VBA_macro PNG Format VirusTotal Malware powershell AutoRuns Malicious Traffic Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Interception Windows ComputerName DNS
URLs (15):
  http://www.j.mp/ddsobpechateessentesathatesesjdw
  http://bit.ly/ddsobpechateessentesathatesesjdw
  https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
  https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css
  https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog
  https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html
  https://resources.blogblog.com/img/icon18_edit_allbkg.gif
  https://resources.blogblog.com/img/icon18_wrench_allbkg.png
  https://www.blogger.com/static/v1/widgets/1564291244-widgets.js
  https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt
  https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd
  https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
  https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
  https://www.blogger.com/img/share_buttons_20_3.png
  https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
Hosts (16): resources.blogblog.com(172.217.31.137); yahameinhunbusorkoinai.blogspot.com(172.217.175.65); google.com(216.58.220.142); ia601409.us.archive.org(207.241.227.129); accounts.google.com(216.58.220.141); bit.ly(67.199.248.10) - malicious; www.j.mp(67.199.248.17) - malicious; www.blogger.com(172.217.175.9); 207.241.227.129; 142.250.199.65; 142.250.66.109; 67.199.248.17 - malicious; 67.199.248.10 - phishing; 142.250.204.110; 172.217.26.137; 142.250.66.41
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Note: PowerPoint add-in (.ppam) with a VBA macro that launches PowerShell and follows the j.mp and bit.ly short links to yahameinhunbusorkoinai.blogspot.com/p/divine11111.html, the page analysed as 45838; the next stage is again a text file on archive.org (divonee111.txt here, defender.txt in 45838). The actionable indicators are the two short-link paths, the blogspot page and the archive.org item; the Blogger asset URLs are page furniture. AutoRuns indicates persistence was set. Note the inconsistent labelling of the shortener IPs (67.199.248.10 appears both as malicious via bit.ly and as phishing as a bare IP). As in 45838, the Tofsee tag stems only from the JA3 client fingerprint and not from any Tofsee host.
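The Hosts and URLs fields of the records above follow a small, regular grammar: a host entry is either name(ip) or a bare IPv4 address, optionally followed by " - label", and a URL entry is the URL optionally followed by " - rule_id: N". The following is an added example (Python; not code from the page or from the ZeroCERT sandbox) that parses those two fields into structured IOCs and then pivots across samples on shared URLs, which is how the 45828/45835 link above is found mechanically. The Host and Url types, the function names and the LABEL_FIX table are this example's own; the field contents embedded as input are copied verbatim from the records on this page (including the feed's original "mailcious" spelling, which the parser normalises).

```python
"""Parse the Hosts and URLs fields of the sandbox records above into
structured IOCs and pivot on URLs shared between samples.

Added example, not the sandbox's own code. Types, function names and the
label table are this example's; the embedded field strings are copied from
the records on the page.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Host entry grammar: name(ip) or bare IPv4, each optionally followed by " - label".
# name(ip) may have an empty ip, e.g. "www.lovenfys.com()" when resolution failed.
HOST_RE = re.compile(
    r"(?:(?P<name>[^\s()]+)\((?P<ip>[^)]*)\)|(?P<bare>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"
)
# URL entry grammar: the URL, optionally followed by " - rule_id: N" when a URL rule matched.
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")

# The feed this page was exported from spells the verdict "mailcious"; normalise it.
LABEL_FIX = {"mailcious": "malicious"}


@dataclass(frozen=True)
class Host:
    name: Optional[str]   # None for a bare-IP entry
    ip: Optional[str]     # None when the name did not resolve (empty parentheses)
    label: Optional[str]  # "malicious", "malware", "phishing" or None


@dataclass(frozen=True)
class Url:
    url: str
    rule_id: Optional[int]
    host: str


def parse_hosts(field: str) -> list[Host]:
    out = []
    for m in HOST_RE.finditer(field):
        label = m.group("label")
        label = LABEL_FIX.get(label, label) if label else None
        if m.group("bare"):
            out.append(Host(None, m.group("bare"), label))
        else:
            out.append(Host(m.group("name"), m.group("ip") or None, label))
    return out


def parse_urls(field: str) -> list[Url]:
    return [
        Url(m.group("url"),
            int(m.group("rule")) if m.group("rule") else None,
            urlsplit(m.group("url")).hostname or "")
        for m in URL_RE.finditer(field)
    ]


def shared_urls(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each URL to the sample IDs whose URLs field contains it, keeping only
    URLs seen in more than one sample: the pivots worth blocking first."""
    seen: dict[str, list[str]] = defaultdict(list)
    for sample_id, field in records.items():
        for u in parse_urls(field):
            seen[u.url].append(sample_id)
    return {u: ids for u, ids in sorted(seen.items()) if len(ids) > 1}


# URLs fields copied from the records above, keyed by sample ID.
URL_FIELDS = {
    "45827": "http://209.141.50.70/PV/300/pin.php",
    "45828": "http://meirback.co.uk/Bn1/fre.php - rule_id: 1119",
    "45830": "http://84.200.4.102/dwpc.exe",
    "45833": "http://kushikushi.us/chief/kev/fre.php",
    "45835": "http://meirback.co.uk/Bn1/fre.php - rule_id: 1119 http://107.172.130.145/bh/svch.exe",
}
# Hosts field of record 45834, copied verbatim: one unresolved name, two labelled IPs.
HOSTS_45834 = ("www.lovenfys.com() www.wirebeevehicles.com(148.66.138.166) "
               "www.fragrancecollector.com(74.208.236.213) www.google.com(172.217.174.100) "
               "74.208.236.213 - mailcious 148.66.138.166 - mailcious 172.217.163.228")

if __name__ == "__main__":
    for h in parse_hosts(HOSTS_45834):
        print(h)
    print(shared_urls(URL_FIELDS))
```

Running it prints the seven host entries of 45834 with the unresolved name carrying ip=None and the two labelled IPs normalised to "malicious", and then the one URL that appears in two samples, meirback.co.uk/Bn1/fre.php in 45828 and 45835. The label field is worth keeping separate from the name/ip: the same address can appear twice with different labels in one record (45840 lists 67.199.248.10 as malicious via bit.ly and as phishing as a bare IP), and a blocklist built from this data should take the union rather than the last value seen.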