49021 | 2021-02-04 10:52 | 416212.jpg.exe | 5210f2b1dea41fc2209ca7dccb4ec172 | | 0.2 | M | | ZeroCERT

49022 | 2021-02-04 10:52 | 541310.jpg.exe | ac7d58bf24cbc2083fe4a90f203c9ab5 | RCE | 0.8 | M | | ZeroCERT

49023 | 2021-02-04 10:14 | 6lajhbjyuk.exe | 77be0dd6570301acac3634801676b5d7 | Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName DNS Software | 10.8 | M | 59 | ZeroCERT
  URLs (1): http://api.ipify.org/?format=xml
  Hosts (4): sweyblidian.com(185.100.65.29) - mailcious; api.ipify.org(54.243.164.148); 54.225.129.141; 185.100.65.29 - mailcious
  Signatures (1): ET POLICY External IP Lookup (ipify .org)

49024 | 2021-02-04 10:14 | winlog.exe | 339fedf77e466d75dc3d7197fafa2ac3 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software | 10.0 | M | 48 | ZeroCERT
  URLs (1): http://azmtool.us/kaka/kaka1/fre.php
  Hosts (2): azmtool.us(89.235.184.241); 45.128.207.237
  Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response

49025 | 2021-02-04 09:59 | vbc.exe | 2ffc43d9e4d2482e7acfdcef863fe7e9 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows DNS Cryptographic key | 10.0 | M | 31 | ZeroCERT
  URLs (4): http://www.starlevelopulence.com/kre/?jFNHix=0OfHdNz0HWhF9HvaatlBO/XroeHlL7Urm8EImvnpnos1yLwvrzvh2obe20hMQlWMYoNQHDpy&oXU=_0GDCjlXRtr4u; http://www.babylist.info/kre/?jFNHix=mkx09hqXalb1sG7rIkwTo1+5sqNE9cKMt7dvRqdNeRtwcb/BKuz3t/EUP1FALOL4s9t4U09z&oXU=_0GDCjlXRtr4u; http://www.smyleoberry.com/kre/?jFNHix=wPJk7tKGuyBEXolqs/BP21jfPD8XOzKUBfoK5nxEF3WPIHY1woaeT3O1l5lNU2VWzdsP7CRb&oXU=_0GDCjlXRtr4u; http://www.canceledculture.net/kre/?jFNHix=sZpFlhXP8dA3ffHIyrPzRO7rgjEq65TwHsovkvKuC9nuE9nDYSZRHOFurjv11gPSsq5taiH9&oXU=_0GDCjlXRtr4u
  Hosts (10): www.smyleoberry.com(18.211.19.104); www.babylist.info(52.219.116.115); www.canceledculture.net(34.102.136.180); www.starlevelopulence.com(23.227.38.74); www.fu2car.com(198.74.106.243) - mailcious; 3.93.205.129; 52.219.117.59; 198.74.106.243 - mailcious; 34.102.136.180 - mailcious; 23.227.38.74 - mailcious

49026 | 2021-02-04 09:59 | UDI.exe | 103a67077a7c6f4efd59a2042168f08b | VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS | 3.8 | M | 24 | ZeroCERT
  Hosts (1): 193.239.147.103 - mailcious

49027 | 2021-02-04 09:46 | svchost.exe | c69a6a5f930af087691a861a2ba904eb | Dridex VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS | 11.0 | M | 17 | ZeroCERT
  URLs (1): http://drsbake.com:443/js/t2/index.php
  Hosts (2): drsbake.com(69.10.52.210); 69.10.52.210 - mailcious
  Signatures (5): SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex; ET POLICY HTTP traffic on port 443 (POST)

49028 | 2021-02-04 09:45 | TEMP.so.exe | f160c057fded2c01bfdb65bb7aa9dfcc | Malware download Amadey VirusTotal Malware Malicious Traffic Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS | 6.8 | M | 56 | ZeroCERT
  URLs (1): http://186.122.150.107/cc/index.php - rule_id: 246
  Hosts (1): 186.122.150.107 - mailcious
  Signatures (1): ET MALWARE Amadey CnC Check-In
  Rule-matched URLs (1): http://186.122.150.107/cc/index.php

49029 | 2021-02-04 09:40 | bb.exe | 2668dde5e520194c26a7dd49d1aab364 | VirusTotal Malware AutoRuns Creates executable files malicious URLs sandbox evasion Windows RCE DNS | 7.4 | M | 57 | guest
  Hosts (1):

49030 | 2021-02-04 09:37 | new.exe | fea1df2cdbc8ed9c6a82bcce20402a0a | VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS | 12.8 | M | 10 | ZeroCERT
  Hosts (2): fire4fire.ddns.net(); 79.134.225.52 - mailcious
  Signatures (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net

49031 | 2021-02-04 09:37 | MLY.exe | 3c9be33d1fd95c74f800e570cd4654eb | VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName Cryptographic key crashed | 14.4 | M | 28 | ZeroCERT
  Hosts (2): klakjadkkjbjkjhiji.gotdns.ch(104.243.245.159); 104.243.245.159

49032 | 2021-02-04 09:20 | lv.exe | 5d2f84a7e74e6e5ff1db4c4038d0f5e4 | VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check Tofsee Windows ComputerName crashed | 13.8 | M | 46 | ZeroCERT
  URLs (2): http://ip-api.com/line; https://iplogger.org/1rUs77
  Hosts (4): iplogger.org(88.99.66.31); ip-api.com(208.95.112.1); 88.99.66.31 - mailcious; 208.95.112.1
  Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup ip-api.com

49033 | 2021-02-04 09:19 | mannx.scr | 87a960f2e2706c501193fbf3266b9ea9 | Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger | 14.0 | M | | ZeroCERT
  URLs (2): http://193.239.147.103/base/92F45ADD52B004FE7B54082FDCFB8C41.html - rule_id: 225; https://api.ipify.org/
  Hosts (3): api.ipify.org(23.21.48.44); 54.225.129.141; 193.239.147.103 - mailcious
  Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Rule-matched URLs (1): http://193.239.147.103/base/

49034 | 2021-02-03 18:51 | light.exe | 3722074c541640dafeaf62c0e12080c0 | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS crashed | 11.4 | M | 10 | ZeroCERT

49035 | 2021-02-03 18:50 | licenser.txt.exe | 63e7beb498ebe532263c977d71f664c3 | VirusTotal Malware Buffer PE Check memory buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed | 4.8 | M | 16 | ZeroCERT