49036 | 2021-02-03 18:22 | 15.8 | M | 18 | ZeroCERT
Sample: aguerox.scr  MD5 c96bca895f08287e145cf97fa5b4158f
Tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (2):
  http://becharnise.ir/fa15/fre.php
  http://193.239.147.103/base/2C72DA610917F3D48463446C0D190DB7.html (rule_id: 225)
Hosts (3):
  becharnise.ir(185.208.180.121) - malicious
  185.208.180.121 - malicious
  193.239.147.103 - malicious
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://193.239.147.103/base/

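The network fields in these records are written for a human reader: the host field is a run of "name(ip) - tag" items (a bare IP has no parentheses, "()" means the sandbox got no DNS answer), and the URL field is a run of URLs where "- rule_id: N" annotates the URL before it. Before they can feed a blocklist they need parsing, de-duplication of the resolved-IP and bare-IP forms of the same address, and the count check the feed's leading number makes possible (several records on this page print a count with no item after it). The following is an added example written for this page, not code from the feed or from ZeroCERT. It parses the two fields from records 49036 and 49038, copied inline as constructed test input exactly as the feed emits them, including the feed's "mailcious" spelling of "malicious", which is kept as an alias. It keeps the feed's tags instead of treating every host as hostile, because some URL entries are benign sandbox noise (record 49048's GoogleUpdateSetup.exe download from gvt1.com and update.googleapis.com is Google's own update traffic). The type and function names are the example's own.

```python
"""IOC extraction for sandbox-feed records like the ones on this page.

Added example for this page, not code from the feed or from ZeroCERT. Names
(HostEntry, IOC, the functions) are this example's own. Sample strings are
copied from records 49036 and 49038 as the feed prints them (constructed input).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

TAG_ALIASES = {"mailcious": "malicious"}   # the feed's spelling -> canonical tag
HOST_TOKEN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.-]*)(?:\(([0-9.]*)\))?$")

RECORD_49036_HOSTS = ("becharnise.ir(185.208.180.121) - mailcious "
                      "185.208.180.121 - mailcious 193.239.147.103 - mailcious")
RECORD_49036_URLS = ("http://becharnise.ir/fa15/fre.php "
                     "http://193.239.147.103/base/2C72DA610917F3D48463446C0D190DB7.html - rule_id: 225")
RECORD_49038_HOSTS = ("www.ppeaceandgloves.com(91.195.241.137) www.smithvilletexashistory.com() "
                      "www.bytecommunication.com(108.62.32.215) 108.62.32.215 91.195.241.137 - mailcious")


@dataclass(frozen=True)
class HostEntry:
    name: str                 # domain or bare IP as printed (lower-cased)
    resolved: str | None      # ip from "(...)"; "" for "()"; None when there were no parens
    tag: str | None           # canonical tag, or None when the feed printed none


@dataclass(frozen=True)
class IOC:
    kind: str                 # "domain", "ip" or "url"
    value: str
    tags: frozenset = frozenset()
    rule_id: int | None = None


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_hosts(text: str) -> list[HostEntry]:
    """Tokenise the host field; a "- tag" pair belongs to the token before it."""
    tokens = text.split()
    entries: list[HostEntry] = []
    i = 0
    while i < len(tokens):
        tok, tag = tokens[i], None
        if i + 2 < len(tokens) and tokens[i + 1] == "-":
            tag = TAG_ALIASES.get(tokens[i + 2], tokens[i + 2])
            i += 3
        else:
            i += 1
        m = HOST_TOKEN.match(tok)
        if m:                                  # anything else is not a host token: skip, don't guess
            entries.append(HostEntry(m.group(1).lower(), m.group(2), tag))
    return entries


def parse_urls(text: str) -> list[IOC]:
    """Tokenise the URL field; "- rule_id: N" is attached to the preceding URL."""
    tokens = text.split()
    urls: list[IOC] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("http://", "https://")):
            urls.append(IOC("url", tok))
            i += 1
        elif tok == "-" and urls and i + 2 < len(tokens) and tokens[i + 1] == "rule_id:":
            last = urls.pop()
            urls.append(IOC(last.kind, last.value, last.tags, int(tokens[i + 2])))
            i += 3
        else:
            i += 1
    return urls


def host_iocs(entries: list[HostEntry]) -> list[IOC]:
    """A resolved domain yields the domain and its IP; both inherit the entry's tag."""
    out: list[IOC] = []
    for e in entries:
        tags = frozenset({e.tag}) if e.tag else frozenset()
        out.append(IOC("ip" if _is_ip(e.name) else "domain", e.name, tags))
        if e.resolved:
            out.append(IOC("ip", e.resolved, tags))
    return out


def url_iocs(urls: list[IOC]) -> list[IOC]:
    """Each URL plus the host it lives on, which is what a DNS or proxy blocklist needs."""
    out = list(urls)
    for u in urls:
        host = urlparse(u.value).hostname
        if host:
            out.append(IOC("ip" if _is_ip(host) else "domain", host.lower(), u.tags))
    return out


def unresolved(entries: list[HostEntry]) -> list[str]:
    """Domains printed as name(): queried by the sample, no answer seen in the sandbox."""
    return [e.name for e in entries if e.resolved == ""]


def count_matches(declared: int, items) -> bool:
    """The feed prints an item count before each field; a mismatch means the rendered
    field lost items, so the record should be re-pulled rather than trusted."""
    return len(items) == declared


def build_blocklist(iocs: list[IOC]) -> dict[str, set[str]]:
    """Merge domain/ip IOCs into value -> tags, collapsing the resolved and bare forms of
    one IP into a single entry that carries every tag seen for it."""
    merged: dict[str, set[str]] = {}
    for ioc in iocs:
        if ioc.kind in ("domain", "ip"):
            merged.setdefault(ioc.value, set()).update(ioc.tags)
    return merged


if __name__ == "__main__":
    entries = parse_hosts(RECORD_49036_HOSTS)
    urls = parse_urls(RECORD_49036_URLS)
    print("counts ok:", count_matches(3, entries), count_matches(2, urls))
    for value, tags in sorted(build_blocklist(host_iocs(entries) + url_iocs(urls)).items()):
        print(f"{value:20} {','.join(sorted(tags)) or '-'}")
    print("unresolved in 49038:", unresolved(parse_hosts(RECORD_49038_HOSTS)))
```

Run as a script it prints three merged entries for record 49036 (becharnise.ir and its two IPs, all tagged malicious) and reports www.smithvilletexashistory.com as the unresolved lookup in record 49038. Untagged hosts in the merged map (for example 108.62.32.215 in 49038) are exactly the ones that need an analyst's decision rather than an automatic block.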
49037 | 2021-02-03 18:12 | 9.6 | M | 16 | ZeroCERT
Sample: winlog4.exe  MD5 524ac66f24321c6da65f2b098978bff7
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs
URLs (12):
  http://www.thebabylashes.com/gqx2/
  http://www.tmpaas.com/gqx2/
  http://www.theofficialtoluwani.com/gqx2/?nPntH4=upR2KFKjs42p1EdP4ql1+FytJ5veHcIKVvPJe+9hsDBmELSeELrVJP2ZA2YHWwOMOjSiJC6f&Lh3l=ZTdtL8t8yx
  http://www.theofficialtoluwani.com/gqx2/
  http://www.shaffglowing.com/gqx2/?nPntH4=KhA/zwXnJUgsBxEHuGzVV5+gy2rf8S/xUCEhxADior6XXCc1M4KkV7Go+fDVN/HCwemfANa+&Lh3l=ZTdtL8t8yx
  http://www.tmpaas.com/gqx2/?nPntH4=5JpUkVtS0JNuUoRlf+CFDHpP4Uxy07qT9+hKEWZ21aajybDa6hG7iO1an+96ZpJK7db/pMaD&Lh3l=ZTdtL8t8yx
  http://www.shaffglowing.com/gqx2/
  http://www.oaklandraidersjerseyspop.com/gqx2/
  http://www.donboscohistorycorner.com/gqx2/?nPntH4=+N3LpDhTi/fP7Hwf9yN+rTh7hlKS/+ht+RV6ys2fj+a4t5CqqKB2KdcgeWwIOpMcpe/YHAwJ&Lh3l=ZTdtL8t8yx
  http://www.oaklandraidersjerseyspop.com/gqx2/?nPntH4=EgmJjZ22Ewk3ZUBAMVOOKgrHeYQOJcLzmrSGfMm6T5GCaNHOwgoPLqek76Dq2OYiVDVEigp6&Lh3l=ZTdtL8t8yx
  http://www.donboscohistorycorner.com/gqx2/
  http://www.thebabylashes.com/gqx2/?nPntH4=GNK9yXShMMK+HA+mQO0UuqFPWoPP84MnG3zjeho+qZgE6xGhoImbl1IUPjhBqmb49Fd79M+M&Lh3l=ZTdtL8t8yx
Hosts (14):
  www.tmpaas.com(43.243.108.245)
  www.shaffglowing.com(185.210.145.3)
  www.donboscohistorycorner.com(165.227.229.15)
  www.theofficialtoluwani.com(34.102.136.180)
  www.thebabylashes.com(23.227.38.74)
  www.oaklandraidersjerseyspop.com(3.234.181.234)
  www.teamworkdash.com(34.102.136.180) - malicious
  www.inreachpt.com(34.102.136.180) - malicious
  185.210.145.3
  43.243.108.245
  34.102.136.180 - malicious
  3.234.181.234 - malicious
  23.227.38.74 - malicious
  165.227.229.15

49038 | 2021-02-03 18:11 | 10.0 | | 27 | ZeroCERT
Sample: winlog3.exe  MD5 5ec4108db8c98d030cea2bb1ea95b725
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, DNS
URLs (2):
  http://www.ppeaceandgloves.com/aky/?tHrt=fJr/bXrOOydqPygeucC36RKPLZWaOswXVxbDwO1Xd9dOOwwVQBbu3banfdOux07squRMjBgr&UtzXc=GFNlYtxHSPupeV
  http://www.bytecommunication.com/aky/?UtzXc=GFNlYtxHSPupeV&tHrt=rii9xW2yAVjkIq2xZOjNE/j5Fqela4Uc8+1TqvkS5Mpd2SL5/rCEfL/s7QB2eT+WoS6hJ8+t
Hosts (5):
  www.ppeaceandgloves.com(91.195.241.137)
  www.smithvilletexashistory.com()
  www.bytecommunication.com(108.62.32.215)
  108.62.32.215
  91.195.241.137 - malicious

49039 | 2021-02-03 17:51 | 9.2 | M | 17 | ZeroCERT
Sample: winlog2.exe  MD5 84756d09ad2ebedc58b7a9c1f8eef37a
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, DNS
URLs (8):
  http://www.fadhilaaqiqah.com/oean/?0VJtG4=sNIx3+d+Vk9EHeH7EC9q5Tmy2l1x0RXkuchRdpUVobrYMUbUhiEqq/j39KrEvBnVPyS3H2Zf&jFNTe=aFNTkfKp
  http://www.binggraesantorini.com/oean/
  http://www.5037adairway.com/oean/
  http://www.binggraesantorini.com/oean/?0VJtG4=/Tb7qIo2lpboAMxAj7Gh2hKFZ23w4lXxZLQB9l6RwaFPFjPRBAPhOCcTAbF5URuiUHLgEz+l&jFNTe=aFNTkfKp
  http://www.ceejing.com/oean/?0VJtG4=sNeCokEil3n05bCMuHkoGVQWeq3WOq80ehrkGAbIdyTAKn0wwoYT6FA2uGnC4/MYFICEqumS&jFNTe=aFNTkfKp
  http://www.fadhilaaqiqah.com/oean/
  http://www.ceejing.com/oean/
  http://www.5037adairway.com/oean/?0VJtG4=UDbslJB1q+rri679tZMgD4X+MNMiKzOXjqs7zZj0KYuc4U4K27OQ1IdPl9lyNCPJCUK9RLqX&jFNTe=aFNTkfKp
Hosts (15):
  www.binggraesantorini.com(52.58.78.16)
  www.classifoods.com(91.195.241.137) - malicious
  www.ceejing.com(45.32.95.179)
  www.villacascabel.com(34.102.136.180) - malicious
  www.spreadaccounts.com(78.153.213.7) - malicious
  www.5037adairway.com(184.168.131.241)
  www.piemontelaw.net() - malicious
  www.fadhilaaqiqah.com(172.67.219.15)
  78.153.213.7 - malicious
  104.21.78.86
  184.168.131.241 - malicious
  45.32.95.179
  91.195.241.137 - malicious
  52.58.78.16 - malicious
  34.102.136.180 - malicious

49040 | 2021-02-03 17:50 | 8.6 | M | 16 | ZeroCERT
Sample: winlog.exe  MD5 d64f47ad1647d93473130d1e301adbb0
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs
URLs (10):
  http://www.teamworkdash.com/gqx2/?5jrD_Rw=ZQeVLdaP9EWyqX8bXjuqV8BLV5S5w9PqgUgyzPf0MLEvcbi2aaDTCxVd2NzhYgYAniygw7pi&Dne0g=AFQPa05PwphlOzx
  http://www.eligetucafetera.com/gqx2/?5jrD_Rw=ugyBOnsIFYLtxifZElK+MG66jquXJo8uwGSdrHtlO+FUNhRVEpehsSBNBQXnM6G4YAUs1vTR&Dne0g=AFQPa05PwphlOzx
  http://www.spiderofthesea.com/gqx2/
  http://www.fanninhomesforless.com/gqx2/?5jrD_Rw=fdOSUXvE6wZzQ9cHW2YQH5fCAX4vARqGP9sfwvXn2tyGLR//bC18tYmBxGkEL6jypmB19dZF&Dne0g=AFQPa05PwphlOzx
  http://www.prayerswithmary.com/gqx2/?5jrD_Rw=njfRlhVj6EFspW2a0FRdDD3+20pPuTSuw1g6+/A6xC/1keaDHuewSnbFvm47zIyGVFI7XEui&Dne0g=AFQPa05PwphlOzx
  http://www.fanninhomesforless.com/gqx2/
  http://www.spiderofthesea.com/gqx2/?5jrD_Rw=Q1blzfWd1iL5ZbYIfd4CXQmcA8vflGzyEF+Kxk/VYfDAqqdZkJ9amDqbv+xKX/wj3ZCwkuYh&Dne0g=AFQPa05PwphlOzx
  http://www.prayerswithmary.com/gqx2/
  http://www.eligetucafetera.com/gqx2/
  http://www.teamworkdash.com/gqx2/
Hosts (12):
  www.eligetucafetera.com(186.64.118.110)
  www.prayerswithmary.com(172.217.175.19)
  www.inreachpt.com(34.102.136.180) - malicious
  www.spiderofthesea.com(34.102.136.180)
  www.thefanexam.com(99.84.233.212) - malicious
  www.teamworkdash.com(34.102.136.180)
  www.fanninhomesforless.com(34.102.136.180)
  www.starlinkwebservices.com(34.102.136.180) - malicious
  172.217.31.147 - phishing
  65.8.168.33
  34.102.136.180 - malicious
  186.64.118.110

49041 | 2021-02-03 17:33 | 4.4 | M | 18 | ZeroCERT
Sample: vbc.exe  MD5 766ba75de87fda229a25dbccd8a6218f
Tags: VirusTotal, Malware, RWX flags setting, unpack itself, malicious URLs, Tofsee, DNS, crashed
Hosts (2):
  cdn.discordapp.com(162.159.130.233) - malware
  162.159.133.233 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

49042 | 2021-02-03 14:49 | 4.8 | M | 35 | ZeroCERT
Sample: scr.dll  MD5 2928f54a3af6cbea7c0d669b246c8bce
Tags: VirusTotal, Malware, Malicious Traffic, Checks debugger, buffers extracted, unpack itself, malicious URLs, DNS
URLs (1):
  http://176.111.174.35//Fn39vld2cS/index.php?scr=up
Hosts (1):

49043 | 2021-02-03 14:47 | 4.8 | M | 37 | ZeroCERT
Sample: svch.exe  MD5 2d2df98c3ca178862612a0527503ca5b
Tags: VirusTotal, Malware, RWX flags setting, unpack itself, malicious URLs, Tofsee, DNS, crashed
Hosts (2):
  cdn.discordapp.com(162.159.129.233) - malware
  162.159.135.233 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

49044 | 2021-02-03 14:39 | 10.8 | M | 47 | ZeroCERT
Sample: proforma.exe  MD5 05f8d37087eb2818436f604cea3e5e87
Tags: VirusTotal, Malware, AutoRuns, PDB, suspicious privilege, Check memory, Checks debugger, WMI, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, IP Check, Windows, ComputerName, Cryptographic key, crashed, keylogger
URLs (1):
Hosts (4):
  primeswift.xyz(37.49.225.174)
  ip-api.com(208.95.112.1)
  37.49.225.174
  208.95.112.1
IDS alerts (1):
  ET POLICY External IP Lookup ip-api.com

49045 | 2021-02-03 14:39 | 16.2 | M | 8 | ZeroCERT
Sample: Protected Client.vbs  MD5 9f969c41db50bac5bf029f83c5456a09
Tags: VirusTotal, Malware, powershell, Buffer PE, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, ICMP traffic, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Windows, Java, ComputerName, DNS, Cryptographic key, DDNS, keylogger
Hosts (6):
  isrealpicker.duckdns.org(185.19.85.159) - malicious
  kadsec.com(104.21.60.156) - malicious
  google.com(172.217.25.206)
  172.67.198.2 - malicious
  185.19.85.159 - malicious
  172.217.174.110 - phishing
IDS alerts (2):
  ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

49046 | 2021-02-03 14:35 | 14.2 | M | 39 | ZeroCERT
Sample: odinaka.scr  MD5 b509dff7edd46ff799f8f854d6de3617
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
URLs (1):
  http://193.239.147.103/base/1951E124E4B830EA95E6D2FA25528F31.html (rule_id: 225)
Hosts (1):
  193.239.147.103 - malicious
Malicious URLs (1):
  http://193.239.147.103/base/

49047 | 2021-02-03 14:35 | 10.2 | M | 47 | ZeroCERT
Sample: ppei.exe  MD5 ac4cd44715d6bcee3624efeaf5b7b107
Tags: VirusTotal, Malware, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, ComputerName, DNS
Hosts (1):
  216.250.126.108 - malicious

49048 | 2021-02-03 14:23 | 7.0 | M | 34 | ZeroCERT
Sample: licenser.txt.exe  MD5 edacbd011f5d6d4bd0646ebdff7499ca
Tags: VirusTotal, Malware, Buffer PE, Malicious Traffic, Check memory, buffers extracted, Creates executable files, unpack itself, AppData folder, malicious URLs, Tofsee, Windows, DNS, crashed
URLs (4):
  http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe
  http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1612329375&mv=m&mvi=7&pl=18&shardbypass=yes
  https://update.googleapis.com/service/update2?cup2key=10:1322616147&cup2hreq=ac01f7a2c251c2866f15c996813e96ee5f7d9eb595388c0690c99723a89081fb
  https://update.googleapis.com/service/update2
Hosts (2):
  r7---sn-3u-bh2lz.gvt1.com(59.18.45.210)
  59.18.45.210
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

49049 | 2021-02-03 14:22 | 10.2 | M | 47 | ZeroCERT
Sample: mii.exe  MD5 8315199b3ee08e32cf5d72c94c1827ee
Tags: VirusTotal, Malware, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, ComputerName, DNS
Hosts (1):

49050 | 2021-02-03 14:13 | 4.4 | M | | ZeroCERT
Sample: invoice_45212.doc  MD5 f05f34a933c910b787d64a63d8514744
Tags: Malware, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed
Hosts (1):
IDS alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response