49111 |
2021-02-01 22:11
|
hkcmd.exe b8fbbf48619bf863aba9e5eb8fb3f81e VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs |
11
http://www.activagebenefits.net/bw82/?sBvD8D=kkzs7wdmjdk7n45UjfiLHnYXY/z1ZZpbk/YksZMR2IH2vaFa+RYbCAbMSAFheW9HER5RLpU/&APcT7P=djFDaHXHkHmL http://www.thedancehalo.com/bw82/ - rule_id: 174 http://www.illfingers.com/bw82/?sBvD8D=oL6WGk535ShIMWn5X5nbn/aOUoaL8VsOPK21+5lbgTOaDrSYSQVH4Z9wRk26hxOpEjraHrRl&APcT7P=djFDaHXHkHmL http://www.wmarquezy.com/bw82/ - rule_id: 181 http://www.activagebenefits.net/bw82/ http://www.wmarquezy.com/bw82/?sBvD8D=/EPqbtSARGzilFdTRYE1urAc3bDaNMBRSm6tJpb+ckA41wFrw7Re59/hr+veajPbLei9XJ0s&APcT7P=djFDaHXHkHmL - rule_id: 181 http://www.rizrvd.com/bw82/?sBvD8D=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&APcT7P=djFDaHXHkHmL - rule_id: 170 http://www.rizrvd.com/bw82/?sBvD8D=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&APcT7P=djFDaHXHkHmL http://www.illfingers.com/bw82/ http://www.rizrvd.com/bw82/ - rule_id: 170 http://www.thedancehalo.com/bw82/?sBvD8D=TJmBUVi76XvdedvdT4XTiNg0xow+eIDVhd+PvrNB1pQf64xZGmJKzxet+DQnJGM605l+3b5o&APcT7P=djFDaHXHkHmL - rule_id: 174
|
13
www.nikolaichan.com(216.58.197.179) - malicious www.exlineinsurance.com(182.50.132.242) - malicious www.illfingers.com(162.241.217.138) www.thedancehalo.com(34.102.136.180) - malicious www.activagebenefits.net(34.102.136.180) www.rizrvd.com(34.102.136.180) - malicious www.wmarquezy.com(192.0.78.25) - malicious www.blacksailus.com() 162.241.217.138 34.102.136.180 - malicious 216.58.197.179 - deface 182.50.132.242 - malicious 192.0.78.24 - malicious
|
|
6
http://www.thedancehalo.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.wmarquezy.com/bw82/ http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/ http://www.thedancehalo.com/bw82/
|
9.0 |
M |
17 |
guest
49112 |
2021-02-01 16:46
|
document.doc ae9cd0d00d776cbef69043a7d2f025c3 Dridex VirusTotal Malware exploit crash unpack itself malicious URLs Tofsee Exploit crashed |
|
2
bribble.com(35.208.60.152) 35.208.60.152
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
3.6 |
|
15 |
guest
49113 |
2021-02-01 12:35
|
vbc.exe 7aecb24d8babdcdf05a5848e7029e94f VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows Cryptographic key |
5
http://www.paeonystore.com/kre/?XbcPulJH=fVdkn5N/DitBhQggR74LEaJAM/79H7ZPaeruS3BugSBUurHi6N1DFnDlSn6gB1X2ZzUpTF80&Ez=ctK0 http://www.trumpgangsters.com/kre/?XbcPulJH=9UI7BRcJrOVJiYXGY1wy7EXB5HGDpYNsxFhLtRPahjl+xHtXDFL8Nrwwr3SB4a5CSm/aZ5Pr&Ez=ctK0 http://www.1823a.com/kre/?XbcPulJH=tgBv8+Uuglqxhn5vYThYYFONh49n2qhe+6hhsETYco4wQgAmxdUJOX1YqPiQK2+3qjYQNw+V&Ez=ctK0 http://www.neverstopip.com/kre/?XbcPulJH=qMhmFMOJUb0oqJiblOF4ZjX2Hn0liLqRT6TyR3D4E52tgVnGOdNkf6QKQbmF98mnTd58WGhq&Ez=ctK0 http://www.pawantakespawn.com/kre/?XbcPulJH=0hFF07bkIl12u3jYu3U87KAD+fBNC/VwfLazYSnr9vcKzPwJ5Ffis/qtA9V8wyqijEj+wKfA&Ez=ctK0
|
9
www.1823a.com(104.233.238.207) www.neverstopip.com(34.102.136.180) www.trumpgangsters.com(34.102.136.180) www.pawantakespawn.com(23.82.12.31) www.paeonystore.com(8.210.69.194) 8.210.69.194 104.233.238.207 34.102.136.180 - malicious 23.82.12.31 - suspicious
|
|
|
9.0 |
M |
11 |
ZeroCERT
49114 |
2021-02-01 12:28
|
pppp.exe b88c6ae98565520b5abf0dbc67522f1d VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
|
5
www.google.com(172.217.26.4) 172.217.31.163 172.217.175.100 172.217.175.14 - malicious 37.46.150.67 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.8 |
M |
48 |
ZeroCERT
49115 |
2021-02-01 12:28
|
sppp.exe b12bb3159a945df7c5944b6f4192516d VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key |
1
|
2
www.google.com(172.217.26.4) 172.217.31.132
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
39 |
ZeroCERT
49116 |
2021-02-01 12:26
|
OBBBOP.exe 06f4d22f42e1d2406d5dd25c69aa92ac Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key crashed |
1
|
3
www.google.com(216.58.197.228) 172.217.174.100 193.239.147.32 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
17.4 |
M |
41 |
ZeroCERT
49117 |
2021-02-01 12:22
|
obbbb.exe 52f0b3acdd40bc050d4c0cdac026cf73 VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
4
http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1612149378&mv=m&mvi=7&pl=18&shardbypass=yes https://update.googleapis.com/service/update2?cup2key=10:844178793&cup2hreq=c803d7ebab594fd900f99d3cf4c07af6f5ab610770c94bf3fe7fb489e4cb2eff https://www.google.com/
|
5
www.google.com(172.217.26.4) r7---sn-3u-bh2lz.gvt1.com(59.18.45.210) 172.217.24.132 - suspicious 59.18.45.210 45.15.143.216
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
27 |
ZeroCERT
49118 |
2021-02-01 12:21
|
sil.exe 8ecb4e5a7e2da81cfc68069c61d873a0 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
10.6 |
M |
40 |
ZeroCERT
49119 |
2021-02-01 11:28
|
cpu64.exe a431c41c39712dfbc0c8a50fe6abc95f unpack itself malicious URLs DNS |
|
|
|
|
2.6 |
|
|
ZeroCERT
49120 |
2021-02-01 11:28
|
wifi.exe 022abc021cc91efe3e1bc65b158654e4 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName |
|
|
|
|
10.4 |
M |
52 |
ZeroCERT
49121 |
2021-02-01 11:17
|
svch.exe d7c6ddd2feb3c305103f5c3cbb81ba01 VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
7
http://www.cbrealvitalize.com/bw82/ - rule_id: 171 http://www.cbrealvitalize.com/bw82/?Lh38w=QMz1n+xx2KiD30AmT9IbdZVffunkwaB1v+iSpZgJgwTVZu6PNQxJOIJjV5QBJp9Es7YbcplQ&UR-X=D8Opc - rule_id: 171 http://www.housebulb.com/bw82/?Lh38w=mLdVvjD1AdGiZCaQi9zNl/jZmYLrRWlh7y0PmaE2JOXYml8BP0ZPnpOO6IWo6uQ+XsyL7mYN&UR-X=D8Opc http://www.rizrvd.com/bw82/?Lh38w=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&UR-X=D8Opc - rule_id: 170 http://www.rizrvd.com/bw82/?Lh38w=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&UR-X=D8Opc http://www.rizrvd.com/bw82/ - rule_id: 170 http://www.housebulb.com/bw82/
|
22
www.learnplaychess.com(103.250.186.248) - malicious www.kolamart.com(34.102.136.180) - malicious www.chrisbubser.digital() - malicious www.magnabeautystyle.com(184.168.131.241) - malicious www.h2oturkiye.com(94.73.146.42) - malicious www.yjpps.com(0.0.0.0) www.cbrealvitalize.com(34.102.136.180) - malicious www.rizrvd.com(34.102.136.180) - malicious www.housebulb.com(173.234.15.207) www.semenboostplus.com() www.riggsfarmfenceservices.com() www.dameadamea.com() www.fcoins.club() www.pandabutik.com(78.142.208.189) - malicious www.medkomp.online(81.200.118.106) - malicious 94.73.146.42 - malicious 184.168.131.241 - malicious 173.234.15.207 34.102.136.180 - malicious 78.142.208.189 - malicious 81.200.118.106 - malicious 103.250.186.248 - malicious
|
|
4
http://www.cbrealvitalize.com/bw82/ http://www.cbrealvitalize.com/bw82/ http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/
|
4.0 |
M |
56 |
guest
49122 |
2021-02-01 11:17
|
vbc.exe 6eac032479caee22d70c96d763cc5e10 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://51.195.53.221/p.php/zAjk1t0dYWTzj
|
1
51.195.53.221 - malicious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
|
|
14.4 |
M |
46 |
guest
49123 |
2021-02-01 11:11
|
SQLSerase.exe af9652990abce48e2e848e097c7ee4ab AutoRuns suspicious privilege Creates executable files unpack itself malicious URLs Windows DNS |
|
2
d.nxxxn.ga(91.208.245.238) - malicious 91.208.245.238
|
1
ET INFO DNS Query for Suspicious .ga Domain
|
|
4.6 |
M |
|
guest
49124 |
2021-02-01 11:03
|
ReportServser.exe a2eea769cf4aa2d2f21b9b2292332a43 Buffer PE AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files unpack itself Windows utilities AppData folder sandbox evasion WriteConsoleW Windows RCE DNS |
|
2
r.nxxxn.ga(91.208.245.238) - malicious 91.208.245.238
|
1
ET INFO DNS Query for Suspicious .ga Domain
|
|
10.8 |
M |
|
guest
49125 |
2021-01-31 16:38
|
regasm.exe d7c6ddd2feb3c305103f5c3cbb81ba01 VirusTotal Malware suspicious privilege Malicious Traffic unpack itself |
13
http://www.rizrvd.com/bw82/ - rule_id: 170 http://www.ctfocbdwholesale.com/bw82/ http://www.thebabyfriendly.com/bw82/?9rn0nZSH=r3fdhBxd74oEgZicGttpxejAYTJXJLNaeaQcIVjlA69R3Zm0PRCvEsUIL1HUx1pPfbJ8Suyi&w2=jFQp3Rm0k http://www.rizrvd.com/bw82/?9rn0nZSH=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&w2=jFQp3Rm0k - rule_id: 170 http://www.rizrvd.com/bw82/?9rn0nZSH=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&w2=jFQp3Rm0k http://www.thedancehalo.com/bw82/?9rn0nZSH=TJmBUVi76XvdedvdT4XTiNg0xow+eIDVhd+PvrNB1pQf64xZGmJKzxet+DQnJGM605l+3b5o&w2=jFQp3Rm0k - rule_id: 174 http://www.thebabyfriendly.com/bw82/ http://www.ctfocbdwholesale.com/bw82/?9rn0nZSH=Rxta6xhvu0A+EUy44SYKtO8XUaMinJcredwrnbAyLO8KeYZYbVzWAt3TsErgmguQWvKNX28r&w2=jFQp3Rm0k http://www.thedancehalo.com/bw82/ - rule_id: 174 http://www.wellnesssensation.com/bw82/?9rn0nZSH=455EGVYNkgtY7DWQNruX/4AMFbR5eugGoF6uNR+Emdxr+jw+VvqHfprsjaey9bT2FO76WXiQ&w2=jFQp3Rm0k http://www.wellnesssensation.com/bw82/ http://www.gdsjgf.com/bw82/?9rn0nZSH=7KG5rMnLNS/F00cUwyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27kzNH/2ON0tx/WWBZXRB&w2=jFQp3Rm0k - rule_id: 173 http://www.gdsjgf.com/bw82/ - rule_id: 173
|
23
www.gdsjgf.com(34.102.136.180) - malicious www.kolamart.com(34.102.136.180) - malicious www.thedancehalo.com(34.102.136.180) - malicious www.medkomp.online(81.200.118.106) - malicious www.rumblingrambles.com() - malicious www.curateherstories.com(34.102.136.180) - malicious www.rizrvd.com(34.102.136.180) - malicious www.mybestaide.com(52.216.8.26) - malicious www.gallerybrows.com(34.102.136.180) - malicious www.wellnesssensation.com(52.128.23.153) www.thebabyfriendly.com(154.80.226.18) www.magnabeautystyle.com(184.168.131.241) - malicious www.leadeligey.com(192.0.78.24) - malicious www.ctfocbdwholesale.com(34.102.136.180) www.acdfr.com(199.34.228.73) - malicious 52.128.23.153 199.34.228.73 - malicious 52.216.95.162 184.168.131.241 - malicious 34.102.136.180 - malicious 81.200.118.106 - malicious 154.80.226.18 192.0.78.25 - malicious
|
|
6
http://www.rizrvd.com/bw82/ http://www.rizrvd.com/bw82/ http://www.thedancehalo.com/bw82/ http://www.thedancehalo.com/bw82/ http://www.gdsjgf.com/bw82/ http://www.gdsjgf.com/bw82/
|
4.0 |
M |
56 |
guest