49171 | 2021-01-27 18:43
http://mkontakt.az/111.exe 7fe2322db3d58f5b993fadbaaff908be Dridex VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
1
http://mkontakt.az/111.exe
2
mkontakt.az(181.214.31.82) - malware
181.214.31.82 - mailcious
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET POLICY PE EXE or DLL Windows file download HTTP
|
5.2 | | 26 | ZeroCERT
49172 | 2021-01-27 18:23
x2.exe 39de62da4dfeff9120a26dde09bdc502 VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows DNS
3
http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe
http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1611738980&mv=m&mvi=7&pl=18&shardbypass=yes
https://update.googleapis.com/service/update2?cup2key=10:3980937290&cup2hreq=19d6c928944230667bafc7586f7fa28265e20679d0e05b3cab22276b420157df
3
r7---sn-3u-bh2lz.gvt1.com(59.18.45.210)
108.177.125.100
59.18.45.210
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
|
3.8 | M | 20 | ZeroCERT
49173 | 2021-01-27 18:22
x.exe 0b184fd1c1c4004732543ec8fcfb2dec VirusTotal Malware unpack itself
|
|
|
|
1.8 | M | 19 | ZeroCERT
49174 | 2021-01-27 18:11
winlog.exe 3ed71f97489274760b6cf02192304259 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS
16
http://www.304shaughnessygreen.info/oean/
http://www.rentapalla.com/oean/?tFQt=uJMS4n8hnAfXh1eQEpEiAtJtgQ+Goi3J4PdJxqA1a4iBE1ZCLNY3VKBiZQq62bMdHueqr4Es&CTsX=ctxlUjex
http://www.whitehatiq.com/oean/
http://www.noreservationsxpress.com/oean/
http://www.keboate.club/oean/
http://www.spreadaccounts.com/oean/
http://www.whitehatiq.com/oean/?tFQt=KWGdH6HDVOkHecSJWqueEpGu4EnLOQ+fhcKc7xJOVn1RfkZtY0+vTtgZvstCJF/v0hGzsVaB&CTsX=ctxlUjex
http://www.spreadaccounts.com/oean/?tFQt=AVPoclZBn6YUGHdvJG1nvrD0t0OfwKp1UGP/USi75Cd0r/08+bo7uLN+JKd2heq33dw8S6ca&CTsX=ctxlUjex
http://www.noreservationsxpress.com/oean/?tFQt=CvsxKoM60OfQ8fGTXBbpdXnTwCPpEEaCmzHFCHzAWcKTIFnzrwhUNsIxVjQlwFCJZxG1hBBK&CTsX=ctxlUjex
http://www.keboate.club/oean/?tFQt=QSIVnL8FsQ86I9ftObQFTaTfjHXZPmA+lf/i1wqWHQ+DpjJN0tThUQdryDm/gQdAyh4Bi8f2&CTsX=ctxlUjex
http://www.rentapalla.com/oean/
http://www.classifoods.com/oean/
http://www.villacascabel.com/oean/
http://www.classifoods.com/oean/?tFQt=tlpEk5Yc5HGF6dX8xlIEZIOmNCoa9q/DjdEupl7JLSvP8LDGQNEf4EYqcnXPjKH0Da/na0Nh&CTsX=ctxlUjex
http://www.villacascabel.com/oean/?tFQt=y9e/MxDXq6znQynJS/4/YFbhG21L4hlaZJ1Zs6chlC0G5OG4Wqgq2h88dorsMfhQdkUW0v2C&CTsX=ctxlUjex
http://www.304shaughnessygreen.info/oean/?tFQt=d8/ljYFd44S3ZY/csWUnApMkbVV7hvzPIdajggbW2e5rOGYmCrO1nG5hqAHp7fX+BfduudFO&CTsX=ctxlUjex
16
www.rentapalla.com(184.72.229.176)
www.classifoods.com(91.195.241.137)
www.villacascabel.com(34.102.136.180)
www.whitehatiq.com(74.208.236.196)
www.spreadaccounts.com(78.153.213.7)
www.piemontelaw.net()
www.noreservationsxpress.com(91.195.241.137)
www.keboate.club(95.215.210.10)
www.304shaughnessygreen.info(198.54.117.212)
198.54.117.218 - mailcious
78.153.213.7
91.195.241.137 - mailcious
74.208.236.196 - mailcious
34.102.136.180 - mailcious
95.215.210.10 - mailcious
184.72.229.176
|
|
10.2 | M | 26 | ZeroCERT
49175 | 2021-01-27 18:10
regasm.exe 1c542066dfe0b5bf71f31f6fb040bea8 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
1
http://becharnise.ir/fa11/fre.php
2
becharnise.ir(104.237.252.85) - mailcious
104.237.252.85 - mailcious
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
12.4 | M | 15 | ZeroCERT
49176 | 2021-01-27 18:03
omamsa.exe 8e4e60df0ee32e049f04663cc631d739 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
1
http://193.239.147.103/base/ED373B21DE74B174904C90C4F88850ED.html - rule_id: 225
1
193.239.147.103 - mailcious
|
1
http://193.239.147.103/base/
13.6 | M | 8 | ZeroCERT
49177 | 2021-01-27 18:03
IMG-50230.pdf.exe beb09e991a41577e79dfabc58178a44f VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key
3
http://www.lujanlimo.com/zrmt/?CP=Beq8FbisEkqsrqM6klh+Gyi53mF46o1BjhTFQb6w5+5tvHm1/bEpGxsYejS6UpKw+LMqh+Pf&Cb=hN9p3VdH
http://www.wirelesschargerkings.com/zrmt/?CP=acObcxrqEZYNQkbfM0pAtiKzDw/RiaHZTsQqBgt5z62YX7az0UmoTE9uSlE6Z14wouDX7k5U&Cb=hN9p3VdH
https://www.google.com/
7
www.lujanlimo.com(164.88.90.236)
www.khanhvps.design()
www.wirelesschargerkings.com(23.227.38.74)
www.google.com(172.217.31.164)
108.177.125.99
23.227.38.74 - mailcious
164.88.90.236
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
|
10.2 | M | 17 | ZeroCERT
49178 | 2021-01-27 17:58
530340.cls.exe c740bdab4e7f09140d91c235867b5b4f VirusTotal Malware unpack itself RCE
|
|
|
|
2.6 | M | 20 | ZeroCERT
49179 | 2021-01-27 17:56
IMG-50230.pdf.exe beb09e991a41577e79dfabc58178a44f VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key
1
|
2
www.google.com(172.217.31.164)
108.177.97.104
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
10.2 | | 17 | ZeroCERT
49180 | 2021-01-27 17:34
winlog6.exe cf1df9447bb09096f96cc7ff65852e73 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
|
1
zunlen.com(95.181.155.246) - mailcious
|
|
11.2 | M | 38 | ZeroCERT
49181 | 2021-01-27 17:21
winlog4.exe 8fdff316f12069a8982756b946d065f4 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Browser Email ComputerName DNS Software
1
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201
1
wagisz.com(95.181.155.246) - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
12.8 | M | 25 | ZeroCERT
49182 | 2021-01-27 17:21
winlog5.exe 880b987607e4a382fc7e8364a36872ad Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
1
http://becharnise.ir/fa9/fre.php
2
becharnise.ir(104.237.252.85) - mailcious
104.237.252.85 - mailcious
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
12.6 | M | 28 | ZeroCERT
49183 | 2021-01-27 17:16
winlog2.exe 5c0de7259a084a9f9acab766469540ee Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1
http://wendoun.com/zoro/zoro4/fre.php
2
wendoun.com(95.181.155.246)
91.142.90.103 - mailcious
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
11.6 | M | 37 | ZeroCERT
49184 | 2021-01-27 17:16
winlog3.exe 9021643741f28e6a7032d8fe3fcd20f1 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software
1
http://flokii.us/zoro/zoro2/fre.php
2
flokii.us(95.181.155.246)
91.142.90.103 - mailcious
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
10.4 | M | 25 | ZeroCERT
49185 | 2021-01-27 17:09
winlog.exe 73e25f09d4c7e66c2f126f49e47154aa VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed
|
|
|
|
10.2 | M | 23 | ZeroCERT