Zero CERT sandbox listing, entries 49186-49200, submitted 2021-01-22. Each entry is one analysed sample. Field labels are reconstructed from the listing's column layout: Signatures are the sandbox's behavioural signature names; URLs, Hosts, Suricata and URL-rule hits repeat the listing's own counts; Score is the sandbox score; Flag is the listing's one-letter column (M on every entry); VT is the count shown in the listing's VirusTotal column (blank for 49194, which carries no VirusTotal signature). "- malicious" / "- malware" are the listing's own host and IP annotations (spelled "mailcious" in the original); "rule_id" marks a URL matched by the sandbox's URL rules, and the URL-rule hits field lists the matched URLs with query strings stripped.

#49186  2021-01-22 14:27  ZeroCERT
  File:       inst.exe
  MD5:        6226d18273fc74d923183ea7510e595a
  Signatures: VirusTotal, Malware, AutoRuns, PDB, suspicious privilege, ICMP traffic, unpack itself, malicious URLs, Windows, Advertising, crashed
  Hosts (2):  iplogger.org (88.99.66.31)
              88.99.66.31 - malicious
  Score: 8.0   Flag: M   VT: 34

#49187  2021-01-22 14:09  ZeroCERT
  File:       haitianx.scr
  MD5:        c2a516ecaa7cd7627eee19decabbedb6
  Signatures: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, DNS, Cryptographic key, Software, crashed
  URLs (4):   http://193.239.147.103/base/08630725A5CB69811CA785E5021F8027.html - rule_id: 225
              http://193.239.147.103/base/6725254379D95D39B09B9B25FAC379BA.html - rule_id: 225
              http://193.239.147.103/base/D2971E30954D508FBBF087522324E13F.html - rule_id: 225
              http://193.239.147.103/base/A03D8F041FC4B573858ABD98BB1DDE42.html - rule_id: 225
  Hosts (1):  193.239.147.103 - malicious
  URL-rule hits (4): http://193.239.147.103/base/ (listed 4 times)
  Score: 13.8   Flag: M   VT: 15

#49188  2021-01-22 14:09  ZeroCERT
  File:       gfers.exe
  MD5:        f781bbd506e29a57c76c1e647bef90ba
  Signatures: VirusTotal, Malware, unpack itself, RCE, DNS
  Score: 2.8   Flag: M   VT: 25

#49189  2021-01-22 13:50  ZeroCERT
  File:       davincii.scr
  MD5:        8806d043a732233b3f67303b04a9d6ae
  Signatures: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, DNS, Cryptographic key, Software, crashed
  Hosts (1):  193.239.147.103 - malicious
  Score: 15.0   Flag: M   VT: 17

#49190  2021-01-22 13:49  ZeroCERT
  File:       fdwzkmx.rar.exe
  MD5:        4746fbed409f87ec6ddb6653cb4e201c
  Signatures: Malware download, Dridex, TrickBot, VirusTotal, Malware, PDB, MachineGuid, Malicious Traffic, Checks debugger, unpack itself, Collect installed applications, installed browsers check, Kovter, Browser, ComputerName, DNS, crashed
  Hosts (1):  194.225.58.214 - malicious
  Suricata (2): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
                ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
  Score: 6.8   Flag: M   VT: 36

#49191  2021-01-22 10:25  ZeroCERT
  File:       d2.exe
  MD5:        5092bff4eca423c90563e487762966b3
  Signatures: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, DNS, Cryptographic key
  URLs (6):   http://www.thrivezi.com/bw82/
              http://www.cbrealvitalize.com/bw82/ - rule_id: 171
              http://www.healthyfifties.com/bw82/
              http://www.healthyfifties.com/bw82/?EZA0p8=HMhfXgki/fwU+9g//Qf3+P0dwVGdeYMc6HI22Y6bWas+l7LY9GWDX2ofl83vvRcw0wooSWA8&GzuX=BxodbDv
              http://www.cbrealvitalize.com/bw82/?EZA0p8=QMz1n+xx2KiD30AmT9IbdZVffunkwaB1v+iSpZgJgwTVZu6PNQxJOIJjV5QBJp9Es7YbcplQ&GzuX=BxodbDv - rule_id: 171
              http://www.thrivezi.com/bw82/?EZA0p8=3XAKDXBRuf4B6JZ9IcS+nDMUHIb0m9P0UU4GdGE01CbNADkpa+Q1M0I062yKB15gX2NcPG15&GzuX=BxodbDv
  Hosts (12): www.kolamart.com (34.102.136.180) - malicious
              www.cbrealvitalize.com (34.102.136.180) - malicious
              www.mybestaide.com (52.216.18.186) - malicious
              www.fcoins.club (no resolution)
              www.gallerybrows.com (34.102.136.180) - malicious
              www.healthyfifties.com (198.20.125.69)
              www.thrivezi.com (52.201.79.206)
              www.texasdryroof.com (34.102.136.180) - malicious
              52.217.84.67
              34.102.136.180 - malicious
              52.201.79.206
              198.20.125.69
  URL-rule hits (2): http://www.cbrealvitalize.com/bw82/ (listed 2 times)
  Score: 10.6   Flag: M   VT: 23

#49192  2021-01-22 10:24  ZeroCERT
  File:       d1.exe
  MD5:        7cc23aa86ee79dc1e11a395e85096ec3
  Signatures: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, Cryptographic key
  URLs (7):   http://www.healthyfifties.com/bw82/
              http://www.rizrvd.com/bw82/?GFND=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Rlj=XVIXx4yx - rule_id: 170
              http://www.rizrvd.com/bw82/?GFND=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Rlj=XVIXx4yx
              http://www.healthyfifties.com/bw82/?GFND=HMhfXgki/fwU+9g//Qf3+P0dwVGdeYMc6HI22Y6bWas+l7LY9GWDX2ofl83vvRcw0wooSWA8&Rlj=XVIXx4yx
              http://www.engageautism.info/bw82/?GFND=n1L9MQk4QDNxb7EvfxU4KXziLGivOllQbN1QPcwD8xjBZtBLcQYTGxkchzBYP8u5N9Eeup4x&Rlj=XVIXx4yx
              http://www.engageautism.info/bw82/
              http://www.rizrvd.com/bw82/ - rule_id: 170
  Hosts (12): www.openspiers.com (no resolution)
              www.healthyfifties.com (198.20.125.69)
              www.rizrvd.com (34.102.136.180) - malicious
              www.mybestaide.com (52.217.40.219) - malicious
              www.fcoins.club (no resolution)
              www.xn--avenr-wsa.com (34.102.136.180) - malicious
              www.engageautism.info (34.102.136.180)
              www.magiclabs.media (198.49.23.144) - malicious
              52.216.81.74
              198.20.125.69
              198.185.159.144 - malicious
              34.102.136.180 - malicious
  URL-rule hits (2): http://www.rizrvd.com/bw82/ (listed 2 times)
  Score: 11.0   Flag: M   VT: 21

#49193  2021-01-22 10:18  ZeroCERT
  File:       CL4G.dll
  MD5:        3e1249e4d0b0b61d493da93139b9f3a4
  Signatures: VirusTotal, Malware
  Score: 1.4   Flag: M   VT: 50

#49194  2021-01-22 10:18  ZeroCERT
  File:       5555555555_2.jpg.exe
  MD5:        42574d38cc2760ec1e2ed9beb234567b
  Signatures: (none)
  Score: 0.2   Flag: M   VT: (blank)

#49195  2021-01-22 10:13  ZeroCERT
  File:       zbf8jiX.exe
  MD5:        3b6e27d8d7051194ba8dd6fd3a299f95
  Signatures: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, malicious URLs, WriteConsoleW, IP Check, Windows, ComputerName
  URLs (1):   (not shown in the listing)
  Hosts (2):  ip-api.com (208.95.112.1)
              208.95.112.1
  Suricata (1): ET POLICY External IP Lookup ip-api.com
  Score: 13.0   Flag: M   VT: 45

#49196  2021-01-22 10:09  ZeroCERT
  File:       5555555555.jpg.exe
  MD5:        c1a0cf6c95370e2bb4e3d7b8353d883e
  Signatures: VirusTotal, Malware
  Score: 1.4   Flag: M   VT: 41

#49197  2021-01-22 09:31  ZeroCERT
  File:       winlog4.exe
  MD5:        ac98cc8a1ff04aa8ae259ab9436a1fa7
  Signatures: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
  URLs (1):   http://papanwa.com/zoro/zoro5/fre.php
  Hosts (2):  papanwa.com (89.235.184.237) - malicious
              89.235.184.237
  Suricata (7): ET MALWARE LokiBot User-Agent (Charon/Inferno)
                ET MALWARE LokiBot Checkin
                ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
                ET MALWARE LokiBot Request for C2 Commands Detected M1
                ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
                ET MALWARE LokiBot Request for C2 Commands Detected M2
                ET MALWARE LokiBot Fake 404 Response
  Score: 10.2   Flag: M   VT: 34

#49198  2021-01-22 09:31  ZeroCERT
  File:       winlog3.exe
  MD5:        f9d11b84c36b4ef4af4f24aae95f9fb5
  Signatures: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, Software
  URLs (1):   http://papanwa.com/zoro/zoro4/fre.php
  Hosts (2):  papanwa.com (89.235.184.237) - malicious
              89.235.184.237
  Suricata (7): ET MALWARE LokiBot User-Agent (Charon/Inferno)
                ET MALWARE LokiBot Checkin
                ET MALWARE LokiBot Request for C2 Commands Detected M1
                ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
                ET MALWARE LokiBot Request for C2 Commands Detected M2
                ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
                ET MALWARE LokiBot Fake 404 Response
  Score: 9.2   Flag: M   VT: 32

#49199  2021-01-22 00:30  ZeroCERT
  File:       winlog2.exe
  MD5:        f69047c67c621e68c5b21d46fa60a629
  Signatures: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, Windows utilities, malicious URLs, Windows, DNS
  URLs (12):  http://www.cdxxcenter.com/eaud/?yVMpQN-P=PrMgcOi1C+xZ30CWD0gc9ulMZW33lnSah2vPZyD0kOIVO7Z9yyRLeacl5RaDqYuDJhZjlHXn&1bz=o8rLp
              http://www.aylinahmet.com/eaud/?yVMpQN-P=dkGNOulwVjv8zgSWjgNToxTq8jv0eBwRjmPU0sHeGsnyZG8Azfs8cGv+uVQVVqh/rgDmjPZQ&1bz=o8rLp
              http://www.wayupteam.com/eaud/
              http://www.wayupteam.com/eaud/?yVMpQN-P=PzB82rHCp8FP3i2tjPH9Da/CMy1ak9u45Pqnc//l8Tlr+8C8+l65GQ0dZUw1huaMyarbmhv5&1bz=o8rLp
              http://www.shopboxbarcelona.com/eaud/
              http://www.shopboxbarcelona.com/eaud/?yVMpQN-P=k4wX6qLWkZ62JBj00Ey9dmmYuTmZckCKLx/WbK6+kj69szauJdIs1jgWs5keczVrrNGRPH0u&1bz=o8rLp
              http://www.cdxxcenter.com/eaud/
              http://www.youraircases.com/eaud/
              http://www.syndicatesportspicks.com/eaud/
              http://www.youraircases.com/eaud/?yVMpQN-P=3dcguFfnHEPsckgmkKw+Exgc9MSut+i0q6e3fvJncsgRJabIu/5IpnTx9jl+SdMjs2aFOQWK&1bz=o8rLp
              http://www.syndicatesportspicks.com/eaud/?yVMpQN-P=TmaymnuzZVPHOLNQbQufSSrBpb16xYpQ84upgGoVWbi1NWDOfZ/3bdXsGprkvtXhR7uMmkQF&1bz=o8rLp
              http://www.aylinahmet.com/eaud/
  Hosts (17): www.aylinahmet.com (155.159.249.22)
              www.pencueaidnetwork.com (no resolution)
              www.learnhour.net (no resolution) - malicious
              www.ndblife.com (34.102.136.180) - malicious
              www.wayupteam.com (50.31.188.183)
              www.shopboxbarcelona.com (217.160.0.94)
              www.syndicatesportspicks.com (34.102.136.180)
              www.cdxxcenter.com (34.102.136.180)
              www.yesmywigs.com (66.23.236.66) - malicious
              www.tolentinestore.com (no resolution)
              www.youraircases.com (182.50.132.242)
              155.159.249.22
              34.102.136.180 - malicious
              66.23.236.66 - malicious
              50.31.188.183
              217.160.0.94 - malware
              182.50.132.242 - malicious
  Score: 13.0   Flag: M   VT: 23

#49200  2021-01-22 00:29  ZeroCERT
  File:       winlog.exe
  MD5:        3a9e68325d16c69df66db1b81f666601
  Signatures: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, malicious URLs, DNS
  URLs (8):   http://www.esteemquantum.life/oean/?xVMtBJhH=uMheGNtLG83DWb8+pJnijuSPYVQmK9z4N72e0RaWrMXJhQwFShq8v5/IEF769tewOnJp9UL0&1bw=L6Adp678CV6lYt-p
              http://www.freshmarketfood.com/oean/
              http://www.pickmeagift.com/oean/
              http://www.esteemquantum.life/oean/
              http://www.pickmeagift.com/oean/?xVMtBJhH=aW6dKdfNC0TaLCWk0cRKJvncxteqGHOu8KfgGkm+b/r8i9Fy2o3V6crNDDcDvNd+xgLUiAmx&1bw=L6Adp678CV6lYt-p
              http://www.biomig.net/oean/?xVMtBJhH=XgOOq6QvXYd3S2LwFPp7s1bJKMN7SvZCJ+ljzv9K68iz1Bzd2f3uX4ix7LPeYUhOuWXD9LqF&1bw=L6Adp678CV6lYt-p
              http://www.biomig.net/oean/
              http://www.freshmarketfood.com/oean/?xVMtBJhH=3T7LywsMgbRZsCqbDcaOpJcYrA1mIhtx4MuIxdOp/UIFVoYkxO76/uhqn4t2hcXy5gypmA3V&1bw=L6Adp678CV6lYt-p
  Hosts (13): www.neonatalfeedrates.com (no resolution)
              www.esteemquantum.life (13.113.246.118)
              www.chefericcatering.com (23.227.38.74) - malicious
              www.pickmeagift.com (34.102.136.180)
              www.freshmarketfood.com (154.216.110.171)
              www.ddmns6tzey2d.com (no resolution)
              www.actusdumoment.com (no resolution)
              www.biomig.net (213.186.33.5)
              13.113.246.118
              34.102.136.180 - malicious
              213.186.33.5 - malicious
              154.216.110.171
              23.227.38.74 - malicious
  Suricata (2): ET INFO Observed DNS Query to .life TLD
                ET INFO HTTP Request to Suspicious *.life Domain
  Score: 9.4   Flag: M   VT: 13
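The listing is a flat export, so the two things an analyst actually wants from it (which samples talk to the same infrastructure, and which parameterised check-in URLs collapse to the same path) require parsing its Host and URL columns. The following is an added example and not code from the sandbox or from this page: the LISTING strings are copied from the Host and URL columns of entries 49191, 49192, 49199 and 49200 exactly as the listing prints them (the URL column of 49192 is abbreviated to three of its seven entries); the function names, the regular expressions and the normalisation of the listing's "mailcious" tag to "malicious" are my own choices.

```python
"""Parse a Zero CERT-style sandbox listing's Host and URL columns into IOCs and
pivot on shared infrastructure.  Added example; LISTING is copied from the
entries above (ids 49191, 49192, 49199, 49200), not generated by the sandbox."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed input: the Host / URL columns exactly as the listing prints them.
LISTING = {
    "49191": {
        "hosts": "www.kolamart.com(34.102.136.180) - mailcious www.cbrealvitalize.com(34.102.136.180) - mailcious www.mybestaide.com(52.216.18.186) - mailcious www.fcoins.club() www.gallerybrows.com(34.102.136.180) - mailcious www.healthyfifties.com(198.20.125.69) www.thrivezi.com(52.201.79.206) www.texasdryroof.com(34.102.136.180) - mailcious 52.217.84.67 34.102.136.180 - mailcious 52.201.79.206 198.20.125.69",
        "urls": "http://www.thrivezi.com/bw82/ http://www.cbrealvitalize.com/bw82/ - rule_id: 171 http://www.healthyfifties.com/bw82/ http://www.healthyfifties.com/bw82/?EZA0p8=HMhfXgki/fwU+9g//Qf3+P0dwVGdeYMc6HI22Y6bWas+l7LY9GWDX2ofl83vvRcw0wooSWA8&GzuX=BxodbDv http://www.cbrealvitalize.com/bw82/?EZA0p8=QMz1n+xx2KiD30AmT9IbdZVffunkwaB1v+iSpZgJgwTVZu6PNQxJOIJjV5QBJp9Es7YbcplQ&GzuX=BxodbDv - rule_id: 171 http://www.thrivezi.com/bw82/?EZA0p8=3XAKDXBRuf4B6JZ9IcS+nDMUHIb0m9P0UU4GdGE01CbNADkpa+Q1M0I062yKB15gX2NcPG15&GzuX=BxodbDv",
    },
    "49192": {
        "hosts": "www.openspiers.com() www.healthyfifties.com(198.20.125.69) www.rizrvd.com(34.102.136.180) - mailcious www.mybestaide.com(52.217.40.219) - mailcious www.fcoins.club() www.xn--avenr-wsa.com(34.102.136.180) - mailcious www.engageautism.info(34.102.136.180) www.magiclabs.media(198.49.23.144) - mailcious 52.216.81.74 198.20.125.69 198.185.159.144 - mailcious 34.102.136.180 - mailcious",
        # abbreviated: three of the seven URLs the listing shows for this entry
        "urls": "http://www.healthyfifties.com/bw82/ http://www.rizrvd.com/bw82/?GFND=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&Rlj=XVIXx4yx - rule_id: 170 http://www.rizrvd.com/bw82/ - rule_id: 170",
    },
    "49199": {
        "hosts": "www.aylinahmet.com(155.159.249.22) www.pencueaidnetwork.com() www.learnhour.net() - mailcious www.ndblife.com(34.102.136.180) - mailcious www.wayupteam.com(50.31.188.183) www.shopboxbarcelona.com(217.160.0.94) www.syndicatesportspicks.com(34.102.136.180) www.cdxxcenter.com(34.102.136.180) www.yesmywigs.com(66.23.236.66) - mailcious www.tolentinestore.com() www.youraircases.com(182.50.132.242) 155.159.249.22 34.102.136.180 - mailcious 66.23.236.66 - mailcious 50.31.188.183 217.160.0.94 - malware 182.50.132.242 - mailcious",
    },
    "49200": {
        "hosts": "www.neonatalfeedrates.com() www.esteemquantum.life(13.113.246.118) www.chefericcatering.com(23.227.38.74) - mailcious www.pickmeagift.com(34.102.136.180) www.freshmarketfood.com(154.216.110.171) www.ddmns6tzey2d.com() www.actusdumoment.com() www.biomig.net(213.186.33.5) 13.113.246.118 34.102.136.180 - mailcious 213.186.33.5 - mailcious 154.216.110.171 23.227.38.74 - mailcious",
    },
}

# A host token is either "name(resolved-ip-or-empty)" or a bare IPv4 address,
# optionally followed by the listing's " - mailcious" / " - malware" annotation.
HOST_RE = re.compile(
    r"(?P<name>[\w.\-]+)\((?P<resolved>\d{1,3}(?:\.\d{1,3}){3})?\)"
    r"(?:\s+-\s+(?P<tag1>mailcious|malicious|malware))?"
    r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+-\s+(?P<tag2>mailcious|malicious|malware))?"
)
# A URL token is optionally followed by " - rule_id: N" (a sandbox URL-rule hit).
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")


def parse_hosts(column):
    """One dict per host token: name (domain or None), ip (or None), tag (or None)."""
    out = []
    for m in HOST_RE.finditer(column):
        tag = m.group("tag1") or m.group("tag2")
        if tag == "mailcious":  # the listing's spelling of "malicious"
            tag = "malicious"
        if m.group("name"):
            out.append({"name": m.group("name"), "ip": m.group("resolved"), "tag": tag})
        else:
            out.append({"name": None, "ip": m.group("ip"), "tag": tag})
    return out


def parse_urls(column):
    """(url, rule_id-or-None) pairs in listing order."""
    return [(m.group("url"), m.group("rule")) for m in URL_RE.finditer(column)]


def normalize_url(url):
    """Drop query and fragment so per-victim check-in URLs collapse to one path."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, "", ""))


def iocs_for(cols):
    """Deduplicated IOC sets for one listing entry (its Host/URL column dict)."""
    hosts = parse_hosts(cols["hosts"])
    urls = parse_urls(cols.get("urls", ""))
    return {
        "domains": sorted({h["name"] for h in hosts if h["name"]}),
        "ips": sorted({h["ip"] for h in hosts if h["ip"]}),
        "flagged": sorted({h["name"] or h["ip"] for h in hosts if h["tag"]}),
        "url_paths": sorted({normalize_url(u) for u, _ in urls}),
        "rule_hits": sorted({(normalize_url(u), r) for u, r in urls if r}),
    }


def shared_ips(listing=LISTING):
    """IP -> set of entry ids that contacted it, for IPs seen in more than one entry."""
    seen = defaultdict(set)
    for sid, cols in listing.items():
        for ip in iocs_for(cols)["ips"]:
            seen[ip].add(sid)
    return {ip: sids for ip, sids in seen.items() if len(sids) > 1}


if __name__ == "__main__":
    for sid, cols in LISTING.items():
        i = iocs_for(cols)
        print(sid, len(i["domains"]), "domains,", len(i["ips"]), "ips, rule hits:", i["rule_hits"])
    for ip, sids in sorted(shared_ips().items()):
        print("shared infrastructure:", ip, sorted(sids))
```

Run as-is it reports that 34.102.136.180 is contacted by all four entries and 198.20.125.69 by two of them; the unresolved domains (empty parentheses) are kept as domain IOCs but contribute no IP, and the "flagged" set separates what the listing itself annotated from the rest of the contacted hosts, which is the distinction to preserve when feeding these into a blocklist.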