49201 | 2021-01-22 00:21
win32.exe 1931f5b75ae8d9c14ec61cdd53e70f21 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs DNS
URLs (22):
http://www.bickel.wtf/incn/?GVTD=RGE/cWUJuc7tcSqTAP+gX/nnKrq7afk6KP8dfym4YezssBE+jvWHjf7t1SEWyTMXjEqr1dSZ&a48=tXIxBnQhDP3L
http://www.180wea.com/incn/
http://www.sentire.design/incn/
http://www.maisonscoeurdepivoine.com/incn/
http://www.therandstadride.com/incn/?GVTD=8wX1QV1qWYl49rszJeTzbck9pXYYKDC67oRhcTB41onpIWQqFJPPZVIT+MJhrfKw4Dtyr3ZM&a48=tXIxBnQhDP3L
http://www.therandstadride.com/incn/
http://www.meritane.com/incn/?GVTD=Nc+BD9vs4+e4cECzWuWcLeKFWqdEC9nRQaTZZf49Ggwzlob125o+HeI1QO0cpRtIrhtUCGr3&a48=tXIxBnQhDP3L
http://www.kaiyuansu.pro/incn/?GVTD=4y+UTKzHU4A6kuvXaYS74WaP+qCjnKVRzK/jF/x906cXBmLcUo8gxlVC8dbx5AF+KUuFRXVs&a48=tXIxBnQhDP3L
http://www.enlightenedhealthcoaching.com/incn/
http://www.meritane.com/incn/
http://www.americanmarketedge.com/incn/?GVTD=pEuRuOfh0RPfl+oiP7k0h24+ZbJdO6NkpJaEurquBhTH7uFTgd2KPm6WV+g8bO15oKR+AHxs&a48=tXIxBnQhDP3L
http://www.maisonscoeurdepivoine.com/incn/?GVTD=fpp5tzsDVw/boHH54xFz2lHuIJXrIy+MvJer49wUQ5nc5MDVdJwShsfT7qJbFiH8F+zIzFgI&a48=tXIxBnQhDP3L
http://www.cathygass.com/incn/
http://www.kaiyuansu.pro/incn/
http://www.somright.com/incn/
http://www.bickel.wtf/incn/
http://www.cathygass.com/incn/?GVTD=V5Re+WzC2sGOxtPxWLRbc/hMewIuQBUuTdSbLO4SRNAW8zvmFoXi5zGaY5LI3OIdHMscm6dB&a48=tXIxBnQhDP3L
http://www.180wea.com/incn/?GVTD=Sz3dszz1KVNc+BCS0cIR8dLOlzhJ3GRpiIaxFKw9EG065ZkIMAMyYd3MWGhyRr/sd99EsGlH&a48=tXIxBnQhDP3L
http://www.sentire.design/incn/?GVTD=5ltUxrtqtF8SsvUdywSBkwhwumkFdmMXQM+4K6mrQNNQqM/0ADGIG9+v1h3p90Hn+Oe+pBf8&a48=tXIxBnQhDP3L
http://www.enlightenedhealthcoaching.com/incn/?GVTD=POIZWkDj692E5dmcoJxHrl96tfitCI2EQH3I4lOKciTKVqVppac3P3ErgzEtcXkQplKPzCNh&a48=tXIxBnQhDP3L
http://www.americanmarketedge.com/incn/
http://www.somright.com/incn/?GVTD=7K3NAYrZE3cIvfbo6b4PZi12r/NG2k7uK0KaMfF8yQll7TEeAOn7HJqDdgdEMXlclzCf6XwD&a48=tXIxBnQhDP3L
Hosts (24):
www.enlightenedhealthcoaching.com(34.80.190.141)
www.potlucks.net(91.195.241.137) - mailcious
www.maisonscoeurdepivoine.com(91.121.39.102)
www.bickel.wtf(44.227.76.166)
www.180wea.com(154.204.174.86)
www.kaiyuansu.pro(34.102.136.180)
www.cathygass.com(198.185.159.144)
www.sentire.design(198.185.159.145)
www.americanmarketedge.com(3.137.48.156)
www.somright.com(62.60.250.5)
www.meritane.com(34.102.136.180)
www.therandstadride.com(35.171.196.117)
www.khocam.com()
44.227.76.166 - mailcious
62.60.250.5
91.121.39.102
35.171.196.117
3.140.151.209 - mailcious
154.204.174.86
34.102.136.180 - mailcious
34.80.190.141 - mailcious
91.195.241.137 - mailcious
198.185.159.145 - mailcious
198.185.159.144 - mailcious
10.2 | M | 24 | ZeroCERT

49202 | 2021-01-22 00:21
vbc3.exe e09c5be82b79d79dc377271d67f92a89 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1):
http://papanwa.com/chief/offor/fre.php
Hosts (2):
papanwa.com(89.235.184.237)
185.252.147.215
Alerts (7):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
13.2 | M | 27 | ZeroCERT

49203 | 2021-01-22 00:10
vbc.exe e9ccfae9cb025410406a12538137c69f VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities AppData folder malicious URLs Windows
URLs (4):
http://www.vulcanudachi-proclub.com/eaud/?-Zu8_b3=0gUbOA7tMjRSIgsT4fVDJFMoLXaZpJXDHRG+cBYqA+jofG8O+HCMFeRJJZ4a+W5/c9Karx9b&CxoHs=2djDG
http://www.glz-cc.com/eaud/
http://www.glz-cc.com/eaud/?-Zu8_b3=Vm47xG0o1uJn0Ra0RXkLMOtvIic+pdia61rKwK4dBl+1Xhm18UA1axsctX2EX35jb9biJ3GQ&CxoHs=2djDG
http://www.vulcanudachi-proclub.com/eaud/
Hosts (16):
www.dajiankang.love()
www.sulpher.network()
www.mersinsimsek.com(104.21.32.198)
www.mettyapp.com(34.102.136.180) - mailcious
www.guorunme.com(156.224.53.101) - mailcious
www.glz-cc.com(84.16.73.17)
www.realestatejewel.com()
www.vulcanudachi-proclub.com(172.67.169.202)
www.lebaronfuneraire.com(217.70.184.50) - mailcious
www.bosman-smm.online()
156.224.53.101 - mailcious
34.102.136.180 - mailcious
217.70.184.50 - mailcious
104.21.32.198
104.21.27.226
84.16.73.17
13.0 | M | 38 | ZeroCERT

49204 | 2021-01-22 00:09
vbc2.exe 0705cb1278a79218eec9badca52ab8b3 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
http://okpana.com/chief/har/fre.php
Hosts (2):
okpana.com(185.22.153.203) - mailcious
185.22.153.203
Alerts (4):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
13.2 | M | 20 | ZeroCERT

49205 | 2021-01-22 00:05
TaAgente.exe 4cb563bf89a0407ba573f86a2f2a2030 VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows Cryptographic key
Hosts (2):
apps.saintsoporte.com(162.248.54.77) - malware
162.248.54.77 - malware
Alerts (3):
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
SURICATA Applayer Detect protocol only one direction
4.8 | M | 26 | ZeroCERT

49206 | 2021-01-22 00:02
svchost.exe 5aeb0da76f99119932bf52c3eb8b0767 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs
URLs (28):
http://www.inreachpt.com/gqx2/?jPg8=9/BKDbjRUTLHiCAkv4UrkvSCkC6DC2Rftex5RF517dla63TUfiGzTWKrNUH/ld7HE/txj1Uk&0rn=WHrpcFC0d
http://www.enlightenedsoil.com/gqx2/?jPg8=cjip6uuPgbETVH3T8V+JPH7D0kYGWUsT6+5UMJSQ9+x3pL2tU/1BL2dojhljSS+Qzet3utIR&0rn=WHrpcFC0d
http://www.thefanexam.com/gqx2/?jPg8=HrF3TVmG/JjI1PnvTLIIYpmn2zTORZwa7SZzfRngC4AhxnWytwZOrvMCggULKagFWCKc0ybP&0rn=WHrpcFC0d
http://www.beepybox.online/gqx2/?jPg8=yCE81FN5kJDvf69H1zCHl1SnIq+u0HMqx0bFiExBcMqvSlXqSPdOcc4J90HIKOaEDs5PHmMh&0rn=WHrpcFC0d
http://www.libraspeed.com/gqx2/?jPg8=6qqHzrP8Ew0N3qBcvLoa2iiZ2tjwRqllt0EEYSmVAScoxFQXiXz7/LqOYXVLNW/f4soD4emN&0rn=WHrpcFC0d
http://www.com-cancel-payment-id655.com/gqx2/
http://www.thefanexam.com/gqx2/
http://www.com-cancel-payment-id655.com/gqx2/?jPg8=hzhb46uYekxeSjynDSvHSBZ+WScKj86Lzekpz01nr5Rqx8ccLecn3Up/ez6Dfz0AhJ7oHM6Z&0rn=WHrpcFC0d
http://www.ohiotechreport.com/gqx2/
http://www.tu4343.com/gqx2/?jPg8=c0uTa4Ry3vesai6lXTSfINFQpRrMtH1K87WBIlrG0XAtnO8wLGbiahB/6B1lfYrqembCPOk5&0rn=WHrpcFC0d
http://www.tu4343.com/gqx2/
http://www.beepybox.online/gqx2/
http://www.shuhan.design/gqx2/?jPg8=+3QoYFPD3RQeYLjAYFhuJ6Cz2rhEMAU1T5a3j4/+hda+nWQNJZmKako0P2ib9ZGD25UQvPrc&0rn=WHrpcFC0d
http://www.starlinkwebservices.com/gqx2/
http://www.enlightenedsoil.com/gqx2/
http://www.5200853.com/gqx2/
http://www.bonus189.space/gqx2/?jPg8=5R1gPD5AcirPvdqxX3OEjI5TkTWkghjMkZYg470HlnfMN6fJZonrVNztkTKmxtrm7HwX4kWu&0rn=WHrpcFC0d
http://www.shuhan.design/gqx2/
http://www.zhjiaxiang.com/gqx2/?jPg8=WYs2CJQaHu7VDjmvT8HY/uenJ8IAuXAtr5EFzbfELRegL/XO6LMGY4Hpvd4bWrO2XC6qj4kB&0rn=WHrpcFC0d
http://www.teacher-retirement-info.info/gqx2/?jPg8=OXVidlqG6XkfBKSTfRTYNsCHZ7Lzo3O37PQdrKyHFgPzio9FREHRskcmwWepUtod5GjdUGTA&0rn=WHrpcFC0d
http://www.bonus189.space/gqx2/
http://www.zhjiaxiang.com/gqx2/
http://www.starlinkwebservices.com/gqx2/?jPg8=1oLdWJEa6RMPILHmU3RMDTTKV/8OlgAWvoSufNbfYqrB9zEOlffSJnN5c7l9eL53m4HAxa1z&0rn=WHrpcFC0d
http://www.5200853.com/gqx2/?jPg8=D7HYjwmfjk7r2Ukao5V0C9NhbEdLEQDWgNm8jPt18Yf6jGPHPId8fj6QgnBzS3/GDME8Xiko&0rn=WHrpcFC0d
http://www.inreachpt.com/gqx2/
http://www.teacher-retirement-info.info/gqx2/
http://www.libraspeed.com/gqx2/
http://www.ohiotechreport.com/gqx2/?jPg8=IPC5rKMb5U2wGfsfh3591N/FvVXjYSZNx84XlhlRnNK1DZcHs5M0z52hyAuoszkEQc4vvPuF&0rn=WHrpcFC0d
Hosts (26):
www.kimscraftyresale.com()
www.shuhan.design(192.185.35.76)
www.tu4343.com(154.202.142.207)
www.com-cancel-payment-id655.com(47.254.175.19)
www.inreachpt.com(34.102.136.180)
www.beepybox.online(64.98.145.30)
www.bonus189.space(87.236.16.223)
www.enlightenedsoil.com(34.80.190.141)
www.thefanexam.com(13.35.101.98)
www.5200853.com(198.200.62.230)
www.libraspeed.com(3.137.48.156)
www.ohiotechreport.com(34.102.136.180)
www.starlinkwebservices.com(34.102.136.180)
www.teacher-retirement-info.info(34.102.136.180)
www.zhjiaxiang.com(156.254.253.78)
64.98.145.30 - mailcious
47.254.175.19 - phishing
154.202.142.207
99.84.233.196
3.140.151.209
34.102.136.180 - mailcious
192.185.35.76
198.200.62.230
34.80.190.141 - mailcious
87.236.16.223
156.254.253.78
9.8 | M | 31 | ZeroCERT

49207 | 2021-01-22 00:00
obo.exe 1965c283581daeb2fc16e26de73839aa VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed
10.4 | M | 31 | ZeroCERT

49208 | 2021-01-21 23:55
9EGOH1YVZN.doc d955a8e1fdaa16e64dbe51f6ce642939 Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1):
http://12.175.220.98/xybw7y1jgb4yy/k4kco3n35edfkaud61s/p1aadoondllo/nl53y4wf5dczdhgf/ - rule_id: 220
Hosts (3):
trendmoversdubai.com(162.220.163.44) - malware
12.175.220.98 - mailcious
162.220.163.44 - malware
Alerts (3):
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
1 |
5.2 | M | 22 | ZeroCERT

49209 | 2021-01-21 23:53
yWL7cRcL.dll db6b1b751143235793c97e2060753b03 VirusTotal Malware
1.4 | M | 45 | ZeroCERT

49210 | 2021-01-21 23:18
VN0UBI.doc f478137e6d85859bc62b73a9bd3a1e98 Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1):
http://12.175.220.98/qyj1kbqipj/ - rule_id: 220
Hosts (3):
trendmoversdubai.com(162.220.163.44) - malware
12.175.220.98 - mailcious
162.220.163.44 - malware
Alerts (3):
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
1 |
5.2 | M | 21 | ZeroCERT

49211 | 2021-01-21 23:17
Y33RPKU5M4WHOHFC.doc 7836472c87f92110ca1826ee3c1f813f Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1):
http://12.175.220.98/2jgohnydjwphp/5bg2j33u3tqmsr1/7kfslol/fkkkc1i/sa8wc5xkdz2b74/q46dyyubwtfj2u2t6/ - rule_id: 220
Hosts (3):
trendmoversdubai.com(162.220.163.44) - malware
12.175.220.98 - mailcious
162.220.163.44 - malware
Alerts (3):
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
1 |
5.2 | M | 22 | ZeroCERT

49212 | 2021-01-21 22:40
rLTjQ3s2GkCn.dll 782f98c00905f1b80f0dfc6dc287cd6e VirusTotal Malware
1.4 | M | 47 | ZeroCERT

49213 | 2021-01-21 22:40
raeigb8.rar.exe 4b0e1750691b96e97f20da52f7d7032c VirusTotal Malware PDB unpack itself
2.0 | M | 11 | ZeroCERT

49214 | 2021-01-21 21:25
picture.png.exe 9b91667fa9c2e2a6bd1db04ca36558bb Dridex TrickBot Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Kovter Windows ComputerName RCE DNS crashed
URLs (1):
https://85.204.116.83/mor1/TEST22-PC_W617601.053BFB3DD930433A45DFFD9FB3DEF5FD/5/kps/
Hosts (7):
mswvdOianirMyzFeSSntzoSkLaMEL.mswvdOianirMyzFeSSntzoSkLaMEL()
216.128.130.16
207.246.92.48
172.105.107.25
139.162.182.54
85.204.116.83
113.160.129.15
Alerts (1):
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
14.0 | | | ZeroCERT

49215 | 2021-01-21 21:22
oosAm1N4UOgKvVubJ.dll 782f98c00905f1b80f0dfc6dc287cd6e VirusTotal Malware
1.2 | M | 31 | ZeroCERT