49831 | 2020-12-16 16:17 | 1312.gif.2.exe d41d8cd98f00b204e9800998ecf8427e | 0.4 | ZeroCERT

49832 | 2020-12-16 12:50 | http://54.169.255.180/.cache/A... ff1f1a2332f563aebf955780642344f1 | Dridex VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed | 5.0 | 13 | ZeroCERT
  URLs (1):
    http://54.169.255.180/.cache/AP.exe
  Hosts (1):
  Signatures (6):
    ET INFO Executable Download from dotted-quad Host
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

49833 | 2020-12-16 12:23 | 1SystemWindows.exe d100a087bc378ea7fb3afc39bc164984 | VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS | 3.8 | M | 39 | ZeroCERT
  URLs (4):
    http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1608088546&mv=u&mvi=7&pcm2cms=yes&pl=18&shardbypass=yes
    http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2?cup2key=10:785814653&cup2hreq=d24eedb90b0e27ebe0b6054a63c6cfca8e31297d6eb8148ac15b766c4c760631
    https://update.googleapis.com/service/update2
  Hosts (2):
    r7---sn-3u-bh2lz.gvt1.com(59.18.45.210)
    59.18.45.210
  Signatures (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

49834 | 2020-12-16 12:23 | 1312.gif.1.exe b2a9a4e1656bdb5749de4f228dc9f307 | VirusTotal Malware | 1.8 | M | 41 | ZeroCERT

49835 | 2020-12-16 11:06 | XokBnqWMZ4B9pbd.exe e9dbec32351a5bd0a3f94b8314e4d958 | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software | 17.6 | M | 43 | ZeroCERT
  Hosts (1):
    185.239.242.219 - mailcious

49836 | 2020-12-16 10:37 | win32.exe f4fccdb6286107ca3592406e356a6b5e | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Software | 15.0 | M | 38 | ZeroCERT
  URLs (1):
    http://begadi.ga/clue/gate.php - rule_id: 158
  Hosts (2):
    begadi.ga(176.118.165.175) - mailcious
    176.118.165.175
  Signatures (10):
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Malicious URLs (1):
    http://begadi.ga/clue/gate.php

49837 | 2020-12-16 10:37 | vbc.exe ebc762f4d1d6557fcfb73fc7eb1d5b7a | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software | 14.2 | M | 46 | ZeroCERT
  URLs (1):
    http://benweve.com/clock/five/fre.php - rule_id: 153
  Hosts (2):
    benweve.com(95.213.224.89) - mailcious
    95.213.224.89 - mailcious
  Signatures (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Malicious URLs (1):
    http://benweve.com/clock/five/fre.php

49838 | 2020-12-16 09:55 | Speeder_1.0.0.3_qd13.exe a6d2cae21d592a602211a854dc4dc91a | VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Tofsee Browser ComputerName DNS | 10.6 | M | 13 | ZeroCERT
  URLs (45):
    http://speedup.jiezhansifang.com/openapi/speedup/v1/getGameList.do?channelId=13
    http://client.jiezhansifang.com/uploadRecord?channelId=13&localMac=94-DE-27-8C-32-74&timestamp=20201216142854
    http://resource-speedup.jiezhansifang.com/speedup/images/game/images/52c64bea221d0ee934ffe01795d39d4a.jpg
    http://resource-speedup.jiezhansifang.com/speedup/images/game/pubg.jpg
    http://resource-speedup.jiezhansifang.com/speedup/images/ad/ad-4.png
    https://client-revision.jiezhansifang.com/modules/constant/config_5cd1dcc.js
    https://client-revision.jiezhansifang.com/resource/images/layout_mask_98ae434.png
    https://client-revision.jiezhansifang.com/jzsf/oemJzAppKey.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546335
    https://client-revision.jiezhansifang.com/jzsf/oemJzAppKey.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546332
    https://client-revision.jiezhansifang.com/modules/util/wxLogin_feabe64.js
    https://client-revision.jiezhansifang.com/modules/util/helper_31ef72e.js
    https://res.wx.qq.com/connect/zh_CN/htmledition/js/jquery.min3696b4.js
    https://client-revision.jiezhansifang.com/modules/app/index_c47f623.js
    https://hm.baidu.com/hm.js?8603659db96c7aa11111e7d2cf361c4e
    https://client-revision.jiezhansifang.com/modules/util/disableScale_ad56695.js
    https://client-revision.jiezhansifang.com/resource/js/conf/mod-conf_c04f440.js
    https://client-revision.jiezhansifang.com/resource/css/qrcode.css
    https://client-revision.jiezhansifang.com/resource/css/client_z.png
    https://client-revision.jiezhansifang.com/modules/pkg/conf_db4e6ed.js
    https://client-revision.jiezhansifang.com/modules/pkg/coms_950264e.js
    https://client-revision.jiezhansifang.com/resource/js/modjs/1.0.13/mod_0f4920e.js
    https://client-revision.jiezhansifang.com/authInfo?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&reqId=1608096546331
    https://open.weixin.qq.com/connect/qrconnect?appid=wxaaa8da95fe65628e&scope=snsapi_login&redirect_uri=https%3A%2F%2Freg.jiezhansifang.com%2Fthirdparty%2Fwechat%2Fcallback.do&state=83ab9561022ec376dd0d18f99888529d&login_type=jssdk&self_redirect=true&style=undefined&href=https://client-revision.jiezhansifang.com/resource/css/qrcode.css
    https://client-revision.jiezhansifang.com/modules/pkg/page-common_ea1051e.js
    https://client-revision.jiezhansifang.com/resource/css/client.css
    https://client-revision.jiezhansifang.com/modules/util/channel_5c9966b.js
    https://client-revision.jiezhansifang.com/modules/pkg/lib_c4b765a.js
    https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569904
    https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569905
    https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569906
    https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569907
    https://hm.baidu.com/hm.gif?kb=0&cc=1&ck=1&cl=24-bit&ds=1024x768&vl=434&et=0&fl=13.0&ja=1&ln=ko&lo=0&rnd=1178776312&si=8603659db96c7aa11111e7d2cf361c4e&su=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F%3Fclient%3Dxm%26qd%3D13%23login&v=1.2.80&lv=1&api=6_0&sn=64253&r=0&ww=17&ct=!!&u=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F&tt=%E5%8A%A0%E9%80%9F%E5%99%A8
    https://reg-saas.whweidu.com/thirdparty/wechat/login/qrcode/get.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&appKey=a22c30c4c6dd4316a189cfe47c91571b&callbackURI=https%3A%2F%2Fclient-revision.jiezhansifang.com%2Fjzsf%2FoemLoginCallback&callback=jQuery19107494205348593246_1608096546333&reqId=1608096546334
    https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569903
    https://lp.open.weixin.qq.com/connect/l/qrconnect?uuid=091dIIJr1ugJFa19&_=1608096569908
    https://reg-saas.whweidu.com/thirdparty/wechat/login/qrcode/get.do?clientId=9FCC46B6-E59F-4D32-ADA9-7B39835687F2&appKey=a22c30c4c6dd4316a189cfe47c91571b&callbackURI=https%3A%2F%2Fclient-revision.jiezhansifang.com%2Fjzsf%2FoemLoginCallback&callback=jQuery19107494205348593246_1608096546336&reqId=1608096546337
    https://hm.baidu.com/hm.gif?kb=0&cc=1&ck=1&cl=24-bit&ds=1024x768&vl=434&et=0&fl=13.0&ja=1&ln=ko&lo=0&rnd=77078479&si=8603659db96c7aa11111e7d2cf361c4e&su=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F&v=1.2.80&lv=1&api=4_0&sn=64253&r=0&ww=17&ct=!!&u=https%3A%2F%2Fclient-revision.jiezhansifang.com%2F%23login&tt=%E5%8A%A0%E9%80%9F%E5%99%A8
    https://client-revision.jiezhansifang.com/?client=xm&qd=13
    https://open.weixin.qq.com/connect/qrcode/091dIIJr1ugJFa19
    https://client.jiezhansifang.com/uploadRecord?channelId=13&localMac=94-DE-27-8C-32-74&timestamp=20201216142854
    https://open.weixin.qq.com/connect/qrconnect?appid=wxaaa8da95fe65628e&scope=snsapi_login&redirect_uri=https%3A%2F%2Freg.jiezhansifang.com%2Fthirdparty%2Fwechat%2Fcallback.do&state=3e5a8d4ab7b80ec3521f7c047e96ff8a&login_type=jssdk&self_redirect=true&style=undefined&href=https://client-revision.jiezhansifang.com/resource/css/qrcode.css
    https://res.wx.qq.com/connect/zh_CN/htmledition/style/impowerApp45a337.css
    https://client-revision.jiezhansifang.com/modules/pkg/page-login_7fc304f.js
    https://client-revision.jiezhansifang.com/resource/images/layout_bg-theme-1_632e2ef.png
    https://client-revision.jiezhansifang.com/modules/util/track_587265c.js
  Hosts (16):
    reg-saas.whweidu.com(47.114.110.100)
    lp.open.weixin.qq.com(203.205.232.67)
    client-revision.jiezhansifang.com(58.216.9.68)
    res.wx.qq.com(150.109.206.166)
    reg.jiezhansifang.com(47.114.110.100)
    client.jiezhansifang.com(58.216.9.68)
    resource-speedup.jiezhansifang.com(58.216.9.68)
    hm.baidu.com(103.235.46.191) - mailcious
    speedup.jiezhansifang.com(58.216.9.68)
    open.weixin.qq.com(203.205.239.172)
    203.205.234.140
    58.216.9.68
    203.205.239.171
    103.235.46.191 - mailcious
    150.109.206.154
    47.114.110.100
  Signatures (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

49839 | 2020-12-16 09:50 | SkIoKdBiDxtQ2g1.exe 89a6ece185d652883f32474e5c0df7c7 | VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS DDNS | 14.8 | M | 47 | ZeroCERT
  Hosts (2):
    2c04mm.hopto.org(79.134.225.9)
    79.134.225.9
  Signatures (1):
    ET POLICY DNS Query to DynDNS Domain *.hopto .org

49840 | 2020-12-16 09:46 | SkIoKdBiDxtQ2g1.exe 89a6ece185d652883f32474e5c0df7c7 | VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows DNS DDNS | 15.6 | M | 47 | guest
  Hosts (2):
    2c04mm.hopto.org(79.134.225.9)
    79.134.225.9
  Signatures (1):
    ET POLICY DNS Query to DynDNS Domain *.hopto .org

49841 | 2020-12-16 09:46 | Rep_LI6.doc 8e842b5a5672e46538f5d6fea2275579 | Vulnerability VirusTotal Malware unpack itself malicious URLs Windows | 4.2 | M | 26 | guest
  Hosts (2):
    electrocardsystems.com(160.153.128.10) - mailcious
    160.153.128.10 - mailcious
  Signatures (1):
    ET POLICY PE EXE or DLL Windows file download HTTP

49842 | 2020-12-16 09:15 | regasm.exe b8561eed84f227c88c7b8d3a106be5ab | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Software | 15.2 | M | 49 | guest
  URLs (1):
    http://webtex.ga/rojas/gate.php - rule_id: 146
  Hosts (2):
    webtex.ga(176.118.165.175) - mailcious
    176.118.165.175
  Signatures (10):
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Malicious URLs (1):
    http://webtex.ga/rojas/gate.php

49843 | 2020-12-16 09:13 | pdf.exe 48a9add9e1b4b99548e564dfbdcb8a9f | VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee | 4.6 | M | 42 | guest
  Hosts (3):
    dl.dropboxusercontent.com(162.125.80.15) - malware
    dl.dropbox.com(162.125.80.15) - malware
    162.125.80.15 - malware
  Signatures (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

49844 | 2020-12-16 09:11 | KINO.exe e74426f4ab322e220a00be7558b892de | VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee ComputerName DNS | 5.4 | M | 21 | guest
  URLs (1):
    https://hastebin.com/raw/wugowatelu
  Hosts (2):
    hastebin.com(104.24.127.89) - mailcious
    104.24.126.89 - mailcious
  Signatures (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

49845 | 2020-12-16 09:10 | kingtroupxtwo.scr d19c1f5071b995ed4bdefa7dfa86a2f5 | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 11.4 | M | 12 | guest