Submissions - ZeroBOX

Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player	Etc
50056	2020-11-26 10:01	Bbyzuwhvoljsm1.exe 883025ad08af47c1efac400822932857 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName DNS	1 Keyword trend analysis	3	1		4.0	M	21	ZeroCERT

50057	2020-11-26 09:31	ach.vbs 7eb75ac29bcdb9b04ffd7be21be218c0 Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut ICMP traffic unpack itself powershell.exe wrote Check virtual network interfaces malicious URLs WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS		6	3		14.4	M		ZeroCERT

50058	2020-11-26 09:31	a14.exe 3eafc3e74deeffaccc2a203154265a30 Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows Email ComputerName DNS Software	3 Keyword trend analysis	1	5		11.8	M	34	ZeroCERT

50059	2020-11-26 07:54	http://195.3.146.180/cia.exe a7d58a3a9f2ff3e1fefd69ed12cceeb1 Dridex VirusTotal Malware Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader		1	7 Info SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO TLS Handshake Failure ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex		6.6	M	49	ZeroCERT

50060	2020-11-25 18:36	winlog2.exe 953183f2f75bd5550052ec78c16f1f28 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows	5 Keyword trend analysis Info http://www.theplatinumworld.com/ogg/?EzrxUr=z4WWY2NGDQA3TT970o2t6UJYrBZlOTp5t0HWRFWiJXrZveQAnQBDb/Q+hz+Oh6TLV9U4RDLY&anM=TXFDw2SpHTH0S http://www.moneybusinessclub.com/ogg/?EzrxUr=PD+A/uZZjHqP2DE+br7tala8gkAXPgZdBw4uif/jhwXtpQmdgbjHM7L4nfrDT9H/G3/GJr0I&anM=TXFDw2SpHTH0S http://www.mybuildingneeds.com/ogg/?EzrxUr=FSuMtK+4cIF2dgg9R8/Am8atNYEqepqwKIxzNRd2vmoZjUi8YNUHcO9eylnwG8TASaDp3Fc2&anM=TXFDw2SpHTH0S http://www.zdysks.com/ogg/?EzrxUr=h9fUdnKRQufkCbej0B2zDKYyE5dQPtw7ynwbYbfWK2SXogl5VJXj7+ljaUQejbnu0ocEcl3d&anM=TXFDw2SpHTH0S http://www.blog-cybersecurite.net/ogg/?EzrxUr=uyIbKDCrypeXPZ6yI4wWJtRQLd3qsroUFyMxRi5llJsKcNcLyiSZfqtWNsDNHLipxP26HmJh&anM=TXFDw2SpHTH0S	10			9.0	M	24	ZeroCERT

50061	2020-11-25 18:32	winlog.exe a3369a332aebbd578c291cc27ccb354b Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName Software	1 Keyword trend analysis	2	7 Info ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response	1	17.0	M	44	ZeroCERT

50062	2020-11-25 18:31	winlog2.exe 953183f2f75bd5550052ec78c16f1f28 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows					9.2	M	24	ZeroCERT

50063	2020-11-25 18:28	whe.exe 095e1574fea1e95a9ed568d2e679fb77 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed					8.4	M	52	ZeroCERT

50064	2020-11-25 18:28	vbc2.exe ec26b497c9a213858ee08585ff4b3f10 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software	1 Keyword trend analysis	2	7 Info ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response		14.0	M	30	ZeroCERT

50065	2020-11-25 18:22	vbc.exe f3d05ab1f7e10173609506ba7f343cd6 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key	1 Keyword trend analysis	2	1		4.6	M	11	ZeroCERT

50066	2020-11-25 18:22	svchost.exe 3093fbc1285eae874e39161553540c6c VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs	1 Keyword trend analysis	2			8.2	M	18	ZeroCERT

50067	2020-11-25 18:19	svchost.exe 3093fbc1285eae874e39161553540c6c VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs					7.4	M	18	ZeroCERT

50068	2020-11-25 18:16	regasm.exe 2c779eb8a99417d4512c130b00b0dbf0 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Software	1 Keyword trend analysis	2	9 Info ET INFO DNS Query for Suspicious .ml Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ml Domain ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2		14.8	M	20	ZeroCERT

50069	2020-11-25 18:13	https://zoomba619.blogspot.com... c89486438fea2dd19f18900689a2ea43 Dridex VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed	30 Keyword trend analysis Info https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png https://zoomba619.blogspot.com/favicon.ico https://www.google.com/css/maia.css https://fonts.googleapis.com/css?family=Open+Sans:300 https://www.blogger.com/blogin.g?blogspotURL=https://zoomba619.blogspot.com/p/14n.html https://www.google-analytics.com/analytics.js https://zoomba619.blogspot.com/p/14n.html https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfBBc-.woff https://www.blogger.com/img/share_buttons_20_3.png https://www.gstatic.com/og/_/ss/k=og.qtm.LxFU5raKC7I.L.I9.O/m=qawd,qmd/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtb,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTuxx9r82IG9VtDswwd52iKnvFvhvw https://www.blogger.com/static/v1/v-css/281434096-static_pages.css https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://zoomba619.blogspot.com/p/14n.html%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://zoomba619.blogspot.com/p/14n.html%26bpli%3D1&passive=true&go=true https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eDa9r_TVF5I.O/rt=j/m=q_d,qawd,qmd,qsd,qmutsd,qapid/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtb,qhtt/d=1/ed=1/rs=AA2YrTvt_FChtzGjr4wKVQY3jzJEAyfceg https://www.blogger.com/static/v1/widgets/1791449097-widgets.js https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png https://www.google.com/gen_204?atyp=i&zx=1606295324725&sei=JR--X8L4I9fj-gSfx774Dw&ogf=.40.40.40.76.40.40.40.&ogrp=&ogv=343804731.0&ogd=&ogc=KOR&ogl=ko&oggv=quantum%3AgapiBuildLabel&jexpid=&srcpg=prop%3D30&jsr=10&emsg=ReferenceError%3A'console'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4. https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg https://fonts.googleapis.com/css?lang=ko&family=Product+Sans\|Roboto:400,700 https://www.blogger.com/img/blogger-logotype-color-black-1x.png https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uhBKOtz6fOw.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8GZHNTtpcfighnqAH0uUZTALLzrw/cb=gapi.loaded_0 https://www.blogger.com/dyn-css/authorization.css?targetBlogID=2525772521150521786&zx=f1a9dab4-d740-4e63-b13e-5c2747a95cd6 https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fzoomba619.blogspot.com%2Fp%2F14n.html&bpli=1 https://www.blogger.com/static/v1/jsbin/4244862144-ieretrofit.js https://resources.blogblog.com/img/icon18_edit_allbkg.gif https://ssl.gstatic.com/gb/images/p1_799229b0.png https://resources.blogblog.com/img/icon18_wrench_allbkg.png https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js	21 Info zoomba619.blogspot.com(172.217.25.193) resources.blogblog.com(216.58.197.137) www.google.com(172.217.175.36) www.gstatic.com(172.217.24.131) ssl.gstatic.com(172.217.24.131) accounts.google.com(172.217.174.109) www.google-analytics.com(172.217.174.110) apis.google.com(172.217.161.78) fonts.gstatic.com(172.217.161.67) fonts.googleapis.com(216.58.197.202) www.blogger.com(216.58.197.137) 216.58.199.4 - suspicious 216.58.199.9 172.217.31.234 172.217.163.227 172.217.26.142 172.217.26.129 172.217.161.163 172.217.24.201 216.58.200.13 172.217.31.227	3		4.6			ZeroCERT

50070	2020-11-25 18:11	guy1.exe 9721f911ecb8a06c0f244f7ff35dbde2 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Ransomware Windows Tor ComputerName DNS crashed		2	3		13.4	M	26	ZeroCERT