| 5266 |
2021-02-18 22:19
|
regasm.exe a3ea851c219595231607114885c09413
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://becharnise.ir/fb6/fre.php
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
10.8 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5267 |
2021-02-18 22:22
|
setup.exe 708cf56061b75db614bd5ce9ebff2c75
VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser ComputerName crashed |
8
http://www.wpobot.com/update.php?version=10165
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
http://www.wpobot.com/api.php
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x86.exe
https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x64.exe
https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x86.exe
|
4
www.wpobot.com(198.187.31.103)
download.microsoft.com(23.40.44.112)
104.75.0.70
198.187.31.103 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5268 |
2021-02-18 22:22
|
slim.exe f0dc88bce28dcc9005164930e94eacd6
VirusTotal Malware suspicious privilege Code Injection Checks debugger buffers extracted unpack itself |
|
|
|
|
6.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5269 |
2021-02-18 22:27
|
UyHosminFeb2.exe 07f3ee1b4354031f89d96955e7917ea7
VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns Check memory unpack itself Auto service suspicious process malicious URLs sandbox evasion Windows Browser ComputerName crashed |
1
http://webservicepag.webhop.net/gate/config.txt
|
4
webservicepag.webhop.net(141.255.151.45)
vpspro.blogdns.com(216.108.228.33)
216.108.228.33
141.255.151.45 - malware
|
1
ET POLICY Cryptocurrency Miner Checkin
|
|
8.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5270 |
2021-02-18 22:29
|
slim.exe f0dc88bce28dcc9005164930e94eacd6
FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself DNS |
26
http://www.afirecma.com/idir/?p0D=OZI7YR54vOYS79WY5njqDUCepgfTBU36uUqyx5fGkogFcmDIgVDn3LRait3tsL93YwN6YK0U&uFNl=XP7LsfJxpLQ
http://www.tgy100.com/idir/
http://www.hombresalfa.com/idir/?p0D=eEDuJm92lZ58mmw5V4yjuMarZgCg+o797kIn51t297/yWqdQXgz7vtQqNzNsJc6Yqh+14HkO&uFNl=XP7LsfJxpLQ
http://www.thebesthikingstoreblog.com/idir/?p0D=QIXd/mjLKOOaZWlCK9Nz0vgzPzQTz8rpua4vxMUkP4TZ4+ZDMcF7B8dwX7w9ToweBXakw/Pm&uFNl=XP7LsfJxpLQ
http://www.kimamayuru.com/idir/?p0D=n4fEXWOLx34zvL9LSVhM0KaUjBlMGNx6zalqg03KW9KXpN9BO4lW1Zl4AIxme79BhR5bBvH5&uFNl=XP7LsfJxpLQ
http://www.hombresalfa.com/idir/
http://www.epoxmarket.com/idir/?p0D=citDNjrGzXp4nOAOiXbnGk52DOFKXGtGfg6KNhs8aG4omlMQk+WHRaS2qqenKAN/tRUNOBfA&uFNl=XP7LsfJxpLQ
http://www.wm-ks.com/idir/?p0D=tnXvwXwoY4lgl+w7De9+Iq8KdJftVNAznVeQREgxAUMbqntEi+pAiZf9TDQv/EVHb7ydbAxE&uFNl=XP7LsfJxpLQ
http://www.mediasupernova.com/idir/
http://www.powermindcoaching.com/idir/
http://www.wm-ks.com/idir/
http://www.hall-on.com/idir/
http://www.epoxmarket.com/idir/
http://www.voilalab.com/idir/
http://www.turnthathitup.net/idir/
http://www.voilalab.com/idir/?p0D=oqW0YC7G2AuJGwjJ3/1jHB/SAWK+tz+c7ymrxwj0j6odj/cbfCbC8tKFV8mukz9ltKDMWpwe&uFNl=XP7LsfJxpLQ
http://www.mediasupernova.com/idir/?p0D=BBXoJm4MOJa/oV19fGSy0sEyLibn+67cOqr4fvCs/lTJXuLPBOR+35b9eRxxgzeDCyaLVV+T&uFNl=XP7LsfJxpLQ
http://www.afirecma.com/idir/
http://www.thebesthikingstoreblog.com/idir/
http://www.turnthathitup.net/idir/?p0D=iSp7NF8Br3ApWgHvTjEcfDBaCHutx70BvHhPVcPPPjkgis6I8Zd6JxGFIsdgBzsCH8+PAaXc&uFNl=XP7LsfJxpLQ
http://www.tgy100.com/idir/?p0D=TbC2B3LY80HXTYJ2J0L9FMb0mDNXYD2dgqpFcjwDXgtFFFDLgz7v0CRCg/isIQm2NBWZXWQ3&uFNl=XP7LsfJxpLQ
http://www.freeladoc.com/idir/
http://www.freeladoc.com/idir/?p0D=CmQXZxFmZ695aeMJcjz8m9xSVyzCLxVE0/38UE+wwn+siyXkfrtAsF+E7ghy7rvY1pN5IddI&uFNl=XP7LsfJxpLQ
http://www.hall-on.com/idir/?p0D=3ocem91AMy6SoJdwNUrqoc/jLrHK5wIjRiEvaEch1opoAARw4iB7gQOpr+O6VNmJ4iVn0zkF&uFNl=XP7LsfJxpLQ
http://www.powermindcoaching.com/idir/?p0D=hwkvgHy6hn8ZJxQczAdxmMIc2NJmaXdSmd7aO9ihGVc7clm8AiHflo6UhWkhBJcmNr8Z8TPM&uFNl=XP7LsfJxpLQ
http://www.kimamayuru.com/idir/
|
28
www.freeladoc.com(206.221.176.184)
www.hombresalfa.com(74.208.236.11)
www.powermindcoaching.com(182.50.132.242)
www.turnthathitup.net(52.52.194.179)
www.thebesthikingstoreblog.com(198.12.210.182)
www.tgy100.com(72.44.77.77)
www.hunliqn.com()
www.hall-on.com(94.23.162.163)
www.voilalab.com(52.58.78.16)
www.wagnercontractingllc.com()
www.afirecma.com(156.241.53.240)
www.kimamayuru.com(118.27.99.26)
www.wm-ks.com(172.67.138.38)
www.mediasupernova.com(198.54.117.216)
www.epoxmarket.com(52.213.114.86)
198.12.210.182
156.241.53.240
54.38.220.85 - mailcious
52.58.78.16 - mailcious
118.27.99.26
198.54.117.217 - phishing
104.21.62.185
182.50.132.242 - mailcious
72.44.77.77
74.208.236.11
13.56.50.119
52.213.114.86 - mailcious
207.244.67.216 - suspicious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.6 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5271 |
2021-02-18 23:38
|
VTY.exe 3afbff763b9b7c1d7ee7c7d99ea33bb2
VirusTotal Malware RWX flags setting unpack itself anti-virtualization |
|
|
|
|
2.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5272 |
2021-02-18 23:43
|
W5o0qEYvyipy0ld.exe c6744a569048af543f110f79542e23a7
VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself malicious URLs |
|
|
|
|
4.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5273 |
2021-02-18 23:46
|
waki.jpg.exe c23cd3266f9085ba12e269d4ddc79fc2
FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS |
26
http://www.svsnovotec.com/cna8/
http://www.cursoexitus.com/cna8/?t8bHuZw=a0asMOVpz8WLDPvFAZ3ojJcr2odJrn+KI/Gr1ti8VNVtOpWaznC+Hs3uvnAYvBrMBpn6Og3I&3f=llvt
http://www.hyderabadmanhattancondos.com/cna8/?t8bHuZw=+4SRMCfR1pXhxYZNAOHKF3KBm2ArHZ1J8ffRm7LE3wyHXTGJEnegBMV1g+qBW9SbdMY9xpmT&3f=llvt
http://www.agshorizon.com/cna8/?t8bHuZw=88GsOuFBSheH9N/F3CJIv2llvPaEExNntIG2mw0QvGFaf9KO3hzLniHlqCvFylhTbixlNkHB&3f=llvt
http://www.resellerpagecomputers.com/cna8/
http://www.zbjingrui.com/cna8/
http://www.zbjingrui.com/cna8/?t8bHuZw=2qa3y11aYweRkojoMIGYGIvrhuz7zSwu73s+V7BHXPuVXli2iNxgJKPSXxJEfjT/VB1RGBps&3f=llvt
http://www.lareinadelosalisados.com/cna8/?t8bHuZw=3nwiMzBH5zISWV+kA44m7bOcNqtjZkUigNZpmgdKr87zu/Fv/AAk/LvUHpUWtVxWGxvG7Q/z&3f=llvt
http://www.oeayzom.com/cna8/?t8bHuZw=bQQdhT25E1xcFRHMVUoAXJPnddiWe9NZF4MvzcN2mzTbLpOvMHTPNzixsfgIj7YDHmt4SSXZ&3f=llvt
http://www.brazillianallstars.com/cna8/?t8bHuZw=OPBiOkdGnsBiPlDJyMS3cRTBDXW7gZN6qRGskf93TgZkyIehwJ5enE3IvZSXKhhlz6ESEyri&3f=llvt
http://www.saiparahnama.com/cna8/?t8bHuZw=73Ks6GVNyc5SUCaxFbilKlR0/vx8QzpZLj71l8L7ttPLLfRfHCiNlF/SFEu0ZEFqqTjnsNKb&3f=llvt
http://www.hyderabadmanhattancondos.com/cna8/
http://www.cursoexitus.com/cna8/
http://www.lareinadelosalisados.com/cna8/
http://www.u9wm4u5fssmaj.net/cna8/?t8bHuZw=D8OfqwtS0R/F0HI62UNQ2cEBUEn8K3a/Zpv4JJVrER3wSHMynO7gqo1kELjDhgDWkDQTxE8h&3f=llvt
http://www.brazillianallstars.com/cna8/
http://www.saiparahnama.com/cna8/
http://www.5725carnarvon.com/cna8/?t8bHuZw=xEdRKHtWhbqEtMVvGHeGdritWit32lJWXQbzgO+RJiChlLGWegYWHsZ3gkufEETu3eQpKLBD&3f=llvt
http://www.eiz.one/cna8/
http://www.5725carnarvon.com/cna8/
http://www.svsnovotec.com/cna8/?t8bHuZw=HlL8mN6+4YD61fAyGhHcA/B0uclaHg8iRUuo/0mF9tiDS/eZFcHY28W0Nq1e+L1zPEQAkgt3&3f=llvt
http://www.u9wm4u5fssmaj.net/cna8/
http://www.resellerpagecomputers.com/cna8/?t8bHuZw=shDnAgmCNutKNEhK2UTmOqUaO6S+siwCiYFGugceBpP3nAvpmqcZBKo9HSuTln67JwN3hGTW&3f=llvt
http://www.oeayzom.com/cna8/
http://www.agshorizon.com/cna8/
http://www.eiz.one/cna8/?t8bHuZw=hg0kLiEQ+cOGkgm/T/rkndEMkEM0ATXMwPsp21XTfSW5joXzU15QjAd4e9WDOAzlIVuQr98O&3f=llvt
|
26
www.brazillianallstars.com(34.102.136.180)
www.5725carnarvon.com(34.80.190.141)
www.eiz.one(34.80.190.141)
www.saiparahnama.com(154.93.91.183)
www.svsnovotec.com(208.91.197.91)
www.oeayzom.com(91.195.241.137)
www.u9wm4u5fssmaj.net(103.71.95.177)
www.lareinadelosalisados.com(108.179.194.9)
www.zbjingrui.com(23.110.236.96)
www.cursoexitus.com(154.204.8.240)
www.resellerpagecomputers.com(184.168.131.241)
www.agshorizon.com(104.21.41.247)
www.heicat.club()
www.hyderabadmanhattancondos.com(34.102.136.180)
www.onlinedavetiyecim.com()
103.71.95.177
108.179.194.9
184.168.131.241 - mailcious
91.195.241.137 - mailcious
23.110.236.96
34.102.136.180 - mailcious
154.93.91.183
34.80.190.141 - mailcious
104.21.41.247
154.204.8.240
208.91.197.91 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
6.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5274 |
2021-02-19 09:15
|
WAQ.exe bdfdc1f12e34b9ec4877c30f32c0947f
VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
2.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5275 |
2021-02-19 09:15
|
winlog.exe 464dad78f117c78acf3dbc4da0afeacc
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
10.8 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5276 |
2021-02-19 09:19
|
x3t5n6rofkRBJYo.exe 3b0f7e6a0e98a28fc8f8e9cff739ff0a
VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
3.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5277 |
2021-02-19 09:21
|
winlog2.exe 8a497c5c9117e49aca17d4daed692816
FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS |
20
http://www.winabeel.com/nsag/?wR9=Zdd+03lHSaHx9bsfGmYqRiw2DY9Wd51jzuzcC+yplmYsvIS302b6tXCbCdSHs+H4vWsRR/ih&lZQ=7neHz4Sxe
http://www.winabeel.com/nsag/
http://www.droneserviceshouston.com/nsag/
http://www.patientsbooking.info/nsag/?wR9=KeczQ56DamwD9svIFnNGWWHsFBeO9lrdG3HlKeiP/mxlv9NU3UnoEtu0s/ati3Kq4DxBk6xe&lZQ=7neHz4Sxe
http://www.patientsbooking.info/nsag/
http://www.droneserviceshouston.com/nsag/?wR9=TqyY/GEJPDsYG8NWMRdFyQRMdddqkM/uWsPloTk7EWU4HGwS0QcF8NuPxGCLWW63qZeDdTav&lZQ=7neHz4Sxe
http://www.thevistadrinksco.com/nsag/?wR9=89x0WLRjiX8vxJewURQp/GvcN1/YmgWR5RrL9zwJ4+Em3U5V6Jl/KIqLKOREtlLDyo6UZk4M&lZQ=7neHz4Sxe
http://www.myfeezinc.com/nsag/?wR9=AXehkXJ0lYKIRpysAOPXC/XvfFX0gl1EYuuNA/NXyIs4zVDAJbmNyTfmVaLKjAY24GUI8tpB&lZQ=7neHz4Sxe
http://www.caresring.com/nsag/
http://www.caresring.com/nsag/?wR9=eOUA5aRjIkCGomxMCKVsCrqw77oq3Ld2II7ona7zW1G1cXWvsE4xWZulTcw0Ww3D2pTFfRhO&lZQ=7neHz4Sxe
http://www.siyezim.com/nsag/
http://www.siyezim.com/nsag/?wR9=cHydTT74E1nn7ShzX27nBLtIpe6KAA4gGlqEXBmrSVatdVIqfO0uonw9flVqSmKs+CTKt5eQ&lZQ=7neHz4Sxe
http://www.hakimkhawatmi.com/nsag/
http://www.thevistadrinksco.com/nsag/
http://www.babyhopeful.com/nsag/?wR9=yJxBi+1cVPxd0IGA9juRnJgWBvF/w5S3xYjlHn+qYkob6wIsFpdmcyl/46PgOE7zBLoH0wn5&lZQ=7neHz4Sxe
http://www.robertbeauford.net/nsag/
http://www.robertbeauford.net/nsag/?wR9=ZytS2kh4n9O75onGDRHLLhWWTpd2/DnFG1VREKPl60yjO6W3J/fIWdjd5GqXYUyRpzsqAW0K&lZQ=7neHz4Sxe
http://www.babyhopeful.com/nsag/
http://www.hakimkhawatmi.com/nsag/?wR9=9Tl2KXc88NiNV6d78vpX/czO0Yy7ZBOWuVeFqMNCcJII52Iatjzlz5H6MLTI0pcZ5A6WDAz/&lZQ=7neHz4Sxe
http://www.myfeezinc.com/nsag/
|
22
www.nooshone.com()
www.droneserviceshouston.com(52.58.78.16)
www.hakimkhawatmi.com(34.102.136.180)
www.thevistadrinksco.com(34.102.136.180)
www.patientsbooking.info(34.102.136.180)
www.caresring.com(3.14.163.116)
www.856380692.xyz(103.88.34.80)
www.winabeel.com(34.102.136.180)
www.evoslancete.com()
www.myfeezinc.com(103.224.182.242)
www.babyhopeful.com(161.97.106.19)
www.robertbeauford.net(154.214.73.24)
www.skinjunkie.site()
www.siyezim.com(176.53.69.72)
52.58.78.16 - mailcious
34.102.136.180 - mailcious
176.53.69.72
103.88.34.80 - suspicious
154.214.73.24
3.14.163.116
161.97.106.19
103.224.182.242 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
7.4 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5278 |
2021-02-19 09:26
|
yygg.exe 3ef3395f97eaeebe5c6cf07594402606
VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
3.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5279 |
2021-02-19 09:42
|
123.exe 37514775ce8c353351766d3c63bbe20a
Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency buffers extracted unpack itself sandbox evasion installed browsers check Stealer Browser ComputerName DNS crashed |
|
1
|
1
ET MALWARE Win32/HunterStealer/AlfonsoStealer CnC Exfil
|
|
4.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5280 |
2021-02-19 09:44
|
10.fbr.exe 853c5f48616fd2afd63e487d197c9796
Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName Remote Code Execution DNS crashed |
|
7
200.52.147.93 - mailcious
142.202.191.164 - mailcious
194.5.249.156 - phishing
45.155.173.242 - mailcious
94.140.114.136 - mailcious
108.170.20.75 - mailcious
186.250.157.116 - mailcious
|
8
ET CNC Feodo Tracker Reported CnC Server group 16
ET CNC Feodo Tracker Reported CnC Server group 24
ET CNC Feodo Tracker Reported CnC Server group 2
ET CNC Feodo Tracker Reported CnC Server group 12
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 4
ET CNC Feodo Tracker Reported CnC Server group 9
|
|
9.8 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|