5266 |
2021-02-18 22:19
|
regasm.exe a3ea851c219595231607114885c09413 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://becharnise.ir/fb6/fre.php
|
2
becharnise.ir(185.208.180.121) - malicious 185.208.180.121 - malicious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
10.8 |
M |
39 |
ZeroCERT
|
5267 |
2021-02-18 22:22
|
setup.exe 708cf56061b75db614bd5ce9ebff2c75 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser ComputerName crashed |
8
http://www.wpobot.com/update.php?version=10165 http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl http://www.wpobot.com/api.php http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x86.exe https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x64.exe https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x86.exe
|
4
www.wpobot.com(198.187.31.103) download.microsoft.com(23.40.44.112) 104.75.0.70 198.187.31.103 - malicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
12.6 |
M |
28 |
ZeroCERT
|
5268 |
2021-02-18 22:22
|
slim.exe f0dc88bce28dcc9005164930e94eacd6 VirusTotal Malware suspicious privilege Code Injection Checks debugger buffers extracted unpack itself |
|
6.8 |
M |
50 |
ZeroCERT
|
5269 |
2021-02-18 22:27
|
UyHosminFeb2.exe 07f3ee1b4354031f89d96955e7917ea7 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns Check memory unpack itself Auto service suspicious process malicious URLs sandbox evasion Windows Browser ComputerName crashed |
1
http://webservicepag.webhop.net/gate/config.txt
|
4
webservicepag.webhop.net(141.255.151.45) vpspro.blogdns.com(216.108.228.33) 216.108.228.33 141.255.151.45 - malware
|
1
ET POLICY Cryptocurrency Miner Checkin
|
8.6 |
M |
48 |
ZeroCERT
|
5270 |
2021-02-18 22:29
|
slim.exe f0dc88bce28dcc9005164930e94eacd6 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself DNS |
26
|
28
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
8.6 |
M |
50 |
ZeroCERT
|
5271 |
2021-02-18 23:38
|
VTY.exe 3afbff763b9b7c1d7ee7c7d99ea33bb2 VirusTotal Malware RWX flags setting unpack itself anti-virtualization |
|
2.2 |
M |
26 |
ZeroCERT
|
5272 |
2021-02-18 23:43
|
W5o0qEYvyipy0ld.exe c6744a569048af543f110f79542e23a7 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself malicious URLs |
|
4.0 |
M |
22 |
ZeroCERT
|
5273 |
2021-02-18 23:46
|
waki.jpg.exe c23cd3266f9085ba12e269d4ddc79fc2 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS |
26
|
26
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
6.8 |
M |
25 |
ZeroCERT
|
5274 |
2021-02-19 09:15
|
WAQ.exe bdfdc1f12e34b9ec4877c30f32c0947f VirusTotal Malware RWX flags setting unpack itself |
|
2.0 |
M |
44 |
ZeroCERT
|
5275 |
2021-02-19 09:15
|
winlog.exe 464dad78f117c78acf3dbc4da0afeacc Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
|
2
becharnise.ir(185.208.180.121) - malicious 185.208.180.121 - malicious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
10.8 |
M |
39 |
ZeroCERT
|
5276 |
2021-02-19 09:19
|
x3t5n6rofkRBJYo.exe 3b0f7e6a0e98a28fc8f8e9cff739ff0a VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
3.2 |
M |
21 |
ZeroCERT
|
5277 |
2021-02-19 09:21
|
winlog2.exe 8a497c5c9117e49aca17d4daed692816 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS |
20
|
22
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
7.4 |
M |
25 |
ZeroCERT
|
5278 |
2021-02-19 09:26
|
yygg.exe 3ef3395f97eaeebe5c6cf07594402606 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
3.2 |
M |
26 |
ZeroCERT
|
5279 |
2021-02-19 09:42
|
123.exe 37514775ce8c353351766d3c63bbe20a Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency buffers extracted unpack itself sandbox evasion installed browsers check Stealer Browser ComputerName DNS crashed |
|
1
|
1
ET MALWARE Win32/HunterStealer/AlfonsoStealer CnC Exfil
|
4.8 |
M |
29 |
ZeroCERT
|
5280 |
2021-02-19 09:44
|
10.fbr.exe 853c5f48616fd2afd63e487d197c9796 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted ICMP traffic RWX flags setting unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName Remote Code Execution DNS crashed |
|
7
200.52.147.93 - malicious 142.202.191.164 - malicious 194.5.249.156 - phishing 45.155.173.242 - malicious 94.140.114.136 - malicious 108.170.20.75 - malicious 186.250.157.116 - malicious
|
8
ET CNC Feodo Tracker Reported CnC Server group 16 ET CNC Feodo Tracker Reported CnC Server group 24 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 12 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 9
|
9.8 |
M |
15 |
ZeroCERT
|