| 5356 |
2021-02-22 19:02
|
win322.exe 3c98031abb827791a6eac446d4e6e154
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key |
1
http://detectportal.firefox.com/success.txt?ipv4
|
4
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
detectportal.firefox.com(34.107.221.82)
mozilla.org(44.236.48.31)
34.107.221.82
|
|
|
9.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5357 |
2021-02-23 09:49
|
2.exe 5c0331638e59621f50341ec30f80a4c0
Malware download VirusTotal Open Directory Malware AutoRuns Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows Exploit Trojan |
|
4
s2010218.f3322.net(58.218.67.253)
ylsn.site(139.215.147.100)
139.215.147.100
58.218.67.253 - mailcious
|
10
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
|
|
7.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5358 |
2021-02-23 09:50
|
1.exe 96e2b84ac4e49605b7715abe0352b04b
Malware download VirusTotal Open Directory Malware AutoRuns suspicious privilege Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows Exploit Trojan DNS |
|
4
s2010218.f3322.net(58.218.67.253)
ylsn.site(139.215.147.100)
139.215.147.100
58.218.67.253 - mailcious
|
10
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
|
|
10.2 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5359 |
2021-02-23 09:55
|
3.exe ff7d3b6003c9058e40ae38a6a7efe40c
Malware download VirusTotal Open Directory Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check Windows Exploit Browser Advertising Trojan |
|
2
s2010218.f3322.net(58.218.67.253)
58.218.67.253 - mailcious
|
10
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
|
|
11.2 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5360 |
2021-02-23 09:55
|
4.exe 3095bf8189c4bbba126bd587ceb66893
VirusTotal Malware Check memory RWX flags setting sandbox evasion Browser Remote Code Execution DNS |
|
2
s2010218.f3322.net(58.218.67.253)
58.218.67.253 - mailcious
|
|
|
3.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5361 |
2021-02-23 10:00
|
2228.exe 0420435e01b432b69af26314d6faa99d
Malware download VirusTotal Open Directory Malware AutoRuns Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows Exploit Trojan |
|
4
s2010218.f3322.net(58.218.67.253)
ylsn.site(139.215.147.100)
139.215.147.100
58.218.67.253 - mailcious
|
11
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
|
|
7.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5362 |
2021-02-23 10:00
|
ali.exe 4cf00a84b2a96c9f35910063eaadf02d
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
|
|
|
12.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5363 |
2021-02-23 11:21
|
file1.jpg.exe bab5de876317b61245488f04d75ad33a
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
16.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5364 |
2021-02-23 12:44
|
daji.exe 096da551ab960e72a876f4c922d017ac
VirusTotal Malware AutoRuns suspicious privilege unpack itself malicious URLs Windows |
|
3
s2010218.f3322.net(58.218.67.253) - mailcious
r.pengyou.com(0.0.0.1) - mailcious
58.218.67.253 - mailcious
|
|
|
6.2 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5365 |
2021-02-23 12:46
|
IMG_01670_Scanned.jpg.exe bb78d2def4dedae9e7ab93082d1e5a56
FormBook Malware download VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process malicious URLs Windows ComputerName DNS Cryptographic key |
22
http://www.iconsneakersfr.com/mt6e/
http://www.selimtokdemir.com/mt6e/
http://www.shopstuckonyou.com/mt6e/
http://www.shareboard.net/mt6e/
http://www.shopstuckonyou.com/mt6e/?p0D=QrTzqiQvO1HqcR4iDuVMOkMM/q1EOnp1sicprWnh+BTyLIiGyD5AlSfyL3KMkNVJ6yvlLp1r&pPU=EFQDPFT0svF0
http://www.ikescakes.com/mt6e/
http://www.avmelihcelik.com/mt6e/
http://www.daysad.com/mt6e/?pPU=EFQDPFT0svF0&p0D=nLUnIGzaCJ+M1rWnTH35FRGNi4zQ+mzL810j085rNDpYT/d60xQV8nPQltHsOkkMn9HHqeBk
http://www.avmelihcelik.com/mt6e/?p0D=U2DfitfdnhhAlQqKAzhpMed/awq1Omf1FRP5Jw29Dkjp95ZGAWcqSc1/Q3gXrJ+BpmITJJwq&pPU=EFQDPFT0svF0
http://www.selimtokdemir.com/mt6e/?p0D=RPj4HhcWHdY5bsDWDqyXLYaxJu8cMRb9O7zhNDI8Xw4dSnlztaXP5AN82PLVwPUTTNJ6RgMs&pPU=EFQDPFT0svF0
http://www.shareboard.net/mt6e/?pPU=EFQDPFT0svF0&p0D=FHMZs3l8EE1+pKIA8HeWHdfJY+e7Ng4zY/hLwmQtaF7TNsaaZghzFNOLzrqEQTN6FiTS6eBw
http://www.usdtmgm.com/mt6e/?p0D=hqs7xKdaa4GpweRSvNV+A8Pr9u2ypDJ05Fa2bAr1u19PcT59KuBsyQCmcnNe1Ftso3o2jem1&pPU=EFQDPFT0svF0
http://www.usdtmgm.com/mt6e/
http://www.thelastco.com/mt6e/?pPU=EFQDPFT0svF0&p0D=tzcsl1q6Pegf8qGbY3FpbIZlOFhHNAGFT9Q5qg6MICWUuSYfHPkPiad6/6QJSRcbDU0uhihJ
http://www.ikescakes.com/mt6e/?p0D=YvExCURAav+pwDF8uMbCTZtdlUfUNESptwEuhOkN0IaeLcZ/LEZMWsSvPyol6qv1uAAX5Hbn&pPU=EFQDPFT0svF0
http://www.thelastco.com/mt6e/
http://www.mobilesolutionservice.com/mt6e/
http://www.madewithrealmeat.com/mt6e/
http://www.madewithrealmeat.com/mt6e/?pPU=EFQDPFT0svF0&p0D=v9Cj8MVvdhKxhcWjnmATBocxmZOy80FG1JhOPJowA/Cdp9S0Gyxfy8ikL7UuEREwmnYCSh8R
http://www.daysad.com/mt6e/
http://www.mobilesolutionservice.com/mt6e/?p0D=97AfqtxpG729lAriabKS3ny0nGJhtFP0P7ugibKBZ+YO1JA6Ycv39Vy9GPSP++pfiEPVZjwZ&pPU=EFQDPFT0svF0
http://www.iconsneakersfr.com/mt6e/?pPU=EFQDPFT0svF0&p0D=S3SgXqYM2P0kj3ZiHsUeRL61MTKTCgyxAIMttAIrDK9m9FXKDltLZwXAMZA0/o2LfvDnGV2j
|
20
www.thelastco.com(52.58.78.16)
www.iconsneakersfr.com(23.227.38.74)
www.avmelihcelik.com(78.142.211.39)
www.shopstuckonyou.com(23.227.38.74)
www.selimtokdemir.com(34.102.136.180)
www.madewithrealmeat.com(217.70.184.50)
www.shareboard.net(154.203.181.108)
www.usdtmgm.com(172.67.206.199)
www.mobilesolutionservice.com(209.99.40.222)
www.daysad.com(91.195.241.137)
www.ikescakes.com(34.102.136.180)
91.195.241.137 - mailcious
52.58.78.16 - mailcious
209.99.40.222 - mailcious
34.102.136.180 - mailcious
217.70.184.50 - mailcious
78.142.211.39
172.67.206.199
23.227.38.74 - mailcious
154.203.181.108
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
14.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5366 |
2021-02-23 13:18
|
IMG_7742_Scanned.jpg.exe b68f5e610c36752a3803d8a8204159fb
FormBook Malware download VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows ComputerName Cryptographic key |
22
http://www.cqca119.com/gypo/?Upth=6Ijyluq2RWZUQffIzZF3GEHXZAy1x9hj6K8feiKvwtPS96RjXVd7OPwQutjTQ9ygwsdSzPPp&S2Jl9T=RR-Ptri8rrtH
http://www.1523821.com/gypo/
http://www.cqca119.com/gypo/
http://www.1523821.com/gypo/?Upth=v6eFGANBqKYkba/rLmy8ZMDKCNJtnpJsc77T3WiDa26PAQjvqk+HirB8hdK7R3QbGbeh1NKI&S2Jl9T=RR-Ptri8rrtH
http://www.nadaalop.com/gypo/
http://www.livingthetao.com/gypo/?Upth=7+o+4dQFo7ngybfe17MEAgaZzWnM+NgHkJ1J+peRKzfL/bUVN7scDNa6YNRxPzV6Uz6qQ4vQ&S2Jl9T=RR-Ptri8rrtH
http://www.as-enterprise.com/gypo/
http://www.as-enterprise.com/gypo/?Upth=u01kdbaCF1jaxs+hkUj51O7puL2jN6QuMPtBnyk6FYfBNdqrZfhxbljL/BoGvG9P/m9wU15t&S2Jl9T=RR-Ptri8rrtH
http://www.nadaalop.com/gypo/?Upth=N76VK1KtwY1tiSMZgJtIojhyxdLVy9Pt6atYqBFG54SLe4WJs16bke4SFE1VxNcxcZA4qo1e&S2Jl9T=RR-Ptri8rrtH
http://www.coronarestschuldbefreiung.info/gypo/
http://www.livingthetao.com/gypo/
http://www.arkaim.online/gypo/?Upth=JWH9LrfQSVRfn3hm9LJF4827P5918lWClymTVf/+yn9nhWGZvP9h3vxN+9MnrqVNKRg9pPxS&S2Jl9T=RR-Ptri8rrtH
http://www.coronarestschuldbefreiung.info/gypo/?Upth=DWXR3hxdbYCNjwPmZVrJcl4soHKrsMllvRDmbJMn5S9oSq1d2/2J5i8pIOHm0T1IalMTW49o&S2Jl9T=RR-Ptri8rrtH
http://www.nurturell.com/gypo/
http://www.outsourceddraftingservices.com/gypo/?Upth=BRxeeSAC+9zk/4Zc6eeiUEsyU3ax7XYgLl5hP1QKhmebf/KqdholJd0XmcADC2P4n8VV6qBN&S2Jl9T=RR-Ptri8rrtH
http://www.pachayfannels.com/gypo/?Upth=ZwoD27LU1k7tqoDXBPBTvFWkvKW5FQWE00s7HksUqgRx0NNWszane7VGQb9IL33FEDRF8gG6&S2Jl9T=RR-Ptri8rrtH
http://www.arkaim.online/gypo/
http://www.g7jnpkjmr97w5.net/gypo/
http://www.outsourceddraftingservices.com/gypo/
http://www.nurturell.com/gypo/?Upth=s6lkjXCBLALOFEyxdU2+zluNvv3wYD6CeK+0nTgRAm7t3Jcjgfa2JouYZWUwWsdH2WN98BNX&S2Jl9T=RR-Ptri8rrtH
http://www.g7jnpkjmr97w5.net/gypo/?Upth=vZ7dpNAWbPcVRH+zlpC13zKsEuFRE/SeQP5pmKdqvDgfPxOnKxrAJp8p73yLM2eIvAxWmGXP&S2Jl9T=RR-Ptri8rrtH
http://www.pachayfannels.com/gypo/
|
22
www.livingthetao.com(34.102.136.180)
www.nurturell.com(34.102.136.180)
www.outsourceddraftingservices.com(184.168.131.241)
www.g7jnpkjmr97w5.net(103.109.255.49)
www.panyspace.website()
www.pachayfannels.com(66.96.147.160)
www.coronarestschuldbefreiung.info(85.13.138.58)
www.cqca119.com(104.21.75.126)
www.1523821.com(103.214.140.250)
www.nadaalop.com(193.238.27.20)
www.arkaim.online(78.140.191.25)
www.as-enterprise.com(46.17.172.153)
85.13.138.58
104.21.75.126
103.109.255.49
78.140.191.25
184.168.131.241 - mailcious
34.102.136.180 - mailcious
103.214.140.250
193.238.27.20
46.17.172.153
66.96.147.160 - phishing
|
4
ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2
ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M2
|
|
12.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5367 |
2021-02-23 13:23
|
IMG_6078_SCANNED.jpg.exe 98b7438e7128ce0e2e983e50f2a4f4ed
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://95.181.172.200/ro/z/pin.php
|
1
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
16.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5368 |
2021-02-23 13:24
|
IMG_61061_SCANNED.jpg.exe 96ee30ef07bdc81ad2362a4ec3dc6b2a
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
|
|
|
15.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5369 |
2021-02-23 13:32
|
IN90003844.exe f57d087472fdeac6df9751ad5d0c0965
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName Software crashed keylogger |
|
|
|
|
11.2 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5370 |
2021-02-23 13:32
|
IMG_71106_SCANNED.jpg.exe 88e0de608b9deebe3aa0925029b0fde3
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
162.88.193.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
17.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|