5356 | 2021-02-22 19:02
File: win322.exe | MD5: 3c98031abb827791a6eac446d4e6e154
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key
URLs (1): http://detectportal.firefox.com/success.txt?ipv4
Hosts (4): prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82) detectportal.firefox.com(34.107.221.82) mozilla.org(44.236.48.31) 34.107.221.82
9.6 | | 13 | ZeroCERT

5357 | 2021-02-23 09:49
File: 2.exe | MD5: 5c0331638e59621f50341ec30f80a4c0
Tags: Malware download VirusTotal Open Directory Malware AutoRuns Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows Exploit Trojan
Hosts (4): s2010218.f3322.net(58.218.67.253) ylsn.site(139.215.147.100) 139.215.147.100 58.218.67.253 - mailcious
Alerts (10):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
7.8 | M | 47 | ZeroCERT

5358 | 2021-02-23 09:50
File: 1.exe | MD5: 96e2b84ac4e49605b7715abe0352b04b
Tags: Malware download VirusTotal Open Directory Malware AutoRuns suspicious privilege Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows Exploit Trojan DNS
Hosts (4): s2010218.f3322.net(58.218.67.253) ylsn.site(139.215.147.100) 139.215.147.100 58.218.67.253 - mailcious
Alerts (10):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
10.2 | M | 53 | ZeroCERT

5359 | 2021-02-23 09:55
File: 3.exe | MD5: ff7d3b6003c9058e40ae38a6a7efe40c
Tags: Malware download VirusTotal Open Directory Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check Windows Exploit Browser Advertising Trojan
Hosts (2): s2010218.f3322.net(58.218.67.253) 58.218.67.253 - mailcious
Alerts (10):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
11.2 | M | 52 | ZeroCERT

5360 | 2021-02-23 09:55
File: 4.exe | MD5: 3095bf8189c4bbba126bd587ceb66893
Tags: VirusTotal Malware Check memory RWX flags setting sandbox evasion Browser Remote Code Execution DNS
Hosts (2): s2010218.f3322.net(58.218.67.253) 58.218.67.253 - mailcious
3.6 | M | 44 | ZeroCERT

5361 | 2021-02-23 10:00
File: 2228.exe | MD5: 0420435e01b432b69af26314d6faa99d
Tags: Malware download VirusTotal Open Directory Malware AutoRuns Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows Exploit Trojan
Hosts (4): s2010218.f3322.net(58.218.67.253) ylsn.site(139.215.147.100) 139.215.147.100 58.218.67.253 - mailcious
Alerts (11):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
7.8 | M | 48 | ZeroCERT

5362 | 2021-02-23 10:00
File: ali.exe | MD5: 4cf00a84b2a96c9f35910063eaadf02d
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed
12.4 | M | 24 | ZeroCERT

5363 | 2021-02-23 11:21
File: file1.jpg.exe | MD5: bab5de876317b61245488f04d75ad33a
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
16.0 | M | 40 | ZeroCERT

5364 | 2021-02-23 12:44
File: daji.exe | MD5: 096da551ab960e72a876f4c922d017ac
Tags: VirusTotal Malware AutoRuns suspicious privilege unpack itself malicious URLs Windows
Hosts (3): s2010218.f3322.net(58.218.67.253) - mailcious r.pengyou.com(0.0.0.1) - mailcious 58.218.67.253 - mailcious
6.2 | M | 52 | ZeroCERT

5365 | 2021-02-23 12:46
File: IMG_01670_Scanned.jpg.exe | MD5: bb78d2def4dedae9e7ab93082d1e5a56
Tags: FormBook Malware download VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process malicious URLs Windows ComputerName DNS Cryptographic key
URLs (22):
Hosts (20):
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
14.0 | M | 40 | ZeroCERT

5366 | 2021-02-23 13:18
File: IMG_7742_Scanned.jpg.exe | MD5: b68f5e610c36752a3803d8a8204159fb
Tags: FormBook Malware download VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows ComputerName Cryptographic key
URLs (22):
Hosts (22):
Alerts (4):
  ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2
  ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M2
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M2
12.4 | M | 39 | ZeroCERT

5367 | 2021-02-23 13:23
File: IMG_6078_SCANNED.jpg.exe | MD5: 98b7438e7128ce0e2e983e50f2a4f4ed
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://95.181.172.200/ro/z/pin.php
Hosts (1):
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
16.6 | M | 29 | ZeroCERT

5368 | 2021-02-23 13:24
File: IMG_61061_SCANNED.jpg.exe | MD5: 96ee30ef07bdc81ad2362a4ec3dc6b2a
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows Browser Email ComputerName DNS Cryptographic key Software crashed
15.2 | M | 37 | ZeroCERT

5369 | 2021-02-23 13:32
File: IN90003844.exe | MD5: f57d087472fdeac6df9751ad5d0c0965
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName Software crashed keylogger
11.2 | M | 59 | ZeroCERT

5370 | 2021-02-23 13:32
File: IMG_71106_SCANNED.jpg.exe | MD5: 88e0de608b9deebe3aa0925029b0fde3
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200) checkip.dyndns.org(162.88.193.70) 162.88.193.70 172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
17.8 | M | 31 | ZeroCERT
