5401 |
2021-02-24 09:59
|
NewOrder.exe 6dd83e20f43a9bd2e136fcd77131f7e4 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
2.4 |
M |
30 |
ZeroCERT
5402 |
2021-02-24 09:59
|
PCkeiTarv6iiGIr.exe 208aa1d897aa53ff9fe71cf3d3e9ddcd VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
2.8 |
M |
26 |
ZeroCERT
5403 |
2021-02-24 10:11
|
regasm.exe a34368a13cf3838ff8860de92e688ef9 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software |
1
http://becharnise.ir/fb6/fre.php - rule_id: 279
|
2
becharnise.ir(185.208.180.121) - mailcious 185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://becharnise.ir/fb6/fre.php
|
9.8 |
M |
31 |
ZeroCERT
5404 |
2021-02-24 10:11
|
tnf.exe e48ba1147b75508b7f58cace584373cb VirusTotal Malware unpack itself Remote Code Execution DNS |
3.4 |
M |
47 |
ZeroCERT
5405 |
2021-02-24 12:17
|
v.exe fac509b5175d3647945bdbf7ac010acc VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
7.8 |
M |
26 |
ZeroCERT
5406 |
2021-02-24 12:18
|
update-22.exe eb332fd9cc8be8e6a60d4ff9c5f5fcf7 Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications AppData folder malicious URLs suspicious TLD WriteConsoleW anti-virtualization installed browsers check Windows Browser Trojan DNS Software |
2
http://update0019992.ru/gate.php http://update0019992.ru/0321.exe
|
2
update0019992.ru(185.42.12.131) 185.42.12.131 - mailcious
|
3
ET MALWARE Possible Malicious Macro DL EXE Feb 2016 ET MALWARE Trojan Generic - POST To gate.php with no referer ET POLICY PE EXE or DLL Windows file download HTTP
|
|
16.0 |
M |
33 |
ZeroCERT
5407 |
2021-02-24 19:22
|
VOP.exe d7e81abce9332847471b89e50b241172 VirusTotal Malware |
1.2 |
M |
47 |
ZeroCERT
5408 |
2021-02-24 19:23
|
vbc.exe ddd12f311426d418e5e017ad76941dbb Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Software |
3
http://or-logistlcs.com/zoro/zoro3/fre.php - rule_id: 287 http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:2599645791&cup2hreq=c2ba0303595974d978506352344dd859c2f160d3cb7e163814583ef06301fbd5
|
4
edgedl.gvt1.com(142.250.34.2) or-logistlcs.com(78.155.205.35) - mailcious 142.250.34.2 78.155.205.35
|
11
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://or-logistlcs.com/zoro/zoro3/fre.php
|
11.0 |
M |
48 |
ZeroCERT
5409 |
2021-02-24 19:28
|
2200.dll 8478376cc9f6f4143330e13a29910e0e VirusTotal Malware PDB unpack itself |
1.8 |
M |
28 |
ZeroCERT
5410 |
2021-02-24 19:32
|
winlog.exe f10054d325df455c58ecb16ea660d3f2 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder malicious URLs sandbox evasion Windows |
26
|
25
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.0 |
M |
48 |
ZeroCERT
5411 |
2021-02-24 20:25
|
alfile.exe fd916b27fb57ad76c767e6753d7f68ed VirusTotal Malware unpack itself |
2.4 |
M |
49 |
ZeroCERT
5412 |
2021-02-24 20:28
|
cosz.exe f4318c74d987c8ad1f3030f7589accdf VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
8.4 |
M |
34 |
ZeroCERT
5413 |
2021-02-24 20:30
|
crypt_MC.exe da82741efad64eea568ae23f173cfbd7 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Checks Bios Detects VMWare Check virtual network interfaces AppData folder malicious URLs VMware anti-virtualization Tofsee Windows Firmware DNS crashed |
7
https://pastebin.com/raw/6krWSuyQ https://www.bing.com/ https://pastebin.com/raw/ZRsg4svJ https://iplogger.org/1nzde7 https://pastebin.com/raw/JJxgrwan https://blog.agencia10x.com/trapday.exe https://pastebin.com/raw/mcfQfZNu
|
8
iplogger.org(88.99.66.31) www.google.com(216.58.197.196) pastebin.com(104.23.99.190) - mailcious blog.agencia10x.com(104.21.67.51) - malware 172.67.213.210 88.99.66.31 - mailcious 172.217.24.68 104.23.98.190 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
44 |
ZeroCERT
5414 |
2021-02-24 20:32
|
cosz.exe f4318c74d987c8ad1f3030f7589accdf VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key crashed |
12.0 |
M |
34 |
ZeroCERT
5415 |
2021-02-25 09:14
|
embarf.point.exe 884dab96c679194fc5140322d5ce9e9d VirusTotal Malware Checks debugger unpack itself |
2.4 |
M |
39 |
ZeroCERT