| 5401 |
2021-02-24 09:59
|
NewOrder.exe 6dd83e20f43a9bd2e136fcd77131f7e4
VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5402 |
2021-02-24 09:59
|
PCkeiTarv6iiGIr.exe 208aa1d897aa53ff9fe71cf3d3e9ddcd
VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5403 |
2021-02-24 10:11
|
regasm.exe a34368a13cf3838ff8860de92e688ef9
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software |
1
http://becharnise.ir/fb6/fre.php - rule_id: 279
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://becharnise.ir/fb6/fre.php
|
9.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5404 |
2021-02-24 10:11
|
tnf.exe e48ba1147b75508b7f58cace584373cb
VirusTotal Malware unpack itself Remote Code Execution DNS |
|
|
|
|
3.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5405 |
2021-02-24 12:17
|
v.exe fac509b5175d3647945bdbf7ac010acc
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
7.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5406 |
2021-02-24 12:18
|
update-22.exe eb332fd9cc8be8e6a60d4ff9c5f5fcf7
Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications AppData folder malicious URLs suspicious TLD WriteConsoleW anti-virtualization installed browsers check Windows Browser Trojan DNS Software |
2
http://update0019992.ru/gate.php
http://update0019992.ru/0321.exe
|
2
update0019992.ru(185.42.12.131)
185.42.12.131 - mailcious
|
3
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
16.0 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5407 |
2021-02-24 19:22
|
VOP.exe d7e81abce9332847471b89e50b241172
VirusTotal Malware |
|
|
|
|
1.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5408 |
2021-02-24 19:23
|
vbc.exe ddd12f311426d418e5e017ad76941dbb
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Software |
3
http://or-logistlcs.com/zoro/zoro3/fre.php - rule_id: 287
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:2599645791&cup2hreq=c2ba0303595974d978506352344dd859c2f160d3cb7e163814583ef06301fbd5
|
4
edgedl.gvt1.com(142.250.34.2)
or-logistlcs.com(78.155.205.35) - mailcious
142.250.34.2
78.155.205.35
|
11
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://or-logistlcs.com/zoro/zoro3/fre.php
|
11.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5409 |
2021-02-24 19:28
|
2200.dll 8478376cc9f6f4143330e13a29910e0e
VirusTotal Malware PDB unpack itself |
|
|
|
|
1.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5410 |
2021-02-24 19:32
|
winlog.exe f10054d325df455c58ecb16ea660d3f2
FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder malicious URLs sandbox evasion Windows |
26
http://www.mmstruckingllc.com/4qdc/
http://www.hezhengnet.com/4qdc/?sBvD8D=DESRs6IdHJEpm4yw51yxInN9HPcxKcfrrsMcjbMTEpkK3ZIiivOFSgPXGjWJZ3QzqmoTDbQr&APcTS4=2dpx4
http://www.sandrapidal.com/4qdc/
http://www.sandrapidal.com/4qdc/?sBvD8D=Jf+Pqdm8N5fM9VZ2wKWnoUT7iExpB1l8ZZ0SuVjNFHrHfdMvDW4RlhrTPxXZeHJqeUPw8ZTq&APcTS4=2dpx4
http://www.equiposddl.com/4qdc/
http://www.tarpleymusic.info/4qdc/?sBvD8D=S++3y3EmTTTplvptUl2KOuHs7ASQiLkZvG5oDf2R3dOcyh6LVahUGmc4rRDWLNgZoeGySt/x&APcTS4=2dpx4
http://www.39palmavenue.com/4qdc/?sBvD8D=ZB8Pl5eDf8aho280P6iGhrGYsApNwIB7ekYXKTVFcKlD8S9L9SaQPCrtSuLaXlZvBT4zjJAF&APcTS4=2dpx4
http://www.beconfidentagain.com/4qdc/
http://www.codejunkys.com/4qdc/
http://www.39palmavenue.com/4qdc/
http://www.speedysnacksbox.com/4qdc/?sBvD8D=oetlJbtj0tgqDzrmxGtc819EDOSw/wKhNDKeGQ7agYbSWM8ZAAA077UwGoI5FIR665gFnERZ&APcTS4=2dpx4
http://www.larek.store/4qdc/?sBvD8D=ksdKauA40BLufk3o7PhmpJWWpS+APqZ7qoEqdT5jR8wX4FZqQLBgVKK1weN39IAf8RbB/LvC&APcTS4=2dpx4
http://www.officialgiftclub.com/4qdc/
http://www.officialgiftclub.com/4qdc/?sBvD8D=qYGSGtCbZFmMWCpSQqz1JucUVnxJeJoeahlKEbPa/Lu7IBLzSDzZS1GsiShIcvlAR7bSvwnK&APcTS4=2dpx4
http://www.mmstruckingllc.com/4qdc/?sBvD8D=oK3elT1JgyFAW660P1yLagQVOGuoIO8gDXTsb9cadnXvKIo9/Ks69xA9wmy+tFRqNWeSFNh1&APcTS4=2dpx4
http://www.tarpleymusic.info/4qdc/
http://www.buildassetswealth.com/4qdc/?sBvD8D=t6rgzpTjZdy0+k83991GCjSWOfv9/TODS4Ek6OC62IlgiroDTvf2cwXn6E2WBeZOaOndKChy&APcTS4=2dpx4
http://www.speedysnacksbox.com/4qdc/
http://www.beconfidentagain.com/4qdc/?sBvD8D=uT9syTVHQAugJys1vi0ORJwgGNlm67yR3E6S9rKwhzoBUu+CtDrzM4qRkW7esx6aXU7lh8YE&APcTS4=2dpx4
http://www.hezhengnet.com/4qdc/
http://www.oscarandmarina.com/4qdc/
http://www.buildassetswealth.com/4qdc/
http://www.larek.store/4qdc/
http://www.equiposddl.com/4qdc/?sBvD8D=seo4KtAVJ3hZFyZ3tFjoxqkgDldoxUIk7lgrfGyblEtLt+g6uaUe1M/25hiyLLuVckujptna&APcTS4=2dpx4
http://www.codejunkys.com/4qdc/?sBvD8D=lg+kM9JZ+ZcD9QOlP+KMIECEyC5ycBWcBxQSqRKWh4De9Tij0cRgC2smSDVBCjG0ShLs5Q5Z&APcTS4=2dpx4
http://www.oscarandmarina.com/4qdc/?sBvD8D=/K9fKEm1iVU/vQdq9qjMpN7djpymTmJxGBmtfBNPc89EpBqGqireW4HrVkBB+pc66so9RLiq&APcTS4=2dpx4
|
25
www.speedysnacksbox.com(34.102.136.180)
www.buildassetswealth.com(34.102.136.180)
www.torontotel.com()
www.qm7886.com()
www.hezhengnet.com(75.2.66.247)
www.codejunkys.com(91.195.241.137)
www.mmstruckingllc.com(34.102.136.180)
www.equiposddl.com(34.80.190.141)
www.officialgiftclub.com(23.227.38.74)
www.sandrapidal.com(185.99.187.155)
www.beconfidentagain.com(104.21.76.239)
www.tarpleymusic.info(184.168.131.241)
www.larek.store(185.104.45.146)
www.39palmavenue.com(23.253.73.122)
www.oscarandmarina.com(184.168.131.241)
23.253.73.122
184.168.131.241 - mailcious
185.104.45.146
91.195.241.137 - mailcious
185.99.187.155
34.102.136.180 - mailcious
34.80.190.141 - mailcious
172.67.202.77
23.227.38.74 - mailcious
99.83.224.11
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5411 |
2021-02-24 20:25
|
alfile.exe fd916b27fb57ad76c767e6753d7f68ed
VirusTotal Malware unpack itself |
|
|
|
|
2.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5412 |
2021-02-24 20:28
|
cosz.exe f4318c74d987c8ad1f3030f7589accdf
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
8.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5413 |
2021-02-24 20:30
|
crypt_MC.exe da82741efad64eea568ae23f173cfbd7
VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Checks Bios Detects VMWare Check virtual network interfaces AppData folder malicious URLs VMware anti-virtualization Tofsee Windows Firmware DNS crashed |
7
https://pastebin.com/raw/6krWSuyQ
https://www.bing.com/
https://pastebin.com/raw/ZRsg4svJ
https://iplogger.org/1nzde7
https://pastebin.com/raw/JJxgrwan
https://blog.agencia10x.com/trapday.exe
https://pastebin.com/raw/mcfQfZNu
|
8
iplogger.org(88.99.66.31)
www.google.com(216.58.197.196)
pastebin.com(104.23.99.190) - mailcious
blog.agencia10x.com(104.21.67.51) - malware
172.67.213.210
88.99.66.31 - mailcious
172.217.24.68
104.23.98.190 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5414 |
2021-02-24 20:32
|
cosz.exe f4318c74d987c8ad1f3030f7589accdf
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
12.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5415 |
2021-02-25 09:14
|
embarf.point.exe 884dab96c679194fc5140322d5ce9e9d
VirusTotal Malware Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|