5446 | 2021-02-25 15:09
Sample: svch.exe (MD5 c2b9721f7f6892761514f55bc7a7fecb)
Tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software
URLs (2): http://www.cambridgelodge.com.au/wp-admin/js/Panel/five/fre.php; http://coroloboxorozor.com/base/03329EE96F201F380B0160C072BE819C.html - rule_id: 288
Hosts (4): coroloboxorozor.com (172.67.172.17) - malicious; www.cambridgelodge.com.au (27.121.66.73); 104.21.71.230 - malicious; 27.121.66.73
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Extracted URLs (1): http://coroloboxorozor.com/base/
Score: 15.0 | M | VT: 30 | ZeroCERT

5447 | 2021-02-25 15:51
Sample: System32.exe (MD5 93c15cbf5aa7c60824404ffb63db9998)
Tags: AutoRuns, MachineGuid, Check memory, Checks debugger, unpack itself, Windows, Cryptographic key, crashed
URLs: none
Hosts: none
Signatures: none
Extracted URLs: none
Score: 2.6 | M | ZeroCERT

5448 | 2021-02-25 15:51
Sample: vbc.exe (MD5 074c396a4b75da68d3c038f3c2105829)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, Buffer PE, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (2): http://coroloboxorozor.com/base/F31A591A992F9F10459CA91956D4B922.html - rule_id: 288; http://coroloboxorozor.com/base/7E698E4C45D33D02E9E58579AE794079.html - rule_id: 288
Hosts (3): coroloboxorozor.com (104.21.71.230) - malicious; 45.147.198.227; 172.67.172.17
Signatures: none
Extracted URLs (2): http://coroloboxorozor.com/base/ (listed twice)
Score: 17.4 | M | VT: 28 | ZeroCERT

5449 | 2021-02-25 17:20
Sample: vbc2.exe (MD5 507f7ce0a2a3ecd308d735d9a4b98d2c)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software
URLs: none
Hosts (1): 51.195.53.221 - malicious
Signatures: none
Extracted URLs: none
Score: 13.8 | M | VT: 42 | ZeroCERT

5450 | 2021-02-25 17:27
Sample: vbc3.exe (MD5 507f7ce0a2a3ecd308d735d9a4b98d2c, same file as 5449)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software
URLs: none
Hosts (1): 51.195.53.221 - malicious
Signatures: none
Extracted URLs: none
Score: 14.8 | M | VT: 42 | ZeroCERT

5451 | 2021-02-25 17:28
Sample: 1111START.exe (MD5 12b02f4f89aa1a5e632dfe82d8e242ca)
Tags: VirusTotal, Cryptocurrency Miner, Malware, Cryptocurrency, AutoRuns, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, Checks Bios, Detects VMWare, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, WriteConsoleW, VMware anti-virtualization, Tofsee, Windows, ComputerName, Firmware, DNS, crashed
URLs (7): https://blog.agencia10x.com/Clipper_gooodjobb.exe; https://iplogger.org/1rst77; https://iplogger.org/1nzde7; https://pastebin.com/raw/NahZ7XWL; https://iplogger.org/1r9Hp7; https://pastebin.com/raw/JQ9Es8Mg; https://blog.agencia10x.com/crypt_MC_miner_goodjob.exe
Hosts (11): pool.minexmr.com (178.32.120.127) - malicious; iplogger.org (88.99.66.31); pastebin.com (104.23.99.190) - malicious; blog.agencia10x.com (172.67.213.210) - malware; 88.99.66.31 - malicious; 104.21.67.51 - malware; 195.2.84.91 - malware; 104.23.98.190 - malicious; 51.68.21.188 - malicious; 178.32.120.127 - malicious; 94.130.165.85
Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY DNS request for Monero mining pool; ET INFO Dotted Quad Host ZIP Request
Extracted URLs: none
Score: 15.4 | M | VT: 47 | ZeroCERT

5452 | 2021-02-25 18:04
Sample: mex.exe (MD5 70dca411445d3b4394d9c467bf3ff994)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Collect installed applications, Detects VirtualBox, Detects VMWare, Check virtual network interfaces, malicious URLs, VMware anti-virtualization, installed browsers check, Tofsee, Ransomware, Windows, Browser, ComputerName, Firmware, DNS, Cryptographic key, Software, crashed
URLs (1): not listed
Hosts (7): WHOIS.APNIC.NET (172.104.77.201); whois.iana.org (192.0.32.59); api.ip.sb (172.67.75.172); 172.67.75.172; 172.104.77.201; 87.251.71.75 - malicious; 192.0.32.59
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Extracted URLs: none
Score: 13.0 | M | VT: 53 | ZeroCERT

5453 | 2021-02-25 18:09
Sample: New_mix_.exe (MD5 ba0a5f07334577cb52cc9df482e056b7)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, malicious URLs, installed browsers check, Tofsee, Ransomware, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (3): http://86.107.197.8:3214/; https://www.bing.com/; https://api.ip.sb/geoip
Hosts (10): WHOIS.APNIC.NET (172.104.79.63); www.google.com (172.217.174.100); whois.iana.org (192.0.32.59); api.ip.sb (172.67.75.172); 172.67.75.172; 192.0.32.59; 13.107.21.200; 142.250.199.68; 86.107.197.8; 172.104.79.63
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
Extracted URLs: none
Score: 15.6 | M | VT: 30 | ZeroCERT

5454 | 2021-02-25 18:15
Sample: regasm.exe (MD5 42570d1bbe61dcc04cccf86c985e4961)
Tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, malicious URLs, AntiVM_Disk, sandbox evasion, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1): http://becharnise.ir/fb6/fre.php - rule_id: 279
Hosts (2): becharnise.ir (185.208.180.121) - malicious; 185.208.180.121 - malicious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Extracted URLs (1): http://becharnise.ir/fb6/fre.php
Score: 10.2 | M | VT: 24 | ZeroCERT

5455 | 2021-02-25 18:17
Sample: tnf.exe (MD5 60ba69b7155f5e11a3edfe47f5841fe3)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Cryptocurrency Miner, Malware, Cryptocurrency wallets, Cryptocurrency, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, ICMP traffic, unpack itself, Windows utilities, Checks Bios, Collect installed applications, Detects VirtualBox, Detects VMWare, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, suspicious TLD, WriteConsoleW, VMware anti-virtualization, installed browsers check, Tofsee, Ransomware, Windows, Browser, Email, ComputerName, Firmware, DNS, Cryptographic key, Software, crashed
URLs (9): http://178.20.44.153/crypt_loader_mix.exe; https://iplogger.org/1r2et7; https://iplogger.org/1tsef7; https://fckcloudf.top//l/f/vB122HcBuI_ccNKoq57k/4825e3ce43c9c8037090f05b40ca43a21bc0e5b0; https://fckcloudf.top/; https://api.ip.sb/geoip; https://tttttt.me/jrrand0mer; https://fckcloudf.top//l/f/vB122HcBuI_ccNKoq57k/393ab60e0d09ad4206b5fb6641450b7dbf1fc07c; https://iplogger.org/1nsMw7
Hosts (26): pool.minexmr.com (94.130.164.163) - malicious; www.google.com (172.217.26.4); WHOIS.APNIC.NET (172.104.77.201); blog.agencia10x.com (172.67.213.210) - malware; api.ip.sb (104.26.12.31); tttttt.me (95.216.186.40) - malicious; fckcloudf.top (172.67.194.108); iplogger.org (88.99.66.31); whois.iana.org (192.0.32.59); pastebin.com (104.23.98.190) - malicious; 172.67.213.210 - malware; 192.0.32.59; 104.21.41.220; 178.20.44.153; 88.99.66.31 - malicious; 13.107.21.200; 104.23.99.190 - malicious; 195.2.84.91 - malware; 87.251.71.75 - malicious; 172.104.79.63; 88.99.193.240; 51.254.84.37 - malicious; 95.216.186.40 - malicious; 216.58.220.196; 94.130.165.87; 104.26.13.31
Signatures (8): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET DNS Query to a *.top domain - Likely Hostile; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO Dotted Quad Host ZIP Request; ET POLICY DNS request for Monero mining pool
Extracted URLs: none
Score: 27.8 | M | VT: 41 | ZeroCERT

5456 | 2021-02-25 18:24
Sample: vbc2.exe (MD5 f7df06763242e98b83d0367202379ad1)
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, Cryptographic key
URLs: none
Hosts: none
Signatures: none
Extracted URLs: none
Score: 7.8 | M | VT: 21 | ZeroCERT

5457 | 2021-02-25 18:24
Sample: vbc.exe (MD5 00f5f529af85bb9acf04ae57da30e1f5)
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key
URLs: none
Hosts: none
Signatures: none
Extracted URLs: none
Score: 10.4 | M | VT: 20 | ZeroCERT

5458 | 2021-02-25 18:29
Sample: winlog.exe (MD5 360437b30bd9db4fa30bb9399d712948)
Tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, Software
URLs (1): http://or-logistlcs.com/zoro/zoro2/fre.php - rule_id: 294
Hosts (2): or-logistlcs.com (78.155.205.35) - malicious; 78.155.205.35 - malicious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Extracted URLs (1): http://or-logistlcs.com/zoro/zoro2/fre.php
Score: 12.6 | M | VT: 27 | ZeroCERT

5459 | 2021-02-26 09:31
Sample: Multas,Lugar y Hora.vbs (MD5 4f8a13f5cc132e50e3cfa031f571745f)
Tags: Malware, VBScript, powershell, Buffer PE, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, wscript.exe, payload download, Creates shortcut, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key, DDNS, Dropper
URLs (4): http://elvbs.store/vbs/2278466649.txt - rule_id: 289; http://elvbs.store/vbs/2278466649.txt; https://paste.ee/r/bXy8G/0 - rule_id: 290; https://paste.ee/r/WbDha/0 - rule_id: 291
Hosts (6): paste.ee (172.67.219.133) - malicious; elvbs.store (31.170.166.149) - malware; negamerproteiper87.duckdns.org (46.246.26.71) - malicious; 172.67.219.133 - malicious; 46.246.26.71; 31.170.166.149 - malware
Signatures (2): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Extracted URLs (3): http://elvbs.store/vbs/; https://paste.ee/r/bXy8G/0; https://paste.ee/r/WbDha/0
Score: 10.0 | M | ZeroCERT

5460 | 2021-02-26 09:46
Sample: 1.exe (MD5 a864386e5111b893dde1fc1188e9b529)
Tags: VirusTotal, Cryptocurrency Miner, Malware, Cryptocurrency, PDB, Code Injection, Check memory, Creates executable files, unpack itself, Windows utilities, Auto service, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, WriteConsoleW, Windows, ComputerName, Firmware
URLs: none
Hosts (2): mine.c3pool.com (101.32.200.219); 101.32.73.178
Signatures (1): ET POLICY Cryptocurrency Miner Checkin
Extracted URLs: none
Score: 8.2 | M | VT: 47 | ZeroCERT
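The entries above are only useful downstream once their indicators are pulled out, typed and defanged. The following is an added example, not code from the feed or from ZeroCERT: it takes one record in the layout of 5446 (the values are the ones listed there; the one-field-per-line layout is an assumption about how the feed is scraped, and the record text is constructed inline), extracts MD5, URLs, domains, resolved name-to-IP pairs and routable IPv4 addresses, reads the malware family off the ET signature names, and emits a defanged list. One caveat it handles: the LokiBot panel path seen in records 5446 and 5448 carries a 32-character hex token in the file name, so URLs are scrubbed before the sample hash is searched for, otherwise the C2 path token is mistaken for an MD5.

```python
import ipaddress
import re

# Constructed sample in the layout of record 5446 above: the sample line (file
# name, MD5, tags), then the URL, host and Suricata-signature fields. The values
# are the ones the page lists; the one-field-per-line layout is an assumption
# about how the feed is scraped.
SAMPLE_RECORD = """\
svch.exe c2b9721f7f6892761514f55bc7a7fecb Browser Info Stealer LokiBot Malware download FTP Client Info Stealer
http://www.cambridgelodge.com.au/wp-admin/js/Panel/five/fre.php http://coroloboxorozor.com/base/03329EE96F201F380B0160C072BE819C.html - rule_id: 288
coroloboxorozor.com(172.67.172.17) - malicious www.cambridgelodge.com.au(27.121.66.73) 104.21.71.230 - malicious 27.121.66.73
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Fake 404 Response
"""

URL_RE = re.compile(r"https?://\S+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "name(ip)" pairs, which is how the feed prints a resolved host name.
HOST_RE = re.compile(r"\b([a-z0-9][a-z0-9.-]*\.[a-z]{2,})\((\d{1,3}(?:\.\d{1,3}){3})\)", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
ET_FAMILY_RE = re.compile(r"\bET MALWARE ([A-Za-z0-9_]+)")


def url_host(url: str) -> str:
    """Host part of a URL (no port); done by hand so doubled slashes in paths are harmless."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def is_global(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # the regex admits octets above 255
        return False


def extract_iocs(record: str) -> dict:
    urls = sorted(set(URL_RE.findall(record)))
    # The LokiBot panel path itself carries a 32-hex token (see the .html names in
    # records 5446 and 5448), so scrub URLs before hunting for the sample's MD5.
    without_urls = URL_RE.sub(" ", record)
    md5s = sorted(set(MD5_RE.findall(without_urls.lower())))
    resolved = {name.lower(): ip for name, ip in HOST_RE.findall(record)}
    domains = set(resolved)
    for u in urls:
        host = url_host(u)
        if not IPV4_RE.fullmatch(host):
            domains.add(host)
    # Sandbox resolvers and RFC 1918 noise can land in the host list; keep only routable space.
    ips = {ip for ip in IPV4_RE.findall(record) if is_global(ip)}
    families = sorted(set(ET_FAMILY_RE.findall(record)))
    return {
        "md5": md5s,
        "urls": urls,
        "domains": sorted(domains),
        "ipv4": sorted(ips),
        "resolved": resolved,
        "families": families,
    }


def defang(ioc: str) -> str:
    """hxxp:// plus bracketed dots in the host part only, so the indicator is not clickable."""
    if "://" in ioc:
        scheme, rest = ioc.split("://", 1)
        host, sep, path = rest.partition("/")
        return scheme.lower().replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path
    return ioc.replace(".", "[.]")


def defanged_indicators(iocs: dict) -> list:
    """Flat, shareable list: URLs, then domains, then IPs, all defanged."""
    return [defang(x) for x in iocs["urls"] + iocs["domains"] + iocs["ipv4"]]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_RECORD)
    print("family:", ", ".join(found["families"]), "md5:", ", ".join(found["md5"]))
    for line in defanged_indicators(found):
        print(line)
```

Run it as a script to get the family, hash and defanged indicator list for the constructed record; feed it the other records in the same layout and the `resolved` map gives the name-to-IP pairs at analysis time, which is what a historical passive-DNS pivot needs. The `- malicious` / `- malware` labels the feed attaches to hosts are deliberately not parsed: they are the feed's own verdicts, and a blocklist should carry the indicator with its source rather than inherit a verdict it cannot reproduce.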