5536 | 2021-03-02 15:36 | ZeroCERT
Sample: document2.doc (MD5 2fdf771221253c034cb69f52209d9de3)
Tags: Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs: none
Hosts (1): none listed
Signatures (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.2 | M | 26

5537 | 2021-03-02 15:38 | ZeroCERT
Sample: F6RTDU8mL5raqwH.pdf.exe (MD5 8c57f9d8979fbf2747ad0cc1408dd133)
Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS keylogger
URLs: none
Hosts (2):
  shahzad73.casacam.net(91.212.153.84) - malicious
  91.212.153.84 - malicious
Signatures: none
Score: 12.8 | M | 25

5538 | 2021-03-02 16:02 | ZeroCERT
Sample: febsc.exe (MD5 d982bc6d34d36e1d584c8541b9fd3ab8)
Tags: VirusTotal Malware unpack itself malicious URLs Remote Code Execution
URLs: none
Hosts: none
Signatures: none
Score: 2.6 | M | 57

5539 | 2021-03-02 16:04 | ZeroCERT
Sample: febs.exe (MD5 ba08ebebc0859783501f5c5ad2e22425)
Tags: FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS
URLs (16):
  http://www.albunyan.net/akjg/
  http://www.cynding.com/akjg/?CP=jWqwEiON+vh8jBCco1GX67GB0f94OKdV8R5ZL/1bkloyIfFYfndB36UKnN/7f0vblD7P/FfI&nX=Txl0dbhP5VmD3
  http://www.jlintuitivedesign.com/akjg/
  http://www.southamericastreetball.com/akjg/
  http://www.homeilluminationz.com/akjg/?CP=p4uC2bbW+1tOQoJv5zVXMYHycBs/umhiIpxP5tyb2A2MCdo8hYQM7MmGp7QsfJjbkASTYik8&nX=Txl0dbhP5VmD3
  http://www.teamsilike.com/akjg/
  http://www.cynding.com/akjg/
  http://www.jlintuitivedesign.com/akjg/?CP=FLD+4oCbaMJSCRAQt+7TAdkVEY4DDPm16+P8NhswyzFB4RpyWSRrvankZxw/H/wEEb6G6okI&nX=Txl0dbhP5VmD3
  http://www.thefolkloreforest.com/akjg/
  http://www.thefolkloreforest.com/akjg/?CP=77ynH+jK1zMTfLXA1x2yn5Nj8gXvoMzXisZfaxa7ayoCAYrTKT8LtYJFxQGF6gwyyjgwGN6O&nX=Txl0dbhP5VmD3
  http://www.southamericastreetball.com/akjg/?CP=PmdIRmmitnT9vcCxPTHtuVFRsdPm0Ei2jbNxj4Ru5iw+W23tp1iBl386TY+8+T2T0w3R+XKe&nX=Txl0dbhP5VmD3
  http://www.quantumfibersolution.com/akjg/
  http://www.homeilluminationz.com/akjg/
  http://www.teamsilike.com/akjg/?CP=VfhhGrtRaeLEY52oORiJDQeTZ2q0OTWOGeFs7M+Jo1NLp22JF6wSRL5UtgTdr1v1hvJiAGa6&nX=Txl0dbhP5VmD3
  http://www.albunyan.net/akjg/?CP=wR73bOoHJTW/Jga1xSgdGy6jh83HSflClW5QGN93ZAhe/empoutr2rnGqXZEqOSPRoiYGWS0&nX=Txl0dbhP5VmD3
  http://www.quantumfibersolution.com/akjg/?CP=X1lRwW5Q7TjKblC+7NGfC8V9sYxjs6/xU2gfum0xVYGi23p2PU/zmdmqZrsTTzXcULJ4n7ru&nX=Txl0dbhP5VmD3
Hosts (17):
  www.albunyan.net(34.102.136.180)
  www.southamericastreetball.com(34.102.136.180)
  www.quantumfibersolution.com(34.102.136.180)
  www.cynding.com(151.101.192.119)
  www.teamsilike.com(45.192.122.209)
  www.shianjunye.com(47.244.244.180)
  www.thefolkloreforest.com(202.124.241.178)
  www.blocknicnain.com()
  www.jobs-metro.com()
  www.jlintuitivedesign.com(173.231.207.172)
  www.homeilluminationz.com(34.102.136.180)
  173.231.207.172
  47.244.244.180
  34.102.136.180 - malicious
  151.101.0.119
  202.124.241.178
  45.192.122.209
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 7.4 | M | 20

5540 | 2021-03-02 16:15 | ZeroCERT
Sample: file.exe (MD5 e6d1e080cea89eab46ccd90418b62ec7)
Tags: VirusTotal Malware unpack itself
URLs: none
Hosts: none
Signatures: none
Score: 2.4 | M | 37

5541 | 2021-03-02 16:15 | ZeroCERT
Sample: regasm.exe (MD5 43f9fd0e3e8bf66bee9581e616f870f5)
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1):
  http://hiqhway39clothing.com/zoro/zoro6/fre.php
Hosts (2):
  hiqhway39clothing.com(45.8.124.39)
  45.8.124.39
Signatures (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Score: 10.4 | M | 22

5542 | 2021-03-02 16:36 | ZeroCERT
Sample: regasm2.exe (MD5 3ec57bc71a3024b83bcbed9ec1a85888)
Tags: VirusTotal Malware unpack itself malicious URLs
URLs: none
Hosts: none
Signatures: none
Score: 2.6 | M | 28

5543 | 2021-03-02 16:37 | ZeroCERT
Sample: RPI_Scanned_701.pdf.exe (MD5 e4dfcc8b181667438f4df1b788929e0f)
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(131.186.161.70)
  162.88.193.70
  104.21.19.200
Signatures (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY DynDNS CheckIp External IP Address Server Response
Score: 16.6 | M | 25

5544 | 2021-03-02 16:39 | ZeroCERT
Sample: RPI_Scanned_01507.jpg.exe (MD5 eb75677a28024f4bbc9cab2c69894c9d)
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(131.186.161.70)
  131.186.113.70
  172.67.188.154
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
Score: 17.0 | M | 27

5545 | 2021-03-02 18:14 | ZeroCERT
Sample: scan.exe (MD5 e9dcdd1b1719d0b6784ce1cae84c200e)
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName DNS Cryptographic key crashed
URLs: none
Hosts: none
Signatures: none
Score: 11.8 | M | 37

5546 | 2021-03-02 18:15 | ZeroCERT
Sample: https://zoomba619.blogspot.com... (MD5 9c804308bb43d9f9942d16382b47d50a)
Tags: VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (28):
  https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
  https://zoomba619.blogspot.com/favicon.ico
  https://www.google.com/css/maia.css
  https://fonts.googleapis.com/css?family=Open+Sans:300
  https://www.google.com/gen_204?atyp=i&zx=1614676260899&sei=LQE-YPC2PJSxtQbD7LuYDA&ogf=.40.40.40.76.40.40.40.&ogrp=&ogv=358727508.0&ogd=&ogc=KOR&ogl=ko&oggv=quantum%3AgapiBuildLabel&jexpid=&srcpg=prop%3D30&jsr=10&emsg=ReferenceError%3A'console'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.
  https://www.blogger.com/static/v1/widgets/2473628150-widgets.js
  https://www.google-analytics.com/analytics.js
  https://www.blogger.com/blogin.g?blogspotURL=https://zoomba619.blogspot.com/p/b2.html
  https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://zoomba619.blogspot.com/p/b2.html%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://zoomba619.blogspot.com/p/b2.html%26bpli%3D1&passive=true&go=true
  https://ssl.gstatic.com/gb/images/p1_cfd8cf40.png
  https://www.blogger.com/img/share_buttons_20_3.png
  https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fzoomba619.blogspot.com%2Fp%2Fb2.html&bpli=1
  https://zoomba619.blogspot.com/p/b2.html
  https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
  https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Yi2_l953dwg.O/rt=j/m=q_d,qawd,qmd,qsd,qmutsd,qapid/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtb,qhtt/d=1/ed=1/rs=AA2YrTukMeXtxdl-OH9-2R7CQbBSwE70Hg
  https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
  https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.GTg18L1Wqko.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_RJSdiavtoJQlz9JCcpOM9qnUIlw/cb=gapi.loaded_0
  https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
  https://www.blogger.com/dyn-css/authorization.css?targetBlogID=2525772521150521786&zx=9421adcd-07e7-4170-b701-6dfd427bbbe2
  https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff
  https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
  https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
  https://www.blogger.com/img/blogger-logotype-color-black-1x.png
  https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
  https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
  https://resources.blogblog.com/img/icon18_edit_allbkg.gif
  https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
  https://resources.blogblog.com/img/icon18_wrench_allbkg.png
Hosts (21):
  zoomba619.blogspot.com(172.217.26.1) - malicious
  resources.blogblog.com(172.217.25.201)
  www.google.com(216.58.197.228)
  www.gstatic.com(216.58.197.163)
  ssl.gstatic.com(216.58.197.227)
  accounts.google.com(216.58.197.173)
  www.google-analytics.com(216.58.197.174)
  apis.google.com(172.217.175.110)
  fonts.gstatic.com(172.217.25.67)
  fonts.googleapis.com(172.217.175.234)
  www.blogger.com(172.217.25.201)
  172.217.31.225
  172.217.161.142
  216.58.200.67
  216.58.199.110
  172.217.161.173
  216.58.221.233
  172.217.31.234
  172.217.24.201
  216.58.220.196
  142.250.199.67
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 5.0

5547 | 2021-03-02 18:17 | ZeroCERT
Sample: scr.dll (MD5 4e812d5fdec0e51f6eadade33a73aeef)
Tags: VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself DNS
URLs (1):
  http://185.215.113.76//g6yNcO8/index.php?scr=up
Hosts (1): none listed
Signatures: none
Score: 4.6 | M | 54

5548 | 2021-03-02 18:18 | ZeroCERT
Sample: scan.exe (MD5 e9dcdd1b1719d0b6784ce1cae84c200e)
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed
URLs: none
Hosts: none
Signatures: none
Score: 10.0 | M | 37

5549 | 2021-03-02 18:23 | ZeroCERT
Sample: slim.exe (MD5 212cc44592f59e68dc35b99ac02505e1)
Tags: VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows keylogger
URLs: none
Hosts (2):
  top.k1ll1fabused1.xyz(94.177.123.162) - malicious
  94.177.123.162 - malicious
Signatures: none
Score: 7.8 | M | 43

5550 | 2021-03-02 18:24 | ZeroCERT
Sample: slim2.exe (MD5 6e3931892ecdec7410c508a5989c864a)
Tags: FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself Remote Code Execution DNS
URLs (4):
  http://www.wildhare.media/private/?T8SH=/nAwW+TzLw/gtsecfx4H2s2WryKThcYrPAq/X+8+W0pN77ZYzijkP8Xh+ibBOYEyRn8Zyttf&R2MdC=Mj_PAvq8P8bxt2L0
  http://www.proofnutriceuticals.com/private/?T8SH=OMfd2xMVJ3ryVckUoRZhT5ZlpPYC8VYF4X9akFCkKITZUoxBcO9JSRPnNOkL92Fwpy0lK8XC&R2MdC=Mj_PAvq8P8bxt2L0
  http://www.aallwellsolutions.com/private/?T8SH=yax+qLwztdI6r2eWfuj6YnlWGMmZs9IdsVCAiq+4w2PhkA2gaE2m7eLlgqR1ThPS3JjyxLUt&R2MdC=Mj_PAvq8P8bxt2L0
  http://www.attza.com/private/?T8SH=3RlbuXDnLNiyjXMzDVa+2Ib6rD8c+NeYZn7lBZlLYKtj/Rn8sEo+CamSl2DBhjRCfRfDfbVK&R2MdC=Mj_PAvq8P8bxt2L0
Hosts (8):
  www.aallwellsolutions.com(43.225.55.146)
  www.wildhare.media(182.50.132.242)
  www.proofnutriceuticals.com(34.102.136.180)
  www.attza.com(158.177.208.8)
  43.225.55.146
  158.177.208.8
  34.102.136.180 - malicious
  182.50.132.242 - malicious
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.4 | - | 32