| 5536 |
2021-03-02 15:36
|
document2.doc 2fdf771221253c034cb69f52209d9de3
Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5537 |
2021-03-02 15:38
|
F6RTDU8mL5raqwH.pdf.exe 8c57f9d8979fbf2747ad0cc1408dd133
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS keylogger |
|
2
shahzad73.casacam.net(91.212.153.84) - mailcious
91.212.153.84 - mailcious
|
|
|
12.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5538 |
2021-03-02 16:02
|
febsc.exe d982bc6d34d36e1d584c8541b9fd3ab8
VirusTotal Malware unpack itself malicious URLs Remote Code Execution |
|
|
|
|
2.6 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5539 |
2021-03-02 16:04
|
febs.exe ba08ebebc0859783501f5c5ad2e22425
FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS |
16
http://www.albunyan.net/akjg/
http://www.cynding.com/akjg/?CP=jWqwEiON+vh8jBCco1GX67GB0f94OKdV8R5ZL/1bkloyIfFYfndB36UKnN/7f0vblD7P/FfI&nX=Txl0dbhP5VmD3
http://www.jlintuitivedesign.com/akjg/
http://www.southamericastreetball.com/akjg/
http://www.homeilluminationz.com/akjg/?CP=p4uC2bbW+1tOQoJv5zVXMYHycBs/umhiIpxP5tyb2A2MCdo8hYQM7MmGp7QsfJjbkASTYik8&nX=Txl0dbhP5VmD3
http://www.teamsilike.com/akjg/
http://www.cynding.com/akjg/
http://www.jlintuitivedesign.com/akjg/?CP=FLD+4oCbaMJSCRAQt+7TAdkVEY4DDPm16+P8NhswyzFB4RpyWSRrvankZxw/H/wEEb6G6okI&nX=Txl0dbhP5VmD3
http://www.thefolkloreforest.com/akjg/
http://www.thefolkloreforest.com/akjg/?CP=77ynH+jK1zMTfLXA1x2yn5Nj8gXvoMzXisZfaxa7ayoCAYrTKT8LtYJFxQGF6gwyyjgwGN6O&nX=Txl0dbhP5VmD3
http://www.southamericastreetball.com/akjg/?CP=PmdIRmmitnT9vcCxPTHtuVFRsdPm0Ei2jbNxj4Ru5iw+W23tp1iBl386TY+8+T2T0w3R+XKe&nX=Txl0dbhP5VmD3
http://www.quantumfibersolution.com/akjg/
http://www.homeilluminationz.com/akjg/
http://www.teamsilike.com/akjg/?CP=VfhhGrtRaeLEY52oORiJDQeTZ2q0OTWOGeFs7M+Jo1NLp22JF6wSRL5UtgTdr1v1hvJiAGa6&nX=Txl0dbhP5VmD3
http://www.albunyan.net/akjg/?CP=wR73bOoHJTW/Jga1xSgdGy6jh83HSflClW5QGN93ZAhe/empoutr2rnGqXZEqOSPRoiYGWS0&nX=Txl0dbhP5VmD3
http://www.quantumfibersolution.com/akjg/?CP=X1lRwW5Q7TjKblC+7NGfC8V9sYxjs6/xU2gfum0xVYGi23p2PU/zmdmqZrsTTzXcULJ4n7ru&nX=Txl0dbhP5VmD3
|
17
www.albunyan.net(34.102.136.180)
www.southamericastreetball.com(34.102.136.180)
www.quantumfibersolution.com(34.102.136.180)
www.cynding.com(151.101.192.119)
www.teamsilike.com(45.192.122.209)
www.shianjunye.com(47.244.244.180)
www.thefolkloreforest.com(202.124.241.178)
www.blocknicnain.com()
www.jobs-metro.com()
www.jlintuitivedesign.com(173.231.207.172)
www.homeilluminationz.com(34.102.136.180)
173.231.207.172
47.244.244.180
34.102.136.180 - mailcious
151.101.0.119
202.124.241.178
45.192.122.209
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
7.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5540 |
2021-03-02 16:15
|
file.exe e6d1e080cea89eab46ccd90418b62ec7
VirusTotal Malware unpack itself |
|
|
|
|
2.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5541 |
2021-03-02 16:15
|
regasm.exe 43f9fd0e3e8bf66bee9581e616f870f5
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files AppData folder malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://hiqhway39clothing.com/zoro/zoro6/fre.php
|
2
hiqhway39clothing.com(45.8.124.39)
45.8.124.39
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
10.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5542 |
2021-03-02 16:36
|
regasm2.exe 3ec57bc71a3024b83bcbed9ec1a85888
VirusTotal Malware unpack itself malicious URLs |
|
|
|
|
2.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5543 |
2021-03-02 16:37
|
RPI_Scanned_701.pdf.exe e4dfcc8b181667438f4df1b788929e0f
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.161.70)
162.88.193.70
104.21.19.200
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
16.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5544 |
2021-03-02 16:39
|
RPI_Scanned_01507.jpg.exe eb75677a28024f4bbc9cab2c69894c9d
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.161.70)
131.186.113.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
17.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5545 |
2021-03-02 18:14
|
scan.exe e9dcdd1b1719d0b6784ce1cae84c200e
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5546 |
2021-03-02 18:15
|
https://zoomba619.blogspot.com... 9c804308bb43d9f9942d16382b47d50a
VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
28
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://zoomba619.blogspot.com/favicon.ico
https://www.google.com/css/maia.css
https://fonts.googleapis.com/css?family=Open+Sans:300
https://www.google.com/gen_204?atyp=i&zx=1614676260899&sei=LQE-YPC2PJSxtQbD7LuYDA&ogf=.40.40.40.76.40.40.40.&ogrp=&ogv=358727508.0&ogd=&ogc=KOR&ogl=ko&oggv=quantum%3AgapiBuildLabel&jexpid=&srcpg=prop%3D30&jsr=10&emsg=ReferenceError%3A'console'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.
https://www.blogger.com/static/v1/widgets/2473628150-widgets.js
https://www.google-analytics.com/analytics.js
https://www.blogger.com/blogin.g?blogspotURL=https://zoomba619.blogspot.com/p/b2.html
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://zoomba619.blogspot.com/p/b2.html%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://zoomba619.blogspot.com/p/b2.html%26bpli%3D1&passive=true&go=true
https://ssl.gstatic.com/gb/images/p1_cfd8cf40.png
https://www.blogger.com/img/share_buttons_20_3.png
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fzoomba619.blogspot.com%2Fp%2Fb2.html&bpli=1
https://zoomba619.blogspot.com/p/b2.html
https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Yi2_l953dwg.O/rt=j/m=q_d,qawd,qmd,qsd,qmutsd,qapid/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtb,qhtt/d=1/ed=1/rs=AA2YrTukMeXtxdl-OH9-2R7CQbBSwE70Hg
https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.GTg18L1Wqko.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_RJSdiavtoJQlz9JCcpOM9qnUIlw/cb=gapi.loaded_0
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=2525772521150521786&zx=9421adcd-07e7-4170-b701-6dfd427bbbe2
https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
https://www.blogger.com/img/blogger-logotype-color-black-1x.png
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
https://resources.blogblog.com/img/icon18_edit_allbkg.gif
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
https://resources.blogblog.com/img/icon18_wrench_allbkg.png
|
21
zoomba619.blogspot.com(172.217.26.1) - mailcious
resources.blogblog.com(172.217.25.201)
www.google.com(216.58.197.228)
www.gstatic.com(216.58.197.163)
ssl.gstatic.com(216.58.197.227)
accounts.google.com(216.58.197.173)
www.google-analytics.com(216.58.197.174)
apis.google.com(172.217.175.110)
fonts.gstatic.com(172.217.25.67)
fonts.googleapis.com(172.217.175.234)
www.blogger.com(172.217.25.201)
172.217.31.225
172.217.161.142
216.58.200.67
216.58.199.110
172.217.161.173
216.58.221.233
172.217.31.234
172.217.24.201
216.58.220.196
142.250.199.67
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5547 |
2021-03-02 18:17
|
scr.dll 4e812d5fdec0e51f6eadade33a73aeef
VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself DNS |
1
http://185.215.113.76//g6yNcO8/index.php?scr=up
|
1
|
|
|
4.6 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5548 |
2021-03-02 18:18
|
scan.exe e9dcdd1b1719d0b6784ce1cae84c200e
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed |
|
|
|
|
10.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5549 |
2021-03-02 18:23
|
slim.exe 212cc44592f59e68dc35b99ac02505e1
VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows keylogger |
|
2
top.k1ll1fabused1.xyz(94.177.123.162) - mailcious
94.177.123.162 - mailcious
|
|
|
7.8 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5550 |
2021-03-02 18:24
|
slim2.exe 6e3931892ecdec7410c508a5989c864a
FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself Remote Code Execution DNS |
4
http://www.wildhare.media/private/?T8SH=/nAwW+TzLw/gtsecfx4H2s2WryKThcYrPAq/X+8+W0pN77ZYzijkP8Xh+ibBOYEyRn8Zyttf&R2MdC=Mj_PAvq8P8bxt2L0
http://www.proofnutriceuticals.com/private/?T8SH=OMfd2xMVJ3ryVckUoRZhT5ZlpPYC8VYF4X9akFCkKITZUoxBcO9JSRPnNOkL92Fwpy0lK8XC&R2MdC=Mj_PAvq8P8bxt2L0
http://www.aallwellsolutions.com/private/?T8SH=yax+qLwztdI6r2eWfuj6YnlWGMmZs9IdsVCAiq+4w2PhkA2gaE2m7eLlgqR1ThPS3JjyxLUt&R2MdC=Mj_PAvq8P8bxt2L0
http://www.attza.com/private/?T8SH=3RlbuXDnLNiyjXMzDVa+2Ib6rD8c+NeYZn7lBZlLYKtj/Rn8sEo+CamSl2DBhjRCfRfDfbVK&R2MdC=Mj_PAvq8P8bxt2L0
|
8
www.aallwellsolutions.com(43.225.55.146)
www.wildhare.media(182.50.132.242)
www.proofnutriceuticals.com(34.102.136.180)
www.attza.com(158.177.208.8)
43.225.55.146
158.177.208.8
34.102.136.180 - mailcious
182.50.132.242 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|