| 5656 |
2021-03-05 14:09
|
vbc.exe e51d22ebb56c5f204b9f275337fbcfde
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
7.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5657 |
2021-03-05 14:12
|
win32.exe 3dad99752800d2418553870b6e932c66
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
8.2 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5658 |
2021-03-05 14:14
|
winlog.exe c8cb664fed47b0347a3e70df2d119327
FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS |
8
http://www.bukaino.net/nsag/?tZU4=oC6r1HmZx5wn5oXPzQLXQ4VMDjeb3X29kqfgvoAAEugKEHNilNhbzg6QyG7lAWIEjI8cRCmD&Ult8E=GTgP1na8nVYlWF
http://www.icepolo.com/nsag/?tZU4=KrISVuEJfroV2D55X6dLs0GN1f73ulMhv3kfCJ49OWlp4uYW/zulw4lDB/y+iFCn1yfvo+sH&Ult8E=GTgP1na8nVYlWF
http://www.meow-cafe.com/nsag/?tZU4=IhldT5wLTRKRhz0Kiz0IGMqIRU2spNDmcqI1QisIjZb8FIZrE1BmbNw3zkMl85/AvgANuIfm&Ult8E=GTgP1na8nVYlWF
http://www.meow-cafe.com/nsag/
http://www.mecs.club/nsag/?tZU4=0eG3A+xf/U4tD2DvywEKXt4QE5sc4N54SGadGOOgrfsIgOmM/WH/GgXAPI4MGlkByobfpq2S&Ult8E=GTgP1na8nVYlWF
http://www.icepolo.com/nsag/
http://www.bukaino.net/nsag/
http://www.mecs.club/nsag/
|
18
www.bukaino.net(184.168.131.241)
www.icepolo.com(91.195.241.137)
www.patientsbooking.info(34.102.136.180) - mailcious
www.meow-cafe.com(213.32.49.255)
www.856380692.xyz(103.88.34.80)
www.winabeel.com(34.102.136.180) - mailcious
www.evoslancete.com() - mailcious
www.myfeezinc.com(103.224.182.242) - mailcious
www.robertbeauford.net(154.214.73.24) - mailcious
www.mecs.club(155.133.132.7)
155.133.132.7 - malware
184.168.131.241 - mailcious
91.195.241.137 - mailcious
34.102.136.180 - mailcious
103.88.34.80 - suspicious
154.214.73.24 - mailcious
103.224.182.242 - phishing
213.32.49.255
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
7.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5659 |
2021-03-05 14:16
|
winlog2.exe b4f934c7e8c8c57260cfb11476ebff84
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files AppData folder malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://becharnise.ir/fb5/fre.php
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
8.8 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5660 |
2021-03-05 17:41
|
3w.exe bec6b3783f500e425d69ec474de49d72
VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself malicious URLs Windows |
1
http://xk.996is.com:66/kj.dll
|
4
kk1.996is.com(103.219.39.78)
xk.996is.com(43.249.195.42)
43.249.195.42
103.219.39.78
|
|
|
4.4 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5661 |
2021-03-05 17:42
|
winlog.exe 8da730e67b8525b10717a673a151ae81
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://sdworks-kh.com/zoro/zoro2/fre.php
|
2
sdworks-kh.com(46.17.46.166)
46.17.46.166
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5662 |
2021-03-05 18:11
|
1.hta 36557ac562705433cd94c97fa409cf7c
Code Injection RWX flags setting unpack itself Windows utilities Windows |
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5663 |
2021-03-05 18:17
|
payment prove_pdf.bin 103027ed80b1517d0a07aa9dc2239aa7
FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs |
30
http://www.pinballphotography.com/xgxp/?pvj062Dh=ZuTVDPF5SgQ7N0sMP/GdIOlZYxb7syp7d6TSvRYCVRBo7wRtvOZEnQQ7w4eScQZ0MlrvOjLZ&GFNL6=9rz8F4dH
http://www.eleriwyn.com/xgxp/?pvj062Dh=KSW9RKoNBwXe+VOf7AxGbGPbVlrTLMNWA5foeXlHWN5ScUSoVakRSWjpz6fnqGTyPmRZJ9za&GFNL6=9rz8F4dH
http://www.embedded4all.com/xgxp/?pvj062Dh=MAQO4WkresSuWPfgJhHyMO4i9Ta/34acMUb3d2umT9IG2BHt6nvAEjsipknXMs/NLJo/Ycpq&GFNL6=9rz8F4dH
http://www.thisisadreamright.com/xgxp/?pvj062Dh=CfKWVEuAkItgF5IFWyJ7OQiRjgh2nq8h6YY0dj9CLYmCsMNyG3zAyF1z5AbMqdF7daU4WCwT&GFNL6=9rz8F4dH
http://www.albeider.com/xgxp/?pvj062Dh=qmgF2wLf18+r68arAlMCD7Yj9H/9M3t4tL9buYevap3cxv7NDgMO6mj7ZgHoTJLRWZoQ+jXP&GFNL6=9rz8F4dH
http://www.kaffeeatlas.com/xgxp/
http://www.jioholdingscorp.com/xgxp/
http://www.birdsbarber.supply/xgxp/
http://www.jioholdingscorp.com/xgxp/?pvj062Dh=5PjAp+B32jyYjgUqUGbPHmS1ysjY1nR2aDqsOCBpluPJvovADcOJbFcG5nQGTdvkDLpZMRPY&GFNL6=9rz8F4dH
http://www.thisisadreamright.com/xgxp/
http://www.kaffeeatlas.com/xgxp/?pvj062Dh=2mQAc+QCsiOYIbXgHj9ZzoI0gXDVhQLn4rXC5f+7/PAhm/VJ7PiM/kElHiV8BrJIjVCUS6cW&GFNL6=9rz8F4dH
http://www.tourvirtualonline.com/xgxp/?pvj062Dh=PPyip6xl+ZZwVmjPfJe/QSC+HqlYSTjsW1YBtEnoo0qB7028p6dtu5O3VgtGPDwYUy4ePGtO&GFNL6=9rz8F4dH
http://www.scoutlo.com/xgxp/
http://www.5996399.com/xgxp/
http://www.nextingly.com/xgxp/
http://www.scoutlo.com/xgxp/?pvj062Dh=j36Yn2mlU9atymMO/Sp4dli/1oi0w2hx7mjiv//cyIlIHOVq9NiMAtIDmqefSoe7QYElJE5E&GFNL6=9rz8F4dH
http://www.albeider.com/xgxp/
http://www.eternalgrove.com/xgxp/
http://www.viverobonsaimx.com/xgxp/
http://www.pinballphotography.com/xgxp/
http://www.5996399.com/xgxp/?pvj062Dh=Xu1DQjTLUm7fkUuNbFvDt9q0tpf8gcpJJQ/PdyHmWbwgiodjiZMXDexeMyZ8hcP1Pv72xnrH&GFNL6=9rz8F4dH
http://www.embedded4all.com/xgxp/
http://www.birdsbarber.supply/xgxp/?pvj062Dh=XieInFLOXr1NaXiWulLiGWZVgIlwz7nsNAQTihsIG3h4jAGaRO2PVMcwNW2ZKK5Q5ybzD0bG&GFNL6=9rz8F4dH
http://www.nextingly.com/xgxp/?pvj062Dh=m0TUrT5boHKb8hvHDgnE/ZREfCPkqqWG3J4+n2X1EnQNLB/vTvGnT/CScPBNY5CwRzBvf5hI&GFNL6=9rz8F4dH
http://www.eleriwyn.com/xgxp/
http://www.eternalgrove.com/xgxp/?pvj062Dh=+YwixCNSi8V2FCxe15YPcQJZCKrKvQnIWPh7Y6WCwkaWhprC0zbZQPAlEcsb0bQnYMr30Gpu&GFNL6=9rz8F4dH
http://www.tourvirtualonline.com/xgxp/
http://www.viverobonsaimx.com/xgxp/?pvj062Dh=z1m0HWMKCDjSrvXSUMm8o9DWZ0alOOcCGeMBlwFUdI0VxBSOoragZfolqR3OI/AQfc9Zsj2C&GFNL6=9rz8F4dH
http://www.biomedms.com/xgxp/?pvj062Dh=kC0zGJJJYLETs6GjUi/LapClV/EoumCVD9Ngc3jnQrV0zs2YN+iVypTMuCXG9uFexzRkg+Gp&GFNL6=9rz8F4dH
http://www.biomedms.com/xgxp/
|
27
www.biomedms.com(34.102.136.180)
www.tourvirtualonline.com(178.33.118.110)
www.thisisadreamright.com(35.209.84.164)
www.eternalgrove.com(52.58.78.16)
www.5996399.com(45.142.156.44)
www.viverobonsaimx.com(172.67.146.108)
www.jioholdingscorp.com(192.185.117.215)
www.eleriwyn.com(91.195.240.94)
www.nextingly.com(192.0.78.25)
www.scoutlo.com(52.58.78.16)
www.birdsbarber.supply(34.102.136.180)
www.kaffeeatlas.com(91.195.241.137)
www.embedded4all.com(154.81.100.143)
www.pinballphotography.com(34.102.136.180)
www.albeider.com(85.13.144.165)
154.81.100.143
91.195.240.94 - phishing
91.195.241.137 - mailcious
85.13.144.165
52.58.78.16 - mailcious
34.102.136.180 - mailcious
45.142.156.44
192.185.117.215
104.21.39.152
35.209.84.164
192.0.78.25 - mailcious
178.33.118.110
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.4 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5664 |
2021-03-05 18:20
|
1.html 36557ac562705433cd94c97fa409cf7c
Code Injection RWX flags setting unpack itself Windows utilities Windows |
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5665 |
2021-03-06 09:20
|
8.iosssappp.exe df60756a8e33b721b357bd7242f4881a
Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName DNS crashed |
1
https://177.47.88.62/rob20/TEST22-PC_W617601.378AC5D337BB31DB195D8B32D85BF05B/5/kps/
|
4
179.191.108.58 - mailcious
154.79.252.132 - mailcious
177.47.88.62
168.232.188.88
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 7
|
|
6.6 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5666 |
2021-03-06 09:21
|
http://goaqaba.com/ccwidd/4426... d41d8cd98f00b204e9800998ecf8427e
VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://goaqaba.com/favicon.ico
|
3
goaqaba.com(207.244.229.15) - malware
www.goaqaba.com(207.244.229.15)
207.244.229.15 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5667 |
2021-03-06 09:47
|
ama.exe 2615e1b91089b5c8fe7011eb447e5db1
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5668 |
2021-03-06 09:47
|
regasm.exe 4463feedd0b33e84f3e7454adba2c8ce
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
|
1
|
|
|
13.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5669 |
2021-03-06 09:57
|
TAX-RELIEF.exe 307e257292be5d47304c1712c8bd1342
VirusTotal Malware Check memory Checks debugger Creates executable files AppData folder malicious URLs sandbox evasion DNS DDNS |
|
2
goryhazel1.duckdns.org(197.210.28.149)
197.210.28.149
|
1
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
4.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5670 |
2021-03-06 09:58
|
vbc.exe 12313985c4147b7a2e4b6945e270ff70
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
|
1
turbinetechnlcs.com() - mailcious
|
|
|
13.8 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|