5656 | 2021-03-05 14:09
vbc.exe e51d22ebb56c5f204b9f275337fbcfde VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
7.8 | M | 25 | ZeroCERT

5657 | 2021-03-05 14:12
win32.exe 3dad99752800d2418553870b6e932c66 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
8.2 | M | 42 | ZeroCERT

5658 | 2021-03-05 14:14
winlog.exe c8cb664fed47b0347a3e70df2d119327 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs sandbox evasion DNS
URLs (8):
Hosts (18):
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
7.6 | M | 31 | ZeroCERT

5659 | 2021-03-05 14:16
winlog2.exe b4f934c7e8c8c57260cfb11476ebff84 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files AppData folder malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1): http://becharnise.ir/fb5/fre.php
Hosts (2): becharnise.ir(185.208.180.121) - mailcious; 185.208.180.121 - mailcious
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
8.8 | M | 21 | ZeroCERT

5660 | 2021-03-05 17:41
3w.exe bec6b3783f500e425d69ec474de49d72 VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself malicious URLs Windows
URLs (1): http://xk.996is.com:66/kj.dll
Hosts (4): kk1.996is.com(103.219.39.78); xk.996is.com(43.249.195.42); 43.249.195.42; 103.219.39.78
4.4 | | 58 | ZeroCERT

5661 | 2021-03-05 17:42
winlog.exe 8da730e67b8525b10717a673a151ae81 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://sdworks-kh.com/zoro/zoro2/fre.php
Hosts (2): sdworks-kh.com(46.17.46.166); 46.17.46.166
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
13.6 | M | 29 | ZeroCERT

5662 | 2021-03-05 18:11
1.hta 36557ac562705433cd94c97fa409cf7c Code Injection RWX flags setting unpack itself Windows utilities Windows
2.2 | | | ZeroCERT

5663 | 2021-03-05 18:17
payment prove_pdf.bin 103027ed80b1517d0a07aa9dc2239aa7 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder malicious URLs
URLs (30):
Hosts (27):
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
5.4 | | 24 | ZeroCERT

5664 | 2021-03-05 18:20
1.html 36557ac562705433cd94c97fa409cf7c Code Injection RWX flags setting unpack itself Windows utilities Windows
2.2 | | | ZeroCERT

5665 | 2021-03-06 09:20
8.iosssappp.exe df60756a8e33b721b357bd7242f4881a Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName DNS crashed
URLs (1): https://177.47.88.62/rob20/TEST22-PC_W617601.378AC5D337BB31DB195D8B32D85BF05B/5/kps/
Hosts (4): 179.191.108.58 - mailcious; 154.79.252.132 - mailcious; 177.47.88.62; 168.232.188.88
Signatures (3):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET CNC Feodo Tracker Reported CnC Server group 7
6.6 | M | 18 | ZeroCERT

5666 | 2021-03-06 09:21
http://goaqaba.com/ccwidd/4426... d41d8cd98f00b204e9800998ecf8427e VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1): http://goaqaba.com/favicon.ico
Hosts (3): goaqaba.com(207.244.229.15) - malware; www.goaqaba.com(207.244.229.15); 207.244.229.15 - malware
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | M | | ZeroCERT

5667 | 2021-03-06 09:47
ama.exe 2615e1b91089b5c8fe7011eb447e5db1 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName Cryptographic key crashed
9.8 | M | 25 | ZeroCERT

5668 | 2021-03-06 09:47
regasm.exe 4463feedd0b33e84f3e7454adba2c8ce Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
Hosts (1):
13.4 | M | 34 | ZeroCERT

5669 | 2021-03-06 09:57
TAX-RELIEF.exe 307e257292be5d47304c1712c8bd1342 VirusTotal Malware Check memory Checks debugger Creates executable files AppData folder malicious URLs sandbox evasion DNS DDNS
Hosts (2): goryhazel1.duckdns.org(197.210.28.149); 197.210.28.149
Signatures (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4.4 | M | 20 | ZeroCERT

5670 | 2021-03-06 09:58
vbc.exe 12313985c4147b7a2e4b6945e270ff70 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
Hosts (1): turbinetechnlcs.com() - mailcious
13.8 | M | 32 | ZeroCERT