| 5686 |
2021-03-07 21:50
|
cred.dll c041d665d945d635300af02e97eb9cff
FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software |
2
http://190.115.18.211//fO0r5se3dW/index.php
http://185.215.113.14//fO0r5se3dW/index.php
|
2
190.115.18.211 - malware
185.215.113.14
|
|
|
6.0 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5687 |
2021-03-07 21:51
|
clipper.exe 4b932f40941f6db7383af06d84d21ce1
VirusTotal Malware AutoRuns Check memory Windows utilities suspicious process WriteConsoleW Windows ComputerName Remote Code Execution |
|
|
|
|
5.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5688 |
2021-03-07 21:54
|
local28.exe de84d306ca9d35321f98a6d26fc35275
VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
3.6 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5689 |
2021-03-07 21:55
|
kitkatrootbot.exe d082b3a44d7a40cf843b7a7a476a7d41
VirusTotal Malware PDB |
|
|
|
|
2.2 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5690 |
2021-03-07 21:57
|
scr.dll 6551b9cf0ee7bc283476c82afe8efc85
VirusTotal Malware Checks debugger buffers extracted unpack itself DNS |
1
http://190.115.18.211//fO0r5se3dW/index.php?scr=up - rule_id: 350
|
1
|
|
1
|
3.4 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5691 |
2021-03-07 21:57
|
micro.exe 36cabdb6675e5bebf48dc3924e043f9a
Browser Info Stealer Malware download FTP Client Info Stealer Pony VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Creates executable files Windows utilities Collect installed applications AppData folder malicious URLs WriteConsoleW installed browsers check Zeus Windows Update Browser Email Trojan Software Downloader |
2
http://www.sharpn.com/Panel/micro%20(2).exe
http://sharpn.com/Panel/micro%20(2).exe
|
3
www.sharpn.com(192.185.95.74)
sharpn.com(192.185.95.74) - malware
192.185.95.74 - phishing
|
8
ET MALWARE Fareit/Pony Downloader Checkin 3
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET MALWARE Fareit/Pony Downloader Checkin 2
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
ET MALWARE Pony Downloader check-in response STATUS-IMPORT-OK
|
|
9.8 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5692 |
2021-03-07 22:01
|
x86.dll 1ba871c1a93cabf46febf30fdb4cad1e
VirusTotal Malware PDB |
|
|
|
|
1.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5693 |
2021-03-08 09:03
|
A4ge7vE97nKzwZk.exe 4bf1d28524782e3de6d241c2bb625b5e
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://159.69.119.114:3214/
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
104.26.12.31
159.69.119.114
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.2 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5694 |
2021-03-08 09:04
|
conhost.exe 0a31ae5882697455a071f73191ed661c
VirusTotal Open Directory Cryptocurrency Miner Malware Cryptocurrency Malicious Traffic Check memory Checks debugger Creates executable files unpack itself malicious URLs sandbox evasion Windows Exploit Browser ComputerName Firmware DNS |
2
http://154.91.1.27/WinRing0x64.sys
http://154.91.1.27/SqlTools.exe
|
3
xmr.f2pool.com(203.107.32.162) - mailcious
203.107.32.162 - mailcious
154.91.1.27
|
6
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET POLICY Cryptocurrency Miner Checkin
ET INFO Executable Download from dotted-quad Host
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
|
|
9.2 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5695 |
2021-03-08 09:11
|
A4ge7vE97nKzwZk.exe 4bf1d28524782e3de6d241c2bb625b5e
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://159.69.119.114:3214/
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31)
159.69.119.114
172.67.75.172
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.2 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5696 |
2021-03-08 09:12
|
inst_all.exe 7ae05cc2d2a31d9dfa7edbf6beef674e
Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5697 |
2021-03-08 09:16
|
Rq9UwX3Sxdm9bAfW.exe 7f8a15aca0965d3ef7f5e36245ee20fa
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://159.69.119.114:3214/
https://www.bing.com/
https://api.ip.sb/geoip
|
6
www.google.com(172.217.161.68)
api.ip.sb(104.26.13.31)
104.26.12.31
159.69.119.114
13.107.21.200
172.217.174.196
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.2 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5698 |
2021-03-08 09:16
|
Tester.exe 3ca0d5a355b972927a2398440d58a001
VirusTotal Malware PDB Check memory Checks debugger unpack itself malicious URLs DNS |
|
|
|
|
2.8 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5699 |
2021-03-08 10:59
|
regasm.exe 0a8ff8379ea5957d89a01ea84130c372
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software |
1
http://becharnise.ir/fb6/fre.php - rule_id: 279
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://becharnise.ir/fb6/fre.php
|
9.6 |
M |
48 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5700 |
2021-03-08 11:09
|
regasm.exe 0a8ff8379ea5957d89a01ea84130c372
Loki Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files AppData folder malicious URLs sandbox evasion installed browsers check Browser Email ComputerName Software |
1
http://becharnise.ir/fb6/fre.php - rule_id: 279
|
2
becharnise.ir(185.208.180.121) - mailcious
185.208.180.121 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://becharnise.ir/fb6/fre.php
|
9.6 |
M |
48 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|