5701 | 2021-03-08 11:16
marxlo.exe d4768f13b1bd46461e9f1fdca905d794
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder malicious URLs Windows Cryptographic key
9.8 | | 10 | guest

5702 | 2021-03-08 11:21
ntB.dll 4da066bbfe178014ed1042ce90b87ab0
VirusTotal Malware Checks debugger RWX flags setting unpack itself sandbox evasion
3.8 | M | 52 | 조광섭

5703 | 2021-03-08 11:24
winlog5.exe 57e47d9cc7e182ce53425dcf9f1c9dcc
Loki Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software crashed
1 | http://becharnise.ir/fa16/fre.php - rule_id: 229
2 | becharnise.ir(185.208.180.121) - mailcious ; 185.208.180.121 - mailcious
6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2
1 | http://becharnise.ir/fa16/fre.php
13.4 | M | 51 | 조광섭

5704 | 2021-03-08 11:29
Update.exe 808e1ade2dea30a742f120a5a26d6a32
VirusTotal Malware malicious URLs WriteConsoleW
2 | gore.p-e.kr(125.185.111.249) - mailcious ; 125.185.111.249 - mailcious
3.2 | M | 63 | 조광섭

5705 | 2021-03-08 11:42
chashepro3.exe c277ca9bda5cde270d97fb1cbe5568d0
Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Firmware DNS Cryptographic key Software crashed
5 | http://74.119.193.164:3214/ https://iplogger.org/favicon.ico https://iplogger.org/1aSny7 https://iplogger.org/1rst77 https://api.ip.sb/geoip
10 | WHOIS.APNIC.NET(172.104.79.63) ; iplogger.org(88.99.66.31) ; whois.iana.org(192.0.32.59) ; api.ip.sb(104.26.13.31) ; 195.88.209.205 - mailcious ; 192.0.32.59 ; 104.26.12.31 ; 88.99.66.31 - mailcious ; 74.119.193.164 ; 172.104.79.63
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; SURICATA HTTP unable to match response to request
21.6 | M | 48 | 조광섭

5706 | 2021-03-08 15:15
fre.php ea9f466d28c594dc4741469805fd440c
Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure
4.2 | | 1 | guest

5707 | 2021-03-08 15:15
chart.class.php 556b2524384b1b773732cd9648a23b14
Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
3 | http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure
4.8 | | | guest

5708 | 2021-03-08 15:16
GeoIP.dat aa73c65c8661963aac79f1f2ae16e910
Code Injection unpack itself Windows utilities malicious URLs Windows
4 | http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f http://www.bing.com/favicon.ico
3.2 | | | guest

5709 | 2021-03-08 15:17
geoip.inc bf1e7e0fd0b9755f974217e69c63a31a
Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
2 | http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure
4.2 | | | guest

5710 | 2021-03-08 15:18
index.html d41d8cd98f00b204e9800998ecf8427e
Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
2 | http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure
4.8 | | | guest

5711 | 2021-03-08 15:18
fre.php ea9f466d28c594dc4741469805fd440c
Code Injection unpack itself Windows utilities malicious URLs Windows DNS
3 | http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://www.bing.com/favicon.ico
1 |
3.8 | | | guest

5712 | 2021-03-08 15:20
chart.class.php 556b2524384b1b773732cd9648a23b14
Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
2 | http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
2 | ET INFO TLS Handshake Failure ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | | | guest

5713 | 2021-03-08 15:20
GeoIP.dat aa73c65c8661963aac79f1f2ae16e910
Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
1 | http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
2 | ET INFO TLS Handshake Failure ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | | | guest

5714 | 2021-03-08 15:20
fre.php ea9f466d28c594dc4741469805fd440c
1.0 | | | guest

5715 | 2021-03-08 15:20
geoip.inc bf1e7e0fd0b9755f974217e69c63a31a
Code Injection unpack itself Windows utilities malicious URLs Windows
3 | http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f http://www.bing.com/favicon.ico
3.2 | | | guest