6076  2021-03-17 17:48
  Sample: invoice_34457.doc  (MD5 7ea6f21fe3034329bfd23235650d3f38)
  Tags: LokiBot, Malware download, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, crashed
  URLs (1): (none listed)
  Hosts (6):
    bit.do (54.83.52.76) - malicious
    kweend.com (54.227.98.220) - malicious
    wsdyrkkrsuccessmorev.dns.army (103.125.191.187) - malware
    54.227.98.220 - malicious
    54.83.52.76 - suspicious
    103.125.191.187 - malware
  IDS alerts (7):
    ET MALWARE Possible Malicious Macro DL EXE Feb 2016
    ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  Score: 4.6
  Other columns: M | 23 | ZeroCERT

6077  2021-03-17 17:56
  Sample: putty.exe  (MD5 6fa14b3b1c54a26f0b9bbcd2f6b45899)
  Tags: VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Remote Code Execution
  URLs / Hosts / IDS alerts: none
  Score: 2.0
  Other columns: M | 1 | Zero

6078  2021-03-17 17:58
  Sample: putty.exe  (MD5 6fa14b3b1c54a26f0b9bbcd2f6b45899)
  Tags: VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Remote Code Execution
  URLs / Hosts / IDS alerts: none
  Score: 2.0
  Other columns: M | 1 | Zero

6079  2021-03-17 18:19
  Sample: linas138.dll  (MD5 e905846ca83adae7c9fa32e55ed1b826)
  Tags: Trickbot, VirusTotal, Malware, Checks debugger, unpack itself, suspicious process, Remote Code Execution
  URLs / Hosts / IDS alerts: none
  Score: 3.4
  Other columns: M | 33 | ZeroCERT

6080  2021-03-17 18:21
  Sample: winlog2.exe  (MD5 f51bde692301062e32b59eb71505e141)
  Tags: Azorult, .NET framework, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, Cryptographic key
  URLs / Hosts / IDS alerts: none
  Score: 7.8
  Other columns: M | 22 | ZeroCERT

6081  2021-03-17 18:22
  Sample: linas139.dll  (MD5 190b62c21a3413d44cc73e4098b6987b)
  Tags: Trickbot, VirusTotal, Malware, Checks debugger, unpack itself, suspicious process, Remote Code Execution
  URLs / Hosts / IDS alerts: none
  Score: 3.4
  Other columns: M | 34 | ZeroCERT

6082  2021-03-17 18:31
  Sample: Stgedo.exe  (MD5 4fa1dbfe022061e6699ae4754b45cb4f)
  Tags: AsyncRAT, backdoor, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Windows, ComputerName, Cryptographic key
  URLs (3):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D9F79B55F8D4D9EC712336B52F5A918A.html - rule_id: 361
  Hosts (2):
    liverpoolofcfanclub.com (104.21.31.39) - malicious
    172.67.174.240
  IDS alerts: none
  URL rule match (1):
    http://liverpoolofcfanclub.com/liverpool-fc-news/features/
  Score: 3.2
  Other columns: M | 28 | Zero

6083  2021-03-17 18:32
  Sample: linas139.dll  (MD5 190b62c21a3413d44cc73e4098b6987b)
  Tags: Trickbot, Dridex, TrickBot, VirusTotal, Malware, Report, suspicious privilege, Checks debugger, buffers extracted, ICMP traffic, unpack itself, Check virtual network interfaces, suspicious process, IP Check, Kovter, ComputerName, Remote Code Execution, DNS, crashed
  URLs (1):
    http://ip.anysrc.net/plain
  Hosts (8):
    ip.anysrc.net (116.203.16.95)
    103.239.165.24
    27.116.63.22
    123.200.26.246 - malicious
    122.2.28.70 - malicious
    180.92.238.186 - malicious
    154.126.176.30 - malicious
    116.203.16.95
  IDS alerts (6):
    ET CNC Feodo Tracker Reported CnC Server group 4
    ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
    ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
    ET POLICY curl User-Agent Outbound
    SURICATA Applayer Mismatch protocol both directions
    ET CNC Feodo Tracker Reported CnC Server group 1
  Score: 9.2
  Other columns: M | 34 | ZeroCERT

6084  2021-03-17 18:32
  Sample: regasm.exe  (MD5 f5ddb8aeb5d10b0b6d8d1825326f4433)
  Tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, malicious URLs, AntiVM_Disk, sandbox evasion, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
  URLs (3):
    http://becharnise.ir/fb16/fre.php
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
  Hosts (2):
    becharnise.ir (185.208.180.121) - malicious
    185.208.180.121 - malicious
  IDS alerts (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Score: 10.6
  Other columns: M | 27 | ZeroCERT

6085  2021-03-17 18:40
  Sample: winlog.exe  (MD5 e4647cc71d27837d5cb8a9a0b0707dab)
  Tags: VirusTotal, Malware, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, malicious URLs, sandbox evasion, ComputerName, crashed
  URLs / Hosts / IDS alerts: none
  Score: 4.8
  Other columns: M | 27 | ZeroCERT

6086  2021-03-17 22:45
  Sample: Build.exe  (MD5 780293b790c796c29b8d0cbf92053af2)
  Tags: Azorult, .NET framework, AsyncRAT, backdoor, Malware download, VirusTotal, Malware, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, ComputerName
  URLs (8):
    http://dsulum.anonymous-sec.com/moab//connection.php
    http://dsulum.anonymous-sec.com/moab//check_panel.php
    http://dsulum.anonymous-sec.com/moab/login.php
    http://dsulum.anonymous-sec.com/moab//getCommand.php?id=bTBhYl83QzYwMjRBRA
    http://dsulum.anonymous-sec.com/moab//receive.php?command=T25saW5l&vicID=bTBhYl83QzYwMjRBRA
    http://dsulum.anonymous-sec.com/moab/
    http://dsulum.anonymous-sec.com/moab//receive.php?command=UGluZ2Vk&vicID=bTBhYl83QzYwMjRBRA
    http://dsulum.anonymous-sec.com/moab//receive.php?command=TmV3TG9nfEJOfFN1Y2N8Qk58Q2xpZW50IGlzIENvbm5lY3RlZA&vicID=bTBhYl83QzYwMjRBRA
  Hosts (2):
    dsulum.anonymous-sec.com (91.234.99.171) - malware
    91.234.99.171 - phishing
  IDS alerts (2):
    ET DROP Spamhaus DROP Listed Traffic Inbound group 8
    ET MALWARE Win32/BlackNET CnC Keep-Alive
  Score: 4.4
  Other columns: M | 47 | Zero

6087  2021-03-17 22:48
  Sample: NotepadPlus.txt  (MD5 e83b5f2b03ffe236917d448f42937528)
  Tags: VirusTotal, Malware, Code Injection, Checks debugger, buffers extracted, unpack itself, sandbox evasion, Browser, ComputerName, crashed
  URLs: none
  Hosts (2):
    premiumfonts.net (185.215.113.33)
    185.215.113.33
  IDS alerts: none
  Score: 5.8
  Other columns: M | 7 | Zero

6088  2021-03-17 22:58
  Sample: dcrat.exe  (MD5 a16225aa2cb7f0c1c4f975bb7a9eede0)
  Tags: Azorult, .NET framework, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, unpack itself
  URLs / Hosts / IDS alerts: none
  Score: 5.4
  Other columns: M | 51 | Zero

6089  2021-03-17 22:59
  Sample: kleiman.exe  (MD5 f67d50d3ca318b7dc910ea10830f5c39)
  Tags: AsyncRAT, backdoor, VirusTotal, Malware, DNS
  URLs (2):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
  Hosts (1):
    coroloboxorozor.com (no IP resolved) - malicious
  IDS alerts: none
  Score: 2.2
  Other columns: M | 52 | Zero

6090  2021-03-17 23:00
  Sample: scvhost900.exe  (MD5 d488957da746ffc43cf8b843c8452aa9)
  Tags: VirusTotal, Malware, Check memory, Checks debugger, unpack itself
  URLs (2):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
  Hosts / IDS alerts: none
  Score: 2.0
  Other columns: M | 45 | Zero