7231 | 2021-04-13 16:19
regasm.exe 7166ec978025327fdb93b5b0d030da8c | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software
1
  http://gccorps.com/chief/kev/fre.php
2
  gccorps.com(5.2.75.32)
  185.212.131.111
12.6 | | 10 | ZeroCERT

7232 | 2021-04-13 16:20
FbApl.jpg 2c2cb2aa0782874d3c14cdd6f063f979 | Process Kill FindFirstVolume CryptGenKey Antivirus VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Windows ComputerName DNS Cryptographic key
2
  u.teknik.io(5.79.72.163) - malware
  5.79.72.163 - malware
10.2 | M | 12 | ZeroCERT

7233 | 2021-04-13 16:21
winlog.exe 196192ae86384d7ffa0ea7e43ec7d640 | VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder
3.2 | M | 29 | ZeroCERT

7234 | 2021-04-13 16:22
invoice_533512.doc deb5aa8655bc71b6c4e23b82fd44f067 | VirusTotal Malware exploit crash unpack itself Exploit DNS crashed
3.6 | M | 23 | ZeroCERT

7235 | 2021-04-13 16:24
new.exe c36a3651ef04581af4045653f06112f0 | Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
2
  http://www.darrelbrodkemd.com/vu9b/?GF=DKgWlxbvssy6GDc3qFox94e9LyMrLuiA0aBh6vQ5eR+PiLixQVab2gSgw2bVtLslSfB0cozp&llvt=fTRHuZwpY2Pl0J
  http://www.darrelbrodkemd.com/vu9b/
2
  www.darrelbrodkemd.com(100.24.251.71) - mailcious
  100.24.251.71 - mailcious
8.4 | M | 18 | ZeroCERT

7236 | 2021-04-13 16:24
svchost.exe 10a6ee4d2adc0ebf2c35aa538c391622 | VirusTotal Malware unpack itself Remote Code Execution DNS
2.6 | M | 25 | ZeroCERT

7237 | 2021-04-13 16:41
a9e09cd67ad4df01_zhxpwnkb2xox5... 38b02c707606809973c80710a99fcd07 | VirusTotal Malware Checks debugger unpack itself
1.4 | | 11 | r0d

7238 | 2021-04-13 18:09
regasm.exe 7166ec978025327fdb93b5b0d030da8c | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software
1
  http://gccorps.com/chief/kev/fre.php - rule_id: 935
2
  gccorps.com(5.2.75.32) - mailcious
  185.212.131.111 - mailcious
7
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
1
  http://gccorps.com/chief/kev/fre.php
12.6 | M | 10 | r0d

7239 | 2021-04-14 07:44
%c4%90%e1%bb%81%20C%c6%b0%c6%a... 826864ae301ac28e4a146cfd90ec473e | Malware download VirusTotal Malware Malicious Traffic unpack itself Windows DNS
1
  http://45.77.9.151/443.dll
1
6
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
5.4 | | 29 | ZeroCERT

7240 | 2021-04-14 08:01
vbc.exe 6cf0200d66b943e0c41ce00807ffe6c8 | FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Remote Code Execution DNS
18
  http://www.webgomo.com/u6nq/?jfIXkD=SJahp8ZgLKBLeEw+JP1CtZAjO/8RCCYuCYBr+ahXFSbTuZjNHmVgp8Kfz4Je2Pt/IjurR7iF&YPc=yVylp85xvxIXPV
  http://www.xn--3bss1rzz1apulk7k.com/u6nq/
  http://www.drinkjoisi.com/u6nq/?jfIXkD=HHLZx8uXdVEL5sIi4Qhl+dXD0XjsJeb2Y3TX8/ZiLqv3S+d10eFI57bZ+Tv9ScYahdp7TaH4&YPc=yVylp85xvxIXPV
  http://www.legalopinion.guru/u6nq/
  http://www.webgomo.com/u6nq/
  http://www.nyclgbxyi.icu/u6nq/
  http://www.xn--3bss1rzz1apulk7k.com/u6nq/?jfIXkD=R4wRqmGFPjH8JAb+A8lzOmKJPejSdwbfE+Ot6R13XYj1gCI5taOp9+IDE08PqvW/QAI/rZfv&YPc=yVylp85xvxIXPV
  http://www.foivgohl.com/u6nq/?jfIXkD=YHvWfgyTeOO8vJz3Qr0CaGVWOjPM5DV68PGCAW/ufgQebwovY+nib4yut9ZTDzE2UXFvF8SK&YPc=yVylp85xvxIXPV
  http://www.drinkjoisi.com/u6nq/
  http://www.205southsignalstojai.com/u6nq/
  http://www.legalopinion.guru/u6nq/?jfIXkD=D5mIrqti24HNtHmeGm2yPUY1hS7UiwTv12d5cjxJfuLLMvFCw4k9mM+pM/mMxbtRmkmPxt7v&YPc=yVylp85xvxIXPV
  http://www.kenkelconsulting.com/u6nq/
  http://www.nyclgbxyi.icu/u6nq/?jfIXkD=UXYrmMJ4u/B1+0WUExyHbxAt0m6f2mslIKSkRRcWxo5onae3DrFHsgQkCsGRGM+FoeqLQIti&YPc=yVylp85xvxIXPV
  http://www.nubiaurquizopeluqueria.com/u6nq/?jfIXkD=hf/WfZBHYY4DdyGWkhub7RWq0Z7p5DE7Wbr3yBhKMx/2QIu4qyMRNQCZ6eRRdvBNtSfiWcZc&YPc=yVylp85xvxIXPV
  http://www.foivgohl.com/u6nq/
  http://www.nubiaurquizopeluqueria.com/u6nq/
  http://www.kenkelconsulting.com/u6nq/?jfIXkD=ErxCIhrfUCX6Yp5sejZJtF+wo6Jo148aBDn7Fzy+yibKoXLFQcLoBP6k6zU4f2Fwwu1Afjl1&YPc=yVylp85xvxIXPV
  http://www.205southsignalstojai.com/u6nq/?jfIXkD=6KwRkc8GCQPM+S+o9hKUwrpx/IpjrLCdEWb8uFULZjP+PN2NkxQcmVQosxnw4NrdoJLUPJkh&YPc=yVylp85xvxIXPV
24
  www.webgomo.com(3.13.255.157)
  www.drinkjoisi.com(34.102.136.180)
  www.205southsignalstojai.com(184.168.131.241)
  www.yourfaithinluck.com()
  www.kenkelconsulting.com(34.102.136.180)
  www.xn--3bss1rzz1apulk7k.com(103.149.26.92)
  www.legalopinion.guru(35.186.238.101)
  www.hvygcj.com(104.165.219.251)
  www.hearts2give.com()
  www.metropolitanez.net()
  www.nyclgbxyi.icu(172.67.214.127)
  www.setosahealth.com()
  www.bluehensolutions.com()
  www.foivgohl.com(210.152.86.230)
  www.nubiaurquizopeluqueria.com(192.185.35.176)
  35.186.238.101 - mailcious
  52.15.160.167
  104.21.86.40
  192.185.35.176 - mailcious
  103.149.26.92
  34.102.136.180 - mailcious
  184.168.131.241 - mailcious
  210.152.86.230
  104.165.219.251
3
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP POST Request to Suspicious *.icu domain
  ET INFO DNS Query for Suspicious .icu Domain
8.8 | | 28 | ZeroCERT

7241 | 2021-04-14 08:06
................................. dae55a5d59ed3f95a35a9ad4f633b358 | FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
22
  http://www.eoapdj.com/qjnt/?MZkp=tDoVZ8LrXdfM2UePKwC2rJ8resXPJc2dnDhd6WgKQtKZKBlahDoyQOcxbwTJkNKzfSZAVv0R&U4kp=Ntx0ULGP4BTDMV0
  http://www.investiose.info/qjnt/?MZkp=ZxcvZy8ZLczqtvfEla7uZ1L3KAM6BWVTFYDKbjT+DQ7ivFAcZk5kBU1oTK1xQfOK60beZP/V&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 876
  http://www.frienzmusic.com/qjnt/
  http://www.crochenista.com/qjnt/?MZkp=J6zJO2/PwCYDrPfd6ahXoqg8qe3TXVYRwNW46sX1F3TUCNiZ+HIDBehPRyNHfGKllpDSpMGn&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 788
  http://www.libertyss.com/qjnt/?MZkp=T4Dbya7zRkj16kTLtWUPXPtW5SPliNL4iZJFD7KCtGJwUlsdNK5uEwEJh9hz3AP36X7VeJEk&U4kp=Ntx0ULGP4BTDMV0
  http://www.frotaconceitos.com/qjnt/?MZkp=SklQbBNIGDp60jmvc81YaO0+TakJjqFF7kfS9N7pp+kjm4De+jDioVGollGezL8QEhW81teu&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 878
  http://www.warriormovers.com/qjnt/?MZkp=ZloBTpog1XpNf+wk1FYIj/PbKl44EdMQG0QlJcdkzx7vf5IbO8Fhxe+U6jjqYB73pzbLmZvg&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 877
  http://www.graniteinaminute.com/qjnt/ - rule_id: 875
  http://www.graniteinaminute.com/qjnt/?MZkp=Kc40ChrvGMsz5sDUgJdI1Tm80ndRwqOobrZe5CnH/KVtq0OHhWuXcnL+C6x+hGBLT8rXGqGg&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 875
  http://www.warriormovers.com/qjnt/ - rule_id: 877
  http://www.phenomlearning.com/qjnt/?MZkp=WI8JaetFPlzEEOGlHcuNECQ5ajgQYI90CCACSj2nuajKFDjgs1eXlKD9lsoYQqmcwsae0cVZ&U4kp=Ntx0ULGP4BTDMV0
  http://www.crochenista.com/qjnt/ - rule_id: 788
  http://www.qs-industrial.com/qjnt/
  http://www.phenomlearning.com/qjnt/
  http://www.eoapdj.com/qjnt/
  http://www.gailrichardson.com/qjnt/?MZkp=cQpYuVHVGObCoOy3oJObHgw0bCNAclVj5U/7sRdD/qRSo/tXEB2YKGAusTd/rcUBeGIQZ61D&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 797
  http://www.frotaconceitos.com/qjnt/ - rule_id: 878
  http://www.gailrichardson.com/qjnt/ - rule_id: 797
  http://www.qs-industrial.com/qjnt/?MZkp=Trcx7sIz3LbBEBUCXdOp/eOytLuMV8hMNa+9OSM+DuhSXGbAh0UZQVrA5aZ/AO5e9Gzf6ou7&U4kp=Ntx0ULGP4BTDMV0
  http://www.frienzmusic.com/qjnt/?MZkp=dDSt6GS+2NiAQr9aRgBajSU7AtJ5Qx8lN5XbL7DZCOVbMbdHey2pr7C5pxf0UzYLijUZ73r2&U4kp=Ntx0ULGP4BTDMV0
  http://www.libertyss.com/qjnt/
  http://www.investiose.info/qjnt/ - rule_id: 876
24
  www.frotaconceitos.com(23.227.38.74)
  www.graniteinaminute.com(182.50.132.242)
  www.phenomlearning.com(162.241.80.12)
  www.frienzmusic.com(74.208.236.55)
  www.investiose.info(34.102.136.180)
  www.crochenista.com(162.241.216.98)
  www.xjbpsh.net()
  www.halostreams.net()
  www.warriormovers.com(182.50.132.242)
  www.libertyss.com(34.102.136.180)
  www.eoapdj.com(45.39.88.198)
  www.qs-industrial.com(50.118.194.27)
  www.gailrichardson.com(52.58.78.16)
  www.bhcsva.com()
  23.95.122.25 - mailcious
  74.208.236.55
  162.241.80.12
  45.39.88.198
  52.58.78.16 - mailcious
  34.102.136.180 - mailcious
  182.50.132.242 - mailcious
  50.118.194.27
  162.241.216.98 - mailcious
  23.227.38.74 - mailcious
7
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET)
12
  http://www.investiose.info/qjnt/
  http://www.crochenista.com/qjnt/
  http://www.frotaconceitos.com/qjnt/
  http://www.warriormovers.com/qjnt/
  http://www.graniteinaminute.com/qjnt/
  http://www.graniteinaminute.com/qjnt/
  http://www.warriormovers.com/qjnt/
  http://www.crochenista.com/qjnt/
  http://www.gailrichardson.com/qjnt/
  http://www.frotaconceitos.com/qjnt/
  http://www.gailrichardson.com/qjnt/
  http://www.investiose.info/qjnt/
4.4 | M | 27 | ZeroCERT

7242 | 2021-04-14 10:02
damianox.exe 3534cff2da4426a7b51d85b1296f0490 | Azorult .NET framework AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed
10.6 | M | 21 | ZeroCERT

7243 | 2021-04-14 10:04
data.pdf e891577b2d323d94f32ccc6bc52eadd9 | VirusTotal Malware DNS
1
3.4 | M | 43 | ZeroCERT

7244 | 2021-04-14 10:09
wealthx.exe f00ffaeabd21162b932ee541d469adff | AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key
2
  http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-13AD0F88B76E2403189110A8CCEDF6CA.html
  https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-13AD0F88B76E2403189110A8CCEDF6CA.html
2
  bornforthis.ml(104.21.17.57)
  172.67.222.176
3
  ET INFO DNS Query for Suspicious .ml Domain
  ET INFO Suspicious Domain (*.ml) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | 35 | ZeroCERT

7245 | 2021-04-14 13:45
https://newblogheresee.blogspo... 885b4b76fea2a5416dacad19f6c6a200 | Antivirus Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
27
  https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
  https://newblogheresee.blogspot.com/p/10.html
  https://www.gstatic.com/og/_/js/k=og.qtm.en_US.T8yAM6CK-Po.O/rt=j/m=q_d,qawd,qmd,qsd,qmutsd,qapid/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtt/d=1/ed=1/rs=AA2YrTuuRoat3QFBNDnlCzQThfgcGSSOYA
  https://www.google.com/css/maia.css
  https://fonts.googleapis.com/css?family=Open+Sans:300
  https://www.gstatic.com/og/_/ss/k=og.qtm.wAbcuUp7kU4.L.I9.O/m=qawd,qmd/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTvQzNaB0NuEvEIdM4vQJzSWN9x4uw
  https://ssl.gstatic.com/gb/images/p1_c9bc74a1.png
  https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
  https://www.google-analytics.com/analytics.js
  https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fnewblogheresee.blogspot.com%2Fp%2F10.html&bpli=1
  https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3922155243674983324&zx=6368326c-5617-4d33-8fa0-fb641f91753d
  https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
  https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
  https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.RrjSsKk8Szw.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8bhQb3qTfNhmC8kzOOB-dQGGlNzA/cb=gapi.loaded_0
  https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff
  https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
  https://www.blogger.com/static/v1/widgets/1893845785-widgets.js
  https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
  https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
  https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
  https://www.blogger.com/blogin.g?blogspotURL=https://newblogheresee.blogspot.com/p/10.html
  https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
  https://www.blogger.com/img/blogger-logotype-color-black-1x.png
  https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
  https://newblogheresee.blogspot.com/favicon.ico
  https://resources.blogblog.com/img/icon18_wrench_allbkg.png
  https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://newblogheresee.blogspot.com/p/10.html%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://newblogheresee.blogspot.com/p/10.html%26bpli%3D1&passive=true&go=true
22
  newblogheresee.blogspot.com(172.217.25.97)
  resources.blogblog.com(142.250.196.105)
  www.google.com(172.217.161.36)
  www.gstatic.com(172.217.175.3)
  ssl.gstatic.com(172.217.174.99)
  accounts.google.com(172.217.31.173)
  www.google-analytics.com(216.58.197.238)
  apis.google.com(216.58.197.142)
  fonts.gstatic.com(172.217.175.227)
  fonts.googleapis.com(172.217.174.106)
  www.blogger.com(142.250.196.105)
  142.250.66.106
  172.217.24.78
  216.58.199.9
  142.250.66.137
  172.217.25.3
  216.58.200.4 - suspicious
  142.250.66.99
  172.217.161.129
  216.58.221.237
  142.250.66.46
  142.250.66.67
2
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
4.2 | | | ZeroCERT