| 7231 |
2021-04-13 16:19
|
 regasm.exe 7166ec978025327fdb93b5b0d030da8c
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://gccorps.com/chief/kev/fre.php
|
2
gccorps.com(5.2.75.32)
185.212.131.111
|
|
|
12.6 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7232 |
2021-04-13 16:20
|
 FbApl.jpg 2c2cb2aa0782874d3c14cdd6f063f979
Process Kill FindFirstVolume CryptGenKey Antivirus VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Windows ComputerName DNS Cryptographic key |
|
2
u.teknik.io(5.79.72.163) - malware
5.79.72.163 - malware
|
|
|
10.2 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7233 |
2021-04-13 16:21
|
 winlog.exe 196192ae86384d7ffa0ea7e43ec7d640VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
3.2 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7234 |
2021-04-13 16:22
|
invoice_533512.doc deb5aa8655bc71b6c4e23b82fd44f067VirusTotal Malware exploit crash unpack itself Exploit DNS crashed |
|
|
|
|
3.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7235 |
2021-04-13 16:24
|
new.exe c36a3651ef04581af4045653f06112f0
Azorult .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
2
http://www.darrelbrodkemd.com/vu9b/?GF=DKgWlxbvssy6GDc3qFox94e9LyMrLuiA0aBh6vQ5eR+PiLixQVab2gSgw2bVtLslSfB0cozp&llvt=fTRHuZwpY2Pl0J
http://www.darrelbrodkemd.com/vu9b/
|
2
www.darrelbrodkemd.com(100.24.251.71) - mailcious
100.24.251.71 - mailcious
|
|
|
8.4 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7236 |
2021-04-13 16:24
|
 svchost.exe 10a6ee4d2adc0ebf2c35aa538c391622VirusTotal Malware unpack itself Remote Code Execution DNS |
|
|
|
|
2.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7237 |
2021-04-13 16:41
|
a9e09cd67ad4df01_zhxpwnkb2xox5... 38b02c707606809973c80710a99fcd07VirusTotal Malware Checks debugger unpack itself |
|
|
|
|
1.4 |
|
11 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7238 |
2021-04-13 18:09
|
 regasm.exe 7166ec978025327fdb93b5b0d030da8cBrowser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://gccorps.com/chief/kev/fre.php - rule_id: 935
|
2
gccorps.com(5.2.75.32) - mailcious
185.212.131.111 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://gccorps.com/chief/kev/fre.php
|
12.6 |
M |
10 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7239 |
2021-04-14 07:44
|
 %c4%90%e1%bb%81%20C%c6%b0%c6%a... 826864ae301ac28e4a146cfd90ec473eMalware download VirusTotal Malware Malicious Traffic unpack itself Windows DNS |
1
http://45.77.9.151/443.dll
|
1
|
6
ET INFO Dotted Quad Host DLL Request
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
|
|
5.4 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7240 |
2021-04-14 08:01
|
 vbc.exe 6cf0200d66b943e0c41ce00807ffe6c8FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Remote Code Execution DNS |
18
http://www.webgomo.com/u6nq/?jfIXkD=SJahp8ZgLKBLeEw+JP1CtZAjO/8RCCYuCYBr+ahXFSbTuZjNHmVgp8Kfz4Je2Pt/IjurR7iF&YPc=yVylp85xvxIXPV
http://www.xn--3bss1rzz1apulk7k.com/u6nq/
http://www.drinkjoisi.com/u6nq/?jfIXkD=HHLZx8uXdVEL5sIi4Qhl+dXD0XjsJeb2Y3TX8/ZiLqv3S+d10eFI57bZ+Tv9ScYahdp7TaH4&YPc=yVylp85xvxIXPV
http://www.legalopinion.guru/u6nq/
http://www.webgomo.com/u6nq/
http://www.nyclgbxyi.icu/u6nq/
http://www.xn--3bss1rzz1apulk7k.com/u6nq/?jfIXkD=R4wRqmGFPjH8JAb+A8lzOmKJPejSdwbfE+Ot6R13XYj1gCI5taOp9+IDE08PqvW/QAI/rZfv&YPc=yVylp85xvxIXPV
http://www.foivgohl.com/u6nq/?jfIXkD=YHvWfgyTeOO8vJz3Qr0CaGVWOjPM5DV68PGCAW/ufgQebwovY+nib4yut9ZTDzE2UXFvF8SK&YPc=yVylp85xvxIXPV
http://www.drinkjoisi.com/u6nq/
http://www.205southsignalstojai.com/u6nq/
http://www.legalopinion.guru/u6nq/?jfIXkD=D5mIrqti24HNtHmeGm2yPUY1hS7UiwTv12d5cjxJfuLLMvFCw4k9mM+pM/mMxbtRmkmPxt7v&YPc=yVylp85xvxIXPV
http://www.kenkelconsulting.com/u6nq/
http://www.nyclgbxyi.icu/u6nq/?jfIXkD=UXYrmMJ4u/B1+0WUExyHbxAt0m6f2mslIKSkRRcWxo5onae3DrFHsgQkCsGRGM+FoeqLQIti&YPc=yVylp85xvxIXPV
http://www.nubiaurquizopeluqueria.com/u6nq/?jfIXkD=hf/WfZBHYY4DdyGWkhub7RWq0Z7p5DE7Wbr3yBhKMx/2QIu4qyMRNQCZ6eRRdvBNtSfiWcZc&YPc=yVylp85xvxIXPV
http://www.foivgohl.com/u6nq/
http://www.nubiaurquizopeluqueria.com/u6nq/
http://www.kenkelconsulting.com/u6nq/?jfIXkD=ErxCIhrfUCX6Yp5sejZJtF+wo6Jo148aBDn7Fzy+yibKoXLFQcLoBP6k6zU4f2Fwwu1Afjl1&YPc=yVylp85xvxIXPV
http://www.205southsignalstojai.com/u6nq/?jfIXkD=6KwRkc8GCQPM+S+o9hKUwrpx/IpjrLCdEWb8uFULZjP+PN2NkxQcmVQosxnw4NrdoJLUPJkh&YPc=yVylp85xvxIXPV
|
24
www.webgomo.com(3.13.255.157)
www.drinkjoisi.com(34.102.136.180)
www.205southsignalstojai.com(184.168.131.241)
www.yourfaithinluck.com()
www.kenkelconsulting.com(34.102.136.180)
www.xn--3bss1rzz1apulk7k.com(103.149.26.92)
www.legalopinion.guru(35.186.238.101)
www.hvygcj.com(104.165.219.251)
www.hearts2give.com()
www.metropolitanez.net()
www.nyclgbxyi.icu(172.67.214.127)
www.setosahealth.com()
www.bluehensolutions.com()
www.foivgohl.com(210.152.86.230)
www.nubiaurquizopeluqueria.com(192.185.35.176)
35.186.238.101 - mailcious
52.15.160.167
104.21.86.40
192.185.35.176 - mailcious
103.149.26.92
34.102.136.180 - mailcious
184.168.131.241 - mailcious
210.152.86.230
104.165.219.251
|
3
ET MALWARE FormBook CnC Checkin (GET)
ET INFO HTTP POST Request to Suspicious *.icu domain
ET INFO DNS Query for Suspicious .icu Domain
|
|
8.8 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7241 |
2021-04-14 08:06
|
................................. dae55a5d59ed3f95a35a9ad4f633b358FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
22
http://www.eoapdj.com/qjnt/?MZkp=tDoVZ8LrXdfM2UePKwC2rJ8resXPJc2dnDhd6WgKQtKZKBlahDoyQOcxbwTJkNKzfSZAVv0R&U4kp=Ntx0ULGP4BTDMV0
http://www.investiose.info/qjnt/?MZkp=ZxcvZy8ZLczqtvfEla7uZ1L3KAM6BWVTFYDKbjT+DQ7ivFAcZk5kBU1oTK1xQfOK60beZP/V&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 876
http://www.frienzmusic.com/qjnt/
http://www.crochenista.com/qjnt/?MZkp=J6zJO2/PwCYDrPfd6ahXoqg8qe3TXVYRwNW46sX1F3TUCNiZ+HIDBehPRyNHfGKllpDSpMGn&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 788
http://www.libertyss.com/qjnt/?MZkp=T4Dbya7zRkj16kTLtWUPXPtW5SPliNL4iZJFD7KCtGJwUlsdNK5uEwEJh9hz3AP36X7VeJEk&U4kp=Ntx0ULGP4BTDMV0
http://www.frotaconceitos.com/qjnt/?MZkp=SklQbBNIGDp60jmvc81YaO0+TakJjqFF7kfS9N7pp+kjm4De+jDioVGollGezL8QEhW81teu&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 878
http://www.warriormovers.com/qjnt/?MZkp=ZloBTpog1XpNf+wk1FYIj/PbKl44EdMQG0QlJcdkzx7vf5IbO8Fhxe+U6jjqYB73pzbLmZvg&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 877
http://www.graniteinaminute.com/qjnt/ - rule_id: 875
http://www.graniteinaminute.com/qjnt/?MZkp=Kc40ChrvGMsz5sDUgJdI1Tm80ndRwqOobrZe5CnH/KVtq0OHhWuXcnL+C6x+hGBLT8rXGqGg&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 875
http://www.warriormovers.com/qjnt/ - rule_id: 877
http://www.phenomlearning.com/qjnt/?MZkp=WI8JaetFPlzEEOGlHcuNECQ5ajgQYI90CCACSj2nuajKFDjgs1eXlKD9lsoYQqmcwsae0cVZ&U4kp=Ntx0ULGP4BTDMV0
http://www.crochenista.com/qjnt/ - rule_id: 788
http://www.qs-industrial.com/qjnt/
http://www.phenomlearning.com/qjnt/
http://www.eoapdj.com/qjnt/
http://www.gailrichardson.com/qjnt/?MZkp=cQpYuVHVGObCoOy3oJObHgw0bCNAclVj5U/7sRdD/qRSo/tXEB2YKGAusTd/rcUBeGIQZ61D&U4kp=Ntx0ULGP4BTDMV0 - rule_id: 797
http://www.frotaconceitos.com/qjnt/ - rule_id: 878
http://www.gailrichardson.com/qjnt/ - rule_id: 797
http://www.qs-industrial.com/qjnt/?MZkp=Trcx7sIz3LbBEBUCXdOp/eOytLuMV8hMNa+9OSM+DuhSXGbAh0UZQVrA5aZ/AO5e9Gzf6ou7&U4kp=Ntx0ULGP4BTDMV0
http://www.frienzmusic.com/qjnt/?MZkp=dDSt6GS+2NiAQr9aRgBajSU7AtJ5Qx8lN5XbL7DZCOVbMbdHey2pr7C5pxf0UzYLijUZ73r2&U4kp=Ntx0ULGP4BTDMV0
http://www.libertyss.com/qjnt/
http://www.investiose.info/qjnt/ - rule_id: 876
|
24
www.frotaconceitos.com(23.227.38.74)
www.graniteinaminute.com(182.50.132.242)
www.phenomlearning.com(162.241.80.12)
www.frienzmusic.com(74.208.236.55)
www.investiose.info(34.102.136.180)
www.crochenista.com(162.241.216.98)
www.xjbpsh.net()
www.halostreams.net()
www.warriormovers.com(182.50.132.242)
www.libertyss.com(34.102.136.180)
www.eoapdj.com(45.39.88.198)
www.qs-industrial.com(50.118.194.27)
www.gailrichardson.com(52.58.78.16)
www.bhcsva.com()
23.95.122.25 - mailcious
74.208.236.55
162.241.80.12
45.39.88.198
52.58.78.16 - mailcious
34.102.136.180 - mailcious
182.50.132.242 - mailcious
50.118.194.27
162.241.216.98 - mailcious
23.227.38.74 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
12
http://www.investiose.info/qjnt/
http://www.crochenista.com/qjnt/
http://www.frotaconceitos.com/qjnt/
http://www.warriormovers.com/qjnt/
http://www.graniteinaminute.com/qjnt/
http://www.graniteinaminute.com/qjnt/
http://www.warriormovers.com/qjnt/
http://www.crochenista.com/qjnt/
http://www.gailrichardson.com/qjnt/
http://www.frotaconceitos.com/qjnt/
http://www.gailrichardson.com/qjnt/
http://www.investiose.info/qjnt/
|
4.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7242 |
2021-04-14 10:02
|
damianox.exe 3534cff2da4426a7b51d85b1296f0490
Azorult .NET framework AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
10.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7243 |
2021-04-14 10:04
|
 data.pdf e891577b2d323d94f32ccc6bc52eadd9VirusTotal Malware DNS |
|
1
|
|
|
3.4 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7244 |
2021-04-14 10:09
|
wealthx.exe f00ffaeabd21162b932ee541d469adff
AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key |
2
http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-13AD0F88B76E2403189110A8CCEDF6CA.html
https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-13AD0F88B76E2403189110A8CCEDF6CA.html
|
2
bornforthis.ml(104.21.17.57)
172.67.222.176
|
3
ET INFO DNS Query for Suspicious .ml Domain
ET INFO Suspicious Domain (*.ml) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7245 |
2021-04-14 13:45
|
https://newblogheresee.blogspo... 885b4b76fea2a5416dacad19f6c6a200
Antivirus Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
27
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://newblogheresee.blogspot.com/p/10.html
https://www.gstatic.com/og/_/js/k=og.qtm.en_US.T8yAM6CK-Po.O/rt=j/m=q_d,qawd,qmd,qsd,qmutsd,qapid/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtt/d=1/ed=1/rs=AA2YrTuuRoat3QFBNDnlCzQThfgcGSSOYA
https://www.google.com/css/maia.css
https://fonts.googleapis.com/css?family=Open+Sans:300
https://www.gstatic.com/og/_/ss/k=og.qtm.wAbcuUp7kU4.L.I9.O/m=qawd,qmd/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhbr,qhch,qhga,qhid,qhin,qhlo,qhmn,qhpc,qhpr,qhsf,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTvQzNaB0NuEvEIdM4vQJzSWN9x4uw
https://ssl.gstatic.com/gb/images/p1_c9bc74a1.png
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
https://www.google-analytics.com/analytics.js
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fnewblogheresee.blogspot.com%2Fp%2F10.html&bpli=1
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3922155243674983324&zx=6368326c-5617-4d33-8fa0-fb641f91753d
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.RrjSsKk8Szw.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8bhQb3qTfNhmC8kzOOB-dQGGlNzA/cb=gapi.loaded_0
https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff
https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
https://www.blogger.com/static/v1/widgets/1893845785-widgets.js
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
https://www.blogger.com/blogin.g?blogspotURL=https://newblogheresee.blogspot.com/p/10.html
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
https://www.blogger.com/img/blogger-logotype-color-black-1x.png
https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
https://newblogheresee.blogspot.com/favicon.ico
https://resources.blogblog.com/img/icon18_wrench_allbkg.png
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://newblogheresee.blogspot.com/p/10.html%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://newblogheresee.blogspot.com/p/10.html%26bpli%3D1&passive=true&go=true
|
22
newblogheresee.blogspot.com(172.217.25.97)
resources.blogblog.com(142.250.196.105)
www.google.com(172.217.161.36)
www.gstatic.com(172.217.175.3)
ssl.gstatic.com(172.217.174.99)
accounts.google.com(172.217.31.173)
www.google-analytics.com(216.58.197.238)
apis.google.com(216.58.197.142)
fonts.gstatic.com(172.217.175.227)
fonts.googleapis.com(172.217.174.106)
www.blogger.com(142.250.196.105)
142.250.66.106
172.217.24.78
216.58.199.9
142.250.66.137
172.217.25.3
216.58.200.4 - suspicious
142.250.66.99
172.217.161.129
216.58.221.237
142.250.66.46
142.250.66.67
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|