| 7501 |
2021-04-22 17:22
|
 regasm.exe 07da81ad26a1698f87210276d494a47b
Glupteba VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
1
|
|
|
3.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7502 |
2021-04-22 17:23
|
 melo.jpg.exe 82b9be6f5cc10510495e9a3368683747
Process Kill FindFirstVolume CryptGenKey Antivirus VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
5
http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:2713802909&cup2hreq=8cab5512950206d82ca4581cc9d1ccfba8c54dfd64bf2baf0aa7e90da4734256
https://paste.ee/r/p7EHC
https://paste.ee/r/oSlYJ
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
5
paste.ee(104.26.4.223) - mailcious
edgedl.gvt1.com(142.250.34.2)
142.250.204.110
142.250.34.2
104.26.5.223 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
|
|
13.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7503 |
2021-04-22 18:07
|
regasm3.exe 92ac3623e3748c80f1e1ea0db2fa60e6Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
1
http://bncoporations.cf/Bn1/fre.php
|
1
|
1
ET INFO DNS Query for Suspicious .cf Domain
|
|
7.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7504 |
2021-04-22 18:07
|
regasm2.exe 45cedd5a027ea7c1ed4225993caeadbdBrowser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://qrnigroup.xyz/chief/dv2/mcee/fre.php
|
2
qrnigroup.xyz(193.233.75.49)
193.233.75.49
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
9.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7505 |
2021-04-22 18:09
|
 vbc.exe 58d0d12b0154f392ecfb42d58423410cBrowser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://issth.com/chief/dav/fre.php
|
2
issth.com(185.209.1.112)
193.233.75.49
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
14.6 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7506 |
2021-04-22 18:11
|
 regasm4.exe 9826149259eccf734d45bd71270e51a0
PWS .NET framework AsyncRAT backdoor VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
2.2 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7507 |
2021-04-22 18:17
|
 win322.exe ba4e0f120566235da275e3039eb7b4ea
PWS .NET framework AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AppData folder Windows Cryptographic key |
|
|
|
|
9.8 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7508 |
2021-04-22 18:17
|
 win32.exe 5142ebebd753168ef8dcb4614b2af84f
PWS .NET framework AsyncRAT backdoor VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName DNS Cryptographic key |
|
|
|
|
2.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7509 |
2021-04-22 18:22
|
 IMG_045_00_37_3210.pdf.exe 99e0c2ac9236cfedc7dbeffdde956fe2
KeyBase Keylogger VirusTotal Malware malicious URLs ComputerName |
|
2
zvv.asia(45.133.1.27)
45.133.1.27 - mailcious
|
|
|
3.2 |
M |
28 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7510 |
2021-04-22 18:25
|
 IMG_10540078520047.pdf.exe 0584b79b0075099a377c30ffa0bfee28
KeyBase Keylogger Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.161.70)
131.186.161.70
104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
M |
17 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7511 |
2021-04-22 18:36
|
regasm3.exe 92ac3623e3748c80f1e1ea0db2fa60e6Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
|
1
bncoporations.cf() - mailcious
|
1
ET INFO DNS Query for Suspicious .cf Domain
|
|
7.4 |
M |
22 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7512 |
2021-04-22 18:43
|
regasm3.exe 92ac3623e3748c80f1e1ea0db2fa60e6Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
|
1
bncoporations.cf() - mailcious
|
1
ET INFO DNS Query for Suspicious .cf Domain
|
|
7.4 |
M |
22 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7513 |
2021-04-22 22:02
|
O28C.dll d0b30b11795c869a2d3c83be6761067b
Emotet VirusTotal Malware Checks debugger RWX flags setting unpack itself sandbox evasion Windows Cryptographic key |
|
|
|
|
3.6 |
|
49 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7514 |
2021-04-23 09:54
|
 catalog-1600996489.xlsm aae89be1368bd7f31a17df732c50520cCheck memory unpack itself Tofsee crashed |
|
4
eletrocoghi.com.br(192.185.216.95)
ozmontelectrical.com(162.144.12.242)
162.144.12.242
192.185.216.95 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7515 |
2021-04-23 09:55
|
 catalog-1604441556.xlsm 414c41ce670225a38e8c4aeda37df315Check memory unpack itself Tofsee DNS crashed |
|
4
ozmontelectrical.com(162.144.12.242)
eletrocoghi.com.br(192.185.216.95)
192.185.216.95 - malware
162.144.12.242
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|