#7576 | 2021-04-24 20:55 | submitted by ZeroCERT
File: info-33549970.xlsm (MD5 effeb6845cee0ab05c452d39f9e5382d)
Tags: VirusTotal, Malware, Check memory, unpack itself, Tofsee, crashed
Hosts (4): studio.joellemagazine.com (162.241.194.86), shapoorjipallonji.online (162.241.123.16), 162.241.194.86, 162.241.123.16
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 3.2 | 5

#7577 | 2021-04-24 21:02 | submitted by ZeroCERT
File: http://107.172.130.145/.-........ (MD5 e5d0475ba492d39bb533e3014c866d68)
Tags: AgentTesla, Malware download, VirusTotal, Malware, MachineGuid, Code Injection, Malicious Traffic, Checks debugger, exploit crash, unpack itself, Windows utilities, malicious URLs, Windows, Exploit, DNS, crashed
URLs (2):
  http://107.172.130.145/.-.......................-/http.dot
  http://107.172.130.145/me/http.exe
Hosts (1): not listed
Suricata alerts (6):
  ET INFO Possible RTF File With Obfuscated Version Header
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 7.6

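The dotted-quad alerts on entry 7577 fire on two observable facts: the Host header is a bare IPv4 address and the response body is a PE image. The following is an added example, not code from this page or from the Emerging Threats ruleset, that rebuilds that detection over a captured HTTP transaction. It does not reproduce the ET rule bodies; the checks, the finding names, the hostname downloads.example.test and every request/response body are this example's own constructions. Its one refinement over a plain "MZ" content match is to follow e_lfanew to the NT header, which rejects bodies that merely start with the letters MZ.

```python
"""Flag executable downloads from dotted-quad hosts in captured HTTP traffic.

Added example; it is not code from this sandbox page or from the Emerging
Threats ruleset. It approximates what the alerts on entry 7577 ("ET INFO
Executable Download from dotted-quad Host", "ET HUNTING SUSPICIOUS Dotted Quad
Host MZ Response") react to: a Host header that is a bare IPv4 address and a
response body that carries a PE image. The ET rule bodies are not reproduced;
the checks here, including the stricter PE validation through e_lfanew, are
this example's own logic, and every transaction below is constructed data.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class HttpTransaction:
    host: str          # request Host header, possibly with :port
    path: str
    status: int
    content_type: str  # response Content-Type
    body: bytes        # response body (constructed in this example)


def is_dotted_quad(host: str) -> bool:
    """True when Host is a literal IPv4 address such as 107.172.130.145[:port]."""
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.IPv4Address(name)
    except ValueError:
        return False
    return True


def looks_like_pe(body: bytes) -> bool:
    """Validate a PE image beyond the two-byte MZ magic.

    The DOS header stores e_lfanew, the offset of the NT header, at 0x3C;
    a real PE has the bytes 'PE\\0\\0' there. A body that merely starts with
    the letters MZ is rejected, which avoids the false positives of a plain
    content match on "MZ".
    """
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Content types under which a PE download is at least declared honestly.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
    "application/octet-stream",
}


def classify(tx: HttpTransaction) -> list[str]:
    """Findings for one request/response pair; the names are this example's own."""
    findings: list[str] = []
    if tx.status != 200 or not looks_like_pe(tx.body):
        return findings
    findings.append("pe-response")
    if is_dotted_quad(tx.host):
        findings.append("exe-from-dotted-quad")
    declared = tx.content_type.split(";")[0].strip().lower()
    if declared not in EXECUTABLE_TYPES:
        findings.append("mime-mismatch")  # server disguises the payload type
    return findings


def fake_pe(size: int = 0x100) -> bytes:
    """Constructed minimal PE-like blob: MZ magic and e_lfanew -> 'PE\\0\\0' at 0x80."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed transactions modelled on entry 7577's URLs; the hostname
# downloads.example.test and all bodies are invented for the example.
SAMPLE_TRAFFIC = [
    HttpTransaction("107.172.130.145", "/me/http.exe", 200,
                    "application/octet-stream", fake_pe()),
    HttpTransaction("107.172.130.145", "/.-.......................-/http.dot", 200,
                    "text/plain", fake_pe()),
    HttpTransaction("downloads.example.test", "/setup.exe", 200,
                    "application/x-msdownload", fake_pe()),
    HttpTransaction("107.172.130.145", "/notes.txt", 200,
                    "text/plain", b"MZ spelled out in text is not a PE header" + b"\0" * 0x40),
]


def scan(traffic: list[HttpTransaction]) -> list[tuple[str, list[str]]]:
    """Run classify over a capture; returns (host+path, findings) in input order."""
    return [(tx.host + tx.path, classify(tx)) for tx in traffic]


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_TRAFFIC):
        print(f"{url:60} {', '.join(findings) or '-'}")
```

The second constructed transaction is the interesting one: a PE served as text/plain from a path that is only dots and dashes, which is the "http.dot" pattern the page records. Keying on the PE structure rather than on the file extension or the declared type is what keeps that case visible.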
#7578 | 2021-04-24 21:09 | submitted by ZeroCERT
File: http.exe (MD5 53b0e38d2219a3ecbc04c80ec1faec1d)
Tags: AsyncRAT backdoor, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, unpack itself, Windows, DNS, Cryptographic key
Score: 5.8 | M | 23

#7579 | 2021-04-26 09:21 | submitted by ZeroCERT
File: local.exe (MD5 9820b61c2ef614e025f986fafa130e39)
Tags: none
Score: 0.6

#7580 | 2021-04-26 09:24 | submitted by ZeroCERT
File: apps.exe (MD5 cd155fbcc108d054d747ab4514f3cfd6)
Tags: VirusTotal, Malware, Code Injection, buffers extracted, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, suspicious TLD, Tofsee, Windows, Exploit, DNS, crashed
URLs (46):
https://exws.ru/css/themify-icons.css https://fonts.googleapis.com/css?family=Open+Sans:300,400,600%7CPoppins:300,400,500,600&subset=cyrillic https://exws.ru/downloads/js/vendor/isotope.pkgd.min.js https://exws.ru/downloads/js/main.js https://exws.ru/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js https://mc.yandex.ru/watch/36586115/1?callback=_ymjsp776041626&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=nb%3A1%3Acl%3A754%3Aar%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175915%3Aet%3A1619427555%3Ac%3A1%3Arn%3A620849982%3Arqn%3A2%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A%2C%2C%2C%2C%2C%2C%2C%2C6%2C13572%2C13636%2C3%2C13566%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427555&wmode=5 https://exws.ru/downloads/js/jquery.ajaxchimp.min.js https://exws.ru/images/logotype/logo-white.png https://mc.yandex.ru/metrika/advert.gif https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UNirkOVuhv.woff https://exws.ru/downloads/ https://exws.ru/images/logotype/logo-dark.png https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLDz8Z1xlEw.woff https://exws.ru/downloads/js/vendor/jquery-2.2.0.min.js https://exws.ru/favicon.ico https://use.fontawesome.com/releases/v5.0.6/js/all.js https://fonts.gstatic.com/s/opensans/v18/mem8YaGs126MiZpBA-UFUZ0d.woff https://exws.ru/downloads/js/style.changer.js https://exws.ru/css/sparkicons.css https://exws.ru/downloads/js/placeholder.js 
https://mc.yandex.ru/watch/36586115?callback=_ymjsp696528223&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afp%3A6737%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175855%3Aet%3A1619427536%3Ac%3A1%3Arn%3A611767612%3Arqn%3A1%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A0%2C0%2C0%2C3%2C1%2C1%2C1%2C22%2C%2C%2C%2C%2C%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427536%3At%3AEXWS.RU%20-%20%D0%A6%D0%B5%D0%BD%D1%82%D1%80%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%BE%D0%BA%20%D0%B8%20%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D0%B9&wmode=5 https://exws.ru/downloads/templates/default/default.css https://exws.ru/css/et-line.css https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OVuhv.woff 
https://mc.yandex.ru/watch/36586115?callback=_ymjsp776041626&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=nb%3A1%3Acl%3A754%3Aar%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175915%3Aet%3A1619427555%3Ac%3A1%3Arn%3A620849982%3Arqn%3A2%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A%2C%2C%2C%2C%2C%2C%2C%2C6%2C13572%2C13636%2C3%2C13566%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427555&wmode=5 https://www.free-kassa.ru/img/fk_btn/16.png https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLEj6Z1xlEw.woff https://exws.ru/downloads/js/jquery.magnific-popup.min.js https://exws.ru/downloads/usercp.php?msg=Требуется%20авторизация: https://exws.ru/css/bootstrap.min.css 
https://mc.yandex.ru/watch/36586115/1?callback=_ymjsp696528223&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afp%3A6737%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175855%3Aet%3A1619427536%3Ac%3A1%3Arn%3A611767612%3Arqn%3A1%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A0%2C0%2C0%2C3%2C1%2C1%2C1%2C22%2C%2C%2C%2C%2C%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427536%3At%3AEXWS.RU%20-%20%D0%A6%D0%B5%D0%BD%D1%82%D1%80%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%BE%D0%BA%20%D0%B8%20%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D0%B9&wmode=5 https://exws.ru/downloads/js/smoothscroll.js https://exws.ru/downloads/js/owl.carousel.min.js https://exws.ru/css/owl.carousel.css https://mc.yandex.ru/metrika/tag.js https://fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJfedA.woff https://exws.ru/css/magnific-popup.css https://exws.ru/css/style.css https://exws.ru/fonts/sparkicons.eot@wwjpvu https://exws.ru/images/screen/launcher.png https://informer.yandex.ru/informer/36586115/3_0_202020FF_000000FF_1_pageviews https://exws.ru/downloads/js/plugins.js https://exws.ru/downloads/login.php https://www.webmoney.ru/img/icons/88x31_wm_white_blue.png https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLGT9Z1xlEw.woff https://exws.ru/fonts/et-line.eot@
Hosts (16): exws.ru (104.21.55.21), informer.yandex.ru (93.158.134.119), fonts.googleapis.com (172.217.26.42), use.fontawesome.com (23.111.9.35), fonts.gstatic.com (216.58.220.131), www.webmoney.ru (145.239.95.188), www.free-kassa.ru (104.22.18.208), mc.yandex.ru (93.158.134.119), 23.111.9.35, 87.250.250.119, 104.22.18.208, 87.250.251.119, 51.254.201.70, 142.250.204.42, 216.58.220.195, 104.21.55.21
Suricata alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.4 | 14

#7581 | 2021-04-26 09:29 | submitted by ZeroCERT
File: 6eb374b32f94435381bd3f41b0ab76... (MD5 feb36e29ac649a1adec4fbcd1662bb42)
Tags: VirusTotal, Malware, DNS
Score: 1.8 | M | 51

#7582 | 2021-04-26 09:36 | submitted by guest
File: http://5.79.75.210/0beU0RimJU... (no hash shown)
Tags: Malware, Code Injection, Malicious Traffic, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
URLs (1): not listed
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 4.2 | M

#7583 | 2021-04-26 15:16 | submitted by r0d
File: mg20201223-1.exe (MD5 0a13d106fa3997a0c911edd5aa0e147a)
Tags: Ranumbot, VirusTotal, Malware, WriteConsoleW, DNS
Hosts (896):
140.95.1.190 140.95.1.191 140.95.1.192 140.95.1.193 140.95.1.194 140.95.1.195 140.95.1.196 140.95.1.197 140.95.1.198 140.95.1.199 140.95.3.114 140.95.3.115 140.95.3.112 140.95.3.113 140.95.3.110 140.95.3.111 140.95.1.58 140.95.1.59 140.95.1.52 140.95.1.53 140.95.1.50 140.95.1.51 140.95.1.56 140.95.1.57 140.95.1.54 140.95.1.55 140.95.2.226 140.95.1.169 140.95.1.168 140.95.1.165 140.95.1.164 140.95.1.167 140.95.1.166 140.95.1.161 140.95.1.160 140.95.1.163 140.95.1.162 140.95.3.116 140.95.3.117 140.95.2.230 140.95.3.118 140.95.2.220 140.95.1.66 140.95.0.142 140.95.0.143 140.95.0.140 140.95.0.141 140.95.0.146 140.95.0.147 140.95.0.144 140.95.0.145 140.95.2.140 140.95.2.141 140.95.0.148 140.95.0.149 140.95.2.144 140.95.2.145 140.95.2.146 140.95.2.147 140.95.2.158 140.95.2.71 140.95.0.128 140.95.2.18 140.95.2.72 140.95.2.75 140.95.2.74 140.95.2.77 140.95.0.129 140.95.2.79 140.95.2.78 140.95.2.153 140.95.1.228 140.95.1.229 140.95.1.226 140.95.1.150 140.95.1.224 140.95.1.225 140.95.1.222 140.95.1.223 140.95.1.220 140.95.1.151 140.95.2.99 140.95.2.150 140.95.2.93 140.95.2.157 140.95.2.91 140.95.2.90 140.95.2.97 140.95.2.96 140.95.2.95 140.95.2.156 140.95.2.243 140.95.0.120 140.95.2.241 140.95.2.240 140.95.2.247 140.95.2.155 140.95.2.245 140.95.0.121 140.95.2.249 140.95.2.154 140.95.3.18 140.95.3.19 140.95.3.14 140.95.0.91 140.95.3.16 140.95.3.17 140.95.3.10 140.95.3.11 140.95.3.12 140.95.0.90 140.95.1.16 140.95.1.17 140.95.1.14 140.95.1.15 140.95.1.12 140.95.1.13 140.95.1.10 140.95.1.11 140.95.1.18 140.95.1.19 140.95.1.121 140.95.1.120 140.95.1.123 140.95.1.122 140.95.1.125 140.95.1.124 140.95.1.127 140.95.0.27 140.95.1.129 140.95.1.128 140.95.1.136 140.95.0.32 140.95.1.134 140.95.1.135 140.95.0.37 140.95.1.133 140.95.1.63 140.95.1.62 140.95.1.61 140.95.1.60 140.95.1.67 140.95.1.130 140.95.1.65 140.95.1.64 140.95.1.69 140.95.1.131 140.95.1.154 140.95.1.155 140.95.1.156 140.95.1.157 140.95.0.99 140.95.0.98 140.95.1.152 140.95.1.153 140.95.0.95 140.95.0.94 140.95.0.97 
140.95.0.96 140.95.1.158 140.95.1.159 140.95.0.93 140.95.0.92 140.95.3.87 140.95.3.86 140.95.2.3 140.95.3.85 140.95.3.84 140.95.2.215 140.95.3.83 140.95.2.37 140.95.3.81 140.95.3.80 140.95.2.213 140.95.2.36 140.95.0.212 140.95.0.213 140.95.0.210 140.95.0.211 140.95.0.216 140.95.0.217 140.95.0.214 140.95.0.215 140.95.0.191 140.95.0.190 140.95.0.218 140.95.0.219 140.95.0.195 140.95.0.194 140.95.0.197 140.95.0.196 140.95.2.117 140.95.2.116 140.95.2.115 140.95.2.114 140.95.2.113 140.95.2.112 140.95.2.111 140.95.2.110 140.95.2.119 140.95.2.118 140.95.2.225 140.95.2.0 140.95.2.29 140.95.2.2 140.95.2.22 140.95.2.23 140.95.2.20 140.95.2.21 140.95.2.26 140.95.2.1 140.95.2.24 140.95.2.25 140.95.0.106 140.95.0.107 140.95.0.104 140.95.0.105 140.95.0.102 140.95.0.103 140.95.0.100 140.95.0.101 140.95.2.221 140.95.0.108 140.95.0.109 140.95.2.7 140.95.2.223 140.95.2.89 140.95.2.222 140.95.2.238 140.95.2.239 140.95.0.68 140.95.0.69 140.95.0.64 140.95.0.65 140.95.0.66 140.95.0.67 140.95.0.60 140.95.0.61 140.95.0.62 140.95.0.63 140.95.3.65 140.95.3.64 140.95.3.67 140.95.3.66 140.95.3.61 140.95.3.60 140.95.3.63 140.95.3.62 140.95.2.5 140.95.3.68 140.95.1.183 140.95.1.182 140.95.1.181 140.95.1.180 140.95.1.187 140.95.1.186 140.95.1.185 140.95.1.184 140.95.3.101 140.95.3.100 140.95.1.189 140.95.1.188 140.95.3.105 140.95.3.102 140.95.3.107 140.95.3.106 140.95.1.29 140.95.1.28 140.95.1.27 140.95.1.26 140.95.1.25 140.95.1.24 140.95.1.23 140.95.1.22 140.95.1.21 140.95.1.20 140.95.1.118 140.95.1.119 140.95.1.110 140.95.1.111 140.95.1.112 140.95.1.113 140.95.1.114 140.95.1.115 140.95.1.116 140.95.1.117 140.95.0.199 140.95.0.198 140.95.3.15 140.95.2.224 140.95.0.193 140.95.2.159 140.95.0.192 140.95.1.248 140.95.1.249 140.95.1.244 140.95.1.245 140.95.1.246 140.95.1.247 140.95.1.240 140.95.1.241 140.95.1.242 140.95.1.243 140.95.2.66 140.95.1.126 140.95.2.64 140.95.2.65 140.95.2.62 140.95.2.63 140.95.2.60 140.95.2.61 140.95.2.68 140.95.2.69 140.95.1.239 140.95.1.238 140.95.3.28 140.95.1.231 
140.95.1.230 140.95.1.233 140.95.1.232 140.95.1.235 140.95.1.234 140.95.1.237 140.95.1.236 140.95.2.88 140.95.2.148 140.95.2.149 140.95.2.80 140.95.2.81 140.95.2.82 140.95.2.83 140.95.2.84 140.95.2.85 140.95.2.86 140.95.2.87 140.95.3.119 140.95.3.21 140.95.3.20 140.95.3.23 140.95.3.22 140.95.3.25 140.95.3.24 140.95.3.27 140.95.3.26 140.95.3.29 140.95.2.151 140.95.2.11 140.95.2.13 140.95.2.12 140.95.0.254 140.95.0.255 140.95.0.252 140.95.0.253 140.95.0.250 140.95.0.251 140.95.0.155 140.95.0.159 140.95.0.157 140.95.0.156 140.95.0.151 140.95.0.150 140.95.0.153 140.95.0.158 140.95.2.143 140.95.2.15 140.95.2.227 140.95.2.14 140.95.2.28 140.95.2.6 140.95.0.154 140.95.2.19 140.95.0.15 140.95.0.14 140.95.0.17 140.95.0.16 140.95.0.11 140.95.0.10 140.95.0.13 140.95.0.12 140.95.0.19 140.95.0.18 140.95.0.152 140.95.2.231 140.95.2.27 140.95.2.236 140.95.1.70 140.95.1.71 140.95.1.72 140.95.1.73 140.95.1.74 140.95.1.75 140.95.1.76 140.95.1.77 140.95.1.78 140.95.1.79 140.95.2.152 140.95.1.147 140.95.1.146 140.95.0.80 140.95.1.144 140.95.1.143 140.95.1.142 140.95.1.141 140.95.1.140 140.95.0.88 140.95.0.89 140.95.2.237 140.95.1.149 140.95.1.148 140.95.1.200 140.95.1.201 140.95.1.202 140.95.1.203 140.95.1.204 140.95.1.205 140.95.1.206 140.95.1.207 140.95.1.208 140.95.1.209 140.95.2.73 140.95.2.76 140.95.0.164 140.95.0.165 140.95.0.166 140.95.0.167 140.95.0.160 140.95.0.161 140.95.0.162 140.95.0.163 140.95.0.168 140.95.0.169 140.95.2.122 140.95.2.123 140.95.2.120 140.95.2.121 140.95.2.126 140.95.2.127 140.95.2.124 140.95.2.125 140.95.2.128 140.95.2.129 140.95.2.59 140.95.2.58 140.95.2.57 140.95.2.56 140.95.2.55 140.95.2.54 140.95.2.53 140.95.2.52 140.95.2.51 140.95.2.50 140.95.0.111 140.95.0.110 140.95.0.113 140.95.0.112 140.95.0.115 140.95.0.114 140.95.0.117 140.95.0.116 140.95.0.119 140.95.0.118 140.95.0.1 140.95.0.0 140.95.0.3 140.95.0.2 140.95.0.5 140.95.0.4 140.95.0.7 140.95.0.6 140.95.0.9 140.95.0.8 140.95.3.89 140.95.3.88 140.95.0.51 140.95.0.50 140.95.0.53 140.95.0.52 
140.95.0.55 140.95.0.54 140.95.0.57 140.95.0.56 140.95.0.59 140.95.0.58 140.95.2.9 140.95.2.8 140.95.2.229 140.95.2.228 140.95.3.78 140.95.3.79 140.95.3.72 140.95.3.73 140.95.3.70 140.95.3.71 140.95.3.76 140.95.3.77 140.95.3.74 140.95.3.75 140.95.0.209 140.95.0.208 140.95.0.205 140.95.0.204 140.95.0.207 140.95.0.206 140.95.0.201 140.95.0.200 140.95.0.203 140.95.0.202 140.95.2.232 140.95.2.98 140.95.1.38 140.95.1.39 140.95.2.233 140.95.1.34 140.95.1.35 140.95.1.36 140.95.1.37 140.95.1.30 140.95.1.31 140.95.1.32 140.95.1.33 140.95.1.109 140.95.1.108 140.95.3.8 140.95.1.103 140.95.1.102 140.95.1.101 140.95.1.100 140.95.1.107 140.95.1.106 140.95.1.105 140.95.1.104 140.95.2.234 140.95.2.92 140.95.2.235 140.95.2.94 140.95.1.89 140.95.1.88 140.95.2.242 140.95.1.81 140.95.1.80 140.95.1.83 140.95.1.82 140.95.1.85 140.95.1.84 140.95.1.87 140.95.1.86 140.95.2.246 140.95.2.166 140.95.2.167 140.95.2.164 140.95.2.165 140.95.2.162 140.95.2.163 140.95.2.160 140.95.2.161 140.95.1.255 140.95.1.254 140.95.1.253 140.95.1.252 140.95.1.251 140.95.1.250 140.95.2.248 140.95.0.188 140.95.0.189 140.95.2.192 140.95.0.234 140.95.0.235 140.95.0.236 140.95.0.237 140.95.0.230 140.95.0.231 140.95.0.232 140.95.0.233 140.95.0.238 140.95.0.239 140.95.0.180 140.95.0.181 140.95.3.36 140.95.3.37 140.95.3.34 140.95.3.35 140.95.3.32 140.95.3.33 140.95.3.30 140.95.3.31 140.95.3.69 140.95.3.38 140.95.3.39 140.95.0.241 140.95.0.240 140.95.0.243 140.95.0.242 140.95.0.245 140.95.0.244 140.95.0.247 140.95.0.246 140.95.0.249 140.95.0.248 140.95.0.122 140.95.0.123 140.95.0.124 140.95.0.125 140.95.0.126 140.95.0.127 140.95.3.109 140.95.3.108 140.95.2.244 140.95.2.218 140.95.2.219 140.95.2.214 140.95.2.139 140.95.2.216 140.95.2.217 140.95.2.210 140.95.2.211 140.95.2.212 140.95.2.138 140.95.2.188 140.95.2.189 140.95.2.184 140.95.2.185 140.95.2.186 140.95.2.187 140.95.2.180 140.95.2.181 140.95.2.182 140.95.2.183 140.95.3.43 140.95.3.42 140.95.3.41 140.95.3.40 140.95.3.47 140.95.3.46 140.95.3.45 140.95.3.44 
140.95.3.49 140.95.3.48 140.95.3.103 140.95.2.136 140.95.3.126 140.95.3.104 140.95.3.123 140.95.3.122 140.95.3.121 140.95.3.120 140.95.3.127 140.95.2.133 140.95.3.125 140.95.3.124 140.95.2.132 140.95.1.45 140.95.1.44 140.95.1.47 140.95.1.46 140.95.1.41 140.95.1.40 140.95.1.43 140.95.1.42 140.95.2.70 140.95.1.49 140.95.1.48 140.95.1.172 140.95.1.173 140.95.1.170 140.95.1.171 140.95.1.176 140.95.1.177 140.95.1.174 140.95.1.175 140.95.1.178 140.95.1.179 140.95.1.213 140.95.1.212 140.95.1.211 140.95.1.210 140.95.1.217 140.95.1.216 140.95.1.215 140.95.1.214 140.95.1.219 140.95.1.218 140.95.2.203 140.95.3.13 140.95.1.68 140.95.0.82 140.95.0.83 140.95.2.202 140.95.1.145 140.95.0.81 140.95.2.142 140.95.0.86 140.95.0.87 140.95.0.177 140.95.0.176 140.95.0.175 140.95.0.174 140.95.0.173 140.95.0.172 140.95.0.171 140.95.0.170 140.95.2.135 140.95.2.134 140.95.2.137 140.95.0.85 140.95.2.131 140.95.2.130 140.95.0.179 140.95.0.178 140.95.2.168 140.95.2.169 140.95.2.48 140.95.2.49 140.95.2.44 140.95.2.39 140.95.2.46 140.95.2.47 140.95.2.40 140.95.2.41 140.95.2.42 140.95.2.38 140.95.2.45 140.95.3.94 140.95.3.95 140.95.3.96 140.95.3.97 140.95.3.90 140.95.3.91 140.95.3.92 140.95.3.93 140.95.3.98 140.95.3.99 140.95.0.46 140.95.0.47 140.95.0.44 140.95.0.45 140.95.0.42 140.95.0.43 140.95.0.40 140.95.0.41 140.95.3.0 140.95.2.10 140.95.2.43 140.95.0.48 140.95.0.49 140.95.3.1 140.95.2.17 140.95.0.20 140.95.2.4 140.95.0.21 140.95.0.22 140.95.0.23 140.95.2.16 140.95.0.24 140.95.0.25 140.95.0.33 140.95.1.137 140.95.0.31 140.95.0.30 140.95.1.132 140.95.0.36 140.95.0.35 140.95.0.34 140.95.0.39 140.95.0.38 140.95.1.138 140.95.1.139 140.95.0.28 140.95.0.29 140.95.0.26 140.95.2.209 140.95.2.208 140.95.2.67 140.95.2.207 140.95.2.206 140.95.2.205 140.95.2.204 140.95.1.98 140.95.1.99 140.95.1.96 140.95.1.97 140.95.1.94 140.95.1.95 140.95.1.92 140.95.1.93 140.95.1.90 140.95.1.91 140.95.2.201 140.95.1.227 140.95.2.200 140.95.2.171 140.95.2.170 140.95.2.173 140.95.2.172 140.95.2.175 140.95.2.174 
140.95.2.177 140.95.2.176 140.95.2.179 140.95.2.178 140.95.2.250 140.95.2.251 140.95.2.252 140.95.2.253 140.95.0.84 140.95.2.254 140.95.3.82 140.95.2.255 140.95.0.227 140.95.0.226 140.95.0.225 140.95.0.224 140.95.0.223 140.95.0.222 140.95.0.221 140.95.0.220 140.95.0.186 140.95.0.187 140.95.0.184 140.95.0.185 140.95.0.182 140.95.0.183 140.95.0.229 140.95.0.228 140.95.2.104 140.95.2.105 140.95.2.106 140.95.2.107 140.95.2.100 140.95.2.101 140.95.2.102 140.95.2.103 140.95.2.108 140.95.2.109 140.95.3.9 140.95.2.35 140.95.2.34 140.95.0.139 140.95.0.138 140.95.2.31 140.95.2.30 140.95.2.33 140.95.2.32 140.95.0.133 140.95.0.132 140.95.0.131 140.95.0.130 140.95.0.137 140.95.0.136 140.95.0.135 140.95.0.134 140.95.1.4 140.95.1.5 140.95.1.6 140.95.1.7 140.95.1.0 140.95.1.1 140.95.1.2 140.95.1.3 140.95.1.8 140.95.1.9 140.95.3.6 140.95.3.7 140.95.3.4 140.95.3.5 140.95.3.2 140.95.3.3 140.95.0.79 140.95.0.78 140.95.0.77 140.95.0.76 140.95.0.75 140.95.0.74 140.95.0.73 140.95.0.72 140.95.0.71 140.95.0.70 140.95.2.199 140.95.2.198 140.95.2.197 140.95.2.196 140.95.2.195 140.95.2.194 140.95.2.193 140.95.1.221 140.95.2.191 140.95.2.190 140.95.3.50 140.95.3.51 140.95.3.52 140.95.3.53 140.95.3.54 140.95.3.55 140.95.3.56 140.95.3.57 140.95.3.58 140.95.3.59
Suricata alerts (1):
  ET SCAN Potential SSH Scan OUTBOUND
Score: 3.2 | M | 57

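Entry 7583 contacts 896 addresses and trips only the outbound SSH scan rule; the host list is the tell, because 896 addresses in 140.95.0.0/22 with no gaps is range enumeration, not command-and-control. The following added example, which is not code from this page, turns that observation into a check: it regenerates the 896 addresses (140.95.0.0 through 140.95.3.127, as listed above) rather than pasting them, collapses the set into CIDR blocks, and scores the run with a heuristic of this example's own (the thresholds are assumptions). The 16 resolved addresses of entry 7580 are used as the contrasting, non-sweep input.

```python
"""Tell a host sweep from C2 traffic by collapsing a sandbox run's contacted IPs.

Added example; it is not code from this sandbox page. Entry 7583 lists 896
destination addresses and a single alert, "ET SCAN Potential SSH Scan
OUTBOUND". Instead of pasting the list, hosts_7583() regenerates it: the 896
addresses are exactly 140.95.0.0 through 140.95.3.127. The script collapses
the set into CIDR blocks and applies a heuristic that is this example's own
(its thresholds are assumptions): many hosts, few blocks, blocks almost
completely filled means the sample was enumerating a range, not beaconing.
The 16-host list of entry 7580 serves as the contrasting, non-sweep input.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class SweepVerdict:
    total_hosts: int
    blocks: list[str]        # collapsed CIDR blocks covering every host
    fill: float              # hosts / addresses in those blocks (1.0 = dense)
    is_sweep: bool


def collapse_hosts(hosts: list[str]) -> list[ipaddress.IPv4Network]:
    """Smallest set of networks that covers exactly the given hosts (sorted)."""
    singles = [ipaddress.ip_network(h) for h in set(hosts)]   # one /32 per host
    return list(ipaddress.collapse_addresses(singles))


def per_prefix_fill(hosts: list[str], prefixlen: int = 24) -> dict[str, int]:
    """Distinct hosts per /prefixlen; shows which ranges were enumerated."""
    counts: Counter[str] = Counter()
    for h in set(hosts):
        net = ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(sorted(counts.items()))


def sweep_verdict(hosts: list[str], min_hosts: int = 64, max_blocks: int = 8,
                  min_fill: float = 0.9) -> SweepVerdict:
    """Assumed heuristic: a sweep touches many hosts in few, densely filled blocks."""
    blocks = collapse_hosts(hosts)
    total = len(set(hosts))
    covered = sum(n.num_addresses for n in blocks)
    fill = total / covered if covered else 0.0
    is_sweep = total >= min_hosts and len(blocks) <= max_blocks and fill >= min_fill
    return SweepVerdict(total, [str(n) for n in blocks], fill, is_sweep)


def hosts_7583() -> list[str]:
    """Regenerate the 896 addresses of entry 7583: 140.95.0.0 .. 140.95.3.127."""
    base = int(ipaddress.IPv4Address("140.95.0.0"))
    return [str(ipaddress.IPv4Address(base + i)) for i in range(896)]


# Resolved addresses from entry 7580 (duplicates as on the page), for contrast.
HOSTS_7580 = [
    "104.21.55.21", "93.158.134.119", "172.217.26.42", "23.111.9.35",
    "216.58.220.131", "145.239.95.188", "104.22.18.208", "93.158.134.119",
    "23.111.9.35", "87.250.250.119", "104.22.18.208", "87.250.251.119",
    "51.254.201.70", "142.250.204.42", "216.58.220.195", "104.21.55.21",
]


if __name__ == "__main__":
    for label, hosts in (("7583", hosts_7583()), ("7580", HOSTS_7580)):
        v = sweep_verdict(hosts)
        print(f"entry {label}: {v.total_hosts} hosts, {len(v.blocks)} blocks "
              f"{v.blocks}, fill {v.fill:.2f}, sweep={v.is_sweep}")
    print(per_prefix_fill(hosts_7583()))
```

For entry 7583 the 896 hosts collapse to three blocks (140.95.0.0/23, 140.95.2.0/24, 140.95.3.0/25) that are completely filled, so the verdict is a sweep; entry 7580's twelve distinct addresses stay twelve unrelated /32s and are not. The per-/24 view makes the enumeration order visible: three full /24s and half of the fourth, which is where the sandbox run was cut off.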
#7584 | 2021-04-26 15:29 | submitted by r0d
File: regasm3.exe (MD5 92ac3623e3748c80f1e1ea0db2fa60e6)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://bncoporations.cf/Bn1/fre.php
Hosts (1): bncoporations.cf (unresolved) - malicious
Suricata alerts (1):
  ET INFO DNS Query for Suspicious .cf Domain
Score: 7.8 | M | 44

#7585 | 2021-04-26 15:35 | submitted by r0d
File: regasm3.exe (MD5 92ac3623e3748c80f1e1ea0db2fa60e6)
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://bncoporations.cf/Bn1/fre.php
Hosts (1): bncoporations.cf (unresolved) - malicious
Suricata alerts (1):
  ET INFO DNS Query for Suspicious .cf Domain
Score: 7.8 | M | 44

#7586 | 2021-04-26 17:59 | submitted by ZeroCERT
File: winlog.exe (MD5 4b233f24f3a1a17bb7e23f49e7589806)
Tags: PWS, .NET framework, Malicious Library, AsyncRAT backdoor, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, AppData folder, Windows, Cryptographic key
Score: 9.6 | M | 24

#7587 | 2021-04-26 18:00 | submitted by ZeroCERT
File: file (MD5 45a0cfbd6749929ebd451bd5a04120e4)
Tags: Code Injection, Creates executable files, ICMP traffic, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
URLs (9):
https://www.googletagmanager.com/gtag/js?id=UA-829541-1 https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T https://www.aaxdetect.com/pxext.gif https://c.aaxads.com/aax.js?pub=AAX3221EY&hst=&ver=1.2 https://www.google-analytics.com/plugins/ua/ec.js https://c.aaxads.com/pxusr.gif https://cdn.otnolatrnup.com/Scripts/infinity.js.aspx?guid=5ff0fb62-0643-4ff1-aaee-c737f9ffc0e0 https://www.google-analytics.com/analytics.js https://l3.aaxads.com/log?___stu13p=aveoaamactga5dnnuee25ti2rm86bcrodqacb&lwbsh=AAX&dewh=SSP_CLIENT_control&dgeg=0&dgw=desktop&flg=AAX3221EY&fw=YONGDONG&ff=KR&xjg=4&dss=0&skw=899&slg=8PR6YK195&gq=&vhuyqdph=rtb-nv-dcos-ssp-10-6-46-228-14293&vg=-1&vyu=042211_229_042211_95_ssp&vf=&yhuvlrq=4&yk=899&yz=1365&yvlg=&ylg=00001619427471141029496787422051&vvsDeExfnhw=CONTROL&qsd=0&oz=0&gdss=green&uwbsh=&jgsu_hqi=1&fvha=0&jgivwu=&jgsu=0&fvvwu=&wfi_fps=&wfi_vwdwxv=&wfi_sus=&vxf=0&xvs_hqi=1&xvs_vwdwxv=0&xvs_ogi=&xvs_vwulqj=&xifd=-1&frssd_vwdwxv=&frssd_dssolhg=&jixqgo=1600&jwg=100&lqlg=&qjixqgo=1700&ugo=800&lg_ghwdlov=°=2&gvwduw=138&ghqg=420&sf=&uhtxuo=file%3A%2F%2F%2FC%3A%2FUsers%2Ftest22%2FAppData%2FLocal%2FTemp%2Ffile.html&nzui=
Hosts (17): www.googletagmanager.com (142.250.196.104), www.aaxdetect.com (104.75.34.8), c.aaxads.com (104.75.22.243), translate.google.com (172.217.26.46), cdn.otnolatrnup.com (104.19.214.37), l3.aaxads.com (104.75.22.243), static.mediafire.com (104.16.202.237), www.google-analytics.com (216.58.197.174), 104.19.215.37, 142.250.66.110, 104.16.203.237 - malicious, 142.250.204.142, 216.58.197.110, 104.75.34.8, 104.75.22.243, 142.250.204.72, 104.16.202.237 - malicious
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 6.6

#7588 | 2021-04-26 18:02 | submitted by ZeroCERT
File: svchost.exe (MD5 33293b91e0212a207697a9248bc10ed5)
Tags: PWS, .NET framework, Malicious Library, AsyncRAT backdoor, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Detects VirtualBox, suspicious process, VMware, anti-virtualization, Windows, ComputerName, Cryptographic key, Software
Score: 11.2 | M | 18

#7589 | 2021-04-26 18:02 | submitted by ZeroCERT
File: regasm.exe (MD5 8228bdbc0be3433aa24927fda1903650)
Tags: PWS, Loki, Malicious Library, AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software
URLs (1):
  http://elringklinsger.com/chief/dv2/blly/fre.php
Hosts (1): not listed
Score: 16.0 | 14

#7590 | 2021-04-26 18:04 | submitted by ZeroCERT
File: winlog.exe (MD5 b49746e926f5e9398910a1c72f5c8aa6)
Tags: PWS, .NET framework, Loki, Malicious Library, AsyncRAT backdoor, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, suspicious TLD, installed browsers check, Windows, Browser, Email, ComputerName, Cryptographic key, Software
URLs (1):
  http://techarnise.ru/fb20/fre.php
Hosts (2): techarnise.ru (47.91.76.92), 47.91.76.92
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 13.0 | 15