7636 | 2021-04-27 16:46
Sample: http://union.jctrip.cn/wp-incl... | MD5: 8d7c388e144427e46654e1f1d75de590
Tags: AgentTesla Vulnerability VirusTotal Malware MachineGuid Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (2): https://unimedunihealth.com/product/edysta/ ; https://lopika.buzz/?u=k8pp605&o=c9ewtnr&t=redn
Hosts (10): astrologiaexistencial.com(31.22.4.229) - malware ; www.dirgantaratuba.com(103.247.9.184) - malicious ; lopika.buzz(5.8.47.52) ; union.jctrip.cn(8.131.69.203) - malicious ; unimedunihealth.com(104.21.60.205) - malicious ; 5.8.47.52 ; 8.131.69.203 ; 31.22.4.229 ; 103.247.9.184 ; 172.67.201.73
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.2 | M | | User: guest
7637 | 2021-04-27 16:48
Sample: test.exe | MD5: d2be9aab83d330520dbd61c621ffede3
Tags: PWS .NET framework Malicious Library AsyncRAT backdoor Dridex TrickBot VirusTotal Malware Kovter DNS
Hosts (2): 2.tcp.ngrok.io(52.14.18.129) - malicious ; 3.131.207.170
Alerts (3): ET POLICY DNS Query to a *.ngrok domain (ngrok.io) ; SURICATA Applayer Mismatch protocol both directions ; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
Score: 1.2 | M | 49 | User: r0d
7638 | 2021-04-27 17:15
Sample: regasm.exe | MD5: 4d1a1e438fee82fce40619bbb27f4209
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - malicious ; 185.209.1.144 - malicious
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2 ; ET MALWARE LokiBot Fake 404 Response
Additional URLs (1): http://superomline.com/chief/dv2/mcee/fre.php
Score: 8.6 | M | 35 | User: r0d
7639 | 2021-04-27 17:19
Sample: regasm.exe | MD5: 4d1a1e438fee82fce40619bbb27f4209
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - malicious ; 185.209.1.144 - malicious
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2 ; ET MALWARE LokiBot Fake 404 Response ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Additional URLs (1): http://superomline.com/chief/dv2/mcee/fre.php
Score: 8.6 | M | 35 | User: r0d
7640 | 2021-04-27 17:30
Sample: regasm.exe | MD5: 4d1a1e438fee82fce40619bbb27f4209
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - malicious ; 185.209.1.144 - malicious
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ; ET MALWARE LokiBot Fake 404 Response
Additional URLs (1): http://superomline.com/chief/dv2/mcee/fre.php
Score: 8.6 | M | 35 | User: r0d
7641 | 2021-04-27 17:39
Sample: regasm.exe | MD5: 4d1a1e438fee82fce40619bbb27f4209
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - malicious ; 185.209.1.144 - malicious
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2 ; ET MALWARE LokiBot Fake 404 Response
Additional URLs (1): http://superomline.com/chief/dv2/mcee/fre.php
Score: 8.6 | M | 35 | User: r0d
7642 | 2021-04-28 07:42
Sample: 195145.exe | MD5: 5b5a730628dc9eba2c12530d225c2f70
Tags: VirusTotal Malware Malicious Traffic RWX flags setting suspicious process ComputerName DNS
URLs (2): http://dimentos.com/bg ; http://dimentos.com/btn_bg
Hosts (1):
Score: 4.4 | | 10 | User: ZeroCERT
7643 | 2021-04-28 09:13
Sample: vbc.exe | MD5: 7dcb1f913eec25bc07aced21d9c1dc5d
Tags: PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
Score: 11.8 | M | 29 | User: ZeroCERT
7644 | 2021-04-28 09:25
Sample: tret.exe | MD5: ee1db7f0ad39df1af6eb5166447b1471
Tags: VirusTotal Malware unpack itself Remote Code Execution DNS crashed
Score: 2.8 | | 22 | User: ZeroCERT
7645 | 2021-04-28 09:25
Sample: zabax.exe | MD5: 5ad242aab1bad0f0128498aee4878c2f
Tags: PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
Score: 7.8 | | 26 | User: ZeroCERT
7646 | 2021-04-28 09:28
Sample: reg.exe | MD5: 4223fe49bf944c3dcc33270c0ddf6033
Tags: PWS .NET framework Loki Malicious Library AsyncRAT backdoor Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities malicious URLs installed browsers check Windows Browser Email ComputerName Trojan Cryptographic key Software
URLs (1): http://amrp.tw/kayo/gate.php
Hosts (2): amrp.tw(35.247.234.230) - malicious ; 35.247.234.230 - malicious
Alerts (8): ET MALWARE Trojan Generic - POST To gate.php with no referer ; ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2 ; ET MALWARE LokiBot Fake 404 Response
Score: 14.2 | | 19 | User: ZeroCERT
7647 | 2021-04-28 09:28
Sample: mazx.exe | MD5: 342d651660cf2b0587d25f343aff786f
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (2): http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html ; http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
Hosts (2): ldvamlwhdpetnyn.ml(172.67.208.174) ; 172.67.208.174
Alerts (1): ET INFO DNS Query for Suspicious .ml Domain
Score: 14.8 | | 19 | User: ZeroCERT
7648 | 2021-04-28 09:29
Sample: dl2.exe | MD5: c4539adb4566822ab8dfe45aa3d5ca63
Tags: VirusTotal Malware Remote Code Execution DNS
Score: 1.8 | M | 7 | User: ZeroCERT
7649 | 2021-04-28 09:32
Sample: ...................dot | MD5: d89c98c484e9c5a9b95118076be9258a
Tags: Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (1): http://192.3.22.5/ch/svch.exe
Hosts (2): 192.3.22.5 - malicious ; 194.5.98.208
Alerts (5): ET INFO Executable Download from dotted-quad Host ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ; ET POLICY PE EXE or DLL Windows file download HTTP ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 6.2 | M | 28 | User: ZeroCERT
7650 | 2021-04-28 09:40
Sample: mazx.exe | MD5: 342d651660cf2b0587d25f343aff786f
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (4): http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html - rule_id: 1176 ; http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html ; http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html - rule_id: 1176 ; http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
Hosts (2): ldvamlwhdpetnyn.ml(172.67.208.174) ; 104.21.85.176
Alerts (1): ET INFO DNS Query for Suspicious .ml Domain
Additional URLs (2): http://ldvamlwhdpetnyn.ml/liverpool-fc-news/ ; http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
Score: 13.2 | M | 19 | User: guest