| 7636 |
2021-04-27 16:46
|
http://union.jctrip.cn/wp-incl... 8d7c388e144427e46654e1f1d75de590
AgentTesla Vulnerability VirusTotal Malware MachineGuid Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
https://unimedunihealth.com/product/edysta/
https://lopika.buzz/?u=k8pp605&o=c9ewtnr&t=redn
|
10
astrologiaexistencial.com(31.22.4.229) - malware
www.dirgantaratuba.com(103.247.9.184) - mailcious
lopika.buzz(5.8.47.52)
union.jctrip.cn(8.131.69.203) - mailcious
unimedunihealth.com(104.21.60.205) - mailcious
5.8.47.52
8.131.69.203
31.22.4.229
103.247.9.184
172.67.201.73
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7637 |
2021-04-27 16:48
|
test.exe d2be9aab83d330520dbd61c621ffede3
PWS .NET framework Malicious Library AsyncRAT backdoor Dridex TrickBot VirusTotal Malware Kovter DNS |
|
2
2.tcp.ngrok.io(52.14.18.129) - mailcious
3.131.207.170
|
3
ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
SURICATA Applayer Mismatch protocol both directions
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
|
|
1.2 |
M |
49 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7638 |
2021-04-27 17:15
|
regasm.exe 4d1a1e438fee82fce40619bbb27f4209Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software |
1
http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
|
2
superomline.com(185.209.1.144) - mailcious
185.209.1.144 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://superomline.com/chief/dv2/mcee/fre.php
|
8.6 |
M |
35 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7639 |
2021-04-27 17:19
|
regasm.exe 4d1a1e438fee82fce40619bbb27f4209Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software |
1
http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
|
2
superomline.com(185.209.1.144) - mailcious
185.209.1.144 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://superomline.com/chief/dv2/mcee/fre.php
|
8.6 |
M |
35 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7640 |
2021-04-27 17:30
|
regasm.exe 4d1a1e438fee82fce40619bbb27f4209Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software |
1
http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
|
2
superomline.com(185.209.1.144) - mailcious
185.209.1.144 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://superomline.com/chief/dv2/mcee/fre.php
|
8.6 |
M |
35 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7641 |
2021-04-27 17:39
|
regasm.exe 4d1a1e438fee82fce40619bbb27f4209Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software |
1
http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
|
2
superomline.com(185.209.1.144) - mailcious
185.209.1.144 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://superomline.com/chief/dv2/mcee/fre.php
|
8.6 |
M |
35 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7642 |
2021-04-28 07:42
|
 195145.exe 5b5a730628dc9eba2c12530d225c2f70VirusTotal Malware Malicious Traffic RWX flags setting suspicious process ComputerName DNS |
2
http://dimentos.com/bg
http://dimentos.com/btn_bg
|
1
|
|
|
4.4 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7643 |
2021-04-28 09:13
|
vbc.exe 7dcb1f913eec25bc07aced21d9c1dc5d
PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7644 |
2021-04-28 09:25
|
tret.exe ee1db7f0ad39df1af6eb5166447b1471VirusTotal Malware unpack itself Remote Code Execution DNS crashed |
|
|
|
|
2.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7645 |
2021-04-28 09:25
|
zabax.exe 5ad242aab1bad0f0128498aee4878c2f
PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
7.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7646 |
2021-04-28 09:28
|
 reg.exe 4223fe49bf944c3dcc33270c0ddf6033
PWS .NET framework Loki Malicious Library AsyncRAT backdoor Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities malicious URLs installed browsers check Windows Browser Email ComputerName Trojan Cryptographic key Software |
1
http://amrp.tw/kayo/gate.php
|
2
amrp.tw(35.247.234.230) - mailcious
35.247.234.230 - mailcious
|
8
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
14.2 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7647 |
2021-04-28 09:28
|
mazx.exe 342d651660cf2b0587d25f343aff786f
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
|
2
ldvamlwhdpetnyn.ml(172.67.208.174)
172.67.208.174
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
|
14.8 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7648 |
2021-04-28 09:29
|
dl2.exe c4539adb4566822ab8dfe45aa3d5ca63VirusTotal Malware Remote Code Execution DNS |
|
|
|
|
1.8 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7649 |
2021-04-28 09:32
|
...................dot d89c98c484e9c5a9b95118076be9258aMalware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
1
http://192.3.22.5/ch/svch.exe
|
2
192.3.22.5 - mailcious
194.5.98.208
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7650 |
2021-04-28 09:40
|
mazx.exe 342d651660cf2b0587d25f343aff786fBrowser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
4
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
|
2
ldvamlwhdpetnyn.ml(172.67.208.174)
104.21.85.176
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
2
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
|
13.2 |
M |
19 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|