| 7711 |
2021-04-28 18:31
|
 IMG_88134.exe 4d0b19cd29e6c8ce724607b85771de8d
AsyncRAT backdoor Antivirus AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
4
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-935E964B23126C54BA3A2FFC8EA154CE.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-258E48939AFC85C28CC3028886F4A492.html - rule_id: 1176
http://45.14.115.62:5405//
https://api.ip.sb/geoip
|
5
ldvamlwhdpetnyn.ml(172.67.208.174) - mailcious
api.ip.sb(172.67.75.172)
45.14.115.62
172.67.75.172
172.67.208.174
|
3
ET INFO DNS Query for Suspicious .ml Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
2
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
|
18.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7712 |
2021-04-29 07:19
|
 Startup%20Host.exe 8b6cf8530332474edbdec4dd82292a02
PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself suspicious process WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
3.6 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7713 |
2021-04-29 07:27
|
 vbc.exe 9644a199c0d74c2f223b042b93899333
Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.4 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7714 |
2021-04-29 07:27
|
 chrome.exe 9a802cbec55102eee639f4f3034e452f
Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Checks debugger buffers extracted exploit crash unpack itself malicious URLs Windows Exploit Cryptographic key crashed |
|
|
|
|
10.4 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7715 |
2021-04-29 07:30
|
m.dot b733cd69833b58ee8e56e8ca6212966b
AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://107.173.191.48/deck/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7716 |
2021-04-29 09:03
|
 AnnualReport.exe 7908cc9996b7423c766157d8119df254
Antivirus PE File PE32 OS Processor Check VirusTotal Malware powershell PDB suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution DNS Cryptographic key |
|
|
|
|
7.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7717 |
2021-04-29 09:04
|
 FLP_5012_306_171.exe a746c90dae245470777071a6c41dea07
KeyBase AgentTesla Gen1 AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName Password |
9
http://5azc.xyz/3.jpg
http://5azc.xyz/1.jpg
http://5azc.xyz/
http://5azc.xyz/7.jpg
http://5azc.xyz/main.php
http://5azc.xyz/6.jpg
http://5azc.xyz/4.jpg
http://5azc.xyz/2.jpg
http://5azc.xyz/5.jpg
|
2
5azc.xyz(45.144.225.201)
45.144.225.201 - mailcious
|
6
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
|
|
12.0 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7718 |
2021-04-29 09:05
|
 6fsjd89gdsug.exe 77be0dd6570301acac3634801676b5d7
Ficker Stealer PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory ICMP traffic Collect installed applications sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Stealer Browser ComputerName DNS Software |
1
http://api.ipify.org/?format=xml
|
4
sweyblidian.com(92.62.115.177) - mailcious
api.ipify.org(107.22.233.72)
92.62.115.177
54.225.165.85
|
3
ET POLICY External IP Lookup (ipify .org)
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
|
|
9.4 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7719 |
2021-04-29 09:23
|
 4.html a5b6964b3df390bbc68275fae8aacf51VirusTotal Malware crashed |
|
|
|
|
0.8 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7720 |
2021-04-29 09:24
|
 svch.exe 372f96b73c0ff71825a027aca714dc7b
Socket PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE32 PE File DNS AsyncRAT backdoor Loki Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://eyecos.ga/chang/gate.php - rule_id: 1185
|
2
eyecos.ga(35.247.234.230) - mailcious
35.247.234.230 - mailcious
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/chang/gate.php
|
13.8 |
M |
23 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7721 |
2021-04-29 09:27
|
 4.html a5b6964b3df390bbc68275fae8aacf51
AntiDebug AntiVM Antivirus VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key |
3
http://firas.alifares.org/jihad/3.txt
http://firas.alifares.org/defender/11.txt
http://firas.alifares.org/defender/ss.vbs
|
2
firas.alifares.org(69.10.38.126) - malware
69.10.38.126 - malware
|
1
ET INFO PowerShell DownloadFile Command Common In Powershell Stagers
|
|
12.2 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7722 |
2021-04-29 09:33
|
 svch.exe 372f96b73c0ff71825a027aca714dc7b
Socket PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE32 PE File DNS AsyncRAT backdoor Loki Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://eyecos.ga/chang/gate.php - rule_id: 1185
|
2
eyecos.ga(35.247.234.230) - mailcious
35.247.234.230 - mailcious
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/chang/gate.php
|
12.8 |
M |
23 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7723 |
2021-04-29 09:37
|
 svch.exe 372f96b73c0ff71825a027aca714dc7b
PWS Loki .NET framework AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://eyecos.ga/chang/gate.php - rule_id: 1185
|
2
eyecos.ga(35.247.234.230) - mailcious
35.247.234.230 - mailcious
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/chang/gate.php
|
12.8 |
M |
23 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7724 |
2021-04-29 10:03
|
 FLP_5012_306_171.exe a746c90dae245470777071a6c41dea07
KeyBase AgentTesla Gen1 AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName Password |
9
http://5azc.xyz/3.jpg
http://5azc.xyz/1.jpg
http://5azc.xyz/
http://5azc.xyz/7.jpg
http://5azc.xyz/main.php
http://5azc.xyz/6.jpg
http://5azc.xyz/4.jpg
http://5azc.xyz/2.jpg
http://5azc.xyz/5.jpg
|
2
5azc.xyz(45.144.225.201)
45.144.225.201 - mailcious
|
6
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
|
|
11.4 |
M |
22 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7725 |
2021-04-29 10:29
|
 FPI_0485010214.exe 00bc3f04139ef508d1b9908f5664ded3
AgentTesla AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.70)
131.186.113.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|