8191 | 2021-05-20 10:22 | 554312cx.msi | 4e0a36a723ccaeb484afe5ecc7a4a889 | MSOffice File PE File PE32 suspicious privilege Check memory Checks debugger unpack itself Windows utilities AntiVM_Disk VM Disk Size Check Windows ComputerName | 3.0 | M | | ZeroCERT

8192 | 2021-05-20 15:18 | k5dy7ow2EwylXhP.exe | a1fbfc2302350826dd8fe8576b9db9cd | PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key | 2.8 | M | 23 | ZeroCERT

8193 | 2021-05-20 16:33 | winlog.exe | b56e5eef4c0f60b0cdf971935b81893a | PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software | 8.2 | M | 12 | ZeroCERT
  URLs (1):
    http://brokenpipes.ml/Bn4/fre.php
  Hosts (2):
    brokenpipes.ml(104.21.34.214)
    172.67.165.149
  Alerts (9):
    ET INFO DNS Query for Suspicious .ml Domain
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ml Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response

8194 | 2021-05-20 16:34 | Delivery%20Order%208323673.xls | 4100f7280e2ec85db09ee5e67b15b9dd | VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS | 4.0 | M | 30 | ZeroCERT
  URLs (6):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
    https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php
    https://app.lead-concept.com/ws/wSu6ZEPLdlxH7W8.php
    https://gamberinigianluca.com/wp-content/themes/constructor/themes/black-urban/1FaXnq8F.php
  Hosts (4):
    app.lead-concept.com(163.172.106.186) - mailcious
    weeflow.com(5.135.142.22)
    5.135.142.22
    163.172.106.186 - mailcious
  Alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure

8195 | 2021-05-20 16:35 | fax_Documents.exe | 5e9c34075c2eb3d3db131e1227383f1e | Malicious Packer .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself | 2.2 | | 34 | ZeroCERT
  URLs (3):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f

8196 | 2021-05-20 16:36 | PO%2068601112.xls | c389608ec63d30c2d36486bd7db8668f | VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee | 3.2 | M | 27 | ZeroCERT
  URLs (12):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    https://iminnovator.com/index_files/yVoSMJ3GBq7lzW5.php
    https://lrt.com.pk/9mmQzL8P7.php
    https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php
    https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
    https://abdul.yousufbaloch.com/C1q5m9Q5DWZJ24d.php
    https://staging.gaiafacturacion.com/produccion/v4/include/lib/phpqrcode/cache/rzkNuqp6m1hoY.php
    https://towingnow.ca/LvR2HWHdQ.php
    https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
    https://standup.canicinteractive.com/vendor/swiftmailer/swiftmailer/lib/classes/SO2vS3SCmo1jil.php
    https://euro-office.net/AwI3uwiwuU6.php
  Hosts (20):
    euro-office.net(198.38.82.90)
    iminnovator.com(192.185.139.153)
    specs2go.shawalzahid.com(158.69.144.71)
    standup.canicinteractive.com(162.249.2.44) - mailcious
    lrt.com.pk(104.21.92.175) - mailcious
    welcometotheafterdeath.com(192.254.234.250)
    abdul.yousufbaloch.com(192.185.36.81) - mailcious
    staging.gaiafacturacion.com(179.27.152.153) - mailcious
    towingnow.ca(74.220.194.185)
    lojamusic.com.br(162.241.2.234)
    192.185.139.153
    74.220.194.185
    179.27.152.153 - mailcious
    198.38.82.90 - phishing
    192.254.234.250 - mailcious
    192.185.36.81 - mailcious
    162.241.2.234
    172.67.196.213 - mailcious
    162.249.2.44 - mailcious
    158.69.144.71
  Alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure

8197 | 2021-05-20 16:36 | Inv%2006687243.xls | 5186a21d30bbf28909683c4767597481 | VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS | 4.8 | M | 24 | ZeroCERT
  URLs (12):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    https://armaenerji.com/UserFiles/site/enerji-kablolari/HES/tbqsCGNY.php
    https://plascom.ind.br/_img/parceiros/Ii2g4cYzKfaMLz7.php
    https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
    https://mahinur.nucleustechbd.com/3IPk4Tm2As.php
    https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
    https://gamberinigianluca.com/wp-content/themes/constructor/themes/black-urban/1FaXnq8F.php
    https://fuherpronn.org/u52Xze2Vn28f.php
    https://abdul.yousufbaloch.com/C1q5m9Q5DWZJ24d.php
    https://lamiragereception.com.au/ABs8dJ2ZJ3jgv0n.php
    https://fotounirii.ro/wp-content/plugins/under-construction-page/themes/000webhost/EYZWDFGxTaDjbR.php
  Hosts (20):
    mahinur.nucleustechbd.com(67.222.155.191)
    lamiragereception.com.au(67.23.226.231)
    armaenerji.com(217.195.198.212) - mailcious
    plascom.ind.br(191.252.142.218)
    fuherpronn.org(162.241.194.204) - mailcious
    specs2go.shawalzahid.com(158.69.144.71)
    fotounirii.ro(89.35.173.76)
    abdul.yousufbaloch.com(192.185.36.81) - mailcious
    gamberinigianluca.com(64.37.52.95)
    lojamusic.com.br(162.241.2.234)
    89.35.173.76
    217.195.198.212 - mailcious
    192.185.36.81 - mailcious
    64.37.52.95 - mailcious
    191.252.142.218
    67.23.226.231 - mailcious
    67.222.155.191 - mailcious
    162.241.194.204 - mailcious
    162.241.2.234
    158.69.144.71
  Alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure

8198 | 2021-05-20 16:39 | invoice_996451.doc | bee4631c31d5682a91174ee18d7c9335 | RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit DNS crashed | 3.6 | M | 27 | ZeroCERT
  URLs (1):
    https://rotf.lol/jbx7apct
  Hosts (2):
    rotf.lol(104.21.63.195)
    104.21.63.195
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8199 | 2021-05-20 16:41 | mn.exe | f421782c826203212a35308f4b155bad | AsyncRAT backdoor PWS .NET framework Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS crashed | 11.0 | M | 38 | ZeroCERT

8200 | 2021-05-20 16:44 | fax_Documents.zip | e9ab849de3862d15c03f2dc2535a2fe0 | VirusTotal Malware DNS | 1.4 | M | 24 | ZeroCERT

8201 | 2021-05-20 16:57 | fax_Documents.exe | 5e9c34075c2eb3d3db131e1227383f1e | Malicious Packer .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself DNS | 2.8 | | 34 | ZeroCERT

8202 | 2021-05-21 08:11 | Main.jpg | d598749a8c86b1cdd313ff6c86626c86 | RTF File doc DLL PE File OS Processor Check PE32 Vulnerability VirusTotal Malware buffers extracted exploit crash unpack itself AppData folder Exploit DNS crashed | 4.4 | | 17 | ZeroCERT

8203 | 2021-05-21 08:33 | b.dot | 7eb32d81afb5598c9ab0c6651955c42d | RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed | 4.8 | | 28 | ZeroCERT
  URLs (1):
    http://54.169.190.71/fresh/xloade.exe
  Hosts (1):
  Alerts (5):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

8204 | 2021-05-21 08:35 | 00.exe | 83377601918cdc76c76ed36c06a01546 | PE File OS Processor Check PE32 VirusTotal Malware Check memory Checks debugger Creates executable files AppData folder DNS | 5.4 | | 52 | ZeroCERT
  Hosts (1):

8205 | 2021-05-21 08:41 | netwire-988.exe | c225922e8ec40ccca7d491fa57ece50b | PWS .NET framework Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName DNS Cryptographic key | 2.8 | | 10 | ZeroCERT