| 8701 |
2021-06-08 20:13
|
http://regalosfreaks.blogspot.... d808b4bbb918207dd54b242b2339afec
AgentTesla CoinHive Cryptocurrency Http API Internet API ScreenShot DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Steal credential Downloader P2P persistence AntiDebug AntiVM PNG Format JPE VirusTotal Malware Code Injection heapspray Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
86
http://regalosfreaks.blogspot.com/2012/12/sable-laser-de-anakin-skywalker-con.html
http://4.bp.blogspot.com/-uDFM1qVRXq0/UOsC8wSEXNI/AAAAAAAADy0/EOpZ5qSl1mU/w72-h72-p-k-no-nu/Pack+Completo+Friends.jpg
http://translate.googleapis.com/element/TE_20210503_00/e/js/element/element_main.js
http://www.tqlkg.com/if116o26v0zKRPPLTPTKMLOROORN
http://rcm-eu.amazon-adsystem.com/e/cm?t=regalosfreaks-21&o=30&p=42&l=ur1&category=amazon_es&banner=0R3J1Y4B94F3QYQB7VR2&f=ifr
http://regalosfreaks.blogspot.com/favicon.ico
http://rcm-eu.amazon-adsystem.com/e/cm?t=regalosfreaks-21&o=30&p=11&l=ur1&category=generico&banner=1HWYNRB8SN6CQ3VANYG2&f=ifr
http://www.yceml.net/0589/10782285-1571238489933
http://translate.googleapis.com/translate_static/js/element/main_ko.js
http://track.webgains.com/link.html?wglinkid=66911&wgcampaignid=127033&js=0
http://2.bp.blogspot.com/-XHbl-XvHCxI/ULRLWMjeXoI/AAAAAAAACzE/dMnUHfJWhpE/w72-h72-p-k-no-nu/Fraggle+Rock+-+Peluche+Matt.jpg
http://track.webgains.com/link.html?wglinkid=201293&wgcampaignid=127033
http://3.bp.blogspot.com/-9B4mlAETTLg/UN8XtCe4OwI/AAAAAAAADYI/PX7EE3w_CE4/w72-h72-p-k-no-nu/Big+Bang+Theory+Cabezones+Pack.jpg
http://4.bp.blogspot.com/-PGjaJ8a4p3Y/UMY_-UsVBRI/AAAAAAAADGA/uwwflgTsig4/w72-h72-p-k-no-nu/Darksiders+Replica+ChaosEater.jpg
http://contadores.miarroba.es/ver.php?id=668184
http://1.bp.blogspot.com/-FO23MXFAcVY/UNHuslTEzDI/AAAAAAAADNk/sq2dfI1DGaw/w72-h72-p-k-no-nu/Futurama+Gorros.jpg
http://pagead2.googlesyndication.com/pagead/js/google_top_exp.js
http://4.bp.blogspot.com/-3KkqiCraQPM/UHRczqY0xYI/AAAAAAAAB4c/KRGz6p5dngU/w72-h72-p-k-no-nu/Busto+Spiderman+Zombie.jpg
http://platform.twitter.com/widgets.js
http://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit
http://fonts.gstatic.com/s/play/v12/6aez4K2oVqwIvtU2Gw.eot
http://www.linkwithin.com/pixel.png
http://track.webgains.com/link.html?wglinkid=185916&wgcampaignid=127033
http://3.bp.blogspot.com/-k_qBTbsvAzM/UMJQMv_XYTI/AAAAAAAADBQ/56lqTThDv1U/s320/Star+Wars+Espada+Anakin+Skywalker+Con+Hoja+Extra%C3%ADble.jpg
http://translate.googleapis.com/translate_static/css/translateelement.css
http://www.yceml.net/0482/10363362-1602900629265
http://3.bp.blogspot.com/--K7q8enmwJw/UMc_cWHStAI/AAAAAAAADI8/N-iG1c6RsIQ/w72-h72-p-k-no-nu/Hulk+Marvel+Select+Figura.jpg
http://4.bp.blogspot.com/-FuCHHEKmJnA/UN8mtRNZxaI/AAAAAAAADag/Gbp34bRp7fQ/w72-h72-p-k-no-nu/Dragon+Ball+Z+-+Figura+Articulada+SonGoku+SuperSaiyan.jpg
http://www.awltovhc.com/1a107r6Az42OVTTPXTXOQPWXRRXU
http://www.linkwithin.com/widget.js
http://1.bp.blogspot.com/-4sfU6WuB5A4/TkmSvzgV1GI/AAAAAAAAAVM/55OaLN4L-es/s1600/facebook_argim.jpg
https://resources.blogblog.com/img/navbar/icons_peach.png
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://www.blogger.com/static/v1/jsbin/1114208092-comment_from_post_iframe.js
https://rcm-eu.amazon-adsystem.com/e/cm?t=regalosfreaks-21&o=30&p=42&l=ur1&category=amazon_es&banner=0R3J1Y4B94F3QYQB7VR2&f=ifr
https://resources.blogblog.com/img/icon_feed12.png
https://images-eu.ssl-images-amazon.com/images/G/30/associates/mariti/banner/uk_associates_14-07-2015_amazon-logo_de-assoc_3_234x60.jpg
https://www.blogger.com/static/v1/widgets/1147971663-widgets.js
https://apis.google.com/js/platform:gapi.iframes.style.common.js
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/?cb=1623150087682&p=%7B%22program%22%3A%2230%22%2C%22tag%22%3A%22regalosfreaks-21%22%2C%22linkCode%22%3A%22ur1%22%2C%22refUrl%22%3A%22http%3A%2F%2Fregalosfreaks.blogspot.com%2F2012%2F12%2Fsable-laser-de-anakin-skywalker-con.html%22%2C%22panda%22%3Atrue%7D
https://resources.blogblog.com/img/widgets/arrow_dropdown.gif
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/?cb=1623150078052&p=%7B%22program%22%3A%2230%22%2C%22tag%22%3A%22regalosfreaks-21%22%2C%22linkCode%22%3A%22ur1%22%2C%22refUrl%22%3A%22http%3A%2F%2Fregalosfreaks.blogspot.com%2F2012%2F12%2Fsable-laser-de-anakin-skywalker-con.html%22%2C%22panda%22%3Atrue%7D
https://contadores.miarroba.com/ver.php?id=668184
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D9109980527255485708%26postID%3D4647081066964754927%26blogspotRpcToken%3D1963275%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D9109980527255485708%26postID%3D4647081066964754927%26blogspotRpcToken%3D1963275%26bpli%3D1&passive=true&go=true
https://www.google.com/js/bg/FfCPi2TMnNz6Sf8yzawZ-WtZthvCzb7ioWpphmPTQrs.js
https://www.blogger.com/img/share_buttons_20_3.png
https://ws-eu.assoc-amazon.com/widgets/cm?t=regalosfreaks-21&o=30&p=42&l=ur1&category=amazon_es&banner=0R3J1Y4B94F3QYQB7VR2&f=ifr
https://www.blogger.com/comment-iframe.g?blogID=9109980527255485708&postID=4647081066964754927&blogspotRpcToken=1963275
https://resources.blogblog.com/img/anon36.png
https://www.blogger.com/static/v1/jsbin/2624012622-lbx__es.js
https://rcm-eu.amazon-adsystem.com/e/cm?t=regalosfreaks-21&o=30&p=11&l=ur1&category=generico&banner=1HWYNRB8SN6CQ3VANYG2&f=ifr
https://images-eu.ssl-images-amazon.com/images/G/30/associates/mariti/banner/ES_Assoc_Generic_120x600.jpg
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/?cb=1623150089682&p=%7B%22program%22%3A%2230%22%2C%22tag%22%3A%22regalosfreaks-21%22%2C%22linkCode%22%3A%22ur1%22%2C%22refUrl%22%3A%22http%3A%2F%2Fregalosfreaks.blogspot.com%2F2012%2F12%2Fsable-laser-de-anakin-skywalker-con.html%22%2C%22panda%22%3Atrue%7D
https://resources.blogblog.com/img/widgets/s_bottom.png
https://apis.google.com/js/plusone.js
https://resources.blogblog.com/img/blank.gif
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/r/json?cb=1623150083514&logType=banner_impressions&p=%7B%22mobile_supported%22%3A%22true%22%2C%22action%22%3A%22onload%22%2C%22adunit_type%22%3A%22banners%22%2C%22adunit_properties%22%3A%7B%22height%22%3A%22%24%7Bheight%7D%22%2C%22width%22%3A%22%24%7Bwidth%7D%22%2C%22category%22%3A%22%24%7Bcampaigns%7D%22%2C%22marketplace%22%3A%22amazon%22%2C%22link_id%22%3A%22%24%7Blinkid%7D%22%2C%22region%22%3A%22ES%22%7D%2C%22logType%22%3A%22banner_impressions%22%7D
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/r/json?cb=1623150087682&logType=banner_impressions&p=%7B%22mobile_supported%22%3A%22true%22%2C%22action%22%3A%22onload%22%2C%22adunit_type%22%3A%22banners%22%2C%22adunit_properties%22%3A%7B%22height%22%3A%22%24%7Bheight%7D%22%2C%22width%22%3A%22%24%7Bwidth%7D%22%2C%22category%22%3A%22%24%7Bcampaigns%7D%22%2C%22marketplace%22%3A%22amazon%22%2C%22link_id%22%3A%22%24%7Blinkid%7D%22%2C%22region%22%3A%22ES%22%7D%2C%22logType%22%3A%22banner_impressions%22%7D
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/followers.g?blogID%3D9109980527255485708%26colors%3DCgt0cmFuc3BhcmVudBILdHJhbnNwYXJlbnQaByMyMjIyMjIiByMyMjg4YmIqByNmZmZmZmYyByMwMDAwMDA6ByMyMjIyMjJCByMyMjg4YmJKByM5OTk5OTlSByMyMjg4YmJaC3RyYW5zcGFyZW50%26pageSize%3D21%26postID%3D4647081066964754927%26origin%3Dhttp://regalosfreaks.blogspot.com/%26usegapi%3D1%26jsh%3Dm;/_/scs/apps-static/_/js/k%253Doz.gapi.ko.WgTOIxoySQQ.O/am%253DAQ/d%253D1/rs%253DAGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg/m%253D__features__%26bpli%3D1&followup=https://www.blogger.com/followers.g?blogID%3D9109980527255485708%26colors%3DCgt0cmFuc3BhcmVudBILdHJhbnNwYXJlbnQaByMyMjIyMjIiByMyMjg4YmIqByNmZmZmZmYyByMwMDAwMDA6ByMyMjIyMjJCByMyMjg4YmJKByM5OTk5OTlSByMyMjg4YmJaC3RyYW5zcGFyZW50%26pageSize%3D21%26postID%3D4647081066964754927%26origin%3Dhttp://regalosfreaks.blogspot.com/%26usegapi%3D1%26jsh%3Dm;/_/scs/apps-static/_/js/k%253Doz.gapi.ko.WgTOIxoySQQ.O/am%253DAQ/d%253D1/rs%253DAGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg/m%253D__features__%26bpli%3D1&passive=true&go=true
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/r/json?cb=1623150078049&logType=banner_impressions&p=%7B%22mobile_supported%22%3A%22true%22%2C%22action%22%3A%22onload%22%2C%22adunit_type%22%3A%22banners%22%2C%22adunit_properties%22%3A%7B%22height%22%3A%22%24%7Bheight%7D%22%2C%22width%22%3A%22%24%7Bwidth%7D%22%2C%22category%22%3A%22%24%7Bcampaigns%7D%22%2C%22marketplace%22%3A%22amazon%22%2C%22link_id%22%3A%22%24%7Blinkid%7D%22%2C%22region%22%3A%22ES%22%7D%2C%22logType%22%3A%22banner_impressions%22%7D
https://resources.blogblog.com/img/widgets/s_top.png
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://resources.blogblog.com/img/navbar/arrows-light.png
https://www.blogger.com/static/v1/v-css/1050234869-lightbox_bundle.css
https://www.blogger.com/comment-iframe.g?blogID=9109980527255485708&postID=4647081066964754927&blogspotRpcToken=1963275&bpli=1
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/r/json?cb=1623150089682&logType=banner_impressions&p=%7B%22mobile_supported%22%3A%22true%22%2C%22action%22%3A%22onload%22%2C%22adunit_type%22%3A%22banners%22%2C%22adunit_properties%22%3A%7B%22height%22%3A%22%24%7Bheight%7D%22%2C%22width%22%3A%22%24%7Bwidth%7D%22%2C%22category%22%3A%22%24%7Bcampaigns%7D%22%2C%22marketplace%22%3A%22amazon%22%2C%22link_id%22%3A%22%24%7Blinkid%7D%22%2C%22region%22%3A%22ES%22%7D%2C%22logType%22%3A%22banner_impressions%22%7D
https://ws-eu.assoc-amazon.com/widgets/cm?t=regalosfreaks-21&o=30&p=11&l=ur1&category=generico&banner=1HWYNRB8SN6CQ3VANYG2&f=ifr
https://resources.blogblog.com/img/widgets/subscribe-yahoo.png
https://www.blogger.com/static/v1/jsbin/2575565767-cmt__es.js
https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css
https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.ko.WgTOIxoySQQ.O/m=gapi_iframes,gapi_iframes_style_common/exm=plusone/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg/cb=gapi.loaded_1
https://www.blogger.com/followers.g?blogID=9109980527255485708&colors=Cgt0cmFuc3BhcmVudBILdHJhbnNwYXJlbnQaByMyMjIyMjIiByMyMjg4YmIqByNmZmZmZmYyByMwMDAwMDA6ByMyMjIyMjJCByMyMjg4YmJKByM5OTk5OTlSByMyMjg4YmJaC3RyYW5zcGFyZW50&pageSize=21&postID=4647081066964754927&origin=http%3A%2F%2Fregalosfreaks.blogspot.com%2F&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.ko.WgTOIxoySQQ.O%2Fam%3DAQ%2Fd%3D1%2Frs%3DAGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg%2Fm%3D__features__&bpli=1
https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css
https://www.blogger.com/static/v1/jsbin/3775400722-ieretrofit.js
https://resources.blogblog.com/img/icon18_edit_allbkg.gif
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9109980527255485708&zx=ba21ca9f-52ef-4f71-9a5e-873f64399f9b
https://resources.blogblog.com/img/widgets/subscribe-netvibes.png
https://www.blogger.com/navbar.g?targetBlogID=9109980527255485708&blogName=Regalos+Freaks&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=LIGHT&layoutType=LAYOUTS&searchRoot=https://regalosfreaks.blogspot.com/search&blogLocale=es&v=2&homepageUrl=http://regalosfreaks.blogspot.com/&targetPostID=4647081066964754927&blogPostOrPageUrl=http://regalosfreaks.blogspot.com/2012/12/sable-laser-de-anakin-skywalker-con.html&vt=8248516631269504934&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.ko.WgTOIxoySQQ.O%2Fam%3DAQ%2Fd%3D1%2Frs%3DAGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg%2Fm%3D__features__
https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.ko.WgTOIxoySQQ.O/m=gapi_iframes_style_common/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg/cb=gapi.loaded_0
https://resources.blogblog.com/img/icon18_wrench_allbkg.png
https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.ko.WgTOIxoySQQ.O/m=plusone/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg/cb=gapi.loaded_0
https://www.blogger.com/followers.g?blogID=9109980527255485708&colors=Cgt0cmFuc3BhcmVudBILdHJhbnNwYXJlbnQaByMyMjIyMjIiByMyMjg4YmIqByNmZmZmZmYyByMwMDAwMDA6ByMyMjIyMjJCByMyMjg4YmJKByM5OTk5OTlSByMyMjg4YmJaC3RyYW5zcGFyZW50&pageSize=21&postID=4647081066964754927&origin=http://regalosfreaks.blogspot.com/&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.ko.WgTOIxoySQQ.O%2Fam%3DAQ%2Fd%3D1%2Frs%3DAGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg%2Fm%3D__features__
https://contadores.miarroba.com/view.php?tipo=invisible&zona=0&contadorid=668184&ts=1623150074&cd=aea07c31fd7a7e1a23077e810c85ee58&unica=si&sesion=si&nueva=si&domain=regalosfreaks.blogspot.com&referer=&os=win&osv=seven&browser=ie&browserv=9.0&screen=1365x1024&depth=24&lang=ko&cookies=si&java=si&flash=2&flashv=13&quick=0&search=&sengine=&google=&url=http%3A%2F%2Fregalosfreaks.blogspot.com%2F2012%2F12%2Fsable-laser-de-anakin-skywalker-con.html&agent=
https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.ko.WgTOIxoySQQ.O/m=gapi_iframes,gapi_iframes_style_bubble/exm=plusone/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AGLTcCPr8pJzx73KJCRugZ418iKGzF4Nkg/cb=gapi.loaded_1
https://fls-eu.amazon-adsystem.com/1/associates-ads/1/OP/?cb=1623150083515&p=%7B%22program%22%3A%2230%22%2C%22tag%22%3A%22regalosfreaks-21%22%2C%22linkCode%22%3A%22ur1%22%2C%22refUrl%22%3A%22http%3A%2F%2Fregalosfreaks.blogspot.com%2F2012%2F12%2Fsable-laser-de-anakin-skywalker-con.html%22%2C%22panda%22%3Atrue%7D
https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&bgint=FfCPi2TMnNz6Sf8yzawZ-WtZthvCzb7ioWpphmPTQrs
|
53
translate.googleapis.com(172.217.175.10)
1.bp.blogspot.com(172.217.175.225)
2.bp.blogspot.com(172.217.175.225) - compromised
static.ak.connect.facebook.com()
www.yceml.net(104.84.174.49)
ws-eu.assoc-amazon.com(52.95.118.186)
apis.google.com(172.217.161.78)
accounts.google.com(142.250.196.109)
authedmine.com() - mailcious
track.webgains.com(46.236.13.147)
platform.twitter.com(192.229.237.25)
contadores.miarroba.com(104.26.13.114)
www.linkwithin.com(3.19.188.212)
translate.google.com(172.217.175.78)
contadores.miarroba.es(172.67.70.74)
www.blogger.com(172.217.25.105)
3.bp.blogspot.com(172.217.175.225) - compromised
www.awltovhc.com(159.127.40.144)
pagead2.googlesyndication.com(172.217.174.98) - mailcious
zbox.zanox.com()
rcm-eu.amazon-adsystem.com(52.95.124.70)
regalosfreaks.blogspot.com(172.217.161.33) - compromised
fonts.gstatic.com(172.217.161.67)
fls-eu.amazon-adsystem.com(52.94.216.221)
resources.blogblog.com(172.217.25.105)
4.bp.blogspot.com(172.217.175.225)
www.google.com(172.217.174.100)
images-eu.ssl-images-amazon.com(13.225.116.83)
www.tqlkg.com(159.127.40.144)
142.250.66.130
89.207.16.72
142.250.66.97
3.19.188.212
142.250.204.100
142.250.204.129
46.236.13.147
172.217.31.225
142.250.204.42
104.26.12.114
23.42.214.71
142.250.66.142
142.250.66.141
172.217.26.142
99.86.205.103 - suspicious
192.229.237.25
172.217.163.233
142.250.204.131
142.250.204.137
52.95.124.70
142.250.66.65
52.95.118.186
104.26.13.38
52.94.218.163
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
|
|
5.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8702 |
2021-06-08 20:15
|
 m.dot 0f666fec8607488ee6f78afd2a0ff4d4
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://37.120.206.70/mar/vbc.exe
|
1
37.120.206.70 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8703 |
2021-06-08 20:43
|
 vbc.exe 27f582f69b0ec4fd2366cbf298f38dee
Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8704 |
2021-06-09 09:54
|
 al.exe 20f307c716a689f4afa3a76b7143db22
NPKI Antivirus PE File PE64 DLL .NET DLL PE32 VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
10.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8705 |
2021-06-09 09:54
|
 new.exe eb43b3c033bd76b51b90a51a6726a81c
DNS AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself human activity check Windows ComputerName DNS DDNS crashed |
|
2
wekeepworking.sytes.net(79.134.225.90) - mailcious
79.134.225.90 - mailcious
|
|
|
10.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8706 |
2021-06-09 09:56
|
 binok-098.exe 56e0119501bf355295603914d3b13519
PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
|
|
|
8.2 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8707 |
2021-06-09 09:56
|
 binalpha.exe 935847d6703bbb36edd123c1f5f60681
Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
1
79.134.225.90 - mailcious
|
|
|
8.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8708 |
2021-06-09 09:58
|
 ewaa.exe a805af22c4ea9de2c2c542f21933ab84
PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
11.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8709 |
2021-06-09 09:59
|
 lv.exe dba9d5c211d728da4b92e0064a445ecd
AgentTesla Gen1 Gen2 Generic Malware Malicious Packer Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persis VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows DNS crashed |
|
1
rYHtYHrEKqvv.rYHtYHrEKqvv()
|
|
|
9.0 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8710 |
2021-06-09 10:00
|
 INV202054pdf.jar fc43547ad34a9e4c3790e60a49fbc215VirusTotal Malware Check memory heapspray unpack itself Java |
|
|
|
|
2.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8711 |
2021-06-09 10:02
|
 binalpha-0986.exe cdc024aeb6a126fed48f71becc7c8b55
PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8712 |
2021-06-09 10:04
|
 agreement.pdf 1c113114ff3e57d99a43e0b2cdd1d952VirusTotal Malware |
|
|
|
|
0.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8713 |
2021-06-09 10:05
|
 YsiNqNecL9cNFZv144OWCjioAQukPt... c9f22a0091ad275119321e7b036e5633
RTF File doc buffers extracted exploit crash unpack itself Exploit DNS crashed |
3
http://plugindownload.buzz/rose/YsiNqNecL9cNFZv144OWCjioAQukPtyy.dat
http://plugindownload.buzz/rose/YsiNqNecL9cNFZv144OWCjioAQukPtyy.doc
http://plugindownload.buzz/rose/YsiNqNecL9cNFZv144OWCjioAQukPtyy
|
2
plugindownload.buzz(192.153.57.12)
192.153.57.12
|
|
|
3.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8714 |
2021-06-09 16:23
|
Proforma Invoice·pdf.exe 24dd4963d365c33435f58adaebb1ef26
PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Software crashed |
4
http://63.141.228.141/32.php/s396KA3xaZWY1
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:220834941&cup2hreq=821e0dc3f2f4acc54994383995b4c935d5c9e4e2e67bc15b9110c55ac7730735
|
3
edgedl.me.gvt1.com(34.104.35.123)
63.141.228.141
34.104.35.123
|
10
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
17 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8715 |
2021-06-09 16:23
|
 v.dot af735bdb2ca442a45fca870ba2c1b082
RTF File doc AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://103.156.91.50/fresh/vbc.exe
|
2
173.208.204.37 - mailcious
103.156.91.50
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|