8881 | 2021-06-14 20:32
file7.exe 5fadd583b92b33403dec2566d5e94fa5
Tags: AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Cryptographic key crashed
URLs (2):
  http://salam.amongus-pc4.xyz/
  https://api.ip.sb/geoip
Hosts (4): salam.amongus-pc4.xyz(172.67.175.176) api.ip.sb(104.26.12.31) 104.26.12.31 104.21.56.15
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
7.4 | M | 38 | ZeroCERT
8882 | 2021-06-14 20:32
ConsoleAa16.exe 9f6f8cb5647da0fc5df0142e82ac12ee
Tags: AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware ComputerName DNS
Hosts (1):
3.4 | | 24 | ZeroCERT
8883 | 2021-06-14 20:33
dvbXGgTWnakwjEf.exe b30ee4898e8b728051cba76a6511db8c
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key
2.2 | M | 29 | ZeroCERT
8884 | 2021-06-14 20:33
IMG_003_166_372.exe ac54156a7e43cf2ff559eccab719cd56
Tags: PWS Loki[b] Loki[m] WebCam SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk IP Check VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  http://robyngraphs.com.au/WP/api.php
Hosts (4): robyngraphs.com.au(192.185.198.10) checkip.dyndns.org(216.146.43.71) 131.186.161.70 192.185.198.10
Alerts (3):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
16.2 | M | 25 | ZeroCERT
8885 | 2021-06-14 20:36
bxfgbttp528.exe 048ec3a35503f53f26bba3c4fb831e75
Tags: Gen2 Gen1 Emotet Anti_VM PE File OS Processor Check PE32 DLL PNG Format GIF Format MSOffice File JPEG Format PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk China anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser ComputerName Remote Code Execution
URLs (56):
  http://cdn-file.ludashi.com/assets/jquery/jquery183.js
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_pwd.png?t=20191021
  http://s.ludashi.com/wan?type=weiduan&action=res_down_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=09e4c113e92485d7bd0ea35e449ca2cb&from=tp_bxfgbt&forcetick=6562218
  http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106142154
  http://s.ludashi.com/wan?type=weiduan&action=pepflash_down_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=e41ab422ea3ae3a2a30e0e077acbe54a&from=tp_bxfgbt&forcetick=6567343
  http://s.ludashi.com/wan?type=accurate&action=t1&channel=tp&from=tp_wd_cqbz_528&mid=fa7bb520099706f4d9615c3663eacc55&appver=7.3.122.441&uid=0&game=cqbz&timestamp=1623675350611&ex_ary[guid]=
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_pwd.png?t=20191021
  http://s.ludashi.com/wan?type=weiduan&action=run&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=0f92d01692483eb8b14909e6aee3093a&from=tp_bxfgbt&forcetick=6576750
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/bg.jpg
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav04.png
  http://s.ludashi.com/wan?type=accurate&action=t0&channel=tp&from=tp_wd_cqbz_528&mid=fa7bb520099706f4d9615c3663eacc55&appver=7.3.122.441&uid=0&game=cqbz&timestamp=1623675340587&ex_ary[guid]=
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/checkbox.png
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=90d869f729ff49e7f971ac326c8fc8eb&from=tp_bxfgbt&forcetick=6549921
  http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=fb54bb467e8e2a384382178498dba283&from=tp_bxfgbt&forcetick=6575406
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/main.css?t=20210323
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_right.png
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/log_btn.png
  http://s.ludashi.com/wan?type=weiduan&action=add_desk_icon&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=0ba4bb5ca840211a1dbd0c85cdfccb35&from=tp_bxfgbt&forcetick=6567640
  http://s.ludashi.com/wan?type=weiduan&action=wd_show_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=8931bd48b499e6542e1fc0624dfb45f1&from=tp_bxfgbt&forcetick=6577062
  http://cdn-file-ssl-wan.ludashi.com/pc/game/flash/pepflashplayer.7z?t=202106142155
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/line.png
  http://cdn-file.ludashi.com/assets/sea/sea.js
  http://s.ludashi.com/wan?type=accurate&action=t3&channel=tp&from=tp_wd_cqbz_528&mid=fa7bb520099706f4d9615c3663eacc55&appver=7.3.122.441&uid=0&game=cqbz&timestamp=1623675400610&ex_ary[guid]=
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav03.png
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav01.png
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_qq.png
  http://wan.ludashi.com/announce/list?callback=jQuery18304147616895588053_1623675339769&type=2&gid=cqbz&skip=0&num=5&_=1623675340581
  http://i.ludashi.com/ajax/gettoken?user_from=youxi&callback=jQuery18304147616895588053_1623675339769&_=1623675340758
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_code.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/news-bg.png
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/hovers.png
  http://wan.ludashi.com/micro/cqbz/index_lds.html?channel=tp&from=tp_wd_cqbz_528
  http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18304147616895588053_1623675339768
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_code.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_act.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/cir.png
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_left.png
  http://s.ludashi.com/wan?type=weiduan&action=install_extra&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=3cc5f800abb63dcaaa967db280a83cde&from=tp_bxfgbt&forcetick=6572390
  http://s.ludashi.com/wan?type=weiduan&action=install&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=a4ab4e8b0d0ebb8e86ff45bf61ad68de&from=tp_bxfgbt&forcetick=6549875
  http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
  http://s.ludashi.com/wan?type=accurate&action=t2&channel=tp&from=tp_wd_cqbz_528&mid=fa7bb520099706f4d9615c3663eacc55&appver=7.3.122.441&uid=0&game=cqbz&timestamp=1623675370611&ex_ary[guid]=
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav02.png
  http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=bac4e342ad13022924b63b5c8737d92e&from=tp_bxfgbt&forcetick=6549921
  http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20210527
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_act.png?t=20191021
  http://s.ludashi.com/wan?type=weiduan&action=wd_install_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=44d0198664d9f141a41b3cadb631807f&from=tp_bxfgbt&forcetick=6575406
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_weixin.png
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/reg.jpg?t=20200105
  http://s.ludashi.com/wan?type=weiduan&action=main_show&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=f74f40d9d3f7dbe214107a02d0d4fb24&from=tp_bxfgbt&forcetick=6577062
  http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/upload.jpg
  http://s.ludashi.com/wan?type=weiduan&action=inst_open&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=a3b538ce7be1874ff2b72dd5f4b1b0f1&from=tp_bxfgbt&forcetick=6572437
  http://s.ludashi.com/wan?type=weiduan&action=add_uninst_item&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=73c11adea036dd12475c14c07aea8ada&from=tp_bxfgbt&forcetick=6567609
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=7.3.122.441&sign=c06884edfdac858faffcab21f28b1f7e&from=tp_bxfgbt&forcetick=6550437
  https://cdn-ssl-wan.ludashi.com/assets/superjs/pageMicro.js?v=20210527
  https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonTool.js?v=20210527
  https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonLoginApi.js?v=20200810
Hosts (16): cdn-file-ssl-wan.ludashi.com(115.231.152.239) i.ludashi.com(120.27.82.56) cdn-wan.ludashi.com(122.225.67.189) wan.ludashi.com(139.129.105.182) s.ludashi.com(106.15.48.27) cdn-ssl-wan.ludashi.com(115.238.192.244) cdn-file.ludashi.com(115.223.31.230) cdn-file-ssl-pc.ludashi.com(115.231.155.197) 139.129.105.182 122.228.1.208 58.218.203.238 106.15.136.209 115.238.192.241 47.117.70.170 220.189.197.2 120.27.82.56
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Packed Executable Download
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | M | 20 | ZeroCERT
8886 | 2021-06-14 20:38
smytprepush0601.exe 043662a4b5e44eb83cec615f2a519906
Tags: Gen2 Gen1 Emotet Anti_VM PE File OS Processor Check PE32 DLL GIF Format PNG Format JPEG Format MSOffice File PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk China anti-virtualization VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser ComputerName Remote Code Execution
URLs (51):
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/third_qq.png
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=ed8d04e217c85ce38b28b2b7a14c2092&from=tp_smy&forcetick=25749500
  http://s.ludashi.com/wan?type=weiduan&action=install_extra&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=60abb736226b67e38da632b1d4c24c15&from=tp_smy&forcetick=25770687
  http://s.ludashi.com/wan?type=accurate&action=t2&channel=tp&from=tp_repush_wd_smy_0602&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.124.1372&uid=0&game=smy&timestamp=1623694563795&ex_ary[guid]=
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/input_log_code.png?t=20191021
  http://s.ludashi.com/wan?type=accurate&action=t0&channel=tp&from=tp_repush_wd_smy_0602&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.124.1372&uid=0&game=smy&timestamp=1623694533779&ex_ary[guid]=
  http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18307006377802007682_1623694532937
  http://s.ludashi.com/wan?type=weiduan&action=res_down_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=f4e8e9b31b11e234dee59fe472d088e0&from=tp_smy&forcetick=25762609
  http://s.ludashi.com/wan?type=weiduan&action=run&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=47b47bcfa6c5029ab2bfb51f720936ce&from=tp_smy&forcetick=25776156
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/log_btn_h.png
  http://cdn-file-ssl-wan.ludashi.com/pc/game/flash/pepflashplayer.7z?t=202106150315
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/log_btn.png
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/input_reg_act.png?t=20191021
  http://s.ludashi.com/wan?type=weiduan&action=install&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=77906996013bbaf7e3ca19e1d558c68a&from=tp_smy&forcetick=25748937
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/bg.jpg
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/news-bg.png
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/main.css
  http://cdn-file.ludashi.com/assets/sea/sea.js
  http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20210527
  http://s.ludashi.com/wan?type=weiduan&action=main_show&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=66df569a3aeeb7869204d79fe11f7491&from=tp_smy&forcetick=25776796
  http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106150315
  http://s.ludashi.com/wan?type=weiduan&action=add_desk_icon&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=7954c23acccb4bfa62d72866afa965e4&from=tp_smy&forcetick=25766421
  http://wan.ludashi.com/micro/smy/index_lds.html?channel=tp&from=tp_repush_wd_smy_0602
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/input_log_pwd.png?t=20191021
  http://s.ludashi.com/wan?type=weiduan&action=pepflash_down_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=25baa6e62faa843942d92cc14594ad51&from=tp_smy&forcetick=25766125
  http://wan.ludashi.com/announce/list?callback=jQuery18307006377802007682_1623694532938&type=2&gid=smy&skip=0&num=5&_=1623694533775
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/nav.png
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/third_weixin.png
  http://s.ludashi.com/wan?type=accurate&action=t3&channel=tp&from=tp_repush_wd_smy_0602&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.124.1372&uid=0&game=smy&timestamp=1623694593796&ex_ary[guid]=
  http://s.ludashi.com/wan?type=weiduan&action=wd_show_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=e28b7572437fa62aa43f1ef6109e08e4&from=tp_smy&forcetick=25776796
  http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=7aea1cc77f8bb52d38e31c063c851959&from=tp_smy&forcetick=25748984
  http://cdn-file.ludashi.com/assets/jquery/jquery183.js
  http://s.ludashi.com/wan?type=weiduan&action=add_uninst_item&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=50d7eac9189f1ce415c0dfbd6f16b68f&from=tp_smy&forcetick=25766390
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/input_reg_code.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/login_tit.png
  http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=a2612552cf2b04d28e8af4a04dbdc642&from=tp_smy&forcetick=25774468
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/checkbox.png
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/input_log_act.png?t=20191021
  http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
  http://i.ludashi.com/ajax/gettoken?user_from=youxi&callback=jQuery18307006377802007682_1623694532937&_=1623694534167
  http://s.ludashi.com/wan?type=accurate&action=t1&channel=tp&from=tp_repush_wd_smy_0602&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.124.1372&uid=0&game=smy&timestamp=1623694543796&ex_ary[guid]=
  http://s.ludashi.com/wan?type=weiduan&action=wd_install_success&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=8dd7e35d4c24b3fcbec96ed7da88fd43&from=tp_smy&forcetick=25774468
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/input_reg_pwd.png?t=20191021
  http://s.ludashi.com/wan?type=weiduan&action=inst_open&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=5fb78c378592f03400b5fc72d4fc9f72&from=tp_smy&forcetick=25770687
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/reg.jpg?t=20200105
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/upload.jpg
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=tp&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.124.1372&sign=27958460376b89b465c6ca27aea5fc22&from=tp_smy&forcetick=25748984
  http://cdn-file.ludashi.com/wan/micro/smy/assets_lds/cir.png
  https://cdn-ssl-wan.ludashi.com/assets/superjs/pageMicro.js?v=20210527
  https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonTool.js?v=20210527
  https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonLoginApi.js?v=20200810
Hosts (17): cdn-file-ssl-wan.ludashi.com(115.231.152.238) i.ludashi.com(120.27.82.56) cdn-wan.ludashi.com(122.228.1.209) wan.ludashi.com(139.129.105.182) s.ludashi.com(106.15.48.27) cdn-ssl-wan.ludashi.com(115.231.152.241) cdn-file.ludashi.com(115.223.31.226) cdn-file-ssl-pc.ludashi.com(115.231.155.197) 139.129.105.182 115.231.152.244 106.15.139.192 183.136.197.99 115.238.192.244 - malware 115.223.31.231 122.225.67.189 114.115.214.33 120.27.82.56
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.8 | M | 20 | ZeroCERT
8887 | 2021-06-14 20:39
bzsc_taskpoprepush610.exe 3e1936560764da4e13811919dbd3a4f7
Tags: Gen1 Emotet PE File OS Processor Check PE32 DLL MSOffice File VirusTotal Malware PDB buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk China anti-virtualization VM Disk Size Check human activity check Windows Browser ComputerName Remote Code Execution
URLs (8):
  http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106150615
  http://s.ludashi.com/wan?type=weiduan&action=inst_fail&channel=ludashi_ludashi&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=2.2021.6.9&sign=c31b6b0eeb0da26ced82fe6f5b4d97fc&from=ludashi_ludashi_bzsc&forcetick=36580859
  http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
  http://s.ludashi.com/wan?type=weiduan&action=wd_show_overtime&channel=ludashi_ludashi&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=2.2021.6.9&sign=7e2f9770369b973979b84b0a7ba1b93e&from=ludashi_ludashi_bzsc&forcetick=36580859
  http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=ludashi_ludashi&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=2.2021.6.9&sign=8dbcdbe04436982a0dee6e2aa3920b5c&from=ludashi_ludashi_bzsc&forcetick=36549375
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=ludashi_ludashi&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=2.2021.6.9&sign=fc2e0ddff238e6ac11536c16239165e1&from=ludashi_ludashi_bzsc&forcetick=36550437
  http://s.ludashi.com/wan?type=weiduan&action=install&channel=ludashi_ludashi&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=2.2021.6.9&sign=12a7c98a3a51cd6d30cc1485e4a3a3e1&from=ludashi_ludashi_bzsc&forcetick=36549234
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=ludashi_ludashi&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=2.2021.6.9&sign=f028c48ca22563e963d6ed5b91e0cba2&from=ludashi_ludashi_bzsc&forcetick=36549375
Hosts (6): cdn-file-ssl-wan.ludashi.com(115.238.192.241) s.ludashi.com(139.224.193.172) cdn-file-ssl-pc.ludashi.com(115.231.155.220) 47.117.70.170 115.238.192.242 183.136.197.99
Alerts (1):
  ET POLICY PE EXE or DLL Windows file download HTTP
7.6 | M | 23 | ZeroCERT
8888 | 2021-06-14 20:40
m.dot 56e5691ddfadf1e5fb84ab02c956c35d
Tags: RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed
URLs (1):
  http://192.3.141.164/mal/win32.exe
Hosts (1):
Alerts (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | M | 28 | ZeroCERT
8889 | 2021-06-14 20:42
sdly_taskpop61.exe bc7522c569863c07247effeed6adda85
Tags: Gen2 Gen1 Emotet Anti_VM PE File OS Processor Check PE32 DLL JPEG Format PNG Format MSOffice File PE64 GIF Format VirusTotal Malware PDB suspicious privilege MachineGuid Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk China anti-virtualization VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser ComputerName Remote Code Execution
URLs (51):
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/log_btn_h.png
  http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106142055
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/cir.png
  http://cdn-file-ssl-wan.ludashi.com/pc/game/flash/pepflashplayer.7z?t=202106142055
  http://s.ludashi.com/wan?type=weiduan&action=install&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=8ffeb14d433dcc0c2b98a3cf2716c5f4&from=taskpop_sdly&forcetick=2950015
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/input_log_code.png?t=20191021
  http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=9326e042414b37b0a465d68435568572&from=taskpop_sdly&forcetick=2976109
  http://wan.ludashi.com/micro/sdly/index_lds.html?channel=taskpop&from=taskpop_wd_sdly
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/login_tit.png
  http://s.ludashi.com/wan?type=weiduan&action=install_extra&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=bda3e2d3873bc6b8751a06ecfa64faa6&from=taskpop_sdly&forcetick=2971046
  http://s.ludashi.com/wan?type=accurate&action=t1&channel=taskpop&from=taskpop_wd_sdly&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.5.61&uid=0&game=sdly&timestamp=1623672829177&ex_ary[guid]=
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/log_btn.png
  http://s.ludashi.com/wan?type=weiduan&action=run&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=bb1adc4f55a84cf7c0830a76e4cfec69&from=taskpop_sdly&forcetick=2978593
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=faf774bde5506632e0936450a2b05bac&from=taskpop_sdly&forcetick=2950062
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/input_reg_act.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/checkbox.png
  http://s.ludashi.com/wan?type=weiduan&action=res_down_success&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=c8bafc2df3f18850e666c570733e30ee&from=taskpop_sdly&forcetick=2964062
  http://s.ludashi.com/wan?type=weiduan&action=add_uninst_item&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=90fc48554d411fc4bdbd8c4cba5dcac7&from=taskpop_sdly&forcetick=2966703
  http://i.ludashi.com/ajax/gettoken?user_from=youxi&callback=jQuery18308462895474002294_1623672818022&_=1623672819545
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/input_log_pwd.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/input_reg_code.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/bg.jpg
  http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18308462895474002294_1623672818021
  http://cdn-file.ludashi.com/assets/sea/sea.js
  http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20210527
  http://s.ludashi.com/wan?type=weiduan&action=main_show&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=5ecbfcbcece4eea0291ea4146880caf7&from=taskpop_sdly&forcetick=2979031
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/main.css
  http://s.ludashi.com/wan?type=accurate&action=t3&channel=taskpop&from=taskpop_wd_sdly&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.5.61&uid=0&game=sdly&timestamp=1623672879174&ex_ary[guid]=
  http://cdn-file.ludashi.com/assets/jquery/jquery183.js
  http://s.ludashi.com/wan?type=weiduan&action=wd_install_success&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=9816a49d782b4cc6abf68cd3e4f25e57&from=taskpop_sdly&forcetick=2976109
  http://wan.ludashi.com/announce/list?callback=jQuery18308462895474002294_1623672818022&type=2&gid=sdly&skip=0&num=5&_=1623672819146
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/nav.png
  http://s.ludashi.com/wan?type=weiduan&action=add_desk_icon&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=29e0f6a694aea37940ed2c0d91f5f3c5&from=taskpop_sdly&forcetick=2966750
  http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=222806ca1968aee2104845ac0bb1e961&from=taskpop_sdly&forcetick=2950546
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/upload.jpg
  http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/third_qq.png
  http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=31673de8d494f02142e1edb517399942&from=taskpop_sdly&forcetick=2950062
  http://s.ludashi.com/wan?type=accurate&action=t0&channel=taskpop&from=taskpop_wd_sdly&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.5.61&uid=0&game=sdly&timestamp=1623672819149&ex_ary[guid]=
  http://s.ludashi.com/wan?type=accurate&action=t2&channel=taskpop&from=taskpop_wd_sdly&mid=fa7bb520099706f4d9615c3663eacc55&appver=3.2.5.61&uid=0&game=sdly&timestamp=1623672849175&ex_ary[guid]=
  http://s.ludashi.com/wan?type=weiduan&action=inst_open&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=76d90940607a4e1fc8c4e780c107c434&from=taskpop_sdly&forcetick=2971046
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/news-bg.png
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/reg.jpg?t=20200105
  http://s.ludashi.com/wan?type=weiduan&action=wd_show_success&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=a77a4190d391498058b650400ce279b4&from=taskpop_sdly&forcetick=2979031
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/input_log_act.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/input_reg_pwd.png?t=20191021
  http://cdn-file.ludashi.com/wan/micro/sdly/assets_lds/v1/third_weixin.png
  http://s.ludashi.com/wan?type=weiduan&action=pepflash_down_success&channel=taskpop&mid=fa7bb520099706f4d9615c3663eacc55&mid2=c2a9b458c8eb84d52f3369329facb48b9ff9f7ac2b54&uid=d&appver=&modver=3.2.5.61&sign=1eb066f8aee684651bb6886e75ddddec&from=taskpop_sdly&forcetick=2966453
  https://cdn-ssl-wan.ludashi.com/assets/superjs/pageMicro.js?v=20210527
  https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonTool.js?v=20210527
  https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonLoginApi.js?v=20200810
Hosts (17): cdn-file-ssl-wan.ludashi.com(115.238.192.241) i.ludashi.com(120.27.82.56) cdn-wan.ludashi.com(122.225.67.192) wan.ludashi.com(139.129.105.182) s.ludashi.com(139.224.193.172) cdn-ssl-wan.ludashi.com(115.238.192.242) cdn-file.ludashi.com(115.223.31.227) cdn-file-ssl-pc.ludashi.com(183.136.197.99) 139.129.105.182 47.117.76.201 115.238.192.244 - malware 58.218.203.239 115.238.192.238 183.136.197.100 122.225.67.193 106.15.139.117 120.27.82.56
Alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Packed Executable Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | M | 24 | ZeroCERT
8890 | 2021-06-14 23:48
2.dll cdc6ef36562b097aa88cd1d4e7e839cb
Tags: PE File PE64 DLL OS Processor Check VirusTotal Malware Checks debugger unpack itself crashed
1.4 | | 9 | ZeroCERT
8891 | 2021-06-15 01:08
DOCUMENT.EXE 53964b6a40bfe2b10d36ba5e3d52966a
Tags: PWS Loki[b] Loki[m] .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
6.4 | | | guest
8892 | 2021-06-15 02:14
converted-1620651173-127d take... 6610377e92153714fb04734249387c2b
Tags: unpack itself
1.2 | | | guest
8893 | 2021-06-15 10:16
img_23_61_78_802.exe d45879197ce5a42e7c810bca5e020af5
Tags: PWS Loki[b] Loki[m] DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://209.141.34.39/cap-01/pin.php - rule_id: 1961
Hosts (1): 209.141.34.39 - mailcious
Alerts (5):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
Malicious URLs (1):
  http://209.141.34.39/cap-01/pin.php
8.4 | M | 33 | guest
8894 | 2021-06-15 10:19
MONDAY-FAX(EMAIL).exe e5fc908b43a9096e833093739b2421b6
Tags: Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key
Hosts (1):
13.4 | | 29 | ZeroCERT
8895 | 2021-06-15 10:19
vbc.exe 5cea1235379d5c9fbe382c5514fd1335
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed
8.2 | M | 18 | ZeroCERT