| 8896 |
2021-06-15 10:22
|
 Reynard_Hydra_pg.exe c4d8200a28032eea56da319a55cb468e
AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName DNS DDNS |
2
http://ip-api.com/xml
http://checkip.dyndns.org/
|
4
checkip.dyndns.org(131.186.113.70)
ip-api.com(208.95.112.1)
162.88.193.70
208.95.112.1
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup ip-api.com
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
5.4 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8897 |
2021-06-15 10:23
|
 MT103-150621-PDF.scr 755f6460de480381eb4e94768fe27c92
PE File PE32 DLL VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder DNS crashed |
|
|
|
|
4.0 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8898 |
2021-06-15 10:30
|
 okcf.exe c8217715ef55fe5f5643a6cc6c7b797e
AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed |
1
|
2
www.google.com(172.217.25.68)
142.250.66.68
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8899 |
2021-06-15 10:32
|
 BrowzarBrowser_J1.exe e6e9e6a1d44c96471c367efff38a01d8
AsyncRAT backdoor PWS .NET framework BitCoin ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE PNG Format VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself AntiVM_Disk VM Disk Size Check Interception Windows Cryptographic key crashed |
18
http://www.browzar.com/start/?v=2000
http://www.browzar.com/start/css/ie7.css
http://www.browzar.com/start/images/browzar-logo.png
http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=8&utmn=124329351&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1291498423&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754190369&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.browzar.com/favicon.ico
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=7&utmn=401575654&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1028378991&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754132582&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=5&utmn=1559166995&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1813809483&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754116115&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=6&utmn=1103076332&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=643683627&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754131609&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=2&utmn=1921911740&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1021202326&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754076585&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=9&utmn=1034717112&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=824186461&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754191354&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=1209025412&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x609&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=899468464&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754071247&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=1810249164&utmredir=1&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://cse.google.com/cse.js?cx=partner-pub-6510901060286821:6220175774
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=4&utmn=1456354037&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=971644748&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754116086&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=3&utmn=1720468560&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1097611435&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754077296&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/ga.js
http://www.browzar.com/start/css/ie8.css
http://www.browzar.com/start/css/screen.css?1=1
|
8
cse.google.com(172.217.175.14)
ajax.googleapis.com(172.217.161.74)
www.browzar.com(139.59.176.201)
www.google-analytics.com(172.217.31.142)
139.59.176.201
142.250.204.142
142.250.66.46 - mailcious
172.217.26.138
|
|
|
9.4 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8900 |
2021-06-15 10:32
|
 w.doc 97fc7db71d3392dd83582308478e740f
RTF File doc Malware download Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://192.3.141.164/wea/vbc.exe
|
2
139.59.176.201
192.3.141.164 - malware
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8901 |
2021-06-15 10:32
|
 RFL_022_610_377.exe 571db81b25298d3b3bfb6d19ce03f71f
SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.113.70)
131.186.161.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8902 |
2021-06-15 10:35
|
 pc_uuppdate.exe bf7b01b358903416117bc4de8e0861b2
AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Kovter DNS |
|
1
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
8.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8903 |
2021-06-15 10:37
|
 bin-p.exe df75f88b30020d1128ec273659993534
AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8904 |
2021-06-15 10:39
|
 bin.exe 285cc0e41ca87f5eb2a6d08680a0f94b
Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8905 |
2021-06-15 10:45
|
 scbybttprepush528.exe 5f32ab11399c7596889739620f178464
Gen2 Gen1 Emotet Anti_VM PE File OS Processor Check PE32 DLL PNG Format GIF Format MSOffice File JPEG Format PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk China anti-virtualization VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser ComputerName Remote Code Execution DNS |
56
http://cdn-file.ludashi.com/assets/jquery/jquery183.js
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_pwd.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=add_desk_icon&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b0ea6c10aa2f9f8637adaf8dca6545cc&from=tp_scbybt&forcetick=38280328
http://cdn-file-ssl-wan.ludashi.com/pc/game/flash/pepflashplayer.7z?t=202106151648
http://s.ludashi.com/wan?type=accurate&action=t2&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz×tamp=1623743342984&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_pwd.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=pepflash_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=826d4532b60a11f8167a6de2a2ebb3b4&from=tp_scbybt&forcetick=38280015
http://s.ludashi.com/wan?type=weiduan&action=main_show&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=360b234ed2d7c7100458a3db8cec87d4&from=tp_scbybt&forcetick=38294421
http://s.ludashi.com/wan?type=weiduan&action=wd_install_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3c8bbce5d85ff18952d12d4d3f3c0fbb&from=tp_scbybt&forcetick=38289750
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/bg.jpg
http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18304274775074992668_1623743310671
http://s.ludashi.com/wan?type=weiduan&action=inst_open&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=d9da2c7d1d42abeeb954adc866e09c16&from=tp_scbybt&forcetick=38284656
http://s.ludashi.com/wan?type=weiduan&action=install_extra&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e55055547e8d2a8cd6a58b02d78635ef&from=tp_scbybt&forcetick=38284656
http://s.ludashi.com/wan?type=accurate&action=t3&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz×tamp=1623743373002&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/main.css?t=20210323
http://s.ludashi.com/wan?type=weiduan&action=res_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=0351e7d49752fc50b3d45b851d5c1ecb&from=tp_scbybt&forcetick=38277546
http://s.ludashi.com/wan?type=weiduan&action=install&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3198fe798dd9371f1a1b673d412602e1&from=tp_scbybt&forcetick=38266125
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_weixin.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/log_btn.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/checkbox.png
http://wan.ludashi.com/announce/list?callback=jQuery18304274775074992668_1623743310672&type=2&gid=cqbz&skip=0&num=5&_=1623743312955
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav03.png
http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=451727ea8e9bb803e49df4ef62ea6542&from=tp_scbybt&forcetick=38289750
http://i.ludashi.com/ajax/gettoken?user_from=youxi&callback=jQuery18304274775074992668_1623743310671&_=1623743313409
http://cdn-file.ludashi.com/assets/sea/sea.js
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav02.png
http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20210527
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav01.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/news-bg.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_qq.png
http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b66114296225ca89357975808c8201b6&from=tp_scbybt&forcetick=38266187
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_code.png?t=20191021
http://s.ludashi.com/wan?type=accurate&action=t1&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz×tamp=1623743322985&ex_ary[guid]=
http://wan.ludashi.com/micro/cqbz/index_lds.html?channel=tp&from=tp_repush_wd_cqbz_528
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/hovers.png
http://s.ludashi.com/wan?type=weiduan&action=wd_show_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=8b4326d365a719ea3d64e7e755a4de6d&from=tp_scbybt&forcetick=38294421
http://s.ludashi.com/wan?type=accurate&action=t0&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz×tamp=1623743312959&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_left.png
http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=2a1a43be6e7fcdbeaec42ddf0f59f465&from=tp_scbybt&forcetick=38266187
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_code.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=run&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e9a12aa16e6ff34eb8e20e934148f43d&from=tp_scbybt&forcetick=38293062
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_act.png?t=20191021
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/cir.png
http://s.ludashi.com/wan?type=weiduan&action=add_uninst_item&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=04827975d3650ab9d840f338a616b9f7&from=tp_scbybt&forcetick=38280281
http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106151647
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav04.png
http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_act.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=76aa7ce20c8482e4d2b27579e9a19d03&from=tp_scbybt&forcetick=38267031
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/line.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_right.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/upload.jpg
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/reg.jpg?t=20200105
https://cdn-ssl-wan.ludashi.com/assets/superjs/pageMicro.js?v=20210527
https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonTool.js?v=20210527
https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonLoginApi.js?v=20200810
|
17
cdn-file-ssl-wan.ludashi.com(115.238.192.239)
i.ludashi.com(120.27.82.56)
cdn-wan.ludashi.com(122.225.67.192)
wan.ludashi.com(139.129.105.182)
s.ludashi.com(114.115.221.211)
cdn-ssl-wan.ludashi.com(115.238.192.238)
cdn-file.ludashi.com(101.227.25.212)
cdn-file-ssl-pc.ludashi.com(180.163.122.228)
139.129.105.182
47.117.78.230
115.238.192.248
115.238.192.239
114.115.214.33
180.163.122.224
101.227.25.210
122.225.67.180
120.27.82.56
|
4
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.2 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8906 |
2021-06-15 10:51
|
Document 1659904.xls c03577c814275b568037f2eb9e0fc1e3
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
10
https://cek-api.match.my.id/vendor/google/auth/src/Cache/z7kVDYvd8s.php
https://www.patie.com.br/posts/hPdcXy5hUEfG.php
https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
https://philips.dexsandbox.com/edm/images/eoDhbmkJ.php
https://hellomeela.phptasks.com/vendor/guzzlehttp/guzzle/src/Cookie/hUXKGbfO9ibqXaw.php
https://voixdescedres.com/www.achatfromchad.com/wp-content/themes/twentyeleven/colors/AP92wBohqyRvjIt.php
https://new.ishr.co.in/wp-content/plugins/unlimited-elements-for-elementor/inc_php/addontypes/wjhhlXuZ7uwqmS.php
https://invest.arabia-investment.com/wp-content/themes/sinatra/template-parts/content/YdePNtKjW.php
https://final.foodpoint.ma/public/impactfront/vendor/bootstrap/dist/MbvBb3r7S3ARV.php
https://damta.mrboatstudio.com/wp-content/plugins/elementor/includes/admin-templates/8sgSD2JtRBnm1.php
|
20
invest.arabia-investment.com(192.254.185.136)
exam.edumation.app(134.209.3.189)
philips.dexsandbox.com(70.32.93.146)
www.patie.com.br(191.252.105.201)
hellomeela.phptasks.com(104.255.220.56)
cek-api.match.my.id(144.91.85.140)
voixdescedres.com(162.253.125.64)
damta.mrboatstudio.com(31.22.4.136)
final.foodpoint.ma(185.87.187.226)
new.ishr.co.in(164.52.201.122)
104.255.220.56 - mailcious
191.252.105.201 - mailcious
31.22.4.136
185.87.187.226 - mailcious
162.253.125.64 - mailcious
192.254.185.136 - malware
70.32.93.146 - mailcious
164.52.201.122
134.209.3.189
144.91.85.140
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8907 |
2021-06-15 10:51
|
Document 53142810.xls 76d9ad731b3417ce329035c3497d19eb
VBA_macro Generic Malware MSOffice File VirusTotal Malware unpack itself Tofsee Windows crashed |
1
https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
|
2
exam.edumation.app(134.209.3.189)
134.209.3.189
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8908 |
2021-06-15 10:55
|
 UltraMediaBurner.exe d6a73306c5bdcc557880a455bfb1a4be
AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS |
|
|
|
|
3.0 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8909 |
2021-06-15 10:56
|
 IDownload.exe 4a6b686ed3f18f9aecf846d08a6aa948
AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8910 |
2021-06-15 10:58
|
 img_23_61_78_802.exe d45879197ce5a42e7c810bca5e020af5
PWS Loki[b] Loki[m] DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://209.141.34.39/cap-01/pin.php - rule_id: 1961
|
1
209.141.34.39 - mailcious
|
5
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Fake 404 Response
|
1
http://209.141.34.39/cap-01/pin.php
|
8.8 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|