8896 | 2021-06-15 10:22
Reynard_Hydra_pg.exe | c4d8200a28032eea56da319a55cb468e
Tags: AsyncRAT backdoor PWS .NET framework PE File .NET EXE OS Processor Check PE32 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName DNS DDNS
URLs (2):
http://ip-api.com/xml
http://checkip.dyndns.org/
Hosts / IPs (4):
checkip.dyndns.org(131.186.113.70)
ip-api.com(208.95.112.1)
162.88.193.70
208.95.112.1
IDS alerts (4):
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup ip-api.com
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
5.4 | | 42 | ZeroCERT

8897 | 2021-06-15 10:23
MT103-150621-PDF.scr | 755f6460de480381eb4e94768fe27c92
Tags: PE File PE32 DLL VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder DNS crashed
4.0 | | 13 | ZeroCERT

8898 | 2021-06-15 10:30
okcf.exe | c8217715ef55fe5f5643a6cc6c7b797e
Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed
URLs (1): not listed
Hosts / IPs (2):
www.google.com(172.217.25.68)
142.250.66.68
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.6 | | 17 | ZeroCERT

8899 | 2021-06-15 10:32
BrowzarBrowser_J1.exe | e6e9e6a1d44c96471c367efff38a01d8
Tags: AsyncRAT backdoor PWS .NET framework BitCoin ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE PNG Format VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself AntiVM_Disk VM Disk Size Check Interception Windows Cryptographic key crashed
URLs (18):
http://www.browzar.com/start/?v=2000
http://www.browzar.com/start/css/ie7.css
http://www.browzar.com/start/images/browzar-logo.png
http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=8&utmn=124329351&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1291498423&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754190369&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.browzar.com/favicon.ico
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=7&utmn=401575654&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1028378991&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754132582&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=5&utmn=1559166995&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1813809483&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754116115&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=6&utmn=1103076332&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=643683627&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754131609&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=2&utmn=1921911740&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1021202326&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754076585&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=9&utmn=1034717112&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=824186461&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754191354&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=1209025412&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x609&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=899468464&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754071247&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=1810249164&utmredir=1&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://cse.google.com/cse.js?cx=partner-pub-6510901060286821:6220175774
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=4&utmn=1456354037&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=971644748&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754116086&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=3&utmn=1720468560&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1097611435&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1623754077296&utmac=UA-3260541-1&utmcc=__utma%3D175377393.1224321632.1623754071.1623754071.1623754071.1%3B%2B__utmz%3D175377393.1623754071.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
http://www.google-analytics.com/ga.js
http://www.browzar.com/start/css/ie8.css
http://www.browzar.com/start/css/screen.css?1=1
Hosts / IPs (8):
cse.google.com(172.217.175.14)
ajax.googleapis.com(172.217.161.74)
www.browzar.com(139.59.176.201)
www.google-analytics.com(172.217.31.142)
139.59.176.201
142.250.204.142
142.250.66.46 - malicious
172.217.26.138
9.4 | | 52 | ZeroCERT

8900 | 2021-06-15 10:32
w.doc | 97fc7db71d3392dd83582308478e740f
Tags: RTF File doc Malware download Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1):
http://192.3.141.164/wea/vbc.exe
Hosts / IPs (2):
139.59.176.201
192.3.141.164 - malware
IDS alerts (6):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
3.2 | M | | ZeroCERT

8901 | 2021-06-15 10:32
RFL_022_610_377.exe | 571db81b25298d3b3bfb6d19ce03f71f
Tags: SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
Hosts / IPs (4):
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.113.70)
131.186.161.70
104.21.19.200
IDS alerts (4):
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.8 | | 16 | ZeroCERT

8902 | 2021-06-15 10:35
pc_uuppdate.exe | bf7b01b358903416117bc4de8e0861b2
Tags: AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Kovter DNS
Hosts / IPs (1): not listed
IDS alerts (2):
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
8.2 | M | 24 | ZeroCERT

8903 | 2021-06-15 10:37
bin-p.exe | df75f88b30020d1128ec273659993534
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
7.6 | M | 28 | ZeroCERT

8904 | 2021-06-15 10:39
bin.exe | 285cc0e41ca87f5eb2a6d08680a0f94b
Tags: Admin Tool (Sysinternals Devolutions inc) Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
7.6 | M | 28 | ZeroCERT

8905 | 2021-06-15 10:45
scbybttprepush528.exe | 5f32ab11399c7596889739620f178464
Tags: Gen2 Gen1 Emotet Anti_VM PE File OS Processor Check PE32 DLL PNG Format GIF Format MSOffice File JPEG Format PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk China anti-virtualization VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser ComputerName Remote Code Execution DNS
URLs (56):
http://cdn-file.ludashi.com/assets/jquery/jquery183.js
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_pwd.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=add_desk_icon&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b0ea6c10aa2f9f8637adaf8dca6545cc&from=tp_scbybt&forcetick=38280328
http://cdn-file-ssl-wan.ludashi.com/pc/game/flash/pepflashplayer.7z?t=202106151648
http://s.ludashi.com/wan?type=accurate&action=t2&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743342984&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_pwd.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=pepflash_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=826d4532b60a11f8167a6de2a2ebb3b4&from=tp_scbybt&forcetick=38280015
http://s.ludashi.com/wan?type=weiduan&action=main_show&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=360b234ed2d7c7100458a3db8cec87d4&from=tp_scbybt&forcetick=38294421
http://s.ludashi.com/wan?type=weiduan&action=wd_install_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3c8bbce5d85ff18952d12d4d3f3c0fbb&from=tp_scbybt&forcetick=38289750
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/bg.jpg
http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18304274775074992668_1623743310671
http://s.ludashi.com/wan?type=weiduan&action=inst_open&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=d9da2c7d1d42abeeb954adc866e09c16&from=tp_scbybt&forcetick=38284656
http://s.ludashi.com/wan?type=weiduan&action=install_extra&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e55055547e8d2a8cd6a58b02d78635ef&from=tp_scbybt&forcetick=38284656
http://s.ludashi.com/wan?type=accurate&action=t3&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743373002&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/main.css?t=20210323
http://s.ludashi.com/wan?type=weiduan&action=res_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=0351e7d49752fc50b3d45b851d5c1ecb&from=tp_scbybt&forcetick=38277546
http://s.ludashi.com/wan?type=weiduan&action=install&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3198fe798dd9371f1a1b673d412602e1&from=tp_scbybt&forcetick=38266125
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_weixin.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/log_btn.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/checkbox.png
http://wan.ludashi.com/announce/list?callback=jQuery18304274775074992668_1623743310672&type=2&gid=cqbz&skip=0&num=5&_=1623743312955
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav03.png
http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=451727ea8e9bb803e49df4ef62ea6542&from=tp_scbybt&forcetick=38289750
http://i.ludashi.com/ajax/gettoken?user_from=youxi&callback=jQuery18304274775074992668_1623743310671&_=1623743313409
http://cdn-file.ludashi.com/assets/sea/sea.js
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav02.png
http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20210527
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav01.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/news-bg.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_qq.png
http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b66114296225ca89357975808c8201b6&from=tp_scbybt&forcetick=38266187
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_code.png?t=20191021
http://s.ludashi.com/wan?type=accurate&action=t1&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743322985&ex_ary[guid]=
http://wan.ludashi.com/micro/cqbz/index_lds.html?channel=tp&from=tp_repush_wd_cqbz_528
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/hovers.png
http://s.ludashi.com/wan?type=weiduan&action=wd_show_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=8b4326d365a719ea3d64e7e755a4de6d&from=tp_scbybt&forcetick=38294421
http://s.ludashi.com/wan?type=accurate&action=t0&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743312959&ex_ary[guid]=
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_left.png
http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=2a1a43be6e7fcdbeaec42ddf0f59f465&from=tp_scbybt&forcetick=38266187
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_code.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=run&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e9a12aa16e6ff34eb8e20e934148f43d&from=tp_scbybt&forcetick=38293062
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_act.png?t=20191021
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/cir.png
http://s.ludashi.com/wan?type=weiduan&action=add_uninst_item&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=04827975d3650ab9d840f338a616b9f7&from=tp_scbybt&forcetick=38280281
http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106151647
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav04.png
http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_act.png?t=20191021
http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=76aa7ce20c8482e4d2b27579e9a19d03&from=tp_scbybt&forcetick=38267031
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/line.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_right.png
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/upload.jpg
http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/reg.jpg?t=20200105
https://cdn-ssl-wan.ludashi.com/assets/superjs/pageMicro.js?v=20210527
https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonTool.js?v=20210527
https://cdn-ssl-wan.ludashi.com/assets/superjs/modules/commonLoginApi.js?v=20200810
Hosts / IPs (17):
cdn-file-ssl-wan.ludashi.com(115.238.192.239)
i.ludashi.com(120.27.82.56)
cdn-wan.ludashi.com(122.225.67.192)
wan.ludashi.com(139.129.105.182)
s.ludashi.com(114.115.221.211)
cdn-ssl-wan.ludashi.com(115.238.192.238)
cdn-file.ludashi.com(101.227.25.212)
cdn-file-ssl-pc.ludashi.com(180.163.122.228)
139.129.105.182
47.117.78.230
115.238.192.248
115.238.192.239
114.115.214.33
180.163.122.224
101.227.25.210
122.225.67.180
120.27.82.56
IDS alerts (4):
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | M | 19 | ZeroCERT

8906 | 2021-06-15 10:51
Document 1659904.xls | c03577c814275b568037f2eb9e0fc1e3
Tags: VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS
URLs (10):
https://cek-api.match.my.id/vendor/google/auth/src/Cache/z7kVDYvd8s.php
https://www.patie.com.br/posts/hPdcXy5hUEfG.php
https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
https://philips.dexsandbox.com/edm/images/eoDhbmkJ.php
https://hellomeela.phptasks.com/vendor/guzzlehttp/guzzle/src/Cookie/hUXKGbfO9ibqXaw.php
https://voixdescedres.com/www.achatfromchad.com/wp-content/themes/twentyeleven/colors/AP92wBohqyRvjIt.php
https://new.ishr.co.in/wp-content/plugins/unlimited-elements-for-elementor/inc_php/addontypes/wjhhlXuZ7uwqmS.php
https://invest.arabia-investment.com/wp-content/themes/sinatra/template-parts/content/YdePNtKjW.php
https://final.foodpoint.ma/public/impactfront/vendor/bootstrap/dist/MbvBb3r7S3ARV.php
https://damta.mrboatstudio.com/wp-content/plugins/elementor/includes/admin-templates/8sgSD2JtRBnm1.php
Hosts / IPs (20):
invest.arabia-investment.com(192.254.185.136)
exam.edumation.app(134.209.3.189)
philips.dexsandbox.com(70.32.93.146)
www.patie.com.br(191.252.105.201)
hellomeela.phptasks.com(104.255.220.56)
cek-api.match.my.id(144.91.85.140)
voixdescedres.com(162.253.125.64)
damta.mrboatstudio.com(31.22.4.136)
final.foodpoint.ma(185.87.187.226)
new.ishr.co.in(164.52.201.122)
104.255.220.56 - malicious
191.252.105.201 - malicious
31.22.4.136
185.87.187.226 - malicious
162.253.125.64 - malicious
192.254.185.136 - malware
70.32.93.146 - malicious
164.52.201.122
134.209.3.189
144.91.85.140
IDS alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
3.8 | | 26 | ZeroCERT

8907 | 2021-06-15 10:51
Document 53142810.xls | 76d9ad731b3417ce329035c3497d19eb
Tags: VBA_macro Generic Malware MSOffice File VirusTotal Malware unpack itself Tofsee Windows crashed
URLs (1):
https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
Hosts / IPs (2):
exam.edumation.app(134.209.3.189)
134.209.3.189
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | | 23 | ZeroCERT

8908 | 2021-06-15 10:55
UltraMediaBurner.exe | d6a73306c5bdcc557880a455bfb1a4be
Tags: AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
3.0 | | 37 | ZeroCERT

8909 | 2021-06-15 10:56
IDownload.exe | 4a6b686ed3f18f9aecf846d08a6aa948
Tags: AsyncRAT backdoor PWS .NET framework njRAT PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
2.4 | | 35 | ZeroCERT

8910 | 2021-06-15 10:58
img_23_61_78_802.exe | d45879197ce5a42e7c810bca5e020af5
Tags: PWS Loki[b] Loki[m] DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
http://209.141.34.39/cap-01/pin.php - rule_id: 1961
Hosts / IPs (1):
209.141.34.39 - malicious
IDS alerts (5):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1):
http://209.141.34.39/cap-01/pin.php
8.8 | M | 33 | ZeroCERT
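The records above carry three different grades of network evidence. ET MALWARE alerts name a family or its C2 protocol (the LokiBot check-in and fake-404 rules on 8910, the dotted-quad EXE download on 8900, the AsyncRAT server certificate on 8902). ET POLICY and ET INFO alerts only describe behaviour: the external-IP lookups through ip-api.com, checkip.dyndns.org and freegeoip.app on 8896 and 8901 are reconnaissance the sample performs before contacting its real server, so those hosts should not be written up as C2. JA3 hits from SSLBL identify a TLS client stack, not a family; on this page the "Tofsee" fingerprint fires on 8898, whose only listed contact is www.google.com, and on the Ludashi game installer in 8905, so on its own it is weak evidence. The following Python script is an added example of separating these when triaging such records; it is not part of the ZeroCERT listing or its tooling. The sample records are constructed from entries on this page, and the evidence classes, verdict rules and the set of IP-lookup services are assumptions of the example.

```python
"""Triage sandbox listing records by the strength of their network evidence.

SAMPLES is constructed from records 8896, 8898 and 8910 on this page (hosts,
URLs and IDS alert names as listed there, with a subset of the alerts). The
evidence classes, verdict rules and IP_LOOKUP_SERVICES are assumptions of this
example, not ZeroCERT's own logic.
"""
import re
from dataclasses import dataclass, field

# Services a RAT or stealer queries to learn the victim's public IP (all three
# occur on this page). Contacting them is reconnaissance, not C2, so they and
# the addresses they resolve to are left out of the C2 candidate list. Assumed.
IP_LOOKUP_SERVICES = {"ip-api.com", "checkip.dyndns.org", "freegeoip.app"}

HOST_RE = re.compile(r"^(?P<name>[A-Za-z0-9.\-]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RULE_RE = re.compile(r"-\s*rule_id:\s*(\d+)\s*$")


@dataclass
class Record:
    rid: int
    urls: list = field(default_factory=list)    # "http://...", optionally "- rule_id: N"
    hosts: list = field(default_factory=list)   # "name(ip)" or "ip", optionally "- malicious"
    alerts: list = field(default_factory=list)  # IDS alert message text


def alert_class(alert: str) -> str:
    """Bucket an alert by rule-set prefix. ET MALWARE names a family or C2
    protocol; ET POLICY/INFO/HUNTING describe behaviour; SSLBL and ET JA3 are
    TLS client fingerprints, which identify a client stack rather than a family."""
    if alert.startswith("ET MALWARE"):
        return "malware"
    if alert.startswith(("ET POLICY", "ET INFO", "ET HUNTING")):
        return "policy"
    if alert.startswith(("SSLBL:", "ET JA3")):
        return "fingerprint"
    return "other"


def parse_hosts(hosts):
    """'ip-api.com(208.95.112.1)', '162.88.193.70' or '209.141.34.39 - malicious'
    become (name or None, ip, annotation) triples."""
    parsed = []
    for entry in hosts:
        token, _, note = entry.partition(" - ")
        token = token.strip()
        m = HOST_RE.match(token)
        if m:
            parsed.append((m["name"], m["ip"], note.strip()))
        elif IP_RE.match(token):
            parsed.append((None, token, note.strip()))
    return parsed


def defang(indicator: str) -> str:
    return indicator.replace(".", "[.]")


def triage(rec: Record) -> dict:
    classes = {alert_class(a) for a in rec.alerts}
    if "malware" in classes:
        verdict = "strong"   # a family-specific rule matched the traffic
    elif classes:
        verdict = "weak"     # only behaviour, policy or fingerprint rules fired
    else:
        verdict = "none"

    parsed = parse_hosts(rec.hosts)
    lookup_names = {n for n, _, _ in parsed if n in IP_LOOKUP_SERVICES}
    lookup_ips = {ip for n, ip, _ in parsed if n in IP_LOOKUP_SERVICES}
    candidates = {n or ip for n, ip, _ in parsed
                  if n not in IP_LOOKUP_SERVICES and ip not in lookup_ips}
    flagged = {n or ip for n, ip, note in parsed if note}
    rule_ids = [int(m.group(1)) for u in rec.urls for m in [RULE_RE.search(u)] if m]
    return {
        "id": rec.rid,
        "verdict": verdict,
        "lookup_services": sorted(lookup_names),
        "c2_candidates": sorted(defang(c) for c in candidates),
        "flagged_hosts": sorted(defang(h) for h in flagged),
        "rule_ids": sorted(rule_ids),
    }


# Constructed from records 8896, 8898 and 8910 above.
SAMPLES = [
    Record(8896,
           urls=["http://ip-api.com/xml", "http://checkip.dyndns.org/"],
           hosts=["checkip.dyndns.org(131.186.113.70)", "ip-api.com(208.95.112.1)",
                  "162.88.193.70", "208.95.112.1"],
           alerts=["ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
                   "ET POLICY External IP Lookup ip-api.com"]),
    Record(8898,
           hosts=["www.google.com(172.217.25.68)", "142.250.66.68"],
           alerts=["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]),
    Record(8910,
           urls=["http://209.141.34.39/cap-01/pin.php - rule_id: 1961"],
           hosts=["209.141.34.39 - malicious"],
           alerts=["ET MALWARE LokiBot User-Agent (Charon/Inferno)",
                   "ET MALWARE LokiBot Checkin"]),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(triage(rec))
```

For 8896 the script leaves 162.88.193.70 as the only C2 candidate, because 208.95.112.1 is what ip-api.com resolved to; for 8910 it reports the LokiBot host as both a candidate and a flagged host together with rule_id 1961. A "weak" verdict with non-empty candidates (8898) is the case that needs a human: the JA3 hit says nothing about where the sample connected, so the candidate hosts have to be judged on their own.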