14131 |
2021-10-27 18:10
|
ebj1i5m.jpg 4fb7a13f579d6c44324206a7c1818f4c Malicious Library UPX PE File OS Processor Check PE32 DLL PDB unpack itself crashed |
|
|
|
|
0.8 |
|
|
ZeroCERT
14132 |
2021-10-27 18:10
|
sqlservr.exe b60e5e6ba330fe48dc60036585244dd6 PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://63.250.40.204/~wpdemo/file.php?search=5277961 - rule_id: 6600
|
1
63.250.40.204 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://63.250.40.204/~wpdemo/file.php
|
14.2 |
M |
13 |
ZeroCERT
14133 |
2021-10-27 18:11
|
1.html 80a23da8fd4e2533fdd4d0ec0952d0a2 Antivirus AntiDebug AntiVM MSOffice File PNG Format Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
21
|
16
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
ZeroCERT
14134 |
2021-10-27 18:12
|
v2worottu.zip 179547d6f870b7ecf096bc3fd7481c59 Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.6 |
|
6 |
ZeroCERT
14135 |
2021-10-27 18:39
|
Recover-your-messages-immediea... 0319309723ce48319ed9fd8a13fea03d AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
guest
14136 |
2021-10-27 21:58
|
goal.exe 58ee2cdf0199c4e0ff5c2fd1dba4d01a RAT PWS .NET framework [m] Generic Malware Generic Malware task schedule Antivirus AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
10.4 |
|
36 |
ZeroCERT
14137 |
2021-10-27 22:00
|
pub3.exe 9d9e728b344d741f97483e7628d7bedc Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.0 |
|
25 |
ZeroCERT
14138 |
2021-10-27 22:02
|
syurouexcel.xlsx 7a7164733e1a94437a5f7e88e10f8d62 unpack itself |
|
|
|
|
1.2 |
|
|
ZeroCERT
14139 |
2021-10-27 22:07
|
DownFlSetup999.exe fbe63f23b748aa26ebb75e73edc84520 RAT PWS .NET framework Generic Malware UPX PE File PE32 .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
11
|
11
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
8
|
11.4 |
M |
19 |
ZeroCERT
14140 |
2021-10-27 22:12
|
protocol-67578875.xls 5e7a750fba321c306f9820c5f422529e Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
https://maberic.com/3XRJdBEjFc/l.html
https://ost.net.br/toXuNS00/l.html
https://atochagaleria.com.ar/CnijALAyxR/l.html
|
6
atochagaleria.com.ar(192.99.46.215)
ost.net.br(162.241.2.103)
maberic.com(199.79.62.121)
162.241.2.103 - mailcious
192.99.46.215 - malware
199.79.62.121 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.6 |
|
|
guest
14141 |
2021-10-27 22:14
|
protocol-681080435.xls ffae16ac46573765379065dcae2ec248 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
https://maberic.com/3XRJdBEjFc/l.html
https://ost.net.br/toXuNS00/l.html
https://atochagaleria.com.ar/CnijALAyxR/l.html
|
6
atochagaleria.com.ar(192.99.46.215)
ost.net.br(162.241.2.103)
maberic.com(199.79.62.121)
162.241.2.103 - mailcious
192.99.46.215 - malware
199.79.62.121 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
|
guest
14142 |
2021-10-27 22:16
|
1.xls b1de71a7369b8398d18708df20890588 VirusTotal Malware Check memory RWX flags setting unpack itself suspicious process Tofsee Interception |
1
https://www.bitly.com/kddjkodwkwdokdwi
|
2
www.bitly.com(67.199.248.15) - mailcious
67.199.248.15 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
25 |
guest
14143 |
2021-10-28 09:29
|
1.xls b1de71a7369b8398d18708df20890588 VirusTotal Malware Check memory unpack itself suspicious process Tofsee Interception |
|
2
www.bitly.com(67.199.248.14) - mailcious
67.199.248.14 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
|
25 |
guest
14144 |
2021-10-28 09:34
|
1027_4830311122.doc 24e1900dfa4cdf71e11dd3f60874d87f VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself |
|
|
|
|
2.0 |
|
|
guest
14145 |
2021-10-28 09:35
|
1.xls b1de71a7369b8398d18708df20890588 VirusTotal Malware Check memory unpack itself suspicious process Tofsee Interception |
|
2
www.bitly.com(67.199.248.14) - mailcious
67.199.248.15 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
|
25 |
guest