| 151 |
2023-02-09 10:43
|
 hjf.exe b0dd3b97aaab029d1253cb0c3794d455
Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
16
http://www.ecomicsvilla.com/8qa3/
http://www.f1253.com/8qa3/
http://www.soroptimistofamador.com/8qa3/?NB=c5Eeb7dn/8EYxC+M6re+nHBh7m2i5KbribjzLk2BVWQgprnRWDOreo3dlS1Tf/13fTrHvW7qwb+7jwCe0+JVEy4ZSMH4EcsXdNb8klM=&PNbL=jX-jTZzzH14-6O
http://www.pushpaholidays.com/8qa3/
http://www.defituesday.com/8qa3/?NB=g/K91+24+PHAiHPhvyuFXzVpVj02gVzNZeKGHjuCFrMmzpuKet/E+G0ypAyl4zj9I8Z7auL/coT2Y4uPH7ZahhTSjlAwmlMiIr0KtvE=&PNbL=jX-jTZzzH14-6O
http://www.theedenpublicschool.com/8qa3/
http://www.soroptimistofamador.com/8qa3/
http://www.f1253.com/8qa3/?NB=J0i+HNrGClYTAcXYOGMjUfCCY+jxRA7qTJ0QlwQRMh/eBqJkbuSEepiRopmRQgF/HN5KR+bmQ7TE+zYnqYNLGx5YeZCqzK5CyODJ6qA=&PNbL=jX-jTZzzH14-6O
http://www.theedenpublicschool.com/8qa3/?NB=awREWtMMj+lRHHM6AQdmRgvwbUZmvp8tQda9g/jpnZpjQndokfCyaw0eStkt3W3LDFF5IEfACaY0uUEW+xg0qs2ozgMGzCLbcweLr7E=&PNbL=jX-jTZzzH14-6O
http://www.pushpaholidays.com/8qa3/?NB=uwc3uy5jUwBmgGhOFs3IT1KM06KJvn6K5bdvjpj3r4WyLQ/DzhXqBqj1ZuMMRVOGVDo2DjphbD36wW4cqg2mbD0xix1zXMzS8AuI19o=&PNbL=jX-jTZzzH14-6O
http://www.defituesday.com/8qa3/
http://www.boltag.xyz/8qa3/?NB=qnytmCaQLfU4zsrtGjFnzBqU0b3giDP99e6pyqNb4SbHI20/4CVvCJHspsGpbucyTs/cyReYkpquPSKEraK1PzjSbuif9SuGl0f0RSw=&PNbL=jX-jTZzzH14-6O
http://www.boltag.xyz/8qa3/
http://www.ecomicsvilla.com/8qa3/?NB=NoEkgSowB96SWPAg7xVMgGDZv5EdP4jNoDX46qfudZBh/ww1VORetC7JM6bTsJ7/lBMT+kpLr5o69A4fo6ZiQJ0mwjKygXrKvZBCDz0=&PNbL=jX-jTZzzH14-6O
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
http://www.ambilis.com/8qa3/?NB=Yw6YD0s17PM9etjv/emAmMlEED9F94kmNvL7jtaM45zABScbtKoqJqCX2gTJEUJahVXOtkWRgK0fQ0tM1LEfveKg/13pcGnAI9Ia8t8=&PNbL=jX-jTZzzH14-6O
|
17
www.pushpaholidays.com(216.239.36.21)
www.defituesday.com(199.59.243.222) - mailcious
www.boltag.xyz(199.192.31.98)
www.theedenpublicschool.com(162.214.81.26)
www.f1253.com(34.92.178.239)
www.ambilis.com(199.59.243.222)
www.sqlite.org(45.33.6.223)
www.ecomicsvilla.com(198.252.102.191)
www.soroptimistofamador.com(162.241.230.71)
216.239.32.21 - mailcious
199.59.243.222 - mailcious
162.214.81.26
162.241.230.71
198.252.102.191
45.33.6.223
199.192.31.98
34.92.178.239
|
3
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
4.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 152 |
2023-02-09 10:34
|
 vbc.exe 900820f261e82e5c51ecaa86f2f68f86
Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software |
1
https://sempersim.su/ha9/fre.php
|
2
sempersim.su(46.148.39.36) - mailcious
46.148.39.36 - mailcious
|
1
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
|
|
7.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 153 |
2023-02-08 09:36
|
 beau.exe c71d6374ee14811b90b888115a68ee38
Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder crashed |
|
|
|
|
4.0 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 154 |
2023-02-07 17:46
|
 vbc.exe ecd901a84b82d00a82d45b4d0123352c
Loki Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName Remote Code Execution DNS Software |
1
http://sempersim.su/ha1/fre.php - rule_id: 26323
|
3
sempersim.su(46.148.39.36) - mailcious
46.148.39.36 - mailcious
62.204.41.5 - malware
|
10
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
ET DROP Dshield Block Listed Source group 1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://sempersim.su/ha1/fre.php
|
8.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 155 |
2023-02-02 10:03
|
 vbc.exe 2ee13ecd998734cd7fc80b882c7c3eab
Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://sempersim.su/ha4/fre.php
|
2
sempersim.su(46.148.39.36) - mailcious
46.148.39.36 - mailcious
|
9
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
8.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 156 |
2023-02-02 10:01
|
 aaaaa.exe a62b834fd42367f384b1a6a7250a3e9f
Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.85/davidhill/five/fre.php
|
1
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
9.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 157 |
2023-02-01 17:01
|
 vbc.exe 3c201fc4355b967aefaae295cc6fa701
Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself suspicious TLD installed browsers check Browser Email ComputerName DNS Software |
1
http://sempersim.su/ha3/fre.php
|
2
sempersim.su(46.148.39.36) - mailcious
46.148.39.36 - mailcious
|
9
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
8.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 158 |
2023-02-01 11:10
|
 sof.exe 512fcd3048ecc3311759e82e00c9888d
Malicious Library UPX PE32 PE File OS Processor Check FormBook Browser Info Stealer Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder Windows Browser |
6
http://www.cc445588.com/u8ow/?Dzrpg=62q5EqcnfAyBypYvnqoA1ROFBJdmRil8RYNtaokkVqBfVHhuvt18W13ZgbKvv1idEuKG0I3o&OtWl4v=wZO03VaH8xi4q
http://www.institutolilica.org/u8ow/?Dzrpg=q2/ZXzpzMsZzN7QI9PE33rS9KrhX7Ifq2pnps7I/LklzzNmAUl1swL40UZz1AVub4OUx8vIp&OtWl4v=wZO03VaH8xi4q
http://www.ethoscoverage.com/u8ow/?Dzrpg=c930e5NKV3yATX+rRJ9x00M5gQxU3EZxFJwcjlURWpp3ci+t2iK60qIsEQ2II1mzLFamBbnm&OtWl4v=wZO03VaH8xi4q
http://www.auskunfton.com/u8ow/?Dzrpg=XM3FZlITpxXSgA9+cTB7ZhVcPqaY38ec5Na2oo7T8ju3Qulh/na9l3w1YqSNFzstDE46GLeZ&OtWl4v=wZO03VaH8xi4q
http://www.ssgbusiness.net/u8ow/?Dzrpg=1B7Q2w9kUJo6GoGJlvPlwfFjDLECNjBWc4vepFtNCOZmReStEqDkY+Zv2zKXTRGoYBraAfj5&OtWl4v=wZO03VaH8xi4q
http://www.wonderatwork.com/u8ow/?Dzrpg=r1lq2ICONhGS56U29iXOhWGc4J2FcsBtOsTouXqOx3iBFMDMYguyCqzF/DiMPl0vcF/rmZdh&OtWl4v=wZO03VaH8xi4q
|
18
www.ssgbusiness.net(18.193.36.153)
www.cc445588.com(156.235.210.188)
www.connmnn.site()
www.wonderatwork.com(13.248.243.5)
www.auskunfton.com(192.64.115.133)
www.tylerarchercoaching.com(203.170.80.250)
www.unitech-usa.com()
www.ethoscoverage.com(66.96.160.134)
www.vft6.site()
www.fmh2022.online()
www.institutolilica.org(199.15.163.128)
156.235.210.188
13.248.243.5 - phishing
66.96.160.134
192.64.115.133
18.193.36.153 - mailcious
203.170.80.250 - phishing
199.15.163.148 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
7.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 159 |
2023-01-28 23:46
|
 ndiiche.exe f020e4ab9dacdc83e6b1a4537b5338bc
Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
12
http://www.nortonarmouriesfilm.com/poub/?wh=BLnufXe+htRCJdGMYs/UIkE1Ord2liFe7+FZV+PhK0RoHbV4k3bf7bz0LTVkvk/OGnLD7I6n&Tj=CpFH
http://www.solarisgp.com/poub/?wh=9Qzq7/cNmiO8gP9g7/YMtyKdZgN9O07G8B4F6oxSOqz0nOfrx3Lpm7qgjAA/myBvkEyuhsV5&Tj=CpFH
http://www.648t.com/poub/?wh=K8JDXtj1csEOsKt7xN7TZ8myjnIuEtILOF7bd7rtPsNZcZO59acCwiCQGa6VYblFlBTd7Emg&Tj=CpFH
http://www.peiphitan.com/poub/?wh=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&Tj=CpFH - rule_id: 22766
http://www.peiphitan.com/poub/?wh=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&Tj=CpFH
http://www.cheapboden.com/poub/?wh=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&Tj=CpFH - rule_id: 26428
http://www.cheapboden.com/poub/?wh=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&Tj=CpFH
http://www.webbestsec.online/poub/?wh=jgTv/1nzzve2Jrh/0z5DiZA6sCl7Ik6h/Wzr0n6YWtqGHAR2J6qU+m/Pu18WZVT3NAPAa7xl&Tj=CpFH - rule_id: 22769
http://www.webbestsec.online/poub/?wh=jgTv/1nzzve2Jrh/0z5DiZA6sCl7Ik6h/Wzr0n6YWtqGHAR2J6qU+m/Pu18WZVT3NAPAa7xl&Tj=CpFH
http://www.yh77988.com/poub/?wh=ubOq6EmcWJHLexQvrdYoxlPS9zWtdvyg1lRZMQ6IzP/COg+XLfTkcV2mzLAwLHYPjC3yOytw&Tj=CpFH
http://www.drzjup.space/poub/?wh=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&Tj=CpFH - rule_id: 23154
http://www.craftedinglass.com/poub/?wh=EAlLP+uq+Ypg0P22Y7QQF4n9hEibmSp0Rua/l7jXqEqDwRVMV6dsul2LxqZZ7UVqr4u2oUAH&Tj=CpFH
|
22
www.peiphitan.com(192.64.115.133) -
www.yh77988.com(180.215.65.145) -
www.drzjup.space(172.255.33.179) -
www.atomicconnections.org() -
www.nortonarmouriesfilm.com(172.67.154.28) -
www.solarisgp.com(139.162.163.163) -
www.craftedinglass.com(185.199.220.38) -
www.648t.com(38.54.132.94) -
www.cheapboden.com(104.21.35.28) -
www.797322.com(136.0.161.67) -
www.valenteimmigration.com() -
www.webbestsec.online(2.57.90.16) -
38.54.132.94
172.255.33.179 -
139.162.163.163 -
185.199.220.38 -
192.64.115.133 -
172.67.154.28 -
2.57.90.16 -
136.0.161.67 -
172.67.212.73 -
180.215.65.145 -
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
4
http://www.peiphitan.com/poub/
http://www.cheapboden.com/poub/
http://www.webbestsec.online/poub/
http://www.drzjup.space/poub/
|
5.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 160 |
2023-01-28 23:44
|
 nala.exe c5edcf43ecc797a13c565d436c6a541c
Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself |
9
http://www.bayuerlangga.com/poub/?DzrpX=dv0D7ZTz3/rxoN5YFbhM+9+2l8xA4Y/6clNyq177/TmsgguRLFhMDXEtC4LvmLwAeDsjJnOC&OtNl4v=wZOPRFRhutzde - rule_id: 22767
http://www.bayuerlangga.com/poub/?DzrpX=dv0D7ZTz3/rxoN5YFbhM+9+2l8xA4Y/6clNyq177/TmsgguRLFhMDXEtC4LvmLwAeDsjJnOC&OtNl4v=wZOPRFRhutzde
http://www.indumentaria.org/poub/?DzrpX=9Sa8+P8S3yj6JdUqO31/UZB16X9Ks4Ridk1FRmPwwVNbyLlcfiBQ0oaMQtKZUhqBNydmsduR&OtNl4v=wZOPRFRhutzde - rule_id: 23155
http://www.indumentaria.org/poub/?DzrpX=9Sa8+P8S3yj6JdUqO31/UZB16X9Ks4Ridk1FRmPwwVNbyLlcfiBQ0oaMQtKZUhqBNydmsduR&OtNl4v=wZOPRFRhutzde
http://www.crusadia.net/poub/?DzrpX=BYWI1ybJrJc11tuYbuPv66f3H3Cr5zuGlkVqrCbrO2SRjMGFR+aqTisH+sImtYdY9S5ZKg1z&OtNl4v=wZOPRFRhutzde
http://www.midundao.net/poub/?DzrpX=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&OtNl4v=wZOPRFRhutzde - rule_id: 26429
http://www.midundao.net/poub/?DzrpX=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&OtNl4v=wZOPRFRhutzde
http://www.craftedinglass.com/poub/?DzrpX=EAlLP+uq+Ypg0P22Y7QQF4n9hEibmSp0Rua/l7jXqEqDwRVMV6dsul2LxqZZ7UVqr4u2oUAH&OtNl4v=wZOPRFRhutzde
http://www.lastperfection.com/poub/?DzrpX=EXP7ahyuJHd+DC2PxusCp4nPQa2PWB9KfA+YKNPy3UTBymMENUkVQxO9qe9TtwNEd8Oku9Yz&OtNl4v=wZOPRFRhutzde
|
16
www.bayuerlangga.com(203.175.9.15) -
www.bekansas.com() -
www.indumentaria.org(91.195.240.94) -
www.jojooo.xyz() -
www.lastperfection.com(104.21.95.23) -
www.craftedinglass.com(185.199.220.38) -
www.crusadia.net(212.192.29.71) -
www.midundao.net(172.247.35.173) -
www.tokendownload.space(67.21.71.208) -
91.195.240.94 -
172.247.35.173 -
67.21.71.208 -
212.192.29.71 -
203.175.9.15 -
172.67.169.72 -
185.199.220.38 -
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
3
http://www.bayuerlangga.com/poub/
http://www.indumentaria.org/poub/
http://www.midundao.net/poub/
|
5.8 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 161 |
2023-01-28 23:21
|
 trt.exe 8b37c8c2c2beefd373d98526c700109a
Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself |
8
http://www.tierhilfe.wien/u8ow/?JDK8bDY=BNajd84x3VAExzzQflw6GjYFlyzNvm1WOYGGTG/CWQYqYezsWt9IyX5R3a8hLkeEY2unUTwo&BX=E2J4tHWPDV2
http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip
http://www.majorcaplanetary.com/u8ow/?JDK8bDY=rg0x9k48BKFOT14G/iw7IxZbNT5LWXCSQjqICaoNMU98v63jtjWg9tD+TEkF8dNfmdfDoVF3&BX=E2J4tHWPDV2
http://www.purexerxes.info/u8ow/?JDK8bDY=tbsfNZRlB98CfZgoTqrjLUCdFMkabRU6asYKntiT3OToNHmlZVwHzipV6t31IXe50H8bAWrH&BX=E2J4tHWPDV2
http://www.calcomfcu.site/u8ow/?JDK8bDY=1wpVf/B9vxcntabxREqD8jaAVGNnU10L3+k9w0T6qCRRyiTszTDXQCuvCeV0JLYYiyzuPf2r&BX=E2J4tHWPDV2
http://www.topjeugd.online/u8ow/?JDK8bDY=7/P217W1f7A/Yo/xgJYekXFs5F27/ruVUOvep71/WwZyMjQajMqCTifHO1h+TczMm1hqSB8i&BX=E2J4tHWPDV2
http://www.auskunfton.com/u8ow/?JDK8bDY=XM3FZlITpxXSgA9+cTB7ZhVcPqaY38ec5Na2oo7T8ju3Qulh/na9l3w1YqSNFzstDE46GLeZ&BX=E2J4tHWPDV2
http://www.guantanamera.site/u8ow/?JDK8bDY=x/hIzmU3zKEE/ypFCUvzcrdcFQjbfxVIaJO1OQoFT6HLsvhw7gT61bmnxhwjemW1FSLJv5Rt&BX=E2J4tHWPDV2
|
23
www.fmh2022.online() -
www.fifththird.in() -
www.majorcaplanetary.com(103.178.175.19) -
www.unitech-usa.com() -
www.calcomfcu.site(209.17.116.163) -
www.rvwl.ink() -
www.oth6ykn9h4g.site() -
www.tierhilfe.wien(195.30.84.166) -
www.purexerxes.info(172.67.199.86) -
www.topjeugd.online(185.104.28.238) -
www.sqlite.org(45.33.6.223) -
www.harborretired.com() -
www.guantanamera.site(208.91.197.27) -
www.milwaukeedeals.online() -
www.auskunfton.com(192.64.115.133) -
209.17.116.163 -
104.21.21.157 -
185.104.28.238 - mailcious
195.30.84.166 -
103.178.175.19 -
208.91.197.27 -
192.64.115.133 -
45.33.6.223 -
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 162 |
2023-01-26 11:02
|
 nmnb.exe 58a93d1d064b9e8265ea798531adb0bf
Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself DNS |
8
http://www.drzjup.space/poub/?J48=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&EhU4Nv=gdM0vL4huV - rule_id: 23154
http://www.soldbylena.com/poub/?J48=Yx1Go82kz3quMGBdMT8MTkTpwx2C2fKFreghtdDiaVm/DdA3lQSzkCq363BA4rx6egegMd3w&EhU4Nv=gdM0vL4huV
http://www.cheapboden.com/poub/?J48=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&EhU4Nv=gdM0vL4huV
http://www.peiphitan.com/poub/?J48=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&EhU4Nv=gdM0vL4huV - rule_id: 22766
http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip
http://www.midundao.net/poub/?J48=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&EhU4Nv=gdM0vL4huV
http://www.agence-dragonne.com/poub/?J48=AJ1lnItlOBOMu4VTxug+YhiyjjMIB0X6igB7b1gQ1/FyMjSiMMj6SiFHodYf6/xohFqvUB4/&EhU4Nv=gdM0vL4huV
http://www.elektrogo.xyz/poub/?J48=kDUzKCy494oCEChFShINt/qIs4aj4rKFw2/eKTVt/tzluLb40v7G/v2cQ7gHUqwc6NHSG5Wb&EhU4Nv=gdM0vL4huV
|
22
www.soldbylena.com(142.250.206.243)
www.etgadu.global()
www.midundao.net(172.247.35.173)
www.cheapboden.com(172.67.212.73)
www.crusadia.net(212.192.29.71)
www.peiphitan.com(192.64.115.133) - mailcious
www.agence-dragonne.com(153.127.67.174)
www.sqlite.org(45.33.6.223)
www.drzjup.space(172.255.33.179) - mailcious
www.elektrogo.xyz(85.159.66.93)
www.tokendownload.space(67.21.71.208)
85.159.66.93 - mailcious
172.255.33.179 - mailcious
172.247.35.173
67.21.71.208
212.192.29.71
192.64.115.133
104.21.35.28 - mailcious
142.250.206.243 - phishing
45.33.6.223
77.73.134.27 - malware
153.127.67.174
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
2
http://www.drzjup.space/poub/
http://www.peiphitan.com/poub/
|
6.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 163 |
2023-01-26 10:55
|
 file.exe 70c2bfb3dd7b6467020e6ca5d7f037a3
Malicious Library UPX PE32 PE File OS Processor Check FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder Windows DNS |
4
http://www.alloahucondos.com/w12e/?AdhDQXr=Am4O/Gq5Ync1FuJsqsgsoCg+9OpYuQdFtmmXHaZllHoL6K1n+mbbjZKawvl3CJ7PMuTqHmnI&1bm=ml4L1LOpyLI0n
http://www.car-deals-75816.com/w12e/?AdhDQXr=trBIi//oN83t2rzOyuxo8RhWQb4DfxA31Jpi1HgoFpc+sPkjvwtJR7tkNzChFLywBIpqobR9&1bm=ml4L1LOpyLI0n
http://www.ideeksha.net/w12e/?AdhDQXr=6DxUQ+HCSRqCEizWiEucg+SXtE+UbnUdS+5N0El4w4v4UDUGZHvS5Nx9GPBpeSVN1yu5asm5&1bm=ml4L1LOpyLI0n
http://www.gpsarhealthcare.com/w12e/?AdhDQXr=+dElbzIZz+A8J3CIEYanBxRMrjm5MhmkPJXtCcXIvGUuSglwlsakZ/yF6M4jzsobramRNR8Q&1bm=ml4L1LOpyLI0n
|
9
www.ideeksha.net(34.102.136.180)
www.gpsarhealthcare.com(154.23.50.169)
www.car-deals-75816.com(104.247.82.93)
www.alloahucondos.com(154.218.100.185)
104.247.82.93
34.102.136.180 - mailcious
154.218.100.185
37.230.138.123 - mailcious
154.23.50.169
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
6.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 164 |
2023-01-25 05:10
|
 vbc.exe cdcbca7a700fdee5246a10aef03525b7
Loki Malicious Library UPX PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software |
1
http://sempersim.su/ha1/fre.php - rule_id: 26323
|
2
sempersim.su(46.148.39.36) - mailcious
46.148.39.36 - mailcious
|
9
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://sempersim.su/ha1/fre.php
|
7.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 165 |
2023-01-25 04:46
|
 c4.exe d2dac4794ef6d00cdfaa25638ed72acd
Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Discord Browser Email ComputerName DNS Cryptographic key crashed keylogger |
2
https://discord.com/api/webhooks/1046445380516188160/wYE1I5gUYgWGIjd87Qj_KINgc0H4L5OkXe6VRMrVqnd9j7v1JJkSUywS6H4xPPyCnrLe
https://api.ipify.org/
|
4
discord.com(162.159.136.232) - mailcious
api.ipify.org(104.237.62.211)
173.231.16.76
162.159.138.232 - mailcious
|
3
ET INFO Observed Discord Domain (discord .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
|
|
11.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|