151 | 2023-02-09 10:43 | hjf.exe | MD5 b0dd3b97aaab029d1253cb0c3794d455
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself
URLs (16):
  http://www.ecomicsvilla.com/8qa3/
  http://www.f1253.com/8qa3/
  http://www.soroptimistofamador.com/8qa3/?NB=c5Eeb7dn/8EYxC+M6re+nHBh7m2i5KbribjzLk2BVWQgprnRWDOreo3dlS1Tf/13fTrHvW7qwb+7jwCe0+JVEy4ZSMH4EcsXdNb8klM=&PNbL=jX-jTZzzH14-6O
  http://www.pushpaholidays.com/8qa3/
  http://www.defituesday.com/8qa3/?NB=g/K91+24+PHAiHPhvyuFXzVpVj02gVzNZeKGHjuCFrMmzpuKet/E+G0ypAyl4zj9I8Z7auL/coT2Y4uPH7ZahhTSjlAwmlMiIr0KtvE=&PNbL=jX-jTZzzH14-6O
  http://www.theedenpublicschool.com/8qa3/
  http://www.soroptimistofamador.com/8qa3/
  http://www.f1253.com/8qa3/?NB=J0i+HNrGClYTAcXYOGMjUfCCY+jxRA7qTJ0QlwQRMh/eBqJkbuSEepiRopmRQgF/HN5KR+bmQ7TE+zYnqYNLGx5YeZCqzK5CyODJ6qA=&PNbL=jX-jTZzzH14-6O
  http://www.theedenpublicschool.com/8qa3/?NB=awREWtMMj+lRHHM6AQdmRgvwbUZmvp8tQda9g/jpnZpjQndokfCyaw0eStkt3W3LDFF5IEfACaY0uUEW+xg0qs2ozgMGzCLbcweLr7E=&PNbL=jX-jTZzzH14-6O
  http://www.pushpaholidays.com/8qa3/?NB=uwc3uy5jUwBmgGhOFs3IT1KM06KJvn6K5bdvjpj3r4WyLQ/DzhXqBqj1ZuMMRVOGVDo2DjphbD36wW4cqg2mbD0xix1zXMzS8AuI19o=&PNbL=jX-jTZzzH14-6O
  http://www.defituesday.com/8qa3/
  http://www.boltag.xyz/8qa3/?NB=qnytmCaQLfU4zsrtGjFnzBqU0b3giDP99e6pyqNb4SbHI20/4CVvCJHspsGpbucyTs/cyReYkpquPSKEraK1PzjSbuif9SuGl0f0RSw=&PNbL=jX-jTZzzH14-6O
  http://www.boltag.xyz/8qa3/
  http://www.ecomicsvilla.com/8qa3/?NB=NoEkgSowB96SWPAg7xVMgGDZv5EdP4jNoDX46qfudZBh/ww1VORetC7JM6bTsJ7/lBMT+kpLr5o69A4fo6ZiQJ0mwjKygXrKvZBCDz0=&PNbL=jX-jTZzzH14-6O
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
  http://www.ambilis.com/8qa3/?NB=Yw6YD0s17PM9etjv/emAmMlEED9F94kmNvL7jtaM45zABScbtKoqJqCX2gTJEUJahVXOtkWRgK0fQ0tM1LEfveKg/13pcGnAI9Ia8t8=&PNbL=jX-jTZzzH14-6O
Hosts (17):
  www.pushpaholidays.com (216.239.36.21)
  www.defituesday.com (199.59.243.222) - malicious
  www.boltag.xyz (199.192.31.98)
  www.theedenpublicschool.com (162.214.81.26)
  www.f1253.com (34.92.178.239)
  www.ambilis.com (199.59.243.222)
  www.sqlite.org (45.33.6.223)
  www.ecomicsvilla.com (198.252.102.191)
  www.soroptimistofamador.com (162.241.230.71)
  216.239.32.21 - malicious
  199.59.243.222 - malicious
  162.214.81.26
  162.241.230.71
  198.252.102.191
  45.33.6.223
  199.192.31.98
  34.92.178.239
Suricata alerts (3):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 4.2 | M | 28 | ZeroCERT

152 | 2023-02-09 10:34 | vbc.exe | MD5 900820f261e82e5c51ecaa86f2f68f86
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Check memory, Creates executable files, unpack itself, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  https://sempersim.su/ha9/fre.php
Hosts (2):
  sempersim.su (46.148.39.36) - malicious
  46.148.39.36 - malicious
Suricata alerts (1):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Score: 7.6 | M | 34 | ZeroCERT

153 | 2023-02-08 09:36 | beau.exe | MD5 c71d6374ee14811b90b888115a68ee38
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, VirusTotal, Malware, Check memory, Creates executable files, unpack itself, AppData folder, crashed
No URLs, hosts or Suricata alerts recorded.
Score: 4.0 | 49 | ZeroCERT

154 | 2023-02-07 17:46 | vbc.exe | MD5 ecd901a84b82d00a82d45b4d0123352c
Tags: Loki, Malicious Library, UPX, PE32, PE File, OS Processor Check, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, installed browsers check, Browser, Email, ComputerName, Remote Code Execution, DNS, Software
URLs (1):
  http://sempersim.su/ha1/fre.php - rule_id: 26323
Hosts (3):
  sempersim.su (46.148.39.36) - malicious
  46.148.39.36 - malicious
  62.204.41.5 - malware
Suricata alerts (10):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET DROP Dshield Block Listed Source group 1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://sempersim.su/ha1/fre.php
Score: 8.2 | M | 27 | ZeroCERT

155 | 2023-02-02 10:03 | vbc.exe | MD5 2ee13ecd998734cd7fc80b882c7c3eab
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, AntiVM_Disk, suspicious TLD, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://sempersim.su/ha4/fre.php
Hosts (2):
  sempersim.su (46.148.39.36) - malicious
  46.148.39.36 - malicious
Suricata alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 8.8 | M | 40 | ZeroCERT

156 | 2023-02-02 10:01 | aaaaa.exe | MD5 a62b834fd42367f384b1a6a7250a3e9f
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://185.246.220.85/davidhill/five/fre.php
Hosts (1): not listed
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 9.0 | M | 40 | ZeroCERT

157 | 2023-02-01 17:01 | vbc.exe | MD5 3c201fc4355b967aefaae295cc6fa701
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, suspicious TLD, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://sempersim.su/ha3/fre.php
Hosts (2):
  sempersim.su (46.148.39.36) - malicious
  46.148.39.36 - malicious
Suricata alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 8.4 | M | 41 | ZeroCERT

158 | 2023-02-01 11:10 | sof.exe | MD5 512fcd3048ecc3311759e82e00c9888d
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, FormBook, Browser Info Stealer, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, Windows utilities, AppData folder, Windows, Browser
URLs (6):
  http://www.cc445588.com/u8ow/?Dzrpg=62q5EqcnfAyBypYvnqoA1ROFBJdmRil8RYNtaokkVqBfVHhuvt18W13ZgbKvv1idEuKG0I3o&OtWl4v=wZO03VaH8xi4q
  http://www.institutolilica.org/u8ow/?Dzrpg=q2/ZXzpzMsZzN7QI9PE33rS9KrhX7Ifq2pnps7I/LklzzNmAUl1swL40UZz1AVub4OUx8vIp&OtWl4v=wZO03VaH8xi4q
  http://www.ethoscoverage.com/u8ow/?Dzrpg=c930e5NKV3yATX+rRJ9x00M5gQxU3EZxFJwcjlURWpp3ci+t2iK60qIsEQ2II1mzLFamBbnm&OtWl4v=wZO03VaH8xi4q
  http://www.auskunfton.com/u8ow/?Dzrpg=XM3FZlITpxXSgA9+cTB7ZhVcPqaY38ec5Na2oo7T8ju3Qulh/na9l3w1YqSNFzstDE46GLeZ&OtWl4v=wZO03VaH8xi4q
  http://www.ssgbusiness.net/u8ow/?Dzrpg=1B7Q2w9kUJo6GoGJlvPlwfFjDLECNjBWc4vepFtNCOZmReStEqDkY+Zv2zKXTRGoYBraAfj5&OtWl4v=wZO03VaH8xi4q
  http://www.wonderatwork.com/u8ow/?Dzrpg=r1lq2ICONhGS56U29iXOhWGc4J2FcsBtOsTouXqOx3iBFMDMYguyCqzF/DiMPl0vcF/rmZdh&OtWl4v=wZO03VaH8xi4q
Hosts (18):
  www.ssgbusiness.net (18.193.36.153)
  www.cc445588.com (156.235.210.188)
  www.connmnn.site (unresolved)
  www.wonderatwork.com (13.248.243.5)
  www.auskunfton.com (192.64.115.133)
  www.tylerarchercoaching.com (203.170.80.250)
  www.unitech-usa.com (unresolved)
  www.ethoscoverage.com (66.96.160.134)
  www.vft6.site (unresolved)
  www.fmh2022.online (unresolved)
  www.institutolilica.org (199.15.163.128)
  156.235.210.188
  13.248.243.5 - phishing
  66.96.160.134
  192.64.115.133
  18.193.36.153 - malicious
  203.170.80.250 - phishing
  199.15.163.148 - malicious
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 7.6 | M | 32 | ZeroCERT

159 | 2023-01-28 23:46 | ndiiche.exe | MD5 f020e4ab9dacdc83e6b1a4537b5338bc
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself
URLs (12):
  http://www.nortonarmouriesfilm.com/poub/?wh=BLnufXe+htRCJdGMYs/UIkE1Ord2liFe7+FZV+PhK0RoHbV4k3bf7bz0LTVkvk/OGnLD7I6n&Tj=CpFH
  http://www.solarisgp.com/poub/?wh=9Qzq7/cNmiO8gP9g7/YMtyKdZgN9O07G8B4F6oxSOqz0nOfrx3Lpm7qgjAA/myBvkEyuhsV5&Tj=CpFH
  http://www.648t.com/poub/?wh=K8JDXtj1csEOsKt7xN7TZ8myjnIuEtILOF7bd7rtPsNZcZO59acCwiCQGa6VYblFlBTd7Emg&Tj=CpFH
  http://www.peiphitan.com/poub/?wh=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&Tj=CpFH - rule_id: 22766
  http://www.peiphitan.com/poub/?wh=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&Tj=CpFH
  http://www.cheapboden.com/poub/?wh=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&Tj=CpFH - rule_id: 26428
  http://www.cheapboden.com/poub/?wh=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&Tj=CpFH
  http://www.webbestsec.online/poub/?wh=jgTv/1nzzve2Jrh/0z5DiZA6sCl7Ik6h/Wzr0n6YWtqGHAR2J6qU+m/Pu18WZVT3NAPAa7xl&Tj=CpFH - rule_id: 22769
  http://www.webbestsec.online/poub/?wh=jgTv/1nzzve2Jrh/0z5DiZA6sCl7Ik6h/Wzr0n6YWtqGHAR2J6qU+m/Pu18WZVT3NAPAa7xl&Tj=CpFH
  http://www.yh77988.com/poub/?wh=ubOq6EmcWJHLexQvrdYoxlPS9zWtdvyg1lRZMQ6IzP/COg+XLfTkcV2mzLAwLHYPjC3yOytw&Tj=CpFH
  http://www.drzjup.space/poub/?wh=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&Tj=CpFH - rule_id: 23154
  http://www.craftedinglass.com/poub/?wh=EAlLP+uq+Ypg0P22Y7QQF4n9hEibmSp0Rua/l7jXqEqDwRVMV6dsul2LxqZZ7UVqr4u2oUAH&Tj=CpFH
Hosts (22):
  www.peiphitan.com (192.64.115.133)
  www.yh77988.com (180.215.65.145)
  www.drzjup.space (172.255.33.179)
  www.atomicconnections.org (unresolved)
  www.nortonarmouriesfilm.com (172.67.154.28)
  www.solarisgp.com (139.162.163.163)
  www.craftedinglass.com (185.199.220.38)
  www.648t.com (38.54.132.94)
  www.cheapboden.com (104.21.35.28)
  www.797322.com (136.0.161.67)
  www.valenteimmigration.com (unresolved)
  www.webbestsec.online (2.57.90.16)
  38.54.132.94
  172.255.33.179
  139.162.163.163
  185.199.220.38
  192.64.115.133
  172.67.154.28
  2.57.90.16
  136.0.161.67
  172.67.212.73
  180.215.65.145
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (4):
  http://www.peiphitan.com/poub/
  http://www.cheapboden.com/poub/
  http://www.webbestsec.online/poub/
  http://www.drzjup.space/poub/
Score: 5.0 | M | 37 | ZeroCERT

160 | 2023-01-28 23:44 | nala.exe | MD5 c5edcf43ecc797a13c565d436c6a541c
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself
URLs (9):
  http://www.bayuerlangga.com/poub/?DzrpX=dv0D7ZTz3/rxoN5YFbhM+9+2l8xA4Y/6clNyq177/TmsgguRLFhMDXEtC4LvmLwAeDsjJnOC&OtNl4v=wZOPRFRhutzde - rule_id: 22767
  http://www.bayuerlangga.com/poub/?DzrpX=dv0D7ZTz3/rxoN5YFbhM+9+2l8xA4Y/6clNyq177/TmsgguRLFhMDXEtC4LvmLwAeDsjJnOC&OtNl4v=wZOPRFRhutzde
  http://www.indumentaria.org/poub/?DzrpX=9Sa8+P8S3yj6JdUqO31/UZB16X9Ks4Ridk1FRmPwwVNbyLlcfiBQ0oaMQtKZUhqBNydmsduR&OtNl4v=wZOPRFRhutzde - rule_id: 23155
  http://www.indumentaria.org/poub/?DzrpX=9Sa8+P8S3yj6JdUqO31/UZB16X9Ks4Ridk1FRmPwwVNbyLlcfiBQ0oaMQtKZUhqBNydmsduR&OtNl4v=wZOPRFRhutzde
  http://www.crusadia.net/poub/?DzrpX=BYWI1ybJrJc11tuYbuPv66f3H3Cr5zuGlkVqrCbrO2SRjMGFR+aqTisH+sImtYdY9S5ZKg1z&OtNl4v=wZOPRFRhutzde
  http://www.midundao.net/poub/?DzrpX=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&OtNl4v=wZOPRFRhutzde - rule_id: 26429
  http://www.midundao.net/poub/?DzrpX=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&OtNl4v=wZOPRFRhutzde
  http://www.craftedinglass.com/poub/?DzrpX=EAlLP+uq+Ypg0P22Y7QQF4n9hEibmSp0Rua/l7jXqEqDwRVMV6dsul2LxqZZ7UVqr4u2oUAH&OtNl4v=wZOPRFRhutzde
  http://www.lastperfection.com/poub/?DzrpX=EXP7ahyuJHd+DC2PxusCp4nPQa2PWB9KfA+YKNPy3UTBymMENUkVQxO9qe9TtwNEd8Oku9Yz&OtNl4v=wZOPRFRhutzde
Hosts (16):
  www.bayuerlangga.com (203.175.9.15)
  www.bekansas.com (unresolved)
  www.indumentaria.org (91.195.240.94)
  www.jojooo.xyz (unresolved)
  www.lastperfection.com (104.21.95.23)
  www.craftedinglass.com (185.199.220.38)
  www.crusadia.net (212.192.29.71)
  www.midundao.net (172.247.35.173)
  www.tokendownload.space (67.21.71.208)
  91.195.240.94
  172.247.35.173
  67.21.71.208
  212.192.29.71
  203.175.9.15
  172.67.169.72
  185.199.220.38
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (3):
  http://www.bayuerlangga.com/poub/
  http://www.indumentaria.org/poub/
  http://www.midundao.net/poub/
Score: 5.8 | 32 | ZeroCERT

161 | 2023-01-28 23:21 | trt.exe | MD5 8b37c8c2c2beefd373d98526c700109a
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself
URLs (8):
  http://www.tierhilfe.wien/u8ow/?JDK8bDY=BNajd84x3VAExzzQflw6GjYFlyzNvm1WOYGGTG/CWQYqYezsWt9IyX5R3a8hLkeEY2unUTwo&BX=E2J4tHWPDV2
  http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip
  http://www.majorcaplanetary.com/u8ow/?JDK8bDY=rg0x9k48BKFOT14G/iw7IxZbNT5LWXCSQjqICaoNMU98v63jtjWg9tD+TEkF8dNfmdfDoVF3&BX=E2J4tHWPDV2
  http://www.purexerxes.info/u8ow/?JDK8bDY=tbsfNZRlB98CfZgoTqrjLUCdFMkabRU6asYKntiT3OToNHmlZVwHzipV6t31IXe50H8bAWrH&BX=E2J4tHWPDV2
  http://www.calcomfcu.site/u8ow/?JDK8bDY=1wpVf/B9vxcntabxREqD8jaAVGNnU10L3+k9w0T6qCRRyiTszTDXQCuvCeV0JLYYiyzuPf2r&BX=E2J4tHWPDV2
  http://www.topjeugd.online/u8ow/?JDK8bDY=7/P217W1f7A/Yo/xgJYekXFs5F27/ruVUOvep71/WwZyMjQajMqCTifHO1h+TczMm1hqSB8i&BX=E2J4tHWPDV2
  http://www.auskunfton.com/u8ow/?JDK8bDY=XM3FZlITpxXSgA9+cTB7ZhVcPqaY38ec5Na2oo7T8ju3Qulh/na9l3w1YqSNFzstDE46GLeZ&BX=E2J4tHWPDV2
  http://www.guantanamera.site/u8ow/?JDK8bDY=x/hIzmU3zKEE/ypFCUvzcrdcFQjbfxVIaJO1OQoFT6HLsvhw7gT61bmnxhwjemW1FSLJv5Rt&BX=E2J4tHWPDV2
Hosts (23):
  www.fmh2022.online (unresolved)
  www.fifththird.in (unresolved)
  www.majorcaplanetary.com (103.178.175.19)
  www.unitech-usa.com (unresolved)
  www.calcomfcu.site (209.17.116.163)
  www.rvwl.ink (unresolved)
  www.oth6ykn9h4g.site (unresolved)
  www.tierhilfe.wien (195.30.84.166)
  www.purexerxes.info (172.67.199.86)
  www.topjeugd.online (185.104.28.238)
  www.sqlite.org (45.33.6.223)
  www.harborretired.com (unresolved)
  www.guantanamera.site (208.91.197.27)
  www.milwaukeedeals.online (unresolved)
  www.auskunfton.com (192.64.115.133)
  209.17.116.163
  104.21.21.157
  185.104.28.238 - malicious
  195.30.84.166
  103.178.175.19
  208.91.197.27
  192.64.115.133
  45.33.6.223
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 3.8 | M | ZeroCERT

162 | 2023-01-26 11:02 | nmnb.exe | MD5 58a93d1d064b9e8265ea798531adb0bf
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself, DNS
URLs (8):
  http://www.drzjup.space/poub/?J48=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&EhU4Nv=gdM0vL4huV - rule_id: 23154
  http://www.soldbylena.com/poub/?J48=Yx1Go82kz3quMGBdMT8MTkTpwx2C2fKFreghtdDiaVm/DdA3lQSzkCq363BA4rx6egegMd3w&EhU4Nv=gdM0vL4huV
  http://www.cheapboden.com/poub/?J48=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&EhU4Nv=gdM0vL4huV
  http://www.peiphitan.com/poub/?J48=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&EhU4Nv=gdM0vL4huV - rule_id: 22766
  http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip
  http://www.midundao.net/poub/?J48=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&EhU4Nv=gdM0vL4huV
  http://www.agence-dragonne.com/poub/?J48=AJ1lnItlOBOMu4VTxug+YhiyjjMIB0X6igB7b1gQ1/FyMjSiMMj6SiFHodYf6/xohFqvUB4/&EhU4Nv=gdM0vL4huV
  http://www.elektrogo.xyz/poub/?J48=kDUzKCy494oCEChFShINt/qIs4aj4rKFw2/eKTVt/tzluLb40v7G/v2cQ7gHUqwc6NHSG5Wb&EhU4Nv=gdM0vL4huV
Hosts (22):
  www.soldbylena.com (142.250.206.243)
  www.etgadu.global (unresolved)
  www.midundao.net (172.247.35.173)
  www.cheapboden.com (172.67.212.73)
  www.crusadia.net (212.192.29.71)
  www.peiphitan.com (192.64.115.133) - malicious
  www.agence-dragonne.com (153.127.67.174)
  www.sqlite.org (45.33.6.223)
  www.drzjup.space (172.255.33.179) - malicious
  www.elektrogo.xyz (85.159.66.93)
  www.tokendownload.space (67.21.71.208)
  85.159.66.93 - malicious
  172.255.33.179 - malicious
  172.247.35.173
  67.21.71.208
  212.192.29.71
  192.64.115.133
  104.21.35.28 - malicious
  142.250.206.243 - phishing
  45.33.6.223
  77.73.134.27 - malware
  153.127.67.174
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (2):
  http://www.drzjup.space/poub/
  http://www.peiphitan.com/poub/
Score: 6.4 | M | 30 | ZeroCERT

163 | 2023-01-26 10:55 | file.exe | MD5 70c2bfb3dd7b6467020e6ca5d7f037a3
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, Windows utilities, AppData folder, Windows, DNS
URLs (4):
  http://www.alloahucondos.com/w12e/?AdhDQXr=Am4O/Gq5Ync1FuJsqsgsoCg+9OpYuQdFtmmXHaZllHoL6K1n+mbbjZKawvl3CJ7PMuTqHmnI&1bm=ml4L1LOpyLI0n
  http://www.car-deals-75816.com/w12e/?AdhDQXr=trBIi//oN83t2rzOyuxo8RhWQb4DfxA31Jpi1HgoFpc+sPkjvwtJR7tkNzChFLywBIpqobR9&1bm=ml4L1LOpyLI0n
  http://www.ideeksha.net/w12e/?AdhDQXr=6DxUQ+HCSRqCEizWiEucg+SXtE+UbnUdS+5N0El4w4v4UDUGZHvS5Nx9GPBpeSVN1yu5asm5&1bm=ml4L1LOpyLI0n
  http://www.gpsarhealthcare.com/w12e/?AdhDQXr=+dElbzIZz+A8J3CIEYanBxRMrjm5MhmkPJXtCcXIvGUuSglwlsakZ/yF6M4jzsobramRNR8Q&1bm=ml4L1LOpyLI0n
Hosts (9):
  www.ideeksha.net (34.102.136.180)
  www.gpsarhealthcare.com (154.23.50.169)
  www.car-deals-75816.com (104.247.82.93)
  www.alloahucondos.com (154.218.100.185)
  104.247.82.93
  34.102.136.180 - malicious
  154.218.100.185
  37.230.138.123 - malicious
  154.23.50.169
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 6.8 | M | 31 | ZeroCERT

164 | 2023-01-25 05:10 | vbc.exe | MD5 cdcbca7a700fdee5246a10aef03525b7
Tags: Loki, Malicious Library, UPX, PE32, PE File, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, Creates executable files, unpack itself, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://sempersim.su/ha1/fre.php - rule_id: 26323
Hosts (2):
  sempersim.su (46.148.39.36) - malicious
  46.148.39.36 - malicious
Suricata alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://sempersim.su/ha1/fre.php
Score: 7.8 | M | 36 | ZeroCERT

165 | 2023-01-25 04:46 | c4.exe | MD5 d2dac4794ef6d00cdfaa25638ed72acd
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, IP Check, Tofsee, Windows, Discord, Browser, Email, ComputerName, DNS, Cryptographic key, crashed, keylogger
URLs (2):
  https://discord.com/api/webhooks/1046445380516188160/wYE1I5gUYgWGIjd87Qj_KINgc0H4L5OkXe6VRMrVqnd9j7v1JJkSUywS6H4xPPyCnrLe
  https://api.ipify.org/
Hosts (4):
  discord.com (162.159.136.232) - malicious
  api.ipify.org (104.237.62.211)
  173.231.16.76
  162.159.138.232 - malicious
Suricata alerts (3):
  ET INFO Observed Discord Domain (discord .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Score: 11.4 | M | 39 | ZeroCERT

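The FormBook entries above (151, 158 to 163) all show the same check-in shape: plain HTTP GETs to `http://www.<domain>/<short path>/`, either bare or with two parameters, the first a long base64-like blob and the second a short token, repeated across many domains with one path per sample; FormBook contacts a list of mostly decoy domains, so only the shared path and parameter names, not any single domain, identify the campaign. The LokiBot entries (152, 154 to 157, 164) all post to a `fre.php` gate. The script below is an added example, not part of the sandbox feed, that applies those two heuristics to proxy log lines and groups FormBook hits by path. The log format (`<timestamp> <client> <method> <url>`), the function names and the numeric thresholds are assumptions; the log lines are constructed from URLs that appear in the entries above, and the sqlite.org download (a legitimate DLL fetch seen in the same entries) is included to show it is not flagged.

```python
"""Heuristic triage of FormBook/XLoader and LokiBot check-ins in HTTP proxy logs.

Added example, not part of the sandbox feed.  The log format, function names
and thresholds are assumptions; LOG_LINES is constructed from URLs in the feed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# FormBook check-in: plain http, one short alphanumeric path segment with a
# trailing slash, and either no query string (domain probe) or exactly two
# parameters, the first a long base64-like blob and the second a short token.
PATH_SEG = re.compile(r"[a-z0-9]{3,8}")
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")
SHORT_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,24}")

# Constructed log lines (assumed format) built from URLs in the feed above.
LOG_LINES = [
    "2023-02-09T10:43:01 10.0.0.5 GET http://www.ecomicsvilla.com/8qa3/",
    "2023-02-09T10:43:02 10.0.0.5 GET http://www.f1253.com/8qa3/?NB=J0i+HNrGClYTAcXYOGMjUfCCY+jxRA7qTJ0QlwQRMh/eBqJkbuSEepiRopmRQgF/HN5KR+bmQ7TE+zYnqYNLGx5YeZCqzK5CyODJ6qA=&PNbL=jX-jTZzzH14-6O",
    "2023-02-09T10:43:03 10.0.0.5 GET http://www.soroptimistofamador.com/8qa3/?NB=c5Eeb7dn/8EYxC+M6re+nHBh7m2i5KbribjzLk2BVWQgprnRWDOreo3dlS1Tf/13fTrHvW7qwb+7jwCe0+JVEy4ZSMH4EcsXdNb8klM=&PNbL=jX-jTZzzH14-6O",
    "2023-02-09T10:43:04 10.0.0.5 GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip",
    "2023-02-01T11:10:00 10.0.0.7 GET http://www.cc445588.com/u8ow/?Dzrpg=62q5EqcnfAyBypYvnqoA1ROFBJdmRil8RYNtaokkVqBfVHhuvt18W13ZgbKvv1idEuKG0I3o&OtWl4v=wZO03VaH8xi4q",
    "2023-02-07T17:46:00 10.0.0.9 POST http://sempersim.su/ha1/fre.php",
    "2023-01-25T04:46:01 10.0.0.11 GET https://api.ipify.org/",
]


def parse_log_line(line):
    """Split one constructed log line into (client, method, url); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[1], parts[2], parts[3]


def query_pairs(query):
    """Split a raw query string into [name, value] pairs without decoding,
    because parse_qsl() would turn '+' into a space and break the blob check."""
    if not query:
        return []
    return [p.split("=", 1) for p in query.split("&")]


def classify_url(url):
    """Return 'lokibot', 'formbook', 'formbook-bare' or None for one request URL."""
    u = urlsplit(url)
    segs = [s for s in u.path.split("/") if s]
    if segs and segs[-1] == "fre.php":           # LokiBot gate script, any scheme
        return "lokibot"
    if u.scheme != "http":                        # FormBook check-ins are plain HTTP
        return None
    if len(segs) != 1 or not u.path.endswith("/") or not PATH_SEG.fullmatch(segs[0]):
        return None
    pairs = query_pairs(u.query)
    if not pairs:
        return "formbook-bare"
    if (len(pairs) == 2 and all(len(p) == 2 for p in pairs)
            and LONG_BLOB.fullmatch(pairs[0][1]) and SHORT_TOKEN.fullmatch(pairs[1][1])):
        return "formbook"
    return None


def summarize(lines, min_domains=3):
    """Return {'formbook': {path: sorted hosts}, 'lokibot': sorted hosts}.
    A FormBook path is reported only when seen on >= min_domains distinct hosts,
    which separates the decoy-rotation pattern from a single odd-looking URL."""
    by_path = defaultdict(set)
    loki = set()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        _client, _method, url = rec
        kind = classify_url(url)
        if kind is None:
            continue
        u = urlsplit(url)
        if kind == "lokibot":
            loki.add(u.hostname)
        else:
            by_path[u.path.strip("/")].add(u.hostname)
    return {
        "formbook": {p: sorted(h) for p, h in by_path.items() if len(h) >= min_domains},
        "lokibot": sorted(loki),
    }


if __name__ == "__main__":
    for kind, hits in summarize(LOG_LINES).items():
        print(kind, hits)
```

With the constructed lines, the `8qa3` path is reported with three hosts, the single `u8ow` hit is held back by the three-domain threshold, `sempersim.su` is reported as a LokiBot gate, and the sqlite.org and ipify URLs are ignored. The threshold is the tunable part: one FormBook run in the feed touches a dozen or more domains, so a low threshold still catches it while keeping a lone base64-heavy tracking URL out of the results.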