10081 | 2021-05-01 09:55
ozflkjgfkldsad.exe b573e394640d7c1d5493e0f57c905390 | PWS .NET framework Gen1 Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password
10 | http://malcacnba.ac.ug/vcruntime140.dll http://malcacnba.ac.ug/mozglue.dll http://malcacnba.ac.ug/softokn3.dll http://malcacnba.ac.ug/ - rule_id: 1259 http://malcacnba.ac.ug/ http://malcacnba.ac.ug/msvcp140.dll http://malcacnba.ac.ug/freebl3.dll http://malcacnba.ac.ug/nss3.dll http://malcacnba.ac.ug/sqlite3.dll http://malcacnba.ac.ug/main.php
2 | malcacnba.ac.ug(185.215.113.77) 185.215.113.77 - malware
4 | ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
1 |
16.8 | | 23 | ZeroCERT
10082 | 2021-05-01 09:40
azflkjgfkldsad.exe eb6c0ff23c01dd3528789c8142890547 | PWS Loki .NET framework Gen1 Malicious Packer DNS Socket HTTP KeyLogger Http API Internet API ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check ENERGETIC BEAR VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs Windows ComputerName DNS
8 | http://185.215.113.77/ozflkjgfkldsad.exe http://macakslcaq.ug/index.php http://malcacnba.ac.ug/freebl3.dll http://malcacnba.ac.ug/mozglue.dll http://malcacnba.ac.ug/softokn3.dll http://malcacnba.ac.ug/msvcp140.dll http://malcacnba.ac.ug/nss3.dll http://malcacnba.ac.ug/sqlite3.dll
3 | macakslcaq.ug(185.215.113.77) - malware malcacnba.ac.ug(185.215.113.77) 185.215.113.77 - malware
5 | ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
12.8 | | 21 | ZeroCERT
10083 | 2021-05-01 09:38
ac.exe 6a61a028d6282029c5899a3ffcc84e60 | PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
3 | icacxndo.ac.ug() - suspicious icando.ug(194.5.98.107) - suspicious 194.5.98.107
11.4 | | 17 | ZeroCERT
10084 | 2021-05-01 09:36
mena.exe d20e703cb462af7eb09f6d0010e09e71 | AsyncRAT backdoor Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
10.2 | | 14 | ZeroCERT
10085 | 2021-05-01 09:34
regasm.exe 16b0a44545b16aea4333dc824ab02199 | PWS Loki .NET framework Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software
1 | http://amrp.tw/kayo/gate.php - rule_id: 1177
2 | amrp.tw(35.247.234.230) - mailcious 35.247.234.230 - mailcious
8 | ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://amrp.tw/kayo/gate.php
13.6 | M | 8 | ZeroCERT
10086 | 2021-05-01 09:29
ds1.exe 5af92f78e6b00eff95b14018a5dda8fc | PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself DNS
8.2 | M | 25 | ZeroCERT
10087 | 2021-05-01 09:29
ds2.exe 3cdb00a25552429b06fb3be209614149 | PWS .NET framework Malicious Packer Antivirus AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
10.0 | M | 23 | ZeroCERT
10088 | 2021-04-30 18:14
vbc.exe 877d8424f6d09301998cf3840c42dcb9 | AsyncRAT backdoor Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW Windows ComputerName Cryptographic key
2.4 | | 13 | ZeroCERT
10089 | 2021-04-30 18:06
templex.exe c37d480d603a248b0e230a1c15590266 | SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
12.0 | | 16 | ZeroCERT
10090 | 2021-04-30 18:01
regasm.exe 37207e8bd9430777ab0e27cf4a4fc26a | PWS Loki AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
1 | http://kushikushi.us/chief/kev/fre.php
2 | kushikushi.us(185.29.127.141) 185.29.127.141
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.6 | | 11 | ZeroCERT
10091 | 2021-04-30 17:59
kayx.exe 129e1d37b93430b4bd894b16c53cd6bc | AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows crashed
3 | http://www.wirebeevehicles.com/bwk/?EDK8gDR=VOL7UDcQYRljSosxQOYPJG6yJtUQAld58UNriPOjT+IDxU4HyvwawJh1yPzk3AG9OprqJGoe&BZ=E2M4oNPx_Ln http://www.fragrancecollector.com/bwk/?EDK8gDR=LZ0Uj0vFRx/4vDVTGDC73qa8DXiw0WGVyXki5dqgklz7zfTX+bG4IBE0uelYToudE5/XdoAX&BZ=E2M4oNPx_Ln https://www.bing.com/
7 | www.lovenfys.com() www.wirebeevehicles.com(148.66.138.166) www.fragrancecollector.com(74.208.236.213) www.google.com(172.217.174.100) 74.208.236.213 - mailcious 148.66.138.166 - mailcious 172.217.163.228
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
10.0 | M | 26 | ZeroCERT
10092 | 2021-04-30 09:31
s68r0hZ49vns9tk.exe 081bff782d62aebc69b61009e6000ab8 | PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed
11.6 | M | 23 | ZeroCERT
10093 | 2021-04-29 22:26
CleanApex.exe c58d5a146655600ac6ecfa5a779b437b | Gen2 PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Malicious Traffic WMI Creates executable files Windows utilities AppData folder WriteConsoleW Tofsee Ransomware Windows ComputerName DNS
2 | http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b
3 | edgedl.me.gvt1.com(34.104.35.123) 34.104.35.123 142.250.199.67
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.4 | M | 22 | ZeroCERT
10094 | 2021-04-29 22:21
Producto.exe 964bd83c36b8ec52a37dc9dc4b5a457e | PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed
11.6 | M | 29 | ZeroCERT
10095 | 2021-04-29 10:44
kellyx.exe d6593adf011c7683f63a0a4cd86b44f4 | AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed
2 | http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7B3CB491E69F14DD03AE67C19E9537DE.html - rule_id: 1176 http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5EFD3570C629C1296C13C331574DEE53.html - rule_id: 1176
2 | ldvamlwhdpetnyn.ml(172.67.208.174) - mailcious 104.21.85.176 - mailcious
1 | ET INFO DNS Query for Suspicious .ml Domain
2 | http://ldvamlwhdpetnyn.ml/liverpool-fc-news/ http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
14.4 | M | 15 | ZeroCERT