| 10081 |
2021-05-01 09:55
|
 ozflkjgfkldsad.exe b573e394640d7c1d5493e0f57c905390
PWS .NET framework Gen1 Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password |
10
http://malcacnba.ac.ug/vcruntime140.dll
http://malcacnba.ac.ug/mozglue.dll
http://malcacnba.ac.ug/softokn3.dll
http://malcacnba.ac.ug/ - rule_id: 1259
http://malcacnba.ac.ug/
http://malcacnba.ac.ug/msvcp140.dll
http://malcacnba.ac.ug/freebl3.dll
http://malcacnba.ac.ug/nss3.dll
http://malcacnba.ac.ug/sqlite3.dll
http://malcacnba.ac.ug/main.php
|
2
malcacnba.ac.ug(185.215.113.77)
185.215.113.77 - malware
|
4
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
1
|
16.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10082 |
2021-05-01 09:40
|
 azflkjgfkldsad.exe eb6c0ff23c01dd3528789c8142890547
PWS Loki .NET framework Gen1 Malicious Packer DNS Socket HTTP KeyLogger Http API Internet API ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check ENERGETIC BEAR VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs Windows ComputerName DNS |
8
http://185.215.113.77/ozflkjgfkldsad.exe
http://macakslcaq.ug/index.php
http://malcacnba.ac.ug/freebl3.dll
http://malcacnba.ac.ug/mozglue.dll
http://malcacnba.ac.ug/softokn3.dll
http://malcacnba.ac.ug/msvcp140.dll
http://malcacnba.ac.ug/nss3.dll
http://malcacnba.ac.ug/sqlite3.dll
|
3
macakslcaq.ug(185.215.113.77) - malware
malcacnba.ac.ug(185.215.113.77)
185.215.113.77 - malware
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.8 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10083 |
2021-05-01 09:38
|
 ac.exe 6a61a028d6282029c5899a3ffcc84e60
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
3
icacxndo.ac.ug() - suspicious
icando.ug(194.5.98.107) - suspicious
194.5.98.107
|
|
|
11.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10084 |
2021-05-01 09:36
|
 mena.exe d20e703cb462af7eb09f6d0010e09e71
AsyncRAT backdoor Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
10.2 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10085 |
2021-05-01 09:34
|
 regasm.exe 16b0a44545b16aea4333dc824ab02199
PWS Loki .NET framework Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://amrp.tw/kayo/gate.php - rule_id: 1177
|
2
amrp.tw(35.247.234.230) - mailcious
35.247.234.230 - mailcious
|
8
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://amrp.tw/kayo/gate.php
|
13.6 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10086 |
2021-05-01 09:29
|
 ds1.exe 5af92f78e6b00eff95b14018a5dda8fc
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself DNS |
|
|
|
|
8.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10087 |
2021-05-01 09:29
|
 ds2.exe 3cdb00a25552429b06fb3be209614149
PWS .NET framework Malicious Packer Antivirus AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
|
|
|
|
10.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10088 |
2021-04-30 18:14
|
 vbc.exe 877d8424f6d09301998cf3840c42dcb9
AsyncRAT backdoor Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
2.4 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10089 |
2021-04-30 18:06
|
 templex.exe c37d480d603a248b0e230a1c15590266
SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
12.0 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10090 |
2021-04-30 18:01
|
 regasm.exe 37207e8bd9430777ab0e27cf4a4fc26a
PWS Loki AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://kushikushi.us/chief/kev/fre.php
|
2
kushikushi.us(185.29.127.141)
185.29.127.141
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10091 |
2021-04-30 17:59
|
 kayx.exe 129e1d37b93430b4bd894b16c53cd6bc
AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows crashed |
3
http://www.wirebeevehicles.com/bwk/?EDK8gDR=VOL7UDcQYRljSosxQOYPJG6yJtUQAld58UNriPOjT+IDxU4HyvwawJh1yPzk3AG9OprqJGoe&BZ=E2M4oNPx_Ln
http://www.fragrancecollector.com/bwk/?EDK8gDR=LZ0Uj0vFRx/4vDVTGDC73qa8DXiw0WGVyXki5dqgklz7zfTX+bG4IBE0uelYToudE5/XdoAX&BZ=E2M4oNPx_Ln
https://www.bing.com/
|
7
www.lovenfys.com()
www.wirebeevehicles.com(148.66.138.166)
www.fragrancecollector.com(74.208.236.213)
www.google.com(172.217.174.100)
74.208.236.213 - mailcious
148.66.138.166 - mailcious
172.217.163.228
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10092 |
2021-04-30 09:31
|
 s68r0hZ49vns9tk.exe 081bff782d62aebc69b61009e6000ab8
PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
11.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10093 |
2021-04-29 22:26
|
 CleanApex.exe c58d5a146655600ac6ecfa5a779b437b
Gen2 PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Malicious Traffic WMI Creates executable files Windows utilities AppData folder WriteConsoleW Tofsee Ransomware Windows ComputerName DNS |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b
|
3
edgedl.me.gvt1.com(34.104.35.123)
34.104.35.123
142.250.199.67
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10094 |
2021-04-29 22:21
|
 Producto.exe 964bd83c36b8ec52a37dc9dc4b5a457e
PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
11.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10095 |
2021-04-29 10:44
|
 kellyx.exe d6593adf011c7683f63a0a4cd86b44f4
AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7B3CB491E69F14DD03AE67C19E9537DE.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5EFD3570C629C1296C13C331574DEE53.html - rule_id: 1176
|
2
ldvamlwhdpetnyn.ml(172.67.208.174) - mailcious
104.21.85.176 - mailcious
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
2
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
|
14.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|