1 | 2021-11-03 09:56
vbc.exe d0a58eae99dfb90ea4aa5dbf24d2fb93 | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
2 | http://secure01-redirect.net/ga18/fre.php - rule_id: 6830 | http://secure01-redirect.net/ga18/fre.php
2 | secure01-redirect.net(94.142.140.223) | 94.142.140.223
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Fake 404 Response
1 | http://secure01-redirect.net/ga18/fre.php
13.4 | 16 | ZeroCERT

2 | 2021-11-03 09:52
vbc.exe d5dda7896090f45e89504fbd260dba84 | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName Software
1 | http://cloudservertech.xyz/five/fre.php
2 | cloudservertech.xyz(104.21.4.43) | 172.67.131.165
6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2
14.4 | 20 | ZeroCERT

3 | 2021-11-03 09:39
vbc.exe fc7595f0624a1cad2d0d8c2155065d67 | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
1 | http://bbelectronics.xyz/five/fre.php
2 | bbelectronics.xyz(104.21.84.25) | 104.21.84.25
6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2
13.0 | 20 | ZeroCERT

4 | 2021-11-03 09:35
.wininit.exe ae442bf7856a39e487b74862733b7ddc | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
2 | http://secure01-redirect.net/fd3/fre.php - rule_id: 6923 | http://secure01-redirect.net/fd3/fre.php
2 | secure01-redirect.net(94.142.140.223) | 94.142.140.223
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Fake 404 Response
1 | http://secure01-redirect.net/fd3/fre.php
13.0 | 20 | ZeroCERT

5 | 2021-11-03 09:30
vbc.exe afbc8496a860b67a11981b3d601fb0cd | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
2 | http://secure01-redirect.net/ga20/fre.php - rule_id: 6926 | http://secure01-redirect.net/ga20/fre.php
2 | secure01-redirect.net(94.142.140.223) | 94.142.140.223
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Fake 404 Response
1 | http://secure01-redirect.net/ga20/fre.php
12.6 | 25 | ZeroCERT

6 | 2021-11-03 08:02
csrss.exe 58efcac56ff319990d2cc6d9110e981e | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
2 | http://secure01-redirect.net/fd4/fre.php - rule_id: 6874 | http://secure01-redirect.net/fd4/fre.php
2 | secure01-redirect.net(94.142.140.223) | 94.142.140.223
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Fake 404 Response
1 | http://secure01-redirect.net/fd4/fre.php
14.2 | 28 | ZeroCERT

7 | 2021-11-02 17:50
isssch.exe 0587ab2b7897ebbdedb5d5e1289bd683 | PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
10.6 | 13 | ZeroCERT

8 | 2021-11-02 17:48
.csrss.exe 96a5e7556e6b7631e4e6655fdd5a757b | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
2 | http://secure01-redirect.net/ga14/fre.php - rule_id: 7227 | http://secure01-redirect.net/ga14/fre.php
2 | secure01-redirect.net(94.142.140.223) | 94.142.140.223
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Fake 404 Response
1 | http://secure01-redirect.net/ga14/fre.php
13.4 | 10 | ZeroCERT

9 | 2021-11-02 17:48
vbc.exe 4a785dbc6b09f17d9a1975b842a4d34a | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
1 | 63.250.40.204 - mailcious
13.4 | 14 | ZeroCERT

10 | 2021-11-02 17:45
sqlservr.exe 0235dd2db63e1e5623f2ef0801f4fdf6 | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | 63.250.40.204 - mailcious
12.8 | 14 | ZeroCERT

11 | 2021-11-02 17:43
ziyu.exe dc6c8fb72b02cf9237d1e53ae5f67d33 | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
11 | http://www.maderasbelpa.com/q36e/?rVIHUD=EqeW6SAl9FJzoeDHWj/YF9TgE8efKKQ4Pmg8ue1g5q5bEz8iOEUD/wlYbr13ZMIF3iNdSTYW&JL08lv=apITk4n0RzRXDj | http://www.cryptobittoday.com/q36e/?rVIHUD=DN3aVSZG/U0++lT+0fVvbufIBnAdZk+ZoHOaYfEXYW8R0x8OP+k20nLHFyxm+/QL+KRefSY+&JL08lv=apITk4n0RzRXDj | http://www.thelocal.team/q36e/?rVIHUD=qi3H4tEgcVwXD72sceGH+HK1WFwdKftW4mHCAeUScLw6Fjps1+Rxs5h+axJO8H8FB7z+5f8d&JL08lv=apITk4n0RzRXDj | http://www.zappbug.xyz/q36e/?rVIHUD=80PKnOqhWgN9+dHZllw+VIQgdRXBceevobQv1g5ZSBRNMlW6Hrl+2jCo8PsKVVVanm95zBDz&JL08lv=apITk4n0RzRXDj | http://www.ridgeviewcustombuilders.com/q36e/?rVIHUD=L55PozxYru8nt/ygCriiFFIZFhuy3wYqGUmubpbM5rtJlvXqMIahCKFL2JQhy/ceXa8FYM29&JL08lv=apITk4n0RzRXDj | http://www.iiilonline.com/q36e/?rVIHUD=pVofMjfCTyY3O/qureEJAO/yEXAm+0qTBMqG75Ke/4eusG2zjbK2wA1kpIk1HOIfGKGUHj7z&JL08lv=apITk4n0RzRXDj | http://www.drosselma.space/q36e/?rVIHUD=kltuCfhKvxyy9RCI8dBJjSc5PaFfYsfzEeGsxYSRKqEIU7GymTGRizCul3N7/fTeXwq0Stg/&JL08lv=apITk4n0RzRXDj | http://www.zerw2.com/q36e/?rVIHUD=Rntl1NDHd9XnQLwgazHh+Zc5uliS6OLgFgrLKpN7DQMYQsVoIfR806hPJBBKgUUeQ3E3JCNy&JL08lv=apITk4n0RzRXDj | http://www.levanttradegroup.com/q36e/?rVIHUD=xh+jwISDwMLdMjCO2eLJ1RMoxVH/jmr5ryDnG+1eSX1so3eWn5VyQ56AVFR8zPZipxIcTqmt&JL08lv=apITk4n0RzRXDj | http://www.lifeworkswap.com/q36e/?rVIHUD=Q0cF2NUfPjSIXvAVUhwbscpYkb6g6sx01Eb/JVEmkOE6Br4IyYelssa5hFYxMF5lm7zxf54r&JL08lv=apITk4n0RzRXDj | http://www.scarjamfam.com/q36e/?rVIHUD=+o1xI9CZ5TIVfhewedt6Nlo/cgi76wJS4nXbeV8SpkfKatp/sNiLSjEBuCfEng9dq1dygV1M&JL08lv=apITk4n0RzRXDj
24 | www.zappbug.xyz(172.67.196.33) | www.iiilonline.com(109.106.254.230) | www.thelocal.team(3.33.152.147) | www.drosselma.space(92.119.113.254) | www.zerw2.com(44.227.65.245) | www.chainvfy-top.xyz() | www.levanttradegroup.com(34.102.136.180) | www.scarjamfam.com(3.64.163.50) | www.lichtladens.com() | www.ridgeviewcustombuilders.com(198.54.117.211) | www.lifeworkswap.com(217.21.190.175) | www.maderasbelpa.com(190.106.131.237) | www.cryptobittoday.com(13.115.25.84) | 44.227.76.166 - mailcious | 3.33.152.147 | 198.54.117.211 - phishing | 217.21.190.175 | 13.115.25.84 | 34.102.136.180 - mailcious | 92.119.113.254 - mailcious | 3.64.163.50 - mailcious | 104.21.60.115 | 109.106.254.230 | 190.106.131.237
2 | ET MALWARE FormBook CnC Checkin (GET) | ET HUNTING Request to .XYZ Domain with Minimal Headers
7.8 | 12 | ZeroCERT

12 | 2021-11-02 11:10
.wininit.exe a1e313336f30f6f1e0ef11480dd1ab58 | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
2 | http://secure01-redirect.net/fd3/fre.php - rule_id: 6923 | http://secure01-redirect.net/fd3/fre.php
2 | secure01-redirect.net(94.142.140.223) | 94.142.140.223
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | ET MALWARE LokiBot Checkin | ET MALWARE LokiBot Request for C2 Commands Detected M1 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | ET MALWARE LokiBot Fake 404 Response
1 | http://secure01-redirect.net/fd3/fre.php
11.8 | | ZeroCERT
