Sandbox analysis listing (ZeroCERT, May 2021). Each record: index and analysis time; file name and MD5; signature/behaviour tags; URLs contacted; hosts and resolved IPs; Suricata (ET / SSLBL) alerts; URLs that matched a URL rule; score, followed by the page's three trailing columns reproduced as shown.

1 | 2021-05-11 09:19
File: Giwdmzf.exe
MD5: 49fc90c6abbe70021eaac6d8dd41c7dd
Tags: AsyncRAT backdoor, AgentTesla, SMTP KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (162.88.193.70)
  216.146.43.70 - suspicious
  172.67.188.154
Alerts (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.6 | M | 21 | ZeroCERT

2 | 2021-05-11 09:15
File: Olqmvkwk.exe
MD5: 77b58a583c012987b81bbdc5ccc92af2
Tags: PWS, Loki[b], Loki[m], AsyncRAT backdoor, AgentTesla, DNS, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, malicious URLs, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://209.141.50.70/mmc/300/pin.php - rule_id: 1328
Hosts (1):
  209.141.50.70 - malicious
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Matched URL rules (1):
  http://209.141.50.70/mmc/300/pin.php
Score: 8.2 | M | 26 | ZeroCERT

3 | 2021-05-11 09:12
File: IMG_052_126_097.exe
MD5: 8cedabf7bcbbf4466c0698bbcc774315
Tags: AsyncRAT backdoor, AgentTesla, SMTP KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Windows, ComputerName, crashed
URLs: none
Hosts: none
Alerts: none
Score: 4.8 | M | 24 | ZeroCERT

4 | 2021-05-11 07:38
File: Mcnzurtic.exe
MD5: 6989acbd9d6104b59fdbf6cb0473cd35
Tags: AsyncRAT backdoor, AgentTesla, SMTP KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (162.88.193.70)
  162.88.193.70
  104.21.19.200
Alerts (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.8 | M | 31 | ZeroCERT

5 | 2021-05-06 10:48
File: Dwmnrn.exe
MD5: ff39cfda26bd410c078d509c552688c7
Tags: AsyncRAT backdoor, PWS, .NET framework, AgentTesla, SMTP KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (1): (not listed)
Hosts (2):
  www.google.com (172.217.175.100)
  172.217.161.132
Alerts: none
Score: 11.4 | M | 32 | ZeroCERT

6 | 2021-05-06 10:42
File: Kvinolsz.exe
MD5: d5c422ea212c924cf5d360500c87ab05
Tags: PWS, Loki[b], Loki[m], AsyncRAT backdoor, .NET framework, AgentTesla, DNS, Socket, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, malicious URLs, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (2):
  http://209.141.50.70/mmc/300/pin.php
  http://www.google.com/
Hosts (3):
  www.google.com (172.217.175.100)
  142.250.66.68
  209.141.50.70 - malicious
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Score: 8.2 | M | 21 | ZeroCERT

7 | 2021-05-05 20:35
File: Cfzprazem.exe
MD5: 98bd04ca5fb71ba249683cd17c47715d
Tags: AsyncRAT backdoor, PWS, .NET framework, AgentTesla, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, Windows, DNS, Cryptographic key, crashed
URLs (1): (not listed)
Hosts (2):
  www.google.com (172.217.25.68)
  142.250.207.68
Alerts: none
Score: 9.8 | M | 20 | ZeroCERT

8 | 2021-05-05 20:22
File: Xcsyck.exe
MD5: 295a89feccf93ea0e55f95d486c5036a
Tags: AsyncRAT backdoor, PWS, .NET framework, AgentTesla, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, Malicious Traffic, Check memory, Checks debugger, unpack itself, malicious URLs
URLs (1): (not listed)
Hosts (2):
  www.google.com (172.217.174.100)
  142.250.204.36
Alerts: none
Score: 3.6 | (blank) | 24 | ZeroCERT

9 | 2021-05-05 10:30
File: Tpxgwea.exe
MD5: 02c68ade0e640be3bab30307f1326981
Tags: PWS, Loki, AsyncRAT backdoor, .NET framework, AgentTesla, DNS, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, malicious URLs, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://209.141.50.70/D3/13/pin.php
Hosts (1):
  209.141.50.70 - malicious
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 8.2 | M | 21 | ZeroCERT

10 | 2021-05-05 10:29
File: Sugvt.exe
MD5: 5753388fbfcde9e08d00ac9e2be5d881
Tags: AsyncRAT backdoor, PWS, .NET framework, AgentTesla, Gen1, AntiDebug, AntiVM, .NET EXE, PE File, PE32, DLL, OS Processor Check, JPEG Format, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, DNS, Password
URLs (9):
  http://198.98.60.43/1.jpg
  http://198.98.60.43/3.jpg
  http://198.98.60.43/5.jpg
  http://198.98.60.43/2.jpg
  http://198.98.60.43/4.jpg
  http://198.98.60.43/6.jpg
  http://198.98.60.43/main.php
  http://198.98.60.43/7.jpg
  http://198.98.60.43/
Hosts (1): (not listed)
Alerts (6):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score: 12.6 | M | 28 | ZeroCERT

11 | 2021-05-05 10:26
File: 44444.exe
MD5: cce6c363c0ff7ac663cd71c5906069a6
Tags: AsyncRAT backdoor, PWS, .NET framework, AgentTesla, SMTP KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Windows, ComputerName, DNS, crashed
URLs: none
Hosts (1): (not listed)
Alerts: none
Score: 5.2 | M | 19 | ZeroCERT

12 | 2021-05-05 10:19
File: Pdipucce.exe
MD5: d96b7886c4e00e171709fd82c54ec891
Tags: AsyncRAT backdoor, PWS, .NET framework, AgentTesla, SMTP KeyLogger, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (131.186.113.70)
  162.88.193.70
  172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.6 | M | 20 | ZeroCERT

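The SSLBL JA3 alert in records 1, 4 and 12 names Tofsee on samples whose only TLS traffic is the freegeoip.app lookup. JA3 is an MD5 over five fields of the TLS ClientHello (protocol version, cipher suites, extension type numbers, supported groups, EC point formats), so it identifies the TLS client implementation rather than the program, the payload or the destination: any software built on the same TLS stack yields the same hash, and the family label attached to a hash in a blocklist is simply the one it was first catalogued under. The following added example (not sandbox, Suricata or SSLBL code) computes JA3 from a ClientHello that the same script constructs for the demo; that hello is an assumption and is not the Tofsee fingerprint from the listing.

```python
"""JA3 client fingerprint from a raw TLS ClientHello record.
Added example; not sandbox, Suricata or SSLBL code. The ClientHello is built by
build_client_hello() for the demo and is not the Tofsee fingerprint from the listing."""
import hashlib
import struct

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are excluded from the fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def ja3_string(record: bytes) -> str:
    """Parse a ClientHello and return the JA3 input string
    'version,ciphers,extensions,supported_groups,ec_point_formats'."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    off = 5                                   # record header: type(1) version(2) length(2)
    if record[off] != 0x01:
        raise ValueError("not a ClientHello")
    off += 4                                  # handshake type(1) + length(3)
    version = _u16(record, off)
    off += 2 + 32                             # version, then 32-byte client random
    off += 1 + record[off]                    # session id
    cs_len = _u16(record, off)
    off += 2
    ciphers = [_u16(record, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + record[off]                    # compression methods
    ext_types, groups, formats = [], [], []
    if off < len(record):                     # extensions block is optional
        end = off + 2 + _u16(record, off)
        off += 2
        while off < end:
            etype, elen = _u16(record, off), _u16(record, off + 2)
            off += 4
            data = record[off:off + elen]
            off += elen
            ext_types.append(etype)
            if etype == 0x000A:               # supported_groups: u16 length + u16 list
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == 0x000B:             # ec_point_formats: u8 length + u8 list
                formats = list(data[1:1 + data[0]])

    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    return ",".join([str(version), join(ciphers), join(ext_types), join(groups), join(formats)])


def ja3(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello(sni: str, ciphers=(0x1301, 0xC02B, 0xC02F, 0x002F)) -> bytes:
    """Minimal TLS 1.2 ClientHello with SNI, supported_groups, ec_point_formats,
    signature_algorithms and one GREASE extension (constructed for the demo)."""
    def ext(etype: int, data: bytes) -> bytes:
        return struct.pack("!HH", etype, len(data)) + data

    host = sni.encode()
    name = struct.pack("!BH", 0, len(host)) + host                  # name_type 0 = host_name
    exts = b"".join([
        ext(0x0000, struct.pack("!H", len(name)) + name),
        ext(0x000A, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018)),  # x25519, P-256, P-384
        ext(0x000B, bytes([1, 0])),                                    # uncompressed points
        ext(0x000D, struct.pack("!HHH", 4, 0x0403, 0x0804)),           # signature_algorithms
        ext(0x0A0A, b""),                                              # GREASE, must be ignored
    ])
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"      # version, random, no session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("freegeoip.app", "example.com"):
        rec = build_client_hello(host)
        print(f"{host:15} {ja3_string(rec)} -> {ja3(rec)}")
```

Running it prints the same hash for both host names: the destination lives inside the SNI extension's data, and JA3 only hashes extension type numbers. Changing the cipher list, by contrast, changes the hash, which is why a single fingerprint follows a TLS library across every program that links it.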
13 | 2021-05-04 11:22
File: Ihxpuxr.exe
MD5: 015f45de6bf81ded8c921435c471d087
Tags: AsyncRAT backdoor, AgentTesla, Gen1, AntiDebug, AntiVM, .NET EXE, PE File, PE32, JPEG Format, DLL, OS Processor Check, Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, installed browsers check, OskiStealer, Stealer, Windows, Browser, Tor, Email, ComputerName, DNS, Password
URLs (10):
  http://205.185.120.57/3.jpg
  http://205.185.120.57/1.jpg
  http://205.185.120.57/2.jpg
  http://205.185.120.57/6.jpg
  http://205.185.120.57/4.jpg
  http://205.185.120.57/7.jpg
  http://205.185.120.57/main.php - rule_id: 1232
  http://205.185.120.57/5.jpg
  http://launcher.worldofwarcraft.com/alert
  http://205.185.120.57/ - rule_id: 1233
Hosts (4):
  launcher.worldofwarcraft.com (137.221.106.103)
  205.185.120.57 - malicious
  46.105.121.228
  137.221.106.103
Alerts (7):
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Matched URL rules (2):
  http://205.185.120.57/main.php
  http://205.185.120.57/
Score: 11.8 | M | 14 | ZeroCERT

14 | 2021-05-03 17:04
File: 17hff.exe
MD5: a5b17ac04b70cc12107229c7e3a92842
Tags: AsyncRAT backdoor, AgentTesla, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Malware, Malicious Traffic, malicious URLs, ComputerName, DNS
URLs (1):
  http://launcher.worldofwarcraft.com/alert
Hosts (3):
  launcher.worldofwarcraft.com (137.221.106.103)
  31.210.21.71
  137.221.106.103
Alerts: none
Score: 3.8 | M | (blank) | ZeroCERT

15 | 2021-05-03 16:52
File: Naokyle.exe
MD5: 9b807ec7d5c9fa755cd95453f9a7c0d0
Tags: AsyncRAT backdoor, AgentTesla, AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, Malicious Traffic, malicious URLs, ComputerName, DNS
URLs (1):
  http://launcher.worldofwarcraft.com/alert
Hosts (3):
  launcher.worldofwarcraft.com (137.221.106.103)
  137.221.106.103
  31.210.21.231
Alerts: none
Score: 4.6 | M | 21 | ZeroCERT

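The ET alerts across the listing reduce to a few request/response properties: an external-IP lookup to checkip.dyndns.org or freegeoip.app (records 1, 4, 12); the LokiBot User-Agent and a POST to a path ending in /pin.php on 209.141.50.70 (records 2, 6, 9); and the Oski/Vidar pattern of fetching numbered .jpg URLs from a dotted-quad host that come back as PE files, followed by a POST of a zip containing Passwords.txt or screenshot files (records 10, 13). The following added example (not the sandbox's or Emerging Threats' code) applies those checks as plain Python to constructed HTTP records that mirror the listing. The indicator hosts and paths come from the page; the LokiBot User-Agent value, the zip body and the MZ response body are constructed for the demo.

```python
"""Signature-style triage of HTTP records, modelled on the ET alerts in the listing.
Added example; not sandbox, Cuckoo or Emerging Threats code.  Every record below is
constructed for the demo, not captured traffic."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators lifted from the listing above.
C2_HOSTS = {"209.141.50.70", "198.98.60.43", "205.185.120.57"}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NUMBERED_JPG = re.compile(r"^/[1-7]\.jpg$")          # Oski/Vidar helper-DLL downloads
# The ET rule name says "Charon/Inferno"; the UA value matched here is an assumption.
LOKIBOT_UA = re.compile(r"Charon.*Inferno")
ZIP_MAGIC = b"PK\x03\x04"                            # zip local-file-header signature
EXFIL_NAMES = (b"Passwords.txt", b"screenshot.")     # filenames the ET rules look for


@dataclass
class HttpRecord:
    host: str
    method: str
    path: str
    user_agent: str = ""
    req_body: bytes = b""
    resp_content_type: str = ""
    resp_body: bytes = b""


def classify(r: HttpRecord) -> list[str]:
    """Return the alert labels one record triggers (empty list = nothing matched)."""
    hits: list[str] = []
    if r.host in C2_HOSTS:
        hits.append("known-c2-host")
    if r.host in IP_LOOKUP_HOSTS:
        hits.append("external-ip-lookup")
    if r.host == "dyndns.org" or r.host.endswith(".dyndns.org"):
        hits.append("dynamic-dns-query")
    if LOKIBOT_UA.search(r.user_agent):
        hits.append("lokibot-user-agent")
    if r.method == "POST" and r.path.endswith("/pin.php"):
        hits.append("lokibot-checkin")
    if r.method == "POST" and r.path.lower().endswith(".jpg"):
        hits.append("data-post-to-image-file")
    is_pe = r.resp_body.startswith(b"MZ")            # PE served back to the client
    if is_pe and DOTTED_QUAD.match(r.host):
        hits.append("mz-response-from-dotted-quad-host")
    if is_pe and r.resp_content_type.startswith("image/"):
        hits.append("exe-download-with-image-content-type")
    if is_pe and NUMBERED_JPG.match(r.path):
        hits.append("oski-vidar-helper-dll-fetch")
    if r.method == "POST" and ZIP_MAGIC in r.req_body and any(n in r.req_body for n in EXFIL_NAMES):
        hits.append("stealer-zip-exfil")
    return hits


def families(records: list[HttpRecord]) -> set[str]:
    """Roll record-level hits up to the families the listing names."""
    hits = {h for r in records for h in classify(r)}
    out: set[str] = set()
    if {"lokibot-user-agent", "lokibot-checkin"} & hits:
        out.add("LokiBot")
    if {"oski-vidar-helper-dll-fetch", "stealer-zip-exfil"} & hits:
        out.add("Oski/Vidar")
    if "external-ip-lookup" in hits:
        # AgentTesla geolocates the victim this way, but so does benign software:
        # weak evidence unless SMTP/FTP exfiltration is seen as well.
        out.add("external-ip-lookup (AgentTesla-style, weak on its own)")
    return out


# Constructed records mirroring the listing (the sandbox's egress IP is the one on the page).
SAMPLE_RECORDS = [
    HttpRecord("checkip.dyndns.org", "GET", "/"),
    HttpRecord("freegeoip.app", "GET", "/xml/175.208.134.150"),
    HttpRecord("209.141.50.70", "POST", "/mmc/300/pin.php",
               user_agent="Mozilla/4.08 (Charon; Inferno)"),           # assumed UA value
    HttpRecord("198.98.60.43", "GET", "/1.jpg",
               resp_content_type="image/jpeg", resp_body=b"MZ\x90\x00" + b"\x00" * 60),
    HttpRecord("198.98.60.43", "POST", "/main.php",
               req_body=ZIP_MAGIC + b"\x00" * 26 + b"Passwords.txt"),
    HttpRecord("launcher.worldofwarcraft.com", "GET", "/alert"),        # noise seen in records 13-15
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.method} {rec.host}{rec.path}: {classify(rec) or '-'}")
    print("families:", sorted(families(SAMPLE_RECORDS)))
```

The host-independent checks (pin.php POST, numbered .jpg returning MZ, zipped Passwords.txt in a POST) are the ones worth keeping in a detection: the C2 IPs on this page rotate, while the protocol shape is what the ET rules actually key on.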