| 1 |
2021-05-11 09:19
|
 Giwdmzf.exe 49fc90c6abbe70021eaac6d8dd41c7dd
AsyncRAT backdoor AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
216.146.43.70 - suspicious
172.67.188.154
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2021-05-11 09:15
|
 Olqmvkwk.exe 77b58a583c012987b81bbdc5ccc92af2
PWS Loki[b] Loki[m] AsyncRAT backdoor AgentTesla DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://209.141.50.70/mmc/300/pin.php - rule_id: 1328
|
1
209.141.50.70 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://209.141.50.70/mmc/300/pin.php
|
8.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2021-05-11 09:12
|
 IMG_052_126_097.exe 8cedabf7bcbbf4466c0698bbcc774315
AsyncRAT backdoor AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Windows ComputerName crashed |
|
|
|
|
4.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2021-05-11 07:38
|
 Mcnzurtic.exe 6989acbd9d6104b59fdbf6cb0473cd35
AsyncRAT backdoor AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
162.88.193.70
104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2021-05-06 10:48
|
 Dwmnrn.exe ff39cfda26bd410c078d509c552688c7
AsyncRAT backdoor PWS .NET framework AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows ComputerName DNS Cryptographic key crashed |
1
|
2
www.google.com(172.217.175.100)
172.217.161.132
|
|
|
11.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2021-05-06 10:42
|
 Kvinolsz.exe d5c422ea212c924cf5d360500c87ab05
PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework AgentTesla DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software |
2
http://209.141.50.70/mmc/300/pin.php
http://www.google.com/
|
3
www.google.com(172.217.175.100)
142.250.66.68
209.141.50.70 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
8.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2021-05-05 20:35
|
 Cfzprazem.exe 98bd04ca5fb71ba249683cd17c47715d
AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Windows DNS Cryptographic key crashed |
1
|
2
www.google.com(172.217.25.68)
142.250.207.68
|
|
|
9.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2021-05-05 20:22
|
 Xcsyck.exe 295a89feccf93ea0e55f95d486c5036a
AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself malicious URLs |
1
|
2
www.google.com(172.217.174.100)
142.250.204.36
|
|
|
3.6 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2021-05-05 10:30
|
 Tpxgwea.exe 02c68ade0e640be3bab30307f1326981
PWS Loki AsyncRAT backdoor .NET framework AgentTesla DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://209.141.50.70/D3/13/pin.php
|
1
209.141.50.70 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
8.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2021-05-05 10:29
|
 Sugvt.exe 5753388fbfcde9e08d00ac9e2be5d881
AsyncRAT backdoor PWS .NET framework AgentTesla Gen1 AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password |
9
http://198.98.60.43/1.jpg
http://198.98.60.43/3.jpg
http://198.98.60.43/5.jpg
http://198.98.60.43/2.jpg
http://198.98.60.43/4.jpg
http://198.98.60.43/6.jpg
http://198.98.60.43/main.php
http://198.98.60.43/7.jpg
http://198.98.60.43/
|
1
|
6
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
12.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2021-05-05 10:26
|
 44444.exe cce6c363c0ff7ac663cd71c5906069a6
AsyncRAT backdoor PWS .NET framework AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Windows ComputerName DNS crashed |
|
1
|
|
|
5.2 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2021-05-05 10:19
|
 Pdipucce.exe d96b7886c4e00e171709fd82c54ec891
AsyncRAT backdoor PWS .NET framework AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(131.186.113.70)
162.88.193.70
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2021-05-04 11:22
|
 Ihxpuxr.exe 015f45de6bf81ded8c921435c471d087
AsyncRAT backdoor AgentTesla Gen1 AntiDebug AntiVM .NET EXE PE File PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Tor Email ComputerName DNS Password |
10
http://205.185.120.57/3.jpg
http://205.185.120.57/1.jpg
http://205.185.120.57/2.jpg
http://205.185.120.57/6.jpg
http://205.185.120.57/4.jpg
http://205.185.120.57/7.jpg
http://205.185.120.57/main.php - rule_id: 1232
http://205.185.120.57/5.jpg
http://launcher.worldofwarcraft.com/alert
http://205.185.120.57/ - rule_id: 1233
|
4
launcher.worldofwarcraft.com(137.221.106.103)
205.185.120.57 - mailcious
46.105.121.228
137.221.106.103
|
7
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
2
http://205.185.120.57/main.php
http://205.185.120.57/
|
11.8 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2021-05-03 17:04
|
 17hff.exe a5b17ac04b70cc12107229c7e3a92842
AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Malware Malicious Traffic malicious URLs ComputerName DNS |
1
http://launcher.worldofwarcraft.com/alert
|
3
launcher.worldofwarcraft.com(137.221.106.103)
31.210.21.71
137.221.106.103
|
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2021-05-03 16:52
|
 Naokyle.exe 9b807ec7d5c9fa755cd95453f9a7c0d0
AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic malicious URLs ComputerName DNS |
1
http://launcher.worldofwarcraft.com/alert
|
3
launcher.worldofwarcraft.com(137.221.106.103)
137.221.106.103
31.210.21.231
|
|
|
4.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|