ZeroCERT sandbox listing, 10 entries, 2021-11-18 to 2021-11-19.
Each entry is laid out as: index | date | file name | MD5, then Tags, URLs, Hosts (resolved IP in parentheses, empty parentheses where no resolution was recorded; the page's "- mailcious" marker is kept as written), IDS alerts (Emerging Threats signature names), Rule-matched URLs (URLs that hit the sandbox's malicious-URL rules, with the rule_id as shown), and finally the listing's two numeric columns and the ZeroCERT source column exactly as on the page.

#1 | 2021-11-19 11:26 | vbc.exe | MD5 8e7f8e88aec31a4a7ceee224e539f1a8
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1): none shown on the page
Hosts: none
IDS alerts: none
Rule-matched URLs: none
12.8 | 41 | ZeroCERT

#2 | 2021-11-19 10:58 | test_1.exe | MD5 51b5e9e7d1d63c1acd6df20dda31004a
Tags: PWS .NET framework Generic Malware UPX Antivirus KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1): none shown on the page
Hosts: none
IDS alerts: none
Rule-matched URLs: none
12.4 | 44 | ZeroCERT

#3 | 2021-11-18 14:50 | scrss.exe | MD5 632300e7486ea3fb4085ebd8df35b0d4
Tags: PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
URLs (1):
  http://www.oasiganaiblog.com/fl9w/?KtkPc=CIP349Hp/Y/CUPtSAStBubsgIipLocbYDd5ttL2HU0Aq1N99rxqoTNXSh/LSY67UGejTbBhd&mzrd=zZVh-vi054
Hosts (3):
  www.super-ultra-porn.net()
  www.oasiganaiblog.com(118.27.122.251)
  118.27.122.251
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs: none
9.6 | 32 | ZeroCERT

#4 | 2021-11-18 14:33 | csrss.exe | MD5 8970a7286be6110a9578b40290d5ca72
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/fd4/fre.php - rule_id: 6874
  http://secure01-redirect.net/fd4/fre.php
Hosts (2):
  secure01-redirect.net(193.109.78.71)
  193.109.78.71
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://secure01-redirect.net/fd4/fre.php
14.6 | 40 | ZeroCERT

#5 | 2021-11-18 14:19 | vbc.exe | MD5 c4839f9e9d80100927eb39678175bbe6
Tags: PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs
URLs (8):
  http://www.pharmacylinked.com/mwev/?EDK8bDR=kSazBseQ9VA3+O2zd86vUZtCsq4ujZp9CdzcCGRo6ROqLCJkM3TozqGUh8fUjNaeUw+D9gOF&BZ=E2M4oNWx_Ln
  http://www.bestinvest-4u.com/mwev/?EDK8bDR=fRnCKhUrMCsINhKSEJ00SnwJClpGmde6QLCdonPH4+C+ymFGyBrwuHjsYcSXUmVI/fDrkcVg&BZ=E2M4oNWx_Ln
  http://www.9linefarms.com/mwev/?EDK8bDR=IjrmxmCQQngtXgE+DfjHEVuIkvJ5tkiLJEgsa0CnjrXivTO01eRXbjBJ5bSESAMJcdRVK1b8&BZ=E2M4oNWx_Ln
  http://www.scion-go-getter.com/mwev/?EDK8bDR=Y+Hyy1N5D5MxwHpLzGerXtl/+e9k+2VYdp+JCOaNjGnZwwqutoqB71RoDgAXCJ7sEd8Lkw64&BZ=E2M4oNWx_Ln - rule_id: 7365
  http://www.scion-go-getter.com/mwev/?EDK8bDR=Y+Hyy1N5D5MxwHpLzGerXtl/+e9k+2VYdp+JCOaNjGnZwwqutoqB71RoDgAXCJ7sEd8Lkw64&BZ=E2M4oNWx_Ln
  http://www.thegurusigavebirthto.com/mwev/?EDK8bDR=6Sc3LlBJxZZC4+mEboPE99cD6wuRe5iQ+Pzmr10Fl76FDXQrWG9i3gEbb3AnXvsJeMTBS4sp&BZ=E2M4oNWx_Ln - rule_id: 6986
  http://www.thegurusigavebirthto.com/mwev/?EDK8bDR=6Sc3LlBJxZZC4+mEboPE99cD6wuRe5iQ+Pzmr10Fl76FDXQrWG9i3gEbb3AnXvsJeMTBS4sp&BZ=E2M4oNWx_Ln
  http://www.recbi56ni.com/mwev/?EDK8bDR=37LaxqPx4dRJgntBfpfjAqJd/Q4WaiTc/uUmetkq2PeO5XcZr3uM1g2Xyz18XUSrQIrn/awF&BZ=E2M4oNWx_Ln
Hosts (15):
  www.recbi56ni.com(63.250.42.132)
  www.scion-go-getter.com(35.209.150.94)
  www.bestinvest-4u.com(172.67.141.192)
  www.squareleatherbox.net(185.225.17.147)
  www.carthy.foundation(209.17.116.163)
  www.9linefarms.com(34.102.136.180)
  www.pharmacylinked.com(34.102.136.180)
  www.thegurusigavebirthto.com(192.0.78.24)
  209.17.116.163 - mailcious
  35.209.150.94
  34.102.136.180 - mailcious
  63.250.42.132
  192.0.78.24 - mailcious
  172.67.141.192
  185.225.17.147
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (2):
  http://www.scion-go-getter.com/mwev/
  http://www.thegurusigavebirthto.com/mwev/
10.4 | 34 | ZeroCERT

#6 | 2021-11-18 14:13 | sqlservr.exe | MD5 3412c25937783c5151f42c1576b6bbbc
Tags: Lokibot PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed
URLs (2):
  http://188.40.209.107/~main/.j3a1Ljs5WUZih/fre.php - rule_id: 8026
  http://188.40.209.107/~main/.j3a1Ljs5WUZih/fre.php
Hosts (1):
  188.40.209.107 - mailcious
IDS alerts (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Rule-matched URLs (1):
  http://188.40.209.107/~main/.j3a1Ljs5WUZih/fre.php
14.6 | 34 | ZeroCERT

#7 | 2021-11-18 14:09 | vbc.exe | MD5 186ee2b0fbae609d44351da0241dd0ec
Tags: PWS .NET framework Emotet Gen2 Gen1 RAT Formbook Generic Malware NSIS UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus ASPack Anti_VM KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs installed browsers check Windows Browser
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
10.2 | 34 | ZeroCERT

#8 | 2021-11-18 14:05 | .csrss.exe | MD5 48230cc4b335325066ecf05f69c021da
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1):
  http://secure01-redirect.net/gb8/fre.php
Hosts (2):
  secure01-redirect.net(193.109.78.71)
  193.109.78.71
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Rule-matched URLs: none
13.4 | 35 | ZeroCERT

#9 | 2021-11-18 13:56 | vbc.exe | MD5 26e5c50888216d7043a917cd84b4a5f4
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/gb3/fre.php - rule_id: 8005
  http://secure01-redirect.net/gb3/fre.php
Hosts (2):
  secure01-redirect.net(193.109.78.71)
  193.109.78.71
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Rule-matched URLs (1):
  http://secure01-redirect.net/gb3/fre.php
12.8 | 37 | ZeroCERT

#10 | 2021-11-18 13:54 | vbc.exe | MD5 60dcceaab4c8bc1cb2ae40251a8c392c
Tags: PWS .NET framework Generic Malware UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key
URLs (2):
  http://www.boja.us/g2fg/?t8rL=Uvpera99IV2OzBgAl3mMHF7BadqhtVwIukChDce3tyGtvQmPDA41NDQvG4CGoBtKBH2+mXS4&1bVHT=mzrd
  http://www.pointman.us/g2fg/?t8rL=1ZbWzwWDL2ZiH2u1e82kp5544c8o4bU6/Cno46UvU9Ov/ThGKN6gBzPIzbuqtbHMhKvUbk0K&1bVHT=mzrd
Hosts (5):
  www.pointman.us(172.67.157.76)
  www.boja.us(104.21.31.223)
  www.5gmalesdf.sbs()
  104.21.31.223
  172.67.157.76
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs: none
10.8 | 38 | ZeroCERT
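The listing's URL, host and IDS-alert fields arrive as single space-joined strings, which is awkward when you want to turn a batch of entries into blockable IOCs. The script below is an added example, not code from ZeroCERT or from the page: it parses the three field layouts exactly as they appear above (a URL optionally followed by "- rule_id: N", "domain(ip)" or bare-IP host tokens optionally followed by the page's "- mailcious" marker, and concatenated "ET MALWARE ..." signature names) and labels the family from the URL shape plus the alert names. The sample field values are copied from entries 3, 4, 5 and 10; the family heuristics (LokiBot panels ending in /fre.php, the FormBook GET check-in shape with a short path and two query parameters) are assumptions generalised from what this listing shows, and would need widening for other families.

```python
"""Parse the flattened IOC fields of a ZeroCERT-style sandbox listing.

Added example; not code from ZeroCERT or from the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample field values copied from the listing (entries 3, 4, 5 and 10);
# the FormBook host list is a trimmed mix of entries 5 and 10.
LOKI_URLS = ("http://secure01-redirect.net/fd4/fre.php - rule_id: 6874 "
             "http://secure01-redirect.net/fd4/fre.php")
LOKI_HOSTS = "secure01-redirect.net(193.109.78.71) 193.109.78.71"
LOKI_ALERTS = (
    "ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin "
    "ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 "
    "ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 "
    "ET MALWARE LokiBot Request for C2 Commands Detected M1 "
    "ET MALWARE LokiBot Request for C2 Commands Detected M2 "
    "ET MALWARE LokiBot Fake 404 Response")
FORMBOOK_URLS = ("http://www.oasiganaiblog.com/fl9w/?KtkPc=CIP349Hp/Y/CUPtSAStBubsgIipLocbYDd5"
                 "ttL2HU0Aq1N99rxqoTNXSh/LSY67UGejTbBhd&mzrd=zZVh-vi054")
FORMBOOK_HOSTS = ("www.recbi56ni.com(63.250.42.132) www.scion-go-getter.com(35.209.150.94) "
                  "www.5gmalesdf.sbs() 209.17.116.163 - mailcious 35.209.150.94 "
                  "34.102.136.180 - mailcious 63.250.42.132")

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_RE = re.compile(r"^([^()\s]+)\(([\d.]*)\)$")          # domain(ip) or domain()
LOKI_PANEL = re.compile(r"/fre\.php$")                      # assumption: LokiBot gate path
# Assumption: FormBook check-in GET as in entries 3, 5 and 10: short path, two params.
FORMBOOK_CHECKIN = re.compile(
    r"^https?://[^/]+/[A-Za-z0-9]{2,8}/\?[A-Za-z0-9_]+=[^&\s]+&[A-Za-z0-9_]+=[^&\s]+$")


@dataclass
class Url:
    url: str
    rule_id: Optional[int] = None   # set when the page shows "- rule_id: N" after the URL


@dataclass
class Host:
    name: str                       # domain, or the IP itself for bare-IP tokens
    ip: Optional[str]               # None when the sandbox recorded no resolution
    flagged: bool = False           # carried the page's "- mailcious" marker


def parse_urls(field_text: str) -> list[Url]:
    """Split the URLs field; '- rule_id: N' attaches to the preceding URL."""
    out: list[Url] = []
    tokens = field_text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and i + 2 < len(tokens) and tokens[i + 1] == "rule_id:" and out:
            out[-1].rule_id = int(tokens[i + 2])
            i += 3
            continue
        if tok.startswith(("http://", "https://")):
            out.append(Url(tok))
        i += 1
    return out


def parse_hosts(field_text: str) -> list[Host]:
    """Split the hosts field; '- mailcious' flags the preceding host."""
    out: list[Host] = []
    tokens = field_text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and i + 1 < len(tokens) and tokens[i + 1] == "mailcious" and out:
            out[-1].flagged = True
            i += 2
            continue
        m = HOST_RE.match(tok)
        if m:
            out.append(Host(m.group(1), m.group(2) or None))
        elif IPV4.match(tok):
            out.append(Host(tok, tok))
        i += 1
    return out


def parse_alerts(field_text: str) -> list[str]:
    """Split concatenated Emerging Threats names on each 'ET MALWARE ' prefix."""
    return [p for p in re.split(r"\s+(?=ET MALWARE )", field_text.strip()) if p]


def classify(urls: list[Url], alerts: list[str]) -> str:
    """Family label from alert names first, URL shape as fallback (heuristic)."""
    names = " ".join(alerts)
    if "LokiBot" in names or any(LOKI_PANEL.search(u.url) for u in urls):
        return "LokiBot"
    if "FormBook" in names or any(FORMBOOK_CHECKIN.match(u.url) for u in urls):
        return "FormBook"
    return "unknown"


def summarize(urls_field: str, hosts_field: str, alerts_field: str) -> dict:
    """One entry's fields -> deduplicated, blockable IOC sets plus a family label."""
    urls, hosts, alerts = parse_urls(urls_field), parse_hosts(hosts_field), parse_alerts(alerts_field)
    return {
        "family": classify(urls, alerts),
        "urls": sorted({u.url for u in urls}),
        "rule_ids": sorted({u.rule_id for u in urls if u.rule_id is not None}),
        "domains": sorted({h.name for h in hosts if h.name != h.ip}),
        "ips": sorted({h.ip for h in hosts if h.ip}),
        "flagged_ips": sorted({h.ip for h in hosts if h.flagged and h.ip}),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for fields in ((LOKI_URLS, LOKI_HOSTS, LOKI_ALERTS), (FORMBOOK_URLS, FORMBOOK_HOSTS, "")):
        print(summarize(*fields))
```

The duplicate URL entries (the same gate listed once with and once without a rule_id) collapse in the "urls" set while the rule_id is retained separately, and the "mailcious" marker is exposed as a flag rather than dropped, so the two IPs the listing already considered bad can be prioritised over resolver noise such as CDN addresses.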