1 | 2021-10-29 09:34 | pd.exe | c7b844578dca69166f414ea0c28e0384 | 4.8 | 17 | ZeroCERT
Tags: PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself

2 | 2021-10-29 09:19 | vbc.exe | 1d03eee90db5e3881e7111490bd0d76d | 12.4 | 16 | ZeroCERT
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1): http://gridnetworks.xyz/five/fre.php
Hosts (2): gridnetworks.xyz(172.67.209.118); 104.21.16.10
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response

3 | 2021-10-29 09:17 | dllhost.exe | fdebcac35105439faeecb9658e617a8c | 8.0 | 21 | ZeroCERT
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (1): http://www.libertyquartermaster.com/kzk9/?1bxdAHD=lQWMBkwrhmWz63jtUzXLTMN6LJKSSp5MpzhCN2bai0hlUDGE91c1O/aLF41w75q/inmarkMn&LZa0=kJEXUjV
Hosts (3): www.forschungsraumtheater.com(); www.libertyquartermaster.com(199.34.228.164); 199.34.228.164
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)

4 | 2021-10-29 09:11 | .csrss.exe | 0a7a0226b591a93d521911b140c0ba11 | 14.2 | M | 20 | ZeroCERT
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://63.250.40.204/~wpdemo/file.php?search=9099522 - rule_id: 6600
Hosts (1): 63.250.40.204 - malicious
Alerts (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Other URLs (1): http://63.250.40.204/~wpdemo/file.php

5 | 2021-10-29 09:08 | .wininit.exe | 4f811d4d3659bf698a270ebea91dd3ed | 12.8 | 17 | ZeroCERT
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2): http://secure01-redirect.net/fd3/fre.php - rule_id: 6923; http://secure01-redirect.net/fd3/fre.php
Hosts (2): secure01-redirect.net(94.142.141.221); 94.142.141.221
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Fake 404 Response; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Other URLs (1): http://secure01-redirect.net/fd3/fre.php

6 | 2021-10-29 07:36 | vbc.exe | 1b4af97e5bb29267e445511854e12b87 | 12.4 | M | 19 | ZeroCERT
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1): http://bobbyelectronics.xyz/five/fre.php - rule_id: 6744
Hosts (2): bobbyelectronics.xyz(104.21.92.21) - malicious; 104.21.92.21 - malicious
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Other URLs (1): http://bobbyelectronics.xyz/five/fre.php

7 | 2021-10-28 11:07 | rundll32.exe | 72e7be10798c5a7c59972edb0a24f1d6 | 7.8 | M | 11 | ZeroCERT
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (7):
  http://www.kangrungao.com/fqiq/?RRH=c0qy46zMNJWMlIfJWvLWas23i13YCpczqQVz26IikTOu0V/FV9kYBe5yW824zHJtR/JIW+qz&rVBxDv=S0GhCN - rule_id: 7035
  http://www.kangrungao.com/fqiq/?RRH=c0qy46zMNJWMlIfJWvLWas23i13YCpczqQVz26IikTOu0V/FV9kYBe5yW824zHJtR/JIW+qz&rVBxDv=S0GhCN
  http://www.esyscoloradosprings.com/fqiq/?RRH=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&rVBxDv=S0GhCN - rule_id: 6444
  http://www.hillcresthomegroup.com/fqiq/?RRH=e8IUz+kyOysVBZlQ7dDPCxDZEZgLUw6RtmKaFnpypWcRg6rSNETXHzLpDmYSKaMDSlUjICSm&rVBxDv=S0GhCN
  http://www.eclecticrenaissancewoman.com/fqiq/?RRH=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&rVBxDv=S0GhCN - rule_id: 7032
  http://www.eclecticrenaissancewoman.com/fqiq/?RRH=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&rVBxDv=S0GhCN
  http://www.benisano.com/fqiq/?RRH=1FzMW+0+OiUuFtKwwdX+18qfmmqzzEGxfDkpxhvrj8NPxWXEAOb928cDHixNpwT1SnXUPxEA&rVBxDv=S0GhCN
Hosts (12):
  www.eclecticrenaissancewoman.com(74.220.199.6)
  www.benisano.com(154.55.180.142)
  www.quicksticks.community() - malicious
  www.esyscoloradosprings.com(108.167.135.122) - malicious
  www.kangrungao.com(101.32.31.22)
  www.hillcresthomegroup.com(3.33.152.147)
  www.creationslazzaroni.com()
  108.167.135.122 - malicious
  15.197.142.173
  74.220.199.6 - malicious
  101.32.31.22
  154.55.180.142
Alerts (2): SURICATA HTTP unable to match response to request; ET MALWARE FormBook CnC Checkin (GET)
Other URLs (3): http://www.kangrungao.com/fqiq/; http://www.esyscoloradosprings.com/fqiq/; http://www.eclecticrenaissancewoman.com/fqiq/