1 | 2021-09-24 09:20
File: vbc.exe
MD5: 7b74904762e17b9fc2337043401456cd
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (14):
  http://www.elliotpioneer.com/b2c0/
  http://www.6233v.com/b2c0/?5j=TXWnycs9/xQM88J50NGMQUHmzvUS8Ow5beoaBntAR1L12gyUTl4Vs8xkkPbSltJIhMz7f2PR&vTd8K=LHQx
  http://www.6233v.com/b2c0/
  http://www.playstarexch.com/b2c0/?5j=F+Gco1RrSA+q6KRKzyydjUzXzSLtfZhJDsnZ0YatH9yILxLZnbeI6GZ7F32+m8aTJR9d/lLK&vTd8K=LHQx
  http://www.newstodayupdate.com/b2c0/
  http://www.ideemimarlikinsaat.com/b2c0/?5j=BhwIz8la4HUVi1nMBiVIC5A9YxwCbjsxx995Kt+xQMqbSybskl546EwbcvTy7pfoVmGr2lPQ&vTd8K=LHQx
  http://www.playstarexch.com/b2c0/
  http://www.dxxlewis.com/b2c0/
  http://www.roleconstructora.com/b2c0/?5j=1K0N61gHDa1dphA2mScjseGlMpXBLPWPRyroe9GKqjCieTRKzq19FpKJorkSVL2IbFhLWsH/&vTd8K=LHQx
  http://www.dxxlewis.com/b2c0/?5j=9ahEnHZeeTorCCf1BxWsn/rXQiL42ezX5ROQBOh91FMP3dxhyP3zcRxjW2sluygknGFgWtoi&vTd8K=LHQx
  http://www.roleconstructora.com/b2c0/
  http://www.elliotpioneer.com/b2c0/?5j=/Ci6lA1yaE3CUS8uYzq6dZWl1lKVRbc/m6rjse/j6toaEbYIMAGoPQ/GjZ3pODpgFVgK+X0m&vTd8K=LHQx
  http://www.newstodayupdate.com/b2c0/?5j=ngE3zTESEmF1TlzaI1JtRqVv6LVi69c0ageAEF+ggQEJgbQkBMu6yGJsOdi7lkxHgRVmVRi9&vTd8K=LHQx
  http://www.ideemimarlikinsaat.com/b2c0/
Hosts (15):
  www.avito-rules.com()
  www.bjyxszd520.xyz()
  www.thesewhitevvalls.com()
  www.6233v.com(134.122.133.171)
  www.playstarexch.com(34.102.136.180)
  www.dxxlewis.com(207.97.200.47)
  www.roleconstructora.com(192.185.131.113)
  www.newstodayupdate.com(34.102.136.180)
  www.ideemimarlikinsaat.com(178.18.193.120)
  www.elliotpioneer.com(34.102.136.180)
  134.122.133.171 - mailcious
  192.185.131.113
  178.18.193.120
  34.102.136.180 - mailcious
  207.97.200.47
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Malicious URLs: -
8.8 | M | 46 | ZeroCERT

2 | 2021-09-24 09:19
File: vbc.exe
MD5: 8fdf6032932fa1a0c9b0fd342ee8bee1
Tags: RAT PWS .NET framework Gen2 Gen1 Emotet CryptBot Formbook Generic Malware NSIS Malicious Library Malicious Packer UPX Antivirus Admin Tool (Sysinternals etc ...) Anti_VM ASPack KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Windows Browser ComputerName
URLs: -
Hosts: -
Alerts: -
Malicious URLs: -
11.4 | M | 38 | ZeroCERT

3 | 2021-09-22 22:25
File: hussanzx.exe
MD5: 88f75a26375befa941b2b57d7e302c32
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software crashed
URLs (1):
  http://136.243.159.53/~element/page.php?id=473 - rule_id: 5135
Hosts (1):
  136.243.159.53 - mailcious
Alerts (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URLs (1):
  http://136.243.159.53/~element/page.php
16.8 | M | 27 | ZeroCERT

4 | 2021-09-22 22:16
File: vbc.exe
MD5: a96ab325cb199f7130a1496e377cdb58
Tags: Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
  http://checkvim.com/fd7/fre.php - rule_id: 5250
Hosts (2):
  checkvim.com(5.180.136.169) - mailcious
  5.180.136.169
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://checkvim.com/fd7/fre.php
12.8 | M | 18 | ZeroCERT

5 | 2021-09-22 10:22
File: tiganazx.exe
MD5: baffd35ab2f86aa9a397a286ac5df964
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself
URLs (1):
  http://www.simplereturnz.com/lgym/?ohr0k=cV7UcUtXTZKCIEYOjXnd0zC4KZQdXRc9FOSXfhNDQWAzOd9uX1hXyuC/lUTZjdsknEOAS/0F&1bm=3fe4HJEhWHjpOl
Hosts (5):
  www.after-that-term.com()
  www.roenlie.com(81.166.139.5)
  www.simplereturnz.com(208.91.197.13)
  208.91.197.13 - mailcious
  81.166.139.5
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Malicious URLs: -
8.6 | M | 13 | ZeroCERT

6 | 2021-09-22 10:18
File: vbc.exe
MD5: 15c0994e6c4cff319deb5e35339c204b
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself DNS
URLs (8):
  http://www.beybey.bet/hosg/?wPT=t1QL297U4khOE/XUjdt+RZ7WaDVgPv23XO17NjpkvNnU/WisW3HaLmUN0VdBDjHtMo8oarmJ&oZN=6lbLphf0F
  http://www.turningheadshairsalon.biz/hosg/?wPT=O8PvSHEI1+HTySJOYla/lpLOHRJF+tECo1INoKS8Fz1F5feCQSibUHkAmh8sQknM6WsyOVar&oZN=6lbLphf0F
  http://www.metadata.directory/hosg/
  http://www.sarahannsartstudio.com/hosg/?wPT=BSGwCtLZjnGtcghTjeJ22/B7nzm9KxnmQDBouGRUWo6meRRcOp+D33w8wneug6CfjgpaVSXB&oZN=6lbLphf0F
  http://www.sarahannsartstudio.com/hosg/
  http://www.metadata.directory/hosg/?wPT=c0xJ62F3co+3d6SQ7Let0hP51UxLX5MQhIyNHKWrkaR91sSKDLD7G+CHdT3UAyFJXYLUu2Gd&oZN=6lbLphf0F
  http://www.turningheadshairsalon.biz/hosg/
  http://www.beybey.bet/hosg/
Hosts (12):
  www.rdplvh.com()
  www.dgwb8.com()
  www.sarahannsartstudio.com(162.241.253.231)
  www.blueflypr.com()
  www.beybey.bet(184.168.131.241)
  www.metadata.directory(185.199.111.153)
  www.turningheadshairsalon.biz(34.80.190.141)
  www.brbl.xyz()
  185.199.111.153 - malware
  34.80.190.141 - mailcious
  184.168.131.241 - mailcious
  162.241.253.231 - malware
Alerts (2):
  ET INFO Observed DNS Query to .biz TLD
  ET MALWARE FormBook CnC Checkin (GET)
Malicious URLs: -
9.6 | M | 34 | ZeroCERT

7 | 2021-09-22 10:04
File: .winlogon.exe
MD5: 7bbd97d7b4acd4b0a3cf3bb19883c348
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
URLs: -
Hosts: -
Alerts: -
Malicious URLs: -
9.8 | M | 20 | ZeroCERT

8 | 2021-09-22 09:57
File: 4wk3N3ftnNDhOk5.exe
MD5: 722235b69b44bcc7ebcf84c4356923a0
Tags: RAT PWS .NET framework Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
URLs: -
Hosts: -
Alerts: -
Malicious URLs: -
12.8 | M | 28 | ZeroCERT

9 | 2021-09-22 09:50
File: vbc.exe
MD5: 571fbd383fdd865a8232b66a32fcdea1
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (9):
  http://www.fixnds.net/n90q/?TjPx=P6KHl7TAGZAH71a4RnFQbUY9wI712ZxOLEoxdKJtbTI+a932MHV87nmrVKQgNeA2xOLZZdND&6l=mnSl
  http://www.cadylovesphil.com/n90q/?TjPx=PaCWC483jJ1HtEcfQf62PsMYoCFYOsO8vjZT/E/YBK1tRvRehhDd7ldpB+xgDE+kOptxT42i&6l=mnSl
  http://www.rogerbennettdirect.com/n90q/?TjPx=jjoFFvlqTx20XcgYMQ4XkTqs/me3vbqvtySxBe6GswElSHbgnA1OjDpMmx0BBxbFFt1y++tp&6l=mnSl
  http://www.exsalon.com/n90q/?TjPx=EWb7O5uBPUrKCxYatUDuT7v/S66I5c1eO1NheRiQPi6D0MQzxHiFURYLxG1IV//P9S0W5zX1&6l=mnSl
  http://www.melisjewelryoutlet.com/n90q/?TjPx=IWUWHJdqOUXlXVbqgsytsBCjtgFzXL9PVTKzOkAVbq3Wshw07ptXs3J1aper+w7Ppoi+2UWd&6l=mnSl
  http://www.hbo9x.com/n90q/?TjPx=VuCFI60C2Fa7BRxontB00GmI3hvNk9tk8ncjsg6qmPVslE9ClHmpoI5ZTylurzZorUZRxbZS&6l=mnSl
  http://www.yyoutlets.com/n90q/?TjPx=C8aqPgrbrEZnqb9rrq1oEiWl0ZHCdquyaSR6E3K+XYj+LRrgfi5jsiI15JZ5hMnZiQ0ipQzI&6l=mnSl
  http://www.adorotudoisso.club/n90q/?TjPx=+AznKtSaeUwG4Xhx64dkxKeTbLa++kdbf8CsCGDIfyM3i3hWyBe26u1HjGAigACJ/I2g9jsl&6l=mnSl
  http://www.gofirstclasstransportation.com/n90q/?TjPx=0cADqPZotqwvqOMSx7rwGQPvTd92CQ4aGVB1mEVI6ZXtvSXOsayYXTl19amwUpnq95YPp+92&6l=mnSl
Hosts (18):
  www.adorotudoisso.club(208.113.216.170)
  www.fixnds.net(45.91.203.242)
  www.yyoutlets.com(104.16.199.133)
  www.hbo9x.com(198.54.117.217)
  www.rogerbennettdirect.com(45.38.95.23)
  www.cadylovesphil.com(184.168.131.241)
  www.gofirstclasstransportation.com(34.102.136.180)
  www.melisjewelryoutlet.com(35.82.7.11)
  www.exsalon.com(3.223.115.185)
  45.38.95.23
  184.168.131.241 - mailcious
  198.54.117.212 - mailcious
  34.102.136.180 - mailcious
  35.82.7.11
  104.16.199.133 - phishing
  3.223.115.185 - mailcious
  208.113.216.170
  45.91.203.242
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Malicious URLs: -
8.4 | - | 36 | ZeroCERT