ZeroCERT sandbox submissions, 2021-11-05. Record layout: ID | submitted | file name | MD5, then Tags, URLs, Hosts (resolved IP in parentheses; "- malware" / "- malicious" where the sandbox flagged the host) and Alerts (ET / SSLBL signature names), then Score | VT | Source.

14986 | 2021-11-05 10:43 | serwices.exe | 486700627b68a06007dac77bd7efebb4
Tags: [m] Generic Malware Themida Packer task schedule Anti_VM UPX AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare WriteConsoleW VMware anti-virtualization Windows ComputerName Firmware crashed
Score: 10.8 | VT: 35 | Source: ZeroCERT

14987 | 2021-11-05 10:45 | r4XZt5MYHpEdcdmzqr2D.exe | fffd2903ec20ac275330f9d1d36f991d
Tags: Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces ComputerName crashed
URLs (1): (not listed in the export)
Hosts (2):
  www.google.com(172.217.31.132)
  172.217.174.196
Score: 4.6 | VT: 44 | Source: ZeroCERT

14988 | 2021-11-05 10:45 | vbc.exe | 898badd240f8d99c109b1c8647eaa1f1
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1):
  http://bobreplace.xyz/five/fre.php
Hosts (2):
  bobreplace.xyz(172.67.216.6)
  104.21.78.45
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Score: 12.8 | VT: 22 | Source: ZeroCERT

14989 | 2021-11-05 10:47 | udptest.exe | f98dfeecf4e63cb4d768f41491cc9a0b
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.2 | VT: 28 | Source: ZeroCERT

14990 | 2021-11-05 10:50 | v8hBqWuKscbjZRqNatPw.exe | b5bd8dfef7366e06844f2b8595dd9910
Tags: Generic Malware UPX PE File PE32 .NET EXE MachineGuid Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Windows ComputerName
URLs (1):
  http://fouratlinks.com/stockmerchandise/regular_punch_rec/zbqackY6g2W8AyNWZ8NJ.exe
Hosts (4):
  google.com(172.217.161.78)
  fouratlinks.com(199.192.17.247)
  142.250.66.78
  199.192.17.247
Alerts (1):
  ET POLICY PE EXE or DLL Windows file download HTTP
Score: 5.2 | VT: - | Source: ZeroCERT

14991 | 2021-11-05 10:51 | 194.exe | 9f478f53a757528c33e577205a94d607
Tags: RAT PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows DNS Cryptographic key
URLs (1):
  https://cdn.discordapp.com/attachments/893177342426509335/905576251824173106/embroideries.jpg
Hosts (6):
  cdn.discordapp.com(162.159.130.233) - malware
  162.159.134.233 - malware
  88.99.66.31 - malicious
  172.67.204.112
  52.219.156.10
  148.251.8.144
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.0 | VT: 21 | Source: ZeroCERT

14992 | 2021-11-05 10:52 | toolspab2.exe | 59a629eeabebab84b2c62d33f3867503
Tags: Malicious Library UPX AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware PDB Code Injection Checks debugger buffers extracted unpack itself Remote Code Execution
Score: 7.2 | VT: 28 | Source: ZeroCERT

14993 | 2021-11-05 10:53 | app.exe | 3c3046f640f7825c720849aaa809c963
Tags: UPX PE File PE32 VirusTotal Malware suspicious privilege WMI Tofsee Windows ComputerName DNS
URLs (6):
  http://gohnot.com/437184b899e951c3c1cc5837398e0d56/watchdog.exe
  https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
  https://msdl.microsoft.com/download/symbols/index2.txt
  https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
  https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=e7zQrRaVD7yXNGF%2FJPlncHp4PQLnlJEpfxhNEddVsa4%3D&spr=https&se=2021-11-06T02%3A12%3A03Z&rscl=x-e2eid-cb0f78cd-e60e4206-90183e58-523cbfe7-session-95b5ae1e-965d44d6-b99ecc1f-a18c89f5
  https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=QbWgyUsoHjIbd1td7s8MEG0y4GELL7siJ%2FqayNr1cBo%3D&spr=https&se=2021-11-06T02%3A35%3A45Z&rscl=x-e2eid-3e0ace97-75064543-86b7f26b-77602566-session-0536f786-412b4398-938e4c2d-e11a0314
Hosts (16):
  ddf3f0b3-3cac-4b79-b16b-b36abf9d29e2.uuid.trumops.com()
  vsblobprodscussu5shard10.blob.core.windows.net(20.150.39.196)
  e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com()
  server13.trumops.com(172.67.139.144)
  msdl.microsoft.com(204.79.197.219)
  trumops.com()
  vsblobprodscussu5shard58.blob.core.windows.net(13.84.56.16)
  runmodes.com(172.67.207.136)
  gohnot.com(172.67.196.11)
  logs.trumops.com()
  172.67.139.144
  204.79.197.219
  13.84.56.16
  172.67.207.136
  104.21.92.165
  20.150.39.196
Alerts (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET USER_AGENTS Go HTTP Client User-Agent
  ET INFO Request for EXE via GO HTTP Client
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
Score: 6.0 | VT: 56 | Source: ZeroCERT

14994 | 2021-11-05 10:54 | sqlservr.exe | ce22ab6e0ddcefdc45a9f9dae97c0dd0
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
Hosts (2):
  63.250.40.204 - malicious
  34.117.59.81
Score: 13.2 | VT: 8 | Source: ZeroCERT

14995 | 2021-11-05 10:54 | mpomzx.exe | 46cb216976e96c5177b934976db5f078
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2):
  http://www.atheanas.com/vngb/?inKP_fMh=Do4PgwBFcYg4LKCfzLlVpyHNIKvOXNIqezPYssNsUvCeBFItsG3+7L4QXURvi666/FWBmDos&-Z1dnl=Ctx0
  http://www.ediblewholesale.com/vngb/?inKP_fMh=5j6f4Av9tk5xZjpYv548DSz+WI0BElShrOBnvjqVaWBSAidCpQXo3zbvCXvdFIdluR6J9Glt&-Z1dnl=Ctx0
Hosts (5):
  www.recifetopschoolteacher.com()
  www.ediblewholesale.com(3.223.115.185)
  www.atheanas.com(23.227.38.74)
  3.223.115.185 - malicious
  23.227.38.74 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.2 | VT: 36 | Source: ZeroCERT

14996 | 2021-11-05 10:56 | HttpTwcyK3R6gQj7t7EY.exe | 66569d09ee7a064449b6890633d0a6aa
Tags: Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself crashed
Score: 1.8 | VT: 25 | Source: ZeroCERT

14997 | 2021-11-05 10:56 | ShareFolder.exe | 41afb6916c0587f605747a7391a8793c
Tags: Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
Hosts (3):
  23.59.72.17
  23.32.56.144
  23.206.175.43
Score: 3.0 | VT: 37 | Source: ZeroCERT

14998 | 2021-11-05 10:58 | malik_2.0.exe | d289a9602c2d07bbf8f4edc37051af6a
Tags: RAT PWS .NET framework Generic Malware Malicious Packer PE File PE32 .NET EXE VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself ComputerName DNS
Hosts (3):
  172.67.207.136
  104.21.92.165
  172.67.139.144
Score: 4.2 | VT: 25 | Source: ZeroCERT

14999 | 2021-11-05 11:00 | pub33.exe | bd1b477a9483e240ef5eef54145a13cd
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.2 | VT: 29 | Source: ZeroCERT

15000 | 2021-11-05 11:01 | autosubplayer.exe | 7ad11140cb494327c5d935d921b2bdf2
Tags: Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
Score: 2.8 | VT: 24 | Source: ZeroCERT
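Each record in this listing is the same bundle: file name and MD5, behavioural tags, contacted URLs and hosts (with the sandbox's "malware" / "malicious" host labels, misspelled "mailcious" in the export), ET / SSLBL alert names, a score and a VT count. The following Python is an added example, not code from this page or from ZeroCERT, that turns such records into structured IOCs for blocklists or a report. It assumes the sandbox's flattened export format: cells separated by "|", eleven cells per record (id, timestamp, "file md5 tags", URLs, hosts, alerts, an empty cell, score, an empty cell, VT count, source), list cells beginning with a count line, and URLs containing no "|". The two embedded records are trimmed copies of entries in the listing; the declared count at the head of each list cell is used as a consistency check on the tokenising.

```python
# Parse a flattened sandbox listing into structured IOC records. Added example
# for this page, not ZeroCERT's tooling. Assumed export layout (as scraped):
# cells split by "|", eleven cells per record (id, timestamp, "file md5 tags",
# urls, hosts, alerts, empty, score, empty, VT count, source); list cells start
# with a count line; URLs contain no "|".
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed input: two records trimmed from the listing, in that raw layout.
SAMPLE = """\
14988 | 2021-11-05 10:45 | vbc.exe 898badd240f8d99c109b1c8647eaa1f1 PWS Loki[b] RAT .NET framework LokiBot |
1
http://bobreplace.xyz/five/fre.php |
2
bobreplace.xyz(172.67.216.6) 104.21.78.45 |
2
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin | | 12.8 | | 22 | ZeroCERT | |
14991 | 2021-11-05 10:51 | 194.exe 9f478f53a757528c33e577205a94d607 RAT PWS .NET framework UPX Tofsee |
1
https://cdn.discordapp.com/attachments/893177342426509335/905576251824173106/embroideries.jpg |
3
cdn.discordapp.com(162.159.130.233) - malware 88.99.66.31 - mailcious 52.219.156.10 |
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 10.0 | | 21 | ZeroCERT |
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")
FILE_CELL = re.compile(r"^(\S+)\s+([0-9a-fA-F]{32})(?:\s+(.*))?$", re.S)
HOST = re.compile(r"([^()\s]+)(?:\(([^)]*)\))?(?:\s+-\s+(\w+))?")  # name(ip) - label
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ALERT_START = re.compile(r"\s+(?=ET [A-Z_]+ |SSLBL: )")  # one ET/SSLBL signature per item
LABEL_FIX = {"mailcious": "malicious"}  # the export misspells this label

def split_list(cell):
    """List cell = declared count on its first line, items after it."""
    if not cell:
        return 0, ""
    head, _, body = cell.partition("\n")
    return (int(head) if head.isdigit() else -1), body.strip()

def parse_hosts(body):
    return [{"name": n, "resolved": ip or None, "label": LABEL_FIX.get(l, l) if l else None}
            for n, ip, l in HOST.findall(body)]

def build_record(c):
    m = FILE_CELL.match(c[2])
    fname, md5, tags = (m.group(1), m.group(2).lower(), m.group(3) or "") if m else (c[2], "", "")
    (n_u, urls), (n_h, hosts), (n_a, alerts) = (split_list(c[k]) for k in (3, 4, 5))
    rec = {"sid": int(c[0]), "submitted": c[1], "filename": fname, "md5": md5, "tags": tags,
           "urls": urls.split(), "hosts": parse_hosts(hosts),
           "alerts": ALERT_START.split(alerts) if alerts else [],
           "score": float(c[7]) if c[7] else None,
           "vt": int(c[9]) if c[9].isdigit() else None, "source": c[10], "warnings": []}
    # The declared counts are a cheap consistency check on the tokenising above.
    for what, n in (("urls", n_u), ("hosts", n_h), ("alerts", n_a)):
        if n != len(rec[what]):
            rec["warnings"].append(f"{what}: declared {n}, parsed {len(rec[what])}")
    if not md5:
        rec["warnings"].append("file cell has no MD5")
    return rec

def parse_listing(text):
    cells = [c.strip() for c in text.split("|")]
    records, i = [], 0
    while i + 10 < len(cells):  # a record starts at a numeric cell followed by a timestamp
        if cells[i].isdigit() and TIMESTAMP.match(cells[i + 1]):
            records.append(build_record(cells[i:i + 11]))
            i += 11
        else:
            i += 1
    return records

def defang(url):
    """hxxp:// and [.] in the host only, so paths stay greppable in reports."""
    s = urlsplit(url)
    return urlunsplit((s.scheme.replace("http", "hxxp"), s.netloc.replace(".", "[.]"),
                       s.path, s.query, s.fragment))

def collect_iocs(records):
    """Flatten all records into per-type IOC sets (resolved IPs included)."""
    out = {"md5": set(), "url": set(), "domain": set(), "ip": set()}
    for r in records:
        out["md5"].update([r["md5"]] if r["md5"] else [])
        out["url"].update(r["urls"])
        for h in r["hosts"]:
            out["ip" if IPV4.match(h["name"]) else "domain"].add(h["name"])
            if h["resolved"] and IPV4.match(h["resolved"]):
                out["ip"].add(h["resolved"])
    return out

def c2_records(records):
    """ET MALWARE hits are confirmed C2 traffic in the sandbox: triage those first."""
    return [r for r in records if any(a.startswith("ET MALWARE") for a in r["alerts"])]

if __name__ == "__main__":
    for r in parse_listing(SAMPLE):
        print(r["sid"], r["filename"], r["md5"], r["vt"], [defang(u) for u in r["urls"]], r["warnings"])
```

Two caveats when turning the output into blocks. The ET MALWARE signatures (LokiBot check-in, FormBook CnC check-in) are the strong signal; ET INFO / ET POLICY hits and the SSLBL JA3 match are corroboration only, since a JA3 value fingerprints the client TLS stack and is shared by every sample built on it. And many resolved IPs here (172.67.x.x, 104.21.x.x, the Discord CDN edges) belong to Cloudflare and other shared CDNs, so they make poor block indicators compared with the URL or domain; `collect_iocs` keeps them in a separate set so they can be reviewed before use.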