15121 | 2021-11-08 16:03
gTiBAFGxjBXmnkn.mp3 e44025fdc31cdce162ed7573b6c501f5 Malicious Library PE File PE32 DLL VirusTotal Malware unpack itself Windows crashed |
2.8 | 44 | guest

15122 | 2021-11-08 18:17
1503_1636030253_4690.exe 7a76eef4029a2403e3d912bd299c8c85 RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 | 43 | ZeroCERT

15123 | 2021-11-08 18:19
1997_1636317182_5952.exe a948eafa51f0a22337dc747dde057864 RAT Generic Malware Malicious Packer UPX ASPack Malicious Library Antivirus AntiDebug AntiVM PE File PE32 .NET EXE PE64 OS Processor Check Browser Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName Cryptographic key crashed |
3
http://pallad32.beget.tech/system32/Windforce.exe http://www.google.com/ https://api.ip.sb/ip
8
pallad32.beget.tech(5.101.153.220) www.google.com(172.217.25.68) piatulusher.xyz(185.81.115.38) api.ip.sb(104.26.13.31) 5.101.153.220 172.217.31.228 104.26.13.31 185.81.115.38
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
17.8 | 25 | ZeroCERT

15124 | 2021-11-08 18:19
997_1636274799_3110.exe 58af6048e61d849aad0ab2ecfc80fbc7 RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee |
1
https://cdn.discordapp.com/attachments/901604840319369236/906592297569910834/Downloader.exe
2
cdn.discordapp.com(162.159.130.233) - malware 162.159.129.233 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | 33 | ZeroCERT

15125 | 2021-11-08 18:20
8194_1636301703_9028.exe 91d4d9e326c8fc248005b8d1ab6ce48b PWS Loki[b] Loki.m AgentTesla RAT browser info stealer Generic Malware Antivirus Code injection ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://bitbucket.org/setupfx1/software/downloads/Tango.bin https://bbuseruploads.s3.amazonaws.com/dd8f3efb-aea4-4888-a2bc-db69074fc43e/downloads/f3cf9db5-402d-4ac0-81bf-ed03f37f3813/Tango.bin?Signature=saZRMEukgw4Kolbfgg8osLa73Hk%3D&Expires=1636364715&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=OQ.Ov51xs6RULvB9iL41ndXqzROZqFlU&response-content-disposition=attachment%3B%20filename%3D%22Tango.bin%22
8
mas.to(88.99.75.82) twitter.com(104.244.42.65) bbuseruploads.s3.amazonaws.com(52.217.228.169) - malware bitbucket.org(104.192.141.1) - malware 104.244.42.1 - suspicious 52.217.130.161 88.99.75.82 104.192.141.1 - mailcious
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query for .to TLD ET INFO TLS Handshake Failure
12.8 | 24 | ZeroCERT

15126 | 2021-11-08 18:21
2250_1636094639_2454.exe 75b5f08705e2583250dfcc7e6ec22015 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution DNS |
1
3.6 | 50 | ZeroCERT

15127 | 2021-11-08 18:21
sqlservr.exe 44467361d4da792208493674019ebf27 PWS Loki[b] Loki.m RAT .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
63.250.40.204 - mailcious
12.4 | 18 | ZeroCERT

15128 | 2021-11-08 18:23
2444_1636306218_6409.exe 836fce87deb457a5ec93f942091c9afc PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key crashed |
1
6.8 | 32 | ZeroCERT

15129 | 2021-11-09 07:54
VIPETSDYSYUYSDYSSIUSUDYUSDUISD... 42a9c8228cc642a1ce4337a81f2e62fc RAT Generic Malware PE File PE32 .NET DLL DLL VirusTotal Malware PDB |
0.6 | 1 | ZeroCERT

15130 | 2021-11-09 07:59
vbc.exe 3df4f06ab44a96ffccf63b43b46aeafd PWS Loki[b] Loki.m Generic Malware Admin Tool (Sysinternals etc ...) Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://secure01-redirect.net/gb2/fre.php
2
secure01-redirect.net(85.143.175.133) 85.143.175.133
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
12.8 | 18 | ZeroCERT

15131 | 2021-11-09 08:01
doc_0002939399330.wbk 2137a5a55ef05911b840631754c6141a RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
2
http://107.172.73.207/3338/vbc.exe http://secure01-redirect.net/gb2/fre.php
3
secure01-redirect.net(85.143.175.133) 85.143.175.133 107.172.73.207
13
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
5.0 | 32 | ZeroCERT

15132 | 2021-11-09 09:46
.csrss.exe 954b35c0135d4044ac1ae985dc7d6c51 PWS Loki[b] Loki.m RAT .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
63.250.40.204 - mailcious
13.6 | 22 | ZeroCERT

15133 | 2021-11-09 09:48
vbc.exe 39019e861a94f5908ec2e6e512082c8c RAT PWS .NET framework Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
9
http://www.lfykjx.com/ns87/?1bw=RTWbQzRs77Ila5QRLmVbas9ODDx+OwRLwzxShk8iAGr9WkI41KFvTo9ou2dCKZ+Nr/Swnww7&EjP=dfcdAHVPlRm http://www.ff4ckcexr.xyz/ns87/?1bw=Y56b1gZiqgWV8B5utiwOdrje3mgDLwJvreA+DVrFBklvNe+GfnCD4GLsgWYN2bmrER35d8Hq&EjP=dfcdAHVPlRm http://www.carollinaorganic.com/ns87/?1bw=dWLzRX4cOPYzj8uLU70ojEGiSDs2sJUYYm5fXyFzDuyDFdpz0JatNB+YLqYliROsKkZZeQ6J&EjP=dfcdAHVPlRm http://www.jovinodossantossite.com/ns87/?1bw=Xj+zYd3w1uyWJ0Xz98VsTGNMNUdn3FeJBvm2/UJrPAFGqZTMcFcfW+ZzufpLXejkVCTsHFiU&EjP=dfcdAHVPlRm http://www.machikado.info/ns87/?1bw=Lpsc/iPJgeHQejpB3qKSIA6K+i88I1evSnDSRKIsb22EET5Ts9XmWXkseS1wGiL3IUq/8apF&EjP=dfcdAHVPlRm http://www.etriaf.com/ns87/?1bw=c2EGXLcAdbHDR0nfONLP3IhEWAjv/3MsLKJlUe5Cxfi7mW86cX2ZJAlrWhWjNn/WyGbP7MQb&EjP=dfcdAHVPlRm http://www.lakesideshores.com/ns87/?1bw=NL34Hzl1PgBtSwTzZvvjdZxln/neQpXKB557iAAGhct1gZ5XQ4z8zxWdOVZVYTcUxHgasyvi&EjP=dfcdAHVPlRm http://www.skecherspromocje.com/ns87/?1bw=b+NVlRYNfXYmRJVi49JwaMobHsrV0+KuaK4ZedcZn35A0Q4JoCoHWYQNfsSZM69xyk+bkZAN&EjP=dfcdAHVPlRm http://www.evertownnycapartments.net/ns87/?1bw=VzAKVr6KPppO6rB3US6reKa0EIWL54j3l2E24sYzE9xBdXjSMbcOlb0yeUGyxCmdiOL3++Iu&EjP=dfcdAHVPlRm
18
www.desktop-exodus.com() www.etriaf.com(34.102.136.180) www.carollinaorganic.com(45.114.246.50) www.skecherspromocje.com(196.245.155.38) www.jovinodossantossite.com(164.132.152.67) www.lfykjx.com(154.206.104.170) www.lakesideshores.com(34.102.136.180) www.ff4ckcexr.xyz(23.225.139.107) www.evertownnycapartments.net(206.188.193.153) www.machikado.info(103.224.212.220) 23.225.139.107 34.102.136.180 - mailcious 164.132.152.67 206.188.193.153 196.245.155.38 103.224.212.220 154.206.104.170 45.114.246.50
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
7.8 | 15 | ZeroCERT

15134 | 2021-11-09 09:49
JBEE.exe 008b7b002cfe2e0b82283464a9abd835 AgentTesla(IN) RAT Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
5.6 | 36 | ZeroCERT

15135 | 2021-11-09 09:49
vbc.exe acc0e6bdc5eaf1885f843ee8016758a1 Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
2
http://secure01-redirect.net/ga20/fre.php - rule_id: 6926 http://secure01-redirect.net/ga20/fre.php
2
secure01-redirect.net(85.143.175.133) 85.143.175.133
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://secure01-redirect.net/ga20/fre.php
12.8 | 16 | ZeroCERT