15151 |
2021-11-09 10:06
|
callyzx.exe 9ad32640d60932d2bda2fa6d65435019 Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.duoceshi.info/cy88/?0V0hlT=LLYOGeqeqGLCAhAcohwM6EwtLbLFoXR93wrgTXB/YUwaO9tA5EilYc/UD20th9NA7FUU4Dep&OVoh0L=oL08q0BPhVqtrpeP http://www.alan-parks-nft-collection.com/cy88/?0V0hlT=a2ZcoZmk027xC9ToLl6dY3Kv+ch2oQckdmj5hf84KnhSasE2LoGl3ecd2o6DcC4KPN9ESgcB&OVoh0L=oL08q0BPhVqtrpeP http://www.usacreditfreedom.net/cy88/?0V0hlT=HdI+XLKi+1dWVJYAlSwoFWpiorRpU/GAXVbKHMfx/kvz8Mn3pS9mjkEc7sFU6MQJC2ifE1/O&OVoh0L=oL08q0BPhVqtrpeP
|
6
www.alan-parks-nft-collection.com(46.166.184.123) www.usacreditfreedom.net(34.102.136.180) www.duoceshi.info(111.230.157.183) 111.230.157.183 185.206.180.167 34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
7.8 |
|
15 |
ZeroCERT
15152 |
2021-11-09 10:08
|
7149_1636211541_7624.exe 65ecbb1c38b4ac891d8a90870e115398 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.6 |
|
42 |
ZeroCERT
15153 |
2021-11-09 10:10
|
vbc.exe 08588477f0297262109025dcdf0a3237 RAT PWS .NET framework Ave Maria WARZONE RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Packer Malicious Library UPX DNS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder human activity check Tofsee Windows ComputerName Cryptographic key keylogger |
1
|
6
darkworldblackerlocker.dumb1.com(198.46.132.206) lockerrollercooller.mywire.org(198.46.132.206) www.google.com(172.217.25.68) 142.250.199.68 142.250.204.132 198.46.132.206
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.2 |
|
27 |
ZeroCERT
15154 |
2021-11-09 10:10
|
9807_1636022097_3475.exe c591e112978c89efa345907759db9363 RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
|
36 |
ZeroCERT
15155 |
2021-11-09 10:10
|
artifact.exe eba3ab1cdf7058b3cb52fe63dd2950df Malicious Library PE File PE32 VirusTotal Malware RWX flags setting DNS |
|
2
66.42.44.124 198.46.132.206
|
|
|
3.6 |
|
53 |
ZeroCERT
15156 |
2021-11-09 10:12
|
vbc.exe 46c3f0a11804275f801722c913efbc44 Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
2
http://secure01-redirect.net/ga18/fre.php - rule_id: 6830 http://secure01-redirect.net/ga18/fre.php
|
2
secure01-redirect.net(85.143.175.133) 85.143.175.133
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://secure01-redirect.net/ga18/fre.php
|
14.0 |
|
21 |
ZeroCERT
15157 |
2021-11-09 10:14
|
vbc.exe 225d57c6cfe5370d9e8433ce7466c5e1 PWS .NET framework Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.6 |
|
44 |
ZeroCERT
15158 |
2021-11-09 10:18
|
vbc.exe 88d735da9f8ca6d1cfb1ff692715cc8b RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Tofsee Windows DNS Cryptographic key |
9
http://www.adornel.online/upi8/?mfsl7bO=WCYcamE4OpyvlGAM/6VYMp5sz4MiornE7eOrtWBiw93c7YzR/9rQfjXC9Ao6JY/ZAx2dt/o2&lZB=UFQL6PspOrB8cBA - rule_id: 7009 http://www.adornel.online/upi8/?mfsl7bO=WCYcamE4OpyvlGAM/6VYMp5sz4MiornE7eOrtWBiw93c7YzR/9rQfjXC9Ao6JY/ZAx2dt/o2&lZB=UFQL6PspOrB8cBA http://www.riyiflower.com/upi8/?mfsl7bO=URnhYor5h/a1eY4I1MRYkyvU/C6iyySQl5i/LfsqcAvS3n8t8VZBTJEv9CggEU7Qj9zQFGa7&lZB=UFQL6PspOrB8cBA http://www.usbgdt.com/upi8/?mfsl7bO=3UbDyqfhk74iQenn2rb1PNAqbmd7pBi1w5Vc7dibSIZzJ8oi4VLl/LL4Ih1QKPlRxuUAFdow&lZB=UFQL6PspOrB8cBA http://www.americanmamallc.com/upi8/?mfsl7bO=vjlpkTRLC5Dgfw3UkMfSv+OxhP+8YeLsZXlPwFsHyA3oiy9X6axLIvtArF0KGxnNi0HYfTxk&lZB=UFQL6PspOrB8cBA http://www.terabyte-hosting.com/upi8/?mfsl7bO=IksKFeB7Nhcr1UyvjUDc9raNq3yFKaWYeG8ZFa7N8PFOP2WxrCOsBm67wrG0znY6SYLdq5hH&lZB=UFQL6PspOrB8cBA http://www.orderonlinegift.com/upi8/?mfsl7bO=vxARSuSoqZK18t0E7sgbRYlEAQ3eiG2xpdFiyjWjeE35797axIfeZv8GrLi/CrHYLYoZksiT&lZB=UFQL6PspOrB8cBA http://www.worldtravelcostarica.com/upi8/?mfsl7bO=kak2erzwbk6dFhAabuUNPYc5MM8Ck6cWAVuSImrNuXpPcwWoMzKM7Th/w52UZO8cralg/c95&lZB=UFQL6PspOrB8cBA https://www.bing.com/
|
19
www.google.com(172.217.25.68) www.terabyte-hosting.com(156.239.239.145) www.adornel.online(194.245.148.189) www.orderonlinegift.com(198.54.117.210) www.usbgdt.com(198.54.117.211) www.americanmamallc.com(34.102.136.180) www.riyiflower.com(173.231.37.93) www.worldtravelcostarica.com(74.220.199.6) www.laminaparfum.com(173.249.0.223) 198.54.117.215 - mailcious 172.217.24.100 156.239.239.145 13.107.21.200 34.102.136.180 - mailcious 198.54.117.217 - phishing 74.220.199.6 - mailcious 173.231.37.93 173.249.0.223 194.245.148.189
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.adornel.online/upi8/
|
12.6 |
|
33 |
ZeroCERT
15159 |
2021-11-09 10:19
|
.csrss.exe db35515ceab913ff5f5802c0bd9ebf70 PWS Loki[b] Loki.m RAT .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://secure01-redirect.net/gb1/fre.php
|
2
secure01-redirect.net(85.143.175.133) 85.143.175.133
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
|
20 |
ZeroCERT
15160 |
2021-11-09 10:21
|
val.exe 892c9fd3a36e5344a74a21961350084d AgentTesla(IN) RAT Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key crashed |
|
|
|
|
5.2 |
|
40 |
ZeroCERT
15161 |
2021-11-09 10:23
|
soccer.png 292276fb4e37646aeca245bffb21ef21 PE File PE32 DLL Dridex TrickBot Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://46.99.175.217/soc1/TEST22-PC_W617601.BBEDF130CF73A299F033BBC993DA0177/5/file/ - rule_id: 5810
|
4
216.166.148.187 - mailcious 45.36.99.184 - mailcious 181.129.167.82 - mailcious 46.99.175.217 - mailcious
|
4
ET CNC Feodo Tracker Reported CnC Server group 8 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 17 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
1
https://46.99.175.217/soc1/
|
5.4 |
M |
|
ZeroCERT
15162 |
2021-11-09 10:54
|
ascvjkfd.exe 115d4ac308403ea6cffaf5d7ff23a501 PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger ICMP traffic unpack itself Check virtual network interfaces ComputerName DNS |
|
1
|
|
|
5.4 |
M |
58 |
guest
15163 |
2021-11-09 13:22
|
gTiBAFGxjBXmnkn.mp3 e44025fdc31cdce162ed7573b6c501f5 Malicious Library PE File PE32 DLL VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
2.8 |
|
44 |
guest
15164 |
2021-11-09 13:39
|
gTiBAFGxjBXmnkn.mp3 e44025fdc31cdce162ed7573b6c501f5 Malicious Library PE File PE32 DLL VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
2.8 |
|
44 |
guest
15165 |
2021-11-09 14:03
|
nncncd.txt.ps1 86d95bf7851b34a2eddf0cb4fc6c8988 Generic Malware Antivirus VirusTotal Malware powershell Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://179.61.237.75/A/MONEUE.txt
|
1
|
|
|
5.6 |
|
3 |
ZeroCERT