15181 | 2021-11-10 07:43 | soccer.png ccbaa028f68b0ffa02796dc3ced379d0 | PE File PE32 DLL Dridex TrickBot Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
(1) https://46.99.175.217/soc1/TEST22-PC_W617601.378045778DBB3760B151EB7F4F5930FF/5/file/ - rule_id: 5810
(5) 216.166.148.187 - mailcious; 46.99.175.217 - mailcious; 185.56.175.122 - mailcious; 46.99.175.149 - mailcious; 65.152.201.203 - mailcious
(4) ET CNC Feodo Tracker Reported CnC Server group 9; ET CNC Feodo Tracker Reported CnC Server group 17; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
(1) https://46.99.175.217/soc1/
6.4 | M |  | ZeroCERT

15182 | 2021-11-10 08:10 | HOWVRaY.rar 468aebaa0302d45cca1acb5c767d5e44 | AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
3.4 |  |  | ZeroCERT

15183 | 2021-11-10 08:11 | 1.exe 93f2ef7ece667948d903fd81a9c93dae | RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Cryptographic key
(1)
(2) www.google.com(172.217.31.132); 172.217.24.68
(1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 |  | 27 | ZeroCERT

15184 | 2021-11-10 08:12 | prof-eth.exe 4151ed1d9fe87cc363b01e33a162395d | Malicious Library PE64 PE File VirusTotal Malware Checks debugger crashed
1.6 |  | 19 | ZeroCERT

15185 | 2021-11-10 08:15 | OSJBPRX.exe d7fca9e12513998245b4654c7b2b2581 | Emotet NPKI Malicious Library UPX Antivirus Anti_VM Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug Anti Browser Info Stealer Malware download VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check SectopRAT Windows Browser Backdoor ComputerName Remote Code Execution DNS Cryptographic key crashed
(1)
(4) eth0.me(5.132.162.27); oTxbUTdWstdCViHcF.oTxbUTdWstdCViHcF(); 195.2.93.45; 5.132.162.27
(1) ET MALWARE Arechclient2 Backdoor CnC Init
17.0 |  | 21 | ZeroCERT

15186 | 2021-11-10 08:21 | prof-xmr.exe fea27ec625bc1404776fd452be4d52f9 | Malicious Library PE64 PE File VirusTotal Malware Checks debugger crashed
1.6 |  | 12 | ZeroCERT

15187 | 2021-11-10 08:23 | .csrss.exe 95cda983b01a1425d46a0690c4d27b62 | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
(2) http://secure01-redirect.net/gb1/fre.php - rule_id: 7756; http://secure01-redirect.net/gb1/fre.php
(2) secure01-redirect.net(85.143.175.133); 85.143.175.133
(7) ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Fake 404 Response; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
(1) http://secure01-redirect.net/gb1/fre.php
13.4 |  | 14 | ZeroCERT

15188 | 2021-11-10 08:25 | invoice_34567445556.wbk 8a1a3caa1e0f138dc0d8016671682438 | RTF File doc VirusTotal Malware buffers extracted RWX flags setting
2.4 |  | 28 | ZeroCERT

15189 | 2021-11-10 08:27 | winapi32.exe 5f20b46e52c413a9a4d79b1fb7a85b18 | UPX PE File PE32 VirusTotal Malware Check memory Checks debugger ICMP traffic suspicious process WriteConsoleW Tofsee Windows ComputerName
(1) https://iplogger.org/1hkvy7
(2) iplogger.org(88.99.66.31) - mailcious; 88.99.66.31 - mailcious
(1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 |  | 39 | ZeroCERT

15190 | 2021-11-10 09:37 | grand-1938209247.xls 548878f892cc6d86c17a4e2a60e4e19d | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
(2) https://arancal.com/HgLCgCS3m/be.html; https://iperdesk.com/JWqj8R2nt/be.html
(4) iperdesk.com(91.194.91.202); arancal.com(192.254.189.168); 192.254.189.168 - mailcious; 91.194.91.202 - mailcious
(2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.6 |  |  | guest

15191 | 2021-11-10 09:39 | grand-1938470824.xls 9995b44e1e69c7d84be7f583cc538fdd | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
(2) https://arancal.com/HgLCgCS3m/be.html; https://iperdesk.com/JWqj8R2nt/be.html
(4) iperdesk.com(91.194.91.202); arancal.com(192.254.189.168); 192.254.189.168 - mailcious; 91.194.91.202 - mailcious
(2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.6 |  |  | guest

15192 | 2021-11-10 09:40 | zuroq9 813e4625e96182b6a99b0c3a8733ff77 | TA551 BazarLoader Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check DLL Checks debugger unpack itself crashed
1.6 |  |  | ZeroCERT

15193 | 2021-11-10 09:41 | vbc.exe ceaa12735b1c2c2cd3fb2afd767de5fc | Loki Malicious Library UPX Admin Tool (Sysinternals etc ...) PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
(1) http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
(2) 74f26d34ffff049368a6cff8812f86ee.gq(172.67.219.104) - mailcious; 172.67.219.104
(10) ET INFO DNS Query for Suspicious .gq Domain; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.gq domain; ET INFO HTTP Request to a *.gq domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
(1) http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
9.6 | M |  | ZeroCERT

15194 | 2021-11-10 09:42 | Arrival_7036PDF.jar 1aec13cf9b79fd1858bbe91b6281f568 | MSOffice File VirusTotal Malware Check memory heapspray unpack itself Java
2.2 |  | 14 | ZeroCERT

15195 | 2021-11-10 09:44 | zuroq11 8d2bb78fb0c67d821ca92f6b2bd2c005 | TA551 BazarLoader Generic Malware Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check DLL Check memory Checks debugger unpack itself crashed
1.8 |  |  | ZeroCERT