15331 | 2021-11-13 13:01
File: VBC.exe | MD5: a183768631f68d124acdc41ae7f952ae | Tags: RAT Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (1):
  http://www.newleafcosmetix.com/9gr5/?YBZL=Od/+cgVvbmih1uevlyZToqiOsKxz+10WKq+xZAdaehsJQNs1xy87wMgIe9HJb6RUWSmi99av&6l=t8eT-nbPWVIxU
Hosts (3):
  www.newleafcosmetix.com(34.102.136.180)
  www.golfteesy.com()
  34.102.136.180 - malicious
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.2 | 36 | ZeroCERT

15332 | 2021-11-13 13:03
File: .winlogon.exe | MD5: daf84fefe9b9a1649218f09792fdc2c4 | Tags: RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (1): (none listed)
Hosts (3):
  www.google.com(142.250.207.4)
  13.107.21.200
  216.58.200.68
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.0 | 27 | ZeroCERT

15333 | 2021-11-13 13:04
File: .csrss.exe | MD5: 05c54117e01be9fe65f0af1b709a3e7b | Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities AppData folder Windows
URLs (4):
  http://www.adaquestgame.com/h6eg/?VRNt=TJwyR0TlkIBcAVw/9aND4gXSZASytqXToWLIxmFIrpIdEkvXsUxe+xoxDb3FrPM/CMASvnVH&ndkHzH=Utx4qLXhdhBT
  http://www.cavallitowerofficial.net/h6eg/?VRNt=N94FWVaNNMuG9BwlOsLcdDJ3Sv+b9pM8NsaNHjKzbOQOm1ujqSwIdQ4MLzqGtDvJiiFUcZ85&ndkHzH=Utx4qLXhdhBT
  http://www.volkcarteil.com/h6eg/?VRNt=CsMhPagKJdXDYgIlXEohqX4NqKa+B5yABf/teOSFOZEZr8qXY7chrUT5bPy51K+siPtpQhw4&ndkHzH=Utx4qLXhdhBT
  http://www.defendingdata.com/h6eg/?VRNt=owl5DQqhgpQ3E2OoLjyK6mR5NoaxYjvbH7LFJNM9oSvie3V0uFpsnTWx9hjBAX+QkqcsSgmi&ndkHzH=Utx4qLXhdhBT
Hosts (11):
  www.uuckpp.com()
  www.adaquestgame.com(81.169.145.95)
  www.volkcarteil.com(198.136.51.154)
  www.defendingdata.com(3.223.115.185)
  www.mdf108.space(119.8.50.32)
  www.cavallitowerofficial.net(34.102.136.180)
  198.136.51.154
  119.8.50.32
  34.102.136.180 - malicious
  81.169.145.95 - malicious
  3.223.115.185 - malicious
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
11.8 | 22 | ZeroCERT

15334 | 2021-11-13 13:05
File: bobo.scr | MD5: 018c7bb6e89ac68224be64da67a911e4 | Tags: RAT PWS .NET framework Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
1.8 | 24 | ZeroCERT

15335 | 2021-11-13 13:05
File: ctrl.exe | MD5: 40c37050c249f05871e545b3f03a6261 | Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (1):
  http://www.1527brokenoakdrive.site/nk6l/?w2J=jP0XjeSgSwb6GljuZIUzr+Wr4LOzEwTYnwZ8MMYm+mej+m4fHGukAN1SliFlR5pUPmwRfLY8&tFQh=YP4Hk0O8
Hosts (4):
  www.1527brokenoakdrive.site(172.67.187.223)
  www.kaka.digital() - malicious
  www.mnbvending.com()
  104.21.64.211 - malware
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.0 | 20 | ZeroCERT

15336 | 2021-11-13 13:07
File: scene.exe | MD5: 810257cb60e0d1a1ed732106e342d2b6 | Tags: Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
11.6 | 39 | ZeroCERT

15337 | 2021-11-13 13:09
File: loader2.exe | MD5: cfecaaffb48e173260fd2013ba106e60 | Tags: Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder Windows
URLs (7):
  http://www.strainpsterling.com/yao3/?-Z1dnl=hhgLd90lT5x8wIZrMj7YuyXENJreDYauqRly+J6en/E4gum1n3yZpFGI6buVCRbu11Elk2Q4&2d3=oneha
  http://www.cidufetal.com/yao3/?-Z1dnl=PgD1La7e3VbxpopY+hNhawMocaOHF3kYA0v7KyWJLMyw7ZvUGCVfCw+P8wVtSLZcEZKYgifg&2d3=oneha
  http://www.stocksellingevent100.com/yao3/?-Z1dnl=BGuMCVlr1/SjT1z1AAzUUtLKDyYsXWUO0Ads+mHXzt+060+ddi/rRJfvKPC7GEH2yK42rxRF&2d3=oneha
  http://www.expansionsound.com/yao3/?-Z1dnl=q99EJLW1r1s7p6MH8wi+X/Yze9wL3RhCKM8rPSo10Y1QbU063na87NbqXeAJq8VscFzhiapO&2d3=oneha
  http://www.modularscleanroom.com/yao3/?-Z1dnl=IIyhjFh4SG7Uw4Uhh2YtXVVOzEcvrVZdRjb0WDI293OUsHKTq93rx4d1LR/r+8q8Dj/h5Cjk&2d3=oneha
  http://www.dariushbordbar.com/yao3/?-Z1dnl=ugOQ1tTSiCrhyhBEVpHPwUaoK7it8NBZmXhBsi2HgeUC9jMMuZAJ0FSd6IrHg6mGql3d3ox7&2d3=oneha
  http://www.uewb.net/yao3/?-Z1dnl=Yo8SHF+0eK7x5mXwht3X2wJ4x/UaoJLF2T7s2/ZKGpmAn1Fo1l2hmtgtadKtuRBwyXmVdlRC&2d3=oneha
Hosts (21):
  www.threeminutesupdate.com()
  www.uewb.net(67.227.213.146)
  www.expansionsound.com(192.99.246.76)
  www.dariushbordbar.com(34.102.136.180)
  www.cidufetal.com(64.251.1.115)
  www.biz-financeagency.com()
  www.docpipe.net(93.190.41.161)
  www.testsigmaos.com()
  www.modularscleanroom.com(198.54.117.244)
  www.strainpsterling.com(104.21.94.221)
  www.objuration.xyz()
  www.stocksellingevent100.com(104.21.32.199)
  www.2578990540.com(192.168.0.113)
  172.67.154.179
  104.21.94.221
  64.251.1.115
  198.54.117.244 - phishing
  34.102.136.180 - malicious
  192.99.246.76
  93.190.41.161
  67.227.213.146
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
7.8 | 19 | ZeroCERT

15338 | 2021-11-13 13:09
File: scan_01.exe | MD5: 7a060a1e3aa99e966da96c0ce81195ce | Tags: Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software
Hosts (1):
  63.250.40.204 - malicious
10.4 | 23 | ZeroCERT

15339 | 2021-11-13 13:10
File: slhost.exe | MD5: 7663a0f9957107e7ef91c493a3c85261 | Tags: Themida Packer PE64 PE File VirusTotal Malware Windows DNS crashed
URLs (1): (none listed)
3.0 | 32 | ZeroCERT

15340 | 2021-11-13 13:11
File: .csrss.exe | MD5: 9467f0290a6b538c51b06a1c69499879 | Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.6 | 48 | ZeroCERT

15341 | 2021-11-13 13:12
File: vms.exe | MD5: 34cca2013eb9b2941a65971919bf356d | Tags: Themida Packer PE File PE32 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process AppData folder WriteConsoleW VMware anti-virtualization Tofsee Windows Discord ComputerName Firmware crashed Downloader
URLs (6):
  http://depressionk1d.ug/k8FppT/index.php?scr=1
  http://cdn.discordapp.com/attachments/878034206570209333/908810887417176084/vms.exe
  http://cdn.discordapp.com/attachments/878034206570209333/908810886561534042/slhost.exe
  http://depressionk1d.ug/k8FppT/index.php
  https://cdn.discordapp.com/attachments/878034206570209333/908810886561534042/slhost.exe
  https://cdn.discordapp.com/attachments/878034206570209333/908810887417176084/vms.exe
Hosts (4):
  depressionk1d.ug(178.208.83.45)
  cdn.discordapp.com(162.159.130.233) - malware
  162.159.135.233 - malware
  178.208.83.45 - malware
IDS alerts (4):
  ET MALWARE Amadey CnC Check-In
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY EXE File Downloaded from Discord
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
11.0 | 48 | ZeroCERT

15342 | 2021-11-13 13:14
File: jet.exe | MD5: 30f4ab81bdabc5f278037984f4e44754 | Tags: Loki PWS Loki[b] Loki.m Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/ga22/fre.php - rule_id: 7884
  http://secure01-redirect.net/ga22/fre.php
Hosts (2):
  secure01-redirect.net(176.32.33.47)
  176.32.33.47
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
C2 URL (1):
  http://secure01-redirect.net/ga22/fre.php
13.0 | 38 | ZeroCERT

15343 | 2021-11-13 13:14
File: vms.exe | MD5: 2bc350586fbde00fff7707d69c30941f | Tags: Themida Packer PE File PE32 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process AppData folder WriteConsoleW VMware anti-virtualization Windows ComputerName Firmware crashed
URLs (2):
  http://depressionk1d.ug/k8FppT/index.php?scr=1
  http://depressionk1d.ug/k8FppT/index.php
Hosts (2):
  depressionk1d.ug(178.208.83.45)
  178.208.83.45 - malware
IDS alerts (1):
  ET MALWARE Amadey CnC Check-In
11.0 | 43 | ZeroCERT

15344 | 2021-11-13 13:16
File: sqlservr.exe | MD5: e69812f7a7295a5cf8b7d43c3969ae8e | Tags: PWS Loki[b] Loki.m RAT Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
Hosts (1):
  63.250.40.204 - malicious
14.6 | 31 | ZeroCERT

15345 | 2021-11-13 13:16
File: csrss.exe | MD5: 6c08bec27edf8a2e7bb77bf406354d3b | Tags: Loki PWS Loki[b] Loki.m RAT Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/fd4/fre.php - rule_id: 6874
  http://secure01-redirect.net/fd4/fre.php
Hosts (2):
  secure01-redirect.net(176.32.33.47)
  176.32.33.47
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
C2 URL (1):
  http://secure01-redirect.net/fd4/fre.php
13.8 | 23 | ZeroCERT