15466 |
2021-11-17 08:01
|
file_01.exe c7381f53aae8af38e0878fd55fd4233a Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
|
1
63.250.40.204 - mailcious
10.6 |
|
38 |
ZeroCERT
15467 |
2021-11-17 08:02
|
doziezx.exe 76155ad95f94ea29559fe97bc4c81e95 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
9
|
19
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
9.4 |
|
43 |
ZeroCERT
15468 |
2021-11-17 08:02
|
vbc.exe 8be9e5d41b1921702f3e3cfe036b3321 Loki Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
|
2
74f26d34ffff049368a6cff8812f86ee.gq(172.67.219.104) - mailcious 104.21.62.32 - mailcious
|
10
ET INFO DNS Query for Suspicious .gq Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.gq domain ET INFO HTTP Request to a *.gq domain ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
|
10.4 |
M |
25 |
ZeroCERT
15469 |
2021-11-17 08:03
|
JW0R24WXLkzpA2H.exe d58a1ea878651914926bc2a48c2b853d RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself |
5.2 |
|
39 |
ZeroCERT
15470 |
2021-11-17 08:05
|
luko5 850964e5f638c8365f0f0a8bd18c95b6 Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check DLL Checks debugger unpack itself Remote Code Execution crashed |
1.6 |
ZeroCERT
15471 |
2021-11-17 08:05
|
333.exe 840a9628f0b877320c144b9968a036be Emotet Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PE File PE32 OS Proc VirusTotal Malware Buffer PE AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Remote Code Execution DNS |
|
6
BgglqzlfstthqrDVch.BgglqzlfstthqrDVch() 91.219.236.162 185.163.47.176 - mailcious 193.38.54.238 178.23.190.57 74.119.192.122
12.4 |
|
37 |
ZeroCERT
15472 |
2021-11-17 08:07
|
.winlogon.exe bcef49bcee517cf2adc318beb174108c PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed |
14.2 |
|
17 |
ZeroCERT
15473 |
2021-11-17 08:08
|
aPIm2GsjA a0e796dcc0c4ac7bf48876ff02833456 Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS |
|
20
|
5
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 8 ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 13
5.2 |
|
12 |
ZeroCERT
15474 |
2021-11-17 08:09
|
vbc.exe c420e0d15b69b8ec5a0dc42cc213595f PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://secure01-redirect.net/gb3/fre.php
|
2
secure01-redirect.net(93.189.47.205) 93.189.47.205
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.0 |
|
23 |
ZeroCERT
15475 |
2021-11-17 08:09
|
a 4e5a57bf7816af85829a14bae48168f8 Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS |
|
20
|
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 8 ET CNC Feodo Tracker Reported CnC Server group 13
5.4 |
|
27 |
ZeroCERT
15476 |
2021-11-17 08:09
|
VVYUYDUYFUFHHJFJ.dll 60801952075f6e5a6db71c6ed9a9c0a3 RAT Generic Malware Malicious Packer PE File PE32 .NET DLL DLL VirusTotal Malware PDB |
1.2 |
|
31 |
ZeroCERT
15477 |
2021-11-17 08:11
|
ETS_0100000456_063256.exe a0b0b8907720674c5ee356cb6186a2a7 RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(158.101.44.242) 193.122.6.168 104.21.19.200
|
3
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.6 |
|
46 |
ZeroCERT
15478 |
2021-11-17 08:12
|
PP 3496897bb3865e4a5b95ea6c1856183c Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS |
|
20
|
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 8 ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 13
5.2 |
|
12 |
ZeroCERT
15479 |
2021-11-17 08:13
|
5MfZPgP06 b59a88609656e2f8c798e6eb1012c747 Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS |
|
20
|
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 8 ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 13
5.4 |
|
23 |
ZeroCERT
15480 |
2021-11-17 08:14
|
vbc.exe 2437829910089579a1af310d495b385b PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
|
1
63.250.40.204 - mailcious
13.8 |
|
34 |
ZeroCERT