ID: 15481
Date: 2021-11-17 08:15
File: nVgyRFrTE68Yd9s6
MD5: 01f5cb1e8de71d40cf1a92f46951b19c
Tags: Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS
URLs: none
Hosts (20):
  103.75.201.2
  45.76.176.10
  51.68.175.8
  212.237.5.209
  207.38.84.195
  66.42.55.5
  195.154.133.20
  45.118.135.203
  94.177.248.64
  58.227.42.236
  104.251.214.46
  210.57.217.132
  178.79.147.66
  103.8.26.103
  103.8.26.102
  81.0.236.93 (malicious)
  138.185.72.26
  185.184.25.237
  45.142.114.231
  188.93.125.116
Suricata alerts (5):
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 8
  ET CNC Feodo Tracker Reported CnC Server group 13
  ET CNC Feodo Tracker Reported CnC Server group 17
Score: 4.6
VirusTotal detections: not reported
Source: ZeroCERT

ID: 15482
Date: 2021-11-17 08:16
File: vbc.exe
MD5: 9fbeaae1750a7b646e74a0a6bb4de7a5
Tags: Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware Antivirus Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName Cryptographic key Software
URLs (2):
  http://gridnetworks.xyz/five/fre.php (rule_id: 7189)
  http://gridnetworks.xyz/five/fre.php
Hosts (2):
  gridnetworks.xyz (104.21.16.10)
  104.21.16.10
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://gridnetworks.xyz/five/fre.php
Score: 16.0
VirusTotal detections: 39
Source: ZeroCERT

ID: 15483
Date: 2021-11-17 08:17
File: luko12
MD5: f4a6ec71e178159db07d8dcc066755be
Tags: Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check DLL Checks debugger unpack itself Remote Code Execution crashed
URLs: none
Hosts: none
Suricata alerts: none
Score: 1.6
VirusTotal detections: not reported
Source: ZeroCERT

ID: 15484
Date: 2021-11-17 08:19
File: chungzx.exe
MD5: 3368d7af54523d7dc1901ab5d1b40a9b
Tags: AgentTesla RAT PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Socket Internet API Code injection Sniff Audio KeyLogger Escalate privileges Downloader persistence Create Service DGA Steal credential DNS HTTP FTP ScreenShot VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security WriteConsoleW Windows DNS DDNS keylogger
URLs: none
Hosts (2):
  yjune2021.duckdns.org (194.5.97.131) (malicious)
  194.5.97.131 (malicious)
Suricata alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 11.4
VirusTotal detections: 26
Source: ZeroCERT

ID: 15485
Date: 2021-11-17 08:20
File: luko9
MD5: c276da8a99182e5a827024ee1fe1074e
Tags: Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check DLL Checks debugger unpack itself Remote Code Execution crashed
URLs: none
Hosts: none
Suricata alerts: none
Score: 1.6
VirusTotal detections: not reported
Source: ZeroCERT

ID: 15486
Date: 2021-11-17 08:20
File: atultipret.png
MD5: 7f3a161e5830c102cf17783a66e9b6d4
Tags: Emotet Malicious Library UPX PE File PE32 Dridex TrickBot Malware Report suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed
URLs (1):
  https://97.83.40.67/top148/TEST22-PC_W617601.1BBCF5FF4F4FF07FD3115B33878531FF/5/file/
Hosts (7):
  194.5.97.131 (malicious)
  46.99.175.149 (malicious)
  179.189.229.254 (malicious)
  185.56.175.122 (malicious)
  216.166.148.187 (malicious)
  65.152.201.203 (malicious)
  97.83.40.67 (malicious)
Suricata alerts (4):
  ET CNC Feodo Tracker Reported CnC Server group 9
  ET CNC Feodo Tracker Reported CnC Server group 8
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Score: 7.0
VirusTotal detections: not reported
Source: ZeroCERT

ID: 15487
Date: 2021-11-17 08:22
File: werfer.exe
MD5: c621ac54b1b9e74991047eb747c7c952
Tags: RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
URLs: none
Hosts: none
Suricata alerts: none
Score: 2.0
VirusTotal detections: 31
Source: ZeroCERT

ID: 15488
Date: 2021-11-17 08:22
File: XBByNUNWvIEvawb68
MD5: e86945ed547f642291afcf2f5c2112a0
Tags: Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS
URLs: none
Hosts (21):
  103.75.201.2
  45.76.176.10
  51.68.175.8
  212.237.5.209
  207.38.84.195
  66.42.55.5
  195.154.133.20
  45.118.135.203
  94.177.248.64
  58.227.42.236
  104.251.214.46
  210.57.217.132
  178.79.147.66
  103.8.26.103
  103.8.26.102
  81.0.236.93 (malicious)
  138.185.72.26
  97.83.40.67 (malicious)
  185.184.25.237
  45.142.114.231
  188.93.125.116
Suricata alerts (5):
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 8
  ET CNC Feodo Tracker Reported CnC Server group 13
  ET CNC Feodo Tracker Reported CnC Server group 17
Score: 5.2
VirusTotal detections: 15
Source: ZeroCERT

ID: 15489
Date: 2021-11-17 08:25
File: EdUpsazo.exe
MD5: 4c2b14026f587144fe0db520c40806e6
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
URLs (1):
  https://cdn.discordapp.com/attachments/902978026868965390/909005676829880410/AnthonySantosInventoryManagementSystem.dll
Hosts (2):
  cdn.discordapp.com (162.159.129.233) (malware)
  162.159.129.233 (malware)
Suricata alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.8
VirusTotal detections: 17
Source: ZeroCERT

ID: 15490
Date: 2021-11-17 08:27
File: vbc.exe
MD5: b7e6359e34d893bb3b1c9649801aa236
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs: none
Hosts (1):
  63.250.40.204 (malicious)
Suricata alerts: none
Score: 12.8
VirusTotal detections: 31
Source: ZeroCERT

ID: 15491
Date: 2021-11-17 08:29
File: vbc.exe
MD5: 33f3be1623b34c94b468c44313544024
Tags: AgentTesla(IN) RAT Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed
URLs: none
Hosts: none
Suricata alerts: none
Score: 5.8
VirusTotal detections: 42
Source: ZeroCERT

ID: 15492
Date: 2021-11-17 08:31
File: bluezx.exe
MD5: c1d61910d2c8361dbe84d484a5a12a01
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (131.186.113.70)
  132.226.8.169
  172.67.188.154
Suricata alerts (3):
  ET POLICY External IP Lookup - checkip.dyndns.org
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Score: 12.8
VirusTotal detections: 32
Source: ZeroCERT

ID: 15493
Date: 2021-11-17 08:33
File: file_02.exe
MD5: 7e726b581b08953c12d3edb4db2c2488
Tags: Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software
URLs: none
Hosts (1):
  63.250.40.204 (malicious)
Suricata alerts: none
Score: 10.8
VirusTotal detections: 41
Source: ZeroCERT

ID: 15494
Date: 2021-11-17 08:36
File: wlanext32.exe
MD5: 485931562730550c0dd729d3d2c26434
Tags: Generic Malware Themida Packer Malicious Packer PE64 PE File VirusTotal Malware unpack itself Windows crashed
URLs: none
Hosts: none
Suricata alerts: none
Score: 2.6
VirusTotal detections: 29
Source: ZeroCERT

ID: 15495
Date: 2021-11-17 08:40
File: chikwazx.exe
MD5: 843f2acb5a70e82a543855e716b2ce9c
Tags: Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate privileges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS crashed
URLs (13):
  http://www.scoocs.info/mvc8/?nvDHJR=gtxde&OB=QAAzND8Vxj93BCJLH8XgIAd3eRYPUgqMqPVn1TLvnMEe6LHU0Wi+2KqBt2GiAI542eN4rAsy
  http://www.revelstyle.com/mvc8/?nvDHJR=gtxde&OB=KhHkaqV2pxzYEtxXOZqKnhEwbBa2wcnXm5kmVMDYLytu5SuvIls9x4byPfBUNUaQ6aOXGnQK
  http://www.milda.digital/mvc8/?OB=OJsT9eH3LnjQtOzGcOYPuhYjtx5qQYRTS9x0zNEiZrL4/bWrgoursir8ZWswphyaFe+G5ldc&nvDHJR=gtxde
  http://www.littlekylskap.com/mvc8/?OB=tiKEbzLZZrUKsAwJ/sxTA6yr/f9nTFEDhFQFjdQ20YnCLi2G2MNGDcXIhk6bRdFS+fKrrCI7&nvDHJR=gtxde
  http://www.asagency.xyz/mvc8/?OB=rT3QEwb/ijRAARunaomLwNnxjKdMqrTAF8F7GGptv7DI/rJ5cOCbvg6zWvjFXKIlbm9DU/tu&nvDHJR=gtxde
  http://www.firmaheijnen.com/mvc8/?OB=G3ihUkZ6JzrBMvpKoqPcWz2/GlZM0MqsCKXd82wXT8+S+dFScJOu0IUCXrFkQKO8CwDlgHP7&nvDHJR=gtxde
  http://www.naamgem.com/mvc8/?OB=j3Af5XRUezgmydnFoRmHaFlLnKwILO/BWw6n020RcbV14pts70bSI32UY/qTuyhcmPhgBYQQ&nvDHJR=gtxde
  http://www.mab.network/mvc8/?OB=eWuQmXzSeweQoYJYQ6yiFuj5EqGrWBSiy/m6AxFgoQUAJO8BYoGzlM7Y1jLdth+BxTnG6yuX&nvDHJR=gtxde
  http://www.tokencord.com/mvc8/?OB=BYf0zAKtDQQZsdqaCgtJsqduoKFRddgui11PToTLy7RPVYSaKAlt7QUnj5utdKb5f8Jhp78W&nvDHJR=gtxde
  http://www.valentinaturals.com/mvc8/?nvDHJR=gtxde&OB=LFaWDNJJ8LwsB3Cvo+1/dtn/WK8C9mKXRffxxK6Vnpy7GUZK7Vfjv7Ih4ReBgetaAHZPyvaf
  http://www.staginglaneperf.com/mvc8/?OB=gFRqfEYC92qx40qqTbQRQqjNwW+J09ncvqNZ2WGC03WU9OF5aW6GAl5L4iOP3dH5WKMtam/o&nvDHJR=gtxde
  http://www.youandiconsulting.com/mvc8/?nvDHJR=gtxde&OB=EpC5wqvZS9F1/Tmlm5iLNBR8Q8YHzUAaJWzlNDHYOMZZB9lIYTkXOBtDpP8CfT99QMYyBIPx
  https://cdn.discordapp.com/attachments/907771805069115456/907930937109655562/Uxhjrkfgzxoigdcovhkknaxjaqdmkxy
Hosts (30):
  www.scoocs.info (172.217.31.147)
  www.milda.digital (156.67.72.57)
  www.firmaheijnen.com (91.184.0.95)
  www.valentinaturals.com (100.24.208.97)
  www.naamgem.com (198.54.117.216)
  www.latinversionista.online (unresolved)
  www.mab.network (139.99.69.103)
  www.revelstyle.com (52.58.78.16)
  www.youandiconsulting.com (34.102.136.180)
  www.staginglaneperf.com (205.178.144.150)
  www.littlekylskap.com (23.227.38.74)
  cdn.discordapp.com (162.159.129.233) (malware)
  www.tokencord.com (162.243.47.214)
  www.asagency.xyz (192.64.119.138)
  www.mascotairportcarwash.online (unresolved)
  www.lubot.net (unresolved)
  142.250.66.115
  162.159.133.233 (malware)
  156.67.72.57 (phishing)
  192.64.119.138
  198.54.117.210 (malicious)
  162.243.47.214
  52.58.78.16 (malicious)
  205.178.144.150
  34.102.136.180 (malicious)
  35.172.94.1 (phishing)
  139.99.69.103
  23.227.38.74 (malicious)
  172.67.188.154
  91.184.0.95 (malicious)
Suricata alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 13.4
VirusTotal detections: 38
Source: ZeroCERT
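The records above are raw sandbox output; what a responder usually wants from them is a de-duplicated indicator set and a view of which infrastructure recurs across samples (194.5.97.131 is listed under both 15484 and 15486, 97.83.40.67 under 15486 and 15488, 63.250.40.204 under 15490 and 15493). The script below is an added example, not ZeroCERT's code: it parses the host and tag cells in the feed's own notation (`domain(ip)`, `domain()` for an unresolved name, a trailing `- label` for reputation, including the feed's "mailcious" spelling), cross-references four rows copied from this page (tag strings shortened, host and URL lists cut down, all marked as constructed), and for the FormBook `/mvc8/` beacons reports which query parameter is constant across requests. The `HostEntry` type, the helper names and the `FAMILIES` list are this example's own assumptions.

```python
"""Turn ZeroCERT-style sandbox rows into de-duplicated, cross-referenced IOCs.

Added example; this is not ZeroCERT's code. The field layout (record ID, MD5,
tag string, host string, URL list) mirrors the rows on this page; the sample
rows below are constructed from records 15484, 15486, 15488 and 15495 with the
tag strings shortened and the host and URL lists cut down.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows: (record id, md5, tag string, host string, urls).
SAMPLE_ROWS = [
    ("15484", "3368d7af54523d7dc1901ab5d1b40a9b",
     "AgentTesla RAT PWS .NET framework KeyLogger DDNS",
     "yjune2021.duckdns.org(194.5.97.131) - mailcious 194.5.97.131 - mailcious", []),
    ("15486", "7f3a161e5830c102cf17783a66e9b6d4",
     "Emotet Malicious Library UPX PE32 Dridex TrickBot Kovter",
     "194.5.97.131 - mailcious 46.99.175.149 - mailcious 97.83.40.67 - mailcious", []),
    ("15488", "e86945ed547f642291afcf2f5c2112a0",
     "Emotet Malicious Library UPX PE32 DLL Dridex TrickBot Kovter DNS",
     "103.75.201.2 81.0.236.93 - mailcious 97.83.40.67 - mailcious 185.184.25.237", []),
    ("15495", "843f2acb5a70e82a543855e716b2ce9c",
     "FormBook Emotet Malware download Tofsee",
     "www.scoocs.info(172.217.31.147) www.lubot.net() 156.67.72.57 - phishing",
     ["http://www.scoocs.info/mvc8/?nvDHJR=gtxde&OB=QAAzND8Vxj93BCJLH8XgIAd3eRYPUgqMqPVn1TLvnMEe6LHU0Wi+2KqBt2GiAI542eN4rAsy",
      "http://www.milda.digital/mvc8/?OB=OJsT9eH3LnjQtOzGcOYPuhYjtx5qQYRTS9x0zNEiZrL4/bWrgoursir8ZWswphyaFe+G5ldc&nvDHJR=gtxde"]),
]

# Family names that occur as tags on this page (assumed list). The Emotet rows
# also carry Dridex/TrickBot/Kovter because the JA3 rule that fired is a
# "Various Trickbot/Kovter/Dridex" signature, so tag-derived families are hints.
FAMILIES = {"Emotet", "TrickBot", "Dridex", "Kovter", "LokiBot", "AgentTesla", "FormBook", "Tofsee"}

# The feed's reputation labels, with its "mailcious" spelling normalised.
LABELS = {"mailcious": "malicious", "malicious": "malicious", "malware": "malware", "phishing": "phishing"}

_DOMAIN_IP = re.compile(r"^([^\s()]+)\(([^)]*)\)$")   # domain(ip) or domain()
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class HostEntry:
    domain: Optional[str]
    ip: Optional[str]
    label: Optional[str]


def parse_hosts(host_field: str) -> list[HostEntry]:
    """Split a host cell such as 'a.com(1.2.3.4) - mailcious 5.6.7.8' into entries.

    Tokens are whitespace-separated; a trailing '- <label>' belongs to the
    preceding host, and 'domain()' means the sandbox could not resolve the name.
    """
    tokens = host_field.split()
    entries: list[HostEntry] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        label = None
        if i + 2 < len(tokens) and tokens[i + 1] == "-":
            label = LABELS.get(tokens[i + 2].lower(), tokens[i + 2].lower())
            i += 3
        else:
            i += 1
        m = _DOMAIN_IP.match(tok)
        if m:
            domain, ip = m.group(1), m.group(2) or None
        elif _IPV4.match(tok):
            domain, ip = None, tok
        else:
            domain, ip = tok, None
        entries.append(HostEntry(domain, ip, label))
    return entries


def families(tag_field: str) -> set[str]:
    """Family hints from the tag string ('AgentTesla(IN)' -> 'AgentTesla')."""
    return {t for t in re.findall(r"[A-Za-z]+", tag_field) if t in FAMILIES}


def build_iocs(rows) -> dict:
    """Index md5/ip/domain/url -> sorted record IDs, plus family hints per record."""
    index: dict[str, dict[str, set[str]]] = {k: defaultdict(set) for k in ("md5", "ip", "domain", "url")}
    fam: dict[str, list[str]] = {}
    for rec_id, md5, tags, hosts, urls in rows:
        index["md5"][md5].add(rec_id)
        fam[rec_id] = sorted(families(tags))
        for h in parse_hosts(hosts):
            if h.ip:
                index["ip"][h.ip].add(rec_id)
            if h.domain:
                index["domain"][h.domain].add(rec_id)
        for u in urls:
            index["url"][u].add(rec_id)
    out: dict = {k: {v: sorted(ids) for v, ids in m.items()} for k, m in index.items()}
    out["families"] = fam
    return out


def shared_ips(iocs: dict) -> dict[str, list[str]]:
    """IPs seen in more than one record: the first thing to pivot on."""
    return {ip: ids for ip, ids in iocs["ip"].items() if len(ids) > 1}


def constant_query_params(urls: list[str]) -> dict[str, str]:
    """Query parameters whose value is identical across every URL.

    For the /mvc8/ beacons that is nvDHJR=gtxde, while OB changes per request:
    the constant part is what a URL-based detection should key on.
    """
    common: Optional[dict[str, str]] = None
    for url in urls:
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items() if len(v) == 1}
        common = params if common is None else {k: v for k, v in common.items() if params.get(k) == v}
    return common or {}


if __name__ == "__main__":
    iocs = build_iocs(SAMPLE_ROWS)
    for ip, ids in shared_ips(iocs).items():
        print(ip, "->", ids, [iocs["families"][i] for i in ids])
    print(constant_query_params(SAMPLE_ROWS[3][4]))
```

Two caveats when using this on the full feed: the duplicate IPs across 15481 and 15488 are Emotet's static C2 list rather than evidence of a shared campaign with the AgentTesla sample in 15484, so a shared IP is a pivot to check, not a conclusion; and the family hints are only as good as the signature names they come from, so an SSLBL "Tofsee" JA3 hit or a "Various Trickbot/Kovter/Dridex" JA3 hit should not by itself relabel a sample.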