15496 |
2021-11-17 13:38
11_16(2).pcapng a91dc162e1b3a5ce9d3ecbc949f5d104 AntiDebug AntiVM OS Processor Check Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
3.4 |
guest
15497 |
2021-11-17 17:24
sample2-22c.exe f5dab510fcdeda1d81e0ece63e302e75 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware sandbox evasion Ransom Message ComputerName |
4.2 |
51 |
ZeroCERT
15498 |
2021-11-17 17:24
vbc.exe eb3c1a04e3ad5c57d32507e027432732 Loki Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
2
74f26d34ffff049368a6cff8812f86ee.gq(172.67.219.104) - mailcious 104.21.62.32 - mailcious
10
ET INFO DNS Query for Suspicious .gq Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.gq domain ET INFO HTTP Request to a *.gq domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
10.4 |
M |
22 |
ZeroCERT
15499 |
2021-11-17 17:26
ea95zSw6dmdVE5Mh.exe 458dfc1cf8a888378d0b129c117e2ea6 Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself ComputerName |
2.6 |
32 |
ZeroCERT
15500 |
2021-11-17 17:29
billion.exe 0e6b2b68110c10ec992ae04dfb70d628 RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key |
1
https://cdn.discordapp.com/attachments/893177342426509335/910054123980877824/babe.jpg
2
cdn.discordapp.com(162.159.135.233) - malware 162.159.129.233 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 |
20 |
ZeroCERT
15501 |
2021-11-17 17:29
dllhost.exe be96aa77ab7f76401001197bdb7d3e50 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Code injection AntiDebug AntiVM PE File PE32 .NET EXE Dridex TrickBot VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Kovter Windows DNS Cryptographic key crashed |
1
4
www.google.com(142.250.207.4) 202.55.133.118 13.107.21.200 172.217.25.4 - suspicious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
11.8 |
14 |
ZeroCERT
15502 |
2021-11-17 17:29
vbc.exe 7c875245a2618b56ad9f9ee5b11bc6c8 Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
14
28
1
ET MALWARE FormBook CnC Checkin (GET)
5.8 |
25 |
ZeroCERT
15503 |
2021-11-17 17:31
2906_1637086033_3996.exe 074c305083d2c589eea80e5abfe8bb6b Lazarus Family Generic Malware Themida Packer Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
202.55.133.118 45.9.20.149
8.8 |
29 |
ZeroCERT
15504 |
2021-11-17 17:33
.winlogon.exe 47d08228361cddd38a4b1835a8bc6602 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
14.0 |
21 |
ZeroCERT
15505 |
2021-11-17 17:37
oVVrfAQR2OXSaEC.exe 077ab459c72b81cb0a9180be9634d730 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
9
19
1
ET MALWARE FormBook CnC Checkin (GET)
8.0 |
23 |
ZeroCERT
15506 |
2021-11-18 07:45
3459_1636981320_8453.exe 81dedb5db683337a0adb0e0151f25f2c Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
2.2 |
50 |
ZeroCERT
15507 |
2021-11-18 07:46
F9le301G89W0s2g4jLO5 0b4d015c501a2e0ae188e475a33fcbc1 Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot Malware Report Checks debugger ICMP traffic unpack itself sandbox evasion Kovter ComputerName DNS |
20
6
ET CNC Feodo Tracker Reported CnC Server group 18 ET CNC Feodo Tracker Reported CnC Server group 17 ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 5 ET CNC Feodo Tracker Reported CnC Server group 13
5.4 |
ZeroCERT
15508 |
2021-11-18 07:48
sqlservr.exe 67ef19646c0f8efc314968cdacb5aecc PWS Loki[b] Loki.m RAT .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://188.40.209.107/~main/.j3a1Ljs5WUZih/fre.php
1
188.40.209.107 - mailcious
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
14.6 |
38 |
ZeroCERT
15509 |
2021-11-18 07:49
D6 885fb1b58445b2cb1b1a7ffed080d1bb Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot Malware Report Checks debugger unpack itself sandbox evasion Kovter ComputerName DNS |
28
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 8 ET CNC Feodo Tracker Reported CnC Server group 18 ET CNC Feodo Tracker Reported CnC Server group 13
4.6 |
ZeroCERT
15510 |
2021-11-18 07:50
4949_1636976693_455.exe e42d69acb75be7780874c9ea58e4aa46 AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted RWX flags setting unpack itself Windows DNS Cryptographic key |
3
185.184.25.237 103.8.26.102 45.142.212.122
10.2 |
40 |
ZeroCERT