| 15571 |
2021-11-18 13:51
|
 15_1637082780_2946.exe 9733aef1c8ec194a3198ab8e0130b7d4
Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15572 |
2021-11-18 13:52
|
 bird.png b56472432fa955761c7b65e7dee8ef60
UPX PE File OS Processor Check PE32 Remote Code Execution |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15573 |
2021-11-18 13:52
|
http://msg-intl.qy.net/v5/ypt/... d41d8cd98f00b204e9800998ecf8427e
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
2
http://msg-intl.qy.net/v5/ypt/dec
http://msg-intl.qy.net/favicon.ico
|
2
msg-intl.qy.net(159.138.102.146)
159.138.102.146
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
C0d3_22
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15574 |
2021-11-18 13:52
|
 1307_1637053872_8294.exe 5e435815f049849380d659c3acd2d586
RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
|
|
7.0 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15575 |
2021-11-18 13:53
|
 123_3k.exe 6d1eaa01bd0f3d10232bf630175b839b
RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.2 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15576 |
2021-11-18 13:54
|
 vbc.exe 60dcceaab4c8bc1cb2ae40251a8c392c
PWS .NET framework Generic Malware UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
2
http://www.boja.us/g2fg/?t8rL=Uvpera99IV2OzBgAl3mMHF7BadqhtVwIukChDce3tyGtvQmPDA41NDQvG4CGoBtKBH2+mXS4&1bVHT=mzrd
http://www.pointman.us/g2fg/?t8rL=1ZbWzwWDL2ZiH2u1e82kp5544c8o4bU6/Cno46UvU9Ov/ThGKN6gBzPIzbuqtbHMhKvUbk0K&1bVHT=mzrd
|
5
www.pointman.us(172.67.157.76)
www.boja.us(104.21.31.223)
www.5gmalesdf.sbs()
104.21.31.223
172.67.157.76
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.8 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15577 |
2021-11-18 13:56
|
 vbc.exe 26e5c50888216d7043a917cd84b4a5f4
Loki PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
2
http://secure01-redirect.net/gb3/fre.php - rule_id: 8005
http://secure01-redirect.net/gb3/fre.php
|
2
secure01-redirect.net(193.109.78.71)
193.109.78.71
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://secure01-redirect.net/gb3/fre.php
|
12.8 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15578 |
2021-11-18 13:56
|
 .winlogon.exe bdecfbc4b9c5903f3aed22d53243d223
Generic Malware Admin Tool (Sysinternals etc ...) UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
14.6 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15579 |
2021-11-18 13:58
|
 winlogon.exe 295acb5c48efe1c1e6c57889667737bd
Malicious Library UPX PE File PE32 OS Processor Check DLL Emotet VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
4.4 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15580 |
2021-11-18 14:00
|
 XUBS bef026b729256d39132f096b48001494
Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot Malware Report Checks debugger unpack itself Kovter ComputerName DNS |
|
28
81.0.236.90
195.154.133.20
104.251.214.46
138.185.72.26
185.184.25.237
103.75.201.2
94.177.248.64
176.104.106.96
212.237.5.209
207.38.84.195
158.69.222.101
51.68.175.8
210.57.217.132
178.79.147.66
103.8.26.103
103.8.26.102
110.232.117.186
45.142.114.231
91.200.186.228
216.158.226.206
107.182.225.142
66.42.55.5
58.227.42.236
212.237.56.116
212.237.17.99
45.118.135.203
50.116.54.215
191.252.196.221
|
5
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 8
ET CNC Feodo Tracker Reported CnC Server group 13
ET CNC Feodo Tracker Reported CnC Server group 18
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15581 |
2021-11-18 14:01
|
 vbc.exe 0a770b1e9cad5b9c83a9514bc4083aee
Loki Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
2
http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php - rule_id: 6875
http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
|
2
74f26d34ffff049368a6cff8812f86ee.ml(104.21.22.146)
104.21.22.146
|
10
ET INFO DNS Query for Suspicious .ml Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ml Domain
ET INFO HTTP Request to a *.ml domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
|
9.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15582 |
2021-11-18 14:01
|
 winbox.exe d6b53ece8c20cf28f16303c1e79bd51c
Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 Check memory Checks debugger unpack itself Check virtual network interfaces Remote Code Execution |
|
|
|
|
1.4 |
|
|
C0d3_22
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15583 |
2021-11-18 14:03
|
 Client300US.exe 50cca6dcc4b8820bc69b0fdd79a9effc
RAT PWS .NET framework Generic Malware Malicious Packer Antivirus Malicious Library UPX PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder |
1
|
2
www.google.com(142.250.196.132)
142.250.204.100
|
|
|
5.0 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15584 |
2021-11-18 14:05
|
 .csrss.exe 48230cc4b335325066ecf05f69c021da
PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://secure01-redirect.net/gb8/fre.php
|
2
secure01-redirect.net(193.109.78.71)
193.109.78.71
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
13.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15585 |
2021-11-18 14:07
|
 UnletDeejay1500.exe 3e88c11d9b4cbdf2e30c039521a3ba7d
UltraVNC Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
6.4 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|