21946 | 2023-01-22 14:16 | smss.exe | c5bafe3458d291bf09cd412eae71d481 | 15.4 | M | 36 | ZeroCERT
Tags: PWS[m] PWS Loki[b] Loki.m RAT .NET framework Socket DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://171.22.30.147/line/five/fre.php
Hosts (1): 171.22.30.147 - mailcious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response

21947 | 2023-01-22 14:14 | NCNXJ2.exe | 1b95646f069d9414608be6d31fca0c1e | 2.8 | M | 55 | ZeroCERT
Tags: RAT PE32 .NET EXE PE File VirusTotal Malware DNS
Hosts (1): 20.100.196.69 - mailcious

21948 | 2023-01-22 14:12 | 5.exe | f23ff5d9ea897d2ba65fb4e487795762 | 10.0 | M | 45 | ZeroCERT
Tags: Generic Malware Antivirus PE32 .NET EXE PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader
URLs (1): https://cdn.discordapp.com/attachments/1065559920067481620/1065560635041136640/NCNXJ2.exe
Hosts (2): cdn.discordapp.com(162.159.133.233) - malware; 162.159.130.233 - malware
Signatures (3): ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

21949 | 2023-01-22 14:10 | 2.exe | e021c2a0b08a04a19b2d878cd27c67ba | 10.0 | M | | ZeroCERT
Tags: Generic Malware Antivirus PE32 .NET EXE PE File PowerShell powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader
URLs (1): https://cdn.discordapp.com/attachments/1065559920067481620/1065560578116038686/WHost.exe
Hosts (2): cdn.discordapp.com(162.159.133.233) - malware; 162.159.134.233 - malware
Signatures (3): ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

21950 | 2023-01-22 14:07 | xlsrd.cpl | e8bab18bed7a61cadf2f0e0131329897 | 2.0 | M | 46 | ZeroCERT
Tags: Malicious Library UPX Antivirus PE32 OS Processor Check DLL PE File VirusTotal Malware PDB DNS
Hosts (1): 194.5.212.164 - mailcious

21951 | 2023-01-22 14:07 | shade2.1.exe | 37f6aa9e499c346e972f75d131ef890e | 5.4 | M | 43 | ZeroCERT
Tags: Malicious Library UPX PE32 PE File OS Processor Check Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS keylogger
Hosts (2): oneness.duckdns.org(194.5.212.164) - mailcious; 194.5.212.164 - mailcious
Signatures (4): ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound); ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin; ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

21952 | 2023-01-22 14:07 | so2game.exe | 74cd52b7a6ea76b9427da5898629a4ff | 2.6 | M | 35 | ZeroCERT
Tags: EnigmaProtector UPX PE32 PE File VirusTotal Malware DNS
Hosts (1): (none listed)

21953 | 2023-01-22 14:05 | 14141.exe | 58ccd490229a6eb997fd8bfa74dee077 | 3.2 | M | 56 | ZeroCERT
Tags: Malicious Library UPX PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself Windows RCE crashed

21954 | 2023-01-22 14:05 | micors.scr | 2f6dcf7a07419a52e28076150c868971 | 13.4 | M | 41 | ZeroCERT
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus Socket ScreenShot DNS Code injection Sniff Audio KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File Malware download AveMaria NetWireRC VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs WriteConsoleW Windows RAT ComputerName DNS Cryptographic key crashed
Hosts (1): (none listed)
Signatures (1): ET MALWARE Warzone RAT Response (Inbound)

21955 | 2023-01-22 14:04 | img-078-410-00.exe | a6280d3f50d1b373d5fa5f45247ac08b | 14.8 | M | 41 | ZeroCERT
Tags: PWS[m] RAT PWS .NET framework PDF Suspicious Link SMTP PDF AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Email ComputerName Cryptographic key
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c; https://ipinfo.io/ip
Hosts (4): apps.identrust.com(23.43.165.66); ipinfo.io(34.117.59.81); 34.117.59.81; 121.254.136.57
Signatures (3): ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)

21956 | 2023-01-22 14:02 | Y6F8h5 | 5c1d49ce048a20458519ba0b762d84c7 | 1.6 | M | 24 | ZeroCERT
Tags: Malicious Library UPX Antivirus PE32 OS Processor Check DLL PE File VirusTotal Malware PDB Checks debugger unpack itself

21957 | 2023-01-22 14:01 | 7.exe | bea17f1ca9914a3522979ab418c34f3a | 10.0 | M | 43 | ZeroCERT
Tags: Generic Malware Antivirus PE32 .NET EXE PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader
URLs (1): https://cdn.discordapp.com/attachments/1065559920067481620/1065560693295812668/WindowsDefenderSmarttScreen.exe
Hosts (2): cdn.discordapp.com(162.159.135.233) - malware; 162.159.134.233 - malware
Signatures (3): ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

21958 | 2023-01-22 14:00 | WHost.exe | 2b886cf83705877c1fae3a07a6c4339e | 16.4 | M | 52 | ZeroCERT
Tags: RAT Generic Malware task schedule Malicious Packer Antivirus AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key
Hosts (1): (none listed)

21959 | 2023-01-22 13:59 | vbc.exe | f40f44f01175541ccf44f0c9064487b4 | 8.8 | M | 45 | ZeroCERT
Tags: Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://sempersim.su/ha1/fre.php
Hosts (2): sempersim.su(46.148.39.36) - mailcious; 46.148.39.36
Signatures (9): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response

21960 | 2023-01-22 13:58 | 48.exe | 49c19748e633bbb852b7a759eaf78be3 | 1.6 | M | 35 | ZeroCERT
Tags: Themida Packer Anti_VM Malicious Library MPRESS UPX PE32 PE File VirusTotal Malware
