30931 | 2022-05-20 13:40
File: csrsrv.exe
MD5: 37710c8c1faa69416e6fd5ef93bff1b2
Tags: Emotet Gen1 Hide_EXE UPX Malicious Library PE32 PE File OS Processor Check PNG Format Browser Info Stealer Malware download VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check SectopRAT Windows Browser Backdoor ComputerName RCE DNS Cryptographic key crashed
URLs (1): not shown
Hosts (4):
  gmFMagEgnkEUxRohcPQxG.gmFMagEgnkEUxRohcPQxG()
  eth0.me(5.132.162.27)
  5.132.162.27
  34.159.232.110
Suricata alerts (1):
  ET MALWARE Arechclient2 Backdoor CnC Init
URL rule hits: none
Score: 14.4 | VT: 35 | Source: ZeroCERT

30932 | 2022-05-20 13:39
File: asdf.EXE
MD5: c7a310982da68b10360854f9cd78e718
Tags: PWS[m] PWS Loki[b] Loki.m RAT Formbook Hide_EXE UPX Malicious Library ASPack Socket ScreenShot DNS Internet API HTTP KeyLogger Http API AntiDebug AntiVM PE32 .NET EXE PE File OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Mars Stealer Stealer Windows Browser Email ComputerName crashed Downloader
URLs (6):
  http://rockphil.ac.ug/index.php - rule_id: 16324
  http://rockrock.ug/gggate.php
  http://185.215.113.89/pm.exe
  http://rockrock.ug/request
  http://185.215.113.89/dl/0414/azne_Tauzqofu.png - rule_id: 16325
  http://185.215.113.89/cc.exe
Hosts (3):
  rockrock.ug(185.215.113.89) - malicious
  rockphil.ac.ug(185.215.113.89) - malicious
  185.215.113.89 - malware
Suricata alerts (9):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  ET HUNTING Suspicious Terse Request for .bmp
  ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
URL rule hits (2):
  http://rockphil.ac.ug/index.php
  http://185.215.113.89/dl/0414/azne_Tauzqofu.png
Score: 19.2 | M | VT: 52 | Source: ZeroCERT

30933 | 2022-05-20 13:39
File: vbc.exe
MD5: 4bd0d6054b35f571797a9b8390f3bcb1
Tags: Formbook UPX AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
URLs (10):
  http://www.mentalnayaarifmetika.online/ocgr/?Jt7=WCPK4waAr5EXG8SW/rbcYrxYoSsYkto1Afd9Drm9jpJADNSd9KR9P4A2ZEhlrXip+80cdLiS&EHU40X=gbTpoN4xgh - rule_id: 16474
  http://www.gororidev.com/ocgr/?Jt7=CglZAdqKI4AKHQuCU7FdwE7dC8SMdkwEmBZeJ7l2L0O3GKLqYdKx6HbKgknW7qSwV5X0L234&EHU40X=gbTpoN4xgh - rule_id: 17608
  http://www.qhzhuhang.com/ocgr/?Jt7=yRoshgl1Kd0yap1abTFGlOR+vQLsdWkR2TaYFQ5d1mXFMep1L7dJsUXB4mJOIs4/vCavNYSF&EHU40X=gbTpoN4xgh - rule_id: 16728
  http://www.ccav11.xyz/ocgr/?Jt7=iHGDCwWKkwajeFiaocK4h8/yIB8fTb9A2eYGs12SzQOxDvZT+refwGGwhXJfsc3tlXPll4gX&EHU40X=gbTpoN4xgh - rule_id: 16733
  http://www.china-eros.com/ocgr/?Jt7=qDvYC5m4FoszFU+Vp6m5OPXfpIDlzM66LrfQrgsPi50JocG3AsatNmPzsaXlkVYqJnWne39t&EHU40X=gbTpoN4xgh - rule_id: 16732
  http://www.huvao.com/ocgr/?Jt7=1BqqsZcSeHUYuLa0ktWW1SuLtWUnTVqW01pVhrAmDJFH4s00jT11wkJDr58ul/5Cm9zwmeoo&EHU40X=gbTpoN4xgh - rule_id: 16730
  http://www.american-atlantic.net/ocgr/?Jt7=RCN0VIpPIbqX+jLn/AQqQ/q9rwjWgBzqDKQUWB8z/5wW9rduUkS+4T3/hFI0ke1BigbtdviD&EHU40X=gbTpoN4xgh - rule_id: 16584
  http://www.candybox-eru.com/ocgr/?Jt7=DU4A/HWYkvBhbTpG9k7sV4IFfO7ANwyKWVC9E+avnPVm3ivJNJVAEJXHA20gue8cQR5gvbEi&EHU40X=gbTpoN4xgh - rule_id: 17375
  http://www.14offresimportantes.com/ocgr/?Jt7=8ZdUUo4I14o7v6SqFFh6AcxVD05OKNU9/uteRgLuOzxmTEAovyPMpYOv8l2QPlwJ9BFGx0aC&EHU40X=gbTpoN4xgh - rule_id: 16936
  http://www.modelahs.com/ocgr/?Jt7=HSTVl81TnQSQZ+z58DCrY7APmHBIs552oy5/yZU1JEhYnHbXWTCUVjz2U2XNmQ77lcnK5IlZ&EHU40X=gbTpoN4xgh
Hosts (26):
  www.14offresimportantes.com(37.187.131.150)
  www.modelahs.com(92.52.218.10)
  www.kincsemto.net()
  www.candybox-eru.com(118.27.125.237)
  www.garglimited.com()
  www.doxofcolor.com()
  www.gororidev.com(99.86.207.87)
  www.qhzhuhang.com(107.186.149.66)
  www.myamazonloan.net() - malicious
  www.huvao.com(104.21.89.61)
  www.china-eros.com(107.163.199.68)
  www.mentalnayaarifmetika.online(185.68.16.179)
  www.edisson-bd.com()
  www.american-atlantic.net(3.33.152.147)
  www.ccav11.xyz(35.201.101.222)
  35.201.101.222 - malicious
  107.163.199.68 - malicious
  3.33.152.147
  54.192.175.27
  37.187.131.150 - malicious
  92.52.218.10
  107.186.149.66 - malicious
  185.68.16.179 - malicious
  103.176.113.85
  118.27.125.237 - malicious
  104.21.89.61
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
URL rule hits (9):
  http://www.mentalnayaarifmetika.online/ocgr/
  http://www.gororidev.com/ocgr/
  http://www.qhzhuhang.com/ocgr/
  http://www.ccav11.xyz/ocgr/
  http://www.china-eros.com/ocgr/
  http://www.huvao.com/ocgr/
  http://www.american-atlantic.net/ocgr/
  http://www.candybox-eru.com/ocgr/
  http://www.14offresimportantes.com/ocgr/
Score: 9.4 | M | VT: 43 | Source: ZeroCERT

30934 | 2022-05-20 13:37
File: cpwsfmvg.exe
MD5: fbdd6ec733a992431f55c00f88600fbd
Tags: [m] Generic Malware task schedule Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities WriteConsoleW Windows ComputerName Cryptographic key
URLs: none
Hosts: none
Suricata alerts: none
URL rule hits: none
Score: 8.6 | VT: 39 | Source: ZeroCERT

30935 | 2022-05-20 13:36
File: vbc.exe
MD5: c3d24ca1d36fa354df3de6ca57a979d4
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself DNS
URLs (23):
  http://www.allyouneedstore.xyz/p0ip/
  http://www.cryptomnis.com/p0ip/
  http://www.allowdrops.xyz/p0ip/
  http://www.co1l7o8vy.com/p0ip/?ndlLiZV=6TOoXCUBEI00OLJ2v0IkqEYP8Ak7kvqc5z3P/jb0y5Nd3/OUQgmnUWJin0pZyBjcN7Aa6ULf&v4at-=1bGdx4LxDxtLS0Up&SHfH=yVDtERPP
  http://www.unleashingyou-lifecoaching.com/p0ip/
  http://www.allowdrops.xyz/p0ip/?ndlLiZV=bA8/18/o/0iGirBzmXDhFL/OUmmykOiZm3SEC++o+RtQ7W5jFCo6ZADpOn30oLvPwzRp+Tpl&v4at-=1bGdx4LxDxtLS0Up&xABS=FVExIJeH
  http://www.exilings.com/p0ip/?ndlLiZV=yl/dFwJMdSceaWRi0W0NnKfJF9+pX0fjdtGqu/bS1X0jBltUbF2fKROpu7SUx2G3hqZy3uP/&v4at-=1bGdx4LxDxtLS0Up
  http://www.modelofindia.com/p0ip/?ndlLiZV=jTnPppuaMZ1HoZ6KzD1Iip5jj11YrkS86uCN+cQfi5Hp16rqQ2XNIby0ZfJ3d8J/Ac2KA5et&v4at-=1bGdx4LxDxtLS0Up&xQGV=0T3lvHfX
  http://www.tjkt8.com/p0ip/?ndlLiZV=/nGvWTz6DV0e/9gpebojwxydOIry15ThwqcEi0r2QdeZ756mjvubiiGf9XIzpvaeRq/0Os6U&v4at-=1bGdx4LxDxtLS0Up&wLOT=-ZvPMplP
  http://www.yustunning.com/p0ip/
  http://www.unleashingyou-lifecoaching.com/p0ip/?ndlLiZV=19lq8R7h13lfkSAyCUuAmCqzZXWAStdmJc/tI8v9Q6E9O8G0co7M14/yVJDsEplNLDGL06UW&v4at-=1bGdx4LxDxtLS0Up&tvLg=gbtx6bZH
  http://www.claris-studio.cloud/p0ip/?ndlLiZV=ZGnBy5Z0ttcTRq4htgRCrece1m8F9IuBR3JJANp8NpQMtcgccah7Tn8PHKe5ox5u+dYNNI9j&v4at-=1bGdx4LxDxtLS0Up&B0lc=t8eT0PpX
  http://www.tjkt8.com/p0ip/
  http://www.allyouneedstore.xyz/p0ip/?ndlLiZV=CDhfe6DaxWKDNWY2qb2gtTZFP733Xb+Qcka5A5JsfNJiWRSRTH/LqA/CqBIEVVfG4QqIeoQk&v4at-=1bGdx4LxDxtLS0Up&Tj1h=2dmH-tAh
  http://www.claris-studio.cloud/p0ip/
  http://www.hidinginplainsight.digital/p0ip/?ndlLiZV=qukW209GbqUzJ3O6Nt6aMZtsyRSJCKw2PVXi+aAmtwOxY2LUOvtsctYoEUZb5ik+2Z5jFPyL&v4at-=1bGdx4LxDxtLS0Up&jm8e=dzrXEJ20
  http://www.cryptomnis.com/p0ip/?ndlLiZV=afYEiXLcgNxv5urPpopWNOSFMUQuzsk1Gi9ko/kZj91YZQe5VTOSuQVdM+qBwUR/OVRTLbsh&v4at-=1bGdx4LxDxtLS0Up&jYkL=4hlti0Jp
  http://www.beamaster.info/p0ip/?ndlLiZV=qxrnwwIJiftwK0JhBIX6gKsCcuRe0nZ8C0jtfWZwP3QVk5QIEhmdc2JROB7F/SAUCcQeAWX+&v4at-=1bGdx4LxDxtLS0Up&hjmJ=GT0PC280
  http://www.co1l7o8vy.com/p0ip/
  http://www.beamaster.info/p0ip/
  http://www.modelofindia.com/p0ip/
  http://www.hidinginplainsight.digital/p0ip/
  http://www.yustunning.com/p0ip/?ndlLiZV=3yWzJACcMRxJ7LW6h/fS39XU15hbhguZ/2QvZyzEvkBMJuj3zWBbm4/rdT02hE/fbh6NSYxA&v4at-=1bGdx4LxDxtLS0Up&tujX=cbRld0AP
Hosts (24):
  www.hidinginplainsight.digital(34.102.136.180)
  www.beamaster.info(109.234.164.72)
  www.claris-studio.cloud(213.186.33.5)
  www.allowdrops.xyz(198.54.117.217)
  www.alaskanwave.net()
  www.cryptomnis.com(34.102.136.180)
  www.co1l7o8vy.com(54.248.8.29)
  www.allyouneedstore.xyz(23.227.38.74)
  www.exilings.com(162.0.223.36)
  www.yustunning.com(23.227.38.74)
  www.tjkt8.com(23.235.165.144)
  www.xiangqinmao.com()
  www.modelofindia.com(3.64.163.50)
  www.unleashingyou-lifecoaching.com(34.102.136.180)
  www.nft-id.net()
  162.0.223.36
  198.54.117.211 - phishing
  54.248.8.29
  34.102.136.180 - malicious
  213.186.33.5 - malicious
  109.234.164.72
  3.64.163.50 - malicious
  23.227.38.74 - malicious
  23.235.165.144
Suricata alerts (4):
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET INFO Observed DNS Query to .cloud TLD
  ET INFO HTTP Request to Suspicious *.cloud Domain
  ET MALWARE FormBook CnC Checkin (GET)
URL rule hits: none
Score: 8.0 | VT: 45 | Source: ZeroCERT

30936 | 2022-05-20 13:35
File: vbc.exe
MD5: 0ffe5b11dd9dd40ecd5351b0b49d740c
Tags: PWS[m] RAT PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
URLs: none
Hosts: none
Suricata alerts: none
URL rule hits: none
Score: 9.0 | VT: 25 | Source: ZeroCERT

30937 | 2022-05-20 13:35
File: MMgPaaTLnCEW9ld.exe
MD5: dd85efd89363d750152bd9216dd9141d
Tags: Formbook RAT PWS .NET framework AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows Cryptographic key
URLs (7):
  http://www.mevabedungnga.store/qg2u/?Mjn4iLj0=xuXyia/8G4N/pWNgwBnc1tcS5+95qUaBdS/r3U7KWMiGNwpspCsdcm5OUBF6/S12o0iQlDS9&NTxxQD=Ip9Dkd
  http://www.klostop.com/qg2u/?Mjn4iLj0=AWGmSfY/GP3Mzb4VKMFFII2SLdNErEIaWmBHwe1nAScaf62C3iLxX0rnYeN7cXthRRDJ6jiW&NTxxQD=Ip9Dkd
  http://www.tumpiums.com/qg2u/?Mjn4iLj0=wmSREH1CIA6LyCESY0aFEeb8PraVXrkj7lk8FDyKbw5t01e2W1K1duOQeiDPxvgOdgrHFo0E&NTxxQD=Ip9Dkd
  http://www.noni-sok.com/qg2u/?Mjn4iLj0=EtImqYq3h7/fBIPxO2EYnOECvTRQhemY7hskLQ8CBXMp8FOPrFX/G6mR0t8gL4HLz/7u4eIX&NTxxQD=Ip9Dkd
  http://www.pedro-china.com/qg2u/?Mjn4iLj0=cUMmiXG1BRxKBvNY3K90TzJqaOS8osTvg97/3BLH3KdQorrWbNRexIiu0W1+75UZ/Y/p3WnH&NTxxQD=Ip9Dkd
  http://www.ziperpay.com/qg2u/?Mjn4iLj0=fbBOSZaqv+JG5RlmUEG7FQp5TbHnmkCb3bDynOtP+7MIESxrCWZ5W2f0FWfm8RahUkau4miW&NTxxQD=Ip9Dkd
  http://www.firatambalaj.online/qg2u/?Mjn4iLj0=zkbYrFqk0mfHvYDhlTPCYaoD6in6sncQ2yolZoQ8DjJqqKwYs/oHgdHDwCqI2ylQeFVfTstS&NTxxQD=Ip9Dkd
Hosts (14):
  www.mevabedungnga.store(13.250.255.10)
  www.tumpiums.com(66.29.155.51)
  www.ginx74.com()
  www.ziperpay.com(34.102.136.180)
  www.firatambalaj.online(93.89.226.17)
  www.klostop.com(34.102.136.180)
  www.noni-sok.com(154.88.73.219)
  www.pedro-china.com(154.221.96.146)
  154.221.96.146
  154.88.73.219
  34.102.136.180 - malicious
  13.250.192.238 - malicious
  93.89.226.17 - malicious
  66.29.155.51
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
URL rule hits: none
Score: 10.2 | VT: 39 | Source: ZeroCERT

30938 | 2022-05-20 13:35
File: domla.exe
MD5: aee375e4146251b66ba38231c842eb87
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself DNS
URLs (2):
  http://www.c8wl4.icu/sh30/?ElS=32m7mfAEDVP/GHUXHD+8od+jrQQbAdOAxR+qPOYIv6yQ2z5VB8MPplP7k4z9JD4v5HtP7E97&Qtu=JlzpxZHpbLV - rule_id: 16052
  http://www.vs368.com/sh30/?ElS=H4tMHU755tPJ5yzd3Ew6DVGstGcr6734abZdejQYMRhvD/07Sx7qYkYpXzn94LNWSvgEvl3U&Qtu=JlzpxZHpbLV
Hosts (6):
  www.thedirectmedia.com() - malicious
  www.fastted.info()
  www.vs368.com(156.234.222.237)
  www.c8wl4.icu(192.151.226.170)
  156.234.222.237
  192.151.226.170 - malicious
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO DNS Query for Suspicious .icu Domain
URL rule hits (1):
  http://www.c8wl4.icu/sh30/
Score: 5.6 | M | VT: 36 | Source: ZeroCERT

30939 | 2022-05-20 13:34
File: .wininit.exe
MD5: 6fe5d177bbb51993bd295d3246551743
Tags: Loki PWS[m] PWS Loki[b] Loki.m RAT Socket DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://sempersim.su/gf8/fre.php - rule_id: 16816
Hosts (2):
  sempersim.su(45.10.245.123) - malicious
  45.10.245.123 - malicious
Suricata alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
URL rule hits (1):
  http://sempersim.su/gf8/fre.php
Score: 13.0 | M | VT: 27 | Source: ZeroCERT

30940 | 2022-05-20 13:34
File: vbc.exe
MD5: 765610beaf98118cdb0ce8c382c3f22e
Tags: Formbook UPX AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (11):
  http://www.ageofcryptos.com/ocgr/?rVIHm=/7YxqUa9m6G+5RhPxc9MRqyWJ3uHfA/CqbgrUyjJCZIsasmpWtsD/jId67xFo7gVLCDNXM6H&AR0lIJ=3fyte - rule_id: 16467
  http://www.mentalnayaarifmetika.online/ocgr/?rVIHm=WCPK4waAr5EXG8SW/rbcYrxYoSsYkto1Afd9Drm9jpJADNSd9KR9P4A2ZEhlrXip+80cdLiS&AR0lIJ=3fyte - rule_id: 16474
  http://www.012skz.xyz/ocgr/?rVIHm=fwUI6HO3GwC4ho+rCOt8uOG3y4OFFQo345CiduuW6M0Z98al2Ps32D1azflCF88VS0ULZChE&AR0lIJ=3fyte - rule_id: 16470
  http://www.modelahs.com/ocgr/?rVIHm=HSTVl81TnQSQZ+z58DCrY7APmHBIs552oy5/yZU1JEhYnHbXWTCUVjz2U2XNmQ77lcnK5IlZ&AR0lIJ=3fyte
  http://www.gororidev.com/ocgr/?rVIHm=CglZAdqKI4AKHQuCU7FdwE7dC8SMdkwEmBZeJ7l2L0O3GKLqYdKx6HbKgknW7qSwV5X0L234&AR0lIJ=3fyte - rule_id: 17608
  http://www.xn--hj2bz6fwvan2be1g5tb.com/ocgr/?rVIHm=zPygAtD6WBCktZtQPXlKDZlA/HZsirEX7sR/nsRGa9MzDbsKrwIos3cOQacdXIV3zcQlF33/&AR0lIJ=3fyte - rule_id: 16731
  http://www.climatecheckin.com/ocgr/?rVIHm=my2q1NuXctYKCs6DXvTb6ruw/KDTz60d6WsIAMY2C0rj0xG2SWCvi9uVAHS2wYSWFYS9icCP&AR0lIJ=3fyte - rule_id: 16472
  http://www.anotherdegen.com/ocgr/?rVIHm=+BiMKbsJy6ic3OU3y1/RElnpQoxU6WmXsHnY/bR1ZGxNfbIN4+jLHkkx2sSeY8A8ujZh0BsT&AR0lIJ=3fyte - rule_id: 16734
  http://www.ccav11.xyz/ocgr/?rVIHm=iHGDCwWKkwajeFiaocK4h8/yIB8fTb9A2eYGs12SzQOxDvZT+refwGGwhXJfsc3tlXPll4gX&AR0lIJ=3fyte - rule_id: 16733
  http://www.dreamonetnpasumo1.xyz/ocgr/?rVIHm=tMAm4LsigZ52kuHo581PUM09YWd13i7DIh2byjUU9EFdaI+IsZMQmPE2OL6XDpuPOXVAnOsn&AR0lIJ=3fyte - rule_id: 17366
  http://www.qhzhuhang.com/ocgr/?rVIHm=yRoshgl1Kd0yap1abTFGlOR+vQLsdWkR2TaYFQ5d1mXFMep1L7dJsUXB4mJOIs4/vCavNYSF&AR0lIJ=3fyte - rule_id: 16728
Hosts (25):
  www.modelahs.com(92.52.218.10)
  www.012skz.xyz(172.247.0.172)
  www.dreamonetnpasumo1.xyz(150.95.255.38)
  www.ageofcryptos.com(62.149.128.40)
  www.gororidev.com(99.86.207.5)
  www.demetbatmaz.com() - malicious
  www.qhzhuhang.com(107.186.149.66)
  www.xn--hj2bz6fwvan2be1g5tb.com(61.14.208.3)
  www.mentalnayaarifmetika.online(185.68.16.179)
  www.souplant.com(185.255.121.5)
  www.climatecheckin.com(172.217.31.179)
  www.ccav11.xyz(35.201.101.222)
  www.anotherdegen.com(198.54.117.211)
  172.217.31.179 - suspicious
  23.224.179.6
  35.201.101.222 - malicious
  61.14.208.3 - malicious
  99.86.207.7
  92.52.218.10
  150.95.255.38 - malicious
  107.186.149.66 - malicious
  185.255.121.5 - malicious
  198.54.117.217 - phishing
  185.68.16.179 - malicious
  62.149.128.40 - malicious
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
URL rule hits (10):
  http://www.ageofcryptos.com/ocgr/
  http://www.mentalnayaarifmetika.online/ocgr/
  http://www.012skz.xyz/ocgr/
  http://www.gororidev.com/ocgr/
  http://www.xn--hj2bz6fwvan2be1g5tb.com/ocgr/
  http://www.climatecheckin.com/ocgr/
  http://www.anotherdegen.com/ocgr/
  http://www.ccav11.xyz/ocgr/
  http://www.dreamonetnpasumo1.xyz/ocgr/
  http://www.qhzhuhang.com/ocgr/
Score: 9.4 | M | VT: 27 | Source: ZeroCERT

30941 | 2022-05-20 13:30
File: rtst1058.exe
MD5: 3d955768ec92553ed5ce8763951ea94b
Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
URLs: none
Hosts: none
Suricata alerts: none
URL rule hits: none
Score: 2.4 | VT: 42 | Source: ZeroCERT

30942 | 2022-05-20 13:29
File: .winlogon.exe
MD5: e5de3d7a842f077da31aec68eec0a6e5
Tags: PWS[m] RAT NPKI email stealer Socket DNS Code injection KeyLogger Downloader Escalate privileges persistence AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key crashed
URLs: none
Hosts (1): not shown
Suricata alerts: none
URL rule hits: none
Score: 11.2 | VT: 38 | Source: ZeroCERT

30943 | 2022-05-20 13:27
File: 7
MD5: a779b4298cfb967f3dad8155e41bb53c
Tags: Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot ENERGETIC BEAR Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process AntiVM_Disk VM Disk Size Check Kovter Windows ComputerName DNS crashed
URLs: none
Hosts (10):
  94.23.45.86 - malicious
  201.94.166.162 - malicious
  159.65.88.10 - malicious
  209.97.163.214 - malicious
  131.100.24.231 - malicious
  150.95.66.124 - malicious
  173.239.37.178 - malicious
  172.105.70.96 - malicious
  149.56.131.28 - malicious
  89.29.244.7 - malicious
Suricata alerts (5):
  ET CNC Feodo Tracker Reported CnC Server group 5
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 6
  ET INFO TLS Handshake Failure
  ET CNC Feodo Tracker Reported CnC Server group 24
URL rule hits: none
Score: 7.4 | VT: not shown | Source: ZeroCERT

30944 | 2022-05-20 13:26
File: wlanext32.exe
MD5: c62851430b3ba42e3f5137a554596167
Tags: Malicious Packer Malicious Library PE File PE64 VirusTotal Malware Checks debugger RCE crashed
URLs: none
Hosts: none
Suricata alerts: none
URL rule hits: none
Score: 2.0 | VT: 21 | Source: ZeroCERT

30945 | 2022-05-20 13:22
File: smss.exe
MD5: ac918dea5d3998bb8794d4826ffc0b79
Tags: Loki PWS[m] PWS Loki[b] Loki.m RAT .NET framework Socket DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://sempersim.su/gf16/fre.php - rule_id: 17217
Hosts (2):
  sempersim.su(45.10.245.123) - malicious
  45.10.245.123 - malicious
Suricata alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
URL rule hits (1):
  http://sempersim.su/gf16/fre.php
Score: 14.4 | M | VT: 26 | Source: ZeroCERT
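The host and URL fields of these records are exported as single whitespace-joined strings: hosts as `name(ip)` or bare IPv4 addresses, each optionally followed by ` - <tag>`, and URLs optionally followed by ` - rule_id: N`. The following is an added example, not ZeroCERT's own code, of turning those strings into structured IOCs so they can be deduplicated and fed to a blocklist. The field layout is inferred from the records on this page; treating `name()` as "no DNS resolution observed" is an assumption, as is the normalisation of the export's "mailcious" spelling to "malicious". The sample input is the host and URL text of record 30938 above.

```python
"""Parse the flattened host/URL fields of a ZeroCERT-style sandbox record.

Added example (not ZeroCERT code). Layout inferred from the records on the
page: hosts are "name(ip)" or bare IPv4, optionally followed by " - tag";
URLs are optionally followed by " - rule_id: N".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Sample input: the host and URL fields of record 30938 as the export shows
# them (the export spells the tag "mailcious"; parse_hosts() normalises it).
SAMPLE_HOSTS = (
    "www.thedirectmedia.com() - mailcious www.fastted.info() "
    "www.vs368.com(156.234.222.237) www.c8wl4.icu(192.151.226.170) "
    "156.234.222.237 192.151.226.170 - mailcious"
)
SAMPLE_URLS = (
    "http://www.c8wl4.icu/sh30/?ElS=32m7mfAEDVP/GHUXHD+8od+jrQQbAdOAxR+qPOYIv6yQ2z5VB8MPplP7k4z9JD4v5HtP7E97&Qtu=JlzpxZHpbLV - rule_id: 16052 "
    "http://www.vs368.com/sh30/?ElS=H4tMHU755tPJ5yzd3Ew6DVGstGcr6734abZdejQYMRhvD/07Sx7qYkYpXzn94LNWSvgEvl3U&Qtu=JlzpxZHpbLV"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Either "name(<ip or empty>)" or a bare IPv4, then an optional " - tag".
HOST_RE = re.compile(
    rf"(?:(?P<name>[^\s()]+)\((?P<ip>{IPV4})?\)|(?P<bare>{IPV4}))"
    r"(?:\s+-\s+(?P<tag>[A-Za-z]+))?"
)
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")

# Assumption: the export's "mailcious" is a misspelling of "malicious".
TAG_FIXES = {"mailcious": "malicious"}


@dataclass(frozen=True)
class Host:
    name: str              # domain, or the IP itself for bare-IP entries
    ip: Optional[str]      # None for "name()" (assumed: no resolution seen)
    tag: Optional[str]     # e.g. "malicious", "phishing", "suspicious"


@dataclass(frozen=True)
class Url:
    url: str
    rule_id: Optional[int]


def parse_hosts(text: str) -> List[Host]:
    """Split the host field into Host records, normalising known tag typos."""
    hosts = []
    for m in HOST_RE.finditer(text):
        tag = m.group("tag")
        tag = TAG_FIXES.get(tag, tag) if tag else None
        if m.group("bare"):
            hosts.append(Host(m.group("bare"), m.group("bare"), tag))
        else:
            hosts.append(Host(m.group("name"), m.group("ip"), tag))
    return hosts


def parse_urls(text: str) -> List[Url]:
    """Split the URL field into Url records, keeping the matched rule_id."""
    return [Url(m.group("url"), int(m.group("rule")) if m.group("rule") else None)
            for m in URL_RE.finditer(text)]


def base_url(url: str) -> str:
    """Drop the query string: the record's 'URL rule hits' field shows URLs
    in this scheme://host/path form."""
    s = urlsplit(url)
    return f"{s.scheme}://{s.netloc}{s.path}"


def summarize(hosts: List[Host], urls: List[Url]) -> Dict[str, object]:
    """Deduplicated IOC sets suitable for a blocklist export."""
    return {
        "domains": {h.name for h in hosts if h.name != h.ip},
        "ips": {h.ip for h in hosts if h.ip},
        "tagged": {(h.name, h.tag) for h in hosts if h.tag},
        "unresolved": {h.name for h in hosts if h.ip is None},
        "rule_hits": {u.url: u.rule_id for u in urls if u.rule_id is not None},
        "c2_paths": {base_url(u.url) for u in urls},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_hosts(SAMPLE_HOSTS),
                                parse_urls(SAMPLE_URLS)).items():
        print(f"{key}: {sorted(map(str, value))}")
```

Bare IPs are kept as separate entries from the `name(ip)` pairs rather than merged, because the export lists them separately and a tag on the bare IP (here `192.151.226.170 - malicious`) does not appear on the domain entry that resolved to it; merging would silently propagate or drop a tag.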