30946 | 2022-05-20 13:22 | Adetij.exe | 34762bcb146dc13c3b1c33b1d0b2ffab
Tags: RAT Generic Malware Antivirus PE File PE64 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  http://thddghdd1.com/Iebjg_Vscqefpm.png
Hosts (2):
  thddghdd1.com(31.31.196.4)
  31.31.196.4 - mailcious
6.8 | 31 | ZeroCERT

30947 | 2022-05-20 13:20 | cop.exe | ee22e44649d164a89bdb5ff6ba8410ae
Tags: RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself WriteConsoleW DNS
URLs (3):
  http://uacdrc.cf/n/Lcang_Qarrkkgi.png
  http://www.lqunnew.com/rx29/?lZ6l=tlAkrDQ7fwbEJS3Hr8zrfc95eA87tCkz9dtgGcCaS9Im0s+iFJ0ue5ctkukzeula70a118sC&vRipR=7nGx66NPeB
  http://www.jasonid.com/rx29/?lZ6l=mHcFwNUVijBkQGx6cjD2hjPUY0thYO+cSfzHyL6zjWc4PIuCSTZNKMVOvZC7qqAHoen1iJ6S&vRipR=7nGx66NPeB
Hosts (7):
  www.lqunnew.com(156.238.103.4)
  uacdrc.cf(192.185.174.177)
  www.jasonid.com(13.115.25.84)
  www.beadilowa.store()
  192.185.174.177 - malware
  13.115.25.84 - mailcious
  156.238.103.4
Signatures (3):
  ET INFO DNS Query for Suspicious .cf Domain
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .CF Domain with Minimal Headers
3.4 | 41 | ZeroCERT

30948 | 2022-05-20 13:19 | euload.exe | b6faf276b5309500ce7e52fb7053722b
Tags: Gen2 Gen1 UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware
0.8 | 22 | ZeroCERT

30949 | 2022-05-20 13:18 | koboko.exe | 57e6d8c2eb8585c0250814c8a8be2b9b
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
URLs (3):
  http://www.ratiousa.com/nk6l/?W6A=6GBxKScpkglvou3hO7CxwWbEZSd+ssVnkLpJ/0dp5eWQyu9ro9An6y61ImYTL0mAbqPwNFD6&5j=GVoxstTXhHU8vz - rule_id: 8596
  http://www.427521.com/nk6l/?W6A=S//+tPDJemxBQ2XP913JHZo0zUCq5MIVLyjFXr6RkOniHrvRduhSuxtZBcTOhHOFA2Gb26RB&5j=GVoxstTXhHU8vz
  http://www.poeticdaily.com/nk6l/?W6A=rVD8+QajG6hBV5DMpuwEZ0RCKhEDH8x71UIWoVFRrcLN1VQdus1DI2AqPYOGAxFyY53e8M0A&5j=GVoxstTXhHU8vz - rule_id: 6235
Hosts (8):
  www.storyofsol.com()
  www.poeticdaily.com(34.102.136.180)
  www.semapisus.xyz()
  www.ratiousa.com(3.134.153.35)
  www.427521.com(1.32.253.110)
  3.134.153.35
  34.102.136.180 - mailcious
  1.32.253.110
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (2):
  http://www.ratiousa.com/nk6l/
  http://www.poeticdaily.com/nk6l/
5.8 | M | 41 | ZeroCERT

30950 | 2022-05-20 13:17 | rmaa1045.exe | 7a40a64fe13828c7d84f38c5c014b6f3
Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
2.2 | 39 | ZeroCERT

30951 | 2022-05-20 13:16 | mo.exe | e1ca14960f10e03626452fffbe57a87f
Tags: RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic ICMP traffic unpack itself WriteConsoleW DNS
URLs (3):
  http://www.coastalprecisionpainting.com/rx29/?X48xI8ZX=zHCO7pkqkEsXRaEtaq3NMLg2kEfwcfvgNPJNt7zNRAQ1QSuaywxNqZAS3bVTeKiTQ+PvBfZw&Ez=ltCpO81
  http://uacdrc.cf/m/Hjacjj_Saknuvuf.png
  http://www.sverigeochvarlden.com/rx29/?X48xI8ZX=9OJdw6AqaLFu2CpTEaL60IC+kV8XOuE0/iJQW1PtG6+ocC4VtnQuwuhzCtKdssjBA9XKIvBj&Ez=ltCpO81
Hosts (6):
  uacdrc.cf(192.185.174.177)
  www.sverigeochvarlden.com(54.38.220.85)
  www.coastalprecisionpainting.com(216.239.32.21)
  192.185.174.177 - malware
  54.38.220.85 - mailcious
  216.239.32.21 - mailcious
Signatures (3):
  ET INFO DNS Query for Suspicious .cf Domain
  ET HUNTING Request to .CF Domain with Minimal Headers
  ET MALWARE FormBook CnC Checkin (GET)
4.2 | 41 | ZeroCERT

30952 | 2022-05-20 13:15 | rtst1079.exe | d0843a99636d4ea881efc2a2aa215f13
Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
2.0 | 20 | ZeroCERT

30953 | 2022-05-20 11:33 | tsusbhub.sys | cc6d4a26254eb72c93ac848ecfcfb4af
Tags: PE File PE64 PDB RCE
0.6 | guest

30954 | 2022-05-20 11:24 | tsusbhub.sys | cc6d4a26254eb72c93ac848ecfcfb4af
Tags: PE File PE64 PDB RCE
0.6 | guest

30955 | 2022-05-20 11:00 | vbc.exe | 0c5c5af36d67e89a321bff54e6f6e431
Tags: Loki UPX Malicious Library PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://sempersim.su/gg1/fre.php - rule_id: 17804
Hosts (2):
  sempersim.su(45.10.245.123) - mailcious
  45.10.245.123 - mailcious
Signatures (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://sempersim.su/gg1/fre.php
10.0 | M | 42 | ZeroCERT

30956 | 2022-05-20 10:58 | vbc.exe | 4cdaf23ecd5a6a6ac3710f263395e9dc
Tags: PWS[m] PWS Loki[b] Loki.m DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://sempersim.su/gg2/fre.php
Hosts (2):
  sempersim.su(45.10.245.123) - mailcious
  45.10.245.123 - mailcious
Signatures (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
14.0 | 21 | ZeroCERT

30957 | 2022-05-20 10:56 | men.exe | 45edc34840d4064a30068fbce08d3216
Tags: PWS[m] RAT PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts (1):
  ftp.amalgama-com.gq() - mailcious
Signatures (1):
  ET INFO DNS Query for Suspicious .gq Domain
12.2 | 32 | ZeroCERT

30958 | 2022-05-20 10:56 | vc.exe | 601cb87d67c4a5061370292274d4c8cf
Tags: PE32 .NET EXE PE File VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
6.4 | 32 | ZeroCERT

30959 | 2022-05-20 10:54 | .wininit.exe | 76b37fd531e91dde71258126c47cd3f1
Tags: Loki PWS[m] PWS Loki[b] Loki.m .NET framework DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://sempersim.su/gf2/fre.php - rule_id: 16952
Hosts (2):
  sempersim.su(45.10.245.123) - mailcious
  45.10.245.123 - mailcious
Signatures (9):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Rule-matched URLs (1):
  http://sempersim.su/gf2/fre.php
13.8 | M | 41 | ZeroCERT

30960 | 2022-05-20 10:54 | rtst1087.exe | 1f6c28a22d4252ae27e3c147bc7e5f5b
Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
2.0 | 21 | ZeroCERT