30961 | 2022-05-20 10:53 | vbc.exe | MD5 e2af2968f48cda473f9d64b989c4e2da | Score 7.0 | M | 36 | ZeroCERT
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
URLs (7):
  http://www.beam-birds.com/ud5f/?NXeTz=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&UlSp=GVgT1hYhBj_tmD&Ab0L=OVODAhqH - rule_id: 17415
  http://www.beam-birds.com/ud5f/ - rule_id: 17415
  http://www.bupabii.site/ud5f/?NXeTz=ALfx5VHPAmLJvR2PmDqxYgHynhZL+44fq/2dYcj3tIi9cyGy7ldYS7x5wMMPmf8J2NKK6TeT&UlSp=GVgT1hYhBj_tmD&TYIw=2deHz4Lp - rule_id: 17453
  http://www.topings33.com/ud5f/?NXeTz=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&UlSp=GVgT1hYhBj_tmD - rule_id: 17411
  http://www.trinityhomesolutionsok.com/ud5f/?NXeTz=d4rw7sxjDzEtx0cWy9KhsrAKz6NcO/dyweSsDbp+XQjURwGxqf7SQIXUSnVgZkPR6XcgGAI2&UlSp=GVgT1hYhBj_tmD
  http://www.bupabii.site/ud5f/ - rule_id: 17453
  http://www.mitrachocloud.com/ud5f/?NXeTz=dvPOeeOMFyRe5DlDhcEIH/wWv29SUESn2RfxJ6FzLkAlPBveMi7awguc7ngn9aDQsIqt875z&UlSp=GVgT1hYhBj_tmD
Hosts (16):
  www.ruibaituobj.com()
  www.schoolmink.online()
  www.02d1qp.xyz()
  www.trinityhomesolutionsok.com(104.21.30.184)
  www.bjyunjian.com()
  www.topings33.com(162.0.230.89)
  www.mitrachocloud.com(139.162.7.23)
  www.beam-birds.com(173.201.181.53)
  www.bupabii.site(104.21.5.119)
  www.sh09.fyi(49.0.246.21)
  173.201.181.53 - malicious
  49.0.246.21
  162.0.230.89 - malicious
  104.21.30.184
  172.67.133.98 - malicious
  139.162.7.23
Suricata (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET MALWARE FormBook CnC Checkin (POST) M2
Rule-matched URLs (5):
  http://www.beam-birds.com/ud5f/
  http://www.beam-birds.com/ud5f/
  http://www.bupabii.site/ud5f/
  http://www.topings33.com/ud5f/
  http://www.bupabii.site/ud5f/

30962 | 2022-05-20 10:52 | .svchost.exe | MD5 ac5b584f655fe8280f459f224cc7fdfb | Score 3.8 | - | 36 | ZeroCERT
Tags: RAT UPX Malicious Library PE32 PE File PNG Format .NET DLL DLL GIF Format PE64 VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder DNS crashed
URLs: none
Hosts (1): entry not shown in the listing
Suricata: none
Rule-matched URLs: none

30963 | 2022-05-20 10:50 | .winlogon.exe | MD5 28e77704f58f711c65d20a47464ba331 | Score 12.2 | - | 32 | ZeroCERT
Tags: PWS[m] NPKI email stealer DNS Code injection KeyLogger Downloader Escalate privileges persistence AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key crashed
URLs: none
Hosts (1): entry not shown in the listing
Suricata: none
Rule-matched URLs: none

30964 | 2022-05-20 10:49 | vbc.exe | MD5 3369ce745b233c6036e13b9b9cea8478 | Score 10.0 | M | 43 | ZeroCERT
Tags: Loki UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php - rule_id: 13544
Hosts (2):
  vmopahtqdf84hfvsqepalcbcch63gdyvah.ml(172.67.193.224) - malicious
  104.21.60.79 - malicious
Suricata (8):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ml Domain
  ET INFO HTTP Request to a *.ml domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

30965 | 2022-05-20 10:47 | vbc.exe | MD5 aa6422a82c0bf522ed68ecbedf0755c4 | Score 9.8 | M | 34 | ZeroCERT
Tags: Loki UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php - rule_id: 13544
Hosts (2):
  vmopahtqdf84hfvsqepalcbcch63gdyvah.ml(104.21.60.79) - malicious
  172.67.193.224
Suricata (8):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ml Domain
  ET INFO HTTP Request to a *.ml domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

30966 | 2022-05-20 10:47 | HOU.exe | MD5 eee453d683008409740a96e247fc9f2b | Score 2.4 | - | 40 | ZeroCERT
Tags: Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself RCE
URLs: none
Hosts: none
Suricata: none
Rule-matched URLs: none

30967 | 2022-05-20 10:46 | vbc.exe | MD5 44a6829e3ee6c5d98fccde99b502f7e2 | Score 9.4 | - | 25 | ZeroCERT
Tags: Formbook RAT UPX AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD Windows DNS Cryptographic key
URLs (15):
  http://www.responsabilities.com/be4o/?1bVTT=c79BKz3l0TUHIePz50u8I/cg2rCXi7QsRFuGaadjXwgEMh5ES6RiTR+uvdq0pi6horyW4JF/&TVg8Al=tFNXBt2HlNPD&A8-L=eHiptfYp
  http://www.apexges.com/be4o/?1bVTT=D8dCniqxftMTif+lJ7sUUP3WxBpI6ZoUm1DKaosvxbrB8SuGPOVYD57BRA+mT8npXF2P99mT&TVg8Al=tFNXBt2HlNPD
  http://www.minecraftrojectx.site/be4o/?1bVTT=GuFakCEe2pH6cDbQlHI06MgJXPf5H9hhIroyd+I9Bu1VrpuTuRJ64u5Va559A0pD9oZsGPYA&TVg8Al=tFNXBt2HlNPD&i-4B=j48tLzUh
  http://www.qiyeweiiliaoo0428.com/be4o/?1bVTT=zlr8H5ZL5tcq7tK4rjie6LuQuVIN9wd37IGvbfgFABeWvsXjeHfnIrf1BI3fLei+135r2DOi&TVg8Al=tFNXBt2HlNPD
  http://www.unta.xyz/be4o/?1bVTT=mG8VQJtAnJCZDVrbYGLei0RUM//bMy6T7rbVwn9F/6CaarCguZfKrxhnBGB6hl6nebYD6m5j&TVg8Al=tFNXBt2HlNPD&Pa-V=5jqLWPSH
  http://www.bravesxx.com/be4o/?1bVTT=KCg19jo7xRRw+FLnrwF93z6AQmSzQw6ZT+zQHEo7E7H0SZ15yKP28G9BC1I8kfE3hzubJ2gr&TVg8Al=tFNXBt2HlNPD
  http://www.moviesquery.com/be4o/
  http://www.96238.top/be4o/?1bVTT=8qcXA4SuAAQ+hk1FcRQ5DZaCzhPsDt/8GjK3arru4e9jUeOIe73JiMd+Hhi4Bt9KfItTWRCo&TVg8Al=tFNXBt2HlNPD
  http://www.pristinefarmlands.com/be4o/?1bVTT=i6dBrs3PAGxU+6SxVrLOYfDG0aRZa4RMghtXYnmjVxCR7Gt1uoQ9AZ2gqQ9jeHU0Y0AkfO2p&TVg8Al=tFNXBt2HlNPD
  http://www.minecraftrojectx.site/be4o/
  http://www.doorsmm.com/be4o/?1bVTT=4f3kHkcThPHDG9+3ZkRI9N07UJsat4k54P6xquGkTbSUr82PzrKhTcbetExRKp3rd1Yx/VHE&TVg8Al=tFNXBt2HlNPD
  http://www.itt-service.com/be4o/?1bVTT=NvYU4vXV6oqlksK2T+31tCAVlVEyRtJMPVPjmkOIq+x4FoPTLEDQ97Aso3PSqbTtogIFQw+v&TVg8Al=tFNXBt2HlNPD
  http://www.moviesquery.com/be4o/?1bVTT=YI7fOBfdkmMIJMc6lUQ5guGgYvr4zAn1ihvkmg8kjVzMnR9zLTor5dtORsQ+6yaSVoDCCgZ2&TVg8Al=tFNXBt2HlNPD&K8jS=dheDBJOH
  http://www.responsabilities.com/be4o/
  http://www.unta.xyz/be4o/
Hosts (26):
  www.networklogicsa.com()
  www.apexges.com(172.67.142.48)
  www.itt-service.com(156.255.163.232)
  www.xitaotech.com()
  www.liuhumu.com()
  www.96238.top(222.186.141.131)
  www.qiyeweiiliaoo0428.com(54.238.241.51)
  www.samrcq.com()
  www.pristinefarmlands.com(208.91.197.91)
  www.bravesxx.com(162.0.230.89)
  www.responsabilities.com(156.224.208.178)
  www.minecraftrojectx.site(185.104.45.28)
  www.doorsmm.com(66.29.132.10)
  www.unta.xyz(64.190.63.111)
  www.moviesquery.com(172.217.161.83)
  66.29.132.10
  64.190.63.111 - malicious
  142.251.42.211 - malicious
  162.0.230.89 - malicious
  156.224.208.178
  104.21.87.71
  54.238.241.51
  185.104.45.28 - malicious
  156.255.163.232
  222.186.141.131
  208.91.197.91 - malicious
Suricata (6):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET INFO HTTP Request to a *.top domain
  ET HUNTING Request to .TOP Domain with Minimal Headers
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs: none

30968 | 2022-05-20 10:45 | vbc.exe | MD5 aa223c48d72371b24baf306eb49e7597 | Score 10.0 | - | 20 | ZeroCERT
Tags: PWS[m] RAT PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
URLs: none
Hosts: none
Suricata: none
Rule-matched URLs: none

30969 | 2022-05-20 10:45 | vbc.exe | MD5 996e533fafb2e76b54ecf127d6430795 | Score 2.6 | - | 50 | ZeroCERT
Tags: UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself RCE
URLs: none
Hosts: none
Suricata: none
Rule-matched URLs: none

30970 | 2022-05-20 10:43 | vbc.exe | MD5 fefc83495ed902d83c464f33c73be672 | Score 9.6 | M | 44 | ZeroCERT
Tags: Loki UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://hyatqfuh9olahvxf.gq/BN3/fre.php - rule_id: 15762
Hosts (2):
  hyatqfuh9olahvxf.gq(104.21.5.136) - malicious
  104.21.5.136 - malware
Suricata (10):
  ET INFO DNS Query for Suspicious .gq Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.gq domain
  ET INFO HTTP Request to a *.gq domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://hyatqfuh9olahvxf.gq/BN3/fre.php

30971 | 2022-05-20 10:41 | vbc.exe | MD5 7b7351bdf7eec81ce0dcb0c1cdd097b8 | Score 9.6 | - | 47 | ZeroCERT
Tags: UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://sempersim.su/gg7/fre.php
Hosts (2):
  sempersim.su(45.10.245.123) - malicious
  45.10.245.123 - malicious
Suricata (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs: none

30972 | 2022-05-20 10:40 | rtst1043.exe | MD5 674a91f35a3c54032850a0b7f45f81b3 | Score 2.2 | - | 33 | ZeroCERT
Tags: Malicious Library VMProtect PE File PE64 VirusTotal Malware crashed
URLs: none
Hosts: none
Suricata: none
Rule-matched URLs: none

30973 | 2022-05-20 10:40 | vbc.exe | MD5 0d5c12ef90391b5bfc0dedeca59476b6 | Score 8.0 | M | 47 | ZeroCERT
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself
URLs (10):
  http://www.beam-birds.com/ud5f/ - rule_id: 17415
  http://www.daskocleaning.com/ud5f/?9r4l2=lK6R7JSYqhab7fserO2ud0UFIeUwIzn6U4Z0uinaNEONfhE6Adu4jwyhJ99+Ck6Dq2P67LuP&EjU4Np=gdM0vL4XuL
  http://www.animefnix.com/ud5f/?9r4l2=pYnsP4TjgnW1+o0bXQyX3o5D0burLT7omwvH8WaVCOfXXYLrtXboQfHSoV7j4k06LzvKDu0l&EjU4Np=gdM0vL4XuL - rule_id: 17454
  http://www.topings33.com/ud5f/?9r4l2=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&EjU4Np=gdM0vL4XuL - rule_id: 17411
  http://www.spaceokara.com/ud5f/?9r4l2=9CmrMn0GGtbXxXIdiJK6yWXZmlYii/OvswjFNfGMD5AzzaTP0I9tRoOX3ga04w9g87gTygof&EjU4Np=gdM0vL4XuL&JwlX=-ZAhxrdx - rule_id: 17457
  http://www.hayatseventeknoloji.com/ud5f/?9r4l2=ojvd2QNoKu4P+or54/aphicVJQ+jWOoKwd10hVUKozBMe5J4PPzzrG2+L/bESfR8P0zdxkWw&EjU4Np=gdM0vL4XuL&GhUR=r0GdcTaP - rule_id: 17410
  http://www.spaceokara.com/ud5f/ - rule_id: 17457
  http://www.beam-birds.com/ud5f/?9r4l2=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&EjU4Np=gdM0vL4XuL&Ab0L=K0DLsD1x - rule_id: 17415
  http://www.hayatseventeknoloji.com/ud5f/ - rule_id: 17410
  http://www.mydiga-angststoerung.com/ud5f/?9r4l2=yFld/JCYBPTDUSphYl1JLHShpmZQOPshqMvqWwFpBif6fy+DcW5/J/qkCYyqtkAAagEMdzHX&EjU4Np=gdM0vL4XuL - rule_id: 17414
Hosts (17):
  www.hayatseventeknoloji.com(5.2.84.81)
  www.dadagrin.com(76.164.193.180)
  www.daskocleaning.com(185.220.172.4)
  www.beam-birds.com(173.201.181.53)
  www.animefnix.com(103.224.182.210)
  www.topings33.com(162.0.230.89)
  www.spaceokara.com(210.188.240.5)
  www.zkf-lawyer.com()
  www.mydiga-angststoerung.com(89.31.143.1)
  210.188.240.5 - malicious
  89.31.143.1 - malicious
  173.201.181.53 - malicious
  162.0.230.89 - malicious
  5.2.84.81 - malicious
  185.220.172.4
  76.164.193.180 - malicious
  103.224.182.210 - phishing
Suricata (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (9):
  http://www.beam-birds.com/ud5f/
  http://www.animefnix.com/ud5f/
  http://www.topings33.com/ud5f/
  http://www.spaceokara.com/ud5f/
  http://www.hayatseventeknoloji.com/ud5f/
  http://www.spaceokara.com/ud5f/
  http://www.beam-birds.com/ud5f/
  http://www.hayatseventeknoloji.com/ud5f/
  http://www.mydiga-angststoerung.com/ud5f/

30974 | 2022-05-20 10:38 | vbc.exe | MD5 80dc3b7b8970ec34552a23d09447a4d3 | Score 2.2 | - | 34 | ZeroCERT
Tags: RAT PWS .NET framework PE32 .NET EXE PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
URLs: none
Hosts: none
Suricata: none
Rule-matched URLs: none

30975 | 2022-05-20 10:37 | winlog.exe | MD5 7ab3a54474c378d567a5f0cbd3ac1b52 | Score 13.0 | - | 22 | ZeroCERT
Tags: PWS[m] PWS Loki[b] Loki.m RAT DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://sempersim.su/gf20/fre.php
Hosts (2):
  sempersim.su(45.10.245.123) - malicious
  45.10.245.123 - malicious
Suricata (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs: none
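The records in this listing arrive as run-together column strings (URL, host and Suricata columns each flattened into one line), which makes pulling indicators out of them by hand slow and error-prone. The Python below is an added example, not code from ZeroCERT or from the sandbox that produced the listing: it parses one record (entry 30961, copied from the page as constructed test input) into structured IOCs and pivots on the host column to show which C2 domains resolve to an IP the sandbox already tagged. The field layout it assumes (`- rule_id: N` after a URL, `domain(ip)` host tokens with an optional `- tag`, every alert starting with `ET `) is my reading of the page, not a documented format.

```python
"""Parse a flattened sandbox record (this page's listing format) into IOCs.

Added example; not ZeroCERT's code. Format assumptions are mine, taken from
how the records on the page read, not from any published specification.
"""
import json
import re
from urllib.parse import urlsplit

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DOMAIN_TOKEN = re.compile(rf"([\w.-]+)\(({IPV4})?\)")  # www.x.com(1.2.3.4) or www.x.com()
IP_TOKEN = re.compile(IPV4)
KNOWN_FAMILIES = ("FormBook", "LokiBot")               # family names used in the listing's tags

# Constructed sample: the three flattened columns of listing entry 30961, copied verbatim.
SAMPLE_TAGS = ("UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal "
               "Malware suspicious privilege Code Injection Malicious Traffic Check memory "
               "Creates executable files unpack itself")
SAMPLE_URLS = (
    "http://www.beam-birds.com/ud5f/?NXeTz=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&UlSp=GVgT1hYhBj_tmD&Ab0L=OVODAhqH - rule_id: 17415 "
    "http://www.beam-birds.com/ud5f/ - rule_id: 17415 "
    "http://www.bupabii.site/ud5f/?NXeTz=ALfx5VHPAmLJvR2PmDqxYgHynhZL+44fq/2dYcj3tIi9cyGy7ldYS7x5wMMPmf8J2NKK6TeT&UlSp=GVgT1hYhBj_tmD&TYIw=2deHz4Lp - rule_id: 17453 "
    "http://www.topings33.com/ud5f/?NXeTz=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&UlSp=GVgT1hYhBj_tmD - rule_id: 17411 "
    "http://www.trinityhomesolutionsok.com/ud5f/?NXeTz=d4rw7sxjDzEtx0cWy9KhsrAKz6NcO/dyweSsDbp+XQjURwGxqf7SQIXUSnVgZkPR6XcgGAI2&UlSp=GVgT1hYhBj_tmD "
    "http://www.bupabii.site/ud5f/ - rule_id: 17453 "
    "http://www.mitrachocloud.com/ud5f/?NXeTz=dvPOeeOMFyRe5DlDhcEIH/wWv29SUESn2RfxJ6FzLkAlPBveMi7awguc7ngn9aDQsIqt875z&UlSp=GVgT1hYhBj_tmD"
)
SAMPLE_HOSTS = (
    "www.ruibaituobj.com() www.schoolmink.online() www.02d1qp.xyz() "
    "www.trinityhomesolutionsok.com(104.21.30.184) www.bjyunjian.com() www.topings33.com(162.0.230.89) "
    "www.mitrachocloud.com(139.162.7.23) www.beam-birds.com(173.201.181.53) www.bupabii.site(104.21.5.119) "
    "www.sh09.fyi(49.0.246.21) 173.201.181.53 - mailcious 49.0.246.21 162.0.230.89 - mailcious "
    "104.21.30.184 172.67.133.98 - mailcious 139.162.7.23"
)
SAMPLE_ALERTS = "ET MALWARE FormBook CnC Checkin (GET) ET MALWARE FormBook CnC Checkin (POST) M2"


def parse_urls(column):
    """Split the URL column into {url, rule_id}; rule_id is None when no sandbox rule fired."""
    out, tokens, i = [], column.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("http://", "https://")):
            out.append({"url": tok, "rule_id": None})
        elif tok == "-" and out and i + 2 < len(tokens) and tokens[i + 1] == "rule_id:":
            out[-1]["rule_id"] = int(tokens[i + 2])
            i += 2
        i += 1
    return out


def parse_hosts(column):
    """Split the host column into {domain, ip, tag}; bare IPs have domain=None."""
    out, tokens, i = [], column.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if (m := DOMAIN_TOKEN.fullmatch(tok)):
            out.append({"domain": m.group(1), "ip": m.group(2), "tag": None})
        elif IP_TOKEN.fullmatch(tok):
            out.append({"domain": None, "ip": tok, "tag": None})
        elif tok == "-" and out and i + 1 < len(tokens):
            i += 1
            out[-1]["tag"] = tokens[i].replace("mailcious", "malicious")  # listing's typo
        i += 1
    return out


def parse_alerts(column):
    """Every Suricata alert name in the listing starts with 'ET ', so split on that boundary."""
    column = column.strip()
    return re.split(r"\s+(?=ET )", column) if column else []


def c2_base(url):
    """Drop the per-victim query string so repeated check-ins to one path collapse."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def summarize(tags, url_col, host_col, alert_col):
    urls, hosts = parse_urls(url_col), parse_hosts(host_col)
    resolved = {h["domain"]: h["ip"] for h in hosts if h["domain"] and h["ip"]}
    tagged_ips = {h["ip"]: h["tag"] for h in hosts if h["domain"] is None and h["tag"]}
    return {
        "family": next((f for f in KNOWN_FAMILIES if f in tags), None),
        "c2_bases": sorted({c2_base(u["url"]) for u in urls}),
        "rule_ids": sorted({u["rule_id"] for u in urls if u["rule_id"] is not None}),
        "resolved": resolved,
        "unresolved": sorted(h["domain"] for h in hosts if h["domain"] and not h["ip"]),
        "tagged_ips": tagged_ips,
        # domains whose A record is an IP the sandbox itself flagged: the first pivot to block on
        "tagged_domains": sorted(d for d, ip in resolved.items() if ip in tagged_ips),
        "alerts": parse_alerts(alert_col),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TAGS, SAMPLE_URLS, SAMPLE_HOSTS, SAMPLE_ALERTS), indent=2))
```

The interesting output is `tagged_domains`: of the ten domains FormBook tried in entry 30961, only two resolve to an IP the sandbox flagged, and a third flagged IP (172.67.133.98) has no domain in the record at all, so blocking on the resolved IPs alone would miss most of the decoy list. Note also that `c2_bases` dedupes to five paths while the listing counts five rule-matched URL entries; those are different things (two of the rule matches are repeats).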