30991 | 2022-05-19 11:40 | vbc.exe | 4c64cf8753a33ad06b5ffa18baaf4f7e
Tags: Loki PWS[m] PWS Loki[b] Loki.m .NET framework DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://sempersim.su/gf19/fre.php - rule_id: 17498
Hosts (2): sempersim.su(45.10.245.123) - mailcious; 45.10.245.123 - mailcious
Alerts (7): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response
URLs with rule matches (1): http://sempersim.su/gf19/fre.php
13.6 | M | 37 | ZeroCERT

30992 | 2022-05-19 11:38 | vbc.exe | 68fcd1ebd9de5ff4645e62008dd04ece
Tags: UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself RCE DNS
Hosts (2): 45.252.249.58; 121.254.136.27
3.0 | - | 34 | ZeroCERT

30993 | 2022-05-19 11:34 | kellyzx.exe | ccfb1788d4a0c8d790b8453c95b936a6
Tags: PWS[m] PWS Loki[b] Loki.m .NET framework DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://85.202.169.172/kelly/five/fre.php
Hosts (1): 85.202.169.172 - mailcious
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
14.2 | - | 37 | ZeroCERT

30994 | 2022-05-19 11:33 | vbc.exe | 57d5a8f8fdd09080d20d3e02e9b38e39
Tags: RAT PWS .NET framework PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
2.8 | - | 42 | ZeroCERT

30995 | 2022-05-19 11:32 | ybc.exe | 06f7be0f46c7ab974296fab19e27d72a
Tags: RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic ICMP traffic unpack itself WriteConsoleW
URLs (3): http://www.pikoulas.com/s4s9/?9rjLOny=3vqAv/gt5DerAq7HPAwyJoPw7zrgcTtdtO4QpfeR1/H0ZZNTPgD+5mr2mohCBijEZAPiMH6C&lZ6D=p2JpD2spElJ01XFP; http://www.bj-ours.com/s4s9/?9rjLOny=x4oGNzt2/NQO4GZEumsckSxTNK9h+syhpzau8+oEqiwLafmB6eRdtop1+evK3WKB8vKrM7qp&lZ6D=p2JpD2spElJ01XFP; http://vitrifrig0.com/n/Awfdbwlu_Abmcjjxt.jpg
Hosts (7): vitrifrig0.com(192.185.174.179); www.52appmj.com() - mailcious; www.pikoulas.com(34.205.242.146); www.bj-ours.com(161.8.178.116); 161.8.178.116; 3.94.41.167 - mailcious; 192.185.174.179 - malware
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
3.8 | - | 20 | ZeroCERT

30996 | 2022-05-19 11:32 | vbc.exe | 864bbb6314ae4dda7385906f77fafd29
Tags: Formbook RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (8): http://www.luxurybathshowers.com/n6g4/?Blq=wNT20nlCC+70zF1dj2VvlajHS1qEluo7RFpjBdU4pvAsmgfvk7OHpoOtOifZyqHHhkZABirB&RvE=JlMpjP3hIbv; http://www.lojas-marias.com/n6g4/?Blq=TLEfg0hRnrZPcnYqH+5VOmv8AlAgrPRjTjTVBNqqBZfa0++7AI5xrB+dAMg9LLi6clhi6lha&RvE=JlMpjP3hIbv - rule_id: 17249; http://www.uspplongee.com/n6g4/?Blq=YEAzGNA3cn/vo1gMImtX9JznxcWz/G0oG2So/zeJzf8A8dVj5v82iw4Nf4enBCkSMIUiakIM&RvE=JlMpjP3hIbv - rule_id: 17603; http://www.lucianaejoaoalberto.com/n6g4/?Blq=PDy0X1NkxyeRTPS9Hg1+w0z6zI6vnvFOvFKK5AHuzUwb//Ug4g5dl9YRwhfo+s5tspSgwq+W&RvE=JlMpjP3hIbv; http://www.topgir.site/n6g4/?Blq=1jrNSiRaeUH2bwhAtkaFZi0oIeqJI57QOdDhJ8cuTIogrMLfVSvkRBJrKH+19cSQ9aLBBwRJ&RvE=JlMpjP3hIbv - rule_id: 17586; http://www.o-taguro.com/n6g4/?Blq=uuG58PPwe9VxWO/vIXFUVGJ5XjmQTEmzvQuy5/6xJ84IguGgWMhlXszIJFsimyvsoD6ahQvQ&RvE=JlMpjP3hIbv - rule_id: 17601; http://www.jamesreadtanusa.com/n6g4/?Blq=T/V9232TN4PjucCwYjNRob4pJIAHZz6ft2wCm65vS+Ocj7fFlNP5KXcBigkedQCEz2XJhWmY&RvE=JlMpjP3hIbv; http://www.duowb.com/n6g4/?Blq=5PV4mspD1PFz/74IFdmDBcebXAvLzSFpcq0mxRQSDi6/xMlpRTwAtA7Y6+o0U2CnCu8VJgFc&RvE=JlMpjP3hIbv
Hosts (17): www.topgir.site(34.117.168.233); www.lucianaejoaoalberto.com(34.95.69.141); www.duowb.com(108.62.16.145); www.luxurybathshowers.com(34.102.136.180); www.theastralark.com(); www.uspplongee.com(38.34.163.59); www.lojas-marias.com(23.227.38.74); www.jamesreadtanusa.com(35.209.127.155); www.o-taguro.com(99.86.207.125); 34.117.168.233 - mailcious; 35.209.127.155; 108.62.16.145; 54.192.175.23; 34.102.136.180 - mailcious; 38.34.163.59 - mailcious; 34.95.69.141 - mailcious; 23.227.38.74 - mailcious
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
URLs with rule matches (4): http://www.lojas-marias.com/n6g4/; http://www.uspplongee.com/n6g4/; http://www.topgir.site/n6g4/; http://www.o-taguro.com/n6g4/
11.8 | M | 27 | ZeroCERT

30997 | 2022-05-19 11:31 | .winlogon.exe | 4c86de3ecf018c944d5d92fa8e65a568
Tags: PWS[m] PWS .NET framework email stealer DNS Code injection KeyLogger Downloader Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check Windows DNS Cryptographic key crashed
Hosts (2): 107.173.62.82; 172.67.188.70
10.0 | - | 24 | ZeroCERT

30998 | 2022-05-19 11:30 | 012ad0ea06b8f77deba8c35e8c0088... | b9f57465b9327dc74ac5c2516d0e9002
Tags: Emotet UPX Malicious Packer Malicious Library PE32 OS Processor Check PE File VirusTotal Malware Check memory Check virtual network interfaces Tofsee
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (5): apps.identrust.com(119.207.65.81); v.xyzgamev.com(104.21.40.196) - mailcious; 172.67.188.70; 121.254.136.27; 104.21.40.196 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 | - | 28 | ZeroCERT

30999 | 2022-05-19 11:27 | game-installer.torrent.exe | 15de4c1a25c5466f420f48738f10dc29
Tags: Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself RCE DNS
Hosts (1): (not listed)
3.0 | - | 53 | ZeroCERT

31000 | 2022-05-19 11:26 | bobbyzx.exe | f09c574d47617319ec0a826217a22a70
Tags: PWS .NET framework PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself DNS
Hosts (1): (not listed)
2.8 | - | 30 | ZeroCERT

31001 | 2022-05-19 11:25 | Bdf.exe | 4356ec13f3ecf498927e9201c486efe8
Tags: PWS[m] RAT PWS .NET framework Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (3): api.telegram.org(149.154.167.220); 172.67.188.70; 149.154.167.220
Alerts (4): ET HUNTING Telegram API Domain in DNS Lookup; ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.8 | - | 18 | ZeroCERT

31002 | 2022-05-19 11:24 | vbc.exe | e88e40a62db068f13a05e03dfb353e90
Tags: UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself RCE DNS
Hosts (1): (not listed)
3.0 | - | 32 | ZeroCERT

31003 | 2022-05-19 11:24 | vbc.exe | f1f8fb39e415aa754ab38f42e9f6bb68
Tags: Formbook RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (6): http://www.duniacuan.online/n6g4/?Bxo834d=H+B+k+qiHMEH4lG1+Dp/ozBWPUXFvqdW8k3ooRnseHQkdgyscNG4g7T4aIsyVS3an/qiYNKv&AnB=O0DXNTu0N0 - rule_id: 17244; http://www.smoothie-optics.com/n6g4/?Bxo834d=6A9jyCAZ8VzXJOrFpbJUcoLza8fQpM6C3Y1fY0GqHBwVeFfzwNmYzgw1EmkBZn2clRmLzJgR&AnB=O0DXNTu0N0; http://www.starline-pools.com/n6g4/?Bxo834d=2R28cU87d8Bz3EFJF7g3mkY5qTF01K+xMdycjSB/8WfyShb7xDw5vOh3wURsS0DDLwPlLe7S&AnB=O0DXNTu0N0; http://www.kapamilla.com/n6g4/?Bxo834d=2KTXcooR36+qr2mKjML4Yxq/ehx4Ohy24qXiWsUJDaTqYLf52ZksQgD3KdpwhdkbtLx8dpO0&AnB=O0DXNTu0N0 - rule_id: 17581; http://www.cliffpassphotographyllc.com/n6g4/?Bxo834d=RmKugVRP2DDcl7uKkKENJP8vqqTPjhikGwoqkD2t4Fv9KQzc/VBT6RnH58Jd459E8lRBCaTo&AnB=O0DXNTu0N0 - rule_id: 17243; http://www.cariniclinicalconsulting.com/n6g4/?Bxo834d=+n/S6rY8aVC0Hfg+vPIBztEU8DcQhwbT5vVl6QccAqX+H7QGnq5WvLIIV7v/on1XbKLlx7rr&AnB=O0DXNTu0N0 - rule_id: 17724
Hosts (13): www.smoothie-optics.com(150.95.255.38); www.cliffpassphotographyllc.com(34.102.136.180); www.kapamilla.com(34.102.136.180); www.duniacuan.online(198.54.117.211); www.admincost.com(); www.hulizb6.com(); www.cariniclinicalconsulting.com(104.21.75.67); www.starline-pools.com(162.215.226.4); 34.102.136.180 - mailcious; 150.95.255.38 - mailcious; 198.54.117.216 - phishing; 162.215.226.4 - mailcious; 172.67.215.254 - mailcious
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
URLs with rule matches (4): http://www.duniacuan.online/n6g4/; http://www.kapamilla.com/n6g4/; http://www.cliffpassphotographyllc.com/n6g4/; http://www.cariniclinicalconsulting.com/n6g4/
12.8 | M | 43 | ZeroCERT

31004 | 2022-05-19 11:23 | becda8cf74894fc066a7c672773ba9... | 18eccb1cb55d8d0f85f051a4051e590d
Tags: Emotet UPX Malicious Packer Malicious Library PE32 OS Processor Check PE File VirusTotal Malware Check memory Check virtual network interfaces Tofsee
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (5): apps.identrust.com(119.207.65.81); v.xyzgamev.com(104.21.40.196) - mailcious; 172.67.188.70; 121.254.136.27; 104.21.40.196 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 | - | 26 | ZeroCERT

31005 | 2022-05-19 11:21 | dj.exe | dd6738b8bd7f1450c7c21f6bd71b6fa2
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself DNS
URLs (4): http://www.davispp.com/lt17/?jFN8ld=3vga1QHbs5IZQDecmeBRzvB7X4cN9V512nUQDaYLNb3NDtIUZSfjVgh1loWuVKPGH5opG13N&Ppm=_0GDCjlXRtrXu; http://www.ontopoetics.com/lt17/?jFN8ld=nZgEXS+oZtvzQ5r51wVjH6BjRJ2Rw1axQ+lriXHyh4vc/hxz0aIffk2tcbCYWJV+PA0U6TQR&Ppm=_0GDCjlXRtrXu; http://www.fastonlineprescriptions.com/lt17/?jFN8ld=73rk+orgEpy27+zMAaMQJFeW88Y512m4PCXKYgKW50mcSxWU82Z5cEbtPVfpZQYZiaxiMB9D&Ppm=_0GDCjlXRtrXu; http://www.tzxc3441.xyz/lt17/?jFN8ld=CsYv+VTVNUh00Baw9JVYtpO333zQB1BV7Yd43ApDKy0wiwpbKszaan16DSpNCvzEWgZesUAC&Ppm=_0GDCjlXRtrXu
Hosts (8): www.davispp.com(34.102.136.180); www.ontopoetics.com(34.102.136.180); www.tzxc3441.xyz(107.161.23.204); www.fastonlineprescriptions.com(64.98.145.30); 64.98.145.30 - mailcious; 172.67.188.70; 34.102.136.180 - mailcious; 209.141.38.71 - phishing
Alerts (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
6.4 | - | 41 | ZeroCERT