32881 | 2022-03-31 23:55
8haN b98c6ef0d51ef8c074efdd3d9e908027 | UPX Malicious Library OS Processor Check DLL PE32 PE File Dridex TrickBot ENERGETIC BEAR Malware Report Checks debugger RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS
Hosts (17):
  54.38.143.246 - mailcious
  5.189.160.61 - mailcious
  202.29.239.162 - mailcious
  2.58.16.87 - mailcious
  78.47.204.80 - mailcious
  188.166.229.148 - mailcious
  94.177.178.26 - mailcious
  185.148.168.15 - mailcious
  87.106.97.83 - mailcious
  37.59.209.141 - mailcious
  103.82.248.59 - mailcious
  103.133.214.242 - mailcious
  104.131.62.48 - mailcious
  128.199.192.135 - mailcious
  59.148.253.194 - mailcious
  195.77.239.39 - mailcious
  119.59.125.140 - mailcious
IDS alerts (9):
  ET CNC Feodo Tracker Reported CnC Server group 19
  ET CNC Feodo Tracker Reported CnC Server group 24
  ET CNC Feodo Tracker Reported CnC Server group 14
  ET CNC Feodo Tracker Reported CnC Server group 20
  ET CNC Feodo Tracker Reported CnC Server group 11
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET INFO TLS Handshake Failure
  ET CNC Feodo Tracker Reported CnC Server group 2
  ET CNC Feodo Tracker Reported CnC Server group 4
4.6 | M | ZeroCERT

32882 | 2022-03-31 23:55
midp.jpg 5355154670a8e5261fe9d71f68b82aac | VirusTotal Malware
0.8 | M | 29 | ZeroCERT

32883 | 2022-03-31 23:52
Crypted.exe 771ca3d222ad356cdf342e0810dbccb5 | Gen1 UPX Malicious Library Malicious Packer AntiDebug AntiVM .NET EXE PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check Mars Stealer Stealer Windows Browser Email ComputerName DNS
URLs (2):
  http://62.204.41.179/request
  http://62.204.41.179/game.php
Hosts (1): (not listed)
IDS alerts (1):
  ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
15.6 | M | 45 | ZeroCERT

32884 | 2022-03-31 23:47
15280e00-7fca-11eb-80a4-74fb10... 39fbb163c74178ee85c14570886bb196 | AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself Browser Email
4.0 | M | 32 | ZeroCERT

32885 | 2022-03-31 23:45
vbc.exe d638b63bad8888a8530a233d3480b257 | UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://plxnva67001gs6gljacjpqudhatjqf.tk/Exodus1/fre.php
Hosts (2):
  plxnva67001gs6gljacjpqudhatjqf.tk(104.21.35.131)
  104.21.35.131
IDS alerts (9):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to a *.tk domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET DNS Query to a .tk domain - Likely Hostile
9.8 | M | 32 | ZeroCERT

32886 | 2022-03-31 23:45
vbc.exe 7c94aa32389a4c60deaff803f672082f | UPX Malicious Library PE32 PE File VirusTotal Malware ICMP traffic RWX flags setting unpack itself RCE crashed
URLs (1):
  http://ars9095genesh.com/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/Kyfsiwyhfqbvuipyaopjrelhauwieyg
Hosts (2):
  ars9095genesh.com(52.74.83.175) - mailcious
  52.74.83.175 - mailcious
4.4 | M | 23 | ZeroCERT

32887 | 2022-03-31 23:43
kaks.exe f2b4fdf20acd1e717e3db2605d2b8734 | AntiDebug AntiVM PE32 PE File Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Code Injection Malicious Traffic Check memory unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check Mars Stealer Stealer Windows Browser Email ComputerName DNS
URLs (2):
  http://62.204.41.179/request
  http://62.204.41.179/game.php
Hosts (1): (not listed)
IDS alerts (1):
  ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
10.0 | M | 39 | ZeroCERT

32888 | 2022-03-31 23:43
vbc.exe 4ff80074421cab2af69c56605f954d36 | UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://mail.outlook-webpage-auth.ml/dan/fre.php
Hosts (2):
  mail.outlook-webpage-auth.ml(104.255.168.254)
  104.255.168.254 - mailcious
IDS alerts (10):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ml Domain
  ET INFO HTTP Request to a *.ml domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
9.8 | M | 36 | ZeroCERT

32889 | 2022-03-31 23:41
loader7.exe db26325f7359def9589a1fb2d5a9c7a5 | UPX Malicious Library PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://gaviscon.tk/Concord/fre.php
Hosts (2):
  gaviscon.tk(104.21.5.90)
  104.21.5.90
IDS alerts (9):
  ET DNS Query to a .tk domain - Likely Hostile
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to a *.tk domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
9.8 | M | 36 | ZeroCERT

32890 | 2022-03-31 23:40
vbc.exe c6c79e0dce5a0c4e5c7e6bbc70e9857f | Loki UPX Malicious Library PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://62.197.136.176/userbob/five/fre.php - rule_id: 15349
Hosts (2):
  208.91.199.224 - mailcious
  62.197.136.176 - mailcious
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
URL patterns (1):
  http://62.197.136.176/userbob/five/fre.php
9.8 | M | 24 | ZeroCERT

32891 | 2022-03-31 23:39
vbc.exe 31bd61238d81bc1306ee4b216eb267d6 | UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder Windows
URLs (4):
  http://www.varildolum.com/r75h/?zZhP4Hl=LSpxqllVGoe8JbBf0Nx9tnfLFBN3h+SWEHYtESPIwAVbIJ6cTtMMeENzc2bZ8MuXY9DkEjA7&U4kt=Ntxdpr6XAPcTtvA
  http://www.solucioneswebcr.com/r75h/?zZhP4Hl=HJz1yu2OONWHCULTT/x0wNwNtzkn8yQ3hnZzZ0PSpklYtTyf/N7k14FD3gT6pIe6aeUEH1oj&U4kt=Ntxdpr6XAPcTtvA
  http://www.supportukraine-pic.com/r75h/?zZhP4Hl=R5d831cWOdHshFRzP2izREUZW95Y1hOLOMtsC9w0gqqczjZa10FJmEGvvjHOEERFL4gkWqzv&U4kt=Ntxdpr6XAPcTtvA - rule_id: 15378
  http://www.at-tadayyun.com/r75h/?zZhP4Hl=9nINLuPg1Il+7/Tbnfy8dnELDNGAs93afE/XCYVLE42ONXesS+SgvtFvW28iEoU8ffh8yClA&U4kt=Ntxdpr6XAPcTtvA - rule_id: 14665
Hosts (8):
  www.solucioneswebcr.com(152.160.210.78)
  www.varildolum.com(38.54.255.69)
  www.at-tadayyun.com(162.0.210.84)
  www.supportukraine-pic.com(34.117.168.233)
  162.0.210.84 - mailcious
  34.117.168.233 - mailcious
  38.54.255.69
  152.160.210.78
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
URL patterns (2):
  http://www.supportukraine-pic.com/r75h/
  http://www.at-tadayyun.com/r75h/
7.8 | M | 31 | ZeroCERT

32892 | 2022-03-31 23:38
vbc.exe 671c417da43176bf5ed787059f578f51 | UPX Malicious Library PE32 PE File VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder
4.2 | M | 32 | ZeroCERT

32893 | 2022-03-31 23:36
waw.exe b16bfe691894734cdd7bebd68ea1ae0f | Formbook RAT AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Discord ComputerName DNS Cryptographic key crashed
URLs (11):
  http://www.wardrobewish.com/vfm2/?u4=xFRA/ZsYTxxn24bJ/jcMhSii4dNufCWdBvsb1mO4rqoNH7g09ph9BLE6/jBEDhrQmNhx/iPX&Ir=Y48Du8lh - rule_id: 14895
  http://www.vaytinchaptoanquoc.online/vfm2/?u4=VfJNoKurPyvSFIdR7ErPiFbnIVUmtpGMpFlXVt4HqSSBLwamMcgLOuLZCbMTz/GvtkLeKbXG&Ir=Y48Du8lh
  http://www.aquaeyego.com/vfm2/?u4=y7teq5zCDIDTiwMu1VEAVeO9lgqs1S7skq6PCyWDeQqVZrUOK0ANSiHRo2eoTcU6T4BmCM5m&Ir=Y48Du8lh - rule_id: 14306
  http://www.web-extended.info/vfm2/?u4=0/aOlsVzQNujx6oGnCwnuIobzSRp9DxuA7R7PPYU7ZDC5bwQWQF6UpwQEOr00ILhbSNg9lCd&Ir=Y48Du8lh - rule_id: 14302
  http://www.reidandwriteon.com/vfm2/?u4=iazj1yCAC9+IEZvIbwwUuRys3w8J91i/TrIN0QXPASrw3xaIeqQg2oHB2bD2+cqhAdjWJk10&Ir=Y48Du8lh - rule_id: 14482
  http://www.fyzmb.com/vfm2/?u4=AxIjRUzDGUvbkB6Rm2q1Nxc5I1/yxsgG9NsoQ/kdjfUH/k6LCmxecZqTkIi+j9aSMMytfGYi&Ir=Y48Du8lh - rule_id: 14549
  http://www.trio-med.store/vfm2/?u4=/jcoefob8pYwv2OuvrBqgLJjPFIMmwKm56dFIWoW+z9u755k1iYEToa/W5//TwB/P+f1J/lG&Ir=Y48Du8lh - rule_id: 14308
  http://www.hksquarefarm.com/vfm2/?u4=S5a+2qFer29nIp6szIrvkw5qrBHAGx7iVINoyPYx3nSDmAmQmHThwxS1qVkcDFw7LhNUhxHu&Ir=Y48Du8lh - rule_id: 14300
  http://www.vehiculosvivienda.com/vfm2/?u4=K+h2u0EglPC/woIZxlAPfMZLLv8RrAeSxafGlut3HLStSCyulfwBkqxzCRtiBObk6a1B4TaQ&Ir=Y48Du8lh
  http://www.swedishchess.com/vfm2/?u4=KZQlOgZetInl30JULzKU70/xF1m2mF96LyBkwU0DKCr4/JQw0JXML3NWx+TZAiLNvCW1CZ/w&Ir=Y48Du8lh - rule_id: 14543
  https://cdn.discordapp.com/attachments/956061086933741588/958733126711001118/morrrri_Cysvcaid.png
Hosts (24):
  www.hksquarefarm.com(65.21.171.229)
  www.trio-med.store(87.236.16.206)
  www.vaytinchaptoanquoc.online(172.217.175.243)
  www.vehiculosvivienda.com(217.160.0.87)
  www.eds.center()
  www.swedishchess.com(212.123.41.108)
  www.aquaeyego.com(34.102.136.180)
  www.wardrobewish.com(3.19.116.195)
  www.web-extended.info(34.102.136.180)
  www.68132.online() - mailcious
  cdn.discordapp.com(162.159.133.233) - malware
  www.fyzmb.com(173.231.37.83)
  www.palette-replus.com()
  www.reidandwriteon.com(192.0.78.25)
  142.250.196.115 - mailcious
  162.159.133.233 - malware
  65.21.171.229 - mailcious
  34.102.136.180 - mailcious
  87.236.16.206 - malware
  173.231.37.83 - mailcious
  3.18.7.81 - mailcious
  217.160.0.87
  212.123.41.108 - mailcious
  192.0.78.25 - mailcious
IDS alerts (5):
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
  SURICATA HTTP Unexpected Request body
URL patterns (8):
  http://www.wardrobewish.com/vfm2/
  http://www.aquaeyego.com/vfm2/
  http://www.web-extended.info/vfm2/
  http://www.reidandwriteon.com/vfm2/
  http://www.fyzmb.com/vfm2/
  http://www.trio-med.store/vfm2/
  http://www.hksquarefarm.com/vfm2/
  http://www.swedishchess.com/vfm2/
10.2 | M | 31 | ZeroCERT

32894 | 2022-03-31 23:36
Jp2MHuMgZeLCQmE.exe 57d3f379290c4e93822080034c6276b6 | PWS[m] PWS .NET framework Generic Malware UPX Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware AgentTesla powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Checks Bios Detects VirtualBox powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW VMware anti-virtualization Windows Browser Email ComputerName Cryptographic key Software crashed
Hosts (2):
  smtp.freshkbana.com(208.91.199.223)
  208.91.199.224 - mailcious
IDS alerts (2):
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE AgentTesla Exfil Via SMTP
15.8 | M | 40 | ZeroCERT

32895 | 2022-03-31 23:36
apa.jpg 10ac30ebbed68584400f8ccd814e2a60 | ELF VirusTotal Malware
1.0 | M | 36 | ZeroCERT