33001 | 2022-03-29 18:32 | vbc.exe | MD5 b56daa79ce1d21efee3f6481572fae90
Tags: Loki Malicious Library UPX PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://outlook-webpage-auth.ml/worldwide/logs/fre.php - rule_id: 14993
Hosts (3): outlook-webpage-auth.ml(104.255.168.254) - malicious; 104.255.168.254 - malicious; 2.56.56.61
IDS alerts (10): ET INFO DNS Query for Suspicious .ml Domain; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ml Domain; ET INFO HTTP Request to a *.ml domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Rule matches (1): http://outlook-webpage-auth.ml/worldwide/logs/fre.php
11.4 | M | 34 | ZeroCERT

33002 | 2022-03-29 18:31 | vbc.exe | MD5 6403569f222640afc2d34aaa91dc6a3b
Tags: Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
URLs (5):
  http://www.supportukraine-pic.com/r75h/?EjUt5d=R5d831cWOdHshFRzP2izREUZW95Y1hOLOMtsC9w0gqqczjZa10FJmEGvvjHOEERFL4gkWqzv&Ir=Y4HlpvGPodl4VjU
  http://www.tiyu372.net/r75h/?EjUt5d=OfAs8F5luNrFJVsm53obo3zgxqK0UcBIMGJwC68QDRUUtrdezQqWKl0mWZFAUepJoqRk51Ol&Ir=Y4HlpvGPodl4VjU
  http://www.javideejay.com/r75h/?EjUt5d=S2FpbYq/sg/muwPmTGttr2/DPaqYBIKtwgoWB9plTFY64EBgukVhM2pX9dfT3mo+4TqzY08g&Ir=Y4HlpvGPodl4VjU
  http://www.x27o66w.cfd/r75h/?EjUt5d=mmCNx4CZKJWOhBX4BQVFOFipIbgtkN5tzTAVg57fr5rJkE7oSwL3gzm61B4oLoWnrScXnmEQ&Ir=Y4HlpvGPodl4VjU
  http://www.nftsaber.com/r75h/?EjUt5d=IBvNslctcngU6RYcQrTyN5ujex3ZgPDN15aiGU+rTSlUfThlisWe9xoahso1snUeGVL0IOo3&Ir=Y4HlpvGPodl4VjU
Hosts (10): www.x27o66w.cfd(43.154.50.22); www.tiyu372.net(104.140.179.66); www.javideejay.com(160.181.186.55); www.supportukraine-pic.com(34.117.168.233); www.nftsaber.com(217.160.0.102); 104.140.179.66; 43.154.50.22 - malicious; 34.117.168.233 - malicious; 217.160.0.102 - malware; 160.181.186.55
IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
5.6 | M | 32 | ZeroCERT

33003 | 2022-03-29 18:30 | vbc.exe | MD5 6b3f562fed4b02f64fedca858435dad8
Tags: Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself
URLs (11):
  http://www.winexhearts.com/b6zn/?lxldV=Jn5Vw+zhMDCfbW3vcsW8CKA+62R/2ZFIWwVybxuQR6sKotdCCC9Y6o4oARjINPJcLeFsp/Cr&Tj8=YBZL
  http://www.porsedanbe.xyz/b6zn/?lxldV=fyjq07MWe6nm2XK5ao3u6ev4aBelBQviq/89I3X5J4aoiOfeC/2EimcC8f5zCddZfjnNc+Zh&Tj8=YBZL
  http://www.goldlinesoftware.com/b6zn/?lxldV=B3DzB3QGNvmSD+RhwwojB57yuks2LRHVEf/STjB6aQGy+oMSvP7nQkC2VnzSw8e8JAoDhmrq&Tj8=YBZL
  http://www.elaneboutique.com/b6zn/?lxldV=GIVna4LAxh09LvV6o3teZLfjvTf0ph4Dc0xnl8dYgy7OUKYgpOHbpXlXvEdLUQKc4SEzX2XB&Tj8=YBZL
  http://www.nickyscents.com/b6zn/?lxldV=3+3/BzYE67+X0AYmgw/lWs7lQXbVogqhZUTDS5QbBFVl8Calw27ZtetDO9/XzWxERjro7W6L&Tj8=YBZL
  http://www.xhypxjkc.com/b6zn/?lxldV=q3TYMdfNEX064PrE+b7saFNTHp055AOmXdOyvTsWD1OVPTv+rD/WG4c8cJQIB22+va7zZ64M&Tj8=YBZL
  http://www.pied-metal.com/b6zn/?lxldV=8hwk6Gj0xnS6lIBbaHSUXVY381VONfsJ4ruRFMOOYFCQx/sYOxEvF8lcMYyhxo3RobpCIL+4&Tj8=YBZL
  http://www.shardakova.info/b6zn/?lxldV=UklKEZrWB286zOcnALfBMr05A1MjsHp/s3MiAOtbFSvjkznrsR4zUAIW3gp6BZJ0nLqWq0UC&Tj8=YBZL
  http://www.ktnhit.xyz/b6zn/?lxldV=UUC1eaI+vEe5J7nSCwzEuhsjm1VaYzewN/kE+sKHOfLh/jHcWHKS3dXl6AnkEOPLyE3lBqxc&Tj8=YBZL
  http://www.hscc100.com/b6zn/?lxldV=FDJ2bPILfzUw577QWjRWMaA0NLsVC9Q/KGn4IOmKudl2b+o3FTQA/bSQuuKqGQu+2A1zQzu1&Tj8=YBZL
  http://www.bluefuid.com/b6zn/?lxldV=TPrUdCsEfLs7O6F9Vi3wdu0OapOxaKCdwhAs3mqyth/C1fqzEeEAbX582Gi3r6RZeidW3kkR&2dB=oneha
Hosts (26): www.hscc100.com(154.23.198.121); www.elaneboutique.com(74.208.236.230); www.pied-metal.com(212.227.247.117); www.porsedanbe.xyz(104.21.96.147); www.aedomain.xyz(); www.xhypxjkc.com(108.186.180.177); www.shardakova.info(144.76.194.189); www.goldlinesoftware.com(199.188.200.201); www.ktnhit.xyz(34.102.136.180); www.uptownfirst.com(); www.winexhearts.com(104.21.66.132); www.bluefuid.com(104.18.128.14); www.taiwancustoms.com(); www.petdlvr.com(); www.nickyscents.com(34.102.136.180); www.imzztoken.xyz(); 104.18.128.14; 144.76.194.189; 104.21.66.132; 212.227.247.117; 74.208.236.230 - phishing; 34.102.136.180 - malicious; 154.23.198.121; 108.186.180.177 - malicious; 172.67.182.213; 199.188.200.201
IDS alerts (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
6.4 | M | 30 | ZeroCERT

33004 | 2022-03-29 18:30 | vbc.exe | MD5 d844a312629808aa11a8813c4f92c9e5
Tags: PWS[m] PWS .NET framework UPX SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (2): api.telegram.org(149.154.167.220); 149.154.167.220
IDS alerts (4): ET INFO TLS Handshake Failure; ET HUNTING Telegram API Domain in DNS Lookup; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.6 | M | 21 | ZeroCERT

33005 | 2022-03-29 18:28 | vbc.exe | MD5 95fed5ca9d7e7b30795bbfc52024baa9
Tags: Loki Malicious Library UPX PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://62.197.136.186/oluwa/five/fre.php - rule_id: 14521
Hosts (1): 62.197.136.186 - malicious
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Rule matches (1): http://62.197.136.186/oluwa/five/fre.php
10.0 | M | 35 | ZeroCERT

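Entries 33001 and 33005 are the two LokiBot samples in this batch and show the same check-in shape: an HTTP POST to a panel gate script named fre.php (on a free .ml domain in one case, on a bare IP in the other), which trips the Emerging Threats "LokiBot User-Agent (Charon/Inferno)" and "LokiBot Checkin" alerts. The block below is an added example, not the sandbox's code and not the ET rules themselves. It breaks that check-in into independent signals (the fixed User-Agent string, a POST to a known gate script, a binary request body, and the host type) and grades a request even when one signal is missing, which matters because the gate name and User-Agent are trivially changed by the operator. The request bytes are constructed to mirror the two entries; the bodies are filler, not real LokiBot reports, and the hostnames and paths are taken from the entries above.

```python
"""Heuristic check for LokiBot panel check-ins over HTTP (added example)."""
import re
from typing import Dict, List, Tuple

LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"   # fixed User-Agent the ET "Charon/Inferno" rule keys on
PANEL_GATES = {"fre.php"}                     # gate script seen in entries 33001 and 33005; extend per campaign
FREE_TLDS = {"ml", "cf", "ga", "gq", "tk"}    # entry 33001 also trips ET's "Suspicious .ml Domain" rules


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def lokibot_signals(raw: bytes) -> List[str]:
    """Return the independent indicators present in one request."""
    method, target, headers, body = parse_request(raw)
    hits: List[str] = []
    if headers.get("user-agent") == LOKI_UA:
        hits.append("charon-inferno-ua")
    script = target.split("?", 1)[0].rsplit("/", 1)[-1]
    if method == "POST" and script in PANEL_GATES:
        hits.append("post-to-panel-gate")
    if headers.get("content-type", "").startswith("application/octet-stream") and body:
        hits.append("binary-body")
    host = headers.get("host", "").split(":", 1)[0]
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        hits.append("ip-literal-host")           # entry 33005 posts straight to 62.197.136.186
    elif host.rsplit(".", 1)[-1].lower() in FREE_TLDS:
        hits.append("free-tld-host")
    return hits


def verdict(raw: bytes) -> str:
    hits = set(lokibot_signals(raw))
    if "charon-inferno-ua" in hits:
        return "lokibot"                         # the User-Agent alone is the high-confidence match
    if {"post-to-panel-gate", "binary-body"} <= hits:
        return "lokibot-likely"                  # UA changed, but a binary POST to a gate script remains
    return "no-match"


# Constructed requests modelled on the two entries; headers are illustrative, bodies are filler.
REQ_33001_LIKE = (
    b"POST /worldwide/logs/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: outlook-webpage-auth.ml\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x12\x00" + b"\x00" * 14
)
REQ_33005_NO_UA = (  # same shape as 33005, but with a browser User-Agent swapped in
    b"POST /oluwa/five/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Host: 62.197.136.186\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n" + b"\x00" * 16
)
BENIGN_FORM_POST = (  # a web form that happens to be called fre.php: gate name alone must not fire
    b"POST /fre.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"q=hello+w"
)

if __name__ == "__main__":
    for name, req in [("33001-like", REQ_33001_LIKE), ("33005-no-ua", REQ_33005_NO_UA), ("benign", BENIGN_FORM_POST)]:
        print(name, verdict(req), lokibot_signals(req))
```

The gate-script name on its own is deliberately not enough for a verdict: fre.php is a common LokiBot panel path, but any PHP site may serve a file by that name, so the benign form post above stays at "no-match" until a binary body or the Charon/Inferno User-Agent joins it.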
33006 | 2022-03-29 18:26 | vbc.exe | MD5 694199269a9a455dc84e388f592ac636
Tags: Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
URLs (3):
  http://www.turkishcreatives.net/m0e8/?Txlt=v05aFR3XXE+WNLqaQbXCuaBgGTrJHKX9gL6JLpitXc4/kUVT2lWlcWMbG9MG0aqn4fLlNI43&JtxL=XPCxA0uPf
  http://www.u4ik28o.cfd/m0e8/?Txlt=5GefEyZxG9lEmZ1C67s2g7Y2PVHs2erQoLlk6i9h+Hl7eO//gzDrWeib8GOl3X+yvnqAObZp&JtxL=XPCxA0uPf - rule_id: 14361
  http://www.bokobsa.com/m0e8/?Txlt=NiIFzFypB3a3UP/FfZppj7L4ZT2hJAJl4BZMm0lyjkphv2LLMZdDICElLBofVusq0rvKft2i&JtxL=XPCxA0uPf
Hosts (7): www.turkishcreatives.net(198.54.117.217); www.lkihpdhz.cfd(); www.u4ik28o.cfd(43.154.50.22); www.bokobsa.com(156.244.118.152); 198.54.117.215 - malicious; 156.244.118.152; 43.154.50.22 - malicious
IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Rule matches (1): http://www.u4ik28o.cfd/m0e8/
5.4 | M | 24 | ZeroCERT

33007 | 2022-03-29 18:25 | .win32.exe | MD5 819b4c7c0922d5b882f74fab0ead1e4f
Tags: Generic Malware Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself DNS
Hosts (1): (none listed)
2.0 | M | 25 | ZeroCERT

33008 | 2022-03-29 18:24 | CDQ.exe | MD5 271a615ca2750512c76bffae116135df
Tags: AgentTesla PWS[m] RAT browser info stealer Google Chrome User Data ScreenShot Create Service Socket DNS Code injection Sniff Audio KeyLogger Downloader Escalate privileges AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed keylogger
Hosts (3): drgeraldvanluven12.zapto.org(66.154.98.162); 136.144.41.109 - malware; 66.154.98.162
IDS alerts (1): ET POLICY DNS Query to DynDNS Domain *.zapto .org
18.0 | M | 18 | ZeroCERT

33009 | 2022-03-29 18:24 | neworder019209.exe | MD5 e7054a13910b427ad6a5187a0ae7fe86
Tags: Malicious Library UPX PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200); checkip.dyndns.org(158.101.44.242); 132.226.8.169; 104.21.19.200
IDS alerts (3): ET POLICY External IP Lookup - checkip.dyndns.org; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
11.0 | M | 28 | ZeroCERT

33010 | 2022-03-29 18:22 | sammy.exe | MD5 c8feea08103ca5a05b2aed8d80ad073f
Tags: Malicious Library UPX PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(158.101.44.242); 132.226.8.169; 172.67.188.154
IDS alerts (3): ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | M | 27 | ZeroCERT

33011 | 2022-03-29 18:21 | build.exe | MD5 0a1db748908d7d1124091bbee8acd691
Tags: RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName
Hosts (2): tlsprotectgo.xyz(135.181.157.15); 135.181.157.15
3.4 | M | 37 | ZeroCERT

33012 | 2022-03-29 18:21 | vbc.exe | MD5 e579a1039eb1d5be440cff7422fe4a14
Tags: ASProtect PE32 PE File FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic buffers extracted ICMP traffic unpack itself sandbox evasion ComputerName DNS
URLs (13):
  http://www.rawscrubshop.com/gqav/?w8l=YwP8DMBe5/rmJG95YgGihBM1KzBUq87WaYVjnncD++dAF6gcSZhseSzZ37/rRu2xi7vMiK3p&Mfg=lHND
  http://www.christiancoachingforkids.com/gqav/?w8l=EVqLcoO3Ktu4gKE4vYfE1W389p1DmIcrenmbPohMemECVJmUXwFyKUJ57YHeR4rhbK7zQR5p&YBZL=lxldV
  http://www.rawscrubshop.com/gqav/?w8l=YwP8DMBe5/rmJG95YgGihBM1KzBUq87WaYVjnncD++dAF6gcSZhseSzZ37/rRu2xi7vMiK3p&YBZL=lxldV
  http://www.yzhuce.com/gqav/?w8l=hBw8Uj/NA2bqFcHreWUEj7g9Bvp0abz+79c/8etS8/VcXOYsLq/CKl/CUvvfOyNirptrUSaU&YBZL=lxldV
  http://www.schonketaaan.quest/gqav/?w8l=94z5NolAFO1MPGxsX+pxyAN2h8zBjgks1VYBh/H3dA96zIfLRTHmv3W+KyK4piD9CKd6YW3E&Mfg=lHND
  http://www.deerpath.partners/gqav/?w8l=DUmR/jEBU3ELfam2JvcjWMZB4sIYfk0gzUSWuB/JIkxYulx9esbq/eM0g5W2Sgl3fcP8V8gY&YBZL=lxldV
  http://www.schonketaaan.quest/gqav/?w8l=94z5NolAFO1MPGxsX+pxyAN2h8zBjgks1VYBh/H3dA96zIfLRTHmv3W+KyK4piD9CKd6YW3E&YBZL=lxldV
  http://www.flotents.com/gqav/?w8l=SjbrgNqJ/HEN2Z0votqlpk/lG9W7D6H0oBKo5NJWd5/cZgMjS006fXyWTfZbdwLf49eB8Pa5&YBZL=lxldV
  http://www.elite-hc.com/gqav/?w8l=LubgTmLVtPJ1+bl1c+t0vvqacqngwFtU0dRJk0ggXDQ8DHyEiRyDAZzmj93q2CKtM5lTBABt&YBZL=lxldV
  http://www.chicoliftassist.com/gqav/?w8l=VNwuY5WLqvkkRqjTz1qDqprqe7aUvlhQzMVTSeIH8ShPcV12iRMXJ6u3qrd+432pYmj7qtEQ&YBZL=lxldV
  http://www.hybig.com/gqav/?w8l=UP4b9BEPDzxTEXv/uwzCWzvCu8AhNXhYwa+NKC5TD6BeBhb0t7w/2yyvTvD49K3ZNEyg+1/D&YBZL=lxldV
  http://www.gv5rm.com/gqav/?w8l=0nHchrn11GR6s/LoubAtNFvblzgYL4aXg6r7t0yOJiWiOSUfoEUVXhXmo5IJ0MpB8diMGN3j&YBZL=lxldV
  http://www.ohiomarkets.com/gqav/?w8l=sp0HhzoSHnIYbHhxsD+iSu94jW21T7oKHtMam15DOpZ+N/wzFYsZkEG3yhh0HDsuKwKS88JK&YBZL=lxldV
Hosts (26): www.flotents.com(34.102.136.180); www.gv5rm.com(66.42.99.154); www.hybig.com(156.245.126.43); www.schonketaaan.quest(37.123.118.150); www.rawscrubshop.com(23.227.38.74); www.ohiomarkets.com(198.54.117.212); www.yzhuce.com(154.80.135.41); www.elite-hc.com(182.50.132.242); www.cretavibes.com(); www.christiancoachingforkids.com(198.54.117.212); www.armorsealonline.com(); www.sukidict.com(); www.theslowtravelco.com(); www.deerpath.partners(209.17.116.163); www.chicoliftassist.com(162.241.253.30); 198.54.117.218 - malicious; 37.123.118.150 - malicious; 209.17.116.163 - malicious; 156.245.126.43; 34.102.136.180 - malicious; 154.80.135.41; 182.50.132.242 - malicious; 162.241.253.30 - malware; 66.42.99.154; 160.153.132.203; 23.227.38.74 - malicious
IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
8.6 | M | 32 | ZeroCERT

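The four FormBook entries in this batch (33002, 33003, 33006 and 33012) each show one sample issuing the same GET shape against many domains: http://www.<domain>/<4-character path>/?<key>=<72-character blob>&<key>=<short value>. The path and the first query key are constant within a sample and differ between samples, so together they serve as a per-sample campaign key, and the long list of domains per sample is FormBook's known decoy behaviour (the real C2 hidden among legitimate-looking hosts, several of which never resolve in the host lists above). The block below is an added example, not the sandbox's code and not the ET "FormBook CnC Checkin (GET)" rule; it groups URLs by that campaign key and reports what varies inside each group. The blob is FormBook's encrypted check-in data and is only measured here, not decoded, since the sample's key is not on this page. The URL strings are copied from the entries named above, including one carrying the feed's "- rule_id:" annotation.

```python
"""Cluster FormBook check-in URLs by per-sample path and query key (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One URL as the feed prints it, optionally followed by the feed's "- rule_id: N" annotation.
URL_ENTRY = re.compile(r"^(?P<url>\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?$")

# The GET shape shown on this page: www. prefix, short path, long base64-looking blob, short trailer.
FORMBOOK_GET = re.compile(
    r"^http://www\.(?P<domain>[a-z0-9.\-]+)/(?P<path>[a-z0-9]{3,6})/\?"
    r"(?P<key>[A-Za-z0-9]+)=(?P<blob>[A-Za-z0-9+/=]{40,})"
    r"&(?P<key2>[A-Za-z0-9]+)=(?P<val>[A-Za-z0-9]+)$"
)


def match_formbook(entry: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the URL's components if it has the FormBook check-in shape, else None."""
    m = URL_ENTRY.match(entry.strip())
    if not m:
        return None
    g = FORMBOOK_GET.match(m.group("url"))
    if not g:
        return None
    parts: Dict[str, Optional[str]] = dict(g.groupdict())
    parts["rule_id"] = m.group("rule")
    return parts


def cluster_checkins(entries: List[str]) -> Dict[Tuple[str, str], Dict[str, list]]:
    """Group check-ins by (path, first query key); each group is one sample's domain rotation."""
    clusters = defaultdict(lambda: {"domains": set(), "blob_lengths": set(),
                                    "second_keys": set(), "rule_ids": set()})
    for entry in entries:
        f = match_formbook(entry)
        if f is None:
            continue
        c = clusters[(f["path"], f["key"])]
        c["domains"].add(f["domain"])
        c["blob_lengths"].add(len(f["blob"]))
        c["second_keys"].add(f["key2"])
        if f["rule_id"]:
            c["rule_ids"].add(f["rule_id"])
    return {k: {name: sorted(v) for name, v in c.items()} for k, c in clusters.items()}


SAMPLE_URLS = [
    # entry 33002 (path r75h)
    "http://www.supportukraine-pic.com/r75h/?EjUt5d=R5d831cWOdHshFRzP2izREUZW95Y1hOLOMtsC9w0gqqczjZa10FJmEGvvjHOEERFL4gkWqzv&Ir=Y4HlpvGPodl4VjU",
    "http://www.tiyu372.net/r75h/?EjUt5d=OfAs8F5luNrFJVsm53obo3zgxqK0UcBIMGJwC68QDRUUtrdezQqWKl0mWZFAUepJoqRk51Ol&Ir=Y4HlpvGPodl4VjU",
    "http://www.javideejay.com/r75h/?EjUt5d=S2FpbYq/sg/muwPmTGttr2/DPaqYBIKtwgoWB9plTFY64EBgukVhM2pX9dfT3mo+4TqzY08g&Ir=Y4HlpvGPodl4VjU",
    "http://www.x27o66w.cfd/r75h/?EjUt5d=mmCNx4CZKJWOhBX4BQVFOFipIbgtkN5tzTAVg57fr5rJkE7oSwL3gzm61B4oLoWnrScXnmEQ&Ir=Y4HlpvGPodl4VjU",
    "http://www.nftsaber.com/r75h/?EjUt5d=IBvNslctcngU6RYcQrTyN5ujex3ZgPDN15aiGU+rTSlUfThlisWe9xoahso1snUeGVL0IOo3&Ir=Y4HlpvGPodl4VjU",
    # entry 33006 (path m0e8); the second URL carries the feed's rule_id annotation
    "http://www.turkishcreatives.net/m0e8/?Txlt=v05aFR3XXE+WNLqaQbXCuaBgGTrJHKX9gL6JLpitXc4/kUVT2lWlcWMbG9MG0aqn4fLlNI43&JtxL=XPCxA0uPf",
    "http://www.u4ik28o.cfd/m0e8/?Txlt=5GefEyZxG9lEmZ1C67s2g7Y2PVHs2erQoLlk6i9h+Hl7eO//gzDrWeib8GOl3X+yvnqAObZp&JtxL=XPCxA0uPf - rule_id: 14361",
    "http://www.bokobsa.com/m0e8/?Txlt=NiIFzFypB3a3UP/FfZppj7L4ZT2hJAJl4BZMm0lyjkphv2LLMZdDICElLBofVusq0rvKft2i&JtxL=XPCxA0uPf",
    # entry 33012 (path gqav): one domain hit twice with different trailing parameters
    "http://www.rawscrubshop.com/gqav/?w8l=YwP8DMBe5/rmJG95YgGihBM1KzBUq87WaYVjnncD++dAF6gcSZhseSzZ37/rRu2xi7vMiK3p&Mfg=lHND",
    "http://www.rawscrubshop.com/gqav/?w8l=YwP8DMBe5/rmJG95YgGihBM1KzBUq87WaYVjnncD++dAF6gcSZhseSzZ37/rRu2xi7vMiK3p&YBZL=lxldV",
    # not FormBook: the external IP lookup from entry 33009
    "http://checkip.dyndns.org/",
]

if __name__ == "__main__":
    for key, info in cluster_checkins(SAMPLE_URLS).items():
        print(key, len(info["domains"]), "domains", info)
```

When hunting in proxy logs, group on (path, first key) rather than on domain: the domains rotate and most are decoys, while the campaign key stays fixed for the life of the sample.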
33013 | 2022-03-29 18:19 | vbc.exe | MD5 0af11be93fd49bde3f5dc03a3b92cbb9
Tags: RAT .NET EXE PE32 PE File VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces suspicious process WriteConsoleW ComputerName
URLs (1): http://sinhviendien.com/wp-content/themes/virtue/Mztawel_Swlusoeg.jpg
Hosts (2): sinhviendien.com(194.59.164.176); 194.59.164.176
3.8 | M | 19 | ZeroCERT

33014 | 2022-03-29 18:17 | vbc.exe | MD5 b469a2fa7fe936cdbea6fa2c8696c259
Tags: PWS[m] PWS .NET framework Generic Malware UPX Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
Hosts (2): webmail.escueladeseguridadmaritima.com(160.153.132.203); 160.153.132.203
IDS alerts (2): SURICATA Applayer Detect protocol only one direction; ET MALWARE AgentTesla Exfil Via SMTP
12.6 | M | 17 | ZeroCERT

33015 | 2022-03-29 18:17 | data64_4.exe | MD5 44190ba0aca367c665844c7b35c416cf
Tags: Obsidium protector UPX .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI RWX flags setting unpack itself Collect installed applications sandbox evasion installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): 185.215.113.20 - malicious
IDS alerts (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 21
11.0 | M | 26 | ZeroCERT
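Several entries in this batch touch the same addresses: 43.154.50.22 resolves for both 33002 and 33006, 34.102.136.180 for both 33003 and 33012, and 160.153.132.203 appears as a bare address in 33012 and as the AgentTesla SMTP exfiltration host in 33014. The block below is an added example, not the feed's tooling; it parses the host notation the feed uses ("name(ip)", "name()" for an unresolved name, or a bare IP, each optionally followed by "- <tag>"), pivots a set of entries on shared addresses, and lists the names the sandbox saw at a given address so the analyst can tell a shared C2 from parked or shared hosting. The host strings are copied from entries 33002, 33003, 33006, 33012 and 33014; the feed's "mailcious" spelling of its tag is normalised to "malicious".

```python
"""Pivot sandbox host lists on shared IP addresses (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

HOST_TOKEN = re.compile(
    r"(?:(?P<name>[A-Za-z0-9.\-]+)\((?P<resolved>[0-9.]*)\)"  # name(ip) or name()
    r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))"                      # bare address
    r"(?:\s*-\s*(?P<tag>[A-Za-z]+))?"                         # optional verdict tag
)
TAG_SPELLING = {"mailcious": "malicious"}  # the feed's own spelling of its tag


class Host(NamedTuple):
    name: Optional[str]   # None for a bare address
    ip: Optional[str]     # None when the sandbox could not resolve the name
    tag: Optional[str]


def parse_hosts(line: str) -> List[Host]:
    hosts: List[Host] = []
    for m in HOST_TOKEN.finditer(line):
        tag = m.group("tag")
        tag = TAG_SPELLING.get(tag, tag) if tag else None
        if m.group("ip"):
            hosts.append(Host(None, m.group("ip"), tag))
        else:
            hosts.append(Host(m.group("name"), m.group("resolved") or None, tag))
    return hosts


# Host lines copied from the entries above.
SAMPLES: Dict[str, str] = {
    "33002": "www.x27o66w.cfd(43.154.50.22) www.tiyu372.net(104.140.179.66) www.javideejay.com(160.181.186.55) "
             "www.supportukraine-pic.com(34.117.168.233) www.nftsaber.com(217.160.0.102) 104.140.179.66 "
             "43.154.50.22 - mailcious 34.117.168.233 - mailcious 217.160.0.102 - malware 160.181.186.55",
    "33003": "www.hscc100.com(154.23.198.121) www.elaneboutique.com(74.208.236.230) www.pied-metal.com(212.227.247.117) "
             "www.porsedanbe.xyz(104.21.96.147) www.aedomain.xyz() www.xhypxjkc.com(108.186.180.177) "
             "www.shardakova.info(144.76.194.189) www.goldlinesoftware.com(199.188.200.201) www.ktnhit.xyz(34.102.136.180) "
             "www.uptownfirst.com() www.winexhearts.com(104.21.66.132) www.bluefuid.com(104.18.128.14) www.taiwancustoms.com() "
             "www.petdlvr.com() www.nickyscents.com(34.102.136.180) www.imzztoken.xyz() 104.18.128.14 144.76.194.189 "
             "104.21.66.132 212.227.247.117 74.208.236.230 - phishing 34.102.136.180 - mailcious 154.23.198.121 "
             "108.186.180.177 - mailcious 172.67.182.213 199.188.200.201",
    "33006": "www.turkishcreatives.net(198.54.117.217) www.lkihpdhz.cfd() www.u4ik28o.cfd(43.154.50.22) "
             "www.bokobsa.com(156.244.118.152) 198.54.117.215 - mailcious 156.244.118.152 43.154.50.22 - mailcious",
    "33012": "www.flotents.com(34.102.136.180) www.gv5rm.com(66.42.99.154) www.hybig.com(156.245.126.43) "
             "www.schonketaaan.quest(37.123.118.150) www.rawscrubshop.com(23.227.38.74) www.ohiomarkets.com(198.54.117.212) "
             "www.yzhuce.com(154.80.135.41) www.elite-hc.com(182.50.132.242) www.cretavibes.com() "
             "www.christiancoachingforkids.com(198.54.117.212) www.armorsealonline.com() www.sukidict.com() "
             "www.theslowtravelco.com() www.deerpath.partners(209.17.116.163) www.chicoliftassist.com(162.241.253.30) "
             "198.54.117.218 - mailcious 37.123.118.150 - mailcious 209.17.116.163 - mailcious 156.245.126.43 "
             "34.102.136.180 - mailcious 154.80.135.41 182.50.132.242 - mailcious 162.241.253.30 - malware 66.42.99.154 "
             "160.153.132.203 23.227.38.74 - mailcious",
    "33014": "webmail.escueladeseguridadmaritima.com(160.153.132.203) 160.153.132.203",
}


def shared_ips(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Addresses (resolved or bare) seen in more than one sample -> sorted sample IDs."""
    seen = defaultdict(set)
    for sid, line in samples.items():
        for h in parse_hosts(line):
            if h.ip:
                seen[h.ip].add(sid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > 1}


def names_at(samples: Dict[str, str], ip: str) -> List[str]:
    """Every name the sandbox resolved to `ip`; several unrelated names hints at parking or shared hosting."""
    return sorted({h.name for line in samples.values() for h in parse_hosts(line) if h.name and h.ip == ip})


def unresolved(samples: Dict[str, str], sid: str) -> List[str]:
    """Names in one sample that returned no address (entry order preserved)."""
    return [h.name for h in parse_hosts(samples[sid]) if h.name and h.ip is None]


def tagged_ips(samples: Dict[str, str], tag: str) -> List[str]:
    """Addresses carrying a given (normalised) feed tag across all samples."""
    return sorted({h.ip for line in samples.values() for h in parse_hosts(line) if h.ip and h.tag == tag})


if __name__ == "__main__":
    for ip, ids in shared_ips(SAMPLES).items():
        print(ip, "seen in", ids, "resolved names:", names_at(SAMPLES, ip))
```

Treat a shared address as a lead rather than a verdict: 34.102.136.180 carries three unrelated names across two FormBook samples, which is what parked or shared hosting looks like, whereas 160.153.132.203 tying a FormBook host list to an AgentTesla SMTP server is worth a closer look.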