38626  2021-11-18 14:13
Sample: sqlservr.exe  MD5: 3412c25937783c5151f42c1576b6bbbc
Tags: Lokibot PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed
URLs (2): http://188.40.209.107/~main/.j3a1Ljs5WUZih/fre.php - rule_id: 8026; http://188.40.209.107/~main/.j3a1Ljs5WUZih/fre.php
Hosts (1): 188.40.209.107 - mailcious
IDS alerts (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URLs (1): http://188.40.209.107/~main/.j3a1Ljs5WUZih/fre.php
Score: 14.6  VT: 34  Submitter: ZeroCERT

38627  2021-11-18 14:11
Sample: mypc.exe  MD5: 5ca007dbd88522738eab36ecbf8cc230
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB WMI ComputerName
Score: 2.4  VT: 30  Submitter: ZeroCERT

38628  2021-11-18 14:09
Sample: http://etherx.jabber.org/strea...
Tags: Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c; http://etherx.jabber.org/streams
Hosts (7): etherx.jabber.org(208.68.163.210), xmpp.org(104.248.10.4), apps.identrust.com(119.207.65.74), 208.68.163.210, 104.248.10.4, 121.254.136.27, 121.254.136.57
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 4.8  Submitter: C0d3_22

38629  2021-11-18 14:09
Sample: vbc.exe  MD5: 186ee2b0fbae609d44351da0241dd0ec
Tags: PWS .NET framework Emotet Gen2 Gen1 RAT Formbook Generic Malware NSIS UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus ASPack Anti_VM KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs installed browsers check Windows Browser
Score: 10.2  VT: 34  Submitter: ZeroCERT

38630  2021-11-18 14:09
Sample: file.exe  MD5: 3e2ac75c37deb5eaf3d253581c436ba2
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
Score: 2.0  VT: 39  Submitter: ZeroCERT

38631  2021-11-18 14:07
Sample: UnletDeejay1500.exe  MD5: 3e88c11d9b4cbdf2e30c039521a3ba7d
Tags: UltraVNC Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key crashed
Score: 6.4  VT: 49  Submitter: ZeroCERT

38632  2021-11-18 14:05
Sample: .csrss.exe  MD5: 48230cc4b335325066ecf05f69c021da
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1): http://secure01-redirect.net/gb8/fre.php
Hosts (2): secure01-redirect.net(193.109.78.71), 193.109.78.71
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Score: 13.4  VT: 35  Submitter: ZeroCERT

38633  2021-11-18 14:03
Sample: Client300US.exe  MD5: 50cca6dcc4b8820bc69b0fdd79a9effc
Tags: RAT PWS .NET framework Generic Malware Malicious Packer Antivirus Malicious Library UPX PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder
Hosts (2): www.google.com(142.250.196.132), 142.250.204.100
Score: 5.0  VT: 31  Submitter: ZeroCERT

38634  2021-11-18 14:01
Sample: winbox.exe  MD5: d6b53ece8c20cf28f16303c1e79bd51c
Tags: Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 Check memory Checks debugger unpack itself Check virtual network interfaces RCE
Score: 1.4  Submitter: C0d3_22

38635  2021-11-18 14:01
Sample: vbc.exe  MD5: 0a770b1e9cad5b9c83a9514bc4083aee
Tags: Loki Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (2): http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php - rule_id: 6875; http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
Hosts (2): 74f26d34ffff049368a6cff8812f86ee.ml(104.21.22.146), 104.21.22.146
IDS alerts (10): ET INFO DNS Query for Suspicious .ml Domain; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ml Domain; ET INFO HTTP Request to a *.ml domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1): http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
Score: 9.6  Submitter: ZeroCERT

38636  2021-11-18 14:00
Sample: XUBS  MD5: bef026b729256d39132f096b48001494
Tags: Emotet Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot Malware Report Checks debugger unpack itself Kovter ComputerName DNS
Hosts (28): 81.0.236.90, 195.154.133.20, 104.251.214.46, 138.185.72.26, 185.184.25.237, 103.75.201.2, 94.177.248.64, 176.104.106.96, 212.237.5.209, 207.38.84.195, 158.69.222.101, 51.68.175.8, 210.57.217.132, 178.79.147.66, 103.8.26.103, 103.8.26.102, 110.232.117.186, 45.142.114.231, 91.200.186.228, 216.158.226.206, 107.182.225.142, 66.42.55.5, 58.227.42.236, 212.237.56.116, 212.237.17.99, 45.118.135.203, 50.116.54.215, 191.252.196.221
IDS alerts (5): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET INFO TLS Handshake Failure; ET CNC Feodo Tracker Reported CnC Server group 8; ET CNC Feodo Tracker Reported CnC Server group 13; ET CNC Feodo Tracker Reported CnC Server group 18
Score: 4.2  Submitter: ZeroCERT

38637  2021-11-18 13:58
Sample: winlogon.exe  MD5: 295acb5c48efe1c1e6c57889667737bd
Tags: Malicious Library UPX PE File PE32 OS Processor Check DLL Emotet VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder
Score: 4.4  VT: 33  Submitter: ZeroCERT

38638  2021-11-18 13:56
Sample: .winlogon.exe  MD5: bdecfbc4b9c5903f3aed22d53243d223
Tags: Generic Malware Admin Tool (Sysinternals etc ...) UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
Score: 14.6  VT: 31  Submitter: ZeroCERT

38639  2021-11-18 13:56
Sample: vbc.exe  MD5: 26e5c50888216d7043a917cd84b4a5f4
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (2): http://secure01-redirect.net/gb3/fre.php - rule_id: 8005; http://secure01-redirect.net/gb3/fre.php
Hosts (2): secure01-redirect.net(193.109.78.71), 193.109.78.71
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Malicious URLs (1): http://secure01-redirect.net/gb3/fre.php
Score: 12.8  VT: 37  Submitter: ZeroCERT

38640  2021-11-18 13:54
Sample: vbc.exe  MD5: 60dcceaab4c8bc1cb2ae40251a8c392c
Tags: PWS .NET framework Generic Malware UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key
URLs (2): http://www.boja.us/g2fg/?t8rL=Uvpera99IV2OzBgAl3mMHF7BadqhtVwIukChDce3tyGtvQmPDA41NDQvG4CGoBtKBH2+mXS4&1bVHT=mzrd; http://www.pointman.us/g2fg/?t8rL=1ZbWzwWDL2ZiH2u1e82kp5544c8o4bU6/Cno46UvU9Ov/ThGKN6gBzPIzbuqtbHMhKvUbk0K&1bVHT=mzrd
Hosts (5): www.pointman.us(172.67.157.76), www.boja.us(104.21.31.223), www.5gmalesdf.sbs(), 104.21.31.223, 172.67.157.76
IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Score: 10.8  VT: 38  Submitter: ZeroCERT