Sandbox analysis listing, one record per submission. Fields, in the order the original table shows them: ID, submission time, submitter; file name and MD5; behaviour and classification tags; contacted URLs (with the matched rule_id where the sandbox noted one); contacted hosts as domain(resolved IP) plus bare IPs, with threat-feed annotations; IDS signatures fired; matched URL rules; analysis score; and an unlabelled count that in this listing appears only on records carrying the VirusTotal tag.

#39931  2021-10-29 18:20  by ZeroCERT
File: PE.txt.ps1  MD5: 964c031b3cca7673f0af28adf461f2b3
Tags: PowerShell MZ Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
Score: 1.6  Count: 17
#39932  2021-10-29 18:11  by ZeroCERT
File: .csrss.exe  MD5: c2c509a61a1d811d29ade6067e54c011
Tags: PWS Loki[b] Loki.m RAT Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
  http://secure01-redirect.net/ga14/fre.php
Hosts (2):
  secure01-redirect.net(94.142.141.221)
  94.142.141.221
IDS signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 14.4  Count: 14
#39933  2021-10-29 18:02  by ZeroCERT
File: vbc.exe  MD5: 8980a24aeb5d63283add48c1391ebc40
Tags: Malicious Library UPX PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Tofsee Windows DNS crashed
URLs (15):
  http://www.joy1263.com/ht08/?wP9=5zTHw+cMQysQB01avDS62dEk0lc83/+ymY2tuhZYuDPhhCZOWQyRnsgLnjpjzHaWki+k6UdA&lZQ=7nbLpdZHS
  http://www.angyfoods.com/ht08/?wP9=i+WDIm9jHC82FUdEypgqNiotqHRMt1GHvUM0F97kEGeCHK0nEcPd7ey+L8ZvA9C8LXWvmksm&lZQ=7nbLpdZHS
  http://www.septemberstockevent200.com/ht08/?wP9=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP&lZQ=7nbLpdZHS - rule_id: 6848
  http://www.septemberstockevent200.com/ht08/?wP9=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP&lZQ=7nbLpdZHS
  http://www.timothyschmallrealt.com/ht08/?wP9=67tCic8sYzV3es+kuEWGJwm1Ye4iZ5Z2e1jXvgEPi6twS6Q6g6gUEXBuqD/zm8ihdyV9/0Vz&lZQ=7nbLpdZHS
  http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS - rule_id: 6852
  http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS
  http://www.centercodebase.com/ht08/?wP9=/+0I8Ix2qwnmm99cJTV+asIBU4YhAk3i42qpadk7iBPvfU/iuBCITxOCE2i7jfepiW74eJH1&lZQ=7nbLpdZHS
  http://www.progettogenesi.cloud/ht08/?wP9=GSCIKY2MiKJRQQFt3aZ/9xy11Q2rDBmxaZZvlmLuIp/PfjM3dG+vVKQyviZHcQzjsXYyybP/&lZQ=7nbLpdZHS
  http://www.kalaraskincare.com/ht08/?wP9=VdZobeFV+7zDZ4W6RO8SoxUhXPNifKLPEeijVGSeVjZRWgaL88Xeqi3CusAoM82Kcv2du8+8&lZQ=7nbLpdZHS
  http://www.coachingbywatson.com/ht08/?wP9=mAxcwESmkYSGCUCaLnGm/zT/JlgVo9zog7cKgoc53e0EkOLj0DO/YWNBWe36QgFLCczpzj83&lZQ=7nbLpdZHS
  http://www.huakf.com/ht08/?wP9=lRq/YKJ/q1c7pbxstH5R510zK5E/jMlHWkiKB6bNw1tOje7FFb/Ec3t87aIL9cVe6vCoPnf2&lZQ=7nbLpdZHS
  https://mpdtiw.am.files.1drv.com/y4mJYrNKi50QwA_4D2kFQ1obXvJGvka4_Aepi3gF9xIwvSduItdBQbjKsurMtjJwmEqon-FEWclF2tawlL_getvIRqrD7PGWwtpszBvM64c2z4g5jNuam15AXG5t-ks8HcXwers3rC2Zu_QeSB0SPd0zd-nV4osRn8fC9pvguJOqfWHgvaOaAgep8VT4XAuwS8PQL450gMztpxEvjWE6u4qZQ/Qorqwwjgxvvuezotsloiazwjlfrranh?download&psid=1
  https://onedrive.live.com/download?cid=5495F48E1F7898E3&resid=5495F48E1F7898E3%21116&authkey=AP3RqWxF2H8Kmj4
  https://mpdtiw.am.files.1drv.com/y4mJOoxPJribiJ-aSEneiHMYI3MTo8oKXFvAh3BnPfhB133CpfLraTAQRbykpPnKOfUF_ySNijPlCdzBXfAOry3_pYrx4iwYP6nhEhxFKVVZE5bw_4qWDRBV04siT86HHgf1OPGJdWjiojOeivhllaSWbkdCwZ4A7HQwioUSleEaX1FLAdv9h77_aB5Ma-13sYSNmZQxrVUN8qGhsSr-Exu7w/Qorqwwjgxvvuezotsloiazwjlfrranh?download&psid=1
Hosts (26):
  www.coachingbywatson.com(35.204.59.57)
  www.istanbulemlakgalerisi.online()
  www.digipoint-entertainment.com()
  www.angyfoods.com(77.68.118.64)
  www.progettogenesi.cloud(34.80.190.141)
  www.centercodebase.com(137.184.99.236)
  www.huakf.com(154.208.173.82)
  mpdtiw.am.files.1drv.com(13.107.42.12)
  www.kalaraskincare.com(34.102.136.180)
  www.timothyschmallrealt.com(34.68.234.4)
  onedrive.live.com(13.107.42.13) - malicious
  www.joy1263.com(45.116.161.174)
  www.septemberstockevent200.com(172.67.188.247)
  www.trashwasher.com(151.101.66.159)
  35.204.59.57
  34.68.234.4
  13.107.42.13 - malicious
  13.107.42.12 - malware
  34.102.136.180 - malicious
  61.4.115.183
  172.67.188.247
  77.68.118.64
  34.80.190.141 - malicious
  154.208.173.82
  137.184.99.236
  151.101.66.159 - malicious
IDS signatures (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed DNS Query to .cloud TLD
  ET INFO HTTP Request to Suspicious *.cloud Domain
  ET MALWARE FormBook CnC Checkin (GET)
Matched URL rules (2):
  http://www.septemberstockevent200.com/ht08/
  http://www.trashwasher.com/ht08/
Score: 8.0  Count: 6
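The URL and host fields above are the raw cell text the sandbox emits: URLs separated by spaces, an optional "- rule_id: N" hanging off a URL, hosts written as domain(resolved IP) or as bare IPs, and an optional "- malicious" / "- malware" feed annotation. Turning that into a deduplicated, defanged IOC list is the first thing an analyst does with a listing like this. The parser below is an added example written for this page; it is not the sandbox's own export code, and the field formats it assumes are inferred from the records shown here. The sample fields are copied from records 39932 and 39933 above (a subset, so the block stays short).

```python
"""Parse the sandbox listing's flattened URL / host cells into IOC records.

Added example for this page, not code from the sandbox. Assumed cell formats,
inferred from the listing:
  URL cell:  "<url> [- rule_id: <n>] <url> ..."
  Host cell: "<domain>(<ip-or-empty>) ... <ip> [- <annotation>] ..."
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Sample cells copied from records 39932 and 39933 of the listing above.
URL_FIELD = (
    "http://secure01-redirect.net/ga14/fre.php "
    "http://www.joy1263.com/ht08/?wP9=5zTHw+cMQysQB01avDS62dEk0lc83/+ymY2tuhZYuDPhhCZOWQyRnsgLnjpjzHaWki+k6UdA&lZQ=7nbLpdZHS "
    "http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS - rule_id: 6852 "
    "http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS"
)
HOST_FIELD = (
    "secure01-redirect.net(94.142.141.221) 94.142.141.221 "
    "www.istanbulemlakgalerisi.online() onedrive.live.com(13.107.42.13) - malicious "
    "13.107.42.12 - malware www.trashwasher.com(151.101.66.159) 151.101.66.159 - malicious"
)


@dataclass
class UrlIoc:
    url: str
    rule_id: Optional[int] = None          # sandbox URL-rule hit, if any
    tags: List[str] = field(default_factory=list)


@dataclass
class HostIoc:
    name: str            # domain, or the bare IP when the token was an IP
    ip: Optional[str]    # resolved IP; None when the sandbox recorded "()" (no resolution)
    tags: List[str] = field(default_factory=list)


_HOST = re.compile(r"^([^()\s]+)\(([^()]*)\)$")      # domain(ip) or domain()
_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")       # bare IPv4


def parse_urls(cell: str) -> List[UrlIoc]:
    """Split the URL cell; a '- rule_id: N' or '- word' token annotates the URL before it."""
    tokens, out, i = cell.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and out and i + 1 < len(tokens):
            if tokens[i + 1].endswith(":") and i + 2 < len(tokens):
                out[-1].rule_id = int(tokens[i + 2])
                i += 3
            else:
                out[-1].tags.append(tokens[i + 1])
                i += 2
            continue
        out.append(UrlIoc(tok))
        i += 1
    return out


def parse_hosts(cell: str) -> List[HostIoc]:
    """Split the host cell into domain(ip) / bare-IP entries with their annotations."""
    tokens, out, i = cell.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and out and i + 1 < len(tokens):
            out[-1].tags.append(tokens[i + 1])
            i += 2
            continue
        m = _HOST.match(tok)
        if m:
            out.append(HostIoc(m.group(1), m.group(2) or None))
        elif _IP.match(tok):
            out.append(HostIoc(tok, tok))
        else:
            raise ValueError(f"unrecognised host token: {tok!r}")
        i += 1
    return out


def defang(value: str) -> str:
    """hxxp://host[.]tld/... for URLs, host[.]tld for bare names (scheme and host only)."""
    if "://" in value:
        parts = urlsplit(value)
        prefix = parts.scheme + "://" + parts.netloc
        safe = parts.scheme.replace("http", "hxxp") + "://" + parts.netloc.replace(".", "[.]")
        return value.replace(prefix, safe, 1)
    return value.replace(".", "[.]")


def extract_iocs(url_cell: str, host_cell: str) -> Dict[str, object]:
    """Deduplicated IOC summary: URLs, domains (from both cells), IPs, feed flags, rule hits."""
    urls, hosts = parse_urls(url_cell), parse_hosts(host_cell)
    domains = {h.name for h in hosts if h.name != h.ip}
    domains |= {urlsplit(u.url).hostname for u in urls}
    return {
        "urls": sorted({u.url for u in urls}),
        "domains": sorted(domains),
        "ips": sorted({h.ip for h in hosts if h.ip}),
        "flagged": {h.name: h.tags for h in hosts if h.tags},
        "rule_hits": {u.url: u.rule_id for u in urls if u.rule_id is not None},
    }


if __name__ == "__main__":
    summary = extract_iocs(URL_FIELD, HOST_FIELD)
    for key in ("urls", "domains"):
        for item in summary[key]:
            print(key, defang(item))
    print("flagged", summary["flagged"])
    print("rule_hits", {defang(u): r for u, r in summary["rule_hits"].items()})
```

Two details matter when feeding this into a blocklist: a domain that the sandbox recorded as "()" still counts as an IOC (the DNS query happened even though nothing resolved), and the rule_id is attached to one copy of a URL that the listing repeats verbatim, so deduplication has to keep the annotated copy rather than whichever one comes first.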
#39934  2021-10-29 18:00  by ZeroCERT
File: awsa.exe  MD5: d23ca1a68c0067ad0bd32dda2109c7db
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (4):
  http://www.bikingforbalance.com/pufi/
  http://www.bikingforbalance.com/pufi/?lZB=UFQL6PspYVB8cBA&mfsl7bO=Fr21o2VXwBHdUIjOGFad3q3JfXi6eFqQm7z8TVFYWCMh3a0MtFC07bKzhrbkd9snJ3U+/qpR
  http://www.keepkalmm.com/pufi/
  http://www.keepkalmm.com/pufi/?mfsl7bO=jpp0dRjJ7WPRoxr8J+a3vnsmVYkdai/17tP3ql/CPwKNulj4w8lUkhnoLA0Uff//tgaFGZrE&lZB=UFQL6PspYVB8cBA
Hosts (8):
  www.keepkalmm.com(75.2.48.238)
  www.visionaryking83.com()
  www.northfacemall.online()
  www.rescueandrestoreministries.net(51.210.64.36)
  www.bikingforbalance.com(185.201.10.135)
  75.2.48.238
  51.210.64.36
  185.201.10.135
IDS signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score: 9.2  Count: 18
#39935  2021-10-29 17:55  by ZeroCERT
File: awsa.exe  MD5: d23ca1a68c0067ad0bd32dda2109c7db
Tags: PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself
Hosts (2):
  www.foreverphotos0910.net(216.239.36.21)
  www.course2millions.com()
Score: 7.8  Count: 18
#39936  2021-10-29 17:50  by ZeroCERT
File: .csrss.exe  MD5: c2c509a61a1d811d29ade6067e54c011
Tags: PWS Loki[b] Loki.m RAT Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
  http://secure01-redirect.net/ga14/fre.php
Hosts (1):
  secure01-redirect.net(94.142.141.221)
Score: 12.2  Count: 14
#39937  2021-10-29 16:53  by guest
File: 23410028317313.exe  MD5: f6b2bced4580a167eae96eb2c8501670
Tags: RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
Score: 9.8  Count: 20
#39938  2021-10-29 16:40  by guest
File: 23410028317313.tgz  MD5: 00ec9a97b93697a509ef1123e0b5704c
Tags: VirusTotal Malware
Score: 0.6  Count: 11
#39939  2021-10-29 15:03  by r0d
File: temp.dll  MD5: cd3e23cddeb92b7397eaf960da34c237
Tags: TA551 BazarLoader PE64 PE File DLL VirusTotal Malware Check memory ICMP traffic unpack itself Windows utilities WriteConsoleW Windows
Score: 3.4  Count: 14
39940 |
2021-10-29 14:16
|
pop-up_excel_calendar_setup.ex... aa1966419284a4a503c101bd7db7a2a0 RAT PWS .NET framework Gen1 Generic Malware Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 .NET EXE PE64 DLL GIF Format VirusTotal Malware MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Browser ComputerName |
|
|
|
|
7.0 |
|
3 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#39941  2021-10-29 11:06  by guest
File: stash-266976238.xls  MD5: 9c6aa1a04e32f40f6f0c0206a5f9a0b1
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
  https://ini-ippatmajalengka.com/9dv886HWC/l.html
  https://merwedding.com.tr/vckdH4zr1/l.html
  https://prestigeldnservices.co.uk/71RgP1QoL/l.html
Hosts (6):
  ini-ippatmajalengka.com(103.253.212.91)
  prestigeldnservices.co.uk(204.11.59.195)
  merwedding.com.tr(78.142.209.142)
  78.142.209.142 - malware
  204.11.59.195 - malicious
  103.253.212.91 - malicious
IDS signatures (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
Score: 3.6
#39942  2021-10-29 11:04  by guest
File: stash-266322727.xls  MD5: 6ad4c6c9e7f2a68596dc2c7cc7af10a8
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
  https://ini-ippatmajalengka.com/9dv886HWC/l.html
  https://merwedding.com.tr/vckdH4zr1/l.html
  https://prestigeldnservices.co.uk/71RgP1QoL/l.html
Hosts (6):
  ini-ippatmajalengka.com(103.253.212.91)
  prestigeldnservices.co.uk(204.11.59.195)
  merwedding.com.tr(78.142.209.142)
  78.142.209.142 - malware
  204.11.59.195 - malicious
  103.253.212.91 - malicious
IDS signatures (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
Score: 3.6
#39943  2021-10-29 10:50  by ZeroCERT
File: hta.hta  MD5: d12cde9ca145f75251c08af9cef0b7f3
Tags: NPKI AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
IDS signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 4.2  Count: 1
#39944  2021-10-29 10:10  by ZeroCERT
File: hta.hta  MD5: d12cde9ca145f75251c08af9cef0b7f3
Tags: NPKI AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed
Score: 4.2  Count: 1
#39945  2021-10-29 10:08  by ZeroCERT
File: temp.dll  MD5: 1788ff60c96f28ec0386a838edaa48fb
Tags: Malicious Library UPX PE64 PE File OS Processor Check DLL VirusTotal Malware unpack itself
Score: 1.0  Count: 2