| 39961 |
2021-10-29 09:38
|
 ens.exe e38e18c6b8fc1f9abd0ed7ce9aa45fda
Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself RCE |
|
|
|
|
2.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39962 |
2021-10-29 09:37
|
 EgAXWEL.exe a21083e3799762685013f624ef688c60
Emotet NPKI Malicious Library UPX Anti_VM Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PE File Browser Info Stealer Malware download VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check SectopRAT Windows Browser Backdoor ComputerName RCE DNS Cryptographic key crashed |
1
|
4
eth0.me(5.132.162.27)
MhwAjjBLPUoogFMX.MhwAjjBLPUoogFMX()
195.2.93.45
5.132.162.27
|
1
ET MALWARE Arechclient2 Backdoor CnC Init
|
|
16.6 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39963 |
2021-10-29 09:36
|
 A540bo3mQDlYqpH30620D.exe 781fb23a988efab21e4ab321aa932b09
RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39964 |
2021-10-29 09:34
|
 bin.exe cf7c842dfbf541a670dc5bc914516847
RAT Generic Malware UPX PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key |
1
https://cdn.discordapp.com/attachments/893177342426509335/903191029929361409/D39069DB.jpg
|
2
cdn.discordapp.com(162.159.129.233) - malware
162.159.135.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39965 |
2021-10-29 09:34
|
 pd.exe c7b844578dca69166f414ea0c28e0384
PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself |
|
|
|
|
4.8 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39966 |
2021-10-29 09:34
|
 out.exe 671eb2b7682de507f36f6d57ca812b1c
RAT Generic Malware UPX AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself ComputerName |
18
http://www.lsurpriseremix.com/n8cr/
http://www.darbodrum.com/n8cr/
http://www.faceandco.clinic/n8cr/?BRjh4D=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&J46Tz=ARm8z0bxQhIX40p0
http://www.karasevda-jor.com/n8cr/
http://www.dellmoor.com/n8cr/
http://www.dellmoor.com/n8cr/?BRjh4D=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&J46Tz=ARm8z0bxQhIX40p0
http://www.darbodrum.com/n8cr/?BRjh4D=T+43WvBYMdJLICdHER7Vh+npS79zyp/w75kxuBQaM8fxzFFFouNajkHoX08VqhRgIXT2st/E&J46Tz=ARm8z0bxQhIX40p0
http://www.karasevda-jor.com/n8cr/?BRjh4D=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&J46Tz=ARm8z0bxQhIX40p0
http://www.equityreleaseshelpukweb.com/n8cr/?BRjh4D=4bZxzaC+6Rb3KtW25UC3MyfmF9MiGl1RBuRXSALb6XsaDdV8S10uPqd/+3Q9Cm1C2PxTwzjc&J46Tz=ARm8z0bxQhIX40p0
http://www.isearchpartner.agency/n8cr/?BRjh4D=dcLZxWQ2Dmoyk8mqq6WD24qjgh46lJJJRLC+7rDi3CpeHO6n9MooORgZ9Lo+BmkGFEyIoRDx&J46Tz=ARm8z0bxQhIX40p0
http://www.godigitalwithpavitra.com/n8cr/?BRjh4D=a9TTiAQoSZyTC7GXXz2Ohzovp/Ry6CXzaHOI8WyuEjRkeLOQXnugV1U05qQEj2Q0jUP0bscA&J46Tz=ARm8z0bxQhIX40p0
http://www.lsurpriseremix.com/n8cr/?BRjh4D=XzOg4GGspAuq6nf8uDT5TwmLIGm0ISQBGrPKd4tivxqgqHyPi/4MDIH5AgR9gjZsPv1AGLX4&J46Tz=ARm8z0bxQhIX40p0
http://www.equityreleaseshelpukweb.com/n8cr/
http://www.isearchpartner.agency/n8cr/
http://www.faceandco.clinic/n8cr/
http://www.pharmasolutionspr.net/n8cr/
http://www.pharmasolutionspr.net/n8cr/?BRjh4D=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&J46Tz=ARm8z0bxQhIX40p0
http://www.godigitalwithpavitra.com/n8cr/
|
20
www.isearchpartner.agency(34.102.136.180)
www.darbodrum.com(52.58.78.16)
www.equityreleaseshelpukweb.com(185.53.179.93)
www.istesdesv.xyz()
www.radiesn.store()
www.mistikistapp.xyz()
www.karasevda-jor.com(151.101.130.199)
www.twdesignacreation.com()
www.recifetopschoolteacher.com()
www.faceandco.clinic(34.102.136.180)
www.lbsp3.xyz()
www.lsurpriseremix.com(3.64.163.50)
www.godigitalwithpavitra.com(34.102.136.180)
www.dellmoor.com(34.102.136.180)
www.pharmasolutionspr.net(34.102.136.180)
185.53.179.93
52.58.78.16 - mailcious
34.102.136.180 - mailcious
3.64.163.50 - mailcious
151.101.130.199
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39967 |
2021-10-29 09:32
|
 kon.exe d013f086c852f0855b884b09d6273894
NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
9.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39968 |
2021-10-29 09:31
|
 ss.exe be4f9863a63917e9e55cf5350c617363
RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName |
16
http://www.lsurpriseremix.com/n8cr/
http://www.hotdog-dsk.com/n8cr/?MZkp=Z32XtU2gJD8QlYHCpGU25AoHfOj1Vai+ydW2dyi6BZYO/QaiHIKk0xLuZohE2ORJnmFcb6fb&U4kp=Ntx0ULGP4BTDMV0
http://www.darbodrum.com/n8cr/
http://www.dellmoor.com/n8cr/
http://www.dellmoor.com/n8cr/?MZkp=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&U4kp=Ntx0ULGP4BTDMV0
http://www.189montreal.com/n8cr/?MZkp=fudlFknPfRUBIPges38R/P7W6JXx2qm+9H/4l6uL9UhaDiAq0zFN72YOPos0aTmlI8/mdbxG&U4kp=Ntx0ULGP4BTDMV0
http://www.pharmasolutionspr.net/n8cr/?MZkp=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&U4kp=Ntx0ULGP4BTDMV0
http://www.faceandco.clinic/n8cr/?MZkp=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&U4kp=Ntx0ULGP4BTDMV0
http://www.189montreal.com/n8cr/
http://www.darbodrum.com/n8cr/?MZkp=T+43WvBYMdJLICdHER7Vh+npS79zyp/w75kxuBQaM8fxzFFFouNajkHoX08VqhRgIXT2st/E&U4kp=Ntx0ULGP4BTDMV0
http://www.karasevda-jor.com/n8cr/?MZkp=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&U4kp=Ntx0ULGP4BTDMV0
http://www.hotdog-dsk.com/n8cr/
http://www.lsurpriseremix.com/n8cr/?MZkp=XzOg4GGspAuq6nf8uDT5TwmLIGm0ISQBGrPKd4tivxqgqHyPi/4MDIH5AgR9gjZsPv1AGLX4&U4kp=Ntx0ULGP4BTDMV0
http://www.faceandco.clinic/n8cr/
http://www.pharmasolutionspr.net/n8cr/
http://www.karasevda-jor.com/n8cr/
|
21
www.karasevda-jor.com(151.101.194.199)
www.makeithappenshow.com()
www.istesdesv.xyz()
www.mistikistapp.xyz()
www.faceandco.clinic(34.102.136.180)
www.twdesignacreation.com()
www.darbodrum.com(52.58.78.16)
www.lbsp3.xyz()
www.javcricket.com()
www.dangkytrasauviettel360.club()
www.hotdog-dsk.com(185.182.56.12)
www.dellmoor.com(34.102.136.180)
www.lsurpriseremix.com(3.64.163.50)
www.pharmasolutionspr.net(34.102.136.180)
www.189montreal.com(3.33.152.147)
52.58.78.16 - mailcious
15.197.142.173
34.102.136.180 - mailcious
151.101.66.199
3.64.163.50 - mailcious
185.182.56.12
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39969 |
2021-10-29 09:29
|
 trze3v.tar 8c6258bd9f567fed899aeb3f68aaa861
Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.4 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39970 |
2021-10-29 09:27
|
 vbc.exe cb37241bc90fefcc0d61becffbe4d1ce
Loki NSIS Generic Malware Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
|
2
74f26d34ffff049368a6cff8812f86ee.gq() - mailcious
104.21.62.32 - mailcious
|
10
ET INFO DNS Query for Suspicious .gq Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.gq domain
ET INFO HTTP Request to a *.gq domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
|
10.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39971 |
2021-10-29 09:27
|
 ss.exe b2ae544b04a0936cd1ac3ca6783cf134
PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://lokich.xyz/icecobe/so/ui.php
|
3
lokich.xyz(172.67.149.73) - mailcious
45.36.99.184 - mailcious
104.21.79.226 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.8 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39972 |
2021-10-29 09:24
|
 pig.dll 5adaaad9852f8358aeeb367f1cd26b76
Emotet Gen1 Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://45.36.99.184/rob137/TEST22-PC_W617601.D16DDEB5BBD8D1502A3365011B6BB3B6/5/file/
|
5
128.201.76.252 - mailcious
46.99.175.149 - mailcious
216.166.148.187 - mailcious
45.36.99.184 - mailcious
185.56.175.122 - mailcious
|
4
ET CNC Feodo Tracker Reported CnC Server group 10
ET CNC Feodo Tracker Reported CnC Server group 4
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
8.6 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39973 |
2021-10-29 09:21
|
 vbc.exe 0c8a26b69495724a46d7299ed9a8dd69
RAT PWS .NET framework Generic Malware DNS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed |
|
|
|
|
11.2 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39974 |
2021-10-29 09:19
|
 vbc.exe 1d03eee90db5e3881e7111490bd0d76d
PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://gridnetworks.xyz/five/fre.php
|
2
gridnetworks.xyz(172.67.209.118)
104.21.16.10
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
12.4 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39975 |
2021-10-29 09:17
|
 dllhost.exe fdebcac35105439faeecb9658e617a8c
PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
1
http://www.libertyquartermaster.com/kzk9/?1bxdAHD=lQWMBkwrhmWz63jtUzXLTMN6LJKSSp5MpzhCN2bai0hlUDGE91c1O/aLF41w75q/inmarkMn&LZa0=kJEXUjV
|
3
www.forschungsraumtheater.com()
www.libertyquartermaster.com(199.34.228.164)
199.34.228.164
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|