| 39976 |
2021-10-29 09:14
|
 pub3.exe dc0d13a11537c91ee0436e1cdaaef2ed
Generic Malware Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself RCE |
|
|
|
|
2.2 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39977 |
2021-10-29 09:13
|
 maxi.exe 1bcd242e21181da424e62eba71f13e1d
NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
3
http://www.skinpromelaka.com/dyh6/?tXU=r1WEwJI6U+VJeP6bM+vVAjaf5cE+e2ck5sKejeK8Jz1UX1ZVwLVUK5qASeGYHxK/W/J+g9Ox&UlSp=GVgT1hY8x6yXQt
http://www.klhcn.com/dyh6/?tXU=QJfkTbwg0uEmySK3KrbdDchdupippK/2Is82vyMjuQlTN9/UWGf/9z/norFUEOTmO+iBC3Fh&UlSp=GVgT1hY8x6yXQt
http://www.4pxshop.com/dyh6/?tXU=ntm2ZTI4g5cQhbWRMk1O8xwmxYBvjw0fH58qVVLRtQQKF9nwB6i3bkwWoo+tGLEMnprQxBoF&UlSp=GVgT1hY8x6yXQt
|
7
www.4pxshop.com(35.163.64.160)
www.bonitacandle.com()
www.klhcn.com(154.26.211.192)
www.skinpromelaka.com(142.250.196.115)
35.163.64.160
172.217.31.243
154.26.211.192
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39978 |
2021-10-29 09:13
|
 crocin.exe db030d5044011041bfb6d1a919337459
Themida Packer PE64 PE File VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
2.8 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39979 |
2021-10-29 09:11
|
 .csrss.exe 0a7a0226b591a93d521911b140c0ba11
PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://63.250.40.204/~wpdemo/file.php?search=9099522 - rule_id: 6600
|
1
63.250.40.204 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://63.250.40.204/~wpdemo/file.php
|
14.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39980 |
2021-10-29 09:10
|
 Mfile.exe 674fb73b1fd08e6778e47debcb1c3a6c
NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
3
http://www.entyrcrypto.com/btn2/?Bh=ACPkNsXTo6dilfq45Lra3uW/+TPD4AUv4Am4UzDI5UY8j0ej46TPxke+wVsBoD1KjZrSje0k&SzulsJ=9rV872vP_0fDj
http://www.greatdesigns.net/btn2/?Bh=ahXCd/GvrCToH6QNgUAz2eOIJc+aa9K5tSOdXWaZwg3Pe+PdCCKDxsMmVKTkbvQ4mmwbxnMF&SzulsJ=9rV872vP_0fDj
http://www.fluttermixtures.com/btn2/?Bh=RbtSph0VL15EBLRPHmyYLGfYbVcQX3SOUU6PUyI4zaQw+Nl5dejQmqICrMIftnxcgscMpiXv&SzulsJ=9rV872vP_0fDj
|
6
www.fluttermixtures.com(130.211.40.170)
www.greatdesigns.net(198.54.117.210)
www.entyrcrypto.com(64.68.200.44)
130.211.40.170 - mailcious
64.68.200.44
198.54.117.212 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.8 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39981 |
2021-10-29 09:08
|
 .wininit.exe 4f811d4d3659bf698a270ebea91dd3ed
Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
2
http://secure01-redirect.net/fd3/fre.php - rule_id: 6923
http://secure01-redirect.net/fd3/fre.php
|
2
secure01-redirect.net(94.142.141.221)
94.142.141.221
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://secure01-redirect.net/fd3/fre.php
|
12.8 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39982 |
2021-10-29 09:08
|
 oit9ql.jpg 0cfb719775ab7f2be4454602e6a51d90
Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.4 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39983 |
2021-10-29 09:06
|
 c8u1msi.jpg 2215b04e57387c4925aff75b65ce2fca
Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
1.4 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39984 |
2021-10-29 09:06
|
 .lsass.exe f6741a7f14669cbb4dffc16029381a91
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process AppData folder WriteConsoleW VMware anti-virtualization Windows ComputerName Cryptographic key Software crashed |
2
http://www.bookanyclick.com/hs3h/?JjUdE2=N2wrYjy29kSOT4NGIPQyaCDlzJzAe5M9Os8Vy9dsMfLAOBFmOT1VxF5pVFIYJ9imXQ6clAqp&lzul=z8oHnHbh3L
http://www.kagawa-rentacar.com/hs3h/?JjUdE2=MUcuOaoaWzdiqsc041tkxtCPxCWBE2NvTm+WO+dxYC+JZdi3iYXCypXvjqYhOL988ujoI2pK&lzul=z8oHnHbh3L
|
5
www.kagawa-rentacar.com(133.130.64.128)
www.bookanyclick.com(94.136.40.51)
www.torgetmc.xyz()
133.130.64.128 - mailcious
94.136.40.51 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
16.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39985 |
2021-10-29 07:56
|
 vbc.exe 8341a43885eb6960bd658ba5a1c8b84d
Malicious Library UPX PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Tofsee Windows DNS DDNS crashed |
3
https://onedrive.live.com/download?cid=4DFB187F341EBACF&resid=4DFB187F341EBACF%21164&authkey=AB6vf_RpiS-BZkA
https://pkc5hq.by.files.1drv.com/y4mvzsRcwXGDSbbaIRnJHJoy7rydv1mvZGvUJpoUdNzrZxzT50L19Wph96_2DA6hfmyi-su6AGdLXSBndNqYJz_bklxD9wT9Qe_mvrcJZ-C8AGVNG3aKny2ZgeSOtfCH9den21Vwp_cdPKF7UXwGbE2IyXXt6S5DmG3q9HkkhkX0pLOtVgKl_IEz6NUVlS3o_qvkRvDIt1nAEb6EcNkJUm-KQ/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
https://pkc5hq.by.files.1drv.com/y4mDWdC-H4D_BoPjpW5tZZG5TPbFf0FF-zxaibY2r4d7dPuPlTLE6jXIfMJrUs-VZ6Y2nxcu7AhEOjd0ZsCwKVF09E5Kw6lNiIQHALwKH7ZaGvuZVl1jJAeZP6y7-KCKXu-pARqtbA_1CgvSXhuQH_8JBEEghb1NCPjI35isq6BbLdHAohzji8w6f-jDMLvSrHWblDkH_UUsgPu_rgx-fOADg/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
|
9
onedrive.live.com(13.107.42.13) - mailcious
sheilabeltagy4m.hopto.org(23.105.131.236)
micheal3m.hopto.org(23.105.131.236)
johnie3m.hopto.org(23.105.131.236)
pkc5hq.by.files.1drv.com(13.107.42.12)
sugarcane.hopto.org()
13.107.42.13 - mailcious
13.107.42.12 - malware
23.105.131.236
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
|
11.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39986 |
2021-10-29 07:43
|
 InvoicePO102IndexLtdParamout.e... dc738e765ddc4e0a9663ca40239b7df9
RAT PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
8.8 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39987 |
2021-10-29 07:43
|
 rundll32.exe ad0e9142963cac524f3474d8f9b90a4f
RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
18
http://www.weeden.xyz/fqiq/ - rule_id: 6603
http://www.clinicscluster.com/fqiq/?jrTDmX=woKSgF6PWqdOVJ+XqLECyRzWT6gfRe7mgXg/479saEs9am2OBdXx0181fBs2SDsh/Ug2MjSj&p0D=QfrHnNSxqR0PU4N
http://www.healthyweekendtips.com/fqiq/?jrTDmX=nFNrhldW1G3Iuc6NBw1UbSwwpktYb/50pHeyo/0a7tjLnrEnAw7KG36PTjcGJ5KEduXnU9Wd&p0D=QfrHnNSxqR0PU4N - rule_id: 6446
http://www.srofkansas.com/fqiq/ - rule_id: 6445
http://www.hillcresthomegroup.com/fqiq/?jrTDmX=e8IUz+kyOysVBZlQ7dDPCxDZEZgLUw6RtmKaFnpypWcRg6rSNETXHzLpDmYSKaMDSlUjICSm&p0D=QfrHnNSxqR0PU4N - rule_id: 7070
http://www.hillcresthomegroup.com/fqiq/?jrTDmX=e8IUz+kyOysVBZlQ7dDPCxDZEZgLUw6RtmKaFnpypWcRg6rSNETXHzLpDmYSKaMDSlUjICSm&p0D=QfrHnNSxqR0PU4N
http://www.seal-brother.com/fqiq/ - rule_id: 6601
http://www.cotchildcare.com/fqiq/
http://www.cotchildcare.com/fqiq/?jrTDmX=OmCJUEnXV7P0Uz61PKp9U0DomyEu2+yoRYW3e87DTGJYrESr+zJ/zO0cOkjAwmwmSmwGprfn&p0D=QfrHnNSxqR0PU4N
http://www.hartfulcleaning.com/fqiq/?jrTDmX=uHvuYmjit4fallNp1Ej7vtyQWzU3HFRSMqXztfeWYNDOTP1U0scGwGT4FHCGKhM8svXnQnS7&p0D=QfrHnNSxqR0PU4N
http://www.srofkansas.com/fqiq/?jrTDmX=wFDpWBcybTtkZf6rJwxG8GxnrXCHdVwe5dpvC2P+G/35kvGl/Iz1QduPYt3eFaCRSD2mr4cI&p0D=QfrHnNSxqR0PU4N - rule_id: 6445
http://www.healthyweekendtips.com/fqiq/ - rule_id: 6446
http://www.seal-brother.com/fqiq/?jrTDmX=mnFbYCr+AW78Kl2ulk1rPiA6Of2qOAThWlvrEIJbjMlKOtQ7tqTA3v+J7YK2FP1KSWelWkwc&p0D=QfrHnNSxqR0PU4N - rule_id: 6601
http://www.clinicscluster.com/fqiq/
http://www.hillcresthomegroup.com/fqiq/ - rule_id: 7070
http://www.hillcresthomegroup.com/fqiq/
http://www.hartfulcleaning.com/fqiq/
http://www.weeden.xyz/fqiq/?jrTDmX=USYLug/oA1YO3zHhBpyf49MelhMmknrjwB+F0T6I7p0aWr8Ic8GlSHHjxu6xNcH2bdjI/bcO&p0D=QfrHnNSxqR0PU4N - rule_id: 6603
|
16
www.healthyweekendtips.com(172.67.216.2)
www.hartfulcleaning.com(34.80.190.141)
www.clinicscluster.com(34.102.136.180)
www.srofkansas.com(199.59.242.153)
www.seal-brother.com(59.106.13.53)
www.hillcresthomegroup.com(3.33.152.147)
www.cotchildcare.com(199.59.242.153)
www.controldatasa.com()
www.weeden.xyz(192.185.5.49)
172.67.216.2
15.197.142.173
34.102.136.180 - mailcious
192.185.5.49 - mailcious
199.59.242.153 - mailcious
59.106.13.53 - mailcious
34.80.190.141 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
10
http://www.weeden.xyz/fqiq/
http://www.healthyweekendtips.com/fqiq/
http://www.srofkansas.com/fqiq/
http://www.hillcresthomegroup.com/fqiq/
http://www.seal-brother.com/fqiq/
http://www.srofkansas.com/fqiq/
http://www.healthyweekendtips.com/fqiq/
http://www.seal-brother.com/fqiq/
http://www.hillcresthomegroup.com/fqiq/
http://www.weeden.xyz/fqiq/
|
8.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39988 |
2021-10-29 07:36
|
invc_0070032233.wbk cf62058e0e077981fa8535c0d47f12ea
RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Windows Exploit DNS DDNS crashed Downloader |
4
http://23.106.223.27/vbc.exe
https://onedrive.live.com/download?cid=4DFB187F341EBACF&resid=4DFB187F341EBACF%21164&authkey=AB6vf_RpiS-BZkA
https://pkc5hq.by.files.1drv.com/y4mXHvA4annmU58YyoOm5IbUsOjHQkt8q8czhufn7SvhH_9ENeZ-hZCEVtU8HfJcyZqybwtJhT99lOdljmUKIJV6mEDjvRJN7qaSuTHjHe0P1Uks0H3eThDcBWxr_GDuW5ssjF1L07fN6gOidautQhhbxAbZRDoxBKxbzH3LFBtezqfaA5PtN-orcz2O8r_j7cZsCvccczTmxYMdT99EAN2XQ/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
https://pkc5hq.by.files.1drv.com/y4mbAoLripoDP3gbIunXf6AhB9wxgfIIoSbjKMJfKMtjRD33rmLjnaP5rsqgnEP1T6_Bdb2MUO_hsDTIM1sHFVa3ef8ahu_e_3RkXt2wnnhpDIEFjkcRXiurYGt-QnwFtyGNWMEdG4wfsEmrYjQkmSI7A3RWRn5ab-Q2d9vhvXn9hv63QOUhRmJ_nqqZ6NNjqH_lhDWSLFYs9j6TXFBQCTb8w/Wavmshxufsmxmzgeagkcmionbjxpadt?download&psid=1
|
10
onedrive.live.com(13.107.42.13) - mailcious
sheilabeltagy4m.hopto.org(23.105.131.236)
micheal3m.hopto.org(23.105.131.236)
johnie3m.hopto.org(23.105.131.236)
pkc5hq.by.files.1drv.com(13.107.42.12)
sugarcane.hopto.org()
13.107.42.13 - mailcious
13.107.42.12 - malware
23.106.223.27
23.105.131.236
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DNS Query to DynDNS Domain *.hopto .org
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39989 |
2021-10-29 07:36
|
 vbc.exe 1b4af97e5bb29267e445511854e12b87
Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://bobbyelectronics.xyz/five/fre.php - rule_id: 6744
|
2
bobbyelectronics.xyz(104.21.92.21) - mailcious
104.21.92.21 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://bobbyelectronics.xyz/five/fre.php
|
12.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39990 |
2021-10-28 18:26
|
Payment_Receipt_ 1791.xls c2889891f65e5dec8038d662a03bb2a5
VBA_macro Generic Malware KeyLogger ScreenShot AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself |
|
|
|
|
2.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|