40501 |
2021-10-18 18:01
|
lkki.exe f3301d2cf11d1d4884f4922ff204042b Loki PWS Loki[b] Loki.m Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://arku.xyz/w2/fre.php - rule_id: 6435
|
2
arku.xyz(104.21.30.161) - mailcious 172.67.173.58 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://arku.xyz/w2/fre.php
|
7.4 |
M |
63 |
ZeroCERT
40502 |
2021-10-18 17:58
|
invc_009030009.wbk ea27c453801a76553e850c260b6a288b RTF File doc FormBook Malware download Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader |
31
|
29
|
8
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
8
http://www.jellyice-tr.com/mxnu/ http://www.brandonhistoryandinfo.com/mxnu/ http://www.naplesconciergerealty.com/mxnu/ http://www.onehigh.club/mxnu/ http://www.onehigh.club/mxnu/ http://www.naplesconciergerealty.com/mxnu/ http://www.brandonhistoryandinfo.com/mxnu/ http://www.jellyice-tr.com/mxnu/
|
4.0 |
M |
|
ZeroCERT
40503 |
2021-10-18 17:54
|
RunPE.dll ef4602191703199ba701c12b66971c73 RAT Generic Malware Malicious Packer PE File PE32 .NET DLL DLL VirusTotal Malware PDB |
|
|
|
|
1.0 |
|
21 |
ZeroCERT
40504 |
2021-10-18 17:52
|
EU-Business-Register (1).pdf ad93c19fcd03385c359be007ee7631f8 PDF VirusTotal Malware unpack itself Windows utilities Windows |
|
|
|
|
1.8 |
|
1 |
guest
40505 |
2021-10-18 17:52
|
PO-15102021.xlsx 3649a4e4e640017f163b9f1f164a63b7 VirusTotal Malware Malicious Traffic RWX flags setting exploit crash unpack itself Exploit DNS crashed |
1
http://2.56.59.250/PHJ.exe
|
1
|
1
ET INFO Executable Download from dotted-quad Host
|
|
4.4 |
|
28 |
guest
40506 |
2021-10-18 16:12
|
vbc.exe 081964c37b284b77cd71ce356461d1a4 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
apps.identrust.com(119.207.65.137) pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious 182.162.106.26
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
M |
21 |
guest
40507 |
2021-10-18 15:55
|
vbc.exe 081964c37b284b77cd71ce356461d1a4 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
apps.identrust.com(119.207.65.137) pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious 121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
|
21 |
ZeroCERT
40508 |
2021-10-18 10:05
|
Update-KB4524143.ps1 ef3cff5072eb2e63a67c32f6ff699afb Generic Malware Antivirus VirusTotal Malware Check memory Checks debugger unpack itself ComputerName crashed |
|
|
|
|
2.4 |
M |
15 |
ZeroCERT
40509 |
2021-10-18 10:02
|
questioneer-pdf.js 93b27733d5e46b676eca9cf990652070 VirusTotal Malware WMI ComputerName |
|
|
|
|
1.6 |
|
15 |
ZeroCERT
40510 |
2021-10-18 09:53
|
e8084ec4de8c64eabd3169cee9ac27... 1c58be0a33997195e1e9dbc5b9298ec6 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware Check memory Check virtual network interfaces Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
apps.identrust.com(222.122.182.200) t.gogamec.com(172.67.204.112) 172.67.204.112 121.254.136.57
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
29 |
ZeroCERT
40511 |
2021-10-18 09:52
|
lv.exe e8719fad9816c40755e1c4821650e14b Themida Packer PE64 PE File VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
2.8 |
M |
30 |
ZeroCERT
40512 |
2021-10-18 09:49
|
aa.exe 4be25332520b26fccaf19093613142a8 RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
|
|
|
|
9.8 |
|
13 |
ZeroCERT
40513 |
2021-10-18 09:47
|
customer8.exe 0d00d5fc759ec02252080b3906e3f1cf Gen2 Gen1 ASPack Malicious Packer Malicious Library UPX PE64 PE File VirusTotal Malware PDB RCE |
|
|
|
|
1.8 |
M |
33 |
ZeroCERT
40514 |
2021-10-18 09:47
|
file.exe 137dd682930e7c176439f7ce3a614b6a Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
1.8 |
M |
28 |
ZeroCERT
40515 |
2021-10-18 09:45
|
cust9.exe 22f5d12116ee1c11f3173f977bafc744 Gen2 Gen1 ASPack Malicious Packer Malicious Library UPX PE64 PE File VirusTotal Malware PDB RCE |
|
|
|
|
2.0 |
M |
41 |
ZeroCERT