ID 40636 | 2021-10-14 17:22
File: ETH2.exe
MD5: 13003cbfb6d2adfeea85952f8172c4f7
Tags: PE64, PE File, VirusTotal, Malware
1.2 | M | 25 | ZeroCERT

ID 40637 | 2021-10-14 17:20
File: vbc.exe
MD5: 70d177abc7455c709ae9710630b9ea49
Tags: Loki, NSIS, UPX, Malicious Library, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
Hosts (2):
  74f26d34ffff049368a6cff8812f86ee.gq(104.21.62.32) - mailcious
  104.21.62.32 - mailcious
Alerts (10):
  ET INFO DNS Query for Suspicious .gq Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.gq domain
  ET INFO HTTP Request to a *.gq domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
1 | http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
10.4 | M | 29 | ZeroCERT

ID 40638 | 2021-10-14 17:19
File: dow.exe
MD5: 481cc004b81afcb1ec10bb9985cc402b
Tags: Malicious Packer, Malicious Library, PE64, PE File, VirusTotal, Malware, Code Injection, buffers extracted
3.0 | M | 33 | ZeroCERT

ID 40639 | 2021-10-14 16:57
File: WT_03986354356-39876354533.exe
MD5: ca49afc18eb80ac0e4c784b3d093767d
Tags: PWS, .NET framework, Generic Malware, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Malware download, Nanocore, VirusTotal, Malware, c&c, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, DDNS
Hosts (2):
  1116.hopto.org(185.140.53.9) - mailcious
  185.140.53.9 - mailcious
Alerts (2):
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
  ET MALWARE Possible NanoCore C2 60B
13.2 | | 16 | ZeroCERT

ID 40640 | 2021-10-14 16:55
File: UFC~0398763535603876534536789....
MD5: c1bd58337e98aec86544e0dd33924e61
Tags: PWS, .NET framework, Generic Malware, UPX, DNS, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, .NET EXE, Malware download, Nanocore, VirusTotal, Malware, c&c, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, DDNS
Hosts (2):
  1116.hopto.org(185.140.53.9) - mailcious
  185.140.53.9 - mailcious
Alerts (2):
  ET MALWARE Possible NanoCore C2 60B
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
13.2 | | 10 | ZeroCERT

ID 40641 | 2021-10-14 16:54
File: Ord20211310570045368964AL.exe
MD5: 0cb1c28aaae7fb100c41281e5c9b6c2b
Tags: RAT, PWS, .NET framework, Generic Malware, task schedule, Antivirus, AntiDebug, AntiVM, PE File, PE32, .NET EXE, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, DDNS
Hosts (2):
  aliensoldier.duckdns.org(194.127.178.3)
  194.127.178.3
Alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
12.4 | | 10 | ZeroCERT

ID 40642 | 2021-10-14 16:53
File: Ord20211310570045368963AC.exe
MD5: f6fde8532e45bb49f3220e64c10d11a1
Tags: RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, PE32, .NET EXE, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself
URLs (5):
  http://www.partnerbebefits.com/gab8/?GPJ=V0qvKrnMUJDi81wWgfCGXFlKI9Inm7hsI52w8XiW782EdtYgyy70qnkOHaG3FEy6fk+0RrrY&oX=Txo8nZfhzrhh
  http://www.boraeresici.com/gab8/?GPJ=C6SAXr8o/G/VasXP2qBsDB1rn5jVEpLr3WZGajDPG/enBmYnBlFkkW82TIheSrxSSIWa+io/&oX=Txo8nZfhzrhh
  http://www.royzoom.com/gab8/?GPJ=ZIawR5WdNK8LsYg64y/ZuRppdufcVyCLEEhqXcgQhf+tR4phV0yge9w0mkSWMgIPzVTRYdnK&oX=Txo8nZfhzrhh
  http://www.happyklikshop.com/gab8/?GPJ=mENu3k3BXCWZ2Tc/aQbax23yXM1wufSrwsbmwarZbMNjditOASquAUrBwrS1LEID6g38HMxw&oX=Txo8nZfhzrhh
  http://www.aucoeurducadeau.com/gab8/?GPJ=5qlSZ+6CVF2mMX6CKg0IqzY1EC3Y5wWy7JN18ATTVTS3aqcQwyHFrUSTTu0cVUImGKaDUota&oX=Txo8nZfhzrhh
Hosts (13):
  www.boraeresici.com(92.223.73.24)
  www.royzoom.com(184.168.131.241)
  www.aucoeurducadeau.com(213.186.33.5)
  www.fullamodatoptan.com()
  www.happyklikshop.com(109.106.253.204)
  www.babyfloki.tech()
  www.schnurrgallery.com()
  www.partnerbebefits.com(103.224.182.242)
  184.168.131.241 - mailcious
  213.186.33.5 - mailcious
  109.106.253.204
  92.223.73.24
  103.224.182.242 - phishing
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  SURICATA HTTP Unexpected Request body
8.6 | | 10 | ZeroCERT

ID 40643 | 2021-10-14 16:52
File: New Order.exe
MD5: 76ce20e50cfef6b8e5397b581105ba95
Tags: PWS, .NET framework, Generic Malware, UPX, Antivirus, DNS, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, .NET EXE, Malware download, Nanocore, Malware, c&c, powershell, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, Cryptographic key, DDNS
Hosts (3):
  luf.ddns.net(79.134.225.71) - mailcious
  79.134.225.71 - mailcious
  37.235.1.174 - mailcious
Alerts (2):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET MALWARE Possible NanoCore C2 60B
14.8 | | | ZeroCERT

ID 40644 | 2021-10-14 16:50
File: IMG.00000201419.PNG.scr
MD5: 664d73b23eddfcd0227786b9d0f5d022
Tags: Gen2, Gen1, Generic Malware, UPX, Malicious Library, DNS, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, VirusTotal, Malware, Buffer PE, AutoRuns, PDB, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, RCE, DNS, DDNS, crashed
Hosts (3):
  strongodss.ddns.net(197.210.84.249) - mailcious
  185.19.85.175 - mailcious
  197.210.84.249
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
16.0 | | 29 | ZeroCERT

ID 40645 | 2021-10-14 16:50
File: KRSEL0000056286.JPG.scr
MD5: d6f040b4d7d217b8525dff843feba635
Tags: Gen2, Gen1, Generic Malware, UPX, Malicious Library, DNS, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, VirusTotal, Malware, Buffer PE, AutoRuns, PDB, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, RCE, crashed
13.2 | | 43 | ZeroCERT

ID 40646 | 2021-10-14 16:47
File: EXPORT DOCUMENTS_CMR_INVOICE_I...
MD5: 0a3212c04eeaed201c4038ab6dd3631b
Tags: Generic Malware, UPX, Antivirus, DNS, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, .NET EXE, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, Cryptographic key, DDNS
Hosts (3):
  accept.ddns.net(197.210.55.106) - mailcious
  197.210.55.106
  37.235.1.174 - mailcious
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
14.2 | | | ZeroCERT

ID 40647 | 2021-10-14 16:47
File: 1.dll
MD5: a3dfaa6badd480c93af825510e7cd1d2
Tags: UPX, Malicious Library, PE64, PE File, OS Processor Check, DLL, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, crashed
2.6 | | 8 | ZeroCERT

ID 40648 | 2021-10-14 16:45
File: Advice from Standard Chartered...
MD5: 57b0ad14b76c30bdaef9b5c06028a746
Tags: RAT, PWS, .NET framework, Generic Malware, Antivirus, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Malware download, Nanocore, VirusTotal, Malware, c&c, powershell, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, Cryptographic key, DDNS, crashed
Hosts (3):
  tochi.ddns.net(194.5.98.11)
  37.235.1.174 - mailcious
  194.5.98.11 - mailcious
Alerts (2):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET MALWARE Possible NanoCore C2 60B
14.2 | | 20 | ZeroCERT

ID 40649 | 2021-10-14 16:45
File: Documents.lnk
MD5: db8f42a798dd65d9bd8398c3e2564f06
Tags: Generic Malware, AntiDebug, AntiVM, GIF Format, VirusTotal, Malware, Code Injection, Creates shortcut, unpack itself, crashed
2.4 | | 8 | ZeroCERT

ID 40650 | 2021-10-14 16:16
File: art-718184786.xls
MD5: a9e51062b4512cfb98065c71ce7b2605
Tags: Downloader, MSOffice File, ICMP traffic, RWX flags setting, unpack itself, suspicious process, Tofsee
URLs (4):
  http://x1.i.lencr.org/
  https://bostonavenue.org/zunSJE0UYwbJ/sunise.html
  https://pmqdermatology.com.au/0aafNmAW9/suraise.html
  https://funzy.id/0KICC3zxK2nT/sunraie.html
Hosts (8):
  pmqdermatology.com.au(101.0.119.207)
  x1.i.lencr.org(104.76.75.146)
  funzy.id(194.233.72.245)
  bostonavenue.org(216.172.187.35)
  101.0.119.207 - mailcious
  194.233.72.245
  104.74.211.103
  216.172.187.35
Alerts (4):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
4.8 | | | guest