| 41446 |
2021-09-17 10:00
|
 ftp.exe 6e50112832160134bc11782d9fe9cadc
Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself RCE |
|
|
|
|
2.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41447 |
2021-09-17 09:59
|
 MVTT.exe 7bc69f6fac0d853781b1a72cba8c770f
Generic Malware Antivirus PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName Cryptographic key |
|
|
|
|
6.0 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41448 |
2021-09-17 09:57
|
 .audiodg.exe b89f8038f53ffc8982d8e25a420dd29e
PWS Loki[b] Loki.m .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://136.243.159.53/~element/page.php?id=484 - rule_id: 5135
|
2
185.251.89.230
136.243.159.53 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://136.243.159.53/~element/page.php
|
13.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41449 |
2021-09-17 09:56
|
 vbc.exe be72c9c102de48a6b9158380af41e609
Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41450 |
2021-09-17 09:54
|
 invoice.wbk dba69da87a497561022dff1ec7b1631c
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://checkvim.com/fd4/fre.php - rule_id: 5139
|
3
checkvim.com(185.251.89.230) - mailcious
185.251.89.230
103.155.80.150 - malware
|
13
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://checkvim.com/fd4/fre.php
|
5.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41451 |
2021-09-17 09:54
|
 lmao.exe f8fdcd124427dfb121cc885083977607
RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName |
|
2
raw.githubusercontent.com(185.199.108.133) - malware
185.199.110.133 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41452 |
2021-09-17 09:53
|
 VHGVC-4.exe 422280cacdf29241ea5342cbf43721d5
PWS .NET framework Generic Malware Antivirus PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger WMI Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
2
Google.com(142.250.196.110)
142.250.66.142
|
|
|
8.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41453 |
2021-09-17 09:52
|
 dsf.wbk b173278a101f7c26ea90d923613fcbba
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
2
http://103.155.80.150/kfc/vbc.exe
http://checkvim.com/fd4/fre.php - rule_id: 5139
|
3
checkvim.com(185.251.89.230) - mailcious
185.251.89.230
103.155.80.150 - malware
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://checkvim.com/fd4/fre.php
|
5.6 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41454 |
2021-09-17 09:51
|
 Anye.exe 16e153201be41825d56aaeac47183efd
Gen1 UPX Admin Tool (Sysinternals etc ...) Malicious Library Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiV Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName RCE DNS crashed Password |
10
http://103.141.138.110/p2//1.jpg
http://103.141.138.110/p2//3.jpg
http://103.141.138.110/p2/
http://103.141.138.110/p2//4.jpg
http://103.141.138.110/p2//6.jpg
http://103.141.138.110/p2//main.php
http://103.141.138.110/p2//2.jpg
http://103.141.138.110/p2//5.jpg
http://103.141.138.110/p2//7.jpg
https://cdn.discordapp.com/attachments/780223158832988201/887956878448005120/Ymwqrsxzevnppmpppdsvbqpnbpgrjoj
|
3
cdn.discordapp.com(162.159.133.233) - malware
103.141.138.110
162.159.134.233 - malware
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41455 |
2021-09-17 09:50
|
 vbc.exe 50f9407000cb612b401aaddd94cfda0b
Loki PWS Loki[b] Loki.m .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://checkvim.com/fd7/fre.php - rule_id: 5250
|
2
checkvim.com(185.251.89.230) - mailcious
185.251.89.230
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://checkvim.com/fd7/fre.php
|
11.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41456 |
2021-09-17 09:47
|
 SJFIIEESD-6.exe efa7b4d2183d6e526cf2b9bc57e4fda5
RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces suspicious TLD Tofsee DNS |
|
2
greencodeteam.top(179.43.140.185)
179.43.140.185
|
2
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41457 |
2021-09-17 09:47
|
 11.html f0afc8b55366e5ef6483bfb76429b44b
Antivirus AntiDebug AntiVM MSOffice File PNG Format Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
22
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://fonts.googleapis.com/css?family=Open+Sans:300
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
https://www.google-analytics.com/analytics.js
https://www.blogger.com/img/share_buttons_20_3.png
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Ftupalamagaytalullamyra.blogspot.com%2Fp%2F11.html&type=blog&bpli=1
https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
https://www.google.com/css/maia.css
https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
https://www.blogger.com/img/blogger-logotype-color-black-1x.png
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://tupalamagaytalullamyra.blogspot.com/p/11.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://tupalamagaytalullamyra.blogspot.com/p/11.html%26type%3Dblog%26bpli%3D1&passive=true&go=true
https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=6774392999284712153&zx=925ee028-4325-412f-b69e-173d5765dd73
https://www.blogger.com/blogin.g?blogspotURL=https://tupalamagaytalullamyra.blogspot.com/p/11.html&type=blog
https://www.blogger.com/static/v1/widgets/4164007864-widgets.js
https://resources.blogblog.com/img/icon18_edit_allbkg.gif
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
|
16
resources.blogblog.com(172.217.175.41)
www.google.com(142.250.199.100)
www.gstatic.com(172.217.175.35)
fonts.googleapis.com(216.58.197.234)
accounts.google.com(142.250.196.109)
www.google-analytics.com(142.250.196.142)
fonts.gstatic.com(216.58.220.99)
www.blogger.com(172.217.175.41)
142.250.204.141
216.58.200.78
216.58.200.68
142.250.204.105
142.250.66.35
142.250.66.74
142.250.66.73
142.250.66.67
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41458 |
2021-09-17 09:47
|
 aje.exe e4ddcfa1589fd52face01d5c9d76a527
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
|
|
|
|
8.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41459 |
2021-09-17 09:45
|
 vbc.exe 7789bd4d79ad897126a68bf3e74f4e1b
Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself RCE |
|
|
|
|
2.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41460 |
2021-09-17 09:25
|
Проверка Сотрудников.docx... 41dacae2a33ee717abcc8011b705f2cb
Word 2007 file format(docx) VirusTotal Malware MachineGuid Check memory RWX flags setting unpack itself GameoverP2P Zeus ComputerName Trojan Banking |
1
http://trendparlye.com/wiki0509.html
|
1
|
|
|
4.6 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|