| 44356 |
2024-05-17 09:16
|
 sharzx.scr 4eabadc99a3505b71e02e73c43bcddab
LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://193.238.153.15/evie1/five/fre.php
|
1
|
|
|
15.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44357 |
2024-05-17 09:17
|
 loudd.scr aab1d3c0633ee5a766395a51c4b4cf66
LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://rocheholding.top/evie3/five/fre.php
|
2
rocheholding.top(104.21.65.180) - malware
104.21.65.180
|
8
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
15.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44358 |
2024-05-17 09:17
|
beautifulthingshappeningonbeau... a75f66170a17551071949b1188489af1
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/Rpug4
http://107.173.4.20/todaywegobeautifulgirl.vbs
|
4
paste.ee(104.21.84.67) - mailcious
104.21.84.67 - malware
107.173.4.20 - malware
45.33.6.223
|
3
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44359 |
2024-05-17 09:17
|
 815abba63691f5311f254f757bad8b... e83ada5bc4a70e0802b8f35186758c81
Malicious Library Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself ComputerName |
|
|
|
|
2.6 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44360 |
2024-05-17 09:18
|
becauseofflowerwecantgivesucha... e050b72bd8f7f3c5a79af85cb1a1bd73
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
2
https://api.ipify.org/
http://107.172.130.130/grace.exe
|
3
api.ipify.org(104.26.13.205)
104.26.13.205
107.172.130.130 - malware
|
8
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44361 |
2024-05-17 09:19
|
todaywegobeautifulgirl.vbs 8ebbcf9f93c0c88b68945c48415f6d98VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper |
1
|
2
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44362 |
2024-05-17 09:20
|
evengwalkreallynicetodoforheal... 8c2e6ab3fa1fe129f426869952a3a1d8
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted ICMP traffic RWX flags setting exploit crash Tofsee Exploit DNS DDNS crashed |
2
http://equalizerrr.duckdns.org/eveningdatingforeveryone.js
https://paste.ee/d/6gQs6
|
4
equalizerrr.duckdns.org(107.173.4.20) - malware
paste.ee(172.67.187.200) - mailcious
104.21.84.67 - malware
107.173.4.20 - malware
|
5
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44363 |
2024-05-17 09:22
|
 pappayaicecreamisreallysweeett... 82a5c6f30b627b675e1443db29fc4401
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
https://paste.ee/d/9Z62y
http://45.33.50.155/70001/creamicecreamHDpicture.bmp
|
3
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
45.33.50.155 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44364 |
2024-05-17 09:23
|
 droidbase64controlfire.txt.exe 62407e6f5de13fbf40c50cfb124be93d
AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Browser Email ComputerName crashed |
1
http://ip-api.com/line/?fields=hosting
|
2
ip-api.com(208.95.112.1)
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
6.0 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44365 |
2024-05-17 09:26
|
 build.exe c616f203d102449f4f786727edd6db3f
Gen1 Generic Malware Malicious Library UPX Antivirus Malicious Packer Anti_VM PE64 PE File DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself DNS |
|
1
|
|
|
3.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44366 |
2024-05-17 09:27
|
 adminstor.exe 7578696faca7162febce592ab3c4c67b
Generic Malware Malicious Library Malicious Packer UPX Anti_VM PE File PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS crashed |
|
1
|
|
|
4.8 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44367 |
2024-05-17 09:30
|
 vpn-1002.exe 7282845f442c81d8f609bcc1a2853308
NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 PowerS VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
7
http://apps.identrust.com/roots/dstrootcax3.p7c
http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1002
https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1002
https://cdn-edge-node.com/online_security_mkl.exe
https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=458&c=1002
https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1002
|
12
cdn-edge-node.com(172.67.165.254)
240429000936002.mjt.kqri92.top(94.156.35.76)
d2iv78ooxaijb6.cloudfront.net(54.192.60.53)
adblock2024.shop(172.67.176.247)
d295fdouc92v9n.cloudfront.net(13.225.129.184)
172.67.165.254
54.192.60.39
104.21.43.83
13.225.129.128
101.42.35.39 - mailcious
179.43.158.2
121.254.136.9
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
|
12.4 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44368 |
2024-05-17 09:31
|
sheismybeautifulwifewholovedal... 9f23ffeb82b74830c9c26f7dd0a4f231
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed |
1
http://5.206.227.248/23009/smss.exe
|
1
5.206.227.248 - mailcious
|
2
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious smss.exe in URI
|
|
4.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44369 |
2024-05-17 09:33
|
morning_wednesdaydatingmango.v... 67173407dd0195a835a2e0b7f76df411VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper |
1
https://paste.ee/d/ougGo - rule_id: 39671
|
2
paste.ee(104.21.84.67) - mailcious
104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
|
10.0 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44370 |
2024-05-17 09:38
|
 ms.exe da982330a3e82337e9a2aacae9b285ba
PE64 PE File VirusTotal Malware unpack itself DNS crashed |
|
1
|
|
|
4.0 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|