| 45586 |
2021-05-01 08:53
|
 catalog-1536346655.xlsm 7e36921c2e411e6147b1e12c6e9abd37
Check memory unpack itself Tofsee DNS crashed |
|
4
legalopspr.com(192.185.20.98) - mailcious
dentistelmhurstny.com(192.185.5.2) - mailcious
192.185.20.98 - phishing
192.185.5.2 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45587 |
2021-05-01 08:53
|
 catalog-1539950969.xlsm fbd50cca96787817cc8ec7c5895da104
VirusTotal Malware Check memory unpack itself Tofsee crashed |
|
4
legalopspr.com(192.185.20.98) - mailcious
dentistelmhurstny.com(192.185.5.2) - mailcious
192.185.20.98 - phishing
192.185.5.2 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
|
6 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45588 |
2021-04-30 18:14
|
 vbc.exe 877d8424f6d09301998cf3840c42dcb9
AsyncRAT backdoor Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
2.4 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45589 |
2021-04-30 18:12
|
 IMG_0540001825.exe fd0e7153869bad651ae4ae4f1dbef3da
AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware malicious URLs Browser ComputerName crashed |
|
1
|
|
|
3.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45590 |
2021-04-30 18:10
|
 Szakur.exe 6293b2f51ac52c926cfc5f87775a21fa
PWS Loki AsyncRAT backdoor .NET framework AgentTesla DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://209.141.50.70/PV/300/pin.php
|
1
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
8.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45591 |
2021-04-30 18:08
|
 svch.exe 3722c9a2efe69886e53ef37bebcee669
Loki PE File PE32 DLL OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software |
1
http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
|
2
meirback.co.uk(104.21.8.2) - mailcious
172.67.156.147 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://meirback.co.uk/Bn1/fre.php
|
8.2 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45592 |
2021-04-30 18:06
|
 templex.exe c37d480d603a248b0e230a1c15590266
SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
12.0 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45593 |
2021-04-30 18:03
|
 in6-4.doc ba4afb8bb89f4a8f103780c416ecdbdd
VBA_macro Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key Downloader |
1
http://84.200.4.102/dwpc.exe
|
1
|
|
|
10.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45594 |
2021-04-30 18:03
|
 vbc.exe 396fedf9bcc0ad02b69510c986131fd2
AsyncRAT backdoor PWS .NET framework Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
12.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45595 |
2021-04-30 18:01
|
 winlog.exe bab5165b972f2416ae964d7b79bd5ecf
Glupteba OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself Windows RCE crashed |
|
|
|
|
3.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45596 |
2021-04-30 18:01
|
 regasm.exe 37207e8bd9430777ab0e27cf4a4fc26a
PWS Loki AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://kushikushi.us/chief/kev/fre.php
|
2
kushikushi.us(185.29.127.141)
185.29.127.141
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45597 |
2021-04-30 17:59
|
 kayx.exe 129e1d37b93430b4bd894b16c53cd6bc
AsyncRAT backdoor AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows crashed |
3
http://www.wirebeevehicles.com/bwk/?EDK8gDR=VOL7UDcQYRljSosxQOYPJG6yJtUQAld58UNriPOjT+IDxU4HyvwawJh1yPzk3AG9OprqJGoe&BZ=E2M4oNPx_Ln
http://www.fragrancecollector.com/bwk/?EDK8gDR=LZ0Uj0vFRx/4vDVTGDC73qa8DXiw0WGVyXki5dqgklz7zfTX+bG4IBE0uelYToudE5/XdoAX&BZ=E2M4oNPx_Ln
https://www.bing.com/
|
7
www.lovenfys.com()
www.wirebeevehicles.com(148.66.138.166)
www.fragrancecollector.com(74.208.236.213)
www.google.com(172.217.174.100)
74.208.236.213 - mailcious
148.66.138.166 - mailcious
172.217.163.228
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
|
|
10.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45598 |
2021-04-30 17:58
|
 s.dot f62c1d955d66e2f33ed7f3abe9a44690
Loki RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
http://107.172.130.145/bh/svch.exe
|
3
meirback.co.uk(104.21.8.2) - mailcious
172.67.156.147 - mailcious
107.172.130.145 - malware
|
12
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://meirback.co.uk/Bn1/fre.php
|
5.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45599 |
2021-04-30 17:56
|
Project Korvus.exe e4cb6177f54802a8eb50817353622056
Ave Maria WARZONE RAT Antivirus OS Processor Check PE File PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName RCE DNS Cryptographic key |
|
2
rosesfn-49817.portmap.host(193.161.193.99)
193.161.193.99 - mailcious
|
1
ET POLICY DNS Query to a Reverse Proxy Service Observed
|
|
10.8 |
|
52 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45600 |
2021-04-30 12:04
|
 RaptoreumDigger.exe ddf9bb04a39bd8b450d6fb90a146df9c
AsyncRAT backdoor PE File OS Processor Check PE64 PDB MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
1.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|