45616 | 2021-04-30 09:11
File: v.dot
MD5: c9c4c73fb74dc85539d7cc51b2d2b9c6
Tags: AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit Trojan DNS crashed Downloader
URLs (2):
  http://107.172.130.145/bh/vbc.exe
  http://eyecos.ga/chang/gate.php - rule_id: 1185
Hosts (3):
  eyecos.ga(35.247.234.230) - malicious
  107.172.130.145 - malware
  35.247.234.230 - malicious
Signatures (16):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://eyecos.ga/chang/gate.php
Score 5.2 | M | 25 | ZeroCERT
45617 | 2021-04-29 22:34
File: IMG_8401_302_1076.exe
MD5: ef8bf0e0c08418ed74b33120185fd044
Tags: AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (12):
  http://205.185.120.57/3.jpg
  http://205.185.120.57/1.jpg
  http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
  http://205.185.120.57/2.jpg
  http://205.185.120.57/6.jpg
  http://205.185.120.57/4.jpg
  http://205.185.120.57/7.jpg
  http://205.185.120.57/main.php
  http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1619702178&mv=m&mvi=2&pl=18&shardbypass=yes
  http://205.185.120.57/5.jpg
  http://205.185.120.57/
  https://update.googleapis.com/service/update2?cup2key=10:14166197&cup2hreq=20c1416b2a2f82aac11ca40fe5c42a5b84b2cf5a3833cc39ca852275cd0d3e53
Hosts (4):
  r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
  205.185.120.57
  211.114.66.77
  142.250.199.67
Signatures (6):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score 17.6 | M | 29 | ZeroCERT
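The LokiBot signatures on record 45616 (POST to gate.php with no Referer, the Charon/Inferno User-Agent, POST to a .ga domain, a PE served from a bare IP) and the Vidar/Oski signatures on record 45617 (EXE served as image/jpeg, data POST to a .jpg path, zipped Passwords.txt in an outbound POST) are all conditions that can be checked on a single HTTP transaction. The following is an added example, not code from this sandbox page or from the Emerging Threats ruleset: it runs those conditions over constructed transactions whose hosts and paths mirror the two records above. The record layout, the sample bodies and the "terse path" regular expression are assumptions made for illustration.

```python
# Added example: rule logic behind the LokiBot / Vidar-Oski HTTP signatures
# listed on this page, run over constructed transactions.  Not code from the
# sandbox or from the Emerging Threats ruleset; the record layout, the sample
# transactions and the "terse path" regex are assumptions made for illustration.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class HttpTx:
    method: str
    url: str
    request_headers: Dict[str, str] = field(default_factory=dict)
    request_body: bytes = b""
    response_content_type: str = ""
    response_body: bytes = b""


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_dotted_quad(host: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


# Short all-alphanumeric path ending in .exe, e.g. /bh/vbc.exe (assumed
# approximation of the "terse alphanumeric executable downloader" idea).
TERSE_EXE_PATH = re.compile(r"^(?:/[a-z0-9]{1,8}){1,2}/[a-z0-9]{1,8}\.exe$", re.I)


def classify(tx: HttpTx) -> List[str]:
    """Return the names of the patterns this transaction matches."""
    findings: List[str] = []
    parts = urlsplit(tx.url)
    host = (parts.hostname or "").lower()
    path = parts.path
    method = tx.method.upper()
    ua = (_header(tx.request_headers, "User-Agent") or "").lower()
    referer = _header(tx.request_headers, "Referer")

    # LokiBot check-in: POST to gate.php, no Referer, "Charon"/"Inferno" UA.
    if method == "POST" and path.lower().endswith("gate.php") and referer is None:
        findings.append("POST to gate.php with no Referer")
        if "charon" in ua and "inferno" in ua:
            findings.append("LokiBot User-Agent (Charon/Inferno)")
    if method == "POST" and host.endswith(".ga"):
        findings.append("HTTP POST to suspicious .ga domain")

    # Vidar/Oski-style exfil: POST against an image path, zipped Passwords.txt.
    if method == "POST" and path.lower().endswith(".jpg"):
        findings.append("Data POST to an image file (jpg)")
    if (method == "POST" and tx.request_body.startswith(b"PK\x03\x04")
            and b"Passwords.txt" in tx.request_body):
        findings.append("Zipped Passwords.txt in outbound POST")

    # Response side: a PE (MZ) body from a bare IP, or one disguised as a JPEG.
    is_pe = tx.response_body.startswith(b"MZ")
    if is_pe and _is_dotted_quad(host):
        findings.append("Dotted-quad host served MZ response")
    if is_pe and tx.response_content_type.lower().startswith("image/jpeg"):
        findings.append("EXE served with Content-Type image/jpeg")
    if _is_dotted_quad(host) and TERSE_EXE_PATH.match(path):
        findings.append("Terse alphanumeric .exe download from dotted-quad host")
    return findings


# Constructed transactions (not captured traffic): hosts and paths mirror the
# records above, request/response bodies are synthetic.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_TXS = [
    HttpTx("GET", "http://107.172.130.145/bh/vbc.exe",
           {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0)"},
           response_content_type="application/octet-stream", response_body=PE_STUB),
    HttpTx("POST", "http://eyecos.ga/chang/gate.php",
           {"User-Agent": "Mozilla/4.08 (Charon; Inferno)"},
           request_body=b"\x12\x00\x27\x00", response_content_type="text/html",
           response_body=b"404 Not Found"),
    HttpTx("GET", "http://205.185.120.57/1.jpg", {"User-Agent": "Mozilla/5.0"},
           response_content_type="image/jpeg", response_body=PE_STUB),
    HttpTx("POST", "http://205.185.120.57/main.php", {"User-Agent": "Mozilla/5.0"},
           request_body=b"PK\x03\x04" + b"\x00" * 26 + b"Passwords.txt",
           response_content_type="text/html", response_body=b"ok"),
    HttpTx("GET", "https://update.googleapis.com/service/update2",
           {"User-Agent": "Google Update/1.3.36.82",
            "Referer": "https://update.googleapis.com/"},
           response_content_type="text/xml", response_body=b"<?xml"),
]


def run_samples() -> Dict[str, List[str]]:
    """Map each sample URL to its findings (empty list = nothing matched)."""
    return {tx.url: classify(tx) for tx in SAMPLE_TXS}


if __name__ == "__main__":
    for url, hits in run_samples().items():
        print(url, "->", hits or "clean")
```

The Google Update transaction is included as the negative case: it downloads a PE too, but from a hostname rather than a bare IP and with a Referer set, so none of the conditions fire. The MZ-under-image/jpeg check is the one worth keeping in production, since a Content-Type that disagrees with the first two bytes of the body is cheap to test and hard for the server side to avoid.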
45618 | 2021-04-29 22:28
File: .......dot
MD5: befeeec69e0be81ba319c172e8f266d5
Tags: AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit Trojan DNS crashed Downloader
URLs (4):
  http://amrp.tw/chud/gate.php
  http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
  https://update.googleapis.com/service/update2
  https://update.googleapis.com/service/update2?cup2key=10:933805276&cup2hreq=bc5bad2e07a349d21221961523b8f1e1a86b356488e544d0a74df69dc039814c
Hosts (5):
  edgedl.me.gvt1.com(34.104.35.123)
  amrp.tw(35.247.234.230) - malicious
  34.104.35.123
  35.247.234.230 - malicious
  103.147.184.209 - malware
Signatures (18):
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score 5.0 | M | 27 | ZeroCERT
45619 | 2021-04-29 22:28
File: download.blog
MD5: 509ddf0357ba0d4a11f09629e068f9f1
Tags: PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder sandbox evasion
Score 3.2 | M | 41 | ZeroCERT
45620 | 2021-04-29 22:26
File: Cjedeld.exe
MD5: 0c2525c34d612a6e6592c019032850e1
Tags: PWS .NET framework AgentTesla AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(216.146.43.71)
  216.146.43.70 - suspicious
  104.21.19.200
Signatures (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
Score 7.4 | | | ZeroCERT
45621 | 2021-04-29 22:26
File: CleanApex.exe
MD5: c58d5a146655600ac6ecfa5a779b437b
Tags: Gen2 PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Malicious Traffic WMI Creates executable files Windows utilities AppData folder WriteConsoleW Tofsee Ransomware Windows ComputerName DNS
URLs (2):
  http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
  https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b
Hosts (3):
  edgedl.me.gvt1.com(34.104.35.123)
  34.104.35.123
  142.250.199.67
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 7.4 | M | 22 | ZeroCERT
45622 | 2021-04-29 22:23
File: vbc.exe
MD5: 346cf0402aa3f87e686a16da0d73e419
Tags: PE File OS Processor Check PE32 VirusTotal Malware unpack itself
Score 1.8 | M | 29 | ZeroCERT
45623 | 2021-04-29 22:23
File: mena.exe
MD5: 91e4eac5a3c25fa30d7fdce558515975
Tags: PWS .NET framework AsyncRAT backdoor Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows DNS Cryptographic key
Score 3.6 | | 4 | ZeroCERT
45624 | 2021-04-29 22:21
File: Producto.exe
MD5: 964bd83c36b8ec52a37dc9dc4b5a457e
Tags: PWS .NET framework Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed
Score 11.6 | M | 29 | ZeroCERT
45625 | 2021-04-29 22:21
File: download.blog
MD5: 0e65369ce84e7693c3a2bad17fdc1a57
Tags: Gen2 PE File PE32 OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder DNS crashed
Score 3.6 | M | 18 | ZeroCERT
45626 | 2021-04-29 16:23
File: cccc.dot
MD5: a29a9ab928e578957fed4fb8c67b1e4d
Tags: Malware download Vulnerability VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed Downloader
URLs (1):
  http://23.95.122.25/cccc/vbc.exe
Hosts (1):
Signatures (2):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Score 4.4 | M | 31 | 조광섭
45627 | 2021-04-29 16:21
File: IvGRnMiDzgderQQteqNjNgKoIYqaLW...
MD5: e301bc81ee1ef7a1bd3549865719d839
Tags: RTF File doc VirusTotal Malware buffers extracted exploit crash Exploit crashed
Hosts (2):
  idmquick.xyz(45.61.136.72) - malicious
  45.61.136.72 - malicious
Score 3.4 | M | 17 | 조광섭
45628 | 2021-04-29 15:48
File: IvGRnMiDzgderQQteqNjNgKoIYqaLW...
MD5: e301bc81ee1ef7a1bd3549865719d839
Tags: RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit crashed
Hosts (2):
  idmquick.xyz(45.61.136.72) - malicious
  45.61.136.72 - malicious
Score 3.8 | M | 17 | 조광섭
45629 | 2021-04-29 15:44
File: IvGRnMiDzgderQQteqNjNgKoIYqaLW...
MD5: e301bc81ee1ef7a1bd3549865719d839
Tags: RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit crashed
Hosts (2):
  idmquick.xyz(45.61.136.72) - malicious
  45.61.136.72 - malicious
Score 3.8 | M | 17 | 조광섭
45630 | 2021-04-29 10:52
File: Pkstfvgdp.exe
MD5: 13a8ca17d4b77f65052f928f39ef46b8
Tags: AgentTesla AsyncRAT backdoor Gen1 AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Discord Browser Email ComputerName DNS Cryptographic key crashed Password
URLs (11):
  http://5llion.com/5.jpg
  http://5llion.com/main.php
  http://5llion.com/7.jpg
  http://cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
  http://5llion.com/1.jpg
  http://5llion.com/3.jpg
  http://5llion.com/2.jpg
  http://5llion.com/
  http://5llion.com/6.jpg
  http://5llion.com/4.jpg
  https://cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
Hosts (4):
  5llion.com(31.210.20.99)
  cdn.discordapp.com(162.159.135.233) - malware
  31.210.20.99
  162.159.129.233 - malware
Signatures (6):
  ET POLICY Data POST to an image file (jpg)
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET POLICY EXE File Downloaded from Discord
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Score 17.2 | M | 12 | ZeroCERT
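The host and URL lines on every record above share one layout: a hostname with its resolved IP in parentheses or a bare IPv4 address, optionally followed by " - " and a label (malicious, malware, suspicious), and URLs optionally followed by " - rule_id: N". Turning those lines into structured indicators is the first step toward a blocklist. The following is an added example, not the sandbox's own export code: a parser for that layout plus a function that folds the parsed indicators into domain, IP and URL lists. The input lines are copied from records 45616 and 45618, with the label spelled "mailcious" as the raw export writes it; the Ioc layout and the function names are assumptions.

```python
# Added example: parser for the host/URL indicator lines used on this page
# (name(ip) or bare ip, optional " - <label>"; URLs with optional
# " - rule_id: N").  Not the sandbox's own code; the Ioc layout and the
# function names are assumptions.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

HOST_TOKEN = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9.\-]*)(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?$"
)
# Labels seen on the page; the raw export spells "malicious" as "mailcious".
LABELS = {"malicious": "malicious", "mailcious": "malicious",
          "malware": "malware", "suspicious": "suspicious"}


@dataclass
class Ioc:
    value: str
    kind: str                      # "url", "domain" or "ipv4"
    resolved_ip: Optional[str] = None
    label: Optional[str] = None
    rule_id: Optional[str] = None


def _kind(value: str) -> str:
    if value.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        return "domain"


def parse_indicator_line(line: str) -> List[Ioc]:
    """Split one space-separated indicator line into Ioc records."""
    tokens = line.split()
    iocs: List[Ioc] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and iocs and i + 1 < len(tokens):
            nxt = tokens[i + 1]
            if nxt == "rule_id:" and i + 2 < len(tokens):   # "- rule_id: 1185"
                iocs[-1].rule_id = tokens[i + 2]
                i += 3
                continue
            if nxt.lower() in LABELS:                        # "- mailcious"
                iocs[-1].label = LABELS[nxt.lower()]
                i += 2
                continue
            i += 1
            continue
        if tok.startswith(("http://", "https://")):
            iocs.append(Ioc(tok, "url"))
        else:
            m = HOST_TOKEN.match(tok)
            if m:
                name = m.group("name")
                iocs.append(Ioc(name, _kind(name), resolved_ip=m.group("ip")))
        i += 1
    return iocs


def blocklist(iocs: List[Ioc]) -> Dict[str, List[str]]:
    """Collapse parsed IOCs into sorted domain / IP / URL lists."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    urls: Set[str] = set()
    for ioc in iocs:
        if ioc.kind == "url":
            urls.add(ioc.value)
            host = urlsplit(ioc.value).hostname or ""
            if host:
                (ips if _kind(host) == "ipv4" else domains).add(host)
        elif ioc.kind == "ipv4":
            ips.add(ioc.value)
        else:
            domains.add(ioc.value)
        if ioc.resolved_ip:
            ips.add(ioc.resolved_ip)
    return {"domains": sorted(domains), "ips": sorted(ips), "urls": sorted(urls)}


# Lines copied from records 45616 and 45618 above (label spelling as on the raw export).
PAGE_LINES = [
    "http://107.172.130.145/bh/vbc.exe http://eyecos.ga/chang/gate.php - rule_id: 1185",
    "eyecos.ga(35.247.234.230) - mailcious 107.172.130.145 - malware 35.247.234.230 - mailcious",
    "edgedl.me.gvt1.com(34.104.35.123) amrp.tw(35.247.234.230) - mailcious 34.104.35.123 "
    "35.247.234.230 - mailcious 103.147.184.209 - malware",
]


def parse_page_lines() -> List[Ioc]:
    return [ioc for line in PAGE_LINES for ioc in parse_indicator_line(line)]


if __name__ == "__main__":
    parsed = parse_page_lines()
    for ioc in parsed:
        print(ioc)
    print(blocklist(parsed))
```

Note that edgedl.me.gvt1.com and 34.104.35.123 end up in the blocklist alongside the LokiBot C2 because the parser takes every host on the line; the label field is what distinguishes the Google Update infrastructure (no label) from the hosts the sandbox flagged, so filter on `label` before feeding the result to a firewall or DNS sinkhole.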