45721 | 2021-04-28 09:28
reg.exe 4223fe49bf944c3dcc33270c0ddf6033 PWS .NET framework Loki Malicious Library AsyncRAT backdoor Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities malicious URLs installed browsers check Windows Browser Email ComputerName Trojan Cryptographic key Software
URLs (1): http://amrp.tw/kayo/gate.php
Hosts (2): amrp.tw(35.247.234.230) - mailcious 35.247.234.230 - mailcious
Signatures (8): ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
14.2 | 19 | ZeroCERT
45722 | 2021-04-28 09:25
zabax.exe 5ad242aab1bad0f0128498aee4878c2f PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
7.8 | 26 | ZeroCERT
45723 | 2021-04-28 09:25
tret.exe ee1db7f0ad39df1af6eb5166447b1471 VirusTotal Malware unpack itself RCE DNS crashed
2.8 | 22 | ZeroCERT
45724 | 2021-04-28 09:13
vbc.exe 7dcb1f913eec25bc07aced21d9c1dc5d PWS .NET framework Malicious Library AsyncRAT backdoor VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
11.8 | M | 29 | ZeroCERT
45725 | 2021-04-28 07:42
195145.exe 5b5a730628dc9eba2c12530d225c2f70 VirusTotal Malware Malicious Traffic RWX flags setting suspicious process ComputerName DNS
URLs (2): http://dimentos.com/bg http://dimentos.com/btn_bg
Hosts (1):
4.4 | 10 | ZeroCERT
45726 | 2021-04-27 17:39
regasm.exe 4d1a1e438fee82fce40619bbb27f4209 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - mailcious 185.209.1.144 - mailcious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://superomline.com/chief/dv2/mcee/fre.php
8.6 | M | 35 | r0d
45727 | 2021-04-27 17:30
regasm.exe 4d1a1e438fee82fce40619bbb27f4209 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - mailcious 185.209.1.144 - mailcious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://superomline.com/chief/dv2/mcee/fre.php
8.6 | M | 35 | r0d
45728 | 2021-04-27 17:19
regasm.exe 4d1a1e438fee82fce40619bbb27f4209 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - mailcious 185.209.1.144 - mailcious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
1 | http://superomline.com/chief/dv2/mcee/fre.php
8.6 | M | 35 | r0d
45729 | 2021-04-27 17:15
regasm.exe 4d1a1e438fee82fce40619bbb27f4209 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://superomline.com/chief/dv2/mcee/fre.php - rule_id: 1165
Hosts (2): superomline.com(185.209.1.144) - mailcious 185.209.1.144 - mailcious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://superomline.com/chief/dv2/mcee/fre.php
8.6 | M | 35 | r0d
45730 | 2021-04-27 16:48
test.exe d2be9aab83d330520dbd61c621ffede3 PWS .NET framework Malicious Library AsyncRAT backdoor Dridex TrickBot VirusTotal Malware Kovter DNS
Hosts (2): 2.tcp.ngrok.io(52.14.18.129) - mailcious 3.131.207.170
Signatures (3): ET POLICY DNS Query to a *.ngrok domain (ngrok.io) SURICATA Applayer Mismatch protocol both directions ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
1.2 | M | 49 | r0d
45731 | 2021-04-27 16:46
http://union.jctrip.cn/wp-incl... 8d7c388e144427e46654e1f1d75de590 AgentTesla Vulnerability VirusTotal Malware MachineGuid Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (2): https://unimedunihealth.com/product/edysta/ https://lopika.buzz/?u=k8pp605&o=c9ewtnr&t=redn
Hosts (10): astrologiaexistencial.com(31.22.4.229) - malware www.dirgantaratuba.com(103.247.9.184) - mailcious lopika.buzz(5.8.47.52) union.jctrip.cn(8.131.69.203) - mailcious unimedunihealth.com(104.21.60.205) - mailcious 5.8.47.52 8.131.69.203 31.22.4.229 103.247.9.184 172.67.201.73
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.2 | M | guest
45732 | 2021-04-27 16:45
https://xixaoclothing.com/wp-a... 8d7c388e144427e46654e1f1d75de590 AgentTesla VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (2): xixaoclothing.com(202.43.110.171) - mailcious 202.43.110.171 - mailcious
Signatures (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | guest
45733 | 2021-04-27 13:49
bef48b02864548b6b3f61136d7c2d0... e30f1b09ee4d0c8975c75f8a6f5ea0c5 VirusTotal Malware
1.0 | M | 35 | ZeroCERT
45734 | 2021-04-27 12:45
bef48b02864548b6b3f61136d7c2d0... e30f1b09ee4d0c8975c75f8a6f5ea0c5 VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName
4.8 | 35 | ZeroCERT
45735 | 2021-04-27 12:42
.......dot 646ddc4512acd5da2a2126bbc8440480 Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed
URLs (1): http://107.173.191.48/deck/chrome.exe
Hosts (1):
Signatures (5): ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | 30 | ZeroCERT