| 7651 |
2021-04-28 09:44
|
reg.dot dbd4eec520900e9ae109ee7a1ab2494b
LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit Trojan DNS crashed Downloader |
2
http://amrp.tw/kayo/gate.php - rule_id: 1177
http://amrp.tw/kayo/gate.php
|
3
amrp.tw(35.247.234.230) - mailcious
35.247.234.230 - mailcious
107.173.219.80 - malware
|
14
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://amrp.tw/kayo/gate.php
|
5.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7652 |
2021-04-28 09:44
|
presentation.dll 3bbac698f5c61fdd41a04d6b47d46b5c
VirusTotal Malware PDB MachineGuid unpack itself suspicious process WriteConsoleW ComputerName DNS |
1
http://app3.maintorna.com/G30qB58Kk2/BU_2BdgootvFojVON/GZxWNJv1w2ZM/4TW3i3gbDXc/os7U_2B8OYn6Dx/FEJ4_2BXEIYp_2BEtAMOP/FkcnRwmFEGGLN6fE/En2P_2FLKoUyhE5/TcKe5GQI9jDgWmXX7z/9599_2BX4/OH7farLhbSxl3_2BzF7h/akWBEFH1XsZFliYBlra/6GWzvwhnXBMUJdDpd9lvat/nm8MP0jcJ6aC8/MERMX3tw/AT58JGbkfHN7cwZMJmYhvz9/RfVzMTVDXH/Gu_2FcyyAGu1Hwffc/7P_2BbsrgTm0/byY8mc1tE0Q/LLbpnzIiY_2FqI/X3m2IGAM39NOMPW7DXGQM/EAgQMq3
|
2
app3.maintorna.com(34.73.201.12)
34.73.201.12
|
1
SURICATA HTTP unable to match response to request
|
|
3.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7653 |
2021-04-28 09:47
|
-....-.-.......dot 1d32e49469b4dc0cd7f5608fc668ac46
Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://192.3.22.5/ch/vbc.exe
|
2
192.3.22.5 - mailcious
194.5.98.208
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.2 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7654 |
2021-04-28 09:47
|
 vbc.exe ea4f3cbb2f990be8628145b8e7970880
FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself |
4
http://www.sparetimr.net/pmc/?Ez=AlQ1RzJ/kwnlpQLinP/2GByIkuZWaj6fbRJnek0eZ1YVl3+ZWM7od8C6qhD96Nb7SsHk40GT&lhud=Txol_2I
http://www.rwproducedeliveryknoxville.com/pmc/?Ez=mnj0FNt3a7nl1Ql0YoriOJf4cAinzVMKSi3j+C+aJnvhp8rA6ZNo2qczZQeE2eLS4QZ4NBwe&lhud=Txol_2I
http://www.cheikh-faye.com/pmc/?Ez=45Jbv0zHXhCFcWB5cyZRlvCJJu0mHxT7nLQ17GVtdzGeB18Y8Ww2I3k3rk2swPMbwEwxbWWO&lhud=Txol_2I
http://www.theaccountableteamscoach.com/pmc/?Ez=gVzqDSSmhDwCcbrvrqFyqNa496pKegJJtCWYCwkmBn7L/f0dBhMWKcgRHIa8WjOwOWR88Fy0&lhud=Txol_2I
|
9
www.sparetimr.net(198.54.117.211)
www.cheikh-faye.com(154.86.221.17)
www.theaccountableteamscoach.com(34.102.136.180)
www.abbbbha13.art()
www.rwproducedeliveryknoxville.com(198.49.23.145)
154.86.221.17
198.185.159.144 - mailcious
34.102.136.180 - mailcious
198.54.117.210 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.6 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7655 |
2021-04-28 09:49
|
svch.exe 20f6c10325735459625ad37b0cfea696
VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
14.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7656 |
2021-04-28 09:49
|
cc.dot c10fba3ded1f5c313d83ac9f7ff82961
FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
5
http://www.adecquo.com/pmc/?RRH=vjDla05s3BwYir9AIyM9qtJMEH6ykGoQMvqSGth8Nv/9Pw1B8DxUB3DqZFlnRD+swTMkapVO&rVBxDv=S0Ghq4
http://23.95.122.25/cc/vbc.exe
http://www.coolblue.digital/pmc/?RRH=vUAXos/W3FKdVA5hdlCIKF5pzGKq7f7QtJqJhVwRzw7HIwgr+5PWnKVzXZj3kVyxMQr8Z77l&rVBxDv=S0Ghq4
http://www.15slotozlo.site/pmc/?RRH=JFva54IOlKVnlpYoc1RFuL3mKqtDw0bOy0bUZ/qRd+Wy0jUa0JT0k3ufM/C3GMX4A5VkykN2&rVBxDv=S0Ghq4
http://www.zuisyoraku.com/pmc/?RRH=4l6fyKTFHDaHe1GcRTEUPSwbRJmK3jvlIAQWbuZctk+ctcpozhtelOPFUCnZPaeJbIh2wtV5&rVBxDv=S0Ghq4
|
9
www.coolblue.digital(198.54.117.211)
www.15slotozlo.site(172.67.178.12)
www.zuisyoraku.com(183.90.250.91)
www.adecquo.com(154.81.19.216)
23.95.122.25 - mailcious
198.54.117.212 - mailcious
104.21.40.63
154.81.19.216
183.90.250.91
|
7
ET MALWARE FormBook CnC Checkin (GET)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7657 |
2021-04-28 09:51
|
vbc.exe a931122aaa867ed9767d67823cb8e6a8
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
5.0 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7658 |
2021-04-28 09:52
|
presentation.jar 33b584062b5559c747cc526ced0c33dd
VirusTotal Malware Check memory heapspray unpack itself Java DNS |
|
|
|
|
2.6 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7659 |
2021-04-28 09:54
|
uDUxwumDrV.dll ee03a7aafeaa2e4b937066e5efe8016f
VirusTotal Malware Checks debugger DNS crashed |
|
|
|
|
2.6 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7660 |
2021-04-28 09:54
|
vbc.exe c78b71720eb0358b7d47ad306eb5e900
VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
14.8 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7661 |
2021-04-28 09:56
|
vbc.dot 6458c805d50cf972547cc610807a5076
LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit Trojan DNS crashed Downloader |
2
http://eyecos.ga/chang/gate.php
http://107.172.130.145/sa/vbc.exe
|
3
eyecos.ga(35.247.234.230) - mailcious
107.172.130.145 - malware
35.247.234.230 - mailcious
|
16
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7662 |
2021-04-28 09:57
|
 vbc.exe cd4a716b2886b9d6609b4e00c97964f0
VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
|
|
|
4.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7663 |
2021-04-28 10:00
|
c.dot 8c953304a94209a33f4b63d71605d816
FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
24
http://www.forrealmodels.com/qjnt/ - rule_id: 872
http://www.warriornotesgolbalprayer.com/qjnt/?5j=NZEjDeTbQWI4t+jLVj6ckcPfHkTvqBwW1gJjjcociDWZiHYNHkrr42q5Qu5MGWq/DbzHTKzP&vTdDF=LJBx - rule_id: 787
http://www.buckhead-meat.com/qjnt/ - rule_id: 871
http://www.forrealmodels.com/qjnt/?5j=/8UA4kKoPYWid4Wy4SiZil89tJjdT7ic7hTrtZ5fAe41kMJ49sOOTLg7IOgO80aghp25g4RJ&vTdDF=LJBx - rule_id: 872
http://www.rivcodevelopment.com/qjnt/?5j=8NBAzZEp5T2EoF9wMDQ69YhjG3fhuSs/Y3qkwEtmFVQU29n+5biQRN67qVAa42W8gpsiaP+Q&vTdDF=LJBx - rule_id: 798
http://www.xn--jpr220deud640b.com/qjnt/
http://www.frotaconceitos.com/qjnt/?5j=SklQbBNIGDp60jmvc81YaO0+TakJjqFF7kfS9N7pp+kjm4De+jDioVGollGezL8QEhW81teu&vTdDF=LJBx - rule_id: 878
http://www.graniteinaminute.com/qjnt/ - rule_id: 875
http://www.relaxxation.com/qjnt/ - rule_id: 880
http://www.startrekepisode.com/qjnt/ - rule_id: 786
http://www.buckhead-meat.com/qjnt/?5j=/eERDYDYg8Pjpk/w148+Jv3JxRRGqAllXY9DrwYjMBHW71fIc6WywKuPNHthuS6BfUUI+/zo&vTdDF=LJBx - rule_id: 871
http://www.thebluefishhotel.net/qjnt/
http://www.relaxxation.com/qjnt/?5j=mxaFhsYpdbWAcRjreClqDIL9OHFKPqnw/WaD4R8v0Y7MiHTOLhCg3x68N9MAlpNWynvCyQkZ&vTdDF=LJBx - rule_id: 880
http://www.gailrichardson.com/qjnt/?5j=cQpYuVHVGObCoOy3oJObHgw0bCNAclVj5U/7sRdD/qRSo/tXEB2YKGAusTd/rcUBeGIQZ61D&vTdDF=LJBx - rule_id: 797
http://www.akerii.com/qjnt/?5j=kSZZl6jWs3Sc3KX4sFYto2o1JEu4hGi+VMhwGPIJktQ5K/I5FgrvGI5WQKi2EBcGxzW2rAmT&vTdDF=LJBx
http://www.rivcodevelopment.com/qjnt/ - rule_id: 798
http://www.warriornotesgolbalprayer.com/qjnt/ - rule_id: 787
http://www.thebluefishhotel.net/qjnt/?5j=QMUGPevhnI2Yp74JHEVzH6HtR6H2zoEQzpkVeMV2m2AjEhovI/wxUE2mGeKCbnOUy7J9Z//U&vTdDF=LJBx
http://www.akerii.com/qjnt/
http://www.frotaconceitos.com/qjnt/ - rule_id: 878
http://www.gailrichardson.com/qjnt/ - rule_id: 797
http://www.startrekepisode.com/qjnt/?5j=5+BnPckFTRrJGxaMVUv0BF1FKPa8eJDIfTmAxOSqxwEOI5f2tl64h5cJxkg2lQOsq3TBX7Br&vTdDF=LJBx - rule_id: 786
http://www.xn--jpr220deud640b.com/qjnt/?5j=jCTS+G1v0GO0ffaNHB4bN1x+uxcHkkGvZyQiwKE+/XJ/MeCy3/lhGRbiqne2xOkH/Blgq97x&vTdDF=LJBx
http://www.graniteinaminute.com/qjnt/?5j=Kc40ChrvGMsz5sDUgJdI1Tm80ndRwqOobrZe5CnH/KVtq0OHhWuXcnL+C6x+hGBLT8rXGqGg&vTdDF=LJBx - rule_id: 875
|
24
www.forrealmodels.com(188.93.150.60)
www.frotaconceitos.com(23.227.38.74)
www.pds-navi.com()
www.bhcsva.com() - mailcious
www.akerii.com(72.251.224.90)
www.startrekepisode.com(34.102.136.180)
www.thebluefishhotel.net(198.185.159.145)
www.xn--jpr220deud640b.com(129.226.160.219)
www.buckhead-meat.com(34.102.136.180)
www.relaxxation.com(52.58.78.16)
www.halostreams.net() - mailcious
www.rivcodevelopment.com(182.50.132.242)
www.graniteinaminute.com(182.50.132.242)
www.gailrichardson.com(52.58.78.16)
www.warriornotesgolbalprayer.com(34.102.136.180)
23.95.122.25 - mailcious
188.93.150.60 - mailcious
72.251.224.90
129.226.160.219
52.58.78.16 - mailcious
34.102.136.180 - mailcious
182.50.132.242 - mailcious
23.227.38.74 - mailcious
198.185.159.145 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
18
http://www.forrealmodels.com/qjnt/
http://www.warriornotesgolbalprayer.com/qjnt/
http://www.buckhead-meat.com/qjnt/
http://www.forrealmodels.com/qjnt/
http://www.rivcodevelopment.com/qjnt/
http://www.frotaconceitos.com/qjnt/
http://www.graniteinaminute.com/qjnt/
http://www.relaxxation.com/qjnt/
http://www.startrekepisode.com/qjnt/
http://www.buckhead-meat.com/qjnt/
http://www.relaxxation.com/qjnt/
http://www.gailrichardson.com/qjnt/
http://www.rivcodevelopment.com/qjnt/
http://www.warriornotesgolbalprayer.com/qjnt/
http://www.frotaconceitos.com/qjnt/
http://www.gailrichardson.com/qjnt/
http://www.startrekepisode.com/qjnt/
http://www.graniteinaminute.com/qjnt/
|
4.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7664 |
2021-04-28 10:01
|
uDUxwumDrV.dll ee03a7aafeaa2e4b937066e5efe8016f
VirusTotal Malware Checks debugger DNS crashed |
|
|
|
|
2.6 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7665 |
2021-04-28 10:05
|
mazx.exe 342d651660cf2b0587d25f343aff786f
packer Cuckoo Rule KeyBase Keylogger OSCheck File format AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html - rule_id: 1176
|
2
ldvamlwhdpetnyn.ml(172.67.208.174) - mailcious
104.21.85.176 - mailcious
|
1
ET INFO DNS Query for Suspicious .ml Domain
|
2
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
|
13.2 |
M |
19 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|