7771 | 2021-04-30 18:01 | regasm.exe | 37207e8bd9430777ab0e27cf4a4fc26a
Tags: PWS Loki AsyncRAT backdoor Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://kushikushi.us/chief/kev/fre.php
Hosts (2): kushikushi.us(185.29.127.141) 185.29.127.141
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.6 | | 11 | ZeroCERT
7772 | 2021-04-30 18:01 | winlog.exe | bab5165b972f2416ae964d7b79bd5ecf
Tags: Glupteba OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed
3.2 | M | 23 | ZeroCERT
7773 | 2021-04-30 18:03 | vbc.exe | 396fedf9bcc0ad02b69510c986131fd2
Tags: AsyncRAT backdoor PWS .NET framework Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS Cryptographic key crashed
12.0 | M | 25 | ZeroCERT
7774 | 2021-04-30 18:03 | in6-4.doc | ba4afb8bb89f4a8f103780c416ecdbdd
Tags: VBA_macro Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key Downloader
URLs (1): http://84.200.4.102/dwpc.exe
Hosts (1):
10.0 | M | 37 | ZeroCERT
7775 | 2021-04-30 18:06 | templex.exe | c37d480d603a248b0e230a1c15590266
Tags: SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
12.0 | | 16 | ZeroCERT
7776 | 2021-04-30 18:08 | svch.exe | 3722c9a2efe69886e53ef37bebcee669
Tags: Loki PE File PE32 DLL OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName Software
URLs (1): http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
Hosts (2): meirback.co.uk(104.21.8.2) - mailcious 172.67.156.147 - mailcious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
Other URLs (1): http://meirback.co.uk/Bn1/fre.php
8.2 | M | 19 | ZeroCERT
7777 | 2021-04-30 18:10 | Szakur.exe | 6293b2f51ac52c926cfc5f87775a21fa
Tags: PWS Loki AsyncRAT backdoor .NET framework AgentTesla DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://209.141.50.70/PV/300/pin.php
Hosts (1):
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
8.0 | M | 32 | ZeroCERT
7778 | 2021-04-30 18:12 | IMG_0540001825.exe | fd0e7153869bad651ae4ae4f1dbef3da
Tags: AsyncRAT backdoor AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware malicious URLs Browser ComputerName crashed
Hosts (1):
3.0 | M | 35 | ZeroCERT
7779 | 2021-04-30 18:14 | vbc.exe | 877d8424f6d09301998cf3840c42dcb9
Tags: AsyncRAT backdoor Malicious Library .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW Windows ComputerName Cryptographic key
2.4 | | 13 | ZeroCERT
7780 | 2021-05-01 08:53 | catalog-1539950969.xlsm | fbd50cca96787817cc8ec7c5895da104
Tags: VirusTotal Malware Check memory unpack itself Tofsee crashed
Hosts (4): legalopspr.com(192.185.20.98) - mailcious dentistelmhurstny.com(192.185.5.2) - mailcious 192.185.20.98 - phishing 192.185.5.2 - malware
Signatures (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | | 6 | guest
7781 | 2021-05-01 08:53 | catalog-1536346655.xlsm | 7e36921c2e411e6147b1e12c6e9abd37
Tags: Check memory unpack itself Tofsee DNS crashed
Hosts (4): legalopspr.com(192.185.20.98) - mailcious dentistelmhurstny.com(192.185.5.2) - mailcious 192.185.20.98 - phishing 192.185.5.2 - malware
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.4 | | | guest
7782 | 2021-05-01 08:55 | catalog-1539992454.xlsm | 410e5e1cf304e1801620b3f27b078fbf
Tags: VirusTotal Malware Check memory unpack itself Tofsee crashed
Hosts (4): legalopspr.com(192.185.20.98) - mailcious dentistelmhurstny.com(192.185.5.2) - mailcious 192.185.20.98 - phishing 192.185.5.2 - malware
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.2 | | 6 | guest
7783 | 2021-05-01 08:56 | catalog-1540397044.xlsm | 04de5ae69091df8ce43365a05e19765b
Tags: VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
Hosts (4): legalopspr.com(192.185.20.98) - mailcious dentistelmhurstny.com(192.185.5.2) - mailcious 192.185.20.98 - phishing 192.185.5.2 - malware
Signatures (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | | 6 | guest
7784 | 2021-05-01 08:58 | catalog-1545817548.xlsm | 93918297824a5244fb9bf405e3879ef4
Tags: VirusTotal Malware unpack itself Tofsee DNS
Hosts (4): legalopspr.com(192.185.20.98) - mailcious dentistelmhurstny.com(192.185.5.2) - mailcious 192.185.20.98 - phishing 192.185.5.2 - malware
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.4 | | 6 | guest
7785 | 2021-05-01 09:16 | catalog-1546008837.xlsm | 37b83bacfc6b313270f925e32e5fde4d
Tags: VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
Hosts (4): legalopspr.com(192.185.20.98) - mailcious dentistelmhurstny.com(192.185.5.2) - mailcious 192.185.20.98 - phishing 192.185.5.2 - malware
Signatures (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | | 6 | guest