| 7786 |
2021-05-01 09:17
|
 catalog-1546823173.xlsm 150432fc909c60362eda2dcc1a0d1140
VirusTotal Malware Check memory unpack itself Tofsee crashed |
|
4
legalopspr.com(192.185.20.98) - mailcious
dentistelmhurstny.com(192.185.5.2) - mailcious
192.185.20.98 - phishing
192.185.5.2 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
|
6 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7787 |
2021-05-01 09:18
|
 catalog-1546258442.xlsm 23fa95e52e98c3f1b25c0f2aa1d0ac16
VirusTotal Malware Check memory unpack itself Tofsee DNS crashed |
|
4
legalopspr.com(192.185.20.98) - mailcious
dentistelmhurstny.com(192.185.5.2) - mailcious
192.185.20.98 - phishing
192.185.5.2 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
5 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7788 |
2021-05-01 09:20
|
 catalog-1539992454.xlsm 410e5e1cf304e1801620b3f27b078fbf
VirusTotal Malware Check memory unpack itself Tofsee DNS crashed |
|
4
legalopspr.com(192.185.20.98) - mailcious
dentistelmhurstny.com(192.185.5.2) - mailcious
192.185.20.98 - phishing
192.185.5.2 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
6 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7789 |
2021-05-01 09:29
|
 ds2.exe 3cdb00a25552429b06fb3be209614149
PWS .NET framework Malicious Packer Antivirus AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
|
|
|
|
10.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7790 |
2021-05-01 09:29
|
 ds1.exe 5af92f78e6b00eff95b14018a5dda8fc
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself DNS |
|
|
|
|
8.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7791 |
2021-05-01 09:31
|
 ................................. 99c2fe84cae1eebcd17075b2e2db2d96
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://198.46.132.163/w/vbc.exe
|
1
198.46.132.163 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.8 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7792 |
2021-05-01 09:32
|
 vbc.exe 1d0d4b1031abf4a7e6da58d81bc98d6b
PE File PE32 VirusTotal Malware Buffer PE buffers extracted RWX flags setting unpack itself Remote Code Execution DNS crashed |
|
|
|
|
4.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7793 |
2021-05-01 09:34
|
 regasm.dot 12bb879b0c7646fcd44b80e19c16d158
RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit Trojan DNS crashed |
2
http://amrp.tw/kayo/gate.php - rule_id: 1177
http://107.173.219.80/prf/regasm.exe
|
3
amrp.tw(35.247.234.230) - mailcious
35.247.234.230 - mailcious
107.173.219.80 - malware
|
13
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET INFO Executable Download from dotted-quad Host
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://amrp.tw/kayo/gate.php
|
5.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7794 |
2021-05-01 09:34
|
 regasm.exe 16b0a44545b16aea4333dc824ab02199
PWS Loki .NET framework Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://amrp.tw/kayo/gate.php - rule_id: 1177
|
2
amrp.tw(35.247.234.230) - mailcious
35.247.234.230 - mailcious
|
8
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://amrp.tw/kayo/gate.php
|
13.6 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7795 |
2021-05-01 09:36
|
 mena.exe d20e703cb462af7eb09f6d0010e09e71
AsyncRAT backdoor Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
10.2 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7796 |
2021-05-01 09:37
|
 ellawealthx.exe c433ce03b07fac08216a58911f927365
AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
|
|
|
11.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7797 |
2021-05-01 09:38
|
 ac.exe 6a61a028d6282029c5899a3ffcc84e60
PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
3
icacxndo.ac.ug() - suspicious
icando.ug(194.5.98.107) - suspicious
194.5.98.107
|
|
|
11.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7798 |
2021-05-01 09:40
|
 azflkjgfkldsad.exe eb6c0ff23c01dd3528789c8142890547
PWS Loki .NET framework Gen1 Malicious Packer DNS Socket HTTP KeyLogger Http API Internet API ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check ENERGETIC BEAR VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs Windows ComputerName DNS |
8
http://185.215.113.77/ozflkjgfkldsad.exe
http://macakslcaq.ug/index.php
http://malcacnba.ac.ug/freebl3.dll
http://malcacnba.ac.ug/mozglue.dll
http://malcacnba.ac.ug/softokn3.dll
http://malcacnba.ac.ug/msvcp140.dll
http://malcacnba.ac.ug/nss3.dll
http://malcacnba.ac.ug/sqlite3.dll
|
3
macakslcaq.ug(185.215.113.77) - malware
malcacnba.ac.ug(185.215.113.77)
185.215.113.77 - malware
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.8 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7799 |
2021-05-01 09:40
|
 Oijhsqdo.exe 5e947ca9bbb479131f613b845c742afb
AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware malicious URLs ComputerName DNS |
|
1
203.159.80.206 - mailcious
|
|
|
3.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7800 |
2021-05-01 09:44
|
 AazrkIaOnf.dll 4ea2c49920dfc1dbcc1ffb5a7300c441
PE64 DLL OS Processor Check PE File VirusTotal Malware Checks debugger crashed |
|
|
|
|
1.8 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|