7786 | 2021-05-01 09:17
File: catalog-1546823173.xlsm (MD5 150432fc909c60362eda2dcc1a0d1140)
Tags: VirusTotal Malware Check memory unpack itself Tofsee crashed
URLs: -
Hosts (4): legalopspr.com(192.185.20.98) - mailcious; dentistelmhurstny.com(192.185.5.2) - mailcious; 192.185.20.98 - phishing; 192.185.5.2 - malware
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs: -
Score: 3.2 | Flag: - | Count: 6 | User: guest
7787 | 2021-05-01 09:18
File: catalog-1546258442.xlsm (MD5 23fa95e52e98c3f1b25c0f2aa1d0ac16)
Tags: VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
URLs: -
Hosts (4): legalopspr.com(192.185.20.98) - mailcious; dentistelmhurstny.com(192.185.5.2) - mailcious; 192.185.20.98 - phishing; 192.185.5.2 - malware
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs: -
Score: 3.8 | Flag: - | Count: 5 | User: guest
7788 | 2021-05-01 09:20
File: catalog-1539992454.xlsm (MD5 410e5e1cf304e1801620b3f27b078fbf)
Tags: VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
URLs: -
Hosts (4): legalopspr.com(192.185.20.98) - mailcious; dentistelmhurstny.com(192.185.5.2) - mailcious; 192.185.20.98 - phishing; 192.185.5.2 - malware
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs: -
Score: 3.8 | Flag: - | Count: 6 | User: guest
7789 | 2021-05-01 09:29
File: ds2.exe (MD5 3cdb00a25552429b06fb3be209614149)
Tags: PWS .NET framework Malicious Packer Antivirus AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
URLs: -
Hosts: -
IDS alerts: -
Flagged URLs: -
Score: 10.0 | Flag: M | Count: 23 | User: ZeroCERT
7790 | 2021-05-01 09:29
File: ds1.exe (MD5 5af92f78e6b00eff95b14018a5dda8fc)
Tags: PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself DNS
URLs: -
Hosts: -
IDS alerts: -
Flagged URLs: -
Score: 8.2 | Flag: M | Count: 25 | User: ZeroCERT
7791 | 2021-05-01 09:31
File: ................................. (MD5 99c2fe84cae1eebcd17075b2e2db2d96)
Tags: RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1): http://198.46.132.163/w/vbc.exe
Hosts (1): 198.46.132.163 - mailcious
IDS alerts (6): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Flagged URLs: -
Score: 4.8 | Flag: M | Count: 23 | User: ZeroCERT
7792 | 2021-05-01 09:32
File: vbc.exe (MD5 1d0d4b1031abf4a7e6da58d81bc98d6b)
Tags: PE File PE32 VirusTotal Malware Buffer PE buffers extracted RWX flags setting unpack itself Remote Code Execution DNS crashed
URLs: -
Hosts: -
IDS alerts: -
Flagged URLs: -
Score: 4.6 | Flag: M | Count: 38 | User: ZeroCERT
7793 | 2021-05-01 09:34
File: regasm.dot (MD5 12bb879b0c7646fcd44b80e19c16d158)
Tags: RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit Trojan DNS crashed
URLs (2): http://amrp.tw/kayo/gate.php - rule_id: 1177; http://107.173.219.80/prf/regasm.exe
Hosts (3): amrp.tw(35.247.234.230) - mailcious; 35.247.234.230 - mailcious; 107.173.219.80 - malware
IDS alerts (13): ET MALWARE Trojan Generic - POST To gate.php with no referer; ET INFO Executable Download from dotted-quad Host; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Flagged URLs (1): http://amrp.tw/kayo/gate.php
Score: 5.2 | Flag: M | Count: 23 | User: ZeroCERT
7794 | 2021-05-01 09:34
File: regasm.exe (MD5 16b0a44545b16aea4333dc824ab02199)
Tags: PWS Loki .NET framework Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software
URLs (1): http://amrp.tw/kayo/gate.php - rule_id: 1177
Hosts (2): amrp.tw(35.247.234.230) - mailcious; 35.247.234.230 - mailcious
IDS alerts (8): ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1): http://amrp.tw/kayo/gate.php
Score: 13.6 | Flag: M | Count: 8 | User: ZeroCERT
7795 | 2021-05-01 09:36
File: mena.exe (MD5 d20e703cb462af7eb09f6d0010e09e71)
Tags: AsyncRAT backdoor Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
URLs: -
Hosts: -
IDS alerts: -
Flagged URLs: -
Score: 10.2 | Flag: - | Count: 14 | User: ZeroCERT
7796 | 2021-05-01 09:37
File: ellawealthx.exe (MD5 c433ce03b07fac08216a58911f927365)
Tags: AsyncRAT backdoor PWS .NET framework Malicious Library Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
URLs: -
Hosts: -
IDS alerts: -
Flagged URLs: -
Score: 11.8 | Flag: M | Count: 29 | User: ZeroCERT
7797 | 2021-05-01 09:38
File: ac.exe (MD5 6a61a028d6282029c5899a3ffcc84e60)
Tags: PWS .NET framework Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
URLs: -
Hosts (3): icacxndo.ac.ug() - suspicious; icando.ug(194.5.98.107) - suspicious; 194.5.98.107
IDS alerts: -
Flagged URLs: -
Score: 11.4 | Flag: - | Count: 17 | User: ZeroCERT
7798 | 2021-05-01 09:40
File: azflkjgfkldsad.exe (MD5 eb6c0ff23c01dd3528789c8142890547)
Tags: PWS Loki .NET framework Gen1 Malicious Packer DNS Socket HTTP KeyLogger Http API Internet API ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check ENERGETIC BEAR VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs Windows ComputerName DNS
URLs (8): http://185.215.113.77/ozflkjgfkldsad.exe; http://macakslcaq.ug/index.php; http://malcacnba.ac.ug/freebl3.dll; http://malcacnba.ac.ug/mozglue.dll; http://malcacnba.ac.ug/softokn3.dll; http://malcacnba.ac.ug/msvcp140.dll; http://malcacnba.ac.ug/nss3.dll; http://malcacnba.ac.ug/sqlite3.dll
Hosts (3): macakslcaq.ug(185.215.113.77) - malware; malcacnba.ac.ug(185.215.113.77); 185.215.113.77 - malware
IDS alerts (5): ET DROP Spamhaus DROP Listed Traffic Inbound group 24; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Flagged URLs: -
Score: 12.8 | Flag: - | Count: 21 | User: ZeroCERT
7799 | 2021-05-01 09:40
File: Oijhsqdo.exe (MD5 5e947ca9bbb479131f613b845c742afb)
Tags: AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware malicious URLs ComputerName DNS
URLs: -
Hosts (1): 203.159.80.206 - mailcious
IDS alerts: -
Flagged URLs: -
Score: 3.4 | Flag: M | Count: 22 | User: ZeroCERT
7800 | 2021-05-01 09:44
File: AazrkIaOnf.dll (MD5 4ea2c49920dfc1dbcc1ffb5a7300c441)
Tags: PE64 DLL OS Processor Check PE File VirusTotal Malware Checks debugger crashed
URLs: -
Hosts: -
IDS alerts: -
Flagged URLs: -
Score: 1.8 | Flag: - | Count: 24 | User: ZeroCERT