| 8101 |
2023-10-02 08:49
|
 chinazx.exe 9d5e7753334bb508fb29a34122099524
LokiBot UPX .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://china.dhabigroup.top/_errorpages/china/five/fre.php
|
2
china.dhabigroup.top(172.67.132.61)
172.67.132.61
|
9
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
14.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8102 |
2023-10-02 08:47
|
1E.pdf.lnk 9d539da1e51f4527f812b0a79c7bd6bc
Generic Malware AntiDebug AntiVM Lnk Format GIF Format Malware Code Injection Malicious Traffic Check memory Creates shortcut suspicious process WriteConsoleW DNS crashed |
1
http://155.138.160.67/fYYQ0/1J
|
1
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
3.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8103 |
2023-10-02 08:44
|
 Rules.doc 316e3ee9229e0b06a6a7b9bf890bdbda
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB crashed |
|
|
|
|
2.0 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8104 |
2023-10-02 08:43
|
SHV.pdf.lnk 6474f6c0ce3a9c295c45a612d40d4d7e
Generic Malware AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware Code Injection Malicious Traffic Check memory Creates shortcut unpack itself suspicious process WriteConsoleW DNS crashed |
1
http://155.138.164.116/RfOhPtl/JaZ
|
1
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
5.0 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8105 |
2023-10-02 08:42
|
 ed1.exe d1906fd8d9e6b18ee8a134e81982e23a
RedLine stealer Generic Malware UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
http://162.244.93.4/~rubin/redlol.exe
|
2
193.58.147.147
162.244.93.4 - malware
|
10
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
14.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8106 |
2023-10-02 08:41
|
 8742db7e5aaa5b29b16efd1396c7a2... 8742db7e5aaa5b29b16efd1396c7a273
PE File PE32 .NET EXE VirusTotal Malware Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
pt.textbin.net(148.72.177.212)
148.72.177.212 - mailcious
121.254.136.18
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8107 |
2023-10-02 08:41
|
 afkjo.txt.exe fface24ac296a898cca3f46bc0abcd58
Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check Check memory unpack itself Remote Code Execution crashed |
|
|
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8108 |
2023-10-02 08:39
|
 Wemhwwlidxivdd.scr af833c8bae12203ce03858314816a871
Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware RWX flags setting unpack itself Tofsee Interception crashed |
|
2
onedrive.live.com(13.107.42.13) - mailcious
13.107.42.13 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8109 |
2023-10-02 08:38
|
afkjo.vbs ace68031816b590f740f60db507faa88
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/afkjo.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.32.56.80
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8110 |
2023-10-02 08:38
|
goatedinvagina.vbs 312944bf58416a6acb26529b860332e9
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/apamaaktivozebas364.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.33 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8111 |
2023-10-02 08:37
|
 lu47821.txt.exe ed55b32151792a117b9c9bfe439734cc
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(173.231.16.77)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8112 |
2023-10-02 08:33
|
ngtow.vbs a09d3cecc62af216cb921bbfc0ff19e3
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/ngtw.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8113 |
2023-10-02 08:33
|
ndert.vbs 257a418a423d9f27a2e40b896651bd3a
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/nde.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.67.53.27
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8114 |
2023-10-02 08:32
|
LUG.vbs f82f969d6d77eb0a86acc15645eb66c8
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://94.156.161.167/tl/lu47821.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.67.53.17
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8115 |
2023-10-01 17:21
|
smito.vbs 59680b2a16554cb985039efea24eda81
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/smit.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.67.53.17
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|