| 8551 |
2021-06-04 11:42
|
 file.exe ec250b7fcf58aae6f996e3ad512ac6c8
Generic Malware Malicious Packer Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed |
|
|
|
|
3.2 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8552 |
2021-06-04 11:43
|
 lv.exe 227da511d6e03d33bb9e1cbf18f957c8
Generic Malware Malicious Packer Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows crashed |
|
|
|
|
3.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8553 |
2021-06-04 12:09
|
 tesy.scr 12b686d6b88ab3ece8f2cc13fed9cd91
PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://prometall-cm.com/Panel/five/fre.php
|
4
prometall-cm.com(172.67.181.37)
104.21.51.136
104.21.21.221 - mailcious
172.67.200.215
|
5
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Fake 404 Response
|
|
9.6 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8554 |
2021-06-04 12:09
|
 Invoice.exe 6d9d41b8c7b2019d513c52822c6b7a91
PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Anti_VM Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
|
|
|
8.8 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8555 |
2021-06-04 12:09
|
 0b1.exe e7287f303c0b70b8f23c67c962a84f81
AsyncRAT backdoor PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows DNS |
1
|
8
www.google.com(172.217.25.68)
88.99.66.31 - mailcious
208.95.112.1
172.217.24.68
88.218.92.148 - malware
157.240.215.35
198.13.62.186 - suspicious
172.217.26.132
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8556 |
2021-06-04 12:10
|
 file31s.exe 6a763fac0951021be4b351dddf62bb1d
PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 MSOffice File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
5
http://176.31.56.216:58181/
https://iplogger.org/12nXi7
https://iplogger.org/favicon.ico
https://api.ip.sb/geoip
https://bitbucket.org/mminminminmin05/testtest/downloads/5.exe
|
7
api.ip.sb(104.26.13.31)
bitbucket.org(104.192.141.1) - malware
iplogger.org(88.99.66.31) - mailcious
176.31.56.216
172.67.75.172
88.99.66.31 - mailcious
104.192.141.1 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
|
|
12.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8557 |
2021-06-04 12:12
|
 flashplayer.exe c25218fcf7bce8f3b6431d8125e2e898
AsyncRAT backdoor Emotet Generic Malware VMProtect AntiDebug AntiVM PE File .NET EXE PE32 DLL GIF Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW IP Check Tofsee Ransomware Windows Browser DNS Cryptographic key crashed |
8
http://ol.gamegame.info/report7.4.php - rule_id: 1518
http://iw.gamegame.info/report7.4.php - rule_id: 1517
http://ip-api.com/json/
http://uyg5wye.2ihsfa.com/api/?sid=225691&key=326f32f218d7def7aba855b5cc3b5918 - rule_id: 1396
http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
http://ip-api.com/json/?fields=8198
https://iplogger.org/18hh57
https://www.facebook.com/
|
15
www.facebook.com(157.240.215.35)
email.yg9.me(198.13.62.186) - suspicious
uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
ol.gamegame.info(104.21.21.221) - mailcious
iplogger.org(88.99.66.31) - mailcious
ip-api.com(208.95.112.1)
iw.gamegame.info(104.21.21.221) - mailcious
news-systems.xyz() - mailcious
88.99.66.31 - mailcious
208.95.112.1
172.67.200.215
104.21.21.221 - mailcious
88.218.92.148 - malware
157.240.215.35
198.13.62.186 - suspicious
|
3
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
ET POLICY External IP Lookup ip-api.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
4
http://ol.gamegame.info/report7.4.php
http://iw.gamegame.info/report7.4.php
http://uyg5wye.2ihsfa.com/api/
http://uyg5wye.2ihsfa.com/api/
|
17.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8558 |
2021-06-04 12:12
|
 covid.exe 0ac067f9a888d650d44d0f3c9cef21bf
Anti_VM Malicious Library DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
wekeepworking.sytes.net(79.134.225.90) - mailcious
79.134.225.90 - mailcious
|
|
|
14.4 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8559 |
2021-06-04 13:23
|
 5.exe 26c1fa9d93b8875b52d84e0e1b268d3e
AsyncRAT backdoor BitCoin KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.215.113.116:62665/
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
185.215.113.116
172.67.75.172
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
SURICATA HTTP unable to match response to request
|
|
12.2 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8560 |
2021-06-04 18:12
|
 vbc.exe 1d1e0caaf70abcc7ae285e98d04e2f31
PWS Loki[b] Loki[m] .NET framework Admin Tool (Sysinternals Devolutions inc) Anti_VM Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://eyecos.ga/chang/gate.php - rule_id: 1185
|
2
eyecos.ga(34.145.117.77) - mailcious
34.145.117.77
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/chang/gate.php
|
15.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8561 |
2021-06-04 18:13
|
 oxcxcvhgfc.exe f8e766e4d22bc299950f6a4d23c824cc
AsyncRAT backdoor Gen1 Malicious Packer KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName Password |
9
http://veronikaa.ac.ug/msvcp140.dll
http://veronikaa.ac.ug/nss3.dll
http://veronikaa.ac.ug/sqlite3.dll
http://veronikaa.ac.ug/main.php
http://veronikaa.ac.ug/freebl3.dll
http://veronikaa.ac.ug/mozglue.dll
http://veronikaa.ac.ug/softokn3.dll
http://veronikaa.ac.ug/vcruntime140.dll
http://veronikaa.ac.ug/
|
2
veronikaa.ac.ug(185.215.113.77)
185.215.113.77 - malware
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
16.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8562 |
2021-06-04 18:14
|
 cc.exe a366fb953227608061d99b578d6a31c1
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM PE File PE32 Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution |
1
https://cdn.discordapp.com/attachments/720918485122940978/850158871501602823/Cdfyxciknlozqdclvjieazyvhyfqdvt
|
2
cdn.discordapp.com(162.159.135.233) - malware
162.159.134.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8563 |
2021-06-04 18:15
|
 axcxcvhgfc.exe 2eb4f37816d7e7b632eecee6952f473f
PWS Loki[b] Loki[m] AsyncRAT backdoor Gen1 Malicious Packer KeyLogger DNS Socket HTTP Http API Internet API ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password |
10
http://veronikaa.ac.ug/msvcp140.dll
http://veronika.ac.ug/index.php
http://veronikaa.ac.ug/nss3.dll
http://veronikaa.ac.ug/sqlite3.dll
http://veronikaa.ac.ug/main.php
http://veronikaa.ac.ug/freebl3.dll
http://veronikaa.ac.ug/mozglue.dll
http://veronikaa.ac.ug/softokn3.dll
http://veronikaa.ac.ug/vcruntime140.dll
http://veronikaa.ac.ug/
|
3
veronikaa.ac.ug(185.215.113.77)
veronika.ac.ug(185.215.113.77) - malware
185.215.113.77 - malware
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8564 |
2021-06-04 18:16
|
 ac.exe a9bd3a038170c1a41212c8e320b68d5d
AsyncRAT backdoor Malicious Packer KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
|
3
icacxndo.ac.ug() - suspicious
icando.ug(194.5.98.107) - suspicious
194.5.98.107
|
|
|
12.8 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8565 |
2021-06-04 18:16
|
 ame.exe b06fa1b6d444fdfbdfdbd3d3330038d3
AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Anti_VM Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
9.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|