| 8716 |
2021-06-09 16:26
|
 s.dot 6d89cdd32590a17b8e856eb600edb34e
RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
6
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
http://manvim.co/bo/fre.php
http://103.156.91.50/fresh/svch.exe
http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1623222978&mv=m&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:4208837802&cup2hreq=a8595f3f15a9f9264a7e2fc326617e9a1bd12d2773bac8acd5ad3ca2700f8536
|
5
manvim.co(34.152.14.118)
r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
211.114.66.77
103.156.91.50
34.152.14.118
|
15
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.0 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8717 |
2021-06-09 16:32
|
 k.doc 6748863e5c9e3dbda83e81885b96c784
RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit Trojan DNS crashed Downloader |
2
http://eyecos.ga/kung/gate.php - rule_id: 937
http://103.140.251.225/kung444/bin.exe
|
3
eyecos.ga(34.118.106.49) - mailcious
34.118.106.49
103.140.251.225
|
17
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET INFO Executable Download from dotted-quad Host
ET MALWARE Possible MalDoc Payload Download Nov 11 2014
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/kung/gate.php
|
4.4 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8718 |
2021-06-09 21:37
|
 PathCopyCopy19.0.exe 92c260a6b5d92ae46a580f77f8a6f411
Emotet AsyncRAT backdoor PWS .NET framework Gen1 Gen2 Generic Malware PE File OS Processor Check PE32 DLL .NET DLL .NET EXE PE64 GIF Format AutoRuns Checks debugger Creates shortcut Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName |
|
|
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8719 |
2021-06-09 21:49
|
 bin.exe b72c51bdd3489176cc6da5496d2542cb
PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://eyecos.ga/kung/gate.php - rule_id: 937
|
2
eyecos.ga(34.118.106.49) - mailcious
34.118.106.49
|
10
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO DNS Query for Suspicious .ga Domain
|
1
http://eyecos.ga/kung/gate.php
|
13.8 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8720 |
2021-06-09 21:51
|
 svch.exe 6e32cd4a3fac5e6b0b5f1c5659182f9e
loki bot PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://manvim.co/bo/fre.php - rule_id: 1896
|
2
manvim.co(34.152.14.118) - mailcious
34.152.14.118 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://manvim.co/bo/fre.php
|
15.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8721 |
2021-06-09 22:06
|
 vbc.exe f91a59d752971b133ff68b550ff847fb
PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
|
1
173.208.204.37 - mailcious
|
|
|
13.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8722 |
2021-06-09 22:06
|
 eSZhus81sRHwOek.exe 383470069d167d1fc6d1aec6251a0c1f
AsyncRAT backdoor PWS .NET framework Antivirus Anti_VM Malicious Packer Escalate priviledges Hijack Network AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Kovter Windows ComputerName DNS |
|
1
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
12.2 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8723 |
2021-06-09 22:08
|
 YURklmRKB31uyhW.exe 8996d57c093fcd99bc32e440a5ba425f
Malicious Packer AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS |
|
2
198.46.177.119 - mailcious
66.154.113.12
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
11.8 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8724 |
2021-06-09 22:09
|
 svchoster.exe 9750dee05b47f072e5975895dcf61ae5
PWS .NET framework Malicious Packer DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS |
|
1
|
|
|
15.2 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8725 |
2021-06-09 22:10
|
 razi.exe f86b14c90a4eabc844a257abebd8a614
PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
5.0 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8726 |
2021-06-09 22:11
|
 EmmyCrypted.exe d2090d6b03c4c37de4e1e8e615d578b2
PWS .NET framework Malicious Packer AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
|
1
|
|
|
13.2 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8727 |
2021-06-09 22:13
|
 7fYvnvBMhaKg62g.exe 97be1a66adc40eb9c11f8cb78748d0d0
AsyncRAT backdoor PWS .NET framework Malicious Packer AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
|
1
|
|
|
12.4 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8728 |
2021-06-09 22:16
|
 UUuYyduOHD0ru0s.exe 6f0557c816b9b28c1d1ad3958d14bda3
AsyncRAT backdoor PWS .NET framework Malicious Packer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS |
|
1
198.46.177.119 - mailcious
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
11.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8729 |
2021-06-09 22:16
|
 AsyncCrypted.exe ffc89b7469181d83e38f14b3493528ee
PWS .NET framework Malicious Packer PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
|
|
|
|
9.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8730 |
2021-06-09 22:18
|
 8RZ6O2l7a2yZNGp.exe 2e51adab57d3572ffe81c9cfbc65c86a
AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS |
|
2
198.46.177.119 - mailcious
66.154.113.12
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
11.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|