8716 |
2021-06-09 16:26
|
s.dot 6d89cdd32590a17b8e856eb600edb34e RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
6
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe http://manvim.co/bo/fre.php http://103.156.91.50/fresh/svch.exe http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1623222978&mv=m&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=10:4208837802&cup2hreq=a8595f3f15a9f9264a7e2fc326617e9a1bd12d2773bac8acd5ad3ca2700f8536
|
5
manvim.co(34.152.14.118) r2---sn-3u-bh2z7.gvt1.com(211.114.66.77) 211.114.66.77 103.156.91.50 34.152.14.118
|
15
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.0 |
|
23 |
ZeroCERT
|
8717 |
2021-06-09 16:32
|
k.doc 6748863e5c9e3dbda83e81885b96c784 RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit Trojan DNS crashed Downloader |
2
http://eyecos.ga/kung/gate.php - rule_id: 937 http://103.140.251.225/kung444/bin.exe
|
3
eyecos.ga(34.118.106.49) - mailcious 34.118.106.49 103.140.251.225
|
17
ET INFO DNS Query for Suspicious .ga Domain ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET INFO Executable Download from dotted-quad Host ET MALWARE Possible MalDoc Payload Download Nov 11 2014 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/kung/gate.php
|
4.4 |
M |
25 |
ZeroCERT
|
8718 |
2021-06-09 21:37
|
PathCopyCopy19.0.exe 92c260a6b5d92ae46a580f77f8a6f411 Emotet AsyncRAT backdoor PWS .NET framework Gen1 Gen2 Generic Malware PE File OS Processor Check PE32 DLL .NET DLL .NET EXE PE64 GIF Format AutoRuns Checks debugger Creates shortcut Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName |
|
|
|
|
4.2 |
|
|
guest
|
8719 |
2021-06-09 21:49
|
bin.exe b72c51bdd3489176cc6da5496d2542cb PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Cryptographic key Software |
1
http://eyecos.ga/kung/gate.php - rule_id: 937
|
2
eyecos.ga(34.118.106.49) - mailcious 34.118.106.49
|
10
ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET INFO DNS Query for Suspicious .ga Domain
|
1
http://eyecos.ga/kung/gate.php
|
13.8 |
M |
14 |
ZeroCERT
|
8720 |
2021-06-09 21:51
|
svch.exe 6e32cd4a3fac5e6b0b5f1c5659182f9e loki bot PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://manvim.co/bo/fre.php - rule_id: 1896
|
2
manvim.co(34.152.14.118) - mailcious 34.152.14.118 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://manvim.co/bo/fre.php
|
15.0 |
M |
19 |
ZeroCERT
|
8721 |
2021-06-09 22:06
|
vbc.exe f91a59d752971b133ff68b550ff847fb PWS Loki[b] Loki[m] AsyncRAT backdoor .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library DNS Socket AntiDebug AntiVM PE File .NET EXE OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
|
1
173.208.204.37 - mailcious
|
|
|
13.2 |
|
|
ZeroCERT
|
8722 |
2021-06-09 22:06
|
eSZhus81sRHwOek.exe 383470069d167d1fc6d1aec6251a0c1f AsyncRAT backdoor PWS .NET framework Antivirus Anti_VM Malicious Packer Escalate priviledges Hijack Network AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Kovter Windows ComputerName DNS |
|
1
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
12.2 |
|
47 |
ZeroCERT
|
8723 |
2021-06-09 22:08
|
YURklmRKB31uyhW.exe 8996d57c093fcd99bc32e440a5ba425f Malicious Packer AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS |
|
2
198.46.177.119 - mailcious 66.154.113.12
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
11.8 |
|
50 |
ZeroCERT
|
8724 |
2021-06-09 22:09
|
svchoster.exe 9750dee05b47f072e5975895dcf61ae5 PWS .NET framework Malicious Packer DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS |
|
1
|
|
|
15.2 |
|
50 |
ZeroCERT
|
8725 |
2021-06-09 22:10
|
razi.exe f86b14c90a4eabc844a257abebd8a614 PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
5.0 |
|
29 |
ZeroCERT
|
8726 |
2021-06-09 22:11
|
EmmyCrypted.exe d2090d6b03c4c37de4e1e8e615d578b2 PWS .NET framework Malicious Packer AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
|
1
|
|
|
13.2 |
|
52 |
ZeroCERT
|
8727 |
2021-06-09 22:13
|
7fYvnvBMhaKg62g.exe 97be1a66adc40eb9c11f8cb78748d0d0 AsyncRAT backdoor PWS .NET framework Malicious Packer AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
|
1
|
|
|
12.4 |
M |
54 |
ZeroCERT
|
8728 |
2021-06-09 22:16
|
UUuYyduOHD0ru0s.exe 6f0557c816b9b28c1d1ad3958d14bda3 AsyncRAT backdoor PWS .NET framework Malicious Packer ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS |
|
1
198.46.177.119 - mailcious
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
11.8 |
M |
47 |
ZeroCERT
|
8729 |
2021-06-09 22:16
|
AsyncCrypted.exe ffc89b7469181d83e38f14b3493528ee PWS .NET framework Malicious Packer PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
|
|
|
|
9.0 |
M |
54 |
ZeroCERT
|
8730 |
2021-06-09 22:18
|
8RZ6O2l7a2yZNGp.exe 2e51adab57d3572ffe81c9cfbc65c86a AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kovter Windows ComputerName DNS |
|
2
198.46.177.119 - mailcious 66.154.113.12
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
11.8 |
M |
47 |
ZeroCERT
|