| 9526 |
2021-07-01 06:57
|
 vbc.exe 41f28ba9d94721b4397b1d4a170123a4
Lokibot PWS Loki[b] Loki[m] RAT .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
2
http://manvim.co/fd5/fre.php - rule_id: 2435
http://manvim.co/fd5/fre.php
|
2
manvim.co(165.227.225.62) - mailcious
165.227.225.62
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://manvim.co/fd5/fre.php
|
13.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9527 |
2021-07-01 08:08
|
 105.dll fcc006d52996cd0eb65b33914045ef17
DLL PE32 PE File VirusTotal Malware Checks debugger unpack itself DNS |
|
|
|
|
1.8 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9528 |
2021-07-01 08:08
|
 ojhvxcgdfsd.exe 995bf66e1305d116167f598cffb872a9
PWS .NET framework Generic Malware Malicious Packer .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself |
|
|
|
|
5.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9529 |
2021-07-01 08:10
|
 un.exe f72c2ec4d30ac2255660c50ad4f3cb5f
OS Processor Check PE32 PE File VirusTotal Malware DNS |
|
|
|
|
2.2 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9530 |
2021-07-01 08:10
|
 un.exe f72c2ec4d30ac2255660c50ad4f3cb5f
OS Processor Check PE32 PE File VirusTotal Malware |
|
|
|
|
1.6 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9531 |
2021-07-01 08:13
|
 catx.exe 5398c6db0ce70c200ecad76511baccf1
Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library DNS AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
3
tzitziklishop.ddns.net(103.133.106.117)
37.235.1.174
103.133.106.117
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
14.8 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9532 |
2021-07-01 08:15
|
 ujunkwerex.exe 6fc65c14ff61433c356bfda77e0c6e41
RAT Generic Malware UPX Antivirus DNS AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1235E527CC34D56F5639DB569338CB90.html - rule_id: 2406
https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE44F55B90FB18A2A4452FA478F7245A.html - rule_id: 2406
|
3
kakosidobrosam.gq(104.21.67.197) - mailcious
172.67.180.37 - mailcious
79.134.225.87
|
3
ET INFO DNS Query for Suspicious .gq Domain
ET INFO Suspicious Domain (*.gq) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://kakosidobrosam.gq/liverpool-fc-news/
https://kakosidobrosam.gq/liverpool-fc-news/
|
15.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9533 |
2021-07-01 08:15
|
 tele.exe d9a00e83e1274fafbb08ffac114e7b10
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
1
|
|
|
12.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9534 |
2021-07-01 08:17
|
 vbc.exe b8b983659cce2f715b3a81d650c80df7
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 MSOffice File PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
8.6 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9535 |
2021-07-01 08:18
|
 CE_Agent_Funding_Advice_pdf.js dadca572b4e524d5f03a2a4f9b25a050WMI ComputerName DNS DDNS |
|
2
dilideanter.zapto.org(185.19.85.169)
185.19.85.169 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.zapto .org
|
|
3.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9536 |
2021-07-01 08:20
|
 som.exe 296f369decd12d95360b63edc2353eca
RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
11.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9537 |
2021-07-01 08:25
|
 vbc.exe 8f0c1dbed9264aecc9a8ef0efd0ea494
RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows DNS Cryptographic key |
21
http://www.quiala.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=Z+7x/WJIGnA0RXKqKJRi9i839shjEJQ6Yf3hDVZ9yB3OoUANi/ZyWn5pi+rP+hKw+QjS65jU
http://www.newccosecurity.net/usur/?BZ=E2J4tNWxrVn&JDK8bDY=5rBcWCgqvOVrIDrLA9uQDjq/SKABVFk84iiuqEN7/IORZIcA0aKwb/pmvw4zdiDTTOz+++vb
http://www.sumbadriftresort.com/usur/
http://www.purpopup.com/usur/
http://www.pandemiccraftee.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=2h0bYSOLWKJZVFqi4XM1zBZtpybL/Vkf3dH4AB0YLLHCu3yNIwyy+69rYUnST0Hda20Oy8/F - rule_id: 2438
http://www.pandemiccraftee.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=2h0bYSOLWKJZVFqi4XM1zBZtpybL/Vkf3dH4AB0YLLHCu3yNIwyy+69rYUnST0Hda20Oy8/F
http://www.onlyinwallkill.com/usur/?JDK8bDY=QrKbGKjqE+t08CM5N6gER8iqNbxBkdl9jNcaGwmKfAiC0iJP4j0kA8PmhlSobSCL8ve+F6l7&BZ=E2J4tNWxrVn
http://www.etnttcil.com/usur/?JDK8bDY=JvY7W1FeSuYbAUL2/q5iwKEKGzXlAsPSGOndNHeCD3yYpbxt+qh6+PdGCHM1fo+vQX6WbpwS&BZ=E2J4tNWxrVn
http://www.quiala.com/usur/
http://www.titlecollective.net/usur/?JDK8bDY=kJF4Jtp5k8LoVWy47VXOAdAqPUYq6G6AN63iTpQP0Qwk36BUVeL93nWRvwdfXnlRZI+1UJ/h&BZ=E2J4tNWxrVn
http://www.newccosecurity.net/usur/
http://www.sumbadriftresort.com/usur/?JDK8bDY=xxkVHo3IjqpJGJ1rPnvVuxZTgxSetVC9N6T2Q5zu2fSJdoJLdo3ewFDAGekmiIZzUG0fXYbA&BZ=E2J4tNWxrVn
http://www.pandemiccraftee.com/usur/ - rule_id: 2438
http://www.pandemiccraftee.com/usur/
http://www.titlecollective.net/usur/
http://www.purpopup.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=UaeGZx2hOMCIKxVUnr5KBVoJEEIbTNEM5fEJkd/cI27UHzIGahgsDrRjNepVDUeghdO8bVkU
http://www.onlyinwallkill.com/usur/
http://www.etnttcil.com/usur/
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:2629063817&cup2hreq=4cdaf22df66d73664bc8039655b9fe86814a70f8afd58fab1e40c15d1673ac69
|
17
edgedl.me.gvt1.com(34.104.35.123)
www.purpopup.com(23.224.206.46)
www.onlyinwallkill.com(198.49.23.144)
www.quiala.com(52.58.78.16)
www.titlecollective.net(35.169.40.107)
www.newccosecurity.net(34.102.136.180)
www.pandemiccraftee.com(34.102.136.180)
www.sumbadriftresort.com(34.102.136.180)
www.etnttcil.com(103.20.127.61)
52.58.78.16 - mailcious
103.20.127.61
198.185.159.145 - mailcious
35.169.40.107
34.102.136.180 - mailcious
34.104.35.123
23.224.206.46
142.250.66.67
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
2
http://www.pandemiccraftee.com/usur/
http://www.pandemiccraftee.com/usur/
|
9.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9538 |
2021-07-01 08:32
|
 idu567.tmp 18c3793f2df5ae48b55a9a1825b1c1fb
Generic Malware DLL PE32 PE File VirusTotal Malware PDB Check memory unpack itself ComputerName DNS |
|
1
172.241.27.226 - mailcious
|
|
|
2.2 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9539 |
2021-07-01 08:35
|
 SignerLib.exe 796b3e4674b68b33c906ce32c3275d83
Generic Malware OS Processor Check PE32 PE File VirusTotal Malware |
|
|
|
|
1.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9540 |
2021-07-01 08:40
|
 iduD8A5.tmp fcc006d52996cd0eb65b33914045ef17
DLL PE32 PE File VirusTotal Malware Checks debugger unpack itself |
|
|
|
|
1.2 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|