9526 | 2021-07-01 06:57 | vbc.exe 41f28ba9d94721b4397b1d4a170123a4 Lokibot PWS Loki[b] Loki[m] RAT .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library DNS Socket AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software | 2: http://manvim.co/fd5/fre.php - rule_id: 2435 http://manvim.co/fd5/fre.php | 2: manvim.co(165.227.225.62) - mailcious 165.227.225.62 | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response | 1: http://manvim.co/fd5/fre.php | 13.0 | | | ZeroCERT
9527 | 2021-07-01 08:08 | 105.dll fcc006d52996cd0eb65b33914045ef17 DLL PE32 PE File VirusTotal Malware Checks debugger unpack itself DNS | | | | | 1.8 | | 1 | ZeroCERT
9528 | 2021-07-01 08:08 | ojhvxcgdfsd.exe 995bf66e1305d116167f598cffb872a9 PWS .NET framework Generic Malware Malicious Packer .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself | | | | | 5.0 | M | 24 | ZeroCERT
9529 | 2021-07-01 08:10 | un.exe f72c2ec4d30ac2255660c50ad4f3cb5f OS Processor Check PE32 PE File VirusTotal Malware DNS | | | | | 2.2 | M | 52 | ZeroCERT
9530 | 2021-07-01 08:10 | un.exe f72c2ec4d30ac2255660c50ad4f3cb5f OS Processor Check PE32 PE File VirusTotal Malware | | | | | 1.6 | M | 52 | ZeroCERT
9531 | 2021-07-01 08:13 | catx.exe 5398c6db0ce70c200ecad76511baccf1 Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library DNS AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS | | 3: tzitziklishop.ddns.net(103.133.106.117) 37.235.1.174 103.133.106.117 | 1: ET POLICY DNS Query to DynDNS Domain *.ddns .net | | 14.8 | | 14 | ZeroCERT
9532 | 2021-07-01 08:15 | ujunkwerex.exe 6fc65c14ff61433c356bfda77e0c6e41 RAT Generic Malware UPX Antivirus DNS AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS Cryptographic key crashed | 2: https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1235E527CC34D56F5639DB569338CB90.html - rule_id: 2406 https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE44F55B90FB18A2A4452FA478F7245A.html - rule_id: 2406 | 3: kakosidobrosam.gq(104.21.67.197) - mailcious 172.67.180.37 - mailcious 79.134.225.87 | 3: ET INFO DNS Query for Suspicious .gq Domain ET INFO Suspicious Domain (*.gq) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 2: https://kakosidobrosam.gq/liverpool-fc-news/ https://kakosidobrosam.gq/liverpool-fc-news/ | 15.0 | M | 19 | ZeroCERT
9533 | 2021-07-01 08:15 | tele.exe d9a00e83e1274fafbb08ffac114e7b10 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed | | 1 | | | 12.0 | M | 40 | ZeroCERT
9534 | 2021-07-01 08:17 | vbc.exe b8b983659cce2f715b3a81d650c80df7 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 MSOffice File PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed | | | | | 8.6 | M | 26 | ZeroCERT
9535 | 2021-07-01 08:18 | CE_Agent_Funding_Advice_pdf.js dadca572b4e524d5f03a2a4f9b25a050 WMI ComputerName DNS DDNS | | 2: dilideanter.zapto.org(185.19.85.169) 185.19.85.169 - mailcious | 1: ET POLICY DNS Query to DynDNS Domain *.zapto .org | | 3.6 | | | ZeroCERT
9536 | 2021-07-01 08:20 | som.exe 296f369decd12d95360b63edc2353eca RAT Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed | | | | | 11.4 | M | 20 | ZeroCERT
9537 | 2021-07-01 08:25 | vbc.exe 8f0c1dbed9264aecc9a8ef0efd0ea494 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows DNS Cryptographic key | 21: http://www.quiala.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=Z+7x/WJIGnA0RXKqKJRi9i839shjEJQ6Yf3hDVZ9yB3OoUANi/ZyWn5pi+rP+hKw+QjS65jU http://www.newccosecurity.net/usur/?BZ=E2J4tNWxrVn&JDK8bDY=5rBcWCgqvOVrIDrLA9uQDjq/SKABVFk84iiuqEN7/IORZIcA0aKwb/pmvw4zdiDTTOz+++vb http://www.sumbadriftresort.com/usur/ http://www.purpopup.com/usur/ http://www.pandemiccraftee.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=2h0bYSOLWKJZVFqi4XM1zBZtpybL/Vkf3dH4AB0YLLHCu3yNIwyy+69rYUnST0Hda20Oy8/F - rule_id: 2438 http://www.pandemiccraftee.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=2h0bYSOLWKJZVFqi4XM1zBZtpybL/Vkf3dH4AB0YLLHCu3yNIwyy+69rYUnST0Hda20Oy8/F http://www.onlyinwallkill.com/usur/?JDK8bDY=QrKbGKjqE+t08CM5N6gER8iqNbxBkdl9jNcaGwmKfAiC0iJP4j0kA8PmhlSobSCL8ve+F6l7&BZ=E2J4tNWxrVn http://www.etnttcil.com/usur/?JDK8bDY=JvY7W1FeSuYbAUL2/q5iwKEKGzXlAsPSGOndNHeCD3yYpbxt+qh6+PdGCHM1fo+vQX6WbpwS&BZ=E2J4tNWxrVn http://www.quiala.com/usur/ http://www.titlecollective.net/usur/?JDK8bDY=kJF4Jtp5k8LoVWy47VXOAdAqPUYq6G6AN63iTpQP0Qwk36BUVeL93nWRvwdfXnlRZI+1UJ/h&BZ=E2J4tNWxrVn http://www.newccosecurity.net/usur/ http://www.sumbadriftresort.com/usur/?JDK8bDY=xxkVHo3IjqpJGJ1rPnvVuxZTgxSetVC9N6T2Q5zu2fSJdoJLdo3ewFDAGekmiIZzUG0fXYbA&BZ=E2J4tNWxrVn http://www.pandemiccraftee.com/usur/ - rule_id: 2438 http://www.pandemiccraftee.com/usur/ http://www.titlecollective.net/usur/ http://www.purpopup.com/usur/?BZ=E2J4tNWxrVn&JDK8bDY=UaeGZx2hOMCIKxVUnr5KBVoJEEIbTNEM5fEJkd/cI27UHzIGahgsDrRjNepVDUeghdO8bVkU http://www.onlyinwallkill.com/usur/ http://www.etnttcil.com/usur/ http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=10:2629063817&cup2hreq=4cdaf22df66d73664bc8039655b9fe86814a70f8afd58fab1e40c15d1673ac69 | 17: edgedl.me.gvt1.com(34.104.35.123) www.purpopup.com(23.224.206.46) www.onlyinwallkill.com(198.49.23.144) www.quiala.com(52.58.78.16) www.titlecollective.net(35.169.40.107) www.newccosecurity.net(34.102.136.180) www.pandemiccraftee.com(34.102.136.180) www.sumbadriftresort.com(34.102.136.180) www.etnttcil.com(103.20.127.61) 52.58.78.16 - mailcious 103.20.127.61 198.185.159.145 - mailcious 35.169.40.107 34.102.136.180 - mailcious 34.104.35.123 23.224.206.46 142.250.66.67 | 5: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | 2: http://www.pandemiccraftee.com/usur/ http://www.pandemiccraftee.com/usur/ | 9.2 | | 23 | ZeroCERT
9538 | 2021-07-01 08:32 | idu567.tmp 18c3793f2df5ae48b55a9a1825b1c1fb Generic Malware DLL PE32 PE File VirusTotal Malware PDB Check memory unpack itself ComputerName DNS | | 1: 172.241.27.226 - mailcious | | | 2.2 | | 12 | ZeroCERT
9539 | 2021-07-01 08:35 | SignerLib.exe 796b3e4674b68b33c906ce32c3275d83 Generic Malware OS Processor Check PE32 PE File VirusTotal Malware | | | | | 1.2 | M | 41 | ZeroCERT
9540 | 2021-07-01 08:40 | iduD8A5.tmp fcc006d52996cd0eb65b33914045ef17 DLL PE32 PE File VirusTotal Malware Checks debugger unpack itself | | | | | 1.2 | M | 4 | ZeroCERT