| 9541 |
2021-07-01 08:44
|
 EOU907665787754.COM.exe b70e5ba1d460943683b625756ca68d64
PWS Loki[b] Loki[m] RAT .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM .NET EXE PE32 MSOffice File PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://pakilogs2020.xyz/t/e/cos.php
|
2
pakilogs2020.xyz(104.21.36.131)
172.67.194.109
|
5
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Fake 404 Response
|
|
13.2 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9542 |
2021-07-01 08:47
|
 PDF.exe cdcdbe253da2dfdf3792f26681bbd14e
PE32 PE File DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder crashed |
|
|
|
|
3.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9543 |
2021-07-01 08:53
|
United_States_Project_for_Prom... e05468aaa0c436e953116989ccf9703b
Anti_VM AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting unpack itself suspicious process Tofsee Interception DNS |
1
https://dadsasoa.in/font/js/images/files/United-States_Project_for_Promise/css
|
2
dadsasoa.in(31.220.106.229)
31.220.106.229
|
3
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9544 |
2021-07-01 13:17
|
 start.wll b913ed9e030cc8fff0633815b65bab5b
Anti_VM DLL OS Processor Check PE32 PE File VirusTotal Malware |
|
|
|
|
1.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9545 |
2021-07-01 13:18
|
 start.wll b913ed9e030cc8fff0633815b65bab5b
Anti_VM DLL OS Processor Check PE32 PE File VirusTotal Malware |
|
|
|
|
1.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9546 |
2021-07-01 13:24
|
deed contract_06.30.2021.doc f14841089a09d6759e2f0859b3f4a8e8
VBA_macro AntiDebug AntiVM Vulnerability VirusTotal Malware Code Injection Check memory RWX flags setting unpack itself suspicious process Interception |
1
http://caseytackleg.com/adda/97989/L1gilQRdZq/69162/21769/92295/LDaP53s4jS/xmbPmbPLTBgcHiQBTvpV3/FiRpMcV1KQoZvQXF/jaki5?ref=QMM2RoYUyJaRoSyKnsQTWwia3HAT&id=Vmd8BZgkL2LfL0Q6rP5E90A4IuV6uK&=L3nxZvx0pbc&bxwa6j=W1JDNxusaKQ52ftR&cid=CEY1IPTRZnuRMLPgWYwL&EAebOs=D7BBL9IK3Z2O
|
2
caseytackleg.com()
45.84.0.206 - mailcious
|
|
|
7.0 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9547 |
2021-07-01 13:24
|
documents 06.30.2021.doc 97b1bb23455fb9a9607f37df266459fc
VBA_macro AntiDebug AntiVM Vulnerability VirusTotal Malware Code Injection Check memory RWX flags setting unpack itself suspicious process Interception DNS |
1
http://testmahoneyd.com/adda/ZkgMceY0duMWvbVq3U6NjMyVfmZ7lMCfzAbEoVSbLlq9a/rzm/rEUMKp42XJbX2eYUsY/jaki1?zWK=72PYbHirT716P1j&C2=eExppjEub&user=DVBfo&kwdDlCQ=MNWvACcxddQXF9A4pxFK&Nj5vbCtMy0=S7&time=CVUofDJvJNzOi&q=EnIS1Ysk8q6lbxCwUFuXwGEeKTBt
|
2
testmahoneyd.com(45.84.0.215)
45.84.0.215
|
|
|
7.4 |
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9548 |
2021-07-01 13:26
|
 facts_06.21.doc 3d678e9da2f9b1c8385a923138a06dd7
VBA_macro AntiDebug AntiVM Vulnerability VirusTotal Malware Code Injection Check memory RWX flags setting unpack itself suspicious process Interception |
1
http://caseytackleg.com/adda/y6m5/acFY0verQBAz9zXaT14Bx27I3dQRVEsR6VG429Jl/92011/F/ULVwowS3iTI1ZmzCiT2zyXb6BwCVO2qg1/Qym5RgBB4uG/jaki4?id=vkoKAlfaGp0iVJv7T3&Fy=cRZnSzyg8mYCp&q=G8MzqN5mC&cid=HD7iEvMCXCkOyBudWvtF5X0wr2iBYl&aYyn=vsfT3ZJRcSbm2lrma7Pj&page=d8UWwGRP&=fIRw22b9xEW6zvJ6w4EmckjBYKM3Fh&q=p3VI6xhfOdI6wGXAI1cz&ref=nQf7SfN
|
2
caseytackleg.com(45.84.0.206)
45.84.0.206 - mailcious
|
|
|
7.0 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9549 |
2021-07-01 13:28
|
 ...........wbk 977b5b5c00f487c20f4689ba43a6d3ef
RTF File doc AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://103.133.106.144/rtpc/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9550 |
2021-07-01 13:30
|
Dn2BawZf.php 10eeac6d1588d51ee5495b70b45abad2
AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName |
|
|
|
|
4.2 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9551 |
2021-07-01 13:34
|
 Bo7TjX1L2.php 2680d519097273ace671daf7ac0f9e8d
Emotet UPX OS Processor Check PE32 PE File VirusTotal Malware Malicious Traffic DNS |
1
http://160.20.147.250/j.ad
|
1
|
|
|
2.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9552 |
2021-07-01 13:34
|
 7GPtF4bk.php 61a09af0df7259bf97a656b8a4d34338
Emotet UPX OS Processor Check PE32 PE File VirusTotal Malware Malicious Traffic DNS |
1
|
1
|
|
|
2.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9553 |
2021-07-01 13:54
|
 file2.exe be23958ce4cb7c999dddca276120d276
PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself Remote Code Execution DNS |
|
|
|
|
3.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9554 |
2021-07-01 13:54
|
 vbc.exe 082f43edde28a07af52951f8e2e43628
PWS Loki[b] Loki[m] .NET framework Generic Malware DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Cryptographic key Software |
1
http://manvim.co/fd6/fre.php
|
2
manvim.co(165.227.225.62) - mailcious
165.227.225.62 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
12.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9555 |
2021-07-01 13:58
|
 file4.exe b5571f25836cd41445aa42574af4b736
Generic Malware PE32 PE File VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization |
|
|
|
|
3.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|