9541 | 2021-07-01 08:44 | ZeroCERT
File: EOU907665787754.COM.exe
MD5: b70e5ba1d460943683b625756ca68d64
Tags: PWS, Loki[b], Loki[m], RAT, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), DNS, Socket, AntiDebug, AntiVM, .NET EXE, PE32, MSOffice File, PE File, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software
URLs (1): http://pakilogs2020.xyz/t/e/cos.php
Hosts (2): pakilogs2020.xyz (104.21.36.131); 172.67.194.109
Alerts (5): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response
Score: 13.2 | VT detections: 7
9542 | 2021-07-01 08:47 | ZeroCERT
File: PDF.exe
MD5: cdcdbe253da2dfdf3792f26681bbd14e
Tags: PE32, PE File, DLL, VirusTotal, Malware, Check memory, Creates executable files, unpack itself, AppData folder, crashed
Score: 3.2 | VT detections: 23
9543 | 2021-07-01 08:53 | ZeroCERT
File: United_States_Project_for_Prom...
MD5: e05468aaa0c436e953116989ccf9703b
Tags: Anti_VM, AntiDebug, AntiVM, GIF Format, VirusTotal, Malware, Code Injection, Check memory, Creates shortcut, RWX flags setting, unpack itself, suspicious process, Tofsee, Interception, DNS
URLs (1): https://dadsasoa.in/font/js/images/files/United-States_Project_for_Promise/css
Hosts (2): dadsasoa.in (31.220.106.229); 31.220.106.229
Alerts (3): SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.8 | VT detections: 22
9544 | 2021-07-01 13:17 | ZeroCERT
File: start.wll
MD5: b913ed9e030cc8fff0633815b65bab5b
Tags: Anti_VM, DLL, OS Processor Check, PE32, PE File, VirusTotal, Malware
Score: 1.4 | VT detections: 30
9545 | 2021-07-01 13:18 | ZeroCERT
File: start.wll
MD5: b913ed9e030cc8fff0633815b65bab5b
Tags: Anti_VM, DLL, OS Processor Check, PE32, PE File, VirusTotal, Malware
Score: 1.4 | VT detections: 30
9546 | 2021-07-01 13:24 | ZeroCERT
File: deed contract_06.30.2021.doc
MD5: f14841089a09d6759e2f0859b3f4a8e8
Tags: VBA_macro, AntiDebug, AntiVM, Vulnerability, VirusTotal, Malware, Code Injection, Check memory, RWX flags setting, unpack itself, suspicious process, Interception
URLs (1): http://caseytackleg.com/adda/97989/L1gilQRdZq/69162/21769/92295/LDaP53s4jS/xmbPmbPLTBgcHiQBTvpV3/FiRpMcV1KQoZvQXF/jaki5?ref=QMM2RoYUyJaRoSyKnsQTWwia3HAT&id=Vmd8BZgkL2LfL0Q6rP5E90A4IuV6uK&=L3nxZvx0pbc&bxwa6j=W1JDNxusaKQ52ftR&cid=CEY1IPTRZnuRMLPgWYwL&EAebOs=D7BBL9IK3Z2O
Hosts (2): caseytackleg.com (no address listed); 45.84.0.206 (malicious)
Score: 7.0 | VT detections: 11
9547 | 2021-07-01 13:24 | ZeroCERT
File: documents 06.30.2021.doc
MD5: 97b1bb23455fb9a9607f37df266459fc
Tags: VBA_macro, AntiDebug, AntiVM, Vulnerability, VirusTotal, Malware, Code Injection, Check memory, RWX flags setting, unpack itself, suspicious process, Interception, DNS
URLs (1): http://testmahoneyd.com/adda/ZkgMceY0duMWvbVq3U6NjMyVfmZ7lMCfzAbEoVSbLlq9a/rzm/rEUMKp42XJbX2eYUsY/jaki1?zWK=72PYbHirT716P1j&C2=eExppjEub&user=DVBfo&kwdDlCQ=MNWvACcxddQXF9A4pxFK&Nj5vbCtMy0=S7&time=CVUofDJvJNzOi&q=EnIS1Ysk8q6lbxCwUFuXwGEeKTBt
Hosts (2): testmahoneyd.com (45.84.0.215); 45.84.0.215
Score: 7.4 | VT detections: 9
9548 | 2021-07-01 13:26 | ZeroCERT
File: facts_06.21.doc
MD5: 3d678e9da2f9b1c8385a923138a06dd7
Tags: VBA_macro, AntiDebug, AntiVM, Vulnerability, VirusTotal, Malware, Code Injection, Check memory, RWX flags setting, unpack itself, suspicious process, Interception
URLs (1): http://caseytackleg.com/adda/y6m5/acFY0verQBAz9zXaT14Bx27I3dQRVEsR6VG429Jl/92011/F/ULVwowS3iTI1ZmzCiT2zyXb6BwCVO2qg1/Qym5RgBB4uG/jaki4?id=vkoKAlfaGp0iVJv7T3&Fy=cRZnSzyg8mYCp&q=G8MzqN5mC&cid=HD7iEvMCXCkOyBudWvtF5X0wr2iBYl&aYyn=vsfT3ZJRcSbm2lrma7Pj&page=d8UWwGRP&=fIRw22b9xEW6zvJ6w4EmckjBYKM3Fh&q=p3VI6xhfOdI6wGXAI1cz&ref=nQf7SfN
Hosts (2): caseytackleg.com (45.84.0.206); 45.84.0.206 (malicious)
Score: 7.0 | VT detections: 12
9549 | 2021-07-01 13:28 | ZeroCERT
File: ...........wbk
MD5: 977b5b5c00f487c20f4689ba43a6d3ef
Tags: RTF File, doc, AntiDebug, AntiVM, Malware download, Malware, MachineGuid, Malicious Traffic, Check memory, Checks debugger, exploit crash, unpack itself, Windows Exploit, DNS, crashed, Downloader
URLs (1): http://103.133.106.144/rtpc/vbc.exe
Hosts (1): not listed
Alerts (6): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.2 | VT detections: not listed
9550 | 2021-07-01 13:30 | ZeroCERT
File: Dn2BawZf.php
MD5: 10eeac6d1588d51ee5495b70b45abad2
Tags: AntiDebug, AntiVM, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName
Score: 4.2 | VT detections: 8
9551 | 2021-07-01 13:34 | ZeroCERT
File: Bo7TjX1L2.php
MD5: 2680d519097273ace671daf7ac0f9e8d
Tags: Emotet, UPX, OS Processor Check, PE32, PE File, VirusTotal, Malware, Malicious Traffic, DNS
URLs (1): http://160.20.147.250/j.ad
Hosts (1): not listed
Score: 2.8 | VT detections: 22
9552 | 2021-07-01 13:34 | ZeroCERT
File: 7GPtF4bk.php
MD5: 61a09af0df7259bf97a656b8a4d34338
Tags: Emotet, UPX, OS Processor Check, PE32, PE File, VirusTotal, Malware, Malicious Traffic, DNS
URLs (1): not listed
Hosts (1): not listed
Score: 2.8 | VT detections: 26
9553 | 2021-07-01 13:54 | ZeroCERT
File: file2.exe
MD5: be23958ce4cb7c999dddca276120d276
Tags: PE32, OS Processor Check, PE File, VirusTotal, Malware, PDB, unpack itself, Remote Code Execution, DNS
Score: 3.0 | M | VT detections: 29
9554 | 2021-07-01 13:54 | ZeroCERT
File: vbc.exe
MD5: 082f43edde28a07af52951f8e2e43628
Tags: PWS, Loki[b], Loki[m], .NET framework, Generic Malware, DNS, AntiDebug, AntiVM, PE32, .NET EXE, PE File, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Windows, Browser, Email, ComputerName, Cryptographic key, Software
URLs (1): http://manvim.co/fd6/fre.php
Hosts (2): manvim.co (165.227.225.62) (malicious); 165.227.225.62 (malicious)
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Score: 12.8 | VT detections: not listed
9555 | 2021-07-01 13:58 | ZeroCERT
File: file4.exe
MD5: b5571f25836cd41445aa42574af4b736
Tags: Generic Malware, PE32, PE File, VirusTotal, Malware, Check memory, RWX flags setting, unpack itself, anti-virtualization
Score: 3.0 | M | VT detections: 30