9661 | 2021-07-03 10:15
.wininit.exe f8f5b3bad883e0b62fed5af138449db6 PWS Loki[b] Loki[m] .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
2 | http://detectportal.firefox.com/success.txt?ipv4 http://manvim.co/fd3/fre.php
6 | prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82) manvim.co(165.227.225.62) - mailcious mozilla.org(44.236.48.31) detectportal.firefox.com(34.107.221.82) 165.227.225.62 - mailcious 34.107.221.82
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
14.8 | M | 28 | ZeroCERT

9662 | 2021-07-03 10:15
Explorer.exe f52a7f9c3814cc82a7ca86db6f2c8934 Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
10.2 | M | 35 | ZeroCERT

9663 | 2021-07-03 10:19
1820789375.exe 0f4dd44174516703ee52802eec6f49fc NPKI Gen1 Gen2 Generic Malware Anti_VM UPX PE File PE32 PNG Format DLL OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Tofsee Browser ComputerName DNS
4 | http://iplogger.org/1ZnPa7 https://iplogger.org/1ZnPa7 https://bitbucket.org/veronk3/host1/downloads/GPU.zip https://bitbucket.org/veronk3/host1/downloads/CPU.zip
4 | bitbucket.org(104.192.141.1) - malware iplogger.org(88.99.66.31) - mailcious 88.99.66.31 - mailcious 104.192.141.1 - mailcious
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
7.0 | M | 44 | ZeroCERT

9664 | 2021-07-03 18:24
10d.html b26ecf73579c8a01d1024920d21bfdf2 Antivirus AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.8 | | | ZeroCERT

9665 | 2021-07-03 18:27
cred.dll 83ac47cec47d494f4fe62878f545f1a7 PWS Loki[b] Loki[m] PE File DLL PE32 FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software
1 | http://185.215.113.79//g5FcvUgw/index.php
1 |
1 | ET DROP Spamhaus DROP Listed Traffic Inbound group 26
5.8 | M | 48 | ZeroCERT

9666 | 2021-07-03 18:29
preloader.exe 9ef7986267bda788fec22557df41e6f1 PE File OS Processor Check PE32 Malware download VirusTotal Malware MachineGuid Malicious Traffic Creates executable files unpack itself AppData folder Tofsee Trojan Downloader
1 |
6 | fikerty.info(104.21.76.249) - malware fackerty.info(104.21.89.3) - malware touchook.info(172.67.145.198) 172.67.155.53 172.67.145.198 - mailcious 172.67.202.130
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
4.4 | M | 34 | ZeroCERT

9667 | 2021-07-03 18:33
longearthgrinch.png 3adbcd5aca263146322d0a21e54a1c47 Emotet PE File DLL PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
5 | https://185.56.76.108/cookiechecker?uri=/rob102/TEST22-PC_W617601.33715B34B330B01BAE9FB711D913F2BB/5/file/ - rule_id: 2485 https://80.15.2.105/rob102/TEST22-PC_W617601.33715B34B330B01BAE9FB711D913F2BB/5/file/ https://185.56.76.108/login.cgi?uri=/index.html https://185.56.76.108/index.html - rule_id: 2487 https://185.56.76.28/login.cgi?uri=/rob102/TEST22-PC_W617601.33715B34B330B01BAE9FB711D913F2BB/5/file/
12 | 185.56.76.28 38.110.103.113 60.51.47.65 154.58.23.192 - mailcious 204.138.26.60 45.36.99.184 68.69.26.182 38.110.103.124 185.56.76.108 - mailcious 80.15.2.105 38.110.100.104 24.162.214.166
2 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2 | https://185.56.76.108/cookiechecker https://185.56.76.108/index.html
7.2 | M | | ZeroCERT

9668 | 2021-07-04 11:03
windef.exe a1e165e1926c0c83123c89fce6b1af56 Antivirus PE File PE32 Malware download VirusTotal Malware IoC powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
1 | http://diamond.serivice.com/panel/gate.php?ct=1 - rule_id: 2398
2 | diamond.serivice.com(195.133.40.146) - mailcious 195.133.40.146 - mailcious
2 | ET MALWARE Generic gate[.].php GET with minimal headers ET HUNTING Suspicious GET To gate.php with no Referer
1 | http://diamond.serivice.com/panel/gate.php
7.2 | M | 54 | ZeroCERT

9669 | 2021-07-04 11:04
SLAC-Setup.exe 27352c5e2e0505c4a1bd198ed094915f PWS .NET framework RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check
3.0 | | 30 | ZeroCERT

9670 | 2021-07-04 11:05
cred.dll 41b6d9d1610bfd9497db3091dfc84b88 PWS Loki[b] Loki[m] PE File DLL PE32 FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software
1 | http://185.215.113.55//t5BnOoke2/index.php
1 |
1 | ET DROP Spamhaus DROP Listed Traffic Inbound group 26
5.8 | | 54 | ZeroCERT

9671 | 2021-07-04 11:06
paypall.exe 66b4e1480891e217a8d38d63db386ca4 NPKI Malicious Library UPX DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Proces Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check SectopRAT Windows ComputerName DNS
2 | WgGnnhrntxyQKwJWVBICcYJsRl.WgGnnhrntxyQKwJWVBICcYJsRl() 185.173.39.166
1 | ET MALWARE Win32/1xxbot CnC Checkin
13.6 | | 22 | ZeroCERT

9672 | 2021-07-04 11:08
build.exe f41fd95f121782d8d2f4689ef056d293 Malicious Library DGA DNS Socket Http API Internet API ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Dridex VirusTotal Malware Microsoft AutoRuns PDB Code Injection Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs suspicious TLD Tofsee Windows ComputerName Remote Code Execution DNS crashed
2 | http://dgos.top/dl/build2.exe http://astdg.top/nddddhsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
6 | astdg.top(179.38.56.56) dgos.top(8.209.113.181) api.2ip.ua(77.123.139.190) 179.38.56.56 8.209.113.181 77.123.139.190
10 | ET POLICY External IP Address Lookup DNS Query SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET DNS Query to a *.top domain - Likely Hostile ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET INFO HTTP Request to a *.top domain ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Possible EXE Download From Suspicious TLD
12.4 | | 26 | ZeroCERT

9673 | 2021-07-04 11:10
msiexec.exe c67b1ffb63818072eb4cc935b3f51ed5 Cryptocurrency_miner RAT Generic Malware Antivirus PE File .NET EXE PE32 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Auto service Check virtual network interfaces suspicious process sandbox evasion Windows Browser DNS
3 | http://45.144.225.135/csrss.exe - rule_id: 1141 http://45.144.225.135/config.txt - rule_id: 641 http://45.144.225.135/notepad.exe - rule_id: 1142
3 | xmr-us-east1.nanopool.org(144.217.14.109) - mailcious 142.44.243.6 45.144.225.135 - malware
7 | ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious csrss.exe in URI ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Cryptocurrency Miner Checkin
3 | http://45.144.225.135/csrss.exe http://45.144.225.135/config.txt http://45.144.225.135/notepad.exe
8.2 | M | 21 | ZeroCERT

9674 | 2021-07-04 11:12
build2.exe c89fda6449e697936fe56fc265f82731 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed
1 |
3.8 | M | 49 | ZeroCERT

9675 | 2021-07-04 11:14
app.exe b83641ae5dfeb4aec3517a5770c9bce5 PE File PE32 PDB unpack itself Remote Code Execution DNS
2.2 | M | | ZeroCERT