| 9661 |
2021-07-03 10:15
|
 .wininit.exe f8f5b3bad883e0b62fed5af138449db6
PWS Loki[b] Loki[m] .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
2
http://detectportal.firefox.com/success.txt?ipv4
http://manvim.co/fd3/fre.php
|
6
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
manvim.co(165.227.225.62) - mailcious
mozilla.org(44.236.48.31)
detectportal.firefox.com(34.107.221.82)
165.227.225.62 - mailcious
34.107.221.82
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
14.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9662 |
2021-07-03 10:15
|
 Explorer.exe f52a7f9c3814cc82a7ca86db6f2c8934
Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
10.2 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9663 |
2021-07-03 10:19
|
 1820789375.exe 0f4dd44174516703ee52802eec6f49fc
NPKI Gen1 Gen2 Generic Malware Anti_VM UPX PE File PE32 PNG Format DLL OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Tofsee Browser ComputerName DNS |
4
http://iplogger.org/1ZnPa7
https://iplogger.org/1ZnPa7
https://bitbucket.org/veronk3/host1/downloads/GPU.zip
https://bitbucket.org/veronk3/host1/downloads/CPU.zip
|
4
bitbucket.org(104.192.141.1) - malware
iplogger.org(88.99.66.31) - mailcious
88.99.66.31 - mailcious
104.192.141.1 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
7.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9664 |
2021-07-03 18:24
|
 10d.html b26ecf73579c8a01d1024920d21bfdf2
Antivirus AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9665 |
2021-07-03 18:27
|
 cred.dll 83ac47cec47d494f4fe62878f545f1a7
PWS Loki[b] Loki[m] PE File DLL PE32 FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software |
1
http://185.215.113.79//g5FcvUgw/index.php
|
1
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 26
|
|
5.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9666 |
2021-07-03 18:29
|
 preloader.exe 9ef7986267bda788fec22557df41e6f1
PE File OS Processor Check PE32 Malware download VirusTotal Malware MachineGuid Malicious Traffic Creates executable files unpack itself AppData folder Tofsee Trojan Downloader |
1
|
6
fikerty.info(104.21.76.249) - malware
fackerty.info(104.21.89.3) - malware
touchook.info(172.67.145.198)
172.67.155.53
172.67.145.198 - mailcious
172.67.202.130
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
4.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9667 |
2021-07-03 18:33
|
 longearthgrinch.png 3adbcd5aca263146322d0a21e54a1c47
Emotet PE File DLL PE32 Dridex TrickBot Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
5
https://185.56.76.108/cookiechecker?uri=/rob102/TEST22-PC_W617601.33715B34B330B01BAE9FB711D913F2BB/5/file/ - rule_id: 2485
https://80.15.2.105/rob102/TEST22-PC_W617601.33715B34B330B01BAE9FB711D913F2BB/5/file/
https://185.56.76.108/login.cgi?uri=/index.html
https://185.56.76.108/index.html - rule_id: 2487
https://185.56.76.28/login.cgi?uri=/rob102/TEST22-PC_W617601.33715B34B330B01BAE9FB711D913F2BB/5/file/
|
12
185.56.76.28
38.110.103.113
60.51.47.65
154.58.23.192 - mailcious
204.138.26.60
45.36.99.184
68.69.26.182
38.110.103.124
185.56.76.108 - mailcious
80.15.2.105
38.110.100.104
24.162.214.166
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
2
https://185.56.76.108/cookiechecker
https://185.56.76.108/index.html
|
7.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9668 |
2021-07-04 11:03
|
 windef.exe a1e165e1926c0c83123c89fce6b1af56
Antivirus PE File PE32 Malware download VirusTotal Malware IoC powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
1
http://diamond.serivice.com/panel/gate.php?ct=1 - rule_id: 2398
|
2
diamond.serivice.com(195.133.40.146) - mailcious
195.133.40.146 - mailcious
|
2
ET MALWARE Generic gate[.].php GET with minimal headers
ET HUNTING Suspicious GET To gate.php with no Referer
|
1
http://diamond.serivice.com/panel/gate.php
|
7.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9669 |
2021-07-04 11:04
|
 SLAC-Setup.exe 27352c5e2e0505c4a1bd198ed094915f
PWS .NET framework RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check |
|
|
|
|
3.0 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9670 |
2021-07-04 11:05
|
 cred.dll 41b6d9d1610bfd9497db3091dfc84b88
PWS Loki[b] Loki[m] PE File DLL PE32 FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email DNS Software |
1
http://185.215.113.55//t5BnOoke2/index.php
|
1
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 26
|
|
5.8 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9671 |
2021-07-04 11:06
|
 paypall.exe 66b4e1480891e217a8d38d63db386ca4
NPKI Malicious Library UPX DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PE File PE32 OS Proces Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check SectopRAT Windows ComputerName DNS |
|
2
WgGnnhrntxyQKwJWVBICcYJsRl.WgGnnhrntxyQKwJWVBICcYJsRl()
185.173.39.166
|
1
ET MALWARE Win32/1xxbot CnC Checkin
|
|
13.6 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9672 |
2021-07-04 11:08
|
 build.exe f41fd95f121782d8d2f4689ef056d293
Malicious Library DGA DNS Socket Http API Internet API ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Dridex VirusTotal Malware Microsoft AutoRuns PDB Code Injection Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs suspicious TLD Tofsee Windows ComputerName Remote Code Execution DNS crashed |
2
http://dgos.top/dl/build2.exe
http://astdg.top/nddddhsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
|
6
astdg.top(179.38.56.56)
dgos.top(8.209.113.181)
api.2ip.ua(77.123.139.190)
179.38.56.56
8.209.113.181
77.123.139.190
|
10
ET POLICY External IP Address Lookup DNS Query
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET DNS Query to a *.top domain - Likely Hostile
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET INFO HTTP Request to a *.top domain
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
|
|
12.4 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9673 |
2021-07-04 11:10
|
 msiexec.exe c67b1ffb63818072eb4cc935b3f51ed5
Cryptocurrency_miner RAT Generic Malware Antivirus PE File .NET EXE PE32 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Auto service Check virtual network interfaces suspicious process sandbox evasion Windows Browser DNS |
3
http://45.144.225.135/csrss.exe - rule_id: 1141
http://45.144.225.135/config.txt - rule_id: 641
http://45.144.225.135/notepad.exe - rule_id: 1142
|
3
xmr-us-east1.nanopool.org(144.217.14.109) - mailcious
142.44.243.6
45.144.225.135 - malware
|
7
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious csrss.exe in URI
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Cryptocurrency Miner Checkin
|
3
http://45.144.225.135/csrss.exe
http://45.144.225.135/config.txt
http://45.144.225.135/notepad.exe
|
8.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9674 |
2021-07-04 11:12
|
 build2.exe c89fda6449e697936fe56fc265f82731
Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution DNS crashed |
|
1
|
|
|
3.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9675 |
2021-07-04 11:14
|
 app.exe b83641ae5dfeb4aec3517a5770c9bce5
PE File PE32 PDB unpack itself Remote Code Execution DNS |
|
|
|
|
2.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|