| 10156 |
2021-07-16 18:14
|
 vbc.exe 90fb352389fdc0d6c18802eb806ef91a
Loki PWS Loki[b] Loki[m] Malicious Library DNS AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://adminserver.xyz/Bn4/fre.php - rule_id: 2716
|
2
adminserver.xyz(104.21.80.157) - mailcious
104.21.80.157
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://adminserver.xyz/Bn4/fre.php
|
11.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10157 |
2021-07-16 18:15
|
 .svchost.exe 72fe87cb4fd41cf172a9caecbdc6887f
Generic Malware UPX Malicious Packer PE File PE32 VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
1.6 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10158 |
2021-07-16 18:17
|
 .wininit.exe 3c8e2a9bf62c852038be35360b5e491e
RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed |
8
http://www.nutrasweetlnatural.com/7bun/
http://www.greatestmomentsin.com/7bun/?nRYDC0P=0laNTudaqqT+5+FwSLEkhSrJ1HyCXapOF5l7Jx5bAAK3nwV89rSGaiGxhKjIJyHd0Bor7O2Q&D8Oph=AR5xWBD0kB-8sxap
http://www.contex33.xyz/7bun/?nRYDC0P=vm15/YKwQBjn5KwvqhcuPTXD8ovCUGiOlyhUhNgwE4MayV+CDRFeG92s+Sdv0nhI7bQxDfWW&D8Oph=AR5xWBD0kB-8sxap
http://www.contex33.xyz/7bun/
http://www.nutrasweetlnatural.com/7bun/?nRYDC0P=Yw7yj5TLZ/voFdaxn1VArozRX4rskTfHOWgy6SMO1E9WHRPJ1ZfqFuNRyId9Z5T3RIVwFhaV&D8Oph=AR5xWBD0kB-8sxap
http://www.newenglandingenuity.com/7bun/?nRYDC0P=/HcguLuAtTmZaKKFtIIXIAmAx55yt5h2UljwW/uno2PiRSYG+6OCEcPfh5LBeSKtYc7fbRGW&D8Oph=AR5xWBD0kB-8sxap
http://www.newenglandingenuity.com/7bun/
http://www.greatestmomentsin.com/7bun/
|
11
www.hm-refnd.com()
www.greatestmomentsin.com(94.136.40.51)
www.notsmedia.info()
www.contex33.xyz(162.0.223.226)
www.jobjiihnb.club()
www.newenglandingenuity.com(34.102.136.180)
www.nutrasweetlnatural.com(52.58.78.16)
52.58.78.16 - mailcious
162.0.223.226
34.102.136.180 - mailcious
94.136.40.51 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
9.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10159 |
2021-07-16 18:18
|
 app.exe 3bf4787dfdfd09d16433a12f0d9cf83f
UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10160 |
2021-07-16 18:21
|
 vbc.exe 815b463709afb4f88615449674fc2f74
PWS Loki[b] Loki[m] Malicious Library DNS AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files AppData folder malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://ibmcloud.tk/BN1/fre.php
|
2
ibmcloud.tk(104.21.42.7)
104.21.42.7
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to a *.tk domain
ET DNS Query to a .tk domain - Likely Hostile
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Fake 404 Response
|
|
11.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10161 |
2021-07-17 11:01
|
 eft.js d9179cb5ade5cf82d886234afe1aaec8
AgentTesla browser info stealer Google Chrome User Data Antivirus Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Downloader AntiDebug AntiVM Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows Java ComputerName DNS Cryptographic key keylogger |
1
http://192.227.158.111/jon.jpg
|
5
google.com(172.217.175.46)
twistednerd.dvrlists.com(213.152.187.215) - mailcious
213.152.187.215
142.250.204.46
192.227.158.111 - malware
|
2
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
|
|
17.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10162 |
2021-07-17 11:01
|
 Rkfptszekvzzkfszsixzgcxwmkzusp... f976eb9842d206b69aa1da8a50ef51cd
PWS Loki[b] Loki[m] Admin Tool (Sysinternals etc ...) UPX DNS AntiDebug AntiVM PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files RWX flags setting unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Software |
2
http://bnbrokenhead.tk/prof4/fre.php
https://cdn.discordapp.com/attachments/796082188809404421/865501487831711754/Cvrqdpngyxjevfidpnjmsaixgcluvpm
|
4
bnbrokenhead.tk(104.21.74.182)
cdn.discordapp.com(162.159.130.233) - malware
172.67.161.55
162.159.133.233 - malware
|
10
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a .tk domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to a *.tk domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
14.0 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10163 |
2021-07-17 11:02
|
 rollerkind2.exe 28927b939bac2f1c6b0aac8c08ab740a
UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10164 |
2021-07-17 11:03
|
 old-2.exe 1c0bd992f70d9c9a195c20ec2df4cf75
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed |
8
http://www.hk6628.com/wufn/?LXxP=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&tTrt=ndfHUnBht
http://www.theroseofsharonsalon.com/wufn/?LXxP=OadTn2uJtzT8oubefSjMAoLtzsAZKEPGGNEB1Q92m5bHHV2MxPvD7WU/WfzEYQpZzBC6ZQgQ&tTrt=ndfHUnBht
http://www.cuadorcoast.com/wufn/?LXxP=kYzY+WOATOJvl0LGKoTI9L4ky9M8/RXPaPgWsg9EorAZ9N2DAW9xe5TyjlQCxAJLBvRqjfNR&tTrt=ndfHUnBht
http://www.craftbychristians.com/wufn/?LXxP=rclXbN+KSBSlJsrhYTkKU4x5e2l7eFQRzjtsLZ0wIslBHruFqS+r6dHnex4dI2ICZk3527X7&tTrt=ndfHUnBht
http://www.mimortgageexpert.com/wufn/?LXxP=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&tTrt=ndfHUnBht
http://www.iqpt.info/wufn/?LXxP=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&tTrt=ndfHUnBht
http://www.martabaroagency.com/wufn/?LXxP=r0PGHSY2SUcZB8VeRTqckmU+v7wbtMF1fJATAoKMkp5jXhuYZ6C7mu0EbtSkXg+d4UfDPRR1&tTrt=ndfHUnBht
http://www.gaigoilaocai.com/wufn/?LXxP=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&tTrt=ndfHUnBht
|
16
www.martabaroagency.com(185.14.56.84)
www.theroseofsharonsalon.com(198.49.23.144)
www.mimortgageexpert.com(35.172.94.1)
www.cuadorcoast.com(156.231.25.88)
www.iqpt.info(67.199.248.13)
www.gaigoilaocai.com(172.67.187.204)
www.hk6628.com(34.102.136.180)
www.rizqebooks.com()
www.craftbychristians.com(34.102.136.180)
156.231.25.88
198.49.23.145 - mailcious
34.102.136.180 - mailcious
185.14.56.84 - mailcious
35.172.94.1 - phishing
67.199.248.12 - mailcious
172.67.187.204
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10165 |
2021-07-17 11:05
|
 dllhost.exe c93bd6dd85c48cd49dc182d2613a150c
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10166 |
2021-07-17 11:05
|
 lv.exe e812e01d1bac0e579d9758e61383efd8
NPKI Gen1 Gen2 UPX Malicious Library Malicious Packer PE File PE32 DLL OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows |
|
1
UTTHxeXMrRzwq.UTTHxeXMrRzwq()
|
|
|
6.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10167 |
2021-07-17 11:08
|
 d.exe 3437bbb0a6be653c667b3091671af69a
RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed |
1
|
3
www.google.com(172.217.26.36)
13.107.21.200
172.217.163.228
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10168 |
2021-07-17 11:08
|
 dhs.exe 3e400b3ef10d9805b1fb22cee2d474c2
PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
14
http://www.leonardocarrillo.com/p2io/ - rule_id: 1541
http://www.procircleacademy.com/p2io/?xVJtB4hp=tgVoMP8jv8oJh0LH0MPWwDnGYGbnfEGTJ+yRL/Ijcc1+MHyU0MyQxKIFLUwq3WzUPcz2/uvN&1bw=L6Adp6nXjbjt2B4P
http://www.69-1hn7uc.net/p2io/ - rule_id: 1695
http://www.centergolosinas.com/p2io/?xVJtB4hp=r2GsjHfE9bHmJvLFmfqM84hqAY3LnZYXU2evLvxsfUtrrcQFCKudTC+PxzRKMZm48G9NrLWy&1bw=L6Adp6nXjbjt2B4P
http://www.fuhaitongxin.com/p2io/?xVJtB4hp=CqJktM7UGR26O9R1i2rMnV6ue2YAEq5Rd3PPV6e4Hl6CDdUsDohA0iBr0JiOXGWnot9DaOMs&1bw=L6Adp6nXjbjt2B4P
http://www.centergolosinas.com/p2io/
http://www.procircleacademy.com/p2io/
http://www.fuhaitongxin.com/p2io/
http://www.bigplatesmallwallet.com/p2io/?xVJtB4hp=O674xtRxkGNoF6c3kGCKbVIXJyLg/Uv1kE5kvfYRu46mJjBrOhkzeBS5wyL3I0uQtRm1X0si&1bw=L6Adp6nXjbjt2B4P - rule_id: 1563
http://www.bigplatesmallwallet.com/p2io/ - rule_id: 1563
http://www.xzklrhy.com/p2io/ - rule_id: 1696
http://www.xzklrhy.com/p2io/?xVJtB4hp=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&1bw=L6Adp6nXjbjt2B4P - rule_id: 1696
http://www.leonardocarrillo.com/p2io/?xVJtB4hp=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&1bw=L6Adp6nXjbjt2B4P - rule_id: 1541
http://www.69-1hn7uc.net/p2io/?xVJtB4hp=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&1bw=L6Adp6nXjbjt2B4P - rule_id: 1695
|
14
www.leonardocarrillo.com(172.107.55.6) - mailcious
www.bigplatesmallwallet.com(66.235.200.147)
www.procircleacademy.com(104.16.14.194)
www.69-1hn7uc.net(163.43.122.100)
www.fuhaitongxin.com(156.237.130.173)
www.xzklrhy.com(156.255.140.216)
www.centergolosinas.com(192.169.223.13)
172.107.55.6
163.43.122.100
66.235.200.147 - phishing
156.255.140.216 - mailcious
104.16.12.194
192.169.223.13 - mailcious
156.237.130.173
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
8
http://www.leonardocarrillo.com/p2io/
http://www.69-1hn7uc.net/p2io/
http://www.bigplatesmallwallet.com/p2io/
http://www.bigplatesmallwallet.com/p2io/
http://www.xzklrhy.com/p2io/
http://www.xzklrhy.com/p2io/
http://www.leonardocarrillo.com/p2io/
http://www.69-1hn7uc.net/p2io/
|
8.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10169 |
2021-07-17 11:10
|
 e68e7b5d9ccf157181e6e798b3b10e... a93beabc7854b9ba828eb77edbd2b613
Gen2 Gen1 Generic Malware UPX PE File OS Processor Check PE32 DLL VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder sandbox evasion IP Check ComputerName |
3
http://ol.gamegame.info/report7.4.php - rule_id: 1518
http://ip-api.com/json/?fields=8198
http://by.dirfgame.com/report7.4.php
|
8
ip-api.com(208.95.112.1)
ol.gamegame.info(104.21.21.221) - mailcious
by.dirfgame.com(104.21.78.28)
google.vrthcobj.com(34.97.69.225) - mailcious
34.97.69.225 - mailcious
208.95.112.1
172.67.200.215
172.67.215.92
|
1
ET POLICY External IP Lookup ip-api.com
|
1
http://ol.gamegame.info/report7.4.php
|
7.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10170 |
2021-07-17 11:12
|
 cluton.exe 173cc49904c607c514e2f4a2054aaca0
PWS Loki[b] Loki[m] Malicious Library DNS AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software |
1
http://bauxx.xyz/mtk1/w2/fre.php
|
2
bauxx.xyz(104.21.23.10)
172.67.208.68
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
11.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|