10156 | 2021-07-16 18:14
vbc.exe | MD5 90fb352389fdc0d6c18802eb806ef91a
Tags: Loki PWS Loki[b] Loki[m] Malicious Library DNS AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1): http://adminserver.xyz/Bn4/fre.php - rule_id: 2716
Hosts (2): adminserver.xyz(104.21.80.157) - malicious; 104.21.80.157
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1): http://adminserver.xyz/Bn4/fre.php
11.2 | M | 25 | ZeroCERT

10157 | 2021-07-16 18:15
.svchost.exe | MD5 72fe87cb4fd41cf172a9caecbdc6887f
Tags: Generic Malware UPX Malicious Packer PE File PE32 VirusTotal Malware RWX flags setting unpack itself
1.6 | | 24 | ZeroCERT

10158 | 2021-07-16 18:17
.wininit.exe | MD5 3c8e2a9bf62c852038be35360b5e491e
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed
URLs (8): http://www.nutrasweetlnatural.com/7bun/; http://www.greatestmomentsin.com/7bun/?nRYDC0P=0laNTudaqqT+5+FwSLEkhSrJ1HyCXapOF5l7Jx5bAAK3nwV89rSGaiGxhKjIJyHd0Bor7O2Q&D8Oph=AR5xWBD0kB-8sxap; http://www.contex33.xyz/7bun/?nRYDC0P=vm15/YKwQBjn5KwvqhcuPTXD8ovCUGiOlyhUhNgwE4MayV+CDRFeG92s+Sdv0nhI7bQxDfWW&D8Oph=AR5xWBD0kB-8sxap; http://www.contex33.xyz/7bun/; http://www.nutrasweetlnatural.com/7bun/?nRYDC0P=Yw7yj5TLZ/voFdaxn1VArozRX4rskTfHOWgy6SMO1E9WHRPJ1ZfqFuNRyId9Z5T3RIVwFhaV&D8Oph=AR5xWBD0kB-8sxap; http://www.newenglandingenuity.com/7bun/?nRYDC0P=/HcguLuAtTmZaKKFtIIXIAmAx55yt5h2UljwW/uno2PiRSYG+6OCEcPfh5LBeSKtYc7fbRGW&D8Oph=AR5xWBD0kB-8sxap; http://www.newenglandingenuity.com/7bun/; http://www.greatestmomentsin.com/7bun/
Hosts (11): www.hm-refnd.com(); www.greatestmomentsin.com(94.136.40.51); www.notsmedia.info(); www.contex33.xyz(162.0.223.226); www.jobjiihnb.club(); www.newenglandingenuity.com(34.102.136.180); www.nutrasweetlnatural.com(52.58.78.16); 52.58.78.16 - malicious; 162.0.223.226; 34.102.136.180 - malicious; 94.136.40.51 - malicious
IDS alerts (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
9.0 | M | 37 | ZeroCERT

10159 | 2021-07-16 18:18
app.exe | MD5 3bf4787dfdfd09d16433a12f0d9cf83f
Tags: UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 29 | ZeroCERT

10160 | 2021-07-16 18:21
vbc.exe | MD5 815b463709afb4f88615449674fc2f74
Tags: PWS Loki[b] Loki[m] Malicious Library DNS AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files AppData folder malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://ibmcloud.tk/BN1/fre.php
Hosts (2): ibmcloud.tk(104.21.42.7); 104.21.42.7
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET POLICY HTTP Request to a *.tk domain; ET DNS Query to a .tk domain - Likely Hostile; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response
11.0 | M | 32 | ZeroCERT

10161 | 2021-07-17 11:01
eft.js | MD5 d9179cb5ade5cf82d886234afe1aaec8
Tags: AgentTesla browser info stealer Google Chrome User Data Antivirus Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection Downloader AntiDebug AntiVM Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows Java ComputerName DNS Cryptographic key keylogger
URLs (1): http://192.227.158.111/jon.jpg
Hosts (5): google.com(172.217.175.46); twistednerd.dvrlists.com(213.152.187.215) - malicious; 213.152.187.215; 142.250.204.46; 192.227.158.111 - malware
IDS alerts (2): ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding; ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
17.2 | | | ZeroCERT

10162 | 2021-07-17 11:01
Rkfptszekvzzkfszsixzgcxwmkzusp... | MD5 f976eb9842d206b69aa1da8a50ef51cd
Tags: PWS Loki[b] Loki[m] Admin Tool (Sysinternals etc ...) UPX DNS AntiDebug AntiVM PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files RWX flags setting unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Software
URLs (2): http://bnbrokenhead.tk/prof4/fre.php; https://cdn.discordapp.com/attachments/796082188809404421/865501487831711754/Cvrqdpngyxjevfidpnjmsaixgcluvpm
Hosts (4): bnbrokenhead.tk(104.21.74.182); cdn.discordapp.com(162.159.130.233) - malware; 172.67.161.55; 162.159.133.233 - malware
IDS alerts (10): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET DNS Query to a .tk domain - Likely Hostile; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET POLICY HTTP Request to a *.tk domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
14.0 | M | 39 | ZeroCERT

10163 | 2021-07-17 11:02
rollerkind2.exe | MD5 28927b939bac2f1c6b0aac8c08ab740a
Tags: UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 23 | ZeroCERT

10164 | 2021-07-17 11:03
old-2.exe | MD5 1c0bd992f70d9c9a195c20ec2df4cf75
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed
URLs (8): http://www.hk6628.com/wufn/?LXxP=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&tTrt=ndfHUnBht; http://www.theroseofsharonsalon.com/wufn/?LXxP=OadTn2uJtzT8oubefSjMAoLtzsAZKEPGGNEB1Q92m5bHHV2MxPvD7WU/WfzEYQpZzBC6ZQgQ&tTrt=ndfHUnBht; http://www.cuadorcoast.com/wufn/?LXxP=kYzY+WOATOJvl0LGKoTI9L4ky9M8/RXPaPgWsg9EorAZ9N2DAW9xe5TyjlQCxAJLBvRqjfNR&tTrt=ndfHUnBht; http://www.craftbychristians.com/wufn/?LXxP=rclXbN+KSBSlJsrhYTkKU4x5e2l7eFQRzjtsLZ0wIslBHruFqS+r6dHnex4dI2ICZk3527X7&tTrt=ndfHUnBht; http://www.mimortgageexpert.com/wufn/?LXxP=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&tTrt=ndfHUnBht; http://www.iqpt.info/wufn/?LXxP=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&tTrt=ndfHUnBht; http://www.martabaroagency.com/wufn/?LXxP=r0PGHSY2SUcZB8VeRTqckmU+v7wbtMF1fJATAoKMkp5jXhuYZ6C7mu0EbtSkXg+d4UfDPRR1&tTrt=ndfHUnBht; http://www.gaigoilaocai.com/wufn/?LXxP=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&tTrt=ndfHUnBht
Hosts (16): www.martabaroagency.com(185.14.56.84); www.theroseofsharonsalon.com(198.49.23.144); www.mimortgageexpert.com(35.172.94.1); www.cuadorcoast.com(156.231.25.88); www.iqpt.info(67.199.248.13); www.gaigoilaocai.com(172.67.187.204); www.hk6628.com(34.102.136.180); www.rizqebooks.com(); www.craftbychristians.com(34.102.136.180); 156.231.25.88; 198.49.23.145 - malicious; 34.102.136.180 - malicious; 185.14.56.84 - malicious; 35.172.94.1 - phishing; 67.199.248.12 - malicious; 172.67.187.204
IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
9.0 | M | 20 | ZeroCERT

10165 | 2021-07-17 11:05
dllhost.exe | MD5 c93bd6dd85c48cd49dc182d2613a150c
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
1.6 | M | 28 | ZeroCERT

10166 | 2021-07-17 11:05
lv.exe | MD5 e812e01d1bac0e579d9758e61383efd8
Tags: NPKI Gen1 Gen2 UPX Malicious Library Malicious Packer PE File PE32 DLL OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows
Hosts (1): UTTHxeXMrRzwq.UTTHxeXMrRzwq()
6.2 | M | 30 | ZeroCERT

10167 | 2021-07-17 11:08
d.exe | MD5 3437bbb0a6be653c667b3091671af69a
Tags: RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed
URLs (1): (not listed)
Hosts (3): www.google.com(172.217.26.36); 13.107.21.200; 172.217.163.228
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.0 | M | 31 | ZeroCERT

10168 | 2021-07-17 11:08
dhs.exe | MD5 3e400b3ef10d9805b1fb22cee2d474c2
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (14): http://www.leonardocarrillo.com/p2io/ - rule_id: 1541; http://www.procircleacademy.com/p2io/?xVJtB4hp=tgVoMP8jv8oJh0LH0MPWwDnGYGbnfEGTJ+yRL/Ijcc1+MHyU0MyQxKIFLUwq3WzUPcz2/uvN&1bw=L6Adp6nXjbjt2B4P; http://www.69-1hn7uc.net/p2io/ - rule_id: 1695; http://www.centergolosinas.com/p2io/?xVJtB4hp=r2GsjHfE9bHmJvLFmfqM84hqAY3LnZYXU2evLvxsfUtrrcQFCKudTC+PxzRKMZm48G9NrLWy&1bw=L6Adp6nXjbjt2B4P; http://www.fuhaitongxin.com/p2io/?xVJtB4hp=CqJktM7UGR26O9R1i2rMnV6ue2YAEq5Rd3PPV6e4Hl6CDdUsDohA0iBr0JiOXGWnot9DaOMs&1bw=L6Adp6nXjbjt2B4P; http://www.centergolosinas.com/p2io/; http://www.procircleacademy.com/p2io/; http://www.fuhaitongxin.com/p2io/; http://www.bigplatesmallwallet.com/p2io/?xVJtB4hp=O674xtRxkGNoF6c3kGCKbVIXJyLg/Uv1kE5kvfYRu46mJjBrOhkzeBS5wyL3I0uQtRm1X0si&1bw=L6Adp6nXjbjt2B4P - rule_id: 1563; http://www.bigplatesmallwallet.com/p2io/ - rule_id: 1563; http://www.xzklrhy.com/p2io/ - rule_id: 1696; http://www.xzklrhy.com/p2io/?xVJtB4hp=70ecI/ncpkHOSi0flTewaEcUZYi2Zuic/rep+FdHbBVzX/KX7wn20wp4g3+obFTQrlclm+RQ&1bw=L6Adp6nXjbjt2B4P - rule_id: 1696; http://www.leonardocarrillo.com/p2io/?xVJtB4hp=Z8FkwwkotLBkQtrDqM/eMJCTIQtJD+6S4GTF4HzAZ8KQRsKSHf3+L+a292aesc2eaUyoVCup&1bw=L6Adp6nXjbjt2B4P - rule_id: 1541; http://www.69-1hn7uc.net/p2io/?xVJtB4hp=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&1bw=L6Adp6nXjbjt2B4P - rule_id: 1695
Hosts (14): www.leonardocarrillo.com(172.107.55.6) - malicious; www.bigplatesmallwallet.com(66.235.200.147); www.procircleacademy.com(104.16.14.194); www.69-1hn7uc.net(163.43.122.100); www.fuhaitongxin.com(156.237.130.173); www.xzklrhy.com(156.255.140.216); www.centergolosinas.com(192.169.223.13); 172.107.55.6; 163.43.122.100; 66.235.200.147 - phishing; 156.255.140.216 - malicious; 104.16.12.194; 192.169.223.13 - malicious; 156.237.130.173
IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (8): http://www.leonardocarrillo.com/p2io/; http://www.69-1hn7uc.net/p2io/; http://www.bigplatesmallwallet.com/p2io/; http://www.bigplatesmallwallet.com/p2io/; http://www.xzklrhy.com/p2io/; http://www.xzklrhy.com/p2io/; http://www.leonardocarrillo.com/p2io/; http://www.69-1hn7uc.net/p2io/
8.2 | M | 24 | ZeroCERT

10169 | 2021-07-17 11:10
e68e7b5d9ccf157181e6e798b3b10e... | MD5 a93beabc7854b9ba828eb77edbd2b613
Tags: Gen2 Gen1 Generic Malware UPX PE File OS Processor Check PE32 DLL VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder sandbox evasion IP Check ComputerName
URLs (3): http://ol.gamegame.info/report7.4.php - rule_id: 1518; http://ip-api.com/json/?fields=8198; http://by.dirfgame.com/report7.4.php
Hosts (8): ip-api.com(208.95.112.1); ol.gamegame.info(104.21.21.221) - malicious; by.dirfgame.com(104.21.78.28); google.vrthcobj.com(34.97.69.225) - malicious; 34.97.69.225 - malicious; 208.95.112.1; 172.67.200.215; 172.67.215.92
IDS alerts (1): ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (1): http://ol.gamegame.info/report7.4.php
7.6 | M | 49 | ZeroCERT

10170 | 2021-07-17 11:12
cluton.exe | MD5 173cc49904c607c514e2f4a2054aaca0
Tags: PWS Loki[b] Loki[m] Malicious Library DNS AntiDebug AntiVM PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1): http://bauxx.xyz/mtk1/w2/fre.php
Hosts (2): bauxx.xyz(104.21.23.10); 172.67.208.68
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
11.6 | M | 43 | ZeroCERT

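Two network patterns recur across the entries above. The FormBook samples (10158, 10164, 10168) each contact a list of unrelated domains using one fixed path and the same two query parameter names, with only the host and the encoded values changing, which is how FormBook rotates through decoy domains around its real C2. The LokiBot samples (10156, 10160, 10162, 10170) all report to a URL ending in /fre.php. Both are easier to pull out of proxy or sandbox logs by URL shape than by domain, since the domains change per campaign. The script below is an added example written by the editor; it is not ZeroCERT tooling and not the sandbox's own signatures. Its input is a single feed URL cell built from URLs copied from entries 10156, 10160, 10164 and 10170 (constructed input, same space-separated layout with optional " - rule_id: N" suffix as the feed). The shape key, the min_domains threshold and the fre.php check are the editor's heuristics.

```python
"""Group sandbox-observed C2 URLs by shape to spot FormBook-style decoy
rotation and LokiBot panel gates.

Added example by the editor, not ZeroCERT tooling and not the sandbox's own
signatures. The URLs in SAMPLE_URL_CELL are copied from feed entries 10156,
10160, 10164 and 10170; the cell layout mirrors the feed. The shape heuristic,
the min_domains threshold and the fre.php rule are the editor's assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: one feed URL cell, URLs separated by spaces, with the
# optional " - rule_id: N" suffix the feed appends to rule-matched URLs.
SAMPLE_URL_CELL = (
    "http://adminserver.xyz/Bn4/fre.php - rule_id: 2716 "
    "http://ibmcloud.tk/BN1/fre.php "
    "http://bauxx.xyz/mtk1/w2/fre.php "
    "http://www.hk6628.com/wufn/?LXxP=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&tTrt=ndfHUnBht "
    "http://www.theroseofsharonsalon.com/wufn/?LXxP=OadTn2uJtzT8oubefSjMAoLtzsAZKEPGGNEB1Q92m5bHHV2MxPvD7WU/WfzEYQpZzBC6ZQgQ&tTrt=ndfHUnBht "
    "http://www.cuadorcoast.com/wufn/?LXxP=kYzY+WOATOJvl0LGKoTI9L4ky9M8/RXPaPgWsg9EorAZ9N2DAW9xe5TyjlQCxAJLBvRqjfNR&tTrt=ndfHUnBht "
    "http://www.craftbychristians.com/wufn/?LXxP=rclXbN+KSBSlJsrhYTkKU4x5e2l7eFQRzjtsLZ0wIslBHruFqS+r6dHnex4dI2ICZk3527X7&tTrt=ndfHUnBht"
)


def parse_url_cell(cell):
    """Split one feed URL cell into (url, rule_id or None) pairs.

    Tokens are whitespace-separated; a URL may be followed by the three
    tokens "-", "rule_id:", "<number>", which we attach to it.
    """
    records = []
    tokens = cell.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("http://", "https://")):
            rule_id = None
            if tokens[i + 1:i + 3] == ["-", "rule_id:"] and i + 3 < len(tokens):
                rule_id = int(tokens[i + 3])
                i += 3
            records.append((tok, rule_id))
        i += 1
    return records


def url_shape(url):
    """Key a URL by path plus sorted query parameter names, ignoring host and values.

    FormBook check-ins keep the path and parameter names constant while the host
    rotates through decoy domains and the values carry encoded data, so this key
    collapses one campaign's URLs onto a single shape.
    """
    parts = urlsplit(url)
    keys = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return parts.path, keys


def cluster_by_shape(urls, min_domains=3):
    """Return {shape: sorted hosts} for shapes seen on at least min_domains hosts."""
    hosts = defaultdict(set)
    for url in urls:
        hosts[url_shape(url)].add(urlsplit(url).netloc)
    return {shape: sorted(h) for shape, h in hosts.items() if len(h) >= min_domains}


def lokibot_gates(urls):
    """URLs whose path ends in /fre.php, the gate file name LokiBot panels use."""
    return [u for u in urls if urlsplit(u).path.endswith("/fre.php")]


def summarize(cell, min_domains=3):
    """Parse a feed URL cell and report rule hits, rotating shapes and Loki gates."""
    records = parse_url_cell(cell)
    urls = [u for u, _ in records]
    return {
        "rule_hits": {u: r for u, r in records if r is not None},
        "rotating_shapes": cluster_by_shape(urls, min_domains),
        "lokibot_gates": lokibot_gates(urls),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_URL_CELL))
```

On the sample the /wufn/ shape with parameters LXxP and tTrt clusters four distinct hosts, while each /fre.php URL stands alone because the directory before fre.php differs per Loki build; matching on the path suffix rather than the full path is what makes the Loki rule survive that. A threshold of three distinct hosts per shape is low enough to catch one sandbox run but should be raised when the input is a day of proxy logs, where legitimate CDNs also share paths across hosts.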