10261 | 2021-07-20 20:38
File: vbc.exe | MD5: 7d9449743fa1c1388181e9c05b9425e1
Tags: Loki PWS Loki[b] Loki[m] Malicious Library UPX DNS AntiDebug AntiVM PE32 PE File OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files AppData folder malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1):
  http://adminserver.xyz/Bn4/fre.php - rule_id: 2716
Hosts (2):
  adminserver.xyz(172.67.151.89) - malicious
  104.21.80.157
Network alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1):
  http://adminserver.xyz/Bn4/fre.php
Score: 11.0 | M | VT: 32 | ZeroCERT

10262 | 2021-07-20 20:40
File: jap.exe | MD5: 47a34d84c74352e6d5eb9466cc15fd4c
Tags: Generic Malware UPX PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself
Score: 2.2 | M | VT: 30 | ZeroCERT

10263 | 2021-07-20 20:43
File: neww.exe | MD5: 928ec247e6f6cd246851bfab7a7154fb
Tags: AntiDebug AntiVM PE32 OS Processor Check PE File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself ComputerName crashed
Score: 5.0 | M | VT: 28 | ZeroCERT

10264 | 2021-07-20 20:45
File: file.exe | MD5: 4b475a6d16ac0c8cc332710648807d1b
Tags: UPX PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself
Score: 2.4 | M | VT: 35 | ZeroCERT

10265 | 2021-07-20 20:49
File: vbc.exe | MD5: 12c0a846f4c2eec8f6c87a94cc10f305
Tags: UPX PE32 PE File FormBook Emotet Malware download VirusTotal Malware Buffer PE Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself Tofsee Remote Code Execution
URLs (17):
  http://www.brightimewatches.com/bsk9/
  http://www.mycupofteainnovations.com/bsk9/
  http://www.brightimewatches.com/bsk9/?lZB=UFQL6bspOrB8cl2&mfsl7bH=kaXVI8mGssjTav/La5mnkdXKeQWIgX/VfzBlfkVGxIFVCgMTzil3/n4Sv05bj+iGu4kpHiKs
  http://www.sadilife.com/bsk9/?mfsl7bH=e7xbgmFucb3mdAvb4fSTdlOSkKtl9DU+7Qe1LIct23kRzCNm5wrZnz/YbkM+Dr2zouZgWplA&lZB=UFQL6bspOrB8cl2
  http://www.bearbrickstore.com/bsk9/?lZB=UFQL6bspOrB8cl2&mfsl7bH=F8I0aIDGCGBq2whRgk2XMNl34uSRt0uGMjnhBei8AqXOzZlQETWPQNAMTWJDuI5RtHKplAfZ
  http://www.artstudio888.com/bsk9/
  http://www.roofingcompanyinchattanooga.com/bsk9/?lZB=UFQL6bspOrB8cl2&mfsl7bH=nLXzO5PdSIbrwmRcbaBFCArbb+KwtybsjgwImfMqe3tK/h27Y3PH5/2IC1jLatmdAQANQwkU
  http://www.artstudio888.com/bsk9/?mfsl7bH=X84Ry8had4YxQ/T2QK5DBF/b7OIVfEo6YjoPwop5Iv2YOgMXp7ZjkoZU38GrqWivtnrSaPl1&lZB=UFQL6bspOrB8cl2
  http://www.hptproof.com/bsk9/
  http://www.mycupofteainnovations.com/bsk9/?lZB=UFQL6bspOrB8cl2&mfsl7bH=Si5ZJRft9DXQG2cDg3004meRUKMojHlA9AsgkzbvAOzWsE4N89OHu/2KBDAzoyeOENkp7ks8
  http://www.66eebb.com/bsk9/?mfsl7bH=bUHdXy5wC8eyO+X16+6v1Mm+gl0juCFc0kDnmYHnf9TpzBxtxY2Y+jWJw/kfKOIqTQhzZbWz&lZB=UFQL6bspOrB8cl2
  http://www.hptproof.com/bsk9/?lZB=UFQL6bspOrB8cl2&mfsl7bH=YFdrvYIjjYlcgmxiKpqmgps4nzJ8KKG+JPLtKtmBeTHFNnSnHUZzGEwBZ5uCZPZg0GHgKcfj
  http://www.66eebb.com/bsk9/
  http://www.roofingcompanyinchattanooga.com/bsk9/
  http://www.bearbrickstore.com/bsk9/
  http://www.sadilife.com/bsk9/
  https://cdn.discordapp.com/attachments/858233811639861291/865462995328696320/Acerirmidzgnrebaxvunjfwykhuislq
Hosts (19):
  www.bearbrickstore.com(172.67.200.233)
  www.nandedzilla.com() - unresolved
  www.mycupofteainnovations.com(182.50.132.242)
  www.artstudio888.com(34.102.136.180)
  www.hptproof.com(154.204.153.147)
  www.brightimewatches.com(64.34.75.141)
  www.sadilife.com(185.224.137.66)
  www.roofingcompanyinchattanooga.com(35.231.24.51)
  cdn.discordapp.com(162.159.135.233) - malware
  www.66eebb.com(104.165.140.36)
  154.204.153.147
  35.231.24.51
  64.34.75.141
  172.67.200.233
  34.102.136.180 - malicious
  182.50.132.242 - malicious
  104.165.140.36
  162.159.135.233 - malware
  185.224.137.66
Network alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
Score: 8.8 | M | VT: 53 | ZeroCERT

10266 | 2021-07-21 07:22
File: converter.dot | MD5: 0ee305b1227290547ef61c8c1588e528
Tags: VBA_macro MSOffice File unpack itself
Score: 0.8 | ZeroCERT

10267 | 2021-07-21 08:39
File: gut.exe | MD5: af64a7df92d3f72407194dd17b013c86
Tags: UPX DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE32 PE File Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName
URLs (1):
  https://cdn.discordapp.com/attachments/857209250014167043/867060366416936981/Kxojjlwczyhqbgtipcqvfxyhsdorxpz
Hosts (2):
  cdn.discordapp.com(162.159.129.233) - malware
  162.159.135.233 - malware
Network alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.2 | VT: 15 | ZeroCERT

10268 | 2021-07-21 08:40
File: vbc.exe | MD5: c8feb9d53b567cd1bfb0e59cf7d26bc2
Tags: PE32 PE File VirusTotal Malware RWX flags setting unpack itself
Score: 2.0 | M | VT: 28 | ZeroCERT

10269 | 2021-07-21 08:41
File: redik.exe | MD5: ff361121c102c043c2c4b5c6a6b4410c
Tags: Themida Packer PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Windows Firmware DNS Cryptographic key crashed
URLs (1):
  http://194.226.139.106:43188/ - rule_id: 2242
Hosts (1):
  194.226.139.106 - malicious
Malicious URLs (1):
  http://194.226.139.106:43188/
Score: 6.8 | M | VT: 56 | ZeroCERT

10270 | 2021-07-21 08:41
File: lovemetertok.png | MD5: a7ae4c7ec052486bbaa04a21c00fe5b8
Tags: Emotet Gen1 UPX PE32 OS Processor Check DLL PE File Dridex TrickBot Malware Report suspicious privilege MachineGuid Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName Remote Code Execution DNS crashed
URLs (1):
  https://217.115.240.248/rob109/TEST22-PC_W617601.B56E55BABF7F857F791CBB1FFDD5B03B/5/file/
Hosts (9):
  185.56.76.28 - malicious
  154.58.23.192 - malicious
  45.36.99.184 - malicious
  217.115.240.248 - malicious
  185.56.76.108 - malicious
  74.85.157.139
  60.51.47.65 - malicious
  138.34.28.219 - malicious
  24.162.214.166 - malicious
Network alerts (5):
  ET CNC Feodo Tracker Reported CnC Server group 19
  ET CNC Feodo Tracker Reported CnC Server group 22
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET CNC Feodo Tracker Reported CnC Server group 16
Score: 7.8 | ZeroCERT

10271 | 2021-07-21 08:43
File: vbc.exe | MD5: e0efe365b3b8e5bddf535420d2d50bf1
Tags: PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 OS Processor Check .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key crashed
Hosts (1): not listed
Score: 9.8 | M | VT: 38 | ZeroCERT

10272 | 2021-07-21 08:44
File: dmwa.jpg | MD5: dc71ed81724056f7ee199d098356e155
Tags: UPX DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE32 PE File Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS DDNS
URLs (3):
  https://onedrive.live.com/download?cid=D416D1B64F12090C&resid=D416D1B64F12090C%21117&authkey=APjyEsMkjUCRkZ0
  https://76kepq.dm.files.1drv.com/y4mFTaP51U3rC0HJcbA2cI21raIOulHjXqxfH10b0w34Q1YOkvmGH9y7fEJeO9us7YjzJfhwKntULyFVxYkrxV1a6cQ6UpV2_Rrg5YW8cF8Wn4-hMhP3aVvkKgEtW-xJK6VTsiFgAr8Cpoc9Qx8JYgIfqeo_xT2cdBpNpliN_3dOcfiv7aCKrN4IPTSln-FMYW-Vk8ayZl_HcOFjLwGpBrLlA/Ouioeespyllwrovblhytdqoivltnmwm?download&psid=1
  https://76kepq.dm.files.1drv.com/y4mVA-4T5BSRNr6EI3wX5yvZIcKR7593xArBkZIIWMjcax89V8byQvS1IIur9LidSZAxY8ta-ks_TmybV4m395RmQqYiEOkPhyg6LvZQlmJXs2H44Av-vGlThjLZDDQiHVjobgLdxX9xXZ_eQ-iAPYt10VFl5ifzVxhb4FFebSpYzHaKUGsTTWJZQM-s1YMitU0R6l_8ygKtNKct1mXLoPe0Q/Ouioeespyllwrovblhytdqoivltnmwm?download&psid=1
Hosts (9):
  jahblessrtd4ever.home-webserver.de(79.134.225.104) - malicious
  grace2021.duckdns.org(31.220.4.59)
  onedrive.live.com(13.107.42.13) - malicious
  grace2020.home-webserver.de(31.220.4.59)
  76kepq.dm.files.1drv.com(13.107.42.12)
  79.134.225.104 - malicious
  13.107.42.13 - malicious
  13.107.42.12 - malware
  31.220.4.59
Network alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 12.8 | M | VT: 21 | ZeroCERT

10273 | 2021-07-21 08:46
File: Premiere_Pro_Set-Up.exe | MD5: 24e83aecd38d651f87c6f4fe78b42e3e
Tags: PE64 PE File Browser Info Stealer AutoRuns MachineGuid Check memory buffers extracted Creates executable files Windows Browser
URLs (1):
  http://clients3.google.com/generate_204
Hosts (4):
  clients3.google.com(172.217.26.14)
  api.telegram.org(149.154.167.220)
  142.250.204.78
  149.154.167.220
Network alerts (1):
  ET USER_AGENTS Go HTTP Client User-Agent
Score: 4.0 | ZeroCERT

10274 | 2021-07-21 08:48
File: can.exe | MD5: 3763f091a074d72561b02c9c02e7bafc
Tags: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted WMI RWX flags setting unpack itself Windows ComputerName Cryptographic key crashed
Score: 8.6 | M | VT: 21 | ZeroCERT

10275 | 2021-07-21 08:53
File: Stolen Images Evidence.js | MD5: 120099cbae988c35eca1c64668ea92ec
Tags: Generic Malware UPX Malicious Packer Antivirus AntiDebug AntiVM PE64 DLL PE File VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process Windows ComputerName Cryptographic key crashed
Hosts (2):
  menoiras.space(172.67.156.238) - malicious
  172.67.156.238 - malicious
Network alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
Score: 10.0 | M | VT: 2 | ZeroCERT
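The records above are useful only once their URL, host and alert fields are turned into report-ready indicators. The following Python script is an added example, not part of this sandbox listing or its tooling: it parses fields in exactly the flattened form the page emits, normalises the sandbox's own "mailcious" verdict label, separates DNS lookups (including unresolved ones such as www.nandedzilla.com) from contacted IPs, pulls malware family names out of the ET MALWARE and SSLBL signature titles, defangs everything, and, for a record whose URLs share one path across many unrelated domains (the /bsk9/ set in 10265), reports that path together with the query parameter whose value never changes (lZB=UFQL6bspOrB8cl2), which is the stable token worth putting in a detection rule. The sample fields are constructed from records 10261 and 10265 on this page, with 10265 abridged to five URLs and seven hosts; the field names, function names and output layout are this example's own.

```python
"""IOC extraction over flattened sandbox record fields (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: the URL, host and alert fields of records 10261
# and 10265 as the page flattens them (10265 abridged to 5 URLs / 7 hosts).
URL_FIELD_10261 = "http://adminserver.xyz/Bn4/fre.php - rule_id: 2716"
HOST_FIELD_10261 = "adminserver.xyz(172.67.151.89) - mailcious 104.21.80.157"
ALERT_FIELD_10261 = "ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin"
URL_FIELD_10265 = (
    "http://www.brightimewatches.com/bsk9/ "
    "http://www.brightimewatches.com/bsk9/?lZB=UFQL6bspOrB8cl2&mfsl7bH=kaXVI8mGssjTav/La5mnkdXKeQWIgX "
    "http://www.sadilife.com/bsk9/?mfsl7bH=e7xbgmFucb3mdAvb4fSTdlOSkKtl9DU&lZB=UFQL6bspOrB8cl2 "
    "http://www.hptproof.com/bsk9/?lZB=UFQL6bspOrB8cl2&mfsl7bH=YFdrvYIjjYlcgmxiKpqmgps4nzJ8KKG "
    "https://cdn.discordapp.com/attachments/858233811639861291/865462995328696320/Acerirmidzgnrebaxvunjfwykhuislq"
)
HOST_FIELD_10265 = (
    "www.bearbrickstore.com(172.67.200.233) www.nandedzilla.com() "
    "cdn.discordapp.com(162.159.135.233) - malware www.66eebb.com(104.165.140.36) "
    "154.204.153.147 34.102.136.180 - mailcious 162.159.135.233 - malware"
)
ALERT_FIELD_10265 = ("SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
                     "ET MALWARE FormBook CnC Checkin (GET)")

HOST_TOKEN = re.compile(r"^(?P<name>[A-Za-z0-9.-]+)\((?P<ip>[0-9.]*)\)$")
IP_TOKEN = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5_TOKEN = re.compile(r"^[0-9a-f]{32}$")
ET_MALWARE = re.compile(r"ET MALWARE (\S+)")
SSLBL = re.compile(r"SSLBL: .*?\((\w+)\)")
# The sandbox spells its verdict "mailcious"; map it to the word it means.
VERDICTS = {"mailcious": "malicious", "malicious": "malicious", "malware": "malware"}


def is_md5(s):
    """True for a lowercase 32-hex digest as the page prints MD5s."""
    return bool(MD5_TOKEN.match(s))


def parse_hosts(field):
    """Split a flattened host field into {name, ip, verdict} entries.
    'name(ip)' is a DNS lookup (empty parentheses = unresolved), a bare
    dotted quad is a contacted IP, and '- <verdict>' tags the previous entry."""
    entries, tokens, i = [], field.split(), 0
    while i < len(tokens):
        tok, m = tokens[i], HOST_TOKEN.match(tokens[i])
        if m:
            entries.append({"name": m["name"], "ip": m["ip"] or None, "verdict": None})
        elif IP_TOKEN.match(tok):
            entries.append({"name": None, "ip": tok, "verdict": None})
        elif tok == "-" and entries and i + 1 < len(tokens):
            entries[-1]["verdict"] = VERDICTS.get(tokens[i + 1], tokens[i + 1])
            i += 1  # consume the verdict word
        i += 1
    return entries


def extract_urls(field):
    """Keep only URL tokens; drops trailers such as '- rule_id: 2716'."""
    return [t for t in field.split() if t.startswith(("http://", "https://"))]


def group_by_path(urls):
    """Map URL path -> set of hosts serving it; one path on many unrelated
    domains is a campaign-wide C2 path rather than a per-site artefact."""
    groups = defaultdict(set)
    for u in urls:
        p = urlsplit(u)
        groups[p.path].add(p.hostname)
    return dict(groups)


def constant_params(urls, path):
    """Query parameters whose value is identical in every URL with `path`;
    the one that stays fixed while the others vary is the stable token."""
    common = None
    for u in urls:
        p = urlsplit(u)
        if p.path != path or not p.query:
            continue
        params = dict(parse_qsl(p.query, keep_blank_values=True))
        common = params if common is None else {k: v for k, v in common.items() if params.get(k) == v}
    return common or {}


def families_from_alerts(field):
    """Family names carried in ET MALWARE and SSLBL signature titles."""
    return sorted(set(ET_MALWARE.findall(field)) | set(SSLBL.findall(field)))


def defang(ioc):
    """Make a URL, domain or IP unclickable for a report (hxxp, [.])."""
    if "://" in ioc:
        p = urlsplit(ioc)
        netloc = p.netloc.replace(".", "[.]")
        return f"{p.scheme.replace('http', 'hxxp')}://{netloc}{p.path}" + (f"?{p.query}" if p.query else "")
    return ioc.replace(".", "[.]")


def iocs_for_record(url_field, host_field, alert_field):
    """Report-ready IOC summary for one sandbox record."""
    urls, hosts = extract_urls(url_field), parse_hosts(host_field)
    shared = {path: sorted(hs) for path, hs in group_by_path(urls).items() if len(hs) > 1}
    return {
        "families": families_from_alerts(alert_field),
        "urls": [defang(u) for u in urls],
        "flagged_hosts": [defang(h["name"] or h["ip"]) for h in hosts if h["verdict"]],
        "unresolved": [h["name"] for h in hosts if h["name"] and not h["ip"]],
        "shared_paths": {path: {"hosts": hs, "fixed_params": constant_params(urls, path)}
                         for path, hs in shared.items()},
    }


if __name__ == "__main__":
    print(iocs_for_record(URL_FIELD_10261, HOST_FIELD_10261, ALERT_FIELD_10261))
    print(iocs_for_record(URL_FIELD_10265, HOST_FIELD_10265, ALERT_FIELD_10265))
```

Two caveats when running this over the full fields: the host list mixes the IP a domain resolved to with the same IP listed again as a bare contact, so deduplicate on IP before blocking; and parse_qsl decodes "+" in the base64-looking FormBook values as a space, which is harmless here because only the unchanging parameter is kept, but matters if the varying values are to be stored verbatim.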