ID | Submitted | Filename | MD5 | Tags | URLs | Hosts | IDS alerts | URLs (second list) | Score | Flag | Count | Submitter
10606 | 2021-07-29 09:46 | Edge.js | 8a005a721fcf3972456cb12e0a4f3fa0 | VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper | | 2: fe1eaf89.office.drpease.com(195.189.96.41); 195.189.96.41 | 2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | | 10.0 | | 4 | ZeroCERT
10607 | 2021-07-29 09:51 | joinpornhub.pdf.exe | e136a977901a98fb11493370926cfcf6 | Malicious Packer PE32 DLL PE File Dridex TrickBot VirusTotal Malware Report suspicious privilege MachineGuid Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed | 4: https://138.34.28.219/login.cgi?uri=/index.html (rule_id: 2674); https://38.110.103.18/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/; https://138.34.28.219/index.html (rule_id: 2677); https://138.34.28.219/cookiechecker?uri=/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/ (rule_id: 2675) | 9: 154.58.23.192 - malicious; 45.36.99.184 - malicious; 68.69.26.182 - malicious; 217.115.240.248 - malicious; 38.110.103.124 - malicious; 74.85.157.139 - malicious; 38.110.103.18 - malicious; 185.56.76.94 - malicious; 138.34.28.219 - malicious | 4: ET CNC Feodo Tracker Reported CnC Server group 19; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O); ET CNC Feodo Tracker Reported CnC Server group 22 | 3: https://138.34.28.219/login.cgi; https://138.34.28.219/index.html; https://138.34.28.219/cookiechecker | 7.8 | M | 15 | ZeroCERT
10608 | 2021-07-29 09:51 | logo_7gawc.png | cc5daf8c69346182af1acbeba7677b90 | Generic Malware Malicious Library PE32 DLL PE File VirusTotal Malware | | | | | 1.2 | | 20 | ZeroCERT
10609 | 2021-07-29 09:52 | empty_jquz.png | 170822d36f3cbb28faf8e87dec8c1e4d | Generic Malware Malicious Library PE32 DLL PE File VirusTotal Malware | | | | | 1.4 | | 30 | ZeroCERT
10610 | 2021-07-29 09:53 | taroch.exe | 4bd029fab2e1855b65f19af615d5af49 | PE32 PE File VirusTotal Malware unpack itself | | | | | 1.8 | | 25 | ZeroCERT
10611 | 2021-07-29 09:54 | ahsleyzx.exe | dfcca1c0512fb60c55bc167340b8e653 | Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 2.0 | | 23 | ZeroCERT
10612 | 2021-07-29 09:55 | file.exe | 6cac30135f4d5639c81e29e7d32d95e0 | UPX Malicious Library PE32 PE File Dridex TrickBot VirusTotal Malware Malicious Traffic RWX flags setting unpack itself Kovter ComputerName DNS | 2: https://45.140.17.74/cx; https://45.140.17.74/aPr9 | 1 | 1: ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | | 4.6 | | 54 | ZeroCERT
10613 | 2021-07-29 09:56 | dllhost.exe | faa036cbca3230e8df524875427c41fd | Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed | | | | | 2.4 | | 36 | ZeroCERT
10614 | 2021-07-29 09:58 | empty_7wz0.png | 25dbc4e228927bea3d145caae5a5d842 | Generic Malware Malicious Library PE32 DLL PE File VirusTotal Malware | | | | | 1.2 | | 23 | ZeroCERT
10615 | 2021-07-29 09:58 | .smss.exe | 0f061f64b9c001f53f851abb1ba06a28 | PWS Loki[b] Loki[m] .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software | 1: http://manvim.co/fd14/fre.php | 2: manvim.co(31.40.251.175) - malicious; 31.40.251.175 | 5: ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response | | 12.8 | | 29 | ZeroCERT
10616 | 2021-07-29 09:58 | apwxc.exe | ddde6fc0ce346b0ab7bb0c8c02a09d33 | PWS .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) PE32 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed | | | | | 1.6 | | 16 | ZeroCERT
10617 | 2021-07-29 09:59 | empty_lfqcu.png | a8def6da313d520cb2e19654a3194c13 | Generic Malware Malicious Library PE32 DLL PE File VirusTotal Malware | | | | | 1.2 | | 22 | ZeroCERT
10618 | 2021-07-29 10:00 | button_umlnxz.png | b5a761c473bd2c4f816ef518b44a559e | Generic Malware Malicious Library PE32 DLL PE File VirusTotal Malware | | | | | 1.2 | | 25 | ZeroCERT
10619 | 2021-07-29 10:00 | vbc.exe | a584c1efdc2d5911278ab43d1fc671af | UPX Malicious Library PE32 OS Processor Check PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself | 3: http://www.hybrid-sol.com/dd2v/?5jrDZDS=QU76MMVDaEalz7inlspnMh66/1hVeZvVrtBx8jpddEDRMVGqwAVNDg/Yi8GXR76xKGaxYqiQ&kxl0db=LhH8; http://www.q99f.com/dd2v/?5jrDZDS=zjDRxF5X1wZRPIzYbdlYAg34k3BLnyx0cmez+iV0Xc8ymW4mETi0Mumbu1nv3zHBsM04IXAc&kxl0db=LhH8; http://www.fortmyerscruisevacation.com/dd2v/?5jrDZDS=nhj7AeJneWpfdej/qaMWIItsPR9NP5l0GvNSoiv+0Olc+IAL+00AVB05K12uB4NevRRrPgK/&kxl0db=LhH8 | 8: www.lotusinplay247.com(3.108.71.249); www.hybrid-sol.com(95.216.102.241); www.fortmyerscruisevacation.com(34.102.136.180); www.q99f.com(134.122.133.171); 134.122.133.171; 3.108.71.249; 34.102.136.180 - malicious; 95.216.102.241 - malicious | 1: ET MALWARE FormBook CnC Checkin (GET) | | 4.8 | | 38 | ZeroCERT
10620 | 2021-07-29 10:11 | taroch.exe | 4bd029fab2e1855b65f19af615d5af49 | Formbook PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself installed browsers check Browser Email ComputerName Software | 1: http://arku.xyz/tkrr/T1/w2/fre.php | 2: arku.xyz(172.67.173.58); 104.21.30.161 | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response | | 7.8 | M | 32 | r0d