Sandbox analysis listing, entries 10696 to 10710, 2021-07-30 (last column on every row: ZeroCERT)

Record layout: ID | analysis time | file name | MD5, then the triggered signatures, then the four network columns with the count the listing gives for each (contacted URLs, with the rule_id where a URL rule fired; DNS resolutions and contacted IPs, with the listing's "malicious" flag where set; Suricata alerts; URLs matched by a rule), and finally the score and trailing columns as listed. "-" means the column is empty; "(not listed)" means the listing gives a count but no entries.

10696 | 2021-07-30 10:55 | .svchost.exe | MD5 1f563d126e328d5f75a96738a3bfdedd
  Signatures: Generic Malware Malicious Packer UPX PE32 PE File VirusTotal Malware RWX flags setting unpack itself
  URLs: - | DNS/IP: - | Suricata: - | Matched URLs: -
  Score 1.6 | M | 25 | ZeroCERT

10697 | 2021-07-30 10:56 | @worker2005.exe | MD5 bed15058430acaf20567fba8f287dd4c
  Signatures: PWS .NET framework RAT Generic Malware UPX PE32 OS Processor Check .NET EXE PE File Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
  URLs (2): http://45.82.179.116:10425/ ; https://api.ip.sb/geoip
  DNS/IP (3): api.ip.sb (172.67.75.172) ; 104.26.12.31 ; 45.82.179.116
  Suricata (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; SURICATA HTTP unable to match response to request
  Matched URLs: -
  Score 6.8 | M | 48 | ZeroCERT

10698 | 2021-07-30 10:59 | gjfkd.exe | MD5 0c81dd2088368b16444a770d8e76ecf8
  Signatures: NPKI Generic Malware Malicious Packer UPX Malicious Library PE64 PE File VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName
  URLs (1): (not listed)
  DNS/IP (2): 2no.co (88.99.66.31) [malicious] ; 88.99.66.31 [malicious]
  Suricata (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Matched URLs: -
  Score 4.8 | M | 41 | ZeroCERT

10699 | 2021-07-30 11:01 | askinstall40.exe | MD5 ef07bdb06bb72802df7cc3e7ebb13014
  Signatures: Gen2 Trojan_PWS_Stealer NPKI Emotet RAT Credential User Data Generic Malware Malicious Packer UPX Malicious Library SQLite Cookie Admin Tool (Sysinternals etc ...) Anti_VM Antivirus ASPack PE32 OS Processor Check PE File ELF PNG Format PE64 DLL MSOffic Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution crashed
  URLs (4): http://www.fcnbycy.xyz/Home/Index/lkdinl (rule_id 3329) ; http://www.iyiqian.com/ (rule_id 2326) ; https://iplogger.org/1TBch7 ; https://www.listincode.com/ (rule_id 2327)
  DNS/IP (8): www.listincode.com (144.202.76.47) [malicious] ; www.fcnbycy.xyz (188.225.87.175) [malicious] ; www.iyiqian.com (103.155.92.58) [malicious] ; iplogger.org (88.99.66.31) [malicious] ; 103.155.92.58 [malicious] ; 88.99.66.31 [malicious] ; 144.202.76.47 [malicious] ; 188.225.87.175 [malicious]
  Suricata (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Matched URLs (3): http://www.fcnbycy.xyz/Home/Index/lkdinl ; http://www.iyiqian.com/ ; https://www.listincode.com/
  Score 11.2 | M | 42 | ZeroCERT

10700 | 2021-07-30 11:03 | GOP.dotm | MD5 fb729836049f0bb0c5afffc34ada717a
  Signatures: VBA_macro Antivirus Malware download Malware Malicious Traffic unpack itself Windows DNS
  URLs: -
  DNS/IP (1): (not listed)
  Suricata (6): ET INFO Executable Download from dotted-quad Host ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ; ET INFO Packed Executable Download ; ET POLICY PE EXE or DLL Windows file download HTTP ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Matched URLs: -
  Score 5.4 | M | - | ZeroCERT

10701 | 2021-07-30 11:05 | askinstall53.exe | MD5 ffdc29b48cf5cd228193a668583fe8b3
  Signatures: Gen2 Trojan_PWS_Stealer NPKI Emotet RAT Credential User Data Generic Malware Malicious Packer UPX Malicious Library SQLite Cookie Admin Tool (Sysinternals etc ...) Anti_VM Antivirus ASPack PE32 OS Processor Check PE File ELF PNG Format PE64 DLL MSOffic Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution crashed
  URLs (4): http://www.fcnbycy.xyz/Home/Index/lkdinl (rule_id 3329) ; http://www.iyiqian.com/ (rule_id 2326) ; https://iplogger.org/1Z7qd7 ; https://www.listincode.com/ (rule_id 2327)
  DNS/IP (8): www.listincode.com (144.202.76.47) [malicious] ; www.fcnbycy.xyz (188.225.87.175) [malicious] ; www.iyiqian.com (103.155.92.58) [malicious] ; iplogger.org (88.99.66.31) [malicious] ; 103.155.92.58 [malicious] ; 88.99.66.31 [malicious] ; 144.202.76.47 [malicious] ; 188.225.87.175 [malicious]
  Suricata (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Matched URLs (3): http://www.fcnbycy.xyz/Home/Index/lkdinl ; http://www.iyiqian.com/ ; https://www.listincode.com/
  Score 11.2 | M | 53 | ZeroCERT

10702 | 2021-07-30 11:06 | vbc.exe | MD5 c85ee9fe0a4d346432307651cb4357a1
  Signatures: PE32 PE File VirusTotal Malware Check memory RWX flags setting unpack itself
  URLs: - | DNS/IP: - | Suricata: - | Matched URLs: -
  Score 2.2 | M | 21 | ZeroCERT

10703 | 2021-07-30 11:06 | WUpdate.exe | MD5 22e4972a8a73e90a38f379ff527759dc
  Signatures: Generic Malware PowerShell MZ UPX Malicious Library Escalate privileges KeyLogger Code injection HTTP Internet API ScreenShot Http API AntiDebug AntiVM PE64 OS Processor Check PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities Disables Windows Security AppData folder sandbox evasion WriteConsoleW Windows Remote Code Execution crashed
  URLs: - | DNS/IP: - | Suricata: - | Matched URLs: -
  Score 8.6 | M | 30 | ZeroCERT

10704 | 2021-07-30 11:07 | vbc.exe | MD5 aa86ca00a2b4f285e61136d91e838fcc
  Signatures: Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
  URLs: - | DNS/IP: - | Suricata: - | Matched URLs: -
  Score 10.4 | M | 26 | ZeroCERT

10705 | 2021-07-30 11:08 | vbc.exe | MD5 af4ec0bc13149037006f88effdbd7643
  Signatures: UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself Windows crashed
  URLs: - | DNS/IP: - | Suricata: - | Matched URLs: -
  Score 3.0 | M | 50 | ZeroCERT

10706 | 2021-07-30 11:10 | PROT00LS.exe | MD5 b55fcd2c05c42a62f04f967cb25130fc
  Signatures: Generic Malware PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
  URLs: - | DNS/IP: - | Suricata: - | Matched URLs: -
  Score 2.4 | M | 38 | ZeroCERT

10707 | 2021-07-30 11:11 | vbc.exe | MD5 90091c8c9c69b12fe47cee45e5090bf9
  Signatures: Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
  URLs (1): https://pastebin.com/raw/LF04hVta
  DNS/IP (3): pastebin.com (104.23.98.190) [malicious] ; 104.23.98.190 [malicious] ; 79.134.225.16
  Suricata (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Matched URLs: -
  Score 12.8 | M | 24 | ZeroCERT

10708 | 2021-07-30 11:12 | .smss.exe | MD5 0392453270a71b5a7a29b8c8d415978f
  Signatures: Loki PWS Loki[b] Loki[m] .NET framework RAT Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
  URLs (1): http://manvim.co/fd14/fre.php (rule_id 3531)
  DNS/IP (3): manvim.co (31.40.251.182) [malicious] ; 31.40.251.182 ; 79.134.225.16
  Suricata (5): ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Fake 404 Response
  Matched URLs (1): http://manvim.co/fd14/fre.php
  Score 14.8 | M | 41 | ZeroCERT

10709 | 2021-07-30 11:14 | chim.exe | MD5 b71262d7af92b5dcff86aa485d58c1cb
  Signatures: Generic Malware Malicious Library PE64 PE File VirusTotal Malware unpack itself
  URLs: - | DNS/IP: - | Suricata: - | Matched URLs: -
  Score 2.6 | M | 29 | ZeroCERT

10710 | 2021-07-30 11:15 | askinstall52.exe | MD5 2bedc5cb582ef4a9f879790910ebc5a0
  Signatures: Gen2 Trojan_PWS_Stealer NPKI BitCoin Credential User Data Generic Malware Malicious Packer UPX Malicious Library SQLite Cookie Anti_VM DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenS Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution crashed
  URLs (4): http://www.fcnbycy.xyz/Home/Index/lkdinl (rule_id 3329) ; http://www.iyiqian.com/ (rule_id 2326) ; https://iplogger.org/1G7Sc7 ; https://www.listincode.com/ (rule_id 2327)
  DNS/IP (8): www.listincode.com (144.202.76.47) [malicious] ; www.fcnbycy.xyz (188.225.87.175) [malicious] ; www.iyiqian.com (103.155.92.58) [malicious] ; iplogger.org (88.99.66.31) [malicious] ; 103.155.92.58 [malicious] ; 88.99.66.31 [malicious] ; 144.202.76.47 [malicious] ; 188.225.87.175 [malicious]
  Suricata (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Matched URLs (3): http://www.fcnbycy.xyz/Home/Index/lkdinl ; http://www.iyiqian.com/ ; https://www.listincode.com/
  Score 11.4 | M | 43 | ZeroCERT
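Added example, not part of the listing and not ZeroCERT's code: a parser for the DNS and URL columns of the records above, followed by an infrastructure pivot that finds which samples share a contacted host or IP. The input is copied from the rows for askinstall40.exe, askinstall53.exe, askinstall52.exe (whose DNS column is identical, so it is typed once), gjfkd.exe, vbc.exe (90091c8c...), .smss.exe and @worker2005.exe; the raw listing spells its blocklist flag "mailcious", and the parser accepts both that and "malicious". Function names are my own.

```python
"""Parse the DNS/URL columns of a sandbox listing and pivot on shared infrastructure."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed input: (file name, MD5, DNS column, URL column) copied from the listing.
ASKINSTALL_DNS = (
    "www.listincode.com(144.202.76.47) - mailcious www.fcnbycy.xyz(188.225.87.175) - mailcious "
    "www.iyiqian.com(103.155.92.58) - mailcious iplogger.org(88.99.66.31) - mailcious "
    "103.155.92.58 - mailcious 88.99.66.31 - mailcious 144.202.76.47 - mailcious 188.225.87.175 - mailcious"
)
ASKINSTALL_URLS = (
    "http://www.fcnbycy.xyz/Home/Index/lkdinl - rule_id: 3329 http://www.iyiqian.com/ - rule_id: 2326 "
    "https://iplogger.org/{token} https://www.listincode.com/ - rule_id: 2327"
)
SAMPLES = [
    ("askinstall40.exe", "ef07bdb06bb72802df7cc3e7ebb13014", ASKINSTALL_DNS, ASKINSTALL_URLS.format(token="1TBch7")),
    ("askinstall53.exe", "ffdc29b48cf5cd228193a668583fe8b3", ASKINSTALL_DNS, ASKINSTALL_URLS.format(token="1Z7qd7")),
    ("askinstall52.exe", "2bedc5cb582ef4a9f879790910ebc5a0", ASKINSTALL_DNS, ASKINSTALL_URLS.format(token="1G7Sc7")),
    ("gjfkd.exe", "0c81dd2088368b16444a770d8e76ecf8",
     "2no.co(88.99.66.31) - mailcious 88.99.66.31 - mailcious", ""),
    ("vbc.exe", "90091c8c9c69b12fe47cee45e5090bf9",
     "pastebin.com(104.23.98.190) - mailcious 104.23.98.190 - mailcious 79.134.225.16",
     "https://pastebin.com/raw/LF04hVta"),
    (".smss.exe", "0392453270a71b5a7a29b8c8d415978f",
     "manvim.co(31.40.251.182) - mailcious 31.40.251.182 79.134.225.16",
     "http://manvim.co/fd14/fre.php - rule_id: 3531"),
    ("@worker2005.exe", "bed15058430acaf20567fba8f287dd4c",
     "api.ip.sb(172.67.75.172) 104.26.12.31 45.82.179.116",
     "http://45.82.179.116:10425/ https://api.ip.sb/geoip"),
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A DNS entry is either "host(ip)" or a bare IP, optionally followed by the feed's
# flag, which the raw listing spells "mailcious" (both spellings accepted).
DNS_ENTRY = re.compile(
    rf"(?:(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*)\((?P<ip>{IPV4})\)|(?P<bare>{IPV4}))"
    r"(?P<flag>\s+-\s+ma(?:il|li)cious)?"
)
# A URL entry optionally carries the id of the URL rule that matched it.
URL_ENTRY = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")


def parse_record(dns_field, url_field):
    """Extract hosts/IPs, the feed's flagged entries, resolutions and rule hits from one row."""
    indicators, flagged, resolutions, rules = set(), set(), {}, {}
    for m in DNS_ENTRY.finditer(dns_field):
        if m.group("host"):
            key = m.group("host")
            resolutions[key] = m.group("ip")
            indicators.add(m.group("ip"))
        else:
            key = m.group("bare")
        indicators.add(key)
        if m.group("flag"):          # the flag belongs to this entry only
            flagged.add(key)
    for m in URL_ENTRY.finditer(url_field):
        host = urlparse(m.group("url")).hostname   # strips scheme, port and path
        if host:
            indicators.add(host)
        if m.group("rule"):
            rules[m.group("url")] = int(m.group("rule"))
    return {"indicators": indicators, "flagged": flagged,
            "resolutions": resolutions, "rules": rules}


def pivot(samples):
    """Invert the records: indicator -> MD5s that touched it; return all records and the shared ones."""
    parsed, index = {}, defaultdict(set)
    for _name, md5, dns, urls in samples:
        parsed[md5] = parse_record(dns, urls)
        for ioc in parsed[md5]["indicators"]:
            index[ioc].add(md5)
    shared = {ioc: md5s for ioc, md5s in index.items() if len(md5s) > 1}
    return parsed, shared


def clusters(samples):
    """Group samples that share at least one indicator (union-find over the pivot), largest first."""
    parent = {md5: md5 for _, md5, _, _ in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    _, shared = pivot(samples)
    for md5s in shared.values():
        first, *rest = sorted(md5s)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for md5 in parent:
        groups[find(md5)].add(md5)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    _, shared = pivot(SAMPLES)
    for ioc, md5s in sorted(shared.items(), key=lambda kv: -len(kv[1])):
        print(f"{ioc:<20} shared by {len(md5s)} samples")
    for group in clusters(SAMPLES):
        print("cluster:", ", ".join(group))
```

On this listing the pivot links the three askinstall*.exe rows to gjfkd.exe through 88.99.66.31, and vbc.exe (90091c8c...) to the LokiBot sample .smss.exe through 79.134.225.16, while @worker2005.exe stands alone. Treat a shared indicator as a lead, not a verdict: hosts that are public services in the listing (iplogger.org, pastebin.com, api.ip.sb) and the addresses behind them are touched by unrelated samples, so weigh an indicator by how rare it is across the feed before blocking on it, and keep the feed's flag, the Suricata alert and the rule_id match as separate pieces of evidence rather than merging them.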