10921 |
2021-08-05 10:18
|
.audiodg.exe 79d9e8caedc00b08bc562a535fe5f3f0 PWS Loki[b] Loki[m] .NET framework RAT Generic Malware UPX Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx - rule_id: 2584
|
1
185.227.139.18 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://185.227.139.18/dsaicosaicasdi.php
|
15.0 |
M |
40 |
ZeroCERT
10922 |
2021-08-05 10:23
|
new.exe c1599712d6b112f70b9da4aa73f37a0b Generic Malware Themida Packer Anti_VM Malicious Library PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware Cryptographic key Software crashed |
2
http://yonicathal.xyz/ - rule_id: 3357 https://api.ip.sb/geoip
|
4
yonicathal.xyz(91.235.129.135) - mailcious api.ip.sb(104.26.13.31) 91.235.129.135 - mailcious 104.26.13.31
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
1
|
10.0 |
M |
30 |
ZeroCERT
10923 |
2021-08-05 10:23
|
nympholepsies 106b947aa2e8101bff6e3ff0f82bfe95 Generic Malware Malicious Packer UPX Malicious Library DNS Socket Escalate priviledges AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware Code Injection buffers extracted unpack itself malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check |
|
|
|
|
7.4 |
M |
35 |
ZeroCERT
10924 |
2021-08-05 10:25
|
Clickerman.exe 3adb093ea2754209be59a1a0f29b60ee PWS .NET framework RAT Generic Malware Malicious Packer Anti_VM UPX PE File OS Processor Check .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger WMI unpack itself Windows utilities Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
8.0 |
M |
45 |
ZeroCERT
10925 |
2021-08-05 10:28
|
d.wbk c7e44f1faf0f6f5c9e08fd8323d7f39a RTF File doc AntiDebug AntiVM FormBook Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed |
3
http://192.3.122.133/dubem/win22.exe http://www.lzcxkj888.com/d6b4/?iN=uPVo0pzI0ArH7X144sNYCwKddg947NU05e9iK1uMCjx4rBqU+bHxotmYz5U69MC02jCRFKsM&lH5d=YTChiXcp6fKlAhF http://www.lkprimeusa.com/d6b4/?iN=07EUc8qASaG/3VfQRg4EEw3YL+3tn2VFwz036mivi72SnUpvja52lyVORGrcG9Bm3ip+G+Yj&lH5d=YTChiXcp6fKlAhF
|
5
www.lkprimeusa.com(34.80.190.141) www.lzcxkj888.com(23.226.67.245) 192.3.122.133 - mailcious 23.226.67.245 34.80.190.141 - mailcious
|
8
ET INFO Executable Download from dotted-quad Host ET MALWARE Possible Malicious Macro DL EXE Feb 2016 ET MALWARE Possible Malicious Macro EXE DL AlphaNumL ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE FormBook CnC Checkin (GET)
|
|
4.2 |
M |
|
ZeroCERT
10926 |
2021-08-05 10:34
|
2.pdf de2a8a728f81d44562bfd3e91c95f002 PDF VirusTotal Malware Check memory Java |
2
http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
|
2
swupmf.adobe.com(23.201.36.139) 23.40.44.138
|
|
|
2.6 |
|
18 |
ZeroCERT
10927 |
2021-08-05 10:35
|
1.pdf a0c7e9dc69e439cb431e6dea9f0d5930 PDF VirusTotal Malware Check memory unpack itself |
2
http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
|
3
swupmf.adobe.com(104.109.240.143) 23.40.44.138 23.212.12.57
|
|
|
2.0 |
|
7 |
ZeroCERT
10928 |
2021-08-05 10:44
|
4913.dll c00e0917372861f279731776738ce2f3 Generic Malware Malicious Packer UPX PE64 PE File DLL VirusTotal Malware crashed |
|
|
|
|
1.2 |
|
11 |
ZeroCERT
10929 |
2021-08-05 10:45
|
제4기AMP 안내자료.pdf 70294ac8b61bfb936334bcb6e6e8cc50 PDF VirusTotal Malware Check memory unpack itself |
2
http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
|
3
swupmf.adobe.com(23.201.36.139) 23.201.36.139 23.40.44.138
|
|
|
2.2 |
|
11 |
ZeroCERT
10930 |
2021-08-05 10:51
|
both123.exe 58a63044fe092b8c6e525cc920c04bc1 Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware |
|
|
|
|
1.0 |
M |
26 |
r0d
10931 |
2021-08-05 10:54
|
Enq.xll.exe 8fa502b4a09f8f304b267f9c70e18de5 Generic Malware UPX Malicious Library PE64 PE File OS Processor Check DLL VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
2.0 |
|
35 |
ZeroCERT
10932 |
2021-08-05 10:57
|
Stolen Images Evidence.js 6208a326b847e3e9c1e342dfda5d356f Antivirus AntiDebug AntiVM PE64 PE File DLL VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process Windows ComputerName Cryptographic key crashed |
2
http://moigoran.space/333g100/index.php http://moigoran.space/333g100/main.php
|
2
moigoran.space(104.21.95.9) - mailcious 172.67.142.124 - mailcious
|
3
ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP
|
|
10.0 |
|
15 |
ZeroCERT
10933 |
2021-08-05 10:57
|
ADGMP-EC-AGB-June21.jpg.lnk 6ef8991c1fef9c553e7cc9b2ba4517bd AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting unpack itself suspicious process Tofsee Interception |
1
https://bsnlplots.com/css/css/b/l/i2.php
|
2
bsnlplots.com(172.67.221.235) - mailcious 104.21.54.4
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
12 |
ZeroCERT
10934 |
2021-08-05 10:57
|
ERFORDERLICH.exe a707637624c53b312b0300f16ff41f73 RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName |
2
https://cdn.discordapp.com/attachments/866595431462993932/872311226670153769/nxj.exe https://cdn.discordapp.com/attachments/859130004898447360/871143663751823370/Anasayfa.dll
|
2
cdn.discordapp.com(162.159.129.233) - malware 162.159.130.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
19 |
ZeroCERT
10935 |
2021-08-05 10:57
|
PURCHASE ORDER AZAS112.xls.xll 4ebc548df517cae4c7e3122e9c75ede6 Generic Malware UPX Malicious Library PE64 PE File OS Processor Check DLL VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
2.0 |
|
31 |
ZeroCERT