10966 | 2021-08-06 09:20
start.EXE aac2b6314988e0aea824fe0a53b917c1 Emotet Gen1 UPX Malicious Library Antivirus PE64 PE File VirusTotal Malware powershell AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Remote Code Execution Cryptographic key
|
|
|
|
6.0 | | 7 | ZeroCERT
10967 | 2021-08-06 09:22
Ghazals500us.exe b6980e5e55804f4c149c2d5096a7fd68 RAT BitCoin Generic Malware AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
2 | http://185.173.36.104:44030/ - rule_id: 2863 https://api.ip.sb/geoip
3 | api.ip.sb(104.26.12.31) 172.67.75.172 185.173.36.104 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1 | http://185.173.36.104:44030/
11.8 | M | 56 | ZeroCERT
10968 | 2021-08-06 09:22
hWUsDVx5V2Kte0B.exe 44de2471096289379cf30cef69e2d35f RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
|
|
|
|
2.8 | M | 41 | ZeroCERT
10969 | 2021-08-06 09:24
pdf_document_sw211222.html a30a7664820bee515dd5b191440aba0e Antivirus AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
|
|
2 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
3.8 | | | ZeroCERT
10970 | 2021-08-06 09:24
barorsunn.exe 74c0f41c711f0113e7a4e15916559950 Generic Malware UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
1 | http://axz1.xyz/VTR/w2/fre.php
2 | axz1.xyz(104.21.58.209) - mailcious 172.67.164.172
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
8.6 | M | 36 | ZeroCERT
10971 | 2021-08-06 09:26
DBti7kFcOLHaK2z.exe a4579e15af982f864c88df0a1c1dbf0a PWS .NET framework Generic Malware UPX .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key
|
|
|
|
3.2 | M | 30 | ZeroCERT
10972 | 2021-08-06 09:26
usermasabikzx.exe 53b546cb0d9e9e8a27a1317e55086eb2 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
|
|
|
|
10.2 | M | 31 | ZeroCERT
10973 | 2021-08-06 09:28
Hlt9VTppbZE9UGs.exe 3aa98571fcb0f1d734605cc6e2d8adf0 RAT Generic Malware UPX .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed
|
|
|
|
2.6 | M | 44 | ZeroCERT
10974 | 2021-08-06 09:30
vbc.exe d07fd206bfadd24bc7e4939c7b24e098 Generic Malware UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | http://brokenethicalgod.ml/BN11/fre.php
2 | brokenethicalgod.ml(172.67.206.219) 172.67.206.219
10 | ET INFO DNS Query for Suspicious .ml Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ml Domain ET INFO HTTP Request to a *.ml domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
8.0 | M | 28 | ZeroCERT
10975 | 2021-08-06 09:30
vbc.exe aa4b9c043e923952fee38447b9dd0b43 UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution
16 | http://www.hibachiexpressnctogo.com/6mam/ http://www.trendyheld.com/6mam/?gf=E0pe+Y2v4UDt+w4IAz5H/oSd7jolrcEyLMhuwDlQLqgXY2i3h8ADuPLB2g4wdc2gmmszQyxl&WbJ=vFNt3 http://www.kykyryky.art/6mam/ - rule_id: 3577 http://www.bgpetty.com/6mam/ http://www.hanasugisaki.com/6mam/ http://www.scientiaxliv.com/6mam/ http://www.bgpetty.com/6mam/?gf=DVd1UroJa56TibiaZjHEwxXkZ0tEKWvQ6wjwLM6s02wKD9/hiFlWC8bXo6c3n9F1pHO/GanB&WbJ=vFNt3 http://www.hanasugisaki.com/6mam/?gf=jkvtMSvddI2VYlq0mp5CmeoamuID3EfQPD4PCCzv2+e72zsfqy8mt6+jtGJRzfNUMKA78SWG&WbJ=vFNt3 http://www.hibachiexpressnctogo.com/6mam/?gf=0HG4+iy4HM9z+nt9884ETIsw7S4XNgMIsS4SVeWydW0ESnQUZ/hCKdKQ9SnakUxepzgcXLa3&WbJ=vFNt3 http://www.kykyryky.art/6mam/?gf=YhmCqIEbUGfuw5buP1ux4NwPyUbKdSmuBWvVd54Q/24mN/u1gMwH9i6nnbSMiSrA5lPx01TB&WbJ=vFNt3 - rule_id: 3577 http://www.trendyheld.com/6mam/ http://www.scientiaxliv.com/6mam/?gf=BjPyK/gh05BndaRlxx73WDfQM5Dt6PhPoAEuUgvv1xovO5wVmySbhw6hu25djVRDujkCPznz&WbJ=vFNt3 https://www.hanasugisaki.com/6mam/ https://pxpura.sn.files.1drv.com/y4m8w-5fZ5LYe9NvVGuehLoV03XV3EjZKx4NG5hd09m24ST9gDlTm2Pa-Km4mTTC7Q7Beyz15BqxFhaTLmMe4oLSytmfOwepooZRHdsg484fbqDCfa2Y7LI5MFnkvBtX4hFVimoAiiwVVwYt1z0CaG3TepVkT1NCz34co9aNrbAg4vM0IdJjZKsHKKek2lcjZnWtot_ri4C5lKlxcM7drBzVQ/Ibbuwegvliephobtwakpuytjburrfsv?download&psid=1 https://pxpura.sn.files.1drv.com/y4mTqQTnzr4pGog1oK2eUPWO2zTo_rsFVTPrpApe4AHExcxal8onplEHYAAHWZNuE9mQhEnNg9mAhgaH0pBJMGNkXeaGGjPLQpFd_j-WYlkCZkVMaTJvVVJjW_SKqjQMixM8CLUN84M--myYDNmTgV_V3qzQm-iqfWRzhMNFnAhWkZySZurqkZI9uWlpe74bVG0ncBzFZPMFBkPTrVXY5kkcw/Ibbuwegvliephobtwakpuytjburrfsv?download&psid=1 https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21116&authkey=AC5XLhzUJFsHZoI
18 | onedrive.live.com(13.107.42.13) - mailcious www.bgpetty.com(142.93.181.240) www.trendyheld.com(23.227.38.74) pxpura.sn.files.1drv.com(13.107.42.12) www.shkanghong.com(104.221.198.133) www.hibachiexpressnctogo.com(54.230.62.115) www.scientiaxliv.com(34.102.136.180) www.hanasugisaki.com(91.195.240.94) www.kykyryky.art(194.58.112.174) 54.230.169.48 104.221.198.133 13.107.42.13 - mailcious 13.107.42.12 - malware 34.102.136.180 - mailcious 194.58.112.174 - mailcious 23.227.38.74 - mailcious 142.93.181.240 91.195.240.94 - phishing
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET)
2 | http://www.kykyryky.art/6mam/ http://www.kykyryky.art/6mam/
11.6 | M | 24 | ZeroCERT
10976 | 2021-08-06 09:31
dwn.exe a22ae90aeac4eecc7448b7d96a55b774 Generic Malware UPX Malicious Packer .NET EXE PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName
|
2 | ioxg.ix.tc(203.159.80.70) 203.159.80.70 - malware
|
|
10.8 | M | 57 | ZeroCERT
10977 | 2021-08-06 09:33
.audiodg.exe 4a21a7f7fa4c1ce05c8c1a7e10eb73dc PWS Loki[b] Loki[m] .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
1 | http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx - rule_id: 2584
1 | 185.227.139.18 - mailcious
6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
1 | http://185.227.139.18/dsaicosaicasdi.php
13.8 | M | 19 | ZeroCERT
10978 | 2021-08-06 09:33
butolin.exe 15fe7395ede733429881ca065f9e9cc3 Loki Generic Malware UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself installed browsers check Browser Email ComputerName Software
1 | http://lushbb.xyz/tker3/w2/fre.php - rule_id: 3369
2 | lushbb.xyz(172.67.190.159) - mailcious 172.67.190.159
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://lushbb.xyz/tker3/w2/fre.php
7.6 | M | 26 | ZeroCERT
10979 | 2021-08-06 09:35
benu.exe 7576d0cf0b60965127fbe253a599c2ac PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed
|
|
|
|
2.6 | M | 49 | ZeroCERT
10980 | 2021-08-06 09:35
EgVhr9cVP2SFBEU.exe bfdc6b9626ebc50042b3aaa98f9e4b28 Generic Malware UPX .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself
|
|
|
|
2.4 | M | 44 | ZeroCERT