11251 | 2021-08-12 09:27 | sufile.exe 5cde664f12547b26f2f59237c49b9acf | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | | 23 | ZeroCERT

11252 | 2021-08-12 09:27 | pdf_r34567888.html ee3ae3fe9474fecf7c86d4e4acd283f1 | Antivirus AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.8 | | | ZeroCERT

11253 | 2021-08-12 09:29 | .dllhost.exe b34575c36f5e24cd748b8cac361f7009 | Loki PWS Loki[b] Loki[m] Formbook .NET framework Generic Malware Admin Tool (Sysinternals etc ...) DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software
URLs (1): http://manvim.co/fd3/fre.php - rule_id: 2518
Hosts (2): manvim.co(147.182.245.83) - mailcious; 147.182.245.83
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Malicious URL matches (1): http://manvim.co/fd3/fre.php
14.0 | M | 18 | ZeroCERT

11254 | 2021-08-12 09:32 | sefile.exe 9008fe6b62bc7b920591cf8cb77d6f85 | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 22 | ZeroCERT

11255 | 2021-08-12 09:36 | 3.php 26a5a30af2a8f19775fb79d1679052e6 | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
2.0 | M | 38 | ZeroCERT

11256 | 2021-08-12 09:36 | s1TTNviXUaN2.exe 2caaab498a0de0953706637fd3eb7c89 | BitCoin Generic Malware AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://2.56.59.35:43636/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb(104.26.13.31); 104.26.12.31; 2.56.59.35
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
10.4 | M | 34 | ZeroCERT

11257 | 2021-08-12 09:37 | refno.exe 13baeeeb8178269bd06665b3eda11aa6 | RAT PWS .NET framework Generic Malware UPX Admin Tool (Sysinternals etc ...) Socket AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AppData folder Windows Cryptographic key
URLs (8):
http://www.69-1hn7uc.net/p2io/?lDKpx8o=V9Q6YNEu7TOfvwp76j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+Qw1L4Mcx+Q4bIGaE8v/&Kzux=PnjtQf7hih - rule_id: 1695 http://www.alfenas.info/p2io/?lDKpx8o=qSqSgno9cBloRqN5VLtR5zfvl4qKeuO7jrdOV5f2r4ZX0X85kelskx3YtL4YRmLXGzhxb6Nv&Kzux=PnjtQf7hih - rule_id: 1547 http://www.fuhaitongxin.com/p2io/?lDKpx8o=CqJktM7UGR26O9R1i2rMnV6ue2YAEq5Rd3PPV6e4Hl6CDdUsDohA0iBr0JiOXGWnot9DaOMs&Kzux=PnjtQf7hih - rule_id: 2907 http://www.adultpeace.com/p2io/?lDKpx8o=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&Kzux=PnjtQf7hih - rule_id: 1554 http://www.hfjxhs.com/p2io/?lDKpx8o=DTtQlm+Z53HZQQxwVrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0OsIpqJyOE0lLdOWa4eE&Kzux=PnjtQf7hih - rule_id: 1561 http://www.dreamcashbuyers.com/p2io/?lDKpx8o=H0m9fF/7YLmrrfUIC4653EpAABAppk+gPA36EdDaEoCMlE2zCVYj52aQtiOQLLDBcMq8ZjGa&Kzux=PnjtQf7hih - rule_id: 3710 http://www.newmopeds.com/p2io/?lDKpx8o=bSK1RxPLajIrf62nOJ2LeA3okZHmhG3V4GBmTatllgIVkFsFULHDN0cIL5FJcRS/4igqPa1G&Kzux=PnjtQf7hih - rule_id: 1717 http://www.3cheer.com/p2io/?lDKpx8o=hDwxgnCzatE5+wdV9NFToL98ekU0apx9FaU6+ccHPOP6vOP89MFb32Jn1B2/14jOCK3bXPvO&Kzux=PnjtQf7hih
Hosts (15):
www.adultpeace.com(163.44.239.73) www.alfenas.info(34.102.136.180) www.dreamcashbuyers.com(54.69.66.227) www.newmopeds.com(52.58.78.16) www.hfjxhs.com(156.241.53.161) www.69-1hn7uc.net(163.43.122.119) www.3cheer.com(34.102.136.180) www.fuhaitongxin.com(156.237.130.173) - mailcious 52.58.78.16 - mailcious 163.44.239.73 - mailcious 156.241.53.161 - mailcious 163.43.122.119 - mailcious 34.102.136.180 - mailcious 18.236.1.157 156.237.130.173 - mailcious
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Malicious URL matches (7): http://www.69-1hn7uc.net/p2io/; http://www.alfenas.info/p2io/; http://www.fuhaitongxin.com/p2io/; http://www.adultpeace.com/p2io/; http://www.hfjxhs.com/p2io/; http://www.dreamcashbuyers.com/p2io/; http://www.newmopeds.com/p2io/
10.4 | M | 33 | ZeroCERT

11258 | 2021-08-12 09:37 | refno1.exe c8ca6a9423c0c873479cf9a884725497 | Formbook RAT PWS .NET framework Generic Malware UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (17):
http://www.yunlimall.com/p2io/?vh=FG8u3oFYMEksByvCNClu9ACxgqrSnZ6gPOMyaYsdv+YEYVVrg2Qkx51ZmTmiwfcSVwhsWZbW&Sj=CpCLU6p - rule_id: 1551 http://www.3cheer.com/p2io/?vh=hDwxgnCzatE5+wdV9NFToL98ekU0apx9FaU6+ccHPOP6vOP89MFb32Jn1B2/14jOCK3bXPvO&Sj=CpCLU6p http://www.lucytime.com/p2io/?vh=Ymn5WmwLC00z4pVZK6ihuPaaOKCT+v+tuyygdx+oVo/PHq8Kcnnt5pAnbMy7+QY4AB/111t7&Sj=CpCLU6p - rule_id: 3881 http://www.adultpeace.com/p2io/ - rule_id: 1554 http://www.lucytime.com/p2io/ - rule_id: 3881 http://www.ruhexuangou.com/p2io/ - rule_id: 1557 http://www.aideliveryrobot.com/p2io/ - rule_id: 1727 http://www.3cheer.com/p2io/ http://www.iotcloud.technology/p2io/?vh=L/l9chWQ9dl2ZFWb8vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+eskSv5sG7vGkNeAZDxwTr&Sj=CpCLU6p - rule_id: 3879 http://www.ruhexuangou.com/p2io/?vh=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&Sj=CpCLU6p - rule_id: 1557 http://www.iotcloud.technology/p2io/ - rule_id: 3879 http://www.adultpeace.com/p2io/?vh=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&Sj=CpCLU6p - rule_id: 1554 http://www.balloon-artists.com/p2io/ - rule_id: 3885 http://www.balloon-artists.com/p2io/?vh=/DMwn9vRv8pPZran9syYwdBt6sFcRXVvVa9RfefW4qtbzd0YMa9UIXTiu4mlEuUVWx6wVl8M&Sj=CpCLU6p - rule_id: 3885 http://www.essentiallyourscandles.com/p2io/?vh=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&Sj=CpCLU6p - rule_id: 1553 http://www.yunlimall.com/p2io/ - rule_id: 1551 http://www.essentiallyourscandles.com/p2io/ - rule_id: 1553
Hosts (17):
www.aideliveryrobot.com(52.20.84.62) www.adultpeace.com(163.44.239.73) www.lucytime.com(160.124.11.194) www.essentiallyourscandles.com(23.227.38.74) www.3cheer.com(34.102.136.180) www.ruhexuangou.com(23.82.57.32) www.yunlimall.com(142.111.47.2) www.iotcloud.technology(34.102.136.180) www.balloon-artists.com(147.255.162.204) 163.44.239.73 - mailcious 52.20.84.62 - mailcious 147.255.162.204 - mailcious 160.124.11.194 - mailcious 34.102.136.180 - mailcious 23.82.57.32 - mailcious 23.227.38.74 - mailcious 142.111.47.2 - mailcious
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Malicious URL matches (15):
http://www.yunlimall.com/p2io/ http://www.lucytime.com/p2io/ http://www.adultpeace.com/p2io/ http://www.lucytime.com/p2io/ http://www.ruhexuangou.com/p2io/ http://www.aideliveryrobot.com/p2io/ http://www.iotcloud.technology/p2io/ http://www.ruhexuangou.com/p2io/ http://www.iotcloud.technology/p2io/ http://www.adultpeace.com/p2io/ http://www.balloon-artists.com/p2io/ http://www.balloon-artists.com/p2io/ http://www.essentiallyourscandles.com/p2io/ http://www.yunlimall.com/p2io/ http://www.essentiallyourscandles.com/p2io/
8.8 | M | 32 | ZeroCERT

11259 | 2021-08-12 09:38 | pdf_rg234999233.html 173908860f96edf15b0c592c7dad07bb | Antivirus AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.8 | M | | ZeroCERT

11260 | 2021-08-12 09:41 | vbc.exe da8a93ada0a33e6df7f52f8a7c1726b1 | PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://185.227.139.5/sxisodifntose.php/B0MWbknI2Z7T2 - rule_id: 3949
Hosts (1): 185.227.139.5 - mailcious
Signatures (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URL matches (1): http://185.227.139.5/sxisodifntose.php
9.4 | M | 18 | ZeroCERT

11261 | 2021-08-12 09:43 | vbc.exe cfdbd2b514b9d9b09e0c52c21c972385 | PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://185.227.139.5/sxisodifntose.php/XjjuWy0TVqjre - rule_id: 3949
Hosts (1): 185.227.139.5 - mailcious
Signatures (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URL matches (1): http://185.227.139.5/sxisodifntose.php
8.6 | M | 23 | ZeroCERT

11262 | 2021-08-12 09:45 | Shapeless.exe 69e5b67145f3dd4879642cb809a413bc | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 50 | ZeroCERT

11263 | 2021-08-12 09:45 | JavaE.dll 309661983ec46afb1868c9b8954d6b5e | Malicious Packer Malicious Library DLL PE File PE32 VirusTotal Malware
0.6 | M | 17 | ZeroCERT

11264 | 2021-08-12 09:49 | cd20abfd34fb6042d0c7450da9e61a... 067c339dcdcb526383f64a591eca6d97 | UPX Malicious Library PE File PE32 VirusTotal Malware Check memory Windows crashed
2.2 | M | 39 | ZeroCERT

11265 | 2021-08-12 10:50 | 12.msi 300db1ac0bba0b2e9904738e1607f279 | MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Tofsee ComputerName DNS
URLs (1): https://netcbin.info/August_lpIeHgg240.bin
Hosts (3): netcbin.info(185.225.19.137); 185.225.19.137; 179.43.173.14
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | | 8 | ZeroCERT