11281 | 2021-08-13 10:02
File: nnv.exe | MD5: af2ee0b683302aedb51ba90fde89e947
Signatures: PWS, Loki[b], Loki.m, RAT, Gen1, Gen2, Generic Malware, Malicious Packer, UPX, Malicious Library, DNS, Socket, KeyLogger, HTTP, Internet API, ScreenShot, Http API, AntiDebug, AntiVM, .NET EXE, PE File, PE32, DLL, OS Processor Check, Browser Info Stealer, Malware download, FTP Client Info Stealer, Azorult, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, PDB, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Collect installed applications, AppData folder, malicious URLs, sandbox evasion, anti-virtualization, installed browsers check, Ransomware, Browser, Email, ComputerName, DNS, Software
URLs (1): http://37.0.10.99/PL341/index.php
Hosts (1): none listed
Suricata alerts (2): ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1; ET MALWARE AZORult v3.3 Server Response M3
Score 16.4 | M | 45 | ZeroCERT

11282 | 2021-08-13 10:02
File: xds.exe | MD5: 9192c2363847689ba2d28c05c4c04c6c
Signatures: RAT, PWS, .NET framework, Generic Malware, .NET EXE, PE File, PE32, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Tofsee, Windows, DNS, Cryptographic key, crashed
URLs (1): none listed
Hosts (3): www.google.com(172.217.31.164); 13.107.21.200; 172.217.161.132
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 6.6 | M | 31 | ZeroCERT

11283 | 2021-08-13 10:04
File: bin.exe.bin | MD5: fe8953e299b378a06e2345d0ee75f710
Signatures: UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, Check memory, unpack itself, DNS, crashed
Hosts (1): none listed
Score 2.8 | M | 14 | ZeroCERT

11284 | 2021-08-13 10:19
File: b4cfc49d647ebeffb99579dbd4be2a... (name truncated in the listing) | MD5: b594afc619b7f19b04c125b093ddb099
Signatures: CobaltStrike, Generic Malware, Malicious Packer, UPX, Malicious Library, PE File, PE64, VirusTotal, Malware, unpack itself, crashed
Score 2.0 | | 19 | r0d

11285 | 2021-08-13 20:03
File: wvieedr.exe | MD5: 06a029882deabf229f62728afe3baf4f
Signatures: UPX, Malicious Library, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, VirusTotal, Malware, PDB, Code Injection, Checks debugger, buffers extracted, unpack itself
Score 7.6 | | 42 | ZeroCERT

11286 | 2021-08-13 20:04
File: .dllhost.exe | MD5: a6ddea61a510a4df6968fcfc929150a4
Signatures: Loki, PWS, Loki[b], Loki.m, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), DNS, Socket, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Windows, Browser, Email, ComputerName, Cryptographic key, Software
URLs (1): http://manvim.co/fd3/fre.php (rule_id: 2518)
Hosts (2): manvim.co(46.173.214.209) - malicious; 46.173.214.209
Suricata alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1): http://manvim.co/fd3/fre.php
Score 12.6 | M | 21 | ZeroCERT

11287 | 2021-08-13 20:07
File: 312321312312_.exe | MD5: 733546d80cc58bf61df0f32cd9f78bec
Signatures: RAT, PWS, .NET framework, BitCoin, Generic Malware, UPX, Malicious Library, AntiDebug, AntiVM, OS Processor Check, .NET EXE, PE File, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, Cryptographic key, Software, crashed
URLs (2): http://verecalina.xyz/ (rule_id: 2140); https://api.ip.sb/geoip
Hosts (4): api.ip.sb(172.67.75.172); verecalina.xyz(141.136.0.96) - malicious; 104.26.12.31; 141.136.0.96 - malicious
Suricata alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
Flagged URLs (1): none listed
Score 11.6 | M | 14 | ZeroCERT

11288 | 2021-08-13 20:08
File: .svchost.exe | MD5: a1c4645815d0ab06831f62042cfa0da0
Signatures: PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, .NET EXE, PE File, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Detects VirtualBox, suspicious process, VMware, anti-virtualization, Windows, ComputerName, Cryptographic key, Software
URLs (1): http://www.oubacm.com/nff/?YVMpBHt0=kOxlMsEhw03d2uVAXOQvqY0Z9Dr8MJKVGpE1ntbYQyc+dfdbIt8ZzdDOAXb/KtdGaagqSSjC&BvI=BR-4Xr
Hosts (3): www.automotivevita.com(); www.oubacm.com(45.193.166.57); 45.193.166.57
Suricata alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Score 12.4 | M | 32 | ZeroCERT

11289 | 2021-08-13 20:10
File: runtimebroker.exe | MD5: fcce9e904debca11888ba8898e9dca46
Signatures: UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, PDB, unpack itself
Score 2.2 | M | 27 | ZeroCERT

11290 | 2021-08-13 20:12
File: %E8%BD%AF%E4%BB%B6%E6%8E%88%E6... (URL-encoded UTF-8; begins 软件授…, "software…", name truncated in the listing) | MD5: ca0bfb0e149468f828793f18cd1db393
Signatures: Generic Malware, UPX, Malicious Library, PE File, PE32, Malware download, VirusTotal, Open Directory, Malware, AutoRuns, Check memory, Creates executable files, RWX flags setting, AntiVM_Disk, sandbox evasion, VM Disk Size Check, Windows, Exploit, Browser, DNS
URLs (1): http://144.48.240.173:29106/services.exe
Hosts (2): 103.229.126.73; 144.48.240.173 - malware
Suricata alerts (8): ET INFO Executable Download from dotted-quad Host; ET HUNTING Suspicious services.exe in URI; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK); ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE - Served Attached HTTP
Score 6.2 | M | 58 | ZeroCERT

11291 | 2021-08-13 20:12
File: GetFile2 | MD5: bebccbf007e6833633716dd855003acf
Signatures: RAT, Generic Malware, UPX, DLL, .NET DLL, PE File, PE32, VirusTotal, Malware, DNS
Hosts (1): none listed
Score 1.6 | M | 19 | ZeroCERT

11292 | 2021-08-13 20:14
File: refno.exe | MD5: 2c886fae28caeeeb3b0ada64f64abfb9
Signatures: PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, .NET EXE, PE File, PE32, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
Score 7.2 | M | 22 | ZeroCERT

11293 | 2021-08-13 20:17
File: .csrss.exe | MD5: 9de20bb57302eb4bd57152d375e2f826
Signatures: Lokibot, PWS, Loki[b], Loki.m, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), DNS, Socket, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Windows, Browser, Email, ComputerName, Cryptographic key, Software
URLs (1): http://manvim.co/fd5/fre.php (rule_id: 2435)
Hosts (2): manvim.co(46.173.214.209) - malicious; 46.173.214.209
Suricata alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1): http://manvim.co/fd5/fre.php
Score 14.6 | M | 23 | ZeroCERT

11294 | 2021-08-13 20:20
File: vbc.exe | MD5: a258ac40b5c62c1ac1124ace071c69dd
Signatures: PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, .NET EXE, PE File, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs (9):
  http://www.3503322.com/o9pi/?JR-=mIG2xLW65f/VY2T7w/n5w3CohzNjrv59+Q+RRLKIWVzRM3IbGYEkjA8oEFQSpfhxI62o55rd&ob30qv=R2JDx2
  http://www.ypassociatesfue.com/o9pi/?JR-=vJomEIO82ceFaeQdGLXRxUlnCwW32HRBD6KZ4caxEoTRh0t+XtMFapojsRpKLHNlWhKIhEvP&ob30qv=R2JDx2
  http://www.triplerb.net/o9pi/?JR-=8LaaYBm3TSp0+Dsx63LIWRHbTa3sjACgPwATmM7mqou8RBHT8Uw6M3CNCc2vcCxOxjhGpp/k&ob30qv=R2JDx2
  http://www.ambientcommunity.com/o9pi/?JR-=y3S9oTK7ZTucHHHaCr+21MXTMaess5Kpzx7PDWAO8SVqgAMxhMAouzFjMrnVr8YtRm2uWSCI&ob30qv=R2JDx2
  http://www.xn--u9jy72gkoryg6abnb.com/o9pi/?JR-=dw42vcc5H4cJtOS2xFTuvaFHfjF2n7qc0CL/kbiqYyrqDrRUwY25eQioZqzEDrHsyKZ/3+Jp&ob30qv=R2JDx2
  http://www.natjurals.com/o9pi/?JR-=7gA2nshU5oHcBaZY+ijQuPNpnYwMStAdL6cHORIxWU958uWY5q/GQE3Q+KIcK4hDlf6TgzHT&ob30qv=R2JDx2
  http://www.rimanchallenge.com/o9pi/?JR-=Ryj/ZHe86eGzdfhYpxxiW1EUL3bgOORdifsAzXuDJZVsJm+RzRFHhoTWBkx5uSPCD90XO6NN&ob30qv=R2JDx2
  http://www.facilmkt.com/o9pi/?JR-=U2rBSRZonOR8QiGC5jupmy09eLApZ5QLMo35m9jcydH8ukRQYzN10iXvj8MOBJVycEsRfwTX&ob30qv=R2JDx2
  http://www.cityedirectory.com/o9pi/?JR-=z/X5Ze4UBjOWalfkHW1NeAdw2uJ9YkKssi0Q0RRRmjAem/VT1deVvUmI69DgCb1bDTAfesF6&ob30qv=R2JDx2
Hosts (18): www.ambientcommunity.com(34.102.136.180); www.xn--u9jy72gkoryg6abnb.com(133.167.77.233); www.triplerb.net(34.102.136.180); www.signtosavelives.info(); www.cityedirectory.com(103.224.182.243); www.facilmkt.com(145.239.189.1); www.rimanchallenge.com(118.27.99.26); www.3503322.com(154.91.194.130); www.natjurals.com(162.241.216.125); www.ypassociatesfue.com(66.235.200.146); 66.235.200.146 - malware; 154.91.194.130; 118.27.99.26 - malicious; 34.102.136.180 - malicious; 162.241.216.125; 133.167.77.233; 145.239.189.1; 103.224.182.243 - suspicious
Suricata alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Score 8.2 | M | 27 | ZeroCERT

11295 | 2021-08-13 20:24
File: bum.exe | MD5: 24fa9768014a79d9193de95aebdd6e4f
Signatures: PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), AntiDebug, AntiVM, .NET EXE, PE File, PE32, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs (8):
  http://www.shopihy.com/p2io/?Bb=Ei6RqbmvJXwd1KhoWyb/BZtLNDk4B448l51n8Zz8P/g/u3IBdZc5bHR/QCXBboISRM182550&uTg8S=yVCTVbEP (rule_id: 2198)
  http://www.micheldrake.com/p2io/?Bb=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw&uTg8S=yVCTVbEP (rule_id: 1550)
  http://www.trendbold.com/p2io/?Bb=YuHUVBROXCfg7aakNX6aejQt13LdGy2QNXOPqDJZQ0blgOG1Ou0e6o/Qymt+KddQAKm5B3Gq&uTg8S=yVCTVbEP (rule_id: 2197)
  http://www.ololmychartlogin.com/p2io/?Bb=2q6D4S4KFKmlXKAOo+dmfNOnFlWkohYFDzximTpdHsIuBKx0b3v/5p4ytrwsGJikHaDfqBb+&uTg8S=yVCTVbEP (rule_id: 1558)
  http://www.adultpeace.com/p2io/?Bb=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&uTg8S=yVCTVbEP (rule_id: 1554)
  http://www.thesoulrevitalist.com/p2io/?Bb=ywi4HDlC8ElSOMEyK6H+rd6B6cynTULkanOSXBUPYg06e2wPUHpv6wPun14JIO+5lIaxxIkr&uTg8S=yVCTVbEP (rule_id: 2157)
  http://www.malcorinmobiliaria.com/p2io/?Bb=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&uTg8S=yVCTVbEP (rule_id: 1719)
  http://www.myfavbutik.com/p2io/?Bb=dKp6rERBK113SD0GvHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqFHc7ZWN2qvn1fWpyoOF&uTg8S=yVCTVbEP (rule_id: 1552)
Hosts (19): www.malcorinmobiliaria.com(160.121.176.84); www.adultpeace.com(163.44.239.73); www.shopihy.com(160.153.137.40); www.jonathan-mandt.com(); www.micheldrake.com(192.0.78.25); www.myfavbutik.com(172.67.161.4); www.pyithuhluttaw.net(103.91.67.83); www.trendbold.com(64.190.62.111); www.thesoulrevitalist.com(34.102.136.180) - malicious; www.ololmychartlogin.com(104.237.196.117); 160.121.176.84 - malicious; 163.44.239.73 - malicious; 34.102.136.180 - malicious; 64.190.62.111 - malicious; 104.21.15.16 - malicious; 192.0.78.25 - malicious; 160.153.137.40 - malicious; 5.79.68.107 - suspicious; 103.91.67.83 - malicious
Suricata alerts (2): ET MALWARE FormBook CnC Checkin (GET); ET DROP Spamhaus DROP Listed Traffic Inbound group 17
Flagged URLs (8): http://www.shopihy.com/p2io/; http://www.micheldrake.com/p2io/; http://www.trendbold.com/p2io/; http://www.ololmychartlogin.com/p2io/; http://www.adultpeace.com/p2io/; http://www.thesoulrevitalist.com/p2io/; http://www.malcorinmobiliaria.com/p2io/; http://www.myfavbutik.com/p2io/
Score 8.6 | M | 17 | ZeroCERT

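Added example, not part of the sandbox listing or of the ZeroCERT tooling: a small Python triage pass over C2 URLs of the kinds recorded above. It encodes three shapes abstracted from this listing as heuristics: the FormBook check-in (plain HTTP GET to a short directory such as /nff/, /o9pi/ or /p2io/ with one long base64-like parameter and one short trailer), the LokiBot gate (a path ending in /fre.php, as both manvim.co samples show), and any request to a bare dotted-quad host (the AZORult index.php check-in and the services.exe download, which the ET HUNTING and ET INFO alerts above also flag). The regexes, length thresholds, labels and the sample URL list are assumptions made for the example; they are not the Emerging Threats signatures that fired in the sandbox.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input: C2 URLs copied from the listing, plus two URLs that
# must not match (api.ip.sb is the geolocation lookup one sample made; the
# example.com line is an ordinary search query with a similar-looking parameter).
SAMPLE_URLS = [
    "http://www.oubacm.com/nff/?YVMpBHt0=kOxlMsEhw03d2uVAXOQvqY0Z9Dr8MJKVGpE1ntbYQyc+dfdbIt8ZzdDOAXb/KtdGaagqSSjC&BvI=BR-4Xr",
    "http://www.shopihy.com/p2io/?Bb=Ei6RqbmvJXwd1KhoWyb/BZtLNDk4B448l51n8Zz8P/g/u3IBdZc5bHR/QCXBboISRM182550&uTg8S=yVCTVbEP",
    "http://manvim.co/fd3/fre.php",
    "http://manvim.co/fd5/fre.php",
    "http://37.0.10.99/PL341/index.php",
    "http://144.48.240.173:29106/services.exe",
    "https://api.ip.sb/geoip",
    "https://www.example.com/search?q=formbook&page=2",
]

# Shapes abstracted from the URLs in the listing. Assumptions for this example,
# not the Emerging Threats rules that produced the alerts.
FORMBOOK_DIR = re.compile(r"^/[a-z0-9]{3,4}/$")       # /nff/, /o9pi/, /p2io/
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")     # long base64-like blob


def raw_query_pairs(query):
    """Split a query string WITHOUT decoding it. The FormBook blob carries
    literal '+' characters, which urllib.parse.parse_qsl would turn into
    spaces and so break the base64 check."""
    return [p.split("=", 1) for p in query.split("&") if "=" in p]


def looks_like_formbook_checkin(url):
    """Plain-HTTP GET to a 3-4 character directory with exactly two parameters:
    a long base64-like blob followed by a short trailer."""
    u = urlsplit(url)
    if u.scheme != "http" or not FORMBOOK_DIR.match(u.path):
        return False
    pairs = raw_query_pairs(u.query)
    if len(pairs) != 2:
        return False
    (_, blob), (_, tail) = pairs
    return bool(B64ISH.match(blob)) and 1 <= len(tail) <= 16


def looks_like_lokibot_gate(url):
    """Both LokiBot samples in the listing report to a .../fre.php gate."""
    u = urlsplit(url)
    return u.scheme == "http" and u.path.endswith("/fre.php")


def dotted_quad_host(url):
    """Request to a bare IPv4 literal instead of a hostname."""
    try:
        ipaddress.IPv4Address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def classify(url):
    """Most specific label first; None when nothing matches."""
    if looks_like_formbook_checkin(url):
        return "formbook-checkin"
    if looks_like_lokibot_gate(url):
        return "lokibot-gate"
    if dotted_quad_host(url):
        return "dotted-quad-host"
    return None


def triage(urls):
    """Return ({url: label} for every match, set of hosts worth blocking)."""
    hits = {}
    for url in urls:
        label = classify(url)
        if label:
            hits[url] = label
    hosts = {urlsplit(url).hostname for url in hits}
    return hits, hosts


if __name__ == "__main__":
    hits, hosts = triage(SAMPLE_URLS)
    for url, label in hits.items():
        print(f"{label:17} {url}")
    print("block:", ", ".join(sorted(hosts)))
```

The query string is split by hand rather than with parse_qsl because the FormBook parameter value contains unescaped '+' and '/', which a decoding parser would alter before the base64 test runs. All three checks are hunting heuristics, not verdicts: an internal HTTP API with a short path and a long token would trip the FormBook shape, and the dotted-quad check is only a prompt to look at what was fetched. Treat the Suricata alerts in the listing as the authoritative signal and use the returned host set as the blocklist candidate.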