Sandbox task listing, 2021-08-25, tasks 11761 to 11775

Layout of each entry (reconstructed from the flattened table): task ID | submission time | submitter; sample filename and MD5; the sandbox's behaviour tags as emitted; requested URLs (count); contacted hosts (count; a resolved IP follows the name in parentheses, "name()" means the name did not resolve, and "- malicious" / "- phishing" / "- malware" is the sandbox's reputation label for the entry just before it); IDS alerts (count); C2 / malicious URLs (count); score | the listing's "M" column | VirusTotal detection count (blank wherever the sample carries no VirusTotal tag). "(count, not listed)" marks a non-zero count whose entries the listing does not show.

11761 | 2021-08-25 09:14 | ZeroCERT
  Sample: CD.exe  MD5 ae03778cf368977eea85419acfc768d9
  Tags: RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs (1, not listed)
  Hosts (3): api.ip.sb(172.67.75.172) 104.26.13.31 141.95.23.41 - malicious
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  C2 URLs: none
  Score 6.8 | M | VirusTotal: none recorded

11762 | 2021-08-25 09:15 | ZeroCERT
  Sample: 1.exe  MD5 a1e0aa315c2caf13f0f7edacea3e9aea
  Tags: RAT Generic Malware Malicious Library Antivirus Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE6 VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
  URLs (2):
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
    https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe
  Hosts (4): ocsp.digicert.com(117.18.237.29) cdn.discordapp.com(162.159.134.233) - malware 117.18.237.29 162.159.129.233 - malware
  IDS alerts: none
  C2 URLs: none
  Score 10.4 | M | VirusTotal: 42

11763 | 2021-08-25 09:16 | ZeroCERT
  Sample: vbc.exe  MD5 5ba5c0d5ca760b500600849aad55ffec
  Tags: PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
  URLs (1):
    http://65.21.223.84/~t/i.html/mbg7yLEpVUXfM - rule_id: 4356
  Hosts (1, not listed)
  IDS alerts (5):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  C2 URLs (1):
    http://65.21.223.84/~t/i.html
  Score 7.8 | M | VirusTotal: none recorded

11764 | 2021-08-25 09:16 | ZeroCERT
  Sample: can.exe  MD5 941ffbcc54a5826dde6e2d35f2fc761d
  Tags: PE File PE32 VirusTotal Malware WMI RWX flags setting unpack itself ComputerName crashed
  URLs: none | Hosts: none | IDS alerts: none | C2 URLs: none
  Score 3.2 | M | VirusTotal: 19

11765 | 2021-08-25 09:18 | ZeroCERT
  Sample: nbfile.exe  MD5 c75ba05218d933731e55edf937460b86
  Tags: UPX Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
  URLs: none | Hosts: none | IDS alerts: none | C2 URLs: none
  Score 2.0 | M | VirusTotal: 21

11766 | 2021-08-25 09:19 | ZeroCERT
  Sample: fdseventeenzx.exe  MD5 19240f4b0efd2c8ed2f7fcc0835fad17
  Tags: Loki PWS Loki[b] Loki.m RAT Generic Malware Admin Tool (Sysinternals etc ...) Anti_VM DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key Software
  URLs (1):
    http://manvim.co/fd17/fre.php - rule_id: 4252
  Hosts (2): manvim.co(45.156.24.6) - malicious 45.156.24.6
  IDS alerts (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Fake 404 Response
  C2 URLs (1):
    http://manvim.co/fd17/fre.php
  Score 13.4 | M | VirusTotal: 32

11767 | 2021-08-25 09:21 | ZeroCERT
  Sample: v2.exe  MD5 b42512d71c3f14e98719d6036148f8f9
  Tags: RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs (1, not listed)
  Hosts (3): api.ip.sb(104.26.13.31) 195.2.78.163 104.26.13.31
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  C2 URLs: none
  Score 8.8 | M | VirusTotal: 33

11768 | 2021-08-25 09:21 | ZeroCERT
  Sample: vbc.exe  MD5 88edb353bbf9259f0e5eb0830df37086
  Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key
  URLs (2):
    http://www.wrg-referrals.com/b6cu/?Tj=fPxRTLMEZqSgZG8FNoOWfqBucxYqhmqN1pK96IwIV9bSZwvtX5xjyugxBOQeybrPpWmy7szm&6l=s8eTzlAXATylM
    http://www.freedownloadbiz.info/b6cu/?Tj=jXWkHSc2ZyHJS3BmNHN6MvtQCT40AMmKDINV4DjTDfuj9RfOhNLCD9USSIKdul+56GiADOwV&6l=s8eTzlAXATylM
  Hosts (8): www.freedownloadbiz.info(188.72.236.136) www.wrg-referrals.com(40.76.50.119) www.styleandsoulshift.com() www.mgm2348543.com(91.195.240.94) www.tiantianhanju.com() 188.72.236.136 91.195.240.94 - phishing 40.76.50.119
  IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
  C2 URLs: none
  Score 12.4 | M | VirusTotal: 16

11769 | 2021-08-25 09:23 | ZeroCERT
  Sample: 1.exe  MD5 8ed30c6c10b4ce0567bd443935666e7b
  Tags: RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs (1, not listed)
  Hosts (3): api.ip.sb(172.67.75.172) 138.124.186.42 104.26.13.31
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  C2 URLs: none
  Score 7.8 | M | VirusTotal: 33

11770 | 2021-08-25 09:23 | ZeroCERT
  Sample: arasholit.exe  MD5 353ad3cb7e6b9237e7e7bb96e2b0e5a4
  Tags: RAT PWS .NET framework Generic Malware PE File OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs (1, not listed)
  Hosts (3): api.ip.sb(172.67.75.172) 104.26.13.31 51.254.69.209
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  C2 URLs: none
  Score 7.8 | M | VirusTotal: 33

11771 | 2021-08-25 09:58 | r0d
  Sample: can.exe  MD5 941ffbcc54a5826dde6e2d35f2fc761d (same file as task 11764)
  Tags: Generic Malware PE File PE32 VirusTotal Malware WMI RWX flags setting unpack itself ComputerName crashed
  URLs: none | Hosts: none | IDS alerts: none | C2 URLs: none
  Score 3.2 | M | VirusTotal: 19

11772 | 2021-08-25 10:01 | r0d
  Sample: vbc.exe  MD5 5ba5c0d5ca760b500600849aad55ffec (same file as task 11763)
  Tags: Generic Malware PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory unpack itself installed browsers check Browser Email ComputerName DNS Software crashed
  URLs (1):
    http://65.21.223.84/~t/i.html/mbg7yLEpVUXfM - rule_id: 4356
  Hosts (1, not listed)
  IDS alerts (5):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
  C2 URLs (1):
    http://65.21.223.84/~t/i.html
  Score 8.2 | M | VirusTotal: 26

11773 | 2021-08-25 10:09 | ZeroCERT
  Sample: lv.exe  MD5 f1b4d4902447ce5caab448a1ceea1279
  Tags: Gen1 Gen2 Themida Packer Generic Malware Malicious Library Malicious Packer PE File PE32 GIF Format DLL OS Processor Check VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare AppData folder AntiVM_Disk VMware anti-virtualization VM Disk Size Check human activity check Windows ComputerName Firmware crashed
  URLs: none
  Hosts (1, not listed)
  IDS alerts: none
  C2 URLs: none
  Score 9.4 | M | VirusTotal: 32

11774 | 2021-08-25 10:09 | ZeroCERT
  Sample: vbc.exe  MD5 d48fbec5c6a2edf4893023951dd6c021
  Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) Antivirus AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
  URLs (6):
    http://www.toniconnerskincare.com/ars4/?nflpdH=U5uSb6Wf/Orn2X36u30TAzTep9EEJbmgsA6FRh+xAmndl5C3XazwDI7hszE8DY3b5UFzxdNE&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.loansuvidahcendar.com/ars4/?nflpdH=QuvpKXmZGmCeUfgrsNY6MFwHNWt7PO5iErW0bGwBVlopLLZak+nU6B2Rv20ubhmpLvP5+9M2&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.prizevipforu.xyz/ars4/?nflpdH=sJo4DuSkVFkPhc0NXJdkJpigcFowV9+JtreJGGn9pXw3N8sclVWzfzFD8Yz5Lt6ouVf7NNlw&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.weelinked.com/ars4/?nflpdH=GTHaRcvuJVgH66YOjWxoyyOxpJQa/jbcd5dHHBj46gOXgvOgqPFlJs86IfdHkbMHPgCJdJBa&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.dhruvdhing.com/ars4/?nflpdH=3TTuzfoOGQ/ZUvJaXTHhqJnJRIjtMiOjlRvtsN7fHayofq2cQFGemuK9JCeegPBM6chVGc49&v2Jx4=3f-PJvLh7TaL-4D0
    http://www.126020cp.com/ars4/?nflpdH=j0S2aw9Lyphb4Lf5G7ZbWu2J7qE5Z+C257pLquSeqd5Bv4YKvkozLvCFLxqtCxDBQLbdbruT&v2Jx4=3f-PJvLh7TaL-4D0
  Hosts (17): www.jetboard.center() www.126020cp.com(154.90.33.98) www.weelinked.com(2.57.90.16) www.smileyon.com() www.toniconnerskincare.com(182.50.132.242) www.loansuvidahcendar.com(199.59.242.153) www.320915.com() www.prizevipforu.xyz(3.37.137.87) www.limagedesigns.com() www.dhruvdhing.com(198.24.151.139) www.bigboreenterprises.com() 2.57.90.16 - malicious 199.59.242.153 - malicious 182.50.132.242 - malicious 198.24.151.139 154.90.33.98 15.164.147.227
  IDS alerts (2):
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING Request to .XYZ Domain with Minimal Headers
  C2 URLs: none
  Score 11.4 | (M blank) | VirusTotal: none recorded

11775 | 2021-08-25 10:11 | ZeroCERT
  Sample: file.exe  MD5 03903dd6bc470a44ed1cb27e4e965854
  Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
  URLs: none | Hosts: none | IDS alerts: none | C2 URLs: none
  Score 2.0 | M | VirusTotal: 27
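The host and URL fields above are what an analyst actually lifts out of a listing like this, and they have a small grammar of their own: "name(ip)", "name()" for an unresolved name, bare IPs, and a trailing "- label" that belongs to the entry just before it. The parser below is an added example, not code from the sandbox or from anyone who submitted these tasks. It reads a few records copied from the listing (tasks 11762, 11763, 11768 and 11772, with their own hashes, hosts and URLs; nothing is invented), separates blockable domains and IPs from the shared services the samples touch, groups the FormBook check-ins by path and query-parameter names so that all decoy domains of one configuration fall together, and flags resubmissions of the same MD5. The SHARED_INFRA set is my assumption, not the listing's: api.ip.sb is a public IP-echo service, ocsp.digicert.com is DigiCert's OCSP responder and cdn.discordapp.com is a general-purpose CDN, so none of them is attacker-controlled even where the sandbox labels the host "malware"; the full Discord attachment URL is still kept as an indicator.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed input: raw field strings copied from tasks 11762, 11763, 11768 and 11772 of
# this listing. Hashes, hostnames, IPs and URLs are the page's own; nothing is invented.
RECORDS = [
    {"task": 11762, "md5": "a1e0aa315c2caf13f0f7edacea3e9aea",
     "urls": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D "
             "https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe",
     "hosts": "ocsp.digicert.com(117.18.237.29) cdn.discordapp.com(162.159.134.233) - malware "
              "117.18.237.29 162.159.129.233 - malware"},
    {"task": 11763, "md5": "5ba5c0d5ca760b500600849aad55ffec",
     "urls": "http://65.21.223.84/~t/i.html/mbg7yLEpVUXfM - rule_id: 4356", "hosts": ""},
    {"task": 11768, "md5": "88edb353bbf9259f0e5eb0830df37086",
     "urls": "http://www.wrg-referrals.com/b6cu/?Tj=fPxRTLMEZqSgZG8FNoOWfqBucxYqhmqN1pK96IwIV9bSZwvtX5xjyugxBOQeybrPpWmy7szm&6l=s8eTzlAXATylM "
             "http://www.freedownloadbiz.info/b6cu/?Tj=jXWkHSc2ZyHJS3BmNHN6MvtQCT40AMmKDINV4DjTDfuj9RfOhNLCD9USSIKdul+56GiADOwV&6l=s8eTzlAXATylM",
     "hosts": "www.freedownloadbiz.info(188.72.236.136) www.wrg-referrals.com(40.76.50.119) "
              "www.styleandsoulshift.com() www.mgm2348543.com(91.195.240.94) www.tiantianhanju.com() "
              "188.72.236.136 91.195.240.94 - phishing 40.76.50.119"},
    {"task": 11772, "md5": "5ba5c0d5ca760b500600849aad55ffec",
     "urls": "http://65.21.223.84/~t/i.html/mbg7yLEpVUXfM - rule_id: 4356", "hosts": ""},
]

# Assumption (not from the listing): services the samples contact that are not attacker
# infrastructure. Blocking these by name or IP would break legitimate software.
SHARED_INFRA = {"api.ip.sb", "ocsp.digicert.com", "cdn.discordapp.com"}

HOST_TOKEN = re.compile(r"([\w.-]+)\(([\d.]*)\)")
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_hosts(field):
    """Turn a 'hosts' field into [(hostname, ip, label)].

    Entries are 'name(ip)', 'name()' (unresolved) or a bare IP; a following
    '- label' (e.g. '- phishing') annotates the entry immediately before it."""
    entries, tokens, i = [], field.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and i + 1 < len(tokens) and entries:
            name, ip, _ = entries[-1]
            entries[-1] = (name, ip, tokens[i + 1])
            i += 2
            continue
        m = HOST_TOKEN.fullmatch(tok)
        if m:
            entries.append((m.group(1), m.group(2) or None, None))
        elif IPV4.fullmatch(tok):
            entries.append((None, tok, None))
        i += 1
    return entries


def parse_urls(field):
    """Return [(url, rule_id_or_None)]; the '- rule_id: N' suffix is optional."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in re.finditer(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?", field)]


def c2_signature(url):
    """(path, sorted query-parameter names). The FormBook check-ins in this listing reuse
    one path and the same two parameter names on every decoy domain, so this key groups
    all domains of one configuration regardless of the per-request encoded values."""
    parts = urlsplit(url)
    keys = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return parts.path, keys


def group_by_signature(urls):
    groups = {}
    for url in urls:
        groups.setdefault(c2_signature(url), []).append(urlsplit(url).hostname)
    return groups


def extract_iocs(record):
    """Blockable domains and IPs plus every URL; shared services are reported separately.
    IPs that a shared-infrastructure name resolved to are dropped from the blockable set;
    a bare IP next to one (162.159.129.233 in task 11762) is left for manual review."""
    urls = [u for u, _ in parse_urls(record["urls"])]
    domains, ips, infra, infra_ips = set(), set(), set(), set()
    for name, ip, _label in parse_hosts(record["hosts"]):
        if name in SHARED_INFRA:
            infra.add(name)
            if ip:
                infra_ips.add(ip)
        elif name:
            domains.add(name)
            if ip:
                ips.add(ip)
        elif ip:
            ips.add(ip)
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host in SHARED_INFRA:
            infra.add(host)
        elif IPV4.fullmatch(host):
            ips.add(host)
        elif host:
            domains.add(host)
    return {"md5": record["md5"], "domains": domains, "ips": ips - infra_ips,
            "urls": set(urls), "shared_infra": infra}


def find_resubmissions(records):
    """Same MD5 submitted more than once (tasks 11763 and 11772): dedupe before sharing."""
    by_md5 = {}
    for r in records:
        by_md5.setdefault(r["md5"], []).append(r["task"])
    return {h: tasks for h, tasks in by_md5.items() if len(tasks) > 1}


if __name__ == "__main__":
    for r in RECORDS:
        print(r["task"], extract_iocs(r))
    print(group_by_signature([u for u, _ in parse_urls(RECORDS[2]["urls"])]))
    print(find_resubmissions(RECORDS))
```

The signature grouping is the part worth keeping: FormBook rotates through many registered and unregistered decoy domains per sample (17 hosts for task 11774), so a per-domain blocklist built from one run is always incomplete, whereas the path and parameter-name pair is stable across the whole configuration and is what the ET "FormBook CnC Checkin (GET)" rule keys on.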