11791 | 2021-08-26 08:33
vbc.exe | 7a2484277599f27801079f9bbda665c1
Tags: PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, installed browsers check, Browser, Email, ComputerName, DNS, Software, crashed
URLs (1): http://65.21.223.84/~t/i.html/m9vo3uzZGXz0z - rule_id: 4356
Hosts (2): 51.89.96.41; 65.21.223.84 - malicious
Alerts (5): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
Flagged URL (1): http://65.21.223.84/~t/i.html
8.6 | M | 40 | ZeroCERT

11792 | 2021-08-26 08:35
Raz.exe | c518288f75b3d5ee671193c32f88be3c
Tags: RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, ComputerName, DNS
URLs (11):
  http://www.georginagio.com/mo8t/?LhK0X=angZ+Y0u/w7Z/TuCpsmHRHDESCHOpIzBBxJ5COk5Kt3pehY0OULoSNEnB8HtWHzp2CF1TK7M&D8Ox3=zL04q8-8dVE
  http://www.fuktup.club/mo8t/?LhK0X=/BULcWSIquHw8OnHYa1/+V07ppn/VY6rSam2XeNzI1+drEQXZIJrCmOjFwfk2jftDTnFLONn&D8Ox3=zL04q8-8dVE
  http://www.calliejordan.com/mo8t/?LhK0X=gBVcGZ89JmLGng6bIzV4A8VInd6tGrNwPQJgNYnKPaAkz9RCsm77ZBEufIpMBFuq3u1hvwqi&D8Ox3=zL04q8-8dVE
  http://185.215.150.75/vb/694
  http://www.holosuitevrx.com/mo8t/?LhK0X=ZsW/3i1cHZI9pMd2tvhqDqMrI9K1cjHPdl7nqjwrKew66cBikxPL5QRBR2LLCc0YA0dDcQ3m&D8Ox3=zL04q8-8dVE
  http://www.jty-ultrasic.com/mo8t/?LhK0X=ZqLP20hbuiuQErs99NpDE5oM9XDCPLJ0BVw/TWTcl/Gf5NbfSY4NUmmGLWCADMlxmT0NLMSF&D8Ox3=zL04q8-8dVE
  http://www.richmassageinmotion.com/mo8t/?LhK0X=BuUfcB/+1IZ/Sf/SESafMakCEEDLABXjAOvgrdZxu5qT8Fo8YhfE4uWB0JtZeaj4cSpvF2Vp&D8Ox3=zL04q8-8dVE
  http://www.nextspace1.com/mo8t/?LhK0X=6Z9QXWq/qq006lZcE85CxQscgOTgcQH2WDY+xfHfUnR9LV7ALlyoU1ax6AzcyM8q+mavW9CB&D8Ox3=zL04q8-8dVE
  http://www.everythingrenovations.com/mo8t/?LhK0X=ovzwrDjk4I7ii8/Y6/7Qssa0VrTJ9YZURKwG7s1UGohjSlDFcB/GrJYNa7j2UjdZMxXvdOI/&D8Ox3=zL04q8-8dVE
  http://www.cleanasbest.com/mo8t/?LhK0X=lmOg1M8cTGagr354ZA8MEH4ZvZLLrjFdZSILQauwX2JcQzcrfDJGddPH01G19MzW5SXAeemD&D8Ox3=zL04q8-8dVE
  http://www.yizi.info/mo8t/?LhK0X=GvOD1CfQ6BrZ6OCdJ92aE8EB6DZf1GexsQ+RxqliISDVcz3cUK5DaTv6gS633/wIfEUjYB4U&D8Ox3=zL04q8-8dVE
Hosts (23): www.georginagio.com(34.98.99.30); www.ymh18.xyz(47.91.170.222); www.nextspace1.com(34.80.190.141); www.cleanasbest.com(213.186.33.5); www.holosuitevrx.com(34.98.99.30); www.everythingrenovations.com(198.185.159.145); www.fuktup.club(51.68.212.133); www.richmassageinmotion.com(216.239.38.21); www.jty-ultrasic.com(156.237.128.77); www.yizi.info(172.67.211.91); www.calliejordan.com(208.91.197.46); www.lunarpixelmon.com (unresolved); 51.68.212.133; 156.237.128.77; 172.67.211.91; 208.91.197.46 - malicious; 198.49.23.145 - malicious; 216.239.32.21 - malicious; 213.186.33.5 - malicious; 47.91.170.222 - malicious; 34.98.99.30 - phishing; 34.80.190.141 - malicious; 185.215.150.75
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
12.0 | | 16 | ZeroCERT

11793 | 2021-08-26 08:37
bill.exe | 27ee757d743631d49dcb3c6d7c90dfbe
Tags: Admin Tool (Sysinternals etc ...), Malicious Library, PE File, PE32, Emotet, VirusTotal, Malware, Buffer PE, Code Injection, buffers extracted, RWX flags setting, unpack itself, Tofsee
URLs (3):
  https://nt6sqq.sn.files.1drv.com/y4mpp6wUwjjYpF4pJniIr2AqktLZQdVZPN-jgBBWBFh7P-N2J5U63HcpYSm4fKhAjnjkwoMYxNRz-4o9ZMAfl5d6jYdkP8kofLXfZ4ETyf86DYdlpvPQt1q8sXKXeD8AOON52ygaix7bOyQsYQLDW8IwcAGNctzDhNEOYScupe6bvC5WkYHiIsb1aUO4cU49ZgLxOd9GoFlIFka1neO_ecypA/Zgwpegsteovovkqiegedbinxprysexl?download&psid=1
  https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21131&authkey=AF_kkRi5NlE5DPw
  https://nt6sqq.sn.files.1drv.com/y4mNVtGZzPYcR78EMlHGKNeHHQWKO_LnuQ1sDFBUs6Lj3A1RV9mR-XMaYq1uifSmbA5tl-PXhY-ytxbNy2KAAQ0BtrjOZPq4M9x-1FXOOgwySy0ztqS2CymrSFH8vBcnyeTC4Q-miXdvWUEuIF1YDSxr5FOCbL6s1gQplbX3KYtkLd_ijTY273zj85pzJPECKcJxDwW8qGCF7CeAamESQdJfw/Zgwpegsteovovkqiegedbinxprysexl?download&psid=1
Hosts (4): nt6sqq.sn.files.1drv.com(13.107.42.12); onedrive.live.com(13.107.42.13) - malicious; 13.107.42.13 - malicious; 13.107.42.12 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.6 | | 18 | ZeroCERT

11794 | 2021-08-26 08:38
vbc.exe | c1e872d6aea9f4c23401047114261837
Tags: RAT, Generic Malware, Admin Tool (Sysinternals etc ...), SMTP KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, Cryptographic key, crashed
URLs (1): https://pastebin.pl/view/raw/ae498e11
Hosts (2): pastebin.pl(168.119.93.163) - malicious; 168.119.93.163 - malicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | | 29 | ZeroCERT

11795 | 2021-08-26 08:41
heloo.exe | a803d6ca253630ad1c7d2d23623ce731
Tags: RAT, PWS, .NET framework, Generic Malware, SMTP KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (1): (not listed)
Hosts (3): www.google.com(172.217.27.68); 216.58.220.132; 13.107.21.200
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.6 | M | 27 | ZeroCERT

11796 | 2021-08-26 08:42
dock.exe | ba5199b37d013a27f8b20ae1d19545ab
Tags: RAT, Generic Malware, PE File, .NET EXE, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, ComputerName
URLs / Hosts / Alerts: none
1.8 | M | 27 | ZeroCERT

11797 | 2021-08-26 08:44
ppp.exe | 570a3dc73ebd68dab57a9e3212cb0641
Tags: RAT, PWS, .NET framework, Generic Malware, SMTP KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, Cryptographic key, crashed
URLs (1): (not listed)
Hosts (2): www.google.com(172.217.27.68); 172.217.163.228
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.8 | M | 32 | ZeroCERT

11798 | 2021-08-26 08:45
loader2.exe | fbae05d8fbfbb56b2a96afabfcaab501
Tags: UPX, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Tofsee
URLs (1): https://a.uguu.se/VcDkZic
Hosts (2): a.uguu.se(144.76.201.136) - malware; 144.76.201.136 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
2.2 | | 15 | ZeroCERT

11799 | 2021-08-26 08:46
vbc.exe | f34f70137d2f8238d8525b2e6561623f
Tags: UPX, PE File, PE32, Check memory, Checks debugger, unpack itself, Tofsee
URLs (1): https://a.uguu.se/RqsSvfuK
Hosts (2): a.uguu.se(144.76.201.136) - malware; 144.76.201.136 - malware
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.6 | | | ZeroCERT

11800 | 2021-08-26 08:47
loader1.exe | 6cd0a4f10dabb456456d0b7336f13116
Tags: UPX, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Tofsee
URLs (1): https://a.uguu.se/CSkrqnLH
Hosts (2): a.uguu.se(144.76.201.136) - malware; 144.76.201.136 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
2.4 | M | 21 | ZeroCERT

11801 | 2021-08-26 08:49
chekwazx.exe | 6d31f5d6aed669946107e845c8037d9f
Tags: PWS, .NET framework, Generic Malware, Admin Tool (Sysinternals etc ...), Antivirus, SMTP KeyLogger, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, Disables Windows Security, Checks Bios, Detects VirtualBox, powershell.exe wrote, Check virtual network interfaces, suspicious process, WriteConsoleW, VMware, anti-virtualization, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (6): mail.manavgatgida.com(78.142.209.253); freegeoip.app(172.67.188.154); checkip.dyndns.org(216.146.43.71); 78.142.209.253; 132.226.247.73; 104.21.19.200
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA Applayer Detect protocol only one direction; ET POLICY External IP Lookup - checkip.dyndns.org
21.0 | M | 43 | ZeroCERT

11802 | 2021-08-26 08:49
7501.ps1 | 5480fceef4e5290938cb0a23955358df
Tags: Generic Malware, Antivirus, VirusTotal, Malware, powershell, AutoRuns, WMI, Creates executable files, unpack itself, Windows, ComputerName
URLs (1): http://serv01.nerdpol.ovh:7501/Vre
Hosts (2): serv01.nerdpol.ovh(185.81.157.187); 185.81.157.187
Alerts: none
4.4 | | 3 | ZeroCERT

11803 | 2021-08-26 08:51
ebb.exe | 92d6baf79e990130a1db2175731d4e46
Tags: PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, VirusTotal, Malware, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows, Browser, ComputerName, DNS, Cryptographic key, DDNS, crashed
URLs (8): http://ck7.mooo.com/cgi-sys/suspendedpage.cgi; http://ck7.mooo.com/4.jpg; http://ck7.mooo.com/6.jpg; http://ck7.mooo.com/2.jpg; http://ck7.mooo.com/1.jpg; http://ck7.mooo.com/3.jpg; http://ck7.mooo.com/5.jpg; http://ck7.mooo.com/7.jpg
Hosts (3): ck7.mooo.com(188.241.58.142); 188.241.58.142 - phishing; 78.142.209.253
Alerts (3): ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com; ET POLICY Data POST to an image file (jpg); ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com
10.4 | M | 25 | ZeroCERT

11804 | 2021-08-26 08:52
razi.exe | b2a06b4fb1811354110a6ff29195744f
Tags: Generic Malware, Malicious Library, PE File, .NET EXE, PE32, VirusTotal, Malware
URLs / Hosts / Alerts: none
1.0 | M | 33 | ZeroCERT

11805 | 2021-08-26 09:16
vbc.exe | 7a2484277599f27801079f9bbda665c1 (same MD5 as entry 11791)
Tags: Dimnie, PE File, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, installed browsers check, Browser, Email, ComputerName, DNS, Software, crashed
URLs (1): http://65.21.223.84/~t/i.html/m9vo3uzZGXz0z - rule_id: 4356
Hosts (1): (not listed)
Alerts (5): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
Flagged URL (1): http://65.21.223.84/~t/i.html
8.6 | M | 40 | r0d
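The host, URL and alert columns in every entry above share one flattened format: hosts appear as domain(ip) or as a bare IP, each optionally followed by " - label"; URLs are space-separated; alert names run together with no delimiter. The Python below is an added example, not code from the site that produced this listing. It parses those three columns into structured IOCs, groups URLs by path and query-parameter names so that the eleven rotating FormBook domains of entry 11792 collapse into one beacon shape, and defangs indicators for sharing. The column semantics are inferred from the page, and the sample inputs are constructed from entries 11791 and 11792.

```python
"""Structured-IOC extraction for the sandbox listing above.

Added example, not code from the site that produced the listing. The column
format is inferred from the page: a host column of 'domain(ip)' or bare-IP
tokens, each optionally followed by ' - <label>'; a space-separated URL
column; and an alert column in which every rule name begins with 'ET ',
'SSLBL:' or 'SURICATA '.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

HOST_RE = re.compile(r"^([A-Za-z0-9.\-]+)\(((?:\d{1,3}\.){3}\d{1,3})?\)$")
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
ALERT_SPLIT = re.compile(r"\s+(?=ET |SSLBL:|SURICATA )")

# Constructed sample input, copied from entries 11792 and 11791 on this page.
SAMPLE_HOSTS = ("www.georginagio.com(34.98.99.30) www.lunarpixelmon.com() "
                "51.68.212.133 34.98.99.30 - phishing 213.186.33.5 - malicious")
SAMPLE_URLS = [
    "http://www.georginagio.com/mo8t/?LhK0X=angZ+Y0u/w7Z/TuCpsmHRHDESCHOpIzBBxJ5COk5Kt3pehY0OULoSNEnB8HtWHzp2CF1TK7M&D8Ox3=zL04q8-8dVE",
    "http://www.fuktup.club/mo8t/?LhK0X=/BULcWSIquHw8OnHYa1/+V07ppn/VY6rSam2XeNzI1+drEQXZIJrCmOjFwfk2jftDTnFLONn&D8Ox3=zL04q8-8dVE",
    "http://185.215.150.75/vb/694",
]
SAMPLE_ALERTS = ("ET MALWARE LokiBot User-Agent (Charon/Inferno) "
                 "ET MALWARE LokiBot Request for C2 Commands Detected M1 "
                 "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)")


@dataclass
class HostIOC:
    host: str             # domain name, or the bare IP when no name was listed
    ip: Optional[str]     # resolved address; None when the listing shows '()'
    label: Optional[str]  # 'malicious', 'phishing', 'malware' or None


def parse_hosts(column: str) -> list[HostIOC]:
    """Tokenise a host column such as 'a.com(1.2.3.4) 5.6.7.8 - malicious'."""
    tokens, out, i = column.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if m := HOST_RE.match(tok):
            ioc = HostIOC(m.group(1), m.group(2), None)
        elif IP_RE.match(tok):
            ioc = HostIOC(tok, tok, None)
        else:
            raise ValueError(f"unexpected host token {tok!r}")
        if i + 2 < len(tokens) and tokens[i + 1] == "-":  # trailing ' - label'
            ioc.label = tokens[i + 2]
            i += 3
        else:
            i += 1
        out.append(ioc)
    return out


def parse_alerts(column: str) -> list[str]:
    """Split the run-together Suricata alert column into individual rule names."""
    return [a for a in ALERT_SPLIT.split(column.strip()) if a]


def url_shapes(urls: list[str]) -> dict[tuple, list[str]]:
    """Group URLs by (path, sorted query-parameter names), ignoring the host.

    Beacons that keep a fixed path and parameter names while rotating domains
    (the /mo8t/?LhK0X=...&D8Ox3=... URLs in entry 11792) collapse into one
    shape; that shape, not the individual domains, is what a proxy rule keys on.
    """
    shapes: dict[tuple, list[str]] = {}
    for url in urls:
        parts = urlsplit(url)
        keys = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
        shapes.setdefault((parts.path, keys), []).append(parts.hostname)
    return shapes


def defang(indicator: str) -> str:
    """Neutralise a URL or host so it cannot be clicked when pasted into a ticket."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for h in parse_hosts(SAMPLE_HOSTS):
        print(defang(h.host), h.ip, h.label)
    for shape, hosts in url_shapes(SAMPLE_URLS).items():
        print(shape, [defang(x) for x in hosts])
    print(parse_alerts(SAMPLE_ALERTS))
```

The label suffix is attached to the immediately preceding token only, which matches how the page reads (51.89.96.41 carries no label in entry 11791 while 65.21.223.84 does). The grouping in url_shapes is deliberately host-agnostic: for FormBook-style traffic the domains change per sample, while the path and parameter names are the stable part worth blocking or alerting on.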