12361 | 2021-09-14 07:36 | recp_21000989.wbk | d22ba5af380fe520c038a458e12483fa
Tags: RTF File, doc, AntiDebug, AntiVM, LokiBot, Malware download, VirusTotal, Malware, c&c, MachineGuid, Malicious Traffic, Check memory, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
URLs (2):
  http://103.155.80.150/ssl/vbc.exe
  http://checkvim.com/fd4/fre.php
Hosts (3):
  checkvim.com(164.132.216.38) - malicious
  164.132.216.38
  103.155.80.150
Alerts (12):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.4 | | 33 | ZeroCERT

12362 | 2021-09-14 07:48 | ipc.jsp | acbc478e9703c3cadde882dd8e8258e3
Tags: AntiDebug, AntiVM, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName
4.6 | | 20 | ZeroCERT

12363 | 2021-09-14 07:59 | ipc.jsp | acbc478e9703c3cadde882dd8e8258e3
Tags: Generic Malware, Antivirus, DGA, DNS, Socket, Create Service, Sniff Audio, Escalate privileges, KeyLogger, Code injection, HTTP, Internet API, FTP, ScreenShot, Http API, Steal credential, Downloader, P2P, AntiDebug, AntiVM, VirusTotal, Cryptocurrency Miner, Malware, Cryptocurrency, powershell, AutoRuns, Code Injection, Malicious Traffic, Check memory, Checks debugger, WMI, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, suspicious TLD, WriteConsoleW, Firewall state off, IP Check, Tofsee, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (15):
  http://t.ouler.cc/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
  http://d.js88.ag/?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
  http://t.jusanrihua.com/a.jsp?rep_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*583755988
  http://t.ouler.cc/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*1953334123
  http://t.jusanrihua.com/a.jsp?rep_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*232384097
  http://t.ss700.co/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*1723852997
  http://t.qq88.ag/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
  http://t.qq88.ag/a.jsp?ipc_20210914?TEST22-PC*TEST22-PC$*2C43E82A-4640-204B-882F-B25EE182DD03*700217562
  http://t.ss700.co/report.jsp?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74&
  http://d.js88.ag/if.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
  http://d.js88.ag/knil.bin?v=6f06ca&r=2
  http://d.js88.ag/m6.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
  http://d.js88.ag/kr.bin?&TEST22-PC&2C43E82A-4640-204B-882F-B25EE182DD03&94:DE:27:8C:32:74
  http://d.js88.ag/mimi.dat?v=6f06ca&r=3
  https://api.ipify.org/
Hosts (14):
  api.ipify.org(23.21.76.7)
  api.890.la(1.117.58.154)
  t.jusanrihua.com(172.67.135.182)
  t.ouler.cc(172.67.134.190)
  d.js88.ag(104.21.28.20)
  t.qq88.ag(172.67.162.73) - malicious
  t.ss700.co(172.67.157.180)
  104.21.7.40
  104.21.28.20
  50.16.244.183
  1.117.58.154
  172.67.162.73 - malicious
  104.21.6.109
  104.21.14.39
Alerts (3):
  ET DNS Query for .cc TLD
  ET POLICY Cryptocurrency Miner Checkin M2
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 20 | guest

12364 | 2021-09-14 09:09 | AP Payout Report.jar | 277697dfa8824470aa492cdb6a4e9d5a
Tags: NPKI, Malicious Packer, Malicious Library, OS Processor Check, PE File, DLL, PE32, Malware download, NetWireRC, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, RWX flags setting, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, IP Check, Windows, Java, Email, ComputerName, DNS, DDNS, crashed
URLs (1):
Hosts (10):
  github-releases.githubusercontent.com(185.199.108.154)
  github.com(15.164.81.167) - malicious
  ip-api.com(208.95.112.1)
  stracc1.ddnsking.com(79.134.225.104) - malicious
  repo1.maven.org(199.232.196.209)
  79.134.225.104 - malicious
  151.101.196.209
  52.78.231.108 - malware
  185.199.111.154
  208.95.112.1
Alerts (4):
  ET JA3 Hash - Possible Malware - Java Based RAT
  ET POLICY DNS Query to DynDNS Domain *.ddnsking .com
  ET POLICY External IP Lookup ip-api.com
  ET MALWARE STRRAT CnC Checkin
8.6 | | 4 | ZeroCERT

12365 | 2021-09-14 09:30 | RVSD PO 2021090120.docx | 5eb18f6228962f4303e189cd382446f4
Tags: Lokibot, RTF File, doc, Word 2007 file format(docx), LokiBot, Malware download, VirusTotal, Malware, c&c, Malicious Traffic, RWX flags setting, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
URLs (3):
  http://103.155.80.150/ssl/vbc.exe - rule_id: 5138
  http://cml.lol/
  http://checkvim.com/fd4/fre.php - rule_id: 5139
Hosts (5):
  checkvim.com(164.132.216.38) - malicious
  cml.lol(52.138.218.121) - malicious
  164.132.216.38 - malicious
  103.155.80.150 - malware
  52.138.218.121 - malicious
Alerts (13):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE LokiBot Checkin
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET INFO Possible RTF File With Obfuscated Version Header
URLs (2):
  http://103.155.80.150/ssl/vbc.exe
  http://checkvim.com/fd4/fre.php
4.6 | M | 15 | ZeroCERT

12366 | 2021-09-14 09:55 | mimi.dat | a66953b8a3eeee7d5057ddf80b8be962
Tags: NPKI, Generic Malware, AntiDebug, AntiVM, OS Processor Check, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName
4.8 | M | 37 | ZeroCERT

12367 | 2021-09-14 09:56 | Re_904656001200037xls.exe | bc2b9bca947ae4fa75b70d0ee7ebf69e
Tags: RAT, PWS, .NET framework, Generic Malware, Antivirus, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, powershell, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, ICMP traffic, RWX flags setting, unpack itself, powershell.exe wrote, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
Hosts (4):
  www.youtube.com(172.217.175.46)
  www.google.com(142.250.196.132)
  142.250.207.78
  142.250.66.132
12.0 | M | 16 | ZeroCERT

12368 | 2021-09-14 09:57 | vbc.exe | 5aa59f1c07762000eb9c7fe832a65765
Tags: Malicious Library, PE File, OS Processor Check, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, Remote Code Execution, Software
URLs (3):
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://dhlglobalexpress.shop/BN22/fre.php
Hosts (2):
  dhlglobalexpress.shop(104.21.65.249)
  104.21.65.249 - malware
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
8.4 | M | 25 | ZeroCERT

12369 | 2021-09-14 09:57 | vbc.exe | a227e41467a232fb75b017d4c123db84
Tags: Malicious Library, PE File, OS Processor Check, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Malicious Traffic, Check memory, unpack itself, installed browsers check, Browser, Email, ComputerName, Remote Code Execution, Software
URLs (3):
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://dhlglobalexpress.shop/BN22/fre.php
Hosts (2):
  dhlglobalexpress.shop(172.67.195.209)
  104.21.65.249 - malware
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
8.2 | M | 31 | ZeroCERT

12370 | 2021-09-14 09:59 | 56afd74a-093d-4e33-be73-90d768... | 01facf799579f792de63f54ba8dd1627
Tags: RAT, PWS, .NET framework, Generic Malware, PE File, OS Processor Check, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (1):
  http://179.43.176.44/ - rule_id: 5070
Hosts (1):
URLs (1):
7.6 | M | 35 | ZeroCERT

12371 | 2021-09-14 10:00 | re_85412000040631.exe | 2c0b0eefba55c2f87d69a6bf911393ee
Tags: RAT, PWS, .NET framework, Generic Malware, Antivirus, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, ICMP traffic, unpack itself, powershell.exe wrote, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
URLs (5):
  http://www.blackboardlearner.com/wdhc/?t8r8=TBF4QF9io4sSEQmCaBQoZ+5gW212XRfd7333SE9A7ljtF1YvNAZ7G85Xeo7ZifkM4xIsMZPi&9r4P-=J4k0
  http://www.vz183.com/wdhc/?t8r8=dP5g+++wT75Jt3/cY7q9jIHsNYxd3EvZpJ+2BwK6sR70h/TJSvWUFQgeFwX3dpAq0q6prhJP&9r4P-=J4k0
  http://www.voicemytee.com/wdhc/?t8r8=zpZhyM68unR/dn3W++GZFm0vSNLYQKlzt1iU/GG0JzJMoZEEO2+nJXmHVsreE2sZlyW9Q7MC&9r4P-=J4k0
  http://www.mbiflhomes.com/wdhc/?t8r8=6X6gv0jEg76ASOBM1UkoKcsElCgy8dCWXCUxkH+5gzcTQlMUKHIC+4bLc3oH4yv61qQbxYm1&9r4P-=J4k0
  http://www.mariguanamexico.com/wdhc/?t8r8=IK+H3nEtbKVHI9tawXjAeQb5d9H9tD4CP46R62AD6egfawQ/s52exRcKhVKUDRoX73kchjTB&9r4P-=J4k0
Hosts (16):
  www.google.com(172.217.31.164)
  www.vz183.com(34.102.136.180)
  www.youtube.com(172.217.175.46)
  www.idchords.com(154.222.227.25)
  www.voicemytee.com(23.227.38.74)
  www.mbiflhomes.com(162.241.244.121)
  www.blackboardlearner.com(72.14.178.174)
  www.mariguanamexico.com(209.99.40.222)
  72.14.185.43
  209.99.40.222 - malicious
  34.102.136.180 - malicious
  154.222.227.25
  142.250.199.78
  142.250.66.36
  23.227.38.74 - malicious
  162.241.244.121
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
13.2 | M | 28 | ZeroCERT

12372 | 2021-09-14 10:01 | sefile3.exe | 3258c73b3aec32a97022a3af6f602ad8
Tags: Malicious Library, PE File, PE32, PDB, unpack itself, DNS
Hosts (1):
1.6 | M | | ZeroCERT

12373 | 2021-09-14 10:02 | LithiumFloodmark_.exe | 47e27edcb9be738259f5c3d81423c613
Tags: Admin Tool (Sysinternals etc ...), Malicious Library, PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, unpack itself
2.2 | M | 45 | ZeroCERT

12374 | 2021-09-14 10:04 | downloadmanager.exe | 5268264a61103d13b13afc16f6ddb4af
Tags: Malicious Library, AntiDebug, AntiVM, PE File, OS Processor Check, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Buffer PE, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, Check virtual network interfaces, WriteConsoleW, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (1):
Hosts (3):
  api.ip.sb(104.26.12.31)
  185.215.113.107 - malicious
  172.67.75.172 - malicious
Alerts (2):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.6 | M | 14 | ZeroCERT

12375 | 2021-09-14 10:04 | New_592108806100xls.exe | 9721889aa569e1cfd50d9578572d514c
Tags: RAT, PWS, .NET framework, Generic Malware, Antivirus, PE File, .NET EXE, PE32, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, WMI, Creates shortcut, ICMP traffic, unpack itself, powershell.exe wrote, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
Hosts (4):
  www.youtube.com(142.250.199.110)
  www.google.com(172.217.175.68)
  142.250.199.68
  142.250.66.110
8.6 | M | 15 | ZeroCERT