ZeroCERT sandbox report listing, entries 12661 to 12675 (submitted 2021-09-22 to 2021-09-23). Each entry: ID | submission time | file name | MD5, then the behaviour tags, contacted URLs, hosts (domain(resolved IP), with the listing's own verdict label where one was attached), IDS alerts and rule-matched URLs the sandbox recorded, and a closing line with the sandbox score, the "M" flag, the VirusTotal detection count (present only where the VirusTotal tag is) and the source.

12661 | 2021-09-22 22:30 | 10.exe | MD5 29f6d019b55cd3ab946ca70651a2bd8c
Tags: RAT, PWS, .NET framework, Generic Malware, Antivirus, AntiDebug, AntiVM, PE File, .NET EXE, PE32, PE64, Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, unpack itself, Collect installed applications, powershell.exe wrote, Check virtual network interfaces, suspicious process, malicious URLs, suspicious TLD, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, Software crashed, Downloader
URLs (4): http://f0581959.xsph.ru/sss.exe, http://ping.pushmon.com/pushmon/ping/eaFnY, http://pshmn.com/eaFnY, https://api.ip.sb/geoip
Hosts (8): ping.pushmon.com(69.197.158.18); f0581959.xsph.ru(141.8.192.151); pshmn.com(69.197.158.18); api.ip.sb(172.67.75.172); 141.8.192.151 - malware; 104.26.12.31; 185.213.209.36; 69.197.158.18
IDS alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Rule-matched URLs: none
Score 15.6 | M | VT 30 | ZeroCERT

12662 | 2021-09-22 22:32 | vbc.exe | MD5 f865e60134bf6774d24e03d2907c9791
Tags: PWS, Loki[b], Loki.m, .NET framework, Generic Malware, DNS, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1): http://checkvim.com/ga11/fre.php
Hosts (3): checkvim.com(5.180.136.169) - malicious; 141.8.192.151 - malware; 5.180.136.169
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs: none
Score 12.4 | - | VT - | ZeroCERT

12663 | 2021-09-22 22:32 | 18.exe | MD5 5389b036dc60417f5d0df36e82131b63
Tags: Gen1, Malicious Library, Malicious Packer, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, Malware download, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, MachineGuid, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, WriteConsoleW, anti-virtualization, installed browsers check, Stealer, Windows, Browser, Email, ComputerName, DNS
URLs (8): http://87.98.153.120/JWFiKu9bjC.php, http://87.98.153.120/public/vcruntime140.dll, http://87.98.153.120/public/nss3.dll, http://87.98.153.120/public/sqlite3.dll, http://87.98.153.120/public/freebl3.dll, http://87.98.153.120/public/softokn3.dll, http://87.98.153.120/public/msvcp140.dll, http://87.98.153.120/public/mozglue.dll
Hosts (1): none listed
IDS alerts (4): ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
Rule-matched URLs: none
Score 11.2 | M | VT 19 | ZeroCERT

12664 | 2021-09-22 22:33 | 21061736.exe | MD5 24a83981517c299c8b10b9dd5ca2620f
Tags: RAT, Generic Malware, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, DNS, Cryptographic key
URLs: none
Hosts (1): none listed
IDS alerts: none
Rule-matched URLs: none
Score 8.6 | M | VT 50 | ZeroCERT

12665 | 2021-09-22 22:34 | PublicDwlBrowser1100.exe | MD5 94c17903ebb08d6e352dccce353d95d4
Tags: RAT, Generic Malware, Malicious Packer, PE File, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, unpack itself
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score 2.8 | M | VT 20 | ZeroCERT

12666 | 2021-09-22 22:35 | new.exe | MD5 e1c271fec5a9b690482b700d4ed8316b
Tags: PWS, Loki[b], Loki.m, Generic Malware, DNS, Socket, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software, Software crashed
URLs (1): http://136.243.159.53/~element/page.php?id=491 - rule_id: 5135
Hosts (1): 136.243.159.53 - malicious
IDS alerts (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Rule-matched URLs (1): http://136.243.159.53/~element/page.php
Score 13.8 | M | VT 24 | ZeroCERT

12667 | 2021-09-22 22:36 | buildcpils.exe | MD5 26b9716419a2eac7f4b367e6cc06a946
Tags: RAT, Generic Malware, PE64, PE File, OS Processor Check, PNG Format, VirusTotal, Malware, AutoRuns, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, Windows, ComputerName, DNS
URLs: none
Hosts (3): api.telegram.org(149.154.167.220); 104.26.12.31; 149.154.167.220
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score 7.2 | M | VT 17 | ZeroCERT

12668 | 2021-09-22 22:38 | vbc.exe | MD5 d362ffc6b594c617852f20b87ab4bbef
Tags: RAT, PWS, .NET framework, Generic Malware, AntiDebug, AntiVM, PE File, .NET EXE, PE32, FormBook, Malware download, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, ComputerName
URLs (8): http://www.youcanaskmeto.review/nthe/?sXUXkXC=ctP9xmzI7lxydl9Y/YLT6bX/j9MPsOdNwwipT7HjIg8o+wS2Lz1BcfNN8PnCTvuZYgy3g6FL&C8bDp=9rCl-NqhJxSHIVX, http://www.overseaexpert.com/nthe/?sXUXkXC=adxOK3g9xsmhNSl6zOCArJK3IjARKLYzTcZUoFouid4O6Rc3eBhLcBKKwAzfnZ9D6vACWWi7&C8bDp=9rCl-NqhJxSHIVX, http://www.groundedheavens.com/nthe/?sXUXkXC=jMh6XVcpP4sc/0PftgVatAqq1KiqQ/Stgmq51Wal6sqYysHl9H3jG9aEYQHs+6lqbRvbBIdu&C8bDp=9rCl-NqhJxSHIVX, http://www.omelhorcurso-online.com/nthe/?sXUXkXC=+G+47tg96cSZsPTY4vQ6+M2bANvEiiHc3iFTamgPVtuV9OX9HGHgOIGgcb7RmpWuhV230ped&C8bDp=9rCl-NqhJxSHIVX, http://www.dindigulvysya.com/nthe/?sXUXkXC=+/hswLtkVvxszb1LNJLvqPb4ftc8Z6fRWBGZvwAoEVOzYphMk7n88H70z+5DzUEh7x+oQhg1&C8bDp=9rCl-NqhJxSHIVX, http://www.authorjameswshepherdonline.com/nthe/?sXUXkXC=enVshZ5pBP6SFOr7VKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKpqOeleCJ7dZ6IlpMeU4S&C8bDp=9rCl-NqhJxSHIVX, http://www.hiphopventuresllc.com/nthe/?sXUXkXC=51bJujFLc20tCGhu7cUDilKkV4KkFhJHHXn1Y5i26+oUR3M5D54rlSoo8Sdfyw6fYNd6zl42&C8bDp=9rCl-NqhJxSHIVX, http://www.yourdoor.pro/nthe/?sXUXkXC=Dq5BsXUmPYRXCS8xthBTWjkRhfDO71d0Wvsss7JChqmMe/U7sfw/yBC80fv6eqyp12jevQhj&C8bDp=9rCl-NqhJxSHIVX
Hosts (17): www.hiphopventuresllc.com(184.168.131.241); www.indianajones.club(); www.groundedheavens.com(45.84.204.115); www.authorjameswshepherdonline.com(34.102.136.180); www.omelhorcurso-online.com(108.179.193.173); www.overseaexpert.com(34.98.99.30); www.youcanaskmeto.review(99.83.154.118) - malicious; www.urfavvpimp.com(); www.dindigulvysya.com(142.111.57.185); www.yourdoor.pro(34.98.99.30); 108.179.193.173 - malicious; 184.168.131.241 - malicious; 34.102.136.180 - malicious; 99.83.154.118 - malicious; 142.111.57.185; 45.84.204.115 - malicious; 34.98.99.30 - phishing
IDS alerts (1): ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs: none
Score 9.4 | M | VT 44 | ZeroCERT

12669 | 2021-09-22 22:38 | PBrowFile11.exe | MD5 4a0f9d7e858b278ed038fc3b303d61f7
Tags: RAT, Generic Malware, Malicious Packer, PE File, OS Processor Check, .NET EXE, PE32, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, unpack itself
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score 2.6 | M | VT 19 | ZeroCERT

12670 | 2021-09-22 22:40 | 243234193.exe | MD5 358af97491dd7d9191744789b0f9e87f
Tags: RAT, PWS, .NET framework, Generic Malware, PE File, OS Processor Check, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, Software crashed
URLs (1): none listed
Hosts (3): api.ip.sb(172.67.75.172); 104.26.12.31; 80.87.192.137
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score 8.0 | M | VT 41 | ZeroCERT

12671 | 2021-09-22 22:41 | softedont.exe | MD5 271dd1b7b71a59842bac41e1be96b697
Tags: Malicious Library, PE File, OS Processor Check, PE32, VirusTotal, Malware, PDB, unpack itself, Remote Code Execution, DNS
URLs: none
Hosts (1): none listed
IDS alerts: none
Rule-matched URLs: none
Score 3.0 | M | VT 52 | ZeroCERT

12672 | 2021-09-22 22:42 | download.php | MD5 f00246dd362f2c57a69b82099bf4e4ea
Tags: VirusTotal, Malware
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score 0.8 | M | VT 25 | ZeroCERT

12673 | 2021-09-22 22:43 | 6.exe | MD5 4688225e63fefcf0b95378bd013589f7
Tags: RAT, PWS, .NET framework, Generic Malware, PE File, OS Processor Check, .NET EXE, PE32, VirusTotal, Malware, PDB, Check memory, Checks debugger, unpack itself, Windows, DNS, Cryptographic key
URLs: none
Hosts (1): 45.137.190.170 - malicious
IDS alerts: none
Rule-matched URLs: none
Score 3.8 | M | VT 39 | ZeroCERT

12674 | 2021-09-22 22:45 | rgo.exe | MD5 c4f267cb881e0a7f999b3e639772b351
Tags: Malicious Library, PE File, PE32, VirusTotal, Malware, PDB, unpack itself
URLs: none
Hosts: none
IDS alerts: none
Rule-matched URLs: none
Score 2.4 | M | VT 34 | ZeroCERT

12675 | 2021-09-23 08:25 | vbc.exe | MD5 014c2e92efa4666879aa2bfae030be10
Tags: Loki, PWS, Loki[b], Loki.m, .NET framework, Generic Malware, DNS, Socket, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, Software
URLs (1): http://checkvim.com/fd7/fre.php - rule_id: 5250
Hosts (2): checkvim.com(5.180.136.169) - malicious; 5.180.136.169
IDS alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1): http://checkvim.com/fd7/fre.php
Score 13.0 | M | VT 25 | ZeroCERT
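Several of the entries above share network infrastructure: 141.8.192.151 appears under both 12661 and 12662, checkvim.com / 5.180.136.169 under 12662 and 12675, and 104.26.12.31 under 12661, 12667 and 12670. The example below is added here and is not ZeroCERT's code: it parses the Hosts column in the form the listing uses (domain(resolved IP), bare IPs, optional " - label" verdicts, including the site's "mailcious" spelling) into structured indicators and reports every domain or IP that more than one sample contacted. The sample input is copied from four of the entries above; the function and field names are this example's own.

```python
"""Pivot on shared network infrastructure across sandbox report entries.

Added example (not ZeroCERT's code). Parses Hosts columns such as
    checkvim.com(5.180.136.169) - mailcious 141.8.192.151 - malware 5.180.136.169
into HostIOC records and finds indicators shared by several reports.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One host entry: a domain or IP, an optional "(resolved-ip)" suffix (which may be
# empty, e.g. "www.indianajones.club()"), and an optional " - label" verdict.
HOST_RE = re.compile(
    r"(?P<name>[^\s()]+)"                 # domain or dotted quad as written
    r"(?:\((?P<ip>[^)]*)\))?"             # optional resolution, possibly empty
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"   # optional verdict label
)

LABEL_FIXES = {"mailcious": "malicious"}  # normalise the listing's typo


@dataclass(frozen=True)
class HostIOC:
    report: int
    indicator: str            # domain or IP exactly as the report lists it
    resolved: Optional[str]   # IP the sandbox resolved a domain to, if any
    label: Optional[str]      # verdict label attached to this entry, if any

    @property
    def keys(self) -> Set[str]:
        """Pivot keys: the indicator itself plus the IP it resolved to."""
        return {self.indicator} | ({self.resolved} if self.resolved else set())


def parse_hosts(report_id: int, column: str) -> List[HostIOC]:
    """Parse one report's Hosts column into HostIOC records."""
    out: List[HostIOC] = []
    for m in HOST_RE.finditer(column):
        name = m.group("name")
        if name == "-":                    # stray dash without a label
            continue
        label = m.group("label")
        out.append(HostIOC(report_id, name, m.group("ip") or None,
                           LABEL_FIXES.get(label, label)))
    return out


def shared_infrastructure(reports: Dict[int, str],
                          min_reports: int = 2) -> Dict[str, Set[int]]:
    """Map each domain/IP to the reports it occurs in, keeping those seen in
    at least `min_reports` distinct reports (either directly or as a resolution)."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for report_id, column in reports.items():
        for ioc in parse_hosts(report_id, column):
            for key in ioc.keys:
                seen[key].add(report_id)
    return {k: v for k, v in seen.items() if len(v) >= min_reports}


def labels_for(reports: Dict[int, str]) -> Dict[str, Set[str]]:
    """Collect the verdict labels the listing attached to each indicator,
    propagating a domain's label to the IP it resolved to."""
    labels: Dict[str, Set[str]] = defaultdict(set)
    for report_id, column in reports.items():
        for ioc in parse_hosts(report_id, column):
            if ioc.label:
                for key in ioc.keys:
                    labels[key].add(ioc.label)
    return dict(labels)


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into tickets or chat."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


# Hosts columns copied from entries 12661, 12662, 12667 and 12675 above.
SAMPLE_REPORTS = {
    12661: "ping.pushmon.com(69.197.158.18) f0581959.xsph.ru(141.8.192.151) "
           "pshmn.com(69.197.158.18) api.ip.sb(172.67.75.172) "
           "141.8.192.151 - malware 104.26.12.31 185.213.209.36 69.197.158.18",
    12662: "checkvim.com(5.180.136.169) - mailcious 141.8.192.151 - malware 5.180.136.169",
    12667: "api.telegram.org(149.154.167.220) 104.26.12.31 149.154.167.220",
    12675: "checkvim.com(5.180.136.169) - mailcious 5.180.136.169",
}

if __name__ == "__main__":
    shared = shared_infrastructure(SAMPLE_REPORTS)
    labels = labels_for(SAMPLE_REPORTS)
    for key, ids in sorted(shared.items(), key=lambda kv: -len(kv[1])):
        tag = ",".join(sorted(labels.get(key, {"unlabelled"})))
        print(f"{defang(key):<22} reports={sorted(ids)} labels={tag}")
```

Treat the "unlabelled" rows as leads, not verdicts: shared hosts also include legitimate services many samples use, such as the public geolocation lookup api.ip.sb and api.telegram.org in the entries above, so triage them before adding anything to a blocklist.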