| 12706 |
2021-09-23 09:06
|
 nd.exe 04b038bcd154d89ee1e7758d734c0766
PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed |
|
|
|
|
10.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12707 |
2021-09-23 09:08
|
 vbc.exe a4906a4f5ece9910c5d49e2cfea35ee3
PWS .NET framework Generic Malware PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
5.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12708 |
2021-09-23 09:19
|
 vbc.exe 78655ced01a57dc43915294cc1e5d887
Malicious Library PE File OS Processor Check PE32 PDB unpack itself Remote Code Execution |
|
|
|
|
1.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12709 |
2021-09-23 09:19
|
 sdf.wbk 5a90386e6f0f0e9b7f60409fdcfcb597
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://checkvim.com/fd11/fre.php - rule_id: 4723
http://103.140.251.93/swim/vbc.exe
|
3
checkvim.com(5.180.136.169) - mailcious
103.140.251.93 - mailcious
5.180.136.169
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET INFO Executable Download from dotted-quad Host
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://checkvim.com/fd11/fre.php
|
5.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12710 |
2021-09-23 09:32
|
0922_2541267277276.doc 93cf89d232b8e35b0de0b11d1b99f680
VBA_macro Generic Malware MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
3
http://houniant.ru/8/forum.php
http://armerinin.com/8/forum.php
http://api.ipify.org/
|
5
houniant.ru(65.108.20.39)
api.ipify.org(50.19.104.221)
armerinin.com(65.108.20.39) - mailcious
65.108.20.39 - mailcious
23.23.137.115
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
8.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12711 |
2021-09-23 09:32
|
 specification-1114748542.xls bcf85cb453a5827d672791aa29c7f398
KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Code Injection unpack itself |
|
|
|
|
2.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12712 |
2021-09-23 09:34
|
 specification-1115180443.xls fd6cc864407f1dbd7e1bb73100f7fd58
MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
https://ricardopiresfotografia.com/RpuaNlWy/host.html
https://keysite.com.co/IQ3mbS6EF/host.html
https://colegiobilinguepioxii.com.co/SYqvKoF4/host.html
|
5
ricardopiresfotografia.com(94.126.169.140)
keysite.com.co(50.116.92.246)
colegiobilinguepioxii.com.co(50.116.92.246)
50.116.92.246 - malware
94.126.169.140 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12713 |
2021-09-23 10:10
|
file6.exe a92ecf7fef1451c1ebd6f7886a9e22d5
MPRESS PE File PE32 VirusTotal Malware Malicious Traffic unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Tofsee Windows Firmware crashed |
1
https://telete.in/uispolarkins2
|
2
telete.in(195.201.225.248) - mailcious
195.201.225.248 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
M |
31 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12714 |
2021-09-23 15:41
|
kinsing 648effa354b3cbaad87b45f48d59c616
Generic Malware Malicious Packer Anti_VM ELF VirusTotal Malware crashed |
|
|
|
|
1.2 |
M |
38 |
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12715 |
2021-09-23 15:55
|
 specification-1114748542.xls bcf85cb453a5827d672791aa29c7f398
MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
https://ricardopiresfotografia.com/RpuaNlWy/host.html - rule_id: 5379
https://keysite.com.co/IQ3mbS6EF/host.html
https://colegiobilinguepioxii.com.co/SYqvKoF4/host.html
|
5
ricardopiresfotografia.com(94.126.169.140) - mailcious
keysite.com.co(50.116.92.246) - mailcious
colegiobilinguepioxii.com.co(50.116.92.246) - mailcious
50.116.92.246 - malware
94.126.169.140 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://ricardopiresfotografia.com/RpuaNlWy/host.html
|
4.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12716 |
2021-09-23 16:21
|
 sss.exe 86e23a23cfe74c3076103ae580c0621c
RAT Generic Malware Antivirus Malicious Packer PE64 PE File VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.4 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12717 |
2021-09-23 17:12
|
 rundll32.exe cf830ea1d8bb5b8e007a18559f626a8c
PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
8.0 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12718 |
2021-09-23 17:13
|
 vbc.exe 1c3047465bb31dd2ac45101680301992
PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName |
9
http://www.talkingpoint.tours/arup/?o2=2Bor36X4yMIxjbsNw9nIp5JqVEJ42O++igCdDW+bLrYPiTD/F7oXSRDD+M1zQEcm+TanyebS&wR=BDKh2baXl4PtG
http://www.mezonpezon.com/arup/
http://www.cupecoysuites.com/arup/
http://www.gzwqpsyj.com/arup/
http://www.cupecoysuites.com/arup/?o2=RwnhE8KYKqsc5MSZ6w7FRLZ4FQLQ/7KQra0CoHItoXR0D3A2SypYSixvdgQRpZ3QFM6Mzxlq&wR=BDKh2baXl4PtG
http://www.royaltortoisecookieco.online/arup/?o2=xicXbxHz/T/GJ6xhDm1KxNKS1jpnVDDPGy0hKxh11bForUynj74u7eHQ98aodg6MscVdd2su&wR=BDKh2baXl4PtG
http://www.talkingpoint.tours/arup/
http://www.mezonpezon.com/arup/?o2=UNxFnBumKBpgK3E6newINllmoiRNFeGsN9mFY9q/k3SwkriE4cKly4sUG2g85kP3rxM+0vbe&wR=BDKh2baXl4PtG
http://www.royaltortoisecookieco.online/arup/
|
12
www.talkingpoint.tours(192.0.78.24)
www.penhal.com()
www.cupecoysuites.com(34.102.136.180)
www.royaltortoisecookieco.online(209.17.116.163)
www.gzwqpsyj.com(209.141.38.71)
www.xn--2kr800ab2z.group()
www.mezonpezon.com(185.4.31.82)
209.17.116.163
34.102.136.180 - mailcious
192.0.78.24 - mailcious
107.161.23.204
185.4.31.82 - malware
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12719 |
2021-09-23 17:14
|
 root.exe 57b36fc1682e874793dd47a47abf3ccb
Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.4 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12720 |
2021-09-23 17:18
|
 Explore.exe 430dbfc5a121697ed066809cbf1ed3a3
RAT PWS .NET framework AgentTesla(IN) Generic Malware Admin Tool (Sysinternals etc ...) Malicious Packer UPX Malicious Library DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW human activity check Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
|
5
www.google.com(172.217.161.36)
142.250.204.36
13.107.21.200
142.250.66.68
185.140.53.52
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Possible NanoCore C2 60B
|
|
16.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|