12916 | 2023-05-25 09:33
Sample: ijijijijijijijijijijiji%23%23%... MD5 d251d3dc70ec562e6e92ac28c05f1aa9
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (1): http://23.95.122.242/271/CK_CACHE.exe
Hosts (1): (not listed)
Alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 31 | ZeroCERT

12917 | 2023-05-25 09:31
Sample: hussanzx.exe MD5 b40484b0048fc319745734e99446d4d5
Tags: Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1): http://161.35.102.56/~nikol/?p=74818831363
Hosts (1): (not listed)
Alerts (5):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M2
15.0 | M | 41 | ZeroCERT

12918 | 2023-05-25 09:31
Sample: Otisdssd.exe MD5 f89e45ac209d202a8f38df822afbd71c
Tags: RAT .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself
1.8 | M | 17 | ZeroCERT

12919 | 2023-05-25 09:29
Sample: INT_CACHE.exe MD5 2fedad2f88722142df214c3f34e00708
Tags: Loki_b Loki_m Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://171.22.30.164/fresh1/five/fre.php
Hosts (1): 171.22.30.164 - mailcious
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
13.6 | M | 30 | ZeroCERT

12920 | 2023-05-25 09:29
Sample: INT_CACHE.exe MD5 0be154b22d831552551fc0bc74aae9dc
Tags: Loki Loki_b Loki_m Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://185.246.220.85/fresh/five/fre.php - rule_id: 28273
Hosts (1): 185.246.220.85 - mailcious
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1): http://185.246.220.85/fresh/five/fre.php
13.2 | M | 30 | ZeroCERT

12921 | 2023-05-25 08:17
Sample: IE_NETWORK.exe MD5 25d283fc68f2c655fa23ad84525e7f20
Tags: Formbook Generic Malware Antivirus PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (12):
  http://www.towfire.life/f619/ - rule_id: 33475
  http://www.towfire.life/f619/?gj9u2D2b=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&hTOD1=q06upvjv_ghP_ - rule_id: 33475
  http://www.smartinnoventions.com/f619/?gj9u2D2b=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&hTOD1=q06upvjv_ghP_ - rule_id: 33493
  http://www.gospelfy.online/f619/?gj9u2D2b=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&hTOD1=q06upvjv_ghP_ - rule_id: 33496
  http://www.gospelfy.online/f619/ - rule_id: 33496
  http://www.smartinnoventions.com/f619/ - rule_id: 33493
  http://www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip
  http://www.sockmomma.com/f619/ - rule_id: 33498
  http://www.queenkidul.com/f619/?gj9u2D2b=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&hTOD1=q06upvjv_ghP_ - rule_id: 33497
  http://www.intake-tree.com/f619/?gj9u2D2b=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&hTOD1=q06upvjv_ghP_ - rule_id: 33494
  http://www.queenkidul.com/f619/ - rule_id: 33497
  http://www.intake-tree.com/f619/ - rule_id: 33494
Hosts (13):
  www.towfire.life(67.223.117.160) - mailcious
  www.queenkidul.com(45.130.230.191) - mailcious
  www.smartinnoventions.com(5.157.87.204) - mailcious
  www.gospelfy.online(185.27.134.115) - mailcious
  www.sockmomma.com(154.94.121.119) - mailcious
  www.intake-tree.com(34.201.80.84) - mailcious
  45.130.230.191 - mailcious
  154.94.121.119 - mailcious
  67.223.117.160 - mailcious
  185.27.134.115 - mailcious
  45.33.6.223
  54.91.6.89
  5.157.87.204 - mailcious
Alerts (3):
  ET INFO Observed DNS Query to .life TLD
  ET INFO HTTP Request to Suspicious *.life Domain
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (11):
  http://www.towfire.life/f619/
  http://www.towfire.life/f619/
  http://www.smartinnoventions.com/f619/
  http://www.gospelfy.online/f619/
  http://www.gospelfy.online/f619/
  http://www.smartinnoventions.com/f619/
  http://www.sockmomma.com/f619/
  http://www.queenkidul.com/f619/
  http://www.intake-tree.com/f619/
  http://www.queenkidul.com/f619/
  http://www.intake-tree.com/f619/
11.2 | M | 17 | ZeroCERT

12922 | 2023-05-25 07:52
Sample: ijijijijiijijijiiji%23%23%23%2... MD5 475d254427357e852f35dee44ff69d57
Tags: Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (12):
  http://www.queenkidul.com/f619/?DCc2aufU=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&gC7=anralcBZD - rule_id: 33497
  http://www.towfire.life/f619/ - rule_id: 33475
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip
  http://46.183.221.116/125/IE_NETWORK.exe
  http://www.gospelfy.online/f619/ - rule_id: 33496
  http://www.smartinnoventions.com/f619/ - rule_id: 33493
  http://www.towfire.life/f619/?DCc2aufU=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&gC7=anralcBZD - rule_id: 33475
  http://www.intake-tree.com/f619/?DCc2aufU=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&gC7=anralcBZD - rule_id: 33494
  http://www.smartinnoventions.com/f619/?DCc2aufU=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&gC7=anralcBZD - rule_id: 33493
  http://www.gospelfy.online/f619/?DCc2aufU=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&gC7=anralcBZD - rule_id: 33496
  http://www.queenkidul.com/f619/ - rule_id: 33497
  http://www.intake-tree.com/f619/ - rule_id: 33494
Hosts (12):
  www.towfire.life(67.223.117.160) - mailcious
  www.queenkidul.com(45.130.230.191) - mailcious
  www.smartinnoventions.com(5.157.87.204) - mailcious
  www.gospelfy.online(185.27.134.115) - mailcious
  www.intake-tree.com(34.201.80.84) - mailcious
  45.130.230.191 - mailcious
  67.223.117.160 - mailcious
  185.27.134.115 - mailcious
  54.157.4.65 - mailcious
  45.33.6.223
  46.183.221.116 - malware
  5.157.87.204 - mailcious
Alerts (9):
  ET INFO HTTP Request to Suspicious *.life Domain
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET INFO Observed DNS Query to .life TLD
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (10):
  http://www.queenkidul.com/f619/
  http://www.towfire.life/f619/
  http://www.gospelfy.online/f619/
  http://www.smartinnoventions.com/f619/
  http://www.towfire.life/f619/
  http://www.intake-tree.com/f619/
  http://www.smartinnoventions.com/f619/
  http://www.gospelfy.online/f619/
  http://www.queenkidul.com/f619/
  http://www.intake-tree.com/f619/
4.8 | M | 29 | ZeroCERT

12923 | 2023-05-25 07:45
Sample: a0UFMZnC6ltxphw.dat MD5 9c62d0040b9577c8484377357f673dc6
Tags: UPX Malicious Library AntiDebug AntiVM OS Processor Check DLL PE File PE32 Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted RWX flags setting unpack itself sandbox evasion Browser ComputerName crashed
6.6 | M | | ZeroCERT

12924 | 2023-05-24 19:38
Sample: IE_CACHES.exe MD5 0b7de5ae22b768e277f8d6be97291ce0
Tags: Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
2.8 | M | 27 | ZeroCERT

12925 | 2023-05-24 19:06
Sample: IE_NET_CACHE.exe MD5 ddbead253591c7f1106ac6ad48367df9
Tags: Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
3.0 | M | 30 | ZeroCERT

12926 | 2023-05-24 18:52
Sample: po-docs-may24.exe MD5 14d2501921d7cf94f36f5deb78c93982
Tags: UPX Malicious Library Admin Tool (Sysinternals etc ...) MZP Format PE File PE32 VirusTotal Malware RWX flags setting unpack itself Check virtual network interfaces Tofsee crashed
URLs (2):
  http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
  http://onedrive.live.com/download?cid=4FE79169F14FE906&resid=4FE79169F14FE906%21197&authkey=AJx2lN6RUxuMay0
Hosts (4):
  cacerts.digicert.com(152.195.38.76)
  onedrive.live.com(13.107.42.13) - mailcious
  13.107.42.13 - mailcious
  152.195.38.76
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 | | 23 | ZeroCERT

12927 | 2023-05-24 18:43
Sample: File.7z MD5 6eaee08cad156f12d3c3fbe4329c5d81
Tags: MPRESS PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself IP Check Tofsee DNS
URLs (5):
  http://85.208.136.10/api/tracemap.php - rule_id: 32662
  http://208.67.104.60/api/tracemap.php - rule_id: 28876
  http://www.maxmind.com/geoip/v2.1/city/me
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
Hosts (13):
  api.db-ip.com(104.26.5.15)
  db-ip.com(172.67.75.166)
  ipinfo.io(34.117.59.81)
  www.maxmind.com(104.17.214.67)
  172.67.75.166
  104.26.4.15
  104.17.215.67
  85.208.136.10 - mailcious
  34.117.59.81
  104.26.5.15
  94.142.138.113 - mailcious
  208.67.104.60 - mailcious
  104.17.214.67
Alerts (2):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (2):
  http://85.208.136.10/api/tracemap.php
  http://208.67.104.60/api/tracemap.php
4.2 | M | 3 | ZeroCERT

12928 | 2023-05-24 18:34
Sample: Install.7z MD5 a44c305a1e65c789d98af4ac9821cd3b
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee DNS
URLs (5):
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://www.maxmind.com/geoip/v2.1/city/me
  http://208.67.104.60/api/tracemap.php - rule_id: 28876
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
Hosts (11):
  api.db-ip.com(104.26.4.15)
  db-ip.com(104.26.4.15)
  ipinfo.io(34.117.59.81)
  www.maxmind.com(104.17.215.67)
  104.26.4.15
  104.17.215.67
  94.142.138.131 - mailcious
  34.117.59.81
  104.26.5.15
  208.67.104.60 - mailcious
  104.17.214.67
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Rule-matched URLs (2):
  http://94.142.138.131/api/tracemap.php
  http://208.67.104.60/api/tracemap.php
4.2 | M | | ZeroCERT

12929 | 2023-05-24 18:28
Sample: build2.exe MD5 2a232439bc6ecde0d0c5e85aa3ad04fc
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution DNS
Hosts (1): 91.235.128.141 - mailcious
3.0 | M | 50 | ZeroCERT

12930 | 2023-05-24 18:26
Sample: smithempirezx.exe MD5 25641d1ceaa404b8ec80748246ac767d
Tags: SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
Hosts (2):
  cp5ua.hyperhost.ua(91.235.128.141) - mailcious
  91.235.128.141 - mailcious
Alerts (2):
  SURICATA Applayer Detect protocol only one direction
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | M | 24 | ZeroCERT