13096 | 2021-10-05 09:42 | arioriginlogg.exe 964ecfcb2d909a8d942058e28bf621a3 AgentTesla(IN) Generic Malware Malicious Packer UPX Malicious Library PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself | | | | | 2.4 | M | 48 | ZeroCERT

13097 | 2021-10-05 09:45 | vbc.exe d0a5f37532a8e86b5790e628193c1bd2 Loki PWS Loki[b] Loki.m .NET framework Generic Malware DNS Socket AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software | 1: http://checkvim.com/ga11/fre.php - rule_id: 5418 | 2: checkvim.com(85.192.56.106) - mailcious 85.192.56.106 | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response | 1: http://checkvim.com/ga11/fre.php | 13.2 | M | 31 | ZeroCERT

13098 | 2021-10-05 09:45 | vbc.exe 189b5fb512ac70ee220a527a22ab0950 RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed | 1: http://apps.identrust.com/roots/dstrootcax3.p7c | 4: textbin.net(51.79.99.124) apps.identrust.com(52.217.168.221) 52.217.99.219 51.79.99.124 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 2.4 | | 13 | ZeroCERT

13099 | 2021-10-05 09:47 | winxplorer.exe 1b68afffad286bd909572d959b9a2e5c RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee | 1: http://apps.identrust.com/roots/dstrootcax3.p7c | 4: textbin.net(51.79.99.124) apps.identrust.com(52.216.154.179) 52.216.145.82 51.79.99.124 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 2.2 | | 19 | ZeroCERT

13100 | 2021-10-05 09:47 | ugopoundzx.exe 1454d63297f54fac97a7cc7d69cfaf2c PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | 2: http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 | 4: freegeoip.app(172.67.188.154) checkip.dyndns.org(132.226.8.169) 216.146.43.70 - suspicious 172.67.188.154 | 4: ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 12.4 | | 17 | ZeroCERT

13101 | 2021-10-05 09:50 | bin.exe e78a8c49a3846c8224702bdfe143d6b9 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself | 7: http://www.tanzibkarate.quest/n092/?Bld=mM5Ml+T6RzjtHa1ctXPWFZx/OlR+qTO/DcYgr0w797fzZ94DEcy52GQaH8JrHCfhd5GgPpkF&r6A=G6c0dRzHq - rule_id: 5448 http://www.fortydaysaesthetic.com/n092/?Bld=oQleJmaEgzKBDTBqICtlcFk4YEVTqAB2/ulKEkHAuuts8gGI0nMMNBIi4FmXfO/4TD1x4YF7&r6A=G6c0dRzHq http://www.cnywocean.com/n092/?Bld=/iG1qSKtWehTQk0BcTPY57A0JXytml7b+CiV37SpW7iWmJYPe6fol6cil6+9AZT+ADYdHKgv&r6A=G6c0dRzHq http://www.lvchicagoclassics.com/n092/?Bld=40VGfea9o5HEcvYxXrDTdfjExwAdRd60b7YBvmnO5EvPWhqtg/z/Mdt8wZ15apwBNhY8hU34&r6A=G6c0dRzHq http://www.thymoscorp.com/n092/?Bld=T476+wLGEd5ymNxjzDgnd+i8GD3CeHIKKZSLKnXvKVH5vFDAeKtYM8iDaahIlbm47koDTk9n&r6A=G6c0dRzHq http://www.roomit.online/n092/?Bld=320mOof0bRSLF7suSFGyfMRvVLkn70OEI+2OAx+BFW1qZaF56Imc9aojKXFtjY1iUEJsabad&r6A=G6c0dRzHq http://www.weddinglevel.com/n092/?Bld=iiZBT6x2rSiecBVmMckqU43/6M1WUZeIGD58atROw+hzxHFeaTP0YTcq+2l+ZwiFzGrqh2cm&r6A=G6c0dRzHq | 17: www.tanzibkarate.quest(37.123.118.150) www.roomit.online(23.227.38.74) www.weddinglevel.com(136.144.230.43) www.boss-investor.com() www.cnywocean.com(216.18.205.254) www.fortydaysaesthetic.com(35.186.245.55) www.pleasantpixels.art(137.184.130.125) www.thymoscorp.com(208.91.197.27) www.lvchicagoclassics.com(192.185.225.2) 192.185.225.2 216.18.205.254 37.123.118.150 - mailcious 136.144.230.43 137.184.130.125 208.91.197.27 - mailcious 35.186.245.55 - phishing 23.227.38.74 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | 1: http://www.tanzibkarate.quest/n092/ | 9.6 | M | 27 | ZeroCERT

13102 | 2021-10-05 09:51 | updata.exe 505ce88a771d4e5a65dac0d3f1a83757 RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee | 1: http://apps.identrust.com/roots/dstrootcax3.p7c | 4: textbin.net(51.79.99.124) apps.identrust.com(52.217.174.13) 52.216.200.170 51.79.99.124 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 2.2 | | 14 | ZeroCERT

13103 | 2021-10-05 09:51 | RunPE.dll d3bc492a710280c56d5d77c8438e179c RAT Generic Malware Malicious Packer PE File .NET DLL DLL PE32 PDB | | | | | 0.4 | | | ZeroCERT

13104 | 2021-10-05 09:55 | shakitizx.exe 6400dc23f9782463ff5777f866aa67d8 PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName crashed | | | | | 2.4 | M | 15 | ZeroCERT

13105 | 2021-10-05 09:55 | vbc.exe 5a320540eeef00b5020c8dd42557ab2f Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution | | | | | 2.4 | M | 41 | ZeroCERT

13106 | 2021-10-05 09:57 | mexz.exe b0fdc1d5d662600356931895750433e3 NSIS Malicious Library PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | | | | | 9.4 | M | 37 | ZeroCERT

13107 | 2021-10-05 09:57 | vbc.exe 013d4cb9c83ba31bfb0c9041f565acbb UPX PE File PE32 VirusTotal Malware Remote Code Execution | | | | | 1.0 | M | 26 | ZeroCERT

13108 | 2021-10-05 09:59 | abx.exe 72e7c1c354f2680beb148df6723b10ed NSIS Malicious Library PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | | | | | 9.6 | M | 41 | ZeroCERT

13109 | 2021-10-05 09:59 | VAL.exe bba5e41c8053bbd991b08057036666a4 AgentTesla(IN) RAT Generic Malware Malicious Packer UPX Malicious Library PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key crashed | | | | | 5.0 | M | 36 | ZeroCERT

13110 | 2021-10-05 10:01 | vbc.exe cb1aa8895db7b5598823e583102f9fc6 Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself | | | | | 1.8 | M | 20 | ZeroCERT