Each record below gives the analysis ID and time; the submitted file, its MD5 and the sandbox tags as one string; the URL, host, IDS-alert and rule-matched-URL cells with their counts; then the score and the row's remaining non-empty columns in their original order. Empty cells are omitted.

13186 | 2021-10-06 18:20
File: doc-1445313213.xls
MD5: cf0908b4d734a5e78588b73410a25a3a
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (5):
  http://access-cs.com/WH0dOuF31Vjo/sep.html - rule_id: 6075
  http://access-cs.com/WH0dOuF31Vjo/sep.html
  http://proflizbowles.com/FC28yk4Sx7Rr/sep.html - rule_id: 6074
  http://proflizbowles.com/FC28yk4Sx7Rr/sep.html
  https://dreamonvibes.gr/PH5NmKjhY7js/sep.html
Hosts (5):
  access-cs.com (198.46.82.18)
  proflizbowles.com (198.46.82.18)
  dreamonvibes.gr (192.185.35.74)
  192.185.35.74 - malicious
  198.46.82.18
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs (2):
  http://access-cs.com/WH0dOuF31Vjo/sep.html
  http://proflizbowles.com/FC28yk4Sx7Rr/sep.html
Score: 4.0 | guest
13187 | 2021-10-07 09:17
File: fd.wbk
MD5: 6ce9da18e576af395cf59dd98ec43ea1
Tags: Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader
URLs (2):
  http://checkvim.com/fd4/fre.php - rule_id: 5139
  http://103.167.90.177/0789/vbc.exe
Hosts (3):
  checkvim.com (82.202.194.8) - malicious
  82.202.194.8
  103.167.90.177
IDS alerts (13):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
  http://checkvim.com/fd4/fre.php
Score: 5.6 | M | 27 | ZeroCERT
13188 | 2021-10-07 09:32
File: vbc.exe
MD5: 40cdcc9d27361a0721fc24e5a74107ed
Tags: Lokibot PWS Loki[b] Loki.m Generic Malware DNS Socket AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (1):
  http://checkvim.com/fd4/fre.php - rule_id: 5139
Hosts (2):
  checkvim.com (82.202.194.8) - malicious
  82.202.194.8
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://checkvim.com/fd4/fre.php
Score: 12.6 | M | 24 | ZeroCERT
13189 | 2021-10-07 10:53
File: egsoft.exe
MD5: fae9f9b8491a6b3bf60a63b10290f4c4
Tags: RAT AgentTesla(IN) Generic Malware Malicious Packer UPX Malicious Library PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
URLs, hosts, IDS alerts, rule-matched URLs: none recorded
Score: 8.0 | M | 46 | ZeroCERT
13190 | 2021-10-07 10:55
File: rer-0.exe
MD5: 76f67f41dc9f6809977866b724424c87
Tags: Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (16):
  http://www.ahljsm.com/ef6c/ - rule_id: 5838
  http://www.fis.photos/ef6c/ - rule_id: 5835
  http://www.discovercotswoldcottages.com/ef6c/?Jdvd=BIDo9GBbq26+tRTULeHAa20kRn4DZ7/ZgIW2IC+7vRIIeELykZIx4inPOl/SIZLSvHjtcUe3&nbiHFd=R2Mxt
  http://www.satellitphonestore.com/ef6c/?Jdvd=2HQYiK3SqCAOAD8t1I4UDgwc9i5WnuBSVk/U/jy+BINbcOU7l/xUqscit0kTEHSPOQww5Ion&nbiHFd=R2Mxt - rule_id: 5834
  http://www.discovercotswoldcottages.com/ef6c/
  http://www.narbaal.com/ef6c/?Jdvd=Qfq1eVj1tbY6wk2fC6TNcABTYUkfKUx3lN3xLkopolv8k3yEzrfjTRmV/Ar6z0XOJR0dF2R8&nbiHFd=R2Mxt - rule_id: 5815
  http://www.vngc.xyz/ef6c/?Jdvd=wSkjLUNz9KMnKLEpTJsPicKZ1kuS/lhbyPtlijpm6RS6Gnr6JEITfVGplX7ZAvxV+33Wr+ZN&nbiHFd=R2Mxt - rule_id: 5828
  http://www.narbaal.com/ef6c/ - rule_id: 5815
  http://www.satellitphonestore.com/ef6c/ - rule_id: 5834
  http://www.vngc.xyz/ef6c/ - rule_id: 5828
  http://www.gaminghallarna.net/ef6c/?Jdvd=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&nbiHFd=R2Mxt - rule_id: 5824
  http://www.ahljsm.com/ef6c/?Jdvd=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&nbiHFd=R2Mxt - rule_id: 5838
  http://www.redelirevearyseuiop.xyz/ef6c/?Jdvd=+zggs108Zt88mF3I15I6Vl7MIKEVgTDkllssvVc7oGo+vC3UJFm7tcArJeeO3BpO4YdkYwbo&nbiHFd=R2Mxt - rule_id: 5826
  http://www.gaminghallarna.net/ef6c/ - rule_id: 5824
  http://www.redelirevearyseuiop.xyz/ef6c/ - rule_id: 5826
  http://www.fis.photos/ef6c/?Jdvd=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&nbiHFd=R2Mxt - rule_id: 5835
Hosts (19):
  www.redelirevearyseuiop.xyz (198.54.117.244)
  www.softandcute.store (no IP)
  www.csspadding.com (no IP) - malicious
  www.ahljsm.com (45.39.212.162)
  www.brondairy.com (no IP)
  www.gaminghallarna.net (194.9.94.85)
  www.fis.photos (192.0.78.25)
  www.narbaal.com (198.54.117.218)
  www.discovercotswoldcottages.com (91.136.8.131)
  www.vngc.xyz (216.58.220.115)
  www.satellitphonestore.com (35.186.238.101)
  35.186.238.101 - malicious
  198.54.117.211 - phishing
  198.54.117.244 - phishing
  91.136.8.131
  192.0.78.24 - malicious
  194.9.94.85 - malicious
  142.250.204.83
  45.39.212.162 - malicious
IDS alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (14):
  http://www.ahljsm.com/ef6c/
  http://www.fis.photos/ef6c/
  http://www.satellitphonestore.com/ef6c/
  http://www.narbaal.com/ef6c/
  http://www.vngc.xyz/ef6c/
  http://www.narbaal.com/ef6c/
  http://www.satellitphonestore.com/ef6c/
  http://www.vngc.xyz/ef6c/
  http://www.gaminghallarna.net/ef6c/
  http://www.ahljsm.com/ef6c/
  http://www.redelirevearyseuiop.xyz/ef6c/
  http://www.gaminghallarna.net/ef6c/
  http://www.redelirevearyseuiop.xyz/ef6c/
  http://www.fis.photos/ef6c/
Score: 8.4 | M | 27 | ZeroCERT
13191 | 2021-10-07 10:55
File: predismzx.exe
MD5: 0201b32e81d74909c85df1354dda706c
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted RWX flags setting unpack itself
URLs, hosts, IDS alerts, rule-matched URLs: none recorded
Score: 7.2 | M | 24 | ZeroCERT
13192 | 2021-10-07 10:56
File: documentk.exe
MD5: 1797df3d5611c8edee16bba956eea44f
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
URLs, hosts, IDS alerts, rule-matched URLs: none recorded
Score: 2.2 | M | 36 | ZeroCERT
13193 | 2021-10-07 10:58
File: haitianzx.exe
MD5: 694bfd7e3c03e08e4cdd7cd7318f1d06
Tags: Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
URLs, hosts, IDS alerts, rule-matched URLs: none recorded
Score: 8.8 | M | 21 | ZeroCERT
13194 | 2021-10-07 10:58
File: tempzx.exe
MD5: 4f95aa292f894da510a3dbb5c072e110
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (6):
  mail.faks-allied-health.com (107.180.56.180)
  freegeoip.app (172.67.188.154)
  checkip.dyndns.org (158.101.44.242)
  107.180.56.180 - malware
  216.146.43.71
  172.67.188.154
IDS alerts (5):
  SURICATA Applayer Detect protocol only one direction
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
Rule-matched URLs: none recorded
Score: 13.4 | M | 39 | ZeroCERT
13195 | 2021-10-07 11:00
File: hussanzx.exe
MD5: f9923769fbfc6e53e114b6a862e8882f
Tags: PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (158.101.44.242)
  216.146.43.71
  104.21.19.200
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Rule-matched URLs: none recorded
Score: 15.0 | M | 42 | ZeroCERT
13196 | 2021-10-07 11:00
File: rundll32.exe
MD5: 9613b774d57281142329a01e031b8e34
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
URLs: none recorded
Hosts (1): list not present on the page
IDS alerts, rule-matched URLs: none recorded
Score: 7.8 | M | 14 | ZeroCERT
13197 | 2021-10-07 11:02
File: vbc.exe
MD5: da19a523623dccfc4592bdc4c774e914
Tags: RAT Generic Malware Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (4):
  textbin.net (51.79.99.124)
  apps.identrust.com (52.216.110.82)
  54.231.120.209
  51.79.99.124
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none recorded
Score: 2.8 | M | 38 | ZeroCERT
13198 | 2021-10-07 11:04
File: obn.exe
MD5: d343d044f30fcbd7c0cb9b3a6fd53123
Tags: PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
URLs, hosts, IDS alerts, rule-matched URLs: none recorded
Score: 10.4 | M | 33 | ZeroCERT
13199 | 2021-10-07 11:05
File: mtz_ami_vyber.exe
MD5: b9b0a03d3102e82d508253665b5c1ccd
Tags: Emotet RAT Gen1 Malicious Library UPX PE File PE32 OS Processor Check PE64 VirusTotal Malware Check memory Checks debugger unpack itself AppData folder AntiVM_Disk VM Disk Size Check human activity check ComputerName
URLs, hosts, IDS alerts, rule-matched URLs: none recorded
Score: 3.4 | 11 | ZeroCERT
13200 | 2021-10-07 11:05
File: bluezx.exe
MD5: 01f516207e77d9bccbadfd9d5deee8a6
Tags: Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (172.67.188.154)
  checkip.dyndns.org (158.101.44.242)
  172.67.188.154
  158.101.44.242
IDS alerts (3):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none recorded
Score: 16.0 | M | 24 | ZeroCERT
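The cells in this listing arrive as flat strings, so the indicators have to be pulled out before they can be matched against proxy or DNS logs. The parser below is an added example and not code from the original page or from any sandbox. It assumes the cell layout seen in the records above: a summary cell of "<filename> <md5> <tags>", a URL cell of "<url> [- rule_id: N]" tokens, a host cell of "<name>(<ip>) [- <tag>]" and bare "<ip> [- <tag>]" tokens, and an IDS cell of Suricata signature names run together, each starting with "ET ", "SURICATA " or "SSLBL:". The sample cells are copied from entries 13187 and 13190 (the FormBook URL cell is a five-URL subset of the sixteen listed there); the raw cells spell the host tag "mailcious", which the parser normalises. The function and constant names, and the `min_domains` threshold, are this example's own choices. Beyond extraction it groups URLs by path, because entry 13190 requests the same /ef6c/ path from many unrelated domains, and a path shared that widely is a sturdier pivot than any single domain.

```python
"""Extract IOCs from the flattened sandbox cells in this listing.

Added example; not code from the original page or from any sandbox.
Assumed cell layout (matches the records above):
  summary : "<filename> <md5> <tags ...>"
  urls    : "<url> [- rule_id: N] <url> ..."
  hosts   : "<name>(<ip>) [- <tag>]" and bare "<ip> [- <tag>]" tokens
  ids     : Suricata signature names run together, each starting with
            "ET ", "SURICATA " or "SSLBL:"
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample cells copied from entries 13187 and 13190; the FormBook URL cell
# is a five-URL subset of the sixteen listed there.
LOKIBOT_SUMMARY = "fd.wbk 6ce9da18e576af395cf59dd98ec43ea1 Lokibot RTF File doc AntiDebug AntiVM"
LOKIBOT_URLS = "http://checkvim.com/fd4/fre.php - rule_id: 5139 http://103.167.90.177/0789/vbc.exe"
LOKIBOT_HOSTS = "checkvim.com(82.202.194.8) - mailcious 82.202.194.8 103.167.90.177"
LOKIBOT_IDS = (
    "ET INFO Executable Download from dotted-quad Host "
    "ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin "
    "ET MALWARE LokiBot Fake 404 Response"
)
FORMBOOK_URLS = (
    "http://www.ahljsm.com/ef6c/ - rule_id: 5838 "
    "http://www.fis.photos/ef6c/?Jdvd=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&nbiHFd=R2Mxt - rule_id: 5835 "
    "http://www.discovercotswoldcottages.com/ef6c/ "
    "http://www.narbaal.com/ef6c/?Jdvd=Qfq1eVj1tbY6wk2fC6TNcABTYUkfKUx3lN3xLkopolv8k3yEzrfjTRmV/Ar6z0XOJR0dF2R8&nbiHFd=R2Mxt - rule_id: 5815 "
    "http://www.vngc.xyz/ef6c/ - rule_id: 5828"
)

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9.-]+)\((?P<ip>[0-9.]*)\)(?:\s+-\s+(?P<tag>[a-z]+))?"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3})(?:\s+-\s+(?P<btag>[a-z]+))?"
)
# Signature names are run together; split just before each known prefix.
IDS_SPLIT_RE = re.compile(r"\s+(?=(?:ET|SURICATA|SSLBL:)\s)")
TAG_FIX = {"mailcious": "malicious"}   # the raw listing misspells this tag


def parse_summary(cell):
    """Split the summary cell into file name, MD5 and the raw tag string."""
    m = MD5_RE.search(cell)
    if m is None:
        name, _, tags = cell.strip().partition(" ")
        return {"filename": name, "md5": None, "tags": tags}
    return {"filename": cell[:m.start()].strip(), "md5": m.group(0),
            "tags": cell[m.end():].strip()}


def parse_urls(cell):
    """Each URL with the rule_id that matched it, or None if none did."""
    return [{"url": u, "rule_id": int(r) if r else None}
            for u, r in URL_RE.findall(cell)]


def parse_hosts(cell):
    """Resolved names, bare IPs and the threat tag attached to each."""
    hosts = []
    for m in HOST_RE.finditer(cell):
        if m.group("name"):
            tag = m.group("tag")
            hosts.append({"name": m.group("name"), "ip": m.group("ip") or None,
                          "tag": TAG_FIX.get(tag, tag)})
        else:
            tag = m.group("btag")
            hosts.append({"name": None, "ip": m.group("bare"),
                          "tag": TAG_FIX.get(tag, tag)})
    return hosts


def parse_ids(cell):
    """Split run-together Suricata signature names on their prefixes."""
    return [s for s in IDS_SPLIT_RE.split(cell.strip()) if s]


def shared_paths(urls, min_domains=3):
    """Paths requested on at least min_domains distinct hosts.

    Entry 13190 fetches /ef6c/ from many unrelated domains; a path shared
    that widely is a sturdier pivot than any one of the domains."""
    by_path = defaultdict(set)
    for entry in urls:
        parts = urlsplit(entry["url"])
        by_path[parts.path].add(parts.hostname)
    return {p: sorted(h) for p, h in by_path.items() if len(h) >= min_domains}


def extract_iocs(summary, urls, hosts, ids):
    """One record's cells -> deduplicated, sorted indicator lists."""
    s, u, h = parse_summary(summary), parse_urls(urls), parse_hosts(hosts)
    return {
        "md5": s["md5"],
        "urls": sorted({e["url"] for e in u}),
        "domains": sorted({x["name"] for x in h if x["name"]}),
        "ips": sorted({x["ip"] for x in h if x["ip"]}),
        "flagged": sorted({x["name"] or x["ip"] for x in h if x["tag"]}),
        "signatures": parse_ids(ids),
        "shared_paths": shared_paths(u),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(LOKIBOT_SUMMARY, LOKIBOT_URLS,
                                  LOKIBOT_HOSTS, LOKIBOT_IDS), indent=2))
    print(json.dumps(shared_paths(parse_urls(FORMBOOK_URLS)), indent=2))
```

The host regex deliberately keeps bare IPs separate from resolved names, because the listing tags them independently (82.202.194.8 carries no tag even though checkvim.com, which resolves to it, is flagged); collapse them only after deciding which tag should win. The `flagged` list is the subset worth blocking first; `shared_paths` is the pivot to feed into a proxy-log search when the domains themselves have already rotated.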