13201 |
2021-10-07 11:06
|
palingo.exe 5e58e1e3a97f41b316b0c6f741437957 RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS crashed |
|
1
|
|
|
11.2 |
M |
26 |
ZeroCERT
13202 |
2021-10-07 11:07
|
new.exe 09aca0174709b01f57cfa3a0a354dd92 PWS Loki[b] Loki.m Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://136.243.159.53/~element/page.php?id=491 - rule_id: 5135
|
1
136.243.159.53 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://136.243.159.53/~element/page.php
|
12.8 |
M |
16 |
ZeroCERT
13203 |
2021-10-07 11:09
|
vbc.exe 6e095f0e6bbdce41509ccf3dcdc44daa NSIS Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://136.243.159.53/~element/page.php?id=493 - rule_id: 5135
|
2
136.243.159.53 - mailcious 20.43.94.199
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://136.243.159.53/~element/page.php
|
11.0 |
M |
36 |
ZeroCERT
13204 |
2021-10-07 11:10
|
vbc.exe 96bd7548ea9c202bf6add33886f45ddb UPX Malicious Library PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Tofsee Windows Remote Code Execution crashed |
13
http://www.moyue27.com/rqan/?ATRlddq=+TqAOEONCPJUJSnFrnPpRXI/OAAPmI2ScBE7Ik0F+IdHCDjx385zAg9GOBgk6UUD1+VchaMA&DxoTK=VDKTtFOxV2WL8tH http://www.haferssippe.quest/rqan/?ATRlddq=nFD+tckPtQIgQGQeciUNqkCJ8CDb8RQ3Hc2bC2BXacngwVvSVsoOUWgxvZcvhlu4kTcNykfE&DxoTK=VDKTtFOxV2WL8tH http://www.15dgj.xyz/rqan/?ATRlddq=L/JXrSYEbYVz+Zr+hdnNufTLXvurW4Cign4jUf9qCp/G8GoUAf71AaygvLGg/JPSI1lXLouM&DxoTK=VDKTtFOxV2WL8tH http://www.thelocksmithtradeshow.com/rqan/?ATRlddq=l024+3ZD/MMtYAimPvceCx2mX2pxaBq1zlsxSU83YzhgdyxMZckScAoxySy9Gng2X/4IOs9V&DxoTK=VDKTtFOxV2WL8tH http://www.claggs.com/rqan/?ATRlddq=8qJ/WnfN2Dsdt3vQdCIYENwUXvQ2fP0y4NNfqJHjhObiKvv0YjB/Xn2+M1Rdb7LfvORaQTC7&DxoTK=VDKTtFOxV2WL8tH http://www.buratacoin.com/rqan/?ATRlddq=Jt/jULqvuHmFHTQHoInL/hgvG9NOCzgC+ifeqw8dEamPSAWqFa2LRIXLynF/lbhL2qE+xTiF&DxoTK=VDKTtFOxV2WL8tH http://www.abasketofwords.com/rqan/?ATRlddq=+S1kQ2PT5fjUCuwrbY1xCKK84VEzmjTIH4aw6YwLG0KBcWdxm+CFKoDK+Dq48ZQ8nc9VjOLV&DxoTK=VDKTtFOxV2WL8tH http://www.tokofebri.store/rqan/?ATRlddq=bkTXLZuWQMSQcwGJ7R0aOlt20uLYpPHtJJJLiW4usy6BqC1mRs4efAWLwAB/Z2acqV9T3m6J&DxoTK=VDKTtFOxV2WL8tH http://www.comercialjyv.com/rqan/?ATRlddq=Rtey7j6o/6NPBerA7EpwrG4H/co8GZ/3Plt045JmCspN4s9ulysKZ35pRYVs1dFdUUjH8mSJ&DxoTK=VDKTtFOxV2WL8tH http://www.marionkgregory.store/rqan/?ATRlddq=VNXAiSIfyRM8OhL2EWzAO1fi5NRrcw8msq2SrTaCNLqA/2hjQ8/reY1ha2pEjv6UWdZEd9WI&DxoTK=VDKTtFOxV2WL8tH https://5wzqug.am.files.1drv.com/y4mTZZw0eJpvhrmvXl_fo8anex-VNAuRJCgRkrJiCNfKEseve3BiEFE0eVrSult2T8e-jsKcLLJgywa69qFWouFk89DWCXtzQt_ietEzDP5cA6NBC0v5YeBT1NjCuh6NQ1_d9TqoU13RPK4oy5WmF4pXBJK8fbVWmuW-QNz1cF84zYNnJ_wsTCUdwUwDqhVuYLppy7o583rgdrZxaPalaGakA/Voutohtjmdjzsdtpvrgxomfqdmmrfda?download&psid=1 https://5wzqug.am.files.1drv.com/y4m6VJMWw0J61zJl2alhe5XVS_0tMm5H1tpXUlMZ-KmfdjLNElLVJVahAIukV4I4W4pwo_Rbp9D91qN0jJu0fvZ0sklmnqovdV8ZXHIlovbK-aiBqeWkmenc-W5xgmvS1o9U_Bf1dUERlx2YbjpXTQx2qX4xLeVpcbuSiwnXqbTfZ8_rwlXMjEXBWEnFCMHQy1h01hEg4bo48fz9HjCTfV7zA/Voutohtjmdjzsdtpvrgxomfqdmmrfda?download&psid=1 
https://onedrive.live.com/download?cid=4697057C65B5346F&resid=4697057C65B5346F%21536&authkey=AASDOjncAUJWfks
|
24
www.15dgj.xyz(23.224.235.100) onedrive.live.com(13.107.42.13) - mailcious 5wzqug.am.files.1drv.com(13.107.42.12) www.haferssippe.quest(37.123.118.150) www.claggs.com(34.102.136.180) www.cambabez.xyz() www.tokofebri.store(216.58.220.115) www.thelocksmithtradeshow.com(34.102.136.180) www.marionkgregory.store(172.67.153.94) www.sergomosta.com() www.moyue27.com(34.102.136.180) www.comercialjyv.com(166.62.110.60) www.abasketofwords.com(118.27.122.216) www.buratacoin.com(54.39.107.28) 54.39.107.28 37.123.118.150 - mailcious 142.250.157.121 13.107.42.13 - mailcious 13.107.42.12 - malware 104.21.88.208 34.102.136.180 - mailcious 118.27.122.216 23.224.235.100 166.62.110.60 - phishing
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
9.4 |
M |
21 |
ZeroCERT
13205 |
2021-10-07 11:11
|
mpomzx.exe 86d0a0cbb77b6157d2da7ab7b5d1c2be RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
2
http://www.geektranslate.com/vngb/?w0G=Q4CGzn1VncUUPAEFqsK/pHj8DKtg7vyclW3zJ4058Xxlika/T9k0LuqOpNqWt8Dck45MXS4C&uFQh=XP7HHZ_8 - rule_id: 5771 http://www.globalshadowboards.com/vngb/?w0G=KPrbGzghvZNvTyZpOyNwD4oNs+nNTQwlMkn+w+C5zVmTeKE6F2OgttsIs1tzyq0XpIVfg3Y3&uFQh=XP7HHZ_8
|
4
www.globalshadowboards.com(34.102.136.180) www.geektranslate.com(104.21.88.45) - mailcious 34.102.136.180 - mailcious 172.67.172.138 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.geektranslate.com/vngb/
|
9.2 |
M |
38 |
ZeroCERT
13206 |
2021-10-07 11:14
|
rer.exe 2d22112d700c43db2b3baa6b2e38d625 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
9
http://www.conquershirts.store/ef6c/?v6=95iB74+m3m1QSa2Yie21q98JT48wC3F76MvrX9tv4DSLixTQWiFMLp60PgPoHI6cr/owSd7w&1b=V6ALdRqPe - rule_id: 5846 http://www.gaminghallarna.net/ef6c/?v6=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&1b=V6ALdRqPe - rule_id: 5824 http://www.fis.photos/ef6c/?v6=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&1b=V6ALdRqPe - rule_id: 5835 http://www.gicaredocs.com/ef6c/?v6=dQ8jXmGBocPwA167SrVCKSfe9kfjfwf5Y/UytJXCMDqauGkqvJ/2eQvfbvtaR0w7HyB9eXq/&1b=V6ALdRqPe - rule_id: 5816 http://www.govusergroup.com/ef6c/?v6=N5yAIzzPvIdqoqJ3aV/wdndIILsjG1yD75IcTmUgg2IU59G+YJKqbdhtrw9qqSyAgMIiKVbn&1b=V6ALdRqPe - rule_id: 5847 http://www.stopmoshenik.online/ef6c/?v6=AItpU6mQCC6s81rj7necuGYpWrqi0PbHxxDMCTfv5nDjvQQMu+peq6WH+jA65E1HrZKOBeeG&1b=V6ALdRqPe - rule_id: 5858 http://www.sensorypantry.com/ef6c/?v6=cw2PwNl+5NOQItrLnKllT2tGwrd+rdd5UTQlQyS8ptLSIxj973nGji9KRlDOdanBBwTAA2mM&1b=V6ALdRqPe - rule_id: 5819 http://www.apricitee.com/ef6c/?v6=KSHN/72BZOSNcoSkGOIXNFBSZoOhZSSqcZXlNpA3fA8LE+ARMJMD6XqqXDR03XtMsLmcqmrd&1b=V6ALdRqPe - rule_id: 5837 http://www.yeyelm744.com/ef6c/?v6=py3wLkMjkCQUnrtMjMuweSzljtf41F1OQ4vI/gne8vtV4RQAg2yAGXyPfsj9FUUfcHu/E+eO&1b=V6ALdRqPe
|
21
www.conquershirts.store(195.110.124.133) - mailcious www.docomoau.xyz() - mailcious www.sensorypantry.com(34.102.136.180) www.gaminghallarna.net(194.9.94.86) www.xzq585858.net() - mailcious www.narbaal.com(198.54.117.212) www.gicaredocs.com(208.91.197.27) www.apricitee.com(172.65.227.72) www.govusergroup.com(216.239.136.99) www.fis.photos(192.0.78.24) www.stopmoshenik.online(194.58.112.174) www.yeyelm744.com(154.208.173.238) 154.208.173.238 195.110.124.133 - mailcious 208.91.197.27 - mailcious 34.102.136.180 - mailcious 216.239.136.99 - mailcious 194.58.112.174 - mailcious 192.0.78.24 - mailcious 172.65.227.72 - mailcious 194.9.94.85 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
8
http://www.conquershirts.store/ef6c/ http://www.gaminghallarna.net/ef6c/ http://www.fis.photos/ef6c/ http://www.gicaredocs.com/ef6c/ http://www.govusergroup.com/ef6c/ http://www.stopmoshenik.online/ef6c/ http://www.sensorypantry.com/ef6c/ http://www.apricitee.com/ef6c/
|
8.2 |
M |
|
ZeroCERT
13207 |
2021-10-07 11:23
|
1006_2966063104581.doc 67b70c2d6a5191471273ee016ed9bb64 VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
2.8 |
|
21 |
ZeroCERT
13208 |
2021-10-07 11:24
|
3QN~34590987654345-09876544567... b48603e4ed26dfa441131ae8c057ee70 Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
1116.hopto.org(185.140.53.9) - mailcious 185.140.53.9 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
|
15.8 |
|
23 |
ZeroCERT
13209 |
2021-10-07 11:26
|
BASDL_093876533683-39876353678... 5bbb68e81d7777d72512c1e848e67d4c Generic Malware Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
1116.hopto.org(185.140.53.9) - mailcious 185.140.53.9 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
|
16.0 |
|
30 |
ZeroCERT
13210 |
2021-10-07 11:26
|
rer-01.exe 413c530908571f9abfc506f6d5e988a3 RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.craftsbylarissa.com/shjn/?wP9=7XtlbeaCYcdehaLb0z2401FWfWY9l43GxZy2q65FPT/WlkEnCgoiNTHCXPPGJfsIvYVCsoGW&lZN=7nbLpdaHS http://www.ingodwetrustdaycare.com/shjn/?wP9=YvK8QVrFWpbqY2CcI6cCCNSNfzrdnwhpHE2vaSNg7RhXv6rRQeaRrRg1wZS+Acv+t5XahaOC&lZN=7nbLpdaHS http://www.watchyellow.space/shjn/?wP9=jz6aPNGv49op0Ivwvr1Oq3XKOP2vReFvWuOkKdE2zbLgaSoUP9HsDPtXSkS/8lu8IqEbKTJa&lZN=7nbLpdaHS
|
6
www.craftsbylarissa.com(136.144.219.158) www.ingodwetrustdaycare.com(75.2.115.196) www.watchyellow.space(34.102.136.180) 136.144.219.158 34.102.136.180 - mailcious 75.2.115.196 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.0 |
M |
22 |
ZeroCERT
13211 |
2021-10-07 11:42
|
doc-751250025.xls 91652fe058d53d5089a87faaf85807b6 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
http://allencogradingtractorservice.com/597GdUFKMK/alfa.html
https://allencodemo.com/SANCT9lmT6k/alfa.html
https://benidicion.in/PcKuF9EUVjoD/alfa.html
|
5
benidicion.in(192.185.129.7)
allencogradingtractorservice.com(148.72.79.97)
allencodemo.com(148.72.79.97) 148.72.79.97 - mailcious
192.185.129.7
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.0 |
|
|
guest
13212 |
2021-10-07 11:44
|
doc-749589359.xls 1ea1149661a2dae426377277fb4889f5 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
http://allencogradingtractorservice.com/597GdUFKMK/alfa.html
https://allencodemo.com/SANCT9lmT6k/alfa.html
https://benidicion.in/PcKuF9EUVjoD/alfa.html
|
5
benidicion.in(192.185.129.7)
allencogradingtractorservice.com(148.72.79.97)
allencodemo.com(148.72.79.97) 148.72.79.97 - mailcious
192.185.129.7
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.0 |
|
|
guest
13213 |
2021-10-07 11:45
|
DG673246572985.JPG.scr d0306e1fbf67885a13a8bcfdd9de2873 Gen2 Gen1 Generic Malware Malicious Library Malicious Packer DNS AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName Remote Code Execution DNS DDNS crashed |
|
2
strongodss.ddns.net() - mailcious 185.19.85.175 - mailcious
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE Possible NanoCore C2 60B
|
|
16.2 |
|
30 |
ZeroCERT
13214 |
2021-10-07 11:47
|
doc-749666189.xls 4b097e46c6a899b3c8f002cdeb700d12 Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee |
3
http://allencogradingtractorservice.com/597GdUFKMK/alfa.html
https://allencodemo.com/SANCT9lmT6k/alfa.html
https://benidicion.in/PcKuF9EUVjoD/alfa.html
|
5
benidicion.in(192.185.129.7)
allencogradingtractorservice.com(148.72.79.97)
allencodemo.com(148.72.79.97) 148.72.79.97 - mailcious
192.185.129.7
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.0 |
|
|
guest
13215 |
2021-10-07 11:47
|
IMG-20210406-DOC0302738YJ5452.... 922eba1e37279113831e9f14b44ad5fa UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS crashed |
1
https://cdn.discordapp.com/attachments/801950567039500292/895172454232768552/Fnwlzvdaodnqoebwkvrakuppdhlszpt
|
5
www.deltatradings-eg.com(185.140.53.230) cdn.discordapp.com(162.159.133.233) - malware 185.140.53.230 - mailcious 185.19.85.175 - mailcious 162.159.130.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
|
22 |
ZeroCERT