13501 | 2021-10-13 17:47 | New Profits Distributions.docx dec25c57bdc8c945ba975d0f693243cb MSOffice File VirusTotal Malware RWX flags setting
  -
  -
  -
  -
  1.6 | - | 2 | ZeroCERT
13502 | 2021-10-13 17:48 | Password.txt.lnk c44d866adf8c6845b7dda742c59c6b59 Generic Malware DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process malicious URLs Tofsee Interception
  2 | http://apps.identrust.com/roots/dstrootcax3.p7c ; https://www.onlinedocpage.org/FcsDjkkPVjEsM6htE+uWxoDY7HoSX64xIHgNAoq6SF4=
  4 | apps.identrust.com(119.207.65.74) ; www.onlinedocpage.org(149.28.162.113) ; 149.28.162.113 ; 121.254.136.27
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  -
  5.8 | - | 16 | ZeroCERT
13503 | 2021-10-13 17:59 | Bank-Details.xlsx 69edca098ec730f1aa9302c24923fcff MSOffice File Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed Downloader
  1 | http://192.227.158.101/09008/vbc.exe
  1 | 192.227.158.101 - malware
  2 | ET INFO Executable Download from dotted-quad Host ; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  -
  3.8 | M | 18 | guest
13504 | 2021-10-13 18:04 | inv_orders.xlsx 69edca098ec730f1aa9302c24923fcff MSOffice File Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed Downloader
  1 | http://192.227.158.101/09008/vbc.exe - rule_id: 6433
  1 | 192.227.158.101 - malware
  2 | ET INFO Executable Download from dotted-quad Host ; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  1 | http://192.227.158.101/09008/vbc.exe
  3.8 | M | 18 | guest
13505 | 2021-10-13 18:04 | arku.exe f3301d2cf11d1d4884f4922ff204042b PWS Loki[b] Loki.m Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
  1 | http://arku.xyz/w2/fre.php
  2 | arku.xyz(104.21.30.161) - mailcious ; 172.67.173.58 - mailcious
  7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ; ET MALWARE LokiBot Fake 404 Response
  -
  7.4 | M | 59 | ZeroCERT
13506 | 2021-10-13 18:07 | invc_0098008.wbk 18a942800e19f651c6b2b047fcd96f54 Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
  2 | http://103.167.90.177/008008/vbc.exe ; http://checkvim.com/fd4/fre.php - rule_id: 5139
  3 | checkvim.com(45.9.73.172) - mailcious ; 45.9.73.172 ; 103.167.90.177 - mailcious
  13 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ; ET MALWARE LokiBot Checkin ; ET INFO Executable Download from dotted-quad Host ; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ; ET MALWARE LokiBot Request for C2 Commands Detected M1 ; ET MALWARE LokiBot Request for C2 Commands Detected M2 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ; ET MALWARE LokiBot Fake 404 Response ; ET POLICY PE EXE or DLL Windows file download HTTP ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  1 | http://checkvim.com/fd4/fre.php
  5.4 | M | 27 | ZeroCERT
13507 | 2021-10-13 18:16 | vbc.exe 33b0088b3c388e0685e28644215acd17 UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
  -
  -
  -
  -
  2.2 | M | 24 | ZeroCERT
13508 | 2021-10-13 19:45 | lol.exe 57d14b0c79cc490a7c5511b6600976dc UPX PE64 PE File VirusTotal Malware
  -
  -
  -
  -
  2.0 | - | 43 | ZeroCERT
13509 | 2021-10-13 19:45 | svchost.exe 340d0f2a160733b307bbe9434dd8b701 VMProtect UPX Malicious Library PE64 PE File VirusTotal Malware Checks debugger crashed
  -
  -
  -
  -
  2.2 | - | 26 | ZeroCERT
13510 | 2021-10-13 19:50 | install.exe 3ce561ff43324e120f554a04926948e2 VMProtect UPX Malicious Library PE64 PE File VirusTotal Malware Checks debugger DNS crashed
  -
  1 |
  -
  -
  2.8 | - | 28 | ZeroCERT
13511 | 2021-10-13 19:51 | dc.exe 0a50081a6cd37aea0945c91de91c5d97 Gen2 Generic Malware PowerShell MZ UPX Malicious Library Malicious Packer Escalate priviledges KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check PE64 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Disables Windows Security sandbox evasion human activity check Tofsee Windows Browser crashed
  4 | http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.6402.0&asdelta=1.95.191.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092 ; https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.351.314.0/1.1.18600.4/amd64/mpas-fe.exe ; https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.351.331.0/1.1.18600.4/amd64/mpas-fe.exe ; https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x64&eng=1.1.6402.0&asdelta=1.95.191.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
  5 | definitionupdates.microsoft.com(23.40.44.112) ; www.microsoft.com(104.109.241.178) ; 23.40.45.184 - mailcious ; 23.201.37.168 ; 23.40.44.112
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  -
  8.0 | - | 25 | ZeroCERT
13512 | 2021-10-14 07:55 | bdxloc.jpg 07c2dc7047771b92bca28914cdfb4dad Gen2 Gen1 Malicious Library PE File PE32 DLL VirusTotal Malware PDB Check memory unpack itself crashed
  -
  -
  -
  -
  1.4 | - | 6 | ZeroCERT
13513 | 2021-10-14 09:28 | tzrbl2uzp.tar 43ec996a5509ec8fc3251f51ec06abe2 Gen2 Gen1 Malicious Library PE File PE32 DLL VirusTotal Malware PDB unpack itself crashed
  -
  -
  -
  -
  1.2 | - | 6 | ZeroCERT
13514 | 2021-10-14 09:32 | updatewin-21H2.exe 1c978ed3ed7b3f6c428792697d5fade4 RAT Generic Malware PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee
  1 | http://apps.identrust.com/roots/dstrootcax3.p7c
  4 | apps.identrust.com(96.16.99.43) ; store2.gofile.io(31.14.69.10) - mailcious ; 61.111.58.34 - malware ; 31.14.69.10 - mailcious
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  -
  2.6 | - | 3 | ZeroCERT
13515 | 2021-10-14 09:33 | jzgrc7.jpg 40dde8c0b67c468ab9c25e03c0953f22 Gen2 Gen1 Malicious Library PE File PE32 DLL VirusTotal Malware PDB unpack itself crashed
  -
  -
  -
  -
  1.2 | - | 6 | ZeroCERT