Sandbox analysis listing, entries 13711 to 13725 (submitted 2021-10-18 and 2021-10-19). Each record below is laid out as: id | submission time | file name | MD5, then the analysis tags as the sandbox reported them, then the contacted URLs, resolved hosts, Suricata alerts and URL-rule hits where the entry has them, and finally the four trailing columns kept in their original order (the first is the sandbox score; the other three are reproduced as listed).

13711 | 2021-10-18 17:52 | PO-15102021.xlsx | 3649a4e4e640017f163b9f1f164a63b7
Tags: VirusTotal Malware Malicious Traffic RWX flags setting exploit crash unpack itself Exploit DNS crashed
URLs (1):
  http://2.56.59.250/PHJ.exe
Hosts (1):
Suricata (1):
  ET INFO Executable Download from dotted-quad Host
4.4 |  | 28 | guest
13712 | 2021-10-18 17:52 | EU-Business-Register (1).pdf | ad93c19fcd03385c359be007ee7631f8
Tags: PDF VirusTotal Malware unpack itself Windows utilities Windows
1.8 |  | 1 | guest
13713 | 2021-10-18 17:54 | RunPE.dll | ef4602191703199ba701c12b66971c73
Tags: RAT Generic Malware Malicious Packer PE File PE32 .NET DLL DLL VirusTotal Malware PDB
1.0 |  | 21 | ZeroCERT
13714 | 2021-10-18 17:58 | invc_009030009.wbk | ea27c453801a76553e850c260b6a288b
Tags: RTF File doc FormBook Malware download Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (31):
  http://www.safebookkeeping.com/mxnu/?ytsDIrP=Dinuu19hFboSFju1K0HZ6EbcdDMO+ZnQ9sDSjm9DAS1j/pnpew28zT8+4dAfvZHXXiVk+x1O&JlM=tnt48PpXYxvL
  http://www.tbrhc.com/mxnu/
  http://www.normandia.pro/mxnu/?ytsDIrP=kHN/hbjK4OzLmo333toUUHv3cKFKy5bivtfKIua2AYmutZDuFn6HD/HyblDUos2+bUTS6mEe&JlM=tnt48PpXYxvL
  http://www.whitebot.xyz/mxnu/?ytsDIrP=mJKlLoR4AxZK/RYIFKAo0UiVtoPyzBJ6SQAFXLfvSOBYEGo1cqGoAX7CRK1QxANrckFntybM&JlM=tnt48PpXYxvL
  http://www.jellyice-tr.com/mxnu/?ytsDIrP=2jYCrBsbpe7TX9aPhZM9pCxr75im0gQU84tPJTFdoXWJ8jmtmSvNbVsQgFqr9XIl+R+lpCoE&JlM=tnt48PpXYxvL - rule_id: 6480
  http://www.revgeek.com/mxnu/?ytsDIrP=LFHT7yJDHTG5j2x991585jkXyYBkZkjzIUaPFc8bTKfmXG7pnxx1T4PiHIQyjDj8X+wed1XV&JlM=tnt48PpXYxvL
  http://www.historyofcambridge.com/mxnu/
  http://www.whitebot.xyz/mxnu/
  http://www.normandia.pro/mxnu/
  http://www.brandonhistoryandinfo.com/mxnu/ - rule_id: 6478
  http://www.naplesconciergerealty.com/mxnu/ - rule_id: 6394
  http://www.onehigh.club/mxnu/ - rule_id: 6391
  http://www.onehigh.club/mxnu/?ytsDIrP=52TJ8f0Vxw2BzXpbfWSfaWlDTRlua2mq3mQuHpcP7nL3PE2hO33OHCZ6ItQZVKuqvI9FSTzz&JlM=tnt48PpXYxvL - rule_id: 6391
  http://www.naplesconciergerealty.com/mxnu/?ytsDIrP=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&JlM=tnt48PpXYxvL - rule_id: 6394
  http://www.brandonhistoryandinfo.com/mxnu/?ytsDIrP=TBa+b5mpCdI4y/h180Pl2gJXBklETz7DPBwfCQzHJDv5/wBYQn0JU1W1LmmZ4xHxKrhvcr9L&JlM=tnt48PpXYxvL - rule_id: 6478
  http://www.desongli.com/mxnu/
  http://www.safebookkeeping.com/mxnu/
  http://www.sattaking-gaziabad.xyz/mxnu/?ytsDIrP=UvUEtIev0LW0Fj9rimgEuaxF8o8Q3PSD9GE10acJUnczNTSiUTsn1kpqflxWWG28G9vjgVED&JlM=tnt48PpXYxvL
  http://www.historyofcambridge.com/mxnu/?ytsDIrP=83rAwycDMUEJxLGVulxgJoLHCAQKcanhrm8XweUEKHeaWBLa77jLvzg0UgbAuk5RNaMObh69&JlM=tnt48PpXYxvL
  http://www.tbrhc.com/mxnu/?ytsDIrP=dBbPwQ2utUd0Fk1uS+XSFkxz2YTUNCneFR1VLIh1vAwAXkSpHWWkzNznjyqcoekG5m5H1qts&JlM=tnt48PpXYxvL
  http://www.desongli.com/mxnu/?ytsDIrP=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&JlM=tnt48PpXYxvL
  http://www.mortgagerates.solutions/mxnu/?ytsDIrP=e40TMWWr6xWVnQ1HwCqLobeJF4L/Z7xCu7/MTKlaRXTCRzwsua34O9neh9w9TPhFkJc6vnSR&JlM=tnt48PpXYxvL
  http://www.ingdalynnia.xyz/mxnu/
  http://www.mortgagerates.solutions/mxnu/
  http://www.closetu.com/mxnu/?ytsDIrP=rJ249TMVQMCwGwXS7eMNhvOWH4SbGXiKs4Vq1JHmstm/5V4DyV8c/XoA/4BgaERVtEbRuzyC&JlM=tnt48PpXYxvL
  http://www.sattaking-gaziabad.xyz/mxnu/
  http://www.revgeek.com/mxnu/
  http://www.jellyice-tr.com/mxnu/ - rule_id: 6480
  http://www.closetu.com/mxnu/
  http://www.ingdalynnia.xyz/mxnu/?ytsDIrP=pfZfepvuuXd3YdzLhx74JhtQE2ZsQUx19b2XlYunhcRs71ErzSq2ECWFO+pn1SXrM1L87AtC&JlM=tnt48PpXYxvL
  http://192.3.110.172/006600066/vbc.exe
Hosts (29):
  www.jellyice-tr.com (104.21.30.231)
  www.safebookkeeping.com (208.113.163.16)
  www.closetu.com (3.223.115.185)
  www.naplesconciergerealty.com (34.102.136.180)
  www.normandia.pro (70.32.1.32)
  www.historyofcambridge.com (3.223.115.185)
  www.onehigh.club (209.99.64.33)
  www.brandonhistoryandinfo.com (34.102.136.180)
  www.mortgagerates.solutions (64.190.62.111)
  www.whitebot.xyz (172.104.153.244)
  www.desongli.com (108.186.180.79)
  www.sattaking-gaziabad.xyz (185.28.21.80)
  www.tbrhc.com (154.208.173.145)
  www.revgeek.com (156.234.138.23)
  www.ingdalynnia.xyz (173.212.200.118)
  104.21.30.231
  108.186.180.79
  170.178.168.203
  208.113.163.16
  185.28.21.80
  173.212.200.118
  156.234.138.23
  172.104.153.244
  34.102.136.180 - malicious
  154.208.173.145
  192.3.110.172 - malware
  3.223.115.185 - malicious
  64.190.62.111 - malicious
  209.99.64.33 - malicious
Suricata (8):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
URLs with rule hits (8):
  http://www.jellyice-tr.com/mxnu/
  http://www.brandonhistoryandinfo.com/mxnu/
  http://www.naplesconciergerealty.com/mxnu/
  http://www.onehigh.club/mxnu/
  http://www.onehigh.club/mxnu/
  http://www.naplesconciergerealty.com/mxnu/
  http://www.brandonhistoryandinfo.com/mxnu/
  http://www.jellyice-tr.com/mxnu/
4.0 | M |  | ZeroCERT
13715 | 2021-10-18 18:01 | lkki.exe | f3301d2cf11d1d4884f4922ff204042b
Tags: Loki PWS Loki[b] Loki.m Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
  http://arku.xyz/w2/fre.php - rule_id: 6435
Hosts (2):
  arku.xyz (104.21.30.161) - malicious
  172.67.173.58 - malicious
Suricata (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
URLs with rule hits (1):
  http://arku.xyz/w2/fre.php
7.4 | M | 63 | ZeroCERT
13716 | 2021-10-18 18:02 | vbc.exe | 4c7f75dbea906c8bac51094411dd5467
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
1.8 |  | 23 | ZeroCERT
13717 | 2021-10-18 18:03 | vbc.exe | f769e91b05ea8c5cd73c26b2c047fb50
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
  http://checkvim.com/ga18/fre.php
Hosts (2):
  checkvim.com (109.107.190.6) - malicious
  109.107.190.6
Suricata (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
12.8 |  | 18 | ZeroCERT
13718 | 2021-10-18 18:07 | 004109043806_4.xls | f64066fff51a9027fdcc09cc945348f1
Tags: VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself
1.2 |  | 6 | ZeroCERT
13719 | 2021-10-18 18:14 | vbc.exe | d5f480d1d4cf7902094668a09856c79a
Tags: NSIS Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder
URLs (27):
  http://www.877961.com/mxnu/ - rule_id: 6477
  http://www.procurovariedades.com/mxnu/
  http://www.closetu.com/mxnu/?FF=rJ249TMVQMCwGwXS7eMNhvOWH4SbGXiKs4Vq1JHmstm/5V4DyV8c/XoA/4BgaERVtEbRuzyC&llsp=fTRHzt4pzn4XCX - rule_id: 6644
  http://www.closetu.com/mxnu/?FF=rJ249TMVQMCwGwXS7eMNhvOWH4SbGXiKs4Vq1JHmstm/5V4DyV8c/XoA/4BgaERVtEbRuzyC&llsp=fTRHzt4pzn4XCX
  http://www.digisor.com/mxnu/?FF=UVMBiiaCgBTVCfU1vNNEq08V9m7XAvZZglUNdI143I2X7Zl4GMtYquItbp7SrE/Ljcqvb/Ed&llsp=fTRHzt4pzn4XCX
  http://www.gatescres.com/mxnu/?FF=/h7P8W3KCMqF8sHgbHgxGw3KDEtccpvlr5o0RXreZvWALZ7/fG1Fr8cUEgi4cFDVX1k6R9aW&llsp=fTRHzt4pzn4XCX - rule_id: 6387
  http://www.verifiedpaypal.net/mxnu/ - rule_id: 6476
  http://www.procurovariedades.com/mxnu/?FF=e63Yw596e9MjmhIdNsSN67oqb96/kwQ/AvXQ3UsARMy+g2BaAqseTyVnaYCqY6LOFgU8MBS4&llsp=fTRHzt4pzn4XCX
  http://www.gatescres.com/mxnu/ - rule_id: 6387
  http://www.closetu.com/mxnu/ - rule_id: 6644
  http://www.closetu.com/mxnu/
  http://www.029atk.xyz/mxnu/ - rule_id: 6486
  http://www.insightmyhome.com/mxnu/
  http://www.insightmyhome.com/mxnu/?FF=/jfKiAqxBAHgqOulmGtRlW5n/Sqdafb78dllJBhjnK66Sxf6eS8KxZUn5zSBqfmdUZv1jy8Z&llsp=fTRHzt4pzn4XCX
  http://www.naplesconciergerealty.com/mxnu/ - rule_id: 6394
  http://www.desongli.com/mxnu/?FF=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&llsp=fTRHzt4pzn4XCX - rule_id: 6643
  http://www.desongli.com/mxnu/?FF=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&llsp=fTRHzt4pzn4XCX
  http://www.877961.com/mxnu/?FF=aHYJt+cF3uKE/jjIR1o9yP3wzE0OqMGB2AjKuxgiPGP7v0vlkCnn7S+a/Vapc30Z99lnekHH&llsp=fTRHzt4pzn4XCX - rule_id: 6477
  http://www.verifiedpaypal.net/mxnu/?FF=9Cb2F83H4cu3Wi3E/V06Uw+puzMd5mOCrt6x5BN8Ai+3jQ1IwCanO4QWCELETp3SVj+UiXzw&llsp=fTRHzt4pzn4XCX - rule_id: 6476
  http://www.desongli.com/mxnu/ - rule_id: 6643
  http://www.desongli.com/mxnu/
  http://www.naplesconciergerealty.com/mxnu/?FF=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&llsp=fTRHzt4pzn4XCX - rule_id: 6394
  http://www.safebookkeeping.com/mxnu/ - rule_id: 6652
  http://www.safebookkeeping.com/mxnu/
  http://www.safebookkeeping.com/mxnu/?FF=Dinuu19hFboSFju1K0HZ6EbcdDMO+ZnQ9sDSjm9DAS1j/pnpew28zT8+4dAfvZHXXiVk+x1O&llsp=fTRHzt4pzn4XCX - rule_id: 6652
  http://www.safebookkeeping.com/mxnu/?FF=Dinuu19hFboSFju1K0HZ6EbcdDMO+ZnQ9sDSjm9DAS1j/pnpew28zT8+4dAfvZHXXiVk+x1O&llsp=fTRHzt4pzn4XCX
  http://www.029atk.xyz/mxnu/?FF=6sRgvWVFBb3Q/xwRSmzppKeefWZYMhtu8mXrbS5z1U4Jv8b+WQjv+VljYqCaCxejjINp6HL4&llsp=fTRHzt4pzn4XCX - rule_id: 6486
Hosts (25):
  www.gatescres.com (184.168.131.241)
  www.ashramseries.com (no address returned)
  www.closetu.com (3.223.115.185)
  www.naplesconciergerealty.com (34.102.136.180)
  www.safebookkeeping.com (208.113.163.16)
  www.877961.com (1.32.254.106)
  www.029atk.xyz (23.225.30.171)
  www.verifiedpaypal.net (158.69.52.184)
  www.qlfa8gzk8f.com (no address returned) - malicious
  www.desongli.com (108.186.180.79)
  www.1sunsetgroup.com (no address returned)
  www.digisor.com (no address returned)
  www.procurovariedades.com (192.185.131.238)
  www.insightmyhome.com (5.79.70.98)
  108.186.180.79
  208.113.163.16
  52.58.78.16 - malicious
  34.102.136.180 - malicious
  184.168.131.241 - malicious
  192.185.131.238
  1.32.254.106 - malicious
  172.247.0.172
  5.79.70.98 - malicious
  158.69.52.184 - malicious
  3.223.115.185 - malicious
Suricata (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
URLs with rule hits (16):
  http://www.877961.com/mxnu/
  http://www.closetu.com/mxnu/
  http://www.gatescres.com/mxnu/
  http://www.verifiedpaypal.net/mxnu/
  http://www.gatescres.com/mxnu/
  http://www.closetu.com/mxnu/
  http://www.029atk.xyz/mxnu/
  http://www.naplesconciergerealty.com/mxnu/
  http://www.desongli.com/mxnu/
  http://www.877961.com/mxnu/
  http://www.verifiedpaypal.net/mxnu/
  http://www.desongli.com/mxnu/
  http://www.naplesconciergerealty.com/mxnu/
  http://www.safebookkeeping.com/mxnu/
  http://www.safebookkeeping.com/mxnu/
  http://www.029atk.xyz/mxnu/
6.8 | M | 19 | ZeroCERT
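Entries 13714 and 13719 are both tagged FormBook, both beacon to the path /mxnu/ and their candidate-domain lists overlap heavily. Reading the two URL fields side by side shows what is stable and what is not: for every host that both samples contacted (closetu.com, desongli.com, naplesconciergerealty.com, safebookkeeping.com) the first query value is byte-for-byte identical across the two entries, whereas the query parameter names (ytsDIrP/JlM in 13714, FF/llsp in 13719) and the second value (tnt48PpXYxvL vs fTRHzt4pzn4XCX) change per sample. The rule_id annotations mark the small subset of the candidate hosts that the sandbox's URL rules actually flagged. The script below is an added example that turns those observations into a check; it is not code from this listing or from ZeroCERT. Its input is a constructed subset of the two entries' URL fields, copied verbatim from the rows above, all function names are this example's own, and the length thresholds in the shape filter are assumptions chosen to fit the data on the page rather than anything documented for the family.

```python
"""Correlate FormBook beacon URLs across sandbox entries.

Added example, not code from the listing or from ZeroCERT.  SAMPLE_ROWS is a
constructed subset of the URL fields of entries 13714 and 13719, copied
verbatim from the page; every function name here is this example's own.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_ROWS = {
    13714: (
        "http://www.safebookkeeping.com/mxnu/?ytsDIrP=Dinuu19hFboSFju1K0HZ6EbcdDMO+ZnQ9sDSjm9DAS1j/pnpew28zT8+4dAfvZHXXiVk+x1O&JlM=tnt48PpXYxvL "
        "http://www.jellyice-tr.com/mxnu/?ytsDIrP=2jYCrBsbpe7TX9aPhZM9pCxr75im0gQU84tPJTFdoXWJ8jmtmSvNbVsQgFqr9XIl+R+lpCoE&JlM=tnt48PpXYxvL - rule_id: 6480 "
        "http://www.naplesconciergerealty.com/mxnu/?ytsDIrP=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&JlM=tnt48PpXYxvL - rule_id: 6394 "
        "http://www.closetu.com/mxnu/?ytsDIrP=rJ249TMVQMCwGwXS7eMNhvOWH4SbGXiKs4Vq1JHmstm/5V4DyV8c/XoA/4BgaERVtEbRuzyC&JlM=tnt48PpXYxvL "
        "http://www.desongli.com/mxnu/?ytsDIrP=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&JlM=tnt48PpXYxvL "
        "http://www.closetu.com/mxnu/ "
        "http://192.3.110.172/006600066/vbc.exe"
    ),
    13719: (
        "http://www.closetu.com/mxnu/?FF=rJ249TMVQMCwGwXS7eMNhvOWH4SbGXiKs4Vq1JHmstm/5V4DyV8c/XoA/4BgaERVtEbRuzyC&llsp=fTRHzt4pzn4XCX - rule_id: 6644 "
        "http://www.naplesconciergerealty.com/mxnu/?FF=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&llsp=fTRHzt4pzn4XCX - rule_id: 6394 "
        "http://www.desongli.com/mxnu/?FF=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&llsp=fTRHzt4pzn4XCX - rule_id: 6643 "
        "http://www.safebookkeeping.com/mxnu/?FF=Dinuu19hFboSFju1K0HZ6EbcdDMO+ZnQ9sDSjm9DAS1j/pnpew28zT8+4dAfvZHXXiVk+x1O&llsp=fTRHzt4pzn4XCX - rule_id: 6652 "
        "http://www.877961.com/mxnu/?FF=aHYJt+cF3uKE/jjIR1o9yP3wzE0OqMGB2AjKuxgiPGP7v0vlkCnn7S+a/Vapc30Z99lnekHH&llsp=fTRHzt4pzn4XCX - rule_id: 6477"
    ),
}

# A URL token, optionally followed by the listing's "- rule_id: N" marker.
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")


def parse_url_field(field):
    """Split one row's URL field into (url, rule_id or None) pairs."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in URL_RE.finditer(field)]


def raw_query_pairs(url):
    """Key/value pairs with the value kept raw: parse_qsl would turn the
    '+' inside these values into spaces and break the comparison."""
    query = urlsplit(url).query
    return [tuple(kv.split("=", 1)) for kv in query.split("&") if "=" in kv]


def beacon_profile(url):
    """Describe a beacon-shaped URL (path plus exactly two query params);
    return None for bare path requests and for payload downloads."""
    pairs = raw_query_pairs(url)
    if len(pairs) != 2:
        return None
    (k1, v1), (k2, v2) = pairs
    parts = urlsplit(url)
    return {"host": parts.hostname, "path": parts.path,
            "params": (k1, k2), "host_value": v1, "trailer": v2}


def correlate(rows):
    """Across rows: which hosts carried the same first query value in every
    row that contacted them, which parameter names and trailing value each
    row used, and which hosts the sandbox's URL rules flagged."""
    values = defaultdict(set)    # host -> first query values seen
    rows_for = defaultdict(set)  # host -> rows that contacted it
    params, trailers, paths = {}, {}, set()
    hits = defaultdict(set)      # row -> hosts with a rule_id marker
    for row, field in rows.items():
        for url, rule in parse_url_field(field):
            if rule is not None:
                hits[row].add(urlsplit(url).hostname)
            prof = beacon_profile(url)
            if prof is None:
                continue
            paths.add(prof["path"])
            params[row] = prof["params"]
            trailers[row] = prof["trailer"]
            values[prof["host"]].add(prof["host_value"])
            rows_for[prof["host"]].add(row)
    stable = {h for h, r in rows_for.items()
              if len(r) > 1 and len(values[h]) == 1}
    return {"paths": paths, "params": params, "trailers": trailers,
            "stable_hosts": stable, "hits": dict(hits)}


def beacon_regex(result):
    """Shape filter over path+query built only from what stayed constant
    between the rows: the path token and the two-parameter layout.  The
    parameter names are deliberately not matched.  The 40/8 character
    thresholds are this example's assumption, fitted to the page's data."""
    token = "|".join(re.escape(p.strip("/")) for p in sorted(result["paths"]))
    return re.compile(rf"^/({token})/\?[A-Za-z]+=[A-Za-z0-9+/]{{40,}}"
                      rf"&[A-Za-z]+=[A-Za-z0-9]{{8,}}$")


def matches_beacon(rx, url):
    """Apply the shape filter to the path and query of one URL."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return bool(rx.match(target))


if __name__ == "__main__":
    result = correlate(SAMPLE_ROWS)
    for key in ("paths", "params", "trailers", "stable_hosts", "hits"):
        print(key, result[key])
    print(beacon_regex(result).pattern)
```

The practical point is which fields to pivot on. A blocklist keyed on the parameter names would miss the second sample; keying on the path token plus the per-host first value catches both, and the rule_id hits narrow the long decoy list down to the hosts worth enriching first. The shape filter is a hunting aid, not a verdict: pair it with the host list before acting on a match.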
13720 | 2021-10-18 18:16 | csrss.exe | b1d25fccfa3bac61c224dee5ac4da7c9
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself
1.6 |  | 32 | ZeroCERT
13721 | 2021-10-19 07:40 | soleApp11.exe | be89eef16c6bff3aeba20d44c6fdd929
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c (IdenTrust's DST Root CA X3 certificate; a certificate-chain fetch, not attacker infrastructure)
Hosts (4):
  apps.identrust.com (119.207.65.137)
  store2.gofile.io (31.14.69.10) - malicious
  61.111.58.34 - malware
  31.14.69.10 - malicious
Suricata (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 |  | 19 | ZeroCERT
13722 | 2021-10-19 09:20 | star.exe | 3e9ad03497178a5b4d170acc379fae62
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
1.8 | M | 19 | ZeroCERT
13723 | 2021-10-19 09:21 | 101.exe | 4ca6ef20b73800f2c9e596f430b70456
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
1.8 |  | 19 | ZeroCERT
13724 | 2021-10-19 09:23 | vbc.exe | d5221f463d6fe2799e405236513610cb
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 |  | 37 | ZeroCERT
13725 | 2021-10-19 09:23 | bll_3605800091212.exe | 8a5336e1f45a85b04b3b8930a714a7b0
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c (IdenTrust's DST Root CA X3 certificate; a certificate-chain fetch, not attacker infrastructure)
Hosts (4):
  apps.identrust.com (119.207.65.81)
  store2.gofile.io (31.14.69.10) - malicious
  31.14.69.10 - malicious
  23.59.72.9
Suricata (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 |  | 16 | ZeroCERT