13801 |
2021-10-20 09:14
|
sefile3.exe b45cf051beecc52e8b6ed4b09174d8cc Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
2.4 |
|
38 |
ZeroCERT
13802 |
2021-10-20 09:14
|
132.exe 97f8f7a08a23c4119347e1ac94b3fdaf Themida Packer UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed |
|
2
wq.yollowstar.site() 135.181.92.149
11.4 |
|
31 |
ZeroCERT
13803 |
2021-10-20 09:16
|
loader%202.exe 117ac974bd16d21864eef01b22879284 NSIS Malicious Library UPX PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://63.250.40.204/~wpdemo/file.php?search=745675 - rule_id: 6600
|
1
63.250.40.204 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://63.250.40.204/~wpdemo/file.php
|
10.8 |
M |
22 |
ZeroCERT
13804 |
2021-10-20 09:16
|
130.exe 9d1173da73c0acb7741ffba92279ab6a Themida Packer UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed |
|
2
bg.yollowstar.site() 65.21.94.84
11.4 |
|
34 |
ZeroCERT
13805 |
2021-10-20 09:19
|
askinstall59.exe 80dfcce79746fa5f6d6586963f2d0ea6 Gen2 Trojan_PWS_Stealer Credential User Data Generic Malware Malicious Packer Malicious Library SQLite Cookie UPX PE File OS Processor Check PE32 PNG Format Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution |
3
http://www.iyiqian.com/ - rule_id: 2326 https://iplogger.org/1GWfv7 https://www.listincode.com/ - rule_id: 2327
|
6
www.listincode.com(144.202.76.47) - mailcious www.iyiqian.com(103.155.92.58) - mailcious iplogger.org(88.99.66.31) - mailcious 103.155.92.58 - mailcious 88.99.66.31 - mailcious 144.202.76.47 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
http://www.iyiqian.com/ https://www.listincode.com/
|
7.8 |
M |
48 |
ZeroCERT
13806 |
2021-10-20 09:35
|
1922755485.exe 88c8a43e9f0d9635f1995352395d79a7 RAT PWS .NET framework Generic Malware UPX PE File OS Processor Check PE32 .NET EXE Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c http://zuu.drovtov.ru/ https://zuu.drovtov.ru/
|
5
apps.identrust.com(119.207.65.137) zuu.drovtov.ru(81.177.141.85) 61.111.58.34 - malware 81.177.141.85 - mailcious 185.215.113.94
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 25 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 |
M |
30 |
ZeroCERT
13807 |
2021-10-20 09:37
|
vbc.exe d4444398dcb1366ac99eb1074031d5db RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed |
11.2 |
M |
24 |
ZeroCERT
13808 |
2021-10-20 09:40
|
vbc.exe f4cd57e3512cbf801352ea10c2225d4b NPKI Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee Remote Code Execution crashed |
2
https://onedrive.live.com/download?cid=7B2ADE39B2F10F51&resid=7B2ADE39B2F10F51%21104&authkey=APQEHgzEMRRS19k https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634690254&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D7B2ADE39B2F10F51%26resid%3D7B2ADE39B2F10F51%2521104%26authkey%3DAPQEHgzEMRRS19k&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
|
4
login.live.com(20.190.141.38) onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious 20.190.144.166
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 |
M |
23 |
ZeroCERT
13809 |
2021-10-20 09:41
|
.csrss.exe e61e8fc9b052b9552bfe83657b84171a PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
|
2
61.111.58.34 - malware 136.243.159.53 - mailcious
|
13.8 |
M |
33 |
ZeroCERT
13810 |
2021-10-20 09:44
|
vbc.exe a02e884712c9731ee810fb7dbe9cd270 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
apps.identrust.com(119.207.65.137) pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious 61.111.58.34 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 |
M |
26 |
ZeroCERT
13811 |
2021-10-20 09:59
|
vbc.exe 97ed6cddaa33543d22927f1aa6a2ec08 RAT PWS .NET framework Generic Malware SMTP KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
10.0 |
M |
29 |
ZeroCERT
13812 |
2021-10-20 11:09
|
chrome.exe 88ef9621b800849bb2916f4d6654de32 RAT PWS .NET framework Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
|
3
www.google.com(142.251.42.132) 142.250.204.68 13.107.21.200
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.8 |
M |
29 |
ZeroCERT
13813 |
2021-10-20 11:09
|
inv_1_____-233000030000.wbk 8cb07df81d4c6d3798d05097c2af1a01 RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader |
13
|
27
|
8
ET INFO Executable Download from dotted-quad Host ET MALWARE FormBook CnC Checkin (GET) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET HUNTING Request to .XYZ Domain with Minimal Headers ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
10
http://www.gold2guide.art/mxnu/ http://www.mortgagerates.solutions/mxnu/ http://www.sattaking-gaziabad.xyz/mxnu/ http://www.whitebot.xyz/mxnu/ http://www.naplesconciergerealty.com/mxnu/ http://www.tbrhc.com/mxnu/ http://www.desongli.com/mxnu/ http://www.normandia.pro/mxnu/ http://www.ingdalynnia.xyz/mxnu/ http://www.funkidsroomdecor.com/mxnu/
|
4.4 |
M |
27 |
ZeroCERT
13814 |
2021-10-20 11:21
|
chrome.exe 88ef9621b800849bb2916f4d6654de32 RAT PWS .NET framework Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows ComputerName Cryptographic key crashed |
1
|
2
www.google.com(172.217.31.164) 142.250.204.68
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 |
M |
29 |
조광섭
13815 |
2021-10-20 11:25
|
loader1.exe 66a64f84f91c1dd2bc4b9f01faf15d40 NSIS Malicious Library UPX PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
1
http://63.250.40.204/~wpdemo/file.php?search=723855 - rule_id: 6600
|
1
63.250.40.204 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://63.250.40.204/~wpdemo/file.php
|
11.0 |
M |
41 |
ZeroCERT