13816 | 2021-10-20 11:27
TDL_011560751103011IMG.exe 637c0a1232a65aba8a98acb8ec9787af
RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(158.101.44.242)
  193.122.130.0
  104.21.19.200
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
15.2 | M | 28 | ZeroCERT

13817 | 2021-10-20 11:28
dby33.exe d576c9dc10e4705d5ee7a2d75349f45e
PWS Loki[b] Loki.m Malicious Packer PE File PE32 VirusTotal Malware
1.4 | M | 60 | ZeroCERT

13818 | 2021-10-20 11:30
.rundll32.exe 2ff83d3323dc8b30d6d346e5a5bbdac8
PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600
Hosts (1):
  63.250.40.204 - mailcious
Alerts (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Rule-matched URLs (1):
  http://63.250.40.204/~wpdemo/file.php
13.8 | M | 21 | ZeroCERT

13819 | 2021-10-20 11:31
vbc.exe 2c426a574c85912e2fb7033c980ade76
Loki NSIS Malicious Library UPX PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
Hosts (3):
  74f26d34ffff049368a6cff8812f86ee.gq(172.67.219.104) - mailcious
  104.21.62.32 - mailcious
  104.21.19.200
Alerts (10):
  ET INFO DNS Query for Suspicious .gq Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.gq domain
  ET INFO HTTP Request to a *.gq domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
10.2 | M | 27 | ZeroCERT

13820 | 2021-10-20 11:33
128.exe 72bc361dc77ea1fd40bd6c2e542c0d38
Emotet NPKI Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PE File PE32 OS VirusTotal Malware Buffer PE AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution DNS Cryptographic key
Hosts (2):
  PmrBxPSReszuseiOU.PmrBxPSReszuseiOU()
  46.161.27.74
12.6 | M | 19 | ZeroCERT

13821 | 2021-10-20 11:34
.vbc.exe 9261cdcf86933da34b74afa3da380bc3
NPKI Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee Remote Code Execution crashed
URLs (3):
  https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634697084&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DE97110434470423E%26resid%3DE97110434470423E%2521396%26authkey%3DAMSfkm3AUupwnz8&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
  https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634697082&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DE97110434470423E%26resid%3DE97110434470423E%2521396%26authkey%3DAMSfkm3AUupwnz8&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
  https://onedrive.live.com/download?cid=E97110434470423E&resid=E97110434470423E%21396&authkey=AMSfkm3AUupwnz8
Hosts (4):
  login.live.com(40.126.13.9)
  onedrive.live.com(13.107.42.13) - mailcious
  13.107.42.13 - mailcious
  40.126.16.167
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 | M | 25 | ZeroCERT

13822 | 2021-10-20 11:38
rundll32.exe 4d10925c2d52223135b1a2e069bc5ab0
RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (10):
  http://www.driventow.com/fqiq/?v4=WJEXqHgS+1w7jYZxj6bk2V/X0M1eNxv0v3Pq27u1m9Xixx6h0OkNhZFzEpcOyr0h54ejSKl9&nt=V48Hzvcp
  http://www.doggycc.com/fqiq/?v4=tdw/kGidBWNf5mG6fHQmMwAAiMBNQnR2khavRofMnKaLgi1yozi7+GTgpK8KzEDZt5zoAAfd&nt=V48Hzvcp
  http://www.tablescaperendezvous4two.com/fqiq/
  http://www.sanlifalan.com/fqiq/
  http://www.tablescaperendezvous4two.com/fqiq/?v4=6JOAu55ahQuW4nGm3x3zF3lJbu5eEm2HTNrnzqBc/qIL0noTMPzpzXdnuN9xnnUaregthFw6&nt=V48Hzvcp
  http://www.sanlifalan.com/fqiq/?v4=prTEVkQv/aIuaJ5tknUsCYHPcHrUQSHWro/2zNHeF4wHPtFNVSB8ZmBi9ORqDWcgPylN7lnN&nt=V48Hzvcp
  http://www.driventow.com/fqiq/
  http://www.doggycc.com/fqiq/
  http://www.wolmoda.com/fqiq/ - rule_id: 6688
  http://www.wolmoda.com/fqiq/?v4=S+cpy0umECTwuTE52eQvldFGZ7uWQHdiwg92XpTlC9HPK4+x2Wa76IO+IolmVoAcN8bu+dPq&nt=V48Hzvcp - rule_id: 6688
Hosts (9):
  www.shenjiclass.com()
  www.sanlifalan.com(104.165.34.6)
  www.wolmoda.com(75.2.115.196)
  www.driventow.com(34.102.136.180)
  www.doggycc.com(34.102.136.180)
  www.tablescaperendezvous4two.com(34.102.136.180)
  104.165.34.6
  34.102.136.180 - mailcious
  75.2.115.196 - mailcious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (2):
  http://www.wolmoda.com/fqiq/
  http://www.wolmoda.com/fqiq/
9.4 | M | 25 | ZeroCERT

13823 | 2021-10-20 11:39
TDH_1366621005IMG.exe 6c616b75c178cecf679cd9b01c628c7a
PWS Loki[b] Loki.m RAT Generic Malware UPX DNS AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Remote Code Execution
10.4 | M | 11 | ZeroCERT

13824 | 2021-10-20 13:20
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69
VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself
2.8 | | 25 | ZeroCERT

13825 | 2021-10-20 13:55
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69
VBA_macro Generic Malware MSOffice File VirusTotal Malware unpack itself
2.4 | | 25 | ZeroCERT

13826 | 2021-10-20 15:20
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69
VBA_macro Generic Malware MSOffice File Vulnerability VirusTotal Malware unpack itself
3.0 | | 25 | guest

13827 | 2021-10-20 15:24
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69
VBA_macro Generic Malware MSOffice File Vulnerability VirusTotal Malware unpack itself
3.0 | | 25 | guest

13828 | 2021-10-20 15:47
biz-14302409.xls 0b87d22eedbc86e0209de18c85c079ac
Downloader MSOffice File RWX flags setting unpack itself suspicious process suspicious TLD Tofsee DNS
URLs (4):
  http://x1.i.lencr.org/
  https://meettrust.in/aMZID8gQ/u.html
  https://aqissarafood.com.my/eAu610rn3w8V/u.html
  https://radiocaca.top/RVDXQ4D7cWU6/u.html
Hosts (8):
  meettrust.in(192.185.129.109)
  aqissarafood.com.my(103.27.74.73)
  x1.i.lencr.org(104.74.168.254)
  radiocaca.top(103.221.220.15)
  104.76.75.146
  192.185.129.109 - malware
  103.27.74.73
  103.221.220.15 - mailcious
Alerts (5):
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
4.4 | | | guest

13829 | 2021-10-20 15:49
biz-1431840176.xls b0cca0af3bbafeae72288f34a065de04
Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee DNS
URLs (4):
  http://x1.i.lencr.org/
  https://meettrust.in/aMZID8gQ/u.html
  https://aqissarafood.com.my/eAu610rn3w8V/u.html
  https://radiocaca.top/RVDXQ4D7cWU6/u.html
Hosts (8):
  meettrust.in(192.185.129.109)
  aqissarafood.com.my(103.27.74.73)
  x1.i.lencr.org(104.74.211.103)
  radiocaca.top(103.221.220.15)
  104.76.75.146
  103.27.74.73
  208.91.197.91 - mailcious
  103.221.220.15 - mailcious
Alerts (4):
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  ET DNS Query to a *.top domain - Likely Hostile
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 | | | guest

13830 | 2021-10-20 15:51
vbc.exe b1e98b432deb419643d81c167fe0dc37
NSIS Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (18):
  http://www.marshconstructions.com/mxnu/?XPc=uB6FNWC1vglbwwU+7YteY23vBejkvhe7mk/RqFXU3Cya7UnEdrryWwDyi3W4l929SCCXGUg+&Hpq=V6ALd0O0q6LdXt
  http://www.mortgagerates.solutions/mxnu/ - rule_id: 6648
  http://www.clarityflux.com/mxnu/?XPc=F/DQFsF8RrKr1Us+nbLEKgHaq+2wJ3tNOSMfcadHp0CfgflqiGoqX7CzLYRNT9boMuwgDpVY&Hpq=V6ALd0O0q6LdXt
  http://www.marshconstructions.com/mxnu/
  http://www.yama-nkok.com/mxnu/?XPc=WYJTyQzBI/Nfv2zZ2IpqJP889AEH3D6sBeTTWnIrEjDNSTb8YjAN+mBSNE5Irdq8z4aXa8oH&Hpq=V6ALd0O0q6LdXt
  http://www.scottjasonfowler.com/mxnu/?XPc=bxnsXBk3/zFzprLliJ6DLuiWEz+4gG+eISCnZHlxGigaq53fO8LGUUflcVDMmN9mi3cjEVdh&Hpq=V6ALd0O0q6LdXt
  http://www.yama-nkok.com/mxnu/
  http://www.mortgagerates.solutions/mxnu/?XPc=e40TMWWr6xWVnQ1HwCqLobeJF4L/Z7xCu7/MTKlaRXTCRzwsua34O9neh9w9TPhFkJc6vnSR&Hpq=V6ALd0O0q6LdXt - rule_id: 6648
  http://www.clarityflux.com/mxnu/
  http://www.029atk.xyz/mxnu/ - rule_id: 6486
  http://www.insightmyhome.com/mxnu/ - rule_id: 6661
  http://www.historyofcambridge.com/mxnu/?XPc=83rAwycDMUEJxLGVulxgJoLHCAQKcanhrm8XweUEKHeaWBLa77jLvzg0UgbAuk5RNaMObh69&Hpq=V6ALd0O0q6LdXt - rule_id: 6655
  http://www.historyofcambridge.com/mxnu/ - rule_id: 6655
  http://www.naplesconciergerealty.com/mxnu/?XPc=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&Hpq=V6ALd0O0q6LdXt - rule_id: 6394
  http://www.scottjasonfowler.com/mxnu/
  http://www.insightmyhome.com/mxnu/?XPc=/jfKiAqxBAHgqOulmGtRlW5n/Sqdafb78dllJBhjnK66Sxf6eS8KxZUn5zSBqfmdUZv1jy8Z&Hpq=V6ALd0O0q6LdXt - rule_id: 6661
  http://www.naplesconciergerealty.com/mxnu/ - rule_id: 6394
  http://www.029atk.xyz/mxnu/?XPc=6sRgvWVFBb3Q/xwRSmzppKeefWZYMhtu8mXrbS5z1U4Jv8b+WQjv+VljYqCaCxejjINp6HL4&Hpq=V6ALd0O0q6LdXt - rule_id: 6486
Hosts (24):
  www.promovart.com() - mailcious
  www.1sunsetgroup.com() - mailcious
  www.naplesconciergerealty.com(34.102.136.180)
  www.historyofcambridge.com(3.223.115.185)
  www.marshconstructions.com(51.77.52.109)
  www.clarityflux.com(198.54.117.217)
  www.mortgagerates.solutions(64.190.62.111)
  www.blue-ivy-boutique-au.com()
  www.029atk.xyz(23.225.30.171)
  www.ecommerceplatform.xyz(164.90.156.79)
  www.scottjasonfowler.com(23.227.38.74)
  www.insightmyhome.com(5.79.70.98)
  www.yama-nkok.com(118.27.122.218)
  www.megapollice.online() - mailcious
  23.224.179.3 - mailcious
  164.90.156.79
  198.54.117.211 - phishing
  34.102.136.180 - mailcious
  51.77.52.109
  64.190.62.111 - mailcious
  5.79.70.98 - mailcious
  3.223.115.185 - mailcious
  23.227.38.74 - mailcious
  118.27.122.218 - mailcious
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (10):
  http://www.mortgagerates.solutions/mxnu/
  http://www.mortgagerates.solutions/mxnu/
  http://www.029atk.xyz/mxnu/
  http://www.insightmyhome.com/mxnu/
  http://www.historyofcambridge.com/mxnu/
  http://www.historyofcambridge.com/mxnu/
  http://www.naplesconciergerealty.com/mxnu/
  http://www.insightmyhome.com/mxnu/
  http://www.naplesconciergerealty.com/mxnu/
  http://www.029atk.xyz/mxnu/
7.2 | M | 25 | ZeroCERT