13891 | 2021-10-21 18:06 | status.png | fcb53acd5fd1637a2ac1bc69f396e92c
  Tags: Malicious Packer UPX PE File OS Processor Check PE32 DLL VirusTotal Malware
  1.4 | - | 30 | ZeroCERT

13892 | 2021-10-21 18:12 | 5_SMSvcHost.resources.dll | 49b0e4b2386c4c7f9b0d3f8748bd34e8
  Tags: Malicious Library PE File PE32 DLL VirusTotal Malware
  1.2 | - | 20 | ZeroCERT

13893 | 2021-10-21 18:12 | vbc.exe | fd382a67a32410c901fe41f842abbf4b
  Tags: Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Remote Code Execution
  2.6 | - | 44 | ZeroCERT

13894 | 2021-10-21 18:13 | vbc.exe | 188a0c1b3179c00fa189e73b772dcd72
  Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
  URLs (18):
    http://www.disparandose.com/wogm/?iB=D+dBJmHY0wozFnPZdCJ4P8bOFjqjhTfeEm7Gt4gWTY8DpYdmkmVs15CXjColLDNDB8AsfAZ+&lH2h=VTRlddqP-4lHE0U
    http://www.javaportal.info/wogm/ - rule_id: 6537
    http://www.muescabynes.quest/wogm/ - rule_id: 6556
    http://www.sinagropuree.com/wogm/?iB=nwMgSNojV35EyJ9hphk06is8J3BDs4E1a66hewTnIuP7M3cS+zLeGjThioYS1Y8r0L7sYBrx&lH2h=VTRlddqP-4lHE0U - rule_id: 6548
    http://www.sub-dude.net/wogm/?iB=HxVwAaJzGBuX51Vt0nB5o9utW3dns44lKcItqqvpL1NB6Qdbdk/VIjjOHsgxAu6US9jFqwsH&lH2h=VTRlddqP-4lHE0U
    http://www.workospbit.space/wogm/ - rule_id: 6549
    http://www.yourhomestimate.com/wogm/?iB=OiSf9jV3Npz/RZJgbb0bKL9e2athsvXRQV6jCPdiTUSk124+vr4+cLKhD6dZYTypWjoW5Nc5&lH2h=VTRlddqP-4lHE0U - rule_id: 6554
    http://www.eygtogel021.com/wogm/?iB=OLfsUZOZM89huaQ2Rhq4Iq6vg35ZMytgB5JTmZSEOAiHvxtp6AgRBdz2Ob59YcBboWHm0lh9&lH2h=VTRlddqP-4lHE0U - rule_id: 6550
    http://www.weeklywars.com/wogm/ - rule_id: 6552
    http://www.sinagropuree.com/wogm/ - rule_id: 6548
    http://www.sub-dude.net/wogm/
    http://www.disparandose.com/wogm/
    http://www.javaportal.info/wogm/?iB=lSKsitiyws6CV1iMLxhrahVtvrIwWCHcUDACNSJ1QCT90EZMnOuQMhpHp/9WWeYlZFWK0aAa&lH2h=VTRlddqP-4lHE0U - rule_id: 6537
    http://www.muescabynes.quest/wogm/?iB=Cp2YzvgLUfohnHjhVFBNosoQ2J5qGB8UGxOLTRa7K8nkaGFbF9DyFpQO+4Qxvwo23h3ZSf7z&lH2h=VTRlddqP-4lHE0U - rule_id: 6556
    http://www.eygtogel021.com/wogm/ - rule_id: 6550
    http://www.workospbit.space/wogm/?iB=tAL4F5NLH4VmvVC1AGtDqpAVgb8tD+i+qrKuhbccqAXskllAguOxxUH0apD5Y6EEQuKJRsNk&lH2h=VTRlddqP-4lHE0U - rule_id: 6549
    http://www.weeklywars.com/wogm/?iB=4vPo1SJ4QXujYzlw76fQXs7HvlTQbV0+0txMnGRghQaMN633jA6UZgSWswdwEnRAOgPWuZC1&lH2h=VTRlddqP-4lHE0U - rule_id: 6552
    http://www.yourhomestimate.com/wogm/ - rule_id: 6554
  Hosts (19):
    www.workospbit.space(185.215.4.14)
    www.disparandose.com(118.27.122.214)
    www.yourhomestimate.com(198.54.117.244)
    www.sub-dude.net(34.102.136.180)
    www.javaportal.info(217.70.184.50)
    www.goodspaz.com() - malicious
    www.eygtogel021.com(104.21.21.225)
    www.sinagropuree.com(154.23.109.132)
    www.zpahura.com()
    www.weeklywars.com(34.102.136.180)
    www.muescabynes.quest(37.123.118.150)
    37.123.118.150 - malicious
    172.67.200.237 - malicious
    154.23.109.132 - malicious
    217.70.184.50 - malicious
    34.102.136.180 - malicious
    198.54.117.244 - phishing
    118.27.122.214
    185.215.4.14 - malicious
  Alerts (1):
    ET MALWARE FormBook CnC Checkin (GET)
  Rule-matched URLs (14):
    http://www.javaportal.info/wogm/
    http://www.muescabynes.quest/wogm/
    http://www.sinagropuree.com/wogm/
    http://www.workospbit.space/wogm/
    http://www.yourhomestimate.com/wogm/
    http://www.eygtogel021.com/wogm/
    http://www.weeklywars.com/wogm/
    http://www.sinagropuree.com/wogm/
    http://www.javaportal.info/wogm/
    http://www.muescabynes.quest/wogm/
    http://www.eygtogel021.com/wogm/
    http://www.workospbit.space/wogm/
    http://www.weeklywars.com/wogm/
    http://www.yourhomestimate.com/wogm/
  9.4 | M | 28 | ZeroCERT

13895 | 2021-10-21 18:14 | vbc.exe | df43d260e856d3e2ea964c33fc173bbb
  Tags: Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution
  Hosts (1):
  2.8 | - | 41 | ZeroCERT

13896 | 2021-10-21 18:17 | vbc.exe | 51cd4ea4c20552f51824b13af3a93360
  Tags: Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate privileges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE File PE32 VirusTotal Malware AutoRuns Code Injection Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution crashed
  URLs (3):
    https://p0c2ma.by.files.1drv.com/y4m1moWRm8KBm2Df5D46fhmSd3GREuKhuZP76EyAsPFxoDGIqFUaOpEzYEFrm-zFIRL8KpLxtVz9MKndlCbOeS3Rcita7qooptFOwWNjuCjvb1KfljTe5c0fBwaGMQJOZPEVoabUZRrY6pfwu-6TfUSoC1Lg1-wEqqHWQ6250dGJP37XBtB2QQohxAyJ2-InAqEDxro5MbxQPXg7ebMs8pOaA/Qhscwobprgsxvobamipciqxojusxxig?download&psid=1
    https://onedrive.live.com/download?cid=1836E41CA02A0786&resid=1836E41CA02A0786%21126&authkey=ANFamCUBM6-04tU
    https://p0c2ma.by.files.1drv.com/y4mmyhU1VrBAgkllz-s5JeRByJdOQxGYg1hvoXvVZiM1PWaIOYatItKGJbNzzXj7QjFKQ0Og2aMblVgkjvO0cgXcvwspTLdKo-qmEG3lXBVZBsx6vIO6zi-7Mobco7-eXUxsnSSy4DkYHGkhDzbIIfvKpt9E42rK1vModTBEOGH-sj9d6Kmie_enBwOkKYj7TtJx_4AA1dWhfO-hZwiiflDOw/Qhscwobprgsxvobamipciqxojusxxig?download&psid=1
  Hosts (4):
    onedrive.live.com(13.107.42.13) - malicious
    p0c2ma.by.files.1drv.com(13.107.42.12)
    13.107.42.13 - malicious
    13.107.42.12 - malware
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  6.8 | - | 30 | ZeroCERT

13897 | 2021-10-21 18:17 | vbc.exe | 2da4313d81184d2c0063b445600a8625
  Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
  URLs (1):
    http://checkvim.com/ga17/fre.php
  Hosts (1):
    checkvim.com() - malicious
  12.2 | - | 41 | ZeroCERT

13898 | 2021-10-21 18:19 | file.exe | 201e9ae321377c18400c09ff75c9aee6
  Tags: Gen2 Gen1 Generic Malware Malicious Library UPX Anti_VM DNS AntiDebug AntiVM PE File OS Processor Check PE32 VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself sandbox evasion human activity check Windows ComputerName Remote Code Execution DNS DDNS crashed
  Hosts (2):
    newme122.3utilities.com(23.105.131.228) - malicious
    23.105.131.228 - malicious
  Alerts (1):
    ET POLICY DNS Query to DynDNS Domain *.3utilities .com
  13.2 | - | 29 | ZeroCERT

13899 | 2021-10-21 18:21 | vbc.exe | b1ed59d8b5aa3dd544e3ec56e260b484
  Tags: PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed
  Hosts (1):
    23.105.131.228 - malicious
  13.0 | - | 16 | ZeroCERT

13900 | 2021-10-21 18:22 | vbc.exe | 939580a7f4148b93d390b055e51eb224
  Tags: PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
  URLs (1):
    http://secure01-redirect.net/ga17/fre.php
  Hosts (2):
    secure01-redirect.net(185.22.172.2)
    185.22.172.2
  Alerts (7):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  13.0 | - | 22 | ZeroCERT

13901 | 2021-10-21 18:23 | invc_0000560001.wbk | e569cf93ee6733d55657ada351f94c34
  Tags: RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (2):
    http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600
    http://103.167.84.138/explorer90/vbc.exe
  Hosts (2):
    103.167.84.138 - malware
    63.250.40.204 - malicious
  Alerts (12):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
  Rule-matched URLs (1):
    http://63.250.40.204/~wpdemo/file.php
  4.8 | M | 29 | ZeroCERT

13902 | 2021-10-21 18:23 | 7_Microsoft.Data.Entity.Build.... | aba5b0df02c421887cd5899a1e3ee976
  Tags: Malicious Library PE File PE32 DLL VirusTotal Malware
  1.0 | - | 19 | ZeroCERT

13903 | 2021-10-21 18:24 | iso-77002387418602.exe | 3446b3427eb52e09af7b7424d8bd6dc3
  Tags: RAT Generic Malware UPX SMTP KeyLogger AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key DDNS Software crashed
  URLs (2):
    http://checkip.dyndns.org/
    https://freegeoip.app/xml/175.208.134.150
  Hosts (4):
    freegeoip.app(172.67.188.154)
    checkip.dyndns.org(216.146.43.70)
    172.67.188.154
    132.226.247.73
  Alerts (3):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY External IP Lookup - checkip.dyndns.org
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  14.6 | - | 19 | ZeroCERT

13904 | 2021-10-21 18:24 | vbc.exe | 05d6732ff73403961d2b131ac1237393
  Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
  2.4 | - | 36 | ZeroCERT

13905 | 2021-10-21 18:25 | cortana.exe | 6c11f38adec40c226ba26d9d0d505b45
  Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
  9.6 | - | 37 | ZeroCERT
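A feed like the one above is only useful once its indicators are pulled out and normalised. The following script is an added example, not part of the original feed or of the ZeroCERT sandbox: it parses records written in a compact "id | timestamp | filename | md5" form followed by "URLs (n):" and "Hosts (n):" lines that keep the feed's own notation (URL optionally followed by "- rule_id: N", "domain(ip)" entries, bare IPs optionally followed by a reputation word), merges duplicate indicators across records, keeps the rule_id and reputation labels as tags, records which domain each IP resolved from, defangs values for sharing, and flags LokiBot gate URLs using the "/fre.php" pattern common to the three Loki records on this page (13897, 13900, 13901). The sample input is constructed from records 13900 and 13901 and trimmed; the compact layout, the tag names ("rule_id:", "dns:") and the fre.php heuristic are this example's assumptions.

```python
"""IOC extraction from flattened sandbox-feed records (added example).

Not part of the original feed. Assumes each record starts with
"<id> | <timestamp> | <filename> | <md5>" followed by indented
"URLs (n): ..." and "Hosts (n): ..." lines in the feed's notation:
URL [- rule_id: N], domain(ip) [- reputation], ip [- reputation].
"""
import re
from urllib.parse import urlsplit

# Constructed sample: records 13900 and 13901 from the page, trimmed to the
# fields this script consumes (only two of the seven alerts are kept).
SAMPLE_FEED = """\
13900 | 2021-10-21 18:22 | vbc.exe | 939580a7f4148b93d390b055e51eb224
  URLs (1): http://secure01-redirect.net/ga17/fre.php
  Hosts (2): secure01-redirect.net(185.22.172.2) 185.22.172.2
  Alerts (2): ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin
13901 | 2021-10-21 18:23 | invc_0000560001.wbk | e569cf93ee6733d55657ada351f94c34
  URLs (2): http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600 http://103.167.84.138/explorer90/vbc.exe
  Hosts (2): 103.167.84.138 - malware 63.250.40.204 - malicious
"""

RECORD_HEAD = re.compile(
    r"^(\d+) \| (\d{4}-\d\d-\d\d \d\d:\d\d) \| (.+?) \| ([0-9a-fA-F]{32})[ \t]*$", re.M)
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV4_RE = re.compile(IPV4)
URL_RE = re.compile(r"(https?://\S+)(?: - rule_id: (\d+))?")
# Either "domain(ip)" (ip may be empty) or a bare ip, each with an optional "- tag".
HOST_RE = re.compile(
    rf"([a-z0-9.-]+\.[a-z]{{2,}})\(({IPV4})?\)(?: - (\w+))?|\b({IPV4})\b(?: - (\w+))?", re.I)


def parse_feed(text):
    """Return {(kind, value): {"records": [...], "tags": [...]}} for every indicator.

    kind is one of md5, url, domain, ipv4. Indicators seen in several records are
    merged; tags collect rule_id annotations, the feed's reputation words and, for
    an IP taken from "domain(ip)", a "dns:<domain>" tag naming that domain.
    """
    found = {}

    def add(kind, value, rid, tag=None):
        entry = found.setdefault((kind, value), {"records": set(), "tags": set()})
        entry["records"].add(rid)
        if tag:
            entry["tags"].add(tag)

    heads = list(RECORD_HEAD.finditer(text))
    for i, head in enumerate(heads):
        rid, _ts, _fname, md5 = head.groups()
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        add("md5", md5.lower(), rid)
        for line in text[head.end():end].splitlines():
            label, _, rest = line.strip().partition(":")
            if label.startswith("URLs"):
                for url, rule in URL_RE.findall(rest):
                    add("url", url, rid, f"rule_id:{rule}" if rule else None)
                    host = urlsplit(url).hostname  # URL host is an indicator too
                    if host:
                        add("ipv4" if IPV4_RE.fullmatch(host) else "domain", host.lower(), rid)
            elif label.startswith("Hosts"):
                for dom, dom_ip, dom_tag, ip, ip_tag in HOST_RE.findall(rest):
                    if dom:
                        add("domain", dom.lower(), rid, dom_tag or None)
                        if dom_ip:
                            add("ipv4", dom_ip, rid, f"dns:{dom.lower()}")
                    else:
                        add("ipv4", ip, rid, ip_tag or None)
    return {k: {"records": sorted(v["records"]), "tags": sorted(v["tags"])}
            for k, v in sorted(found.items())}


def defang(value):
    """Neutralise an indicator for sharing: hxxp scheme, bracketed dots in the host."""
    m = re.fullmatch(r"(https?)://([^/?#]+)(.*)", value, re.S)
    if m:
        scheme, host, rest = m.groups()
        return f"{scheme.replace('tt', 'xx')}://{host.replace('.', '[.]')}{rest}"
    return value.replace(".", "[.]")


def lokibot_gate_urls(iocs):
    """Heuristic from this feed's Loki records: the check-in URL path ends in /fre.php."""
    return [v for (k, v) in iocs if k == "url" and urlsplit(v).path.endswith("/fre.php")]


if __name__ == "__main__":
    iocs = parse_feed(SAMPLE_FEED)
    for (kind, value), meta in iocs.items():
        print(f"{kind:6} {defang(value)}  records={meta['records']} tags={meta['tags']}")
    print("LokiBot gate candidates:", [defang(u) for u in lokibot_gate_urls(iocs)])
```

The parser deliberately treats the host of every URL as an indicator in its own right, so an IP that only ever appears inside a download URL still ends up in the ipv4 list with the record that produced it; the reputation words are kept verbatim rather than mapped onto a fixed vocabulary, because the feed's own labels (malicious, malware, phishing) are what a downstream block list would be keyed on.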