13906 | 2021-10-21 18:26
File: vbc.exe
MD5: d4a99da8dad738056893d74202045a0a
Tags: NSIS, Malicious Library, UPX, PE File, PE32, DLL, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
Hosts (3):
  74f26d34ffff049368a6cff8812f86ee.ml (104.21.22.146)
  172.67.205.83
  172.67.188.154
Suricata alerts (10):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ml Domain
  ET INFO HTTP Request to a *.ml domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 11.2
VT detections: 31
Source: ZeroCERT

13907 | 2021-10-21 18:27
File: csrss.exe
MD5: 0929fb7f0a76cd563c16ba1b3303dcb4
Tags: PWS, Loki[b], Loki.m, .NET framework, Generic Malware, Socket, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, Software
URLs (1):
  http://secure01-redirect.net/fd4/fre.php
Hosts (2):
  secure01-redirect.net (185.22.172.2)
  185.22.172.2
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 14.6
VT detections: 19
Source: ZeroCERT

13908 | 2021-10-21 18:28
File: reza123reza.ps1
MD5: 2c2a464ee3cbac261020d096df5b3d15
Tags: Generic Malware, Antivirus, Check memory, unpack itself, Windows, Cryptographic key
URLs: none recorded
Hosts: none recorded
Suricata alerts: none
Score: 0.8
VT detections: not recorded
Source: ZeroCERT

13909 | 2021-10-21 18:31
File: dictate 010.21.doc
MD5: 3128a1aa061355d275cd323336148c4a
Tags: VBA_macro, Malicious Library, UPX, Word 2007 file format(docx), GIF Format, PE64, PE File, OS Processor Check, DLL, Malware download, VirusTotal, Malware, Check memory, buffers extracted, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, suspicious process, AntiVM_Disk, VM Disk Size Check, Interception, Windows
URLs (1):
  http://carwaded.com/cbfsd/24347/41EodPr8rdAPbi/rFjYEqQBN9BzlXOJ/co2DYqCcQatc3tAfiFpqO/kjCz20ymbCMJOn6FyZTDtGZBcaJ2NEXURT1Fv4LjjUwj/65781/h0ZG8aSvwTaxxnHLMlOEl0l9P5EKiO/nTsA9y9hdvZVFYOv4FXv/iRH894BQn5REjnyNNViZab9ri8KRve9vDsY32giK/Iix2kVOrJlJj1M9CMWpP73kUBQhklw6/zes2?ref=AuVcQ
Hosts (2):
  carwaded.com (185.53.46.50)
  185.53.46.50
Suricata alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
  ET INFO EXE - Served Attached HTTP
Score: 7.6
VT detections: 18
Source: ZeroCERT

13910 | 2021-10-21 18:32
File: loader3.exe
MD5: 5e9c6466f89089a73465bec3e84f6731
Tags: NSIS, Malicious Library, UPX, PE File, PE32, DLL, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself, AppData folder
URLs (25):
  http://www.zitzies.xyz/ons6/?t8rL=hZn+h4i3qdjTvlrFTGBuGCKYeL7fx9ifE9FggzQ92Zn9lbpv8mLmxbTq9s8XLHOhsR7FCksw&1bVHT=mzrd
  http://www.pinnap.online/ons6/
  http://www.algoescrow.com/ons6/
  http://www.parasitevhs.net/ons6/
  http://www.ktndetermine.xyz/ons6/?t8rL=hsISH4OHQbwAzFD8sw5R8ibBoXqjnq3rD9DL1tZnwnB9Hd1+cJwfc431OSdC7X2Zl5JwC7n9&1bVHT=mzrd
  http://www.miltonjorge.net/ons6/
  http://www.tinturas-espagiricas.com/ons6/?t8rL=iIzayoLE23mGgxynHjOYRl9PYUP2qm5VdNCSkLZw3/FXI9XjUQBaDfeomXYvjIDjuyHUqn+8&RRm=rzrxPvVXEt3h1V
  http://www.ancditalia.com/ons6/?t8rL=FqNY8GtcjD33AatuGxZVeLNAL7NCMjzFx4DR/EkfIuUI1nBdJ29F87IFN/JOzYZj2heFFPtj&1bVHT=mzrd
  http://www.pinnap.online/ons6/?t8rL=T6IzNIefCt9asoM7wwl9vJHvNA8mHbVSIT7fQPN9khiXvHagvcAS0QXryNsRvv6cCNHi/hH2&1bVHT=mzrd
  http://www.ancditalia.com/ons6/
  http://www.zitzies.xyz/ons6/
  http://www.nagukoohatomo.xyz/ons6/?t8rL=AU+/5gjjPw5Dm7aO9w7wHS0YBjsv8vB0MKtvFyQe5P/L/nwKZqqTHP+wSIlGIao5xIcO+W/k&1bVHT=mzrd
  http://www.ktndetermine.xyz/ons6/
  http://www.regencyimperial.com/ons6/
  http://www.regencyimperial.com/ons6/?t8rL=pLcPY8DfVC4nF6nImpsYDslgQTm8hb6zaSbefXYfTYcwDwG8RZYyRprx0kRJ8HTy9l/fsGrp&1bVHT=mzrd
  http://www.nagukoohatomo.xyz/ons6/
  http://www.nikurei.com/ons6/?t8rL=p66laJGF/T/0GpXxDd5hPjZubfTol0Lr3IwBrqBRPCvhxhKDrtw9PJ387dQ2b+OE0rZGfG2l&1bVHT=mzrd
  http://www.advertising.land/ons6/
  http://www.ilkermulla.com/ons6/
  http://www.algoescrow.com/ons6/?t8rL=UZGepyMrR79POtZQLeB3ajJI81oFbK1boHubTc9HwB4nkf80NE7aBFqbJaYFAd0yFJ1izkfv&1bVHT=mzrd
  http://www.parasitevhs.net/ons6/?t8rL=K3/O5qStXw91cEZafq/vhJilaUZh0YJN+5nekOno/0bdfp1j2HTF92oxwv5f7cu06ufW7UgY&1bVHT=mzrd
  http://www.ilkermulla.com/ons6/?t8rL=htUh7pgQwNNfonrnVODaoHFM/ntRzGt2NReYjs2/5acpPEiDUC1M6/iirndOWmVYqwPaQDzl&1bVHT=mzrd
  http://www.nikurei.com/ons6/
  http://www.miltonjorge.net/ons6/?t8rL=ion/dvzazzRROQ/XthjQyoKaw08WdXBcQebFYFFZYCISD6I22k/rL6VDxVsOJE+QY/yDsfb+&1bVHT=mzrd
  http://www.advertising.land/ons6/?t8rL=5atXNRmUx37mOBRWSYjO7P9m1FhF1iu6rr12G6zuRSfmWlt8qfmLuUoCi3zjZJe340qI9kJw&1bVHT=mzrd
Hosts (26):
  www.zitzies.xyz (104.21.75.74)
  www.ktndetermine.xyz (34.102.136.180)
  www.algoescrow.com (162.255.119.57)
  www.storeydrive.rentals (unresolved)
  www.ancditalia.com (72.247.211.17)
  www.regencyimperial.com (34.102.136.180)
  www.parasitevhs.net (209.99.40.222)
  www.tinturas-espagiricas.com (34.102.136.180)
  www.bitterbaybay.com (unresolved)
  www.nagukoohatomo.xyz (172.217.175.51)
  www.nikurei.com (34.102.136.180)
  www.advertising.land (172.67.179.65)
  www.pinnap.online (185.68.16.23)
  www.ilkermulla.com (103.224.212.221)
  www.miltonjorge.net (162.241.203.56)
  www.desso.one (unresolved)
  172.217.175.51 - phishing
  209.99.40.222 - malicious
  162.241.203.56 - malicious
  34.102.136.180 - malicious
  162.255.119.57
  172.67.179.65
  72.247.211.17
  103.224.212.221
  185.68.16.23
  104.21.75.74
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 7.0
VT detections: 24
Source: ZeroCERT

13911 | 2021-10-21 18:32
File: QA4ty2uUkTCD2tfNQSE5.exe
MD5: 1eada844f6d267f4451b9ffa8eba6624
Tags: Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Buffer PE, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (216.146.43.70)
  216.146.43.71
  104.21.19.200
Suricata alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
Score: 15.0
VT detections: 30
Source: ZeroCERT

13912 | 2021-10-21 18:34
File: vbc.exe
MD5: 016d9078762cb89a6043b916f3634374
Tags: RAT, PWS, .NET framework, Generic Malware, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
URLs: none recorded
Hosts: none recorded
Suricata alerts: none
Score: 12.8
VT detections: 24
Source: ZeroCERT

13913 | 2021-10-21 18:45
File: vbc.exe
MD5: 43c4f31951dfaa67b56f438bc1454522
Tags: Malicious Library, UPX, PE File, PE32, FormBook, Emotet, Malware download, VirusTotal, Malware, Buffer PE, AutoRuns, Code Injection, Malicious Traffic, buffers extracted, Creates executable files, RWX flags setting, unpack itself, Tofsee, Windows, crashed
URLs (11):
  http://www.trashwasher.com/ht08/?jrQDrX=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&p0D=QfrDsny8j2kPE0s
  http://www.swisstradecenter.com/ht08/?jrQDrX=QSE46j0HNZ2QncZWLMtuNIJxO3VJtHj2iE4I7IkNciklA1BQH3YeyQjbp0g62VHrm1UWPSce&p0D=QfrDsny8j2kPE0s
  http://www.kinmanpowerwashing.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=wJPYOBNPPe4q/AU39b/otaYCYPUa59MhN5lNfdB/7j2pgKnFe5P4sOF7ywpp0IQx2Nw/u5M7
  http://www.cdgdentists.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=EXbQHeCb31o1gaBaR2ATYI6ExABbI7DKLBQ2CIR3ARrEXHsMlpnG7TJ7X1JozzLBrtTu60nh
  http://www.oilelm.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=+MKoH/T1lSGBa8iWH91/ZquhTarcPNk/tfbZWgzq/IKlWL2S/ubFt9bqD7NQKtX6NP3pa9SI
  http://www.amaroqadvisors.com/ht08/?jrQDrX=u/HH8oXplBhOFryswzp14fRHx2iZXqd5LlKZ1+of1fszA0QUqCsF/wVmyePk0HUmpsPYuBxx&p0D=QfrDsny8j2kPE0s
  http://www.oooci.com/ht08/?jrQDrX=N3mp3TnmlmOVAV+GBSkbxeVJeF+TLCeopoFxOLndztPBPVOFElj2miXAPLJhlFBp52cue+7l&p0D=QfrDsny8j2kPE0s
  http://www.septemberstockevent200.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP
  https://owfboa.dm.files.1drv.com/y4mmGEQ-1TDGWvA6srDdg7lIrn1Oc-IcieS9yK0yjEgqixnisRz1pHwTYHyXpmsBWdPtArgy7blgdempTtadNiVRcbinYKYCyletcXYWpE5khUcMHXWFto4eVdeTdAIrs0BatLzvepPG8tTU5ebW2mvg4zCaH1LHQxf_F95RdwjWiFbiFK28ZqFIaBN0iq15Gfi0vvbafd9LrWYvE6pJ7efIA/Ewzmyhkhgsejfrjfwzttwocuueudzgr?download&psid=1
  https://owfboa.dm.files.1drv.com/y4mUfne4wayPOFatX-pbl6vWAtr619eHfZxjSq-Nz-7Vqg6l3ceiOlz0DebBFWCOW_3msvrTRqCAoBdhpjV1KeyTZ4XPy4CNzV-5M1Cq7oXAB8kGm9SPNgqXKQVg3qkcrWjuAv9rbUSvXX_Z34Ybr5jYUlszfdrxqFZhzKrUigROi5ITLXVl3DcbLodY3blfsCvabJpAY3zWSWxQMGIxQVszQ/Ewzmyhkhgsejfrjfwzttwocuueudzgr?download&psid=1
  https://onedrive.live.com/download?cid=BCFBDC0738CBFF0F&resid=BCFBDC0738CBFF0F%21109&authkey=AONmXFICrRaoFt4
Hosts (24):
  onedrive.live.com (13.107.42.13) - malicious
  www.digipoint-entertainment.com (unresolved)
  www.swisstradecenter.com (217.26.63.20)
  www.oilelm.com (172.67.159.113)
  www.amaroqadvisors.com (34.102.136.180)
  www.septemberstockevent200.com (172.67.188.247)
  www.getjoyce.net (unresolved)
  www.curebase-test.com (unresolved)
  www.oooci.com (101.35.123.80)
  www.kinmanpowerwashing.com (182.50.132.242)
  owfboa.dm.files.1drv.com (13.107.42.12)
  www.shangduli.space (114.95.162.70)
  www.cdgdentists.com (34.102.136.180)
  www.trashwasher.com (151.101.66.159)
  13.107.42.13 - malicious
  13.107.42.12 - malware
  217.26.63.20
  34.102.136.180 - malicious
  172.67.188.247
  182.50.132.242 - malicious
  114.95.162.70
  101.35.123.80
  104.21.66.109
  151.101.66.159 - malicious
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.8
VT detections: 19
Source: ZeroCERT

13914 | 2021-10-21 18:46
File: vbc.exe
MD5: d0e4c13e6c8ba9fe34d86b554b595d9a
Tags: NSIS, Malicious Library, UPX, PE File, PE32, DLL, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder
URLs (18):
  http://www.candypalette.com/kqna/?XPJPe4Q0=gfz7SykQtqnvqGHDVt9Sq/sQwFu3mmkE3P7hoh5mXhnlze04JbT/9GbgDzlkmDUFL9Oz3qhg&EBZ=ZTFtdFihOjc0V - rule_id: 6786
  http://www.generationgirlnaturals.com/kqna/
  http://www.netkopat.com/kqna/
  http://www.netkopat.com/kqna/?XPJPe4Q0=XCeMQl5kuZk/VAPz1x3NMFNaYm0TP5U/J5/9BEX1GnrVHj0GaV8zX9dSOYzSTsdbHQNQtFsF&EBZ=ZTFtdFihOjc0V
  http://www.hautlescoeurscollection.com/kqna/
  http://www.fraserstephendop.com/kqna/?XPJPe4Q0=/ubmoBp65Okyuu3LQpd6BICjkbw0SXb2/UwCCZwJ/Fe1H/pHrLEpRm6qotblqBtYRSTWmjxF&EBZ=ZTFtdFihOjc0V
  http://www.surfsolutions.info/kqna/ - rule_id: 6791
  http://www.candypalette.com/kqna/ - rule_id: 6786
  http://www.tigerstarmatka.com/kqna/ - rule_id: 6785
  http://www.surfsolutions.info/kqna/?XPJPe4Q0=dcnZeOVVJSfvUaco8qQNZ9XrhbJ3we+xyEUMa9yoWpEuWq2eXXPIXA5TkXgJFjsZU/Pq8NER&EBZ=ZTFtdFihOjc0V - rule_id: 6791
  http://www.hautlescoeurscollection.com/kqna/?XPJPe4Q0=5D8+/NUJ6SHRwR8iDAR3xdQ85MKY3LVZxxY031ww84efqx2r1agFQuE5bYzBJbXYeHOEJ4PT&EBZ=ZTFtdFihOjc0V
  http://www.tigerstarmatka.com/kqna/?XPJPe4Q0=WsqGZAQros6YqmWTBX4NfZ/s8YWhGwfZXTAI3K43qiDXPWL+08MoNe9ItI/4zkDRJBUw3EwW&EBZ=ZTFtdFihOjc0V - rule_id: 6785
  http://www.generationgirlnaturals.com/kqna/?XPJPe4Q0=y7M/lgAT23Oh1oltO5RaxlEy4Bz2jyK1luujiozG5pWU+I4JVxp3OS49isl7KGuf1hAvA74/&EBZ=ZTFtdFihOjc0V
  http://www.fraserstephendop.com/kqna/
  http://www.alifdanismanlik.com/kqna/
  http://www.globalmarineserv.com/kqna/ - rule_id: 6788
  http://www.alifdanismanlik.com/kqna/?XPJPe4Q0=mQnobkOfgPtywstNWl93w92LClziyi9exAIAZ2dbJOdepP7Ogt31xGCBzTFokFA1igwL7X4B&EBZ=ZTFtdFihOjc0V
  http://www.globalmarineserv.com/kqna/?XPJPe4Q0=OcQswr2RSap8Tqs4oU4ZFsiLsHswYX19Q+tKNUlPXhjH/8KnGfVJ0KkYssvjpVDRe7cJzP2E&EBZ=ZTFtdFihOjc0V - rule_id: 6788
Hosts (24):
  www.g632b.online (unresolved)
  www.minutemannetwork.net (unresolved)
  www.tigerstarmatka.com (51.81.73.1)
  www.anthemmg.com (unresolved)
  www.alifdanismanlik.com (157.90.247.57)
  www.fraserstephendop.com (198.54.117.212)
  www.hjku.xyz (unresolved)
  www.gregdokes.com (unresolved)
  www.surfsolutions.info (138.201.145.141)
  www.craftstockco.com (unresolved)
  www.candypalette.com (216.194.173.79)
  www.netkopat.com (154.64.42.97)
  www.globalmarineserv.com (138.128.160.186)
  www.generationgirlnaturals.com (3.33.152.147)
  www.hautlescoeurscollection.com (217.70.184.50)
  15.197.142.173
  216.194.173.79 - malicious
  138.128.160.186 - malicious
  157.90.247.57
  138.201.145.141 - malicious
  198.54.117.217 - phishing
  51.81.73.1 - malicious
  154.64.42.97
  217.70.184.50 - malicious
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
URLs matched by rules (8):
  http://www.candypalette.com/kqna/
  http://www.surfsolutions.info/kqna/
  http://www.candypalette.com/kqna/
  http://www.tigerstarmatka.com/kqna/
  http://www.surfsolutions.info/kqna/
  http://www.tigerstarmatka.com/kqna/
  http://www.globalmarineserv.com/kqna/
  http://www.globalmarineserv.com/kqna/
Score: 6.2
Flag: M
VT detections: 24
Source: ZeroCERT

13915 | 2021-10-21 18:46
File: vbc.exe
MD5: 1be75ae8266bee2a29b8846a503fbd44
Tags: NSIS, Malicious Library, UPX, PE File, PE32, DLL, Emotet, VirusTotal, Malware, Code Injection, Check memory, Creates executable files, unpack itself, AppData folder
URLs: none recorded
Hosts: none recorded
Suricata alerts: none
Score: 4.2
VT detections: 23
Source: ZeroCERT

13916 | 2021-10-21 18:47
File: vbc.exe
MD5: 5118a67b86f2cad297041b94b6531470
Tags: PWS, Loki[b], Loki.m, .NET framework, Generic Malware, Socket, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://secure01-redirect.net/ga18/fre.php
Hosts (3):
  secure01-redirect.net (185.22.172.2)
  37.123.118.150 - malicious
  185.22.172.2
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 13.0
VT detections: 19
Source: ZeroCERT

13917 | 2021-10-21 18:49
File: vbc.exe
MD5: 03c4801d0dc21f4d6f0ba7df857844f9
Tags: Loki, PWS, Loki[b], Loki.m, .NET framework, Generic Malware, Socket, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, Software
URLs (1):
  http://bobbyelectronics.xyz/five/fre.php - rule_id: 6744
Hosts (2):
  bobbyelectronics.xyz (172.67.184.253) - malicious
  172.67.184.253
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
URLs matched by rules (1):
  http://bobbyelectronics.xyz/five/fre.php
Score: 13.0
Flag: M
VT detections: 24
Source: ZeroCERT

13918 | 2021-10-21 18:49
File: p.rar
MD5: 3fd464b516d58fe73d39af362b397478
Tags: AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName
URLs: none recorded
Hosts: none recorded
Suricata alerts: none
Score: 3.8
VT detections: not recorded
Source: ZeroCERT

13919 | 2021-10-21 18:51
File: vbc.exe
MD5: e412dec033b703991798c4ac7f7b013b
Tags: PWS, Loki[b], Loki.m, .NET framework, Generic Malware, Socket, DNS, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, Software
URLs (1):
  http://secure01-redirect.net/ga17/fre.php
Hosts (2):
  secure01-redirect.net (185.22.172.2)
  185.22.172.2
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Score: 13.0
VT detections: 23
Source: ZeroCERT

13920 | 2021-10-21 18:54
File: Int-Report-Poonch.rar
MD5: 66d3eeb3e3466a255e8f8dd5aa90175d
Tags: AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName
URLs: none recorded
Hosts: none recorded
Suricata alerts: none
Score: 3.8
VT detections: not recorded
Source: ZeroCERT
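The LokiBot entries above (13906, 13907, 13916, 13917, 13919) all POST to a panel gate ending in /fre.php and trip the "LokiBot User-Agent (Charon/Inferno)" rule; the FormBook entries (13910, 13913, 13914) cycle through a long list of www.-prefixed decoy and C2 domains with one short path and a query string carrying one long opaque value. Several of those domains also resolve to the same address (34.102.136.180 appears under four domains in entry 13910 alone). The script below is an added example, not part of the ZeroCERT listing or its sandbox: it classifies constructed proxy-log lines with those two URL shapes and groups a Hosts field by resolved IP to surface shared infrastructure. The log format, the source addresses, the 40-character and two-parameter thresholds, and the "suspect" tier are choices made here for illustration, not values taken from the page or from the ET rules.

```python
"""Heuristic triage of LokiBot / FormBook-shaped HTTP requests plus an IP pivot
over a sandbox Hosts field. Added example; all sample data below is constructed."""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# LokiBot's hard-coded User-Agent; the ET rule
# "LokiBot User-Agent (Charon/Inferno)" keys on this string.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# FormBook check-ins in the listing: GET http://www.<domain>/<short alnum>/?<k>=<long>&<k2>=<short>
FORMBOOK_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")

# Constructed proxy-log shape used here: <ts> <src ip> <method> <url> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

# Host tokens as the listing prints them: domain(ip) or domain (ip); empty or
# non-numeric parentheses mean the sandbox got no answer and are skipped.
HOST_TOKEN = re.compile(r"(\S+?)\s?\(([\d.]*)\)")


def classify_request(method: str, url: str, user_agent: str) -> Optional[str]:
    """Return a verdict label for one request, or None when nothing matches."""
    u = urlsplit(url)
    if method == "POST" and u.path.endswith("/fre.php"):
        # A /fre.php gate alone is only suspicious; the UA match makes it a hit.
        return "lokibot-checkin" if user_agent == LOKIBOT_UA else "lokibot-suspect"
    if method == "GET" and u.hostname and u.hostname.startswith("www.") \
            and FORMBOOK_PATH.match(u.path):
        params = parse_qsl(u.query, keep_blank_values=True)
        # Threshold chosen here: exactly two params, one of them a long opaque blob.
        if len(params) == 2 and any(len(v) >= 40 for _, v in params):
            return "formbook-checkin"
        if not params:
            return "formbook-suspect"  # bare /xxxx/ probe, as in the decoy hits
    return None


def scan_log(lines):
    """Return (src, url, verdict) for every line that classify_request flags."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not in the constructed format; ignore
        _ts, src, method, url, ua = m.groups()
        verdict = classify_request(method, url, ua)
        if verdict:
            hits.append((src, url, verdict))
    return hits


def shared_infrastructure(host_field: str, minimum: int = 2):
    """Map resolved IP -> sorted domains, keeping only IPs shared by >= minimum domains."""
    by_ip = {}
    for domain, ip in HOST_TOKEN.findall(host_field):
        if ip:
            by_ip.setdefault(ip, set()).add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= minimum}


# Constructed log lines (source IPs and timestamps invented; URLs taken from the listing).
SAMPLE_LOG = [
    '2021-10-21T18:27:10Z 10.0.0.5 POST http://secure01-redirect.net/fd4/fre.php '
    '"Mozilla/4.08 (Charon; Inferno)"',
    '2021-10-21T18:32:41Z 10.0.0.7 GET http://www.zitzies.xyz/ons6/?t8rL='
    'hZn+h4i3qdjTvlrFTGBuGCKYeL7fx9ifE9FggzQ92Zn9lbpv8mLmxbTq9s8XLHOhsR7FCksw&1bVHT=mzrd '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '2021-10-21T18:32:42Z 10.0.0.7 GET http://www.pinnap.online/ons6/ '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '2021-10-21T18:33:00Z 10.0.0.9 GET https://www.example.com/news/latest "Mozilla/5.0"',
    '2021-10-21T18:33:05Z 10.0.0.9 POST https://www.example.com/api/fre.php "Mozilla/5.0"',
]

# Constructed Hosts field, a subset of entry 13910 in the listing's own format.
SAMPLE_HOSTS = (
    "www.zitzies.xyz (104.21.75.74) www.ktndetermine.xyz (34.102.136.180) "
    "www.algoescrow.com (162.255.119.57) www.storeydrive.rentals (unresolved) "
    "www.regencyimperial.com (34.102.136.180) www.tinturas-espagiricas.com (34.102.136.180) "
    "www.nikurei.com (34.102.136.180) 172.217.175.51 - phishing 34.102.136.180 - malicious"
)

if __name__ == "__main__":
    for src, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:17} {src:9} {url}")
    for ip, domains in shared_infrastructure(SAMPLE_HOSTS).items():
        print(f"{ip} shared by {len(domains)} domains: {', '.join(domains)}")
```

The two-tier verdict is deliberate: a POST to some /fre.php without the Charon/Inferno User-Agent, or a bare GET to a short www. path with no query, is worth a look but is not on its own a LokiBot or FormBook hit, which is also why the listing shows far more FormBook decoy URLs than rule matches. Treat the IP pivot the same way; a shared address can be a sinkhole or a parking provider rather than attacker-owned infrastructure.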