13966 | 2021-10-22 17:03
vbc.exe | MD5 a5ad00e076df522a7002ec00b4531bae
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | | 22 | ZeroCERT

13967 | 2021-10-22 17:04
gregzx.exe | MD5 43040c5411616eb26e97dd9beac0a329
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://37.0.10.225/greg/five/fre.php
Hosts (1):
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
13.0 | | 15 | ZeroCERT

13968 | 2021-10-22 17:06
138.exe | MD5 cf92a854dea1fb28cb12c47f6b5d595b
Tags: Generic Malware Themida Packer UPX PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger ICMP traffic unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows Remote Code Execution Firmware DNS Cryptographic key crashed
Hosts (1): 51.91.193.179 - mailcious
9.0 | | 30 | ZeroCERT

13969 | 2021-10-22 17:08
fdsf.wbk | MD5 101432a1a18a5696344be741f620349b
Tags: RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
URLs (2): http://198.46.199.226/007/vbc.exe; http://secure01-redirect.net/ga13/fre.php
Hosts (3): secure01-redirect.net(185.22.172.2); 198.46.199.226; 185.22.172.2
Signatures (13): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Fake 404 Response; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | | 27 | ZeroCERT

13970 | 2021-10-22 17:08
Sample.exe | MD5 b31b5c207c40b7f5a343125fe4f08e8a
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (3): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150; https://cdn.discordapp.com/attachments/893177342426509335/900478656328138772/99A61DC4.jpg
Hosts (6): checkip.dyndns.org(193.122.130.0); freegeoip.app(104.21.19.200); cdn.discordapp.com(162.159.130.233) - malware; 193.122.6.168; 172.67.188.154; 162.159.135.233 - malware
Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org
13.4 | | 31 | ZeroCERT

13971 | 2021-10-22 17:19
vbc.exe | MD5 c8448f9cc3379dcbc504469d36446ed5
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | | 22 | ZeroCERT

13972 | 2021-10-23 01:45
inCFxdZ2eOW7KAW.exe | MD5 709e4bfe015ece74ba2f90752f1c1164
Tags: RAT PWS .NET framework Generic Malware task schedule Malicious Packer AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key
Hosts (1): 66.154.113.12 - mailcious
13.2 | M | 55 | guest

13973 | 2021-10-23 09:42
asadzx.exe | MD5 6908cd5efe5473c75c9f2fc4a0b71557
Tags: RAT PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed
8.8 | | 22 | ZeroCERT

13974 | 2021-10-23 09:42
mazx.exe | MD5 bf2302cff715f9a1467dce502cad654d
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2): http://www.sacredkashilifestudio.net/mxwf/?wh=eipsewIB2PU7fLq0V+MVTYpseXSXiNmBphXFeMyyAJ/wgZWHvgK6rmKFdWqq2CZ89/HqMPFu&Tj=CpFL - rule_id: 3876; http://www.groupdae.com/mxwf/?wh=k7vpI/3PMH4jcIAXIfGfTLl3pvHRoBq1bVmzI2/AQefYrPvtwmNikP3b8wYVz0NH8h/qUbFO&Tj=CpFL
Hosts (4): www.groupdae.com(172.217.161.51); www.sacredkashilifestudio.net(34.102.136.180); 34.102.136.180 - mailcious; 142.250.204.147
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (1): http://www.sacredkashilifestudio.net/mxwf/
8.0 | M | 28 | ZeroCERT

13975 | 2021-10-23 09:44
vbc.exe | MD5 8efc94a68d078ed67459403c868aa9f0
Tags: NSIS Malicious Library UPX PE File PE32 DLL Emotet VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder ComputerName
4.4 | | 24 | ZeroCERT

13976 | 2021-10-23 09:44
vbc.exe | MD5 d64d1b6ebcfe87c43b84001380cd3477
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600
Hosts (1): 63.250.40.204 - mailcious
Signatures (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2
Rule-matched URLs (1): http://63.250.40.204/~wpdemo/file.php
13.2 | M | 29 | ZeroCERT

13977 | 2021-10-23 09:46
101.exe | MD5 d1b620ccec63f2d35f0225d7c2fe5b85
Tags: RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key
URLs (2): https://cdn.discordapp.com/attachments/893177342426509335/901105848204541952/50250686.jpg; https://cdn.discordapp.com/attachments/893177342426509335/901105850364612669/15A4ECD8.jpg
Hosts (2): cdn.discordapp.com(162.159.135.233) - malware; 162.159.134.233 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | | 21 | ZeroCERT

13978 | 2021-10-23 09:46
os.zip | MD5 07f5f3b04b3997354115cc715febc848
Tags: Malicious Library PE File PE32 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns PDB Malicious Traffic unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
URLs (2): http://web.jsonpost.xyz/sj2vMs/index.php; http://web.jsonpost.xyz/sj2vMs/index.php?scr=1
Hosts (3): web.xmlpost.xyz(); web.jsonpost.xyz(169.197.142.162); 169.197.142.162
Signatures (1): ET MALWARE Amadey CnC Check-In
6.2 | | 47 | ZeroCERT

13979 | 2021-10-23 09:49
star.exe | MD5 36a1f9ebb9147ae271bfc11b3594a282
Tags: RAT PWS .NET framework Generic Malware Antivirus PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key crashed
URLs (2): https://cdn.discordapp.com/attachments/893177342426509335/901105736413773824/2E8F5667.jpg; https://cdn.discordapp.com/attachments/893177342426509335/901105734870257774/E6735BF1.jpg
Hosts (2): cdn.discordapp.com(162.159.130.233) - malware; 162.159.133.233 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.8 | | 21 | ZeroCERT

13980 | 2021-10-23 09:49
vbc.exe | MD5 34df0e4d3d5863b1a86489be85a045aa
Tags: Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Tofsee crashed
URLs (3): https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634950022&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D25E9CF6E21BEFFDC%26resid%3D25E9CF6E21BEFFDC%2521106%26authkey%3DAA9IzMKpx1T2bSQ&lc=1033&id=250206&cbcxt=sky&cbcxt=sky; https://onedrive.live.com/download?cid=25E9CF6E21BEFFDC&resid=25E9CF6E21BEFFDC%21106&authkey=AA9IzMKpx1T2bSQ; https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634950021&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D25E9CF6E21BEFFDC%26resid%3D25E9CF6E21BEFFDC%2521106%26authkey%3DAA9IzMKpx1T2bSQ&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Hosts (4): login.live.com(20.190.166.5); onedrive.live.com(13.107.42.13) - mailcious; 13.107.42.13 - mailcious; 40.126.35.64
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | | 26 | ZeroCERT