13981 | 2021-10-23 09:51 | vbc.exe e72e46f86b972fa7e171cc9104995bee | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
1.6 | 23 | ZeroCERT

13982 | 2021-10-23 09:51 | new.exe 66906a29cfa4ad3d5e928581bba0dda4 | RAT PWS .NET framework Generic Malware Antivirus PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key crashed
(2) https://cdn.discordapp.com/attachments/893177342426509335/901105964105736232/95B17865.jpg https://cdn.discordapp.com/attachments/893177342426509335/901105965397577808/C24F9F86.jpg
(2) cdn.discordapp.com(162.159.130.233) - malware 162.159.135.233 - malware
(1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.8 | 21 | ZeroCERT

13983 | 2021-10-23 09:53 | vbc.exe c58e48fe28f84e2359af820fb583bc82 | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
(1) http://secure01-redirect.net/ga20/fre.php
(2) secure01-redirect.net(185.22.172.2) 185.22.172.2
(7) ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
13.0 | 26 | ZeroCERT

13984 | 2021-10-23 09:53 | zwoag.exe 7e7e20bac722de83b363c29ee7e4efbd | Themida Packer PE64 PE File VirusTotal Malware Windows crashed
2.4 | 37 | ZeroCERT

13985 | 2021-10-23 09:57 | sdd.dll de8b54a938ac18f15cad804d79a0e19d | Gen2 Gen1 Generic Malware Malicious Library UPX Antivirus PE File OS Processor Check PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
(2) localhost(127.0.0.1) 185.158.250.216
16.2 | 18 | ZeroCERT

13986 | 2021-10-23 09:58 | inv_0001233.wbk c53168d1494977e6433cc671f6f9aceb | RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
(2) http://103.167.84.138/pro80x86/vbc.exe http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600
(2) 63.250.40.204 - mailcious 103.167.84.138 - malware
(12) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
(1) http://63.250.40.204/~wpdemo/file.php
4.8 | M | 29 | ZeroCERT

13987 | 2021-10-23 10:00 | csrss.exe ca66da9aeea970c1476519b769af2cf7 | Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
(2) http://secure01-redirect.net/fd4/fre.php - rule_id: 6874 http://secure01-redirect.net/fd4/fre.php
(2) secure01-redirect.net(185.22.172.2) 185.22.172.2
(7) ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
(1) http://secure01-redirect.net/fd4/fre.php
14.2 | 26 | ZeroCERT

13988 | 2021-10-23 10:14 | vbc.exe 940fb7ef71682b6110d7c2d37a92f5df | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | 26 | ZeroCERT

13989 | 2021-10-23 10:15 | 139.exe 398371c8cc3528881ea5d49f678a541e | Themida Packer Anti_VM UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer suspicious privilege Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
(1) 144.76.183.53 - mailcious
9.4 | 26 | ZeroCERT

13990 | 2021-10-23 10:15 | vbc.exe f2b0b0c3a1df878a36acb0736b8e2ccf | RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself
6.4 | 26 | ZeroCERT

13991 | 2021-10-23 10:15 | .wininit.exe 1edc5ae8174533de1c038341b84685c5 | PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download VirusTotal Malware c&c MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser
(1) http://secure01-redirect.net/fd3/fre.php
(2) secure01-redirect.net(185.22.172.2) 185.22.172.2
(7) ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
9.2 | 26 | ZeroCERT

13992 | 2021-10-23 10:16 | 136.exe 64420e27dd8930254ff853f4bbcfbbf4 | RAT BitCoin Generic Malware ASPack Malicious Packer Malicious Library UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
(4) http://103.246.146.160:6677/ https://cdn.discordapp.com/attachments/893177342426509335/900460516747657216/95E3E248.jpg https://cdn.discordapp.com/attachments/893177342426509335/900460520904200212/8BA525E2.jpg https://api.ip.sb/geoip
(6) cdn.discordapp.com(162.159.134.233) - malware api.ip.sb(172.67.75.172) 104.26.12.31 103.246.146.160 162.159.133.233 - malware 20.43.94.199
(2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
16.6 | 21 | ZeroCERT

13993 | 2021-10-23 10:17 | vbc.exe 8449ee0cd73ae89d429ff7a6081fe0d9 | Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
(2) http://secure01-redirect.net/ga17/fre.php - rule_id: 6829 http://secure01-redirect.net/ga17/fre.php
(2) secure01-redirect.net(185.22.172.2) 185.22.172.2
(7) ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
(1) http://secure01-redirect.net/ga17/fre.php
12.6 | 26 | ZeroCERT

13994 | 2021-10-23 10:17 | trulexzx.exe e2827700e9676ad0d4b734d5f4a221b3 | RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
(7) http://www.trendingintown.com/k8u7/?Dxlpd=Vr0Rh7zQTLeNfw8adC2JQqvpc/3aYgxURDfGcR/suFLAtqxvODOkh6Reg2pL8lwE08YXA0fB&6l=lnPh http://www.perdiemsuites.com/k8u7/?Dxlpd=2/fw7tjBwMqqEn8BZnZEoD2KmJEHmDK3XsQ17M4M4A3pTMb2Fza7gEsBV4rgW3i9DOkODtyc&6l=lnPh http://www.howtofindbantingbalance.com/k8u7/?Dxlpd=p6GTacn3/Q6AxTFZ/ZB3p/bKO+ZqPSIrBFIZ8yN7vuPf5MrEzId2b0EoxX15HGsoR8icZzBf&6l=lnPh http://www.868h.asia/k8u7/?Dxlpd=lb8rjfl52cmYdhThEvD9kZf/bwgiwD22iu0LVQMCIXW9ezzDd6Os1fkQVY7frnNdQjl/k1tK&6l=lnPh http://www.panchotrucking.com/k8u7/?Dxlpd=3SRMCF84GJJBOvwcj5jDcB+vDYXsgp++ASGYiz6SnWPEoK0qreZ+nWrgbp8MRTTSPve+gvk+&6l=lnPh http://www.biggergrip.com/k8u7/?Dxlpd=CLaWwSkYDzetNKQrRBb6EjbZGfXFJS47cJSoZ//uEPbcWJjLWFp5Gt+MBCj2yyU3ErK29nww&6l=lnPh http://www.guidedwaveradar.com/k8u7/?Dxlpd=m7XsaC3LFTc3DL3UpfSM5HghLUgmteSwbdp7Mmqxe4n/PuqOauCFs0cjKfmd0+Mbiyfr5uj6&6l=lnPh
(15) www.868h.asia(34.102.136.180) www.trendingintown.com(172.67.152.150) www.perdiemsuites.com(85.159.209.113) www.ly3389.com() www.ardisadr.online() www.biggergrip.com(3.223.115.185) www.howtofindbantingbalance.com(3.33.152.147) www.panchotrucking.com(34.102.136.180) www.guidedwaveradar.com(154.220.42.157) 3.33.152.147 172.67.152.150 34.102.136.180 - mailcious 154.220.42.157 3.223.115.185 - mailcious 85.159.209.113
(2) ET MALWARE FormBook CnC Checkin (GET) ET INFO HTTP Request to a *.asia domain
8.2 | 30 | ZeroCERT

13995 | 2021-10-23 10:19 | 140.exe 0680fd1ef21a489b3812b4ef2f9a8f40 | Lazarus Family Themida Packer Anti_VM Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed
(2) http://109.234.34.254:6677/ https://api.ip.sb/geoip
(3) api.ip.sb(172.67.75.172) 109.234.34.254 104.26.12.31
(1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.6 | 33 | ZeroCERT