13996 | 2021-10-23 10:23
details_010.21.doc | aca3ce06cbd73347cfdc1019f37fa0b4
Tags: VBA_macro Malicious Packer Malicious Library UPX Word 2007 file format(docx) GIF Format PE64 PE File DLL Malware download VirusTotal Malware Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself suspicious process AntiVM_Disk VM Disk Size Check Interception Windows crashed
URLs (1):
  http://burnsbuddyg.com/cbfsd/BlDFRsj1bsGvKdLIj/98697/7309/33451/Pg9zYLcfzirZtPtx1Pn64fLoWAIDvNPx4lclw/LaQAZSeiLYPCjjCble334/QdHhD0r/98/RDvuSh/peju4?q=RYaTpLn2leLH6rxKG0pux1CME3RY&sid=UY8SVDRzRqZb&CWpJmycHi=iF0I26&sid=YGrkJjD4n&q=mbdtF5ziKWJczkstBlW0PBT7Ia&time=DEYO7nTt&q=EY7sl24iZtw7zTehznnCVwHt&q=G9FdCrnm6Z6yu
Hosts (2):
  burnsbuddyg.com(45.95.11.181)
  45.95.11.181
Signatures (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
  ET INFO EXE - Served Attached HTTP
Score: 8.4 | VirusTotal: 10 | ZeroCERT

13997 | 2021-10-23 10:27
Profit and Loss Statement.xlsx... | a0c1ca01548be7690f2976742f068e67
Tags: Generic Malware Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate privileges Downloader ScreenShot Http API P2P AntiDebug AntiVM GIF Format VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Interception Advertising Google ComputerName DNS
URLs (13):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://support.google.com/drive/answer/6283888
  https://support.google.com/favicon.ico
  https://fonts.gstatic.com/s/googlesanstext/v16/5aUp9-KzpRiLCAt4Unrc-xIKmCU5oLlVrmw.woff
  https://share.stablemarket.org/
  https://fonts.googleapis.com/css2?family=Google+Sans+Text:wght@400;500;700
  https://docs.google.com/spreadsheets/d/1CTWarBPpx6kQjpevxr7qeQGPenjAR_7H/edit?usp=sharing&ouid=118006626630144401406&rtpof=true&sd=true
  https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
  https://fonts.gstatic.com/s/googlesanstext/v16/5aUp9-KzpRiLCAt4Unrc-xIKmCU5oPFTrmw.woff
  https://www.google-analytics.com/analytics.js
  https://fonts.gstatic.com/s/googlesanstext/v16/5aUu9-KzpRiLCAt4Unrc-xIKmCU5mE4.woff
  https://share.stablemarket.org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=
  https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff
Hosts (14):
  www.google-analytics.com(142.250.207.46)
  fonts.googleapis.com(142.251.42.170)
  support.google.com(216.58.197.238)
  docs.google.com(142.251.42.142) - malicious
  share.stablemarket.org(149.28.162.113)
  apps.identrust.com(23.59.72.9)
  fonts.gstatic.com(142.251.42.131)
  142.250.66.138
  61.111.58.35 - malware
  142.250.204.110
  142.250.204.46
  142.250.66.99
  149.28.162.113 - malicious
  142.250.66.46 - malicious
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 12.0 | VirusTotal: 23 | ZeroCERT

13998 | 2021-10-23 10:28
biz-1951660782.xls | 8c4ebf556800331468c722f83c670a6f
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
  https://pvplglobal.com/G3Sc73WpcSo5/211021.gif
  https://ivyfashion.in/9EzVsRwPKml/211021.gif
  https://m2autopartsindia.com/Ho2EjThhAmw/211021.gif
Hosts (6):
  pvplglobal.com(162.251.80.13)
  ivyfashion.in(50.87.154.175)
  m2autopartsindia.com(103.211.216.48)
  50.87.154.175 - malicious
  162.251.80.13
  103.211.216.48 - malicious
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.6 | guest

13999 | 2021-10-23 10:30
biz-1951697195.xls | c4b92b6602eef756c2d357d707ec4001
Tags: Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
  https://pvplglobal.com/G3Sc73WpcSo5/211021.gif
  https://ivyfashion.in/9EzVsRwPKml/211021.gif
  https://m2autopartsindia.com/Ho2EjThhAmw/211021.gif
Hosts (6):
  ivyfashion.in(50.87.154.175)
  pvplglobal.com(162.251.80.13)
  m2autopartsindia.com(103.211.216.48)
  50.87.154.175 - malicious
  162.251.80.13
  103.211.216.48 - malicious
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 3.6 | guest

14000 | 2021-10-25 09:23
biz-1951697195.xls | c4b92b6602eef756c2d357d707ec4001
Tags: Downloader KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Code Injection unpack itself
Score: 2.0 | guest

14001 | 2021-10-25 09:43
socks2010.exe | bf03442f038443b9e4eff1081bb51c38
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.4 | VirusTotal: 51 | ZeroCERT

14002 | 2021-10-25 09:43
socks12110.exe | fa1bbe98e6ecfc6ac3e8e9c881a7532a
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.6 | VirusTotal: 51 | ZeroCERT

14003 | 2021-10-25 11:57
Device-4159546084121719159.htm... | eb67fb7fe4864f7ea2c64921c82801f3
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (2):
  https://www.gstatic.com/images/icons/material/system/1x/phone_android_grey600_24dp.png
  https://fonts.googleapis.com/css?family=Roboto
Hosts (5):
  www.gstatic.com(142.250.207.35)
  fonts.googleapis.com(172.217.174.106)
  142.250.207.35
  20.43.94.199
  172.217.174.106 - phishing
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 3.8 | Bird

14004 | 2021-10-25 13:27
vbc.exe | db0086d6c41fea58417b589f20de1b52
Tags: Loki NSIS Malicious Library UPX PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software
URLs (2):
  http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php - rule_id: 6875
  http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
Hosts (2):
  74f26d34ffff049368a6cff8812f86ee.ml(172.67.205.83)
  172.67.205.83
Signatures (10):
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ml Domain
  ET INFO HTTP Request to a *.ml domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
Score: 10.4 | VirusTotal: 47 | JYC

14005 | 2021-10-25 13:43
136.exe | 64420e27dd8930254ff853f4bbcfbbf4
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware
Score: 1.2 | VirusTotal: 46 | ZeroCERT

14006 | 2021-10-25 16:12
2.exe | 294fab1523dc3b50cbcc120e67946a5b
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware DNS
Hosts (1):
  139.196.224.137 - malware
Score: 4.0 | M | VirusTotal: 56 | guest

14007 | 2021-10-25 16:56
sefile3.exe | 44a8c9e3ca634b851c48ab01349f5d8a
Tags: Malicious Library UPX PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.4 | VirusTotal: 41 | guest

14008 | 2021-10-25 17:00
vbc.exe | 4ff00f9a22ee7a1e2dc3890e6fc59d05
Tags: Loki NSIS Malicious Library UPX PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
Hosts (2):
  74f26d34ffff049368a6cff8812f86ee.gq(104.21.62.32) - malicious
  172.67.219.104
Signatures (10):
  ET INFO DNS Query for Suspicious .gq Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.gq domain
  ET INFO HTTP Request to a *.gq domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1):
  http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
Score: 10.4 | M | VirusTotal: 20 | ZeroCERT

14009 | 2021-10-25 17:06
reason.exe | 5dc1d41e2f9969d85896921f7b4ae261
Tags: Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
Hosts (2):
  newme122.3utilities.com(23.105.131.228) - malicious
  23.105.131.228 - malicious
Signatures (1):
  ET POLICY DNS Query to DynDNS Domain *.3utilities .com
Score: 13.6 | VirusTotal: 30 | ZeroCERT

14010 | 2021-10-25 17:07
vbc.exe | f184c7be5715b6cee3458d2b830788cf
Tags: Loki PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (1):
  http://bobbyelectronics.xyz/five/fre.php - rule_id: 6744
Hosts (2):
  bobbyelectronics.xyz(172.67.184.253) - malicious
  172.67.184.253
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1):
  http://bobbyelectronics.xyz/five/fre.php
Score: 13.0 | M | VirusTotal: 11 | ZeroCERT

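Added example, not part of the listing and not code from any sandbox project: how a practitioner turns records like the ones above into a usable indicator set. It parses the listing's host syntax (`name(ip) - label`, accepting the `mailcious` spelling that the export behind this listing uses for the label), pivots on indicators shared across reports (the three `211021.gif` downloaders in 13998/13999, the same hex label registered under `.ml` and `.gq` in 14004/14008, the `fre.php` panel script common to all three LokiBot reports) and then matches the set against proxy log lines. Report IDs, hashes, URLs and hosts are copied from reports 13998, 13999, 14004, 14008 and 14010 on this page; the proxy-log format, the log lines and the second-level-label (`sld`) pivot are assumptions made for the demonstration.

```python
# Added example, not the listing's own code. Record values are copied from reports 13998, 13999,
# 14004, 14008 and 14010 on this page; the proxy-log format, log lines and "sld" pivot are assumed.
import re
from collections import defaultdict
from urllib.parse import urlparse

# Listing host syntax: "name(ip) - label", "ip - label", or bare "name"/"ip". The export spells
# the label both "malicious" and "mailcious"; normalise it.
HOST_RE = re.compile(r"^(?P<name>[^\s()]+)(?:\((?P<ip>[\d.]+)\))?(?:\s*-\s*(?P<label>\w+)?)?$")
LABEL_FIX = {"mailcious": "malicious"}

def parse_host(entry):
    """'docs.google.com(142.251.42.142) - mailcious' -> ('docs.google.com', '142.251.42.142', 'malicious')"""
    m = HOST_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised host entry: {entry!r}")
    label = m.group("label")
    return m.group("name"), m.group("ip"), LABEL_FIX.get(label, label)

GIF_URLS = ["https://pvplglobal.com/G3Sc73WpcSo5/211021.gif",
            "https://ivyfashion.in/9EzVsRwPKml/211021.gif",
            "https://m2autopartsindia.com/Ho2EjThhAmw/211021.gif"]
GIF_HOSTS = ["pvplglobal.com(162.251.80.13)", "ivyfashion.in(50.87.154.175)",
             "m2autopartsindia.com(103.211.216.48)", "50.87.154.175 - mailcious",
             "162.251.80.13", "103.211.216.48 - mailcious"]
RECORDS = [  # id, md5, urls, hosts as they appear in the listing (rule_id annotations dropped)
    {"id": 13998, "md5": "8c4ebf556800331468c722f83c670a6f", "urls": GIF_URLS, "hosts": GIF_HOSTS},
    {"id": 13999, "md5": "c4b92b6602eef756c2d357d707ec4001", "urls": GIF_URLS, "hosts": GIF_HOSTS},
    {"id": 14004, "md5": "db0086d6c41fea58417b589f20de1b52",
     "urls": ["http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php"],
     "hosts": ["74f26d34ffff049368a6cff8812f86ee.ml(172.67.205.83)", "172.67.205.83"]},
    {"id": 14008, "md5": "4ff00f9a22ee7a1e2dc3890e6fc59d05",
     "urls": ["http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php"],
     "hosts": ["74f26d34ffff049368a6cff8812f86ee.gq(104.21.62.32) - mailcious", "172.67.219.104"]},
    {"id": 14010, "md5": "f184c7be5715b6cee3458d2b830788cf",
     "urls": ["http://bobbyelectronics.xyz/five/fre.php"],
     "hosts": ["bobbyelectronics.xyz(172.67.184.253) - mailcious", "172.67.184.253"]},
]

def _add_domain(iocs, name, rid):
    if not name:
        return
    iocs[("domain", name)].add(rid)
    labels = name.split(".")
    if len(labels) >= 2:
        # Second-level label as a pivot: the same hex label under .ml and .gq ties two reports
        # together although FQDN and IP differ. Naive about suffixes like .co.uk (none here).
        iocs[("sld", labels[-2])].add(rid)

def build_iocs(records):
    """Map every indicator (kind, value) to the set of report IDs that carry it."""
    iocs = defaultdict(set)
    for r in records:
        rid = r["id"]
        iocs[("md5", r["md5"])].add(rid)
        for entry in r["hosts"]:
            name, ip, _ = parse_host(entry)
            if ip:
                iocs[("ip", ip)].add(rid)
            if name.replace(".", "").isdigit():   # bare IP entry
                iocs[("ip", name)].add(rid)
            else:
                _add_domain(iocs, name, rid)
        for url in r["urls"]:
            parts = urlparse(url)
            iocs[("url", url)].add(rid)
            _add_domain(iocs, parts.hostname, rid)
            # File name alone (fre.php, 211021.gif) is a weak indicator but a useful pivot.
            iocs[("path", parts.path.rsplit("/", 1)[-1])].add(rid)
    return iocs

def pivot(iocs, min_reports=2):
    """Indicators shared by at least `min_reports` reports: a cheap way to cluster samples."""
    return {key: sorted(ids) for key, ids in iocs.items() if len(ids) >= min_reports}

# Assumed proxy-log shape: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (?P<url>\S+) (\d{3})$")

def match_logs(iocs, lines):
    """(line, indicator, report_ids) per log line touching a known indicator; strongest kind first."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url, parts = m.group("url"), urlparse(m.group("url"))
        for key in (("url", url), ("domain", parts.hostname), ("ip", parts.hostname),
                    ("path", parts.path.rsplit("/", 1)[-1])):
            if key in iocs:
                hits.append((line, key, sorted(iocs[key])))
                break
    return hits

# Constructed log lines (not from the page): a full-URL hit, a domain-only hit on an unseen path,
# a script-name-only hit on an unknown host, and one clean request.
SAMPLE_LOG = [
    "2021-10-25T17:10:03Z 10.0.0.7 GET https://ivyfashion.in/9EzVsRwPKml/211021.gif 200",
    "2021-10-25T17:11:41Z 10.0.0.7 POST http://bobbyelectronics.xyz/five/other.php 404",
    "2021-10-25T17:12:09Z 10.0.0.9 POST http://not-in-the-listing.test/panel/fre.php 200",
    "2021-10-25T17:13:55Z 10.0.0.9 GET https://www.example.org/index.html 200",
]

if __name__ == "__main__":
    iocs = build_iocs(RECORDS)
    print(*pivot(iocs).items(), *match_logs(iocs, SAMPLE_LOG), sep="\n")
```

The order of checks in `match_logs` matters: a full-URL match is reported as such, a domain match only when the URL itself is unknown, and a bare script-name match (`fre.php` on a host the listing never saw) last, since that kind of hit needs a second indicator before it is worth an alert. Host labels from the listing are parsed but not used for scoring here; the `docs.google.com ... - malicious` entry in report 13997 shows why a label on a shared-hosting name should not be trusted on its own.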