14011 | 2021-10-25 17:07 | ZeroCERT
Sample: vbc.exe  MD5: f29e9e4fa36add92b5e974b87999acc1
Tags: Loki PWS Loki[b] Loki.m Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2): http://secure01-redirect.net/ga20/fre.php - rule_id: 6926; http://secure01-redirect.net/ga20/fre.php
Hosts (2): secure01-redirect.net (185.224.212.69); 185.224.212.69
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Flagged URLs (1): http://secure01-redirect.net/ga20/fre.php
Score: 13.0 |  | 27

14012 | 2021-10-25 17:17 | ZeroCERT
Sample: rqvufRfLLN.dll  MD5: 419e0fb814d614d491fe487ef29ea77e
Tags: Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger unpack itself crashed
No network indicators or alerts recorded.
Score: 2.4 |  | 30

14013 | 2021-10-25 17:19 | ZeroCERT
Sample: rqvufRfLLN.dll  MD5: 419e0fb814d614d491fe487ef29ea77e (resubmission of the sample in 14012, same MD5)
Tags: Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger unpack itself crashed
No network indicators or alerts recorded.
Score: 2.4 |  | 30

14014 | 2021-10-25 17:21 | ZeroCERT
Sample: rqvufRfLLN.dll  MD5: 419e0fb814d614d491fe487ef29ea77e (resubmission of the sample in 14012, same MD5)
Tags: Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger unpack itself crashed
No network indicators or alerts recorded.
Score: 2.4 |  | 30

14015 | 2021-10-25 17:23 | ZeroCERT
Sample: reason me.exe  MD5: 5dc1d41e2f9969d85896921f7b4ae261
Tags: Generic Malware DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
URLs: none
Hosts (2): newme122.3utilities.com (23.105.131.228) - malicious; 23.105.131.228 - malicious
Alerts (1): ET POLICY DNS Query to DynDNS Domain *.3utilities .com
Score: 13.6 |  | 30

14016 | 2021-10-25 17:25 | ZeroCERT
Sample: chegouseupix_d2av9g.html  MD5: 0b8460d45c14a1f4cfa24d50251b5534
Tags: NPKI AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (2): https://cdnjs.cloudflare.com/ajax/libs/jszip/3.6.0/jszip.min.js; https://cdnjs.cloudflare.com/ajax/libs/FileSaver.js/2.0.5/FileSaver.min.js
Hosts (3): cdnjs.cloudflare.com (104.16.19.94) - malicious; 23.105.131.228 - malicious; 104.16.18.94
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 4.8 |  | 18

14017 | 2021-10-25 17:28 | ZeroCERT
Sample: rqvufRfLLN.dll  MD5: 419e0fb814d614d491fe487ef29ea77e (resubmission of the sample in 14012, same MD5)
Tags: Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger unpack itself crashed
No network indicators or alerts recorded.
Score: 2.4 |  | 30

14018 | 2021-10-25 17:28 | ZeroCERT
Sample: .csrss.exe  MD5: 90397a5fdff62ca9efc2e2edb989f88f
Tags: PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://63.250.40.204/~wpdemo/file.php?search=9099522 - rule_id: 6600
Hosts (1): 63.250.40.204 - malicious
Alerts (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2
Flagged URLs (1): http://63.250.40.204/~wpdemo/file.php
Score: 15.0 | M | 37

14019 | 2021-10-25 17:29 | ZeroCERT
Sample: .wininit.exe  MD5: 0a05406ccbc442244398e953b278603e
Tags: Loki PWS Loki[b] Loki.m Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2): http://secure01-redirect.net/fd3/fre.php - rule_id: 6923; http://secure01-redirect.net/fd3/fre.php
Hosts (2): secure01-redirect.net (185.224.212.69); 185.224.212.69
Alerts (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1): http://secure01-redirect.net/fd3/fre.php
Score: 13.2 |  | 33

14020 | 2021-10-25 17:30 | ZeroCERT
Sample: vbc.exe  MD5: ec0897cc11ca44b815afbbee38c01316
Tags: Malicious Library UPX PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
No network indicators or alerts recorded.
Score: 2.2 |  | 35

14021 | 2021-10-25 17:31 | ZeroCERT
Sample: reason.xlsx  MD5: 9adafeb992d82eba6e4c5d1e420a48ef
Tags: MSOffice File RWX flags setting exploit crash unpack itself Windows Exploit DNS DDNS crashed
URLs (1): http://itisalllove.servepics.com/georgia/city/reason.exe
Hosts (4): newme122.3utilities.com (23.105.131.228) - malicious; itisalllove.servepics.com (31.3.244.76); 23.105.131.228 - malicious; 31.3.244.76 - malware
Alerts (3): ET POLICY DNS Query to DynDNS Domain *.servepics .com; ET POLICY PE EXE or DLL Windows file download HTTP; ET POLICY DNS Query to DynDNS Domain *.3utilities .com
Note: the document downloads reason.exe over HTTP and resolves the same DDNS host (newme122.3utilities.com) that the reason me.exe sample in entry 14015 contacts.
Score: 3.0 |  |

14022 | 2021-10-25 17:33 | ZeroCERT
Sample: Singapore supply Quote#142574R...  MD5: b649cfb75c80a2007de27dfa415ec12e
Tags: Generic Malware Malicious Library UPX PE64 PE File OS Processor Check DLL VirusTotal Malware PDB Remote Code Execution
No network indicators or alerts recorded.
Score: 1.0 |  | 4

14023 | 2021-10-25 17:35 | ZeroCERT
Sample: PO # RSLDH102115239.xll  MD5: 1cc9482b904e696e6f874589e085aae8 (.xll is an Excel add-in, i.e. a native DLL that Excel loads; hence the DLL/PE32 tags)
Tags: Generic Malware Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB Remote Code Execution
No network indicators or alerts recorded.
Score: 1.8 |  | 20

14024 | 2021-10-26 09:25 | ZeroCERT
Sample: 1202120788.exe  MD5: f6be182d94ecfa6172e27d254444e88f
Tags: Malicious Packer PE File PE32 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS
URLs (2): http://185.215.113.45/g4MbvE/index.php?scr=1; http://185.215.113.45/g4MbvE/index.php
Hosts (1): not listed in the entry
Alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 25; ET MALWARE Amadey CnC Check-In
Score: 7.0 |  | 25

14025 | 2021-10-26 09:25 | ZeroCERT
Sample: ACL.exe  MD5: 7e34b4aa4d4f682ee40b83168405a191
Tags: AgentTesla RAT PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Create Service Socket Code injection Sniff Audio KeyLogger Escalate privileges Downloader AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself suspicious process Windows DNS DDNS keylogger
URLs: none
Hosts (2): jamaru1444.myftp.biz (212.193.30.133) - malicious; 212.193.30.133
Alerts (2): ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain; ET INFO Observed DNS Query to .biz TLD
Score: 15.4 |  | 30
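
The entries above are a flat export: each row is one sandbox submission, with the contacted URLs, resolved hosts and Suricata/ET alert names run together inside single cells. The example below, added here and not code from the listing site or from the sandbox behind it, parses rows in that layout into structured records, emits defanged indicators, and pivots across records on shared infrastructure. The column order it assumes is inferred from the entries on this page, and its sample rows are constructed by copying fields from entries 14011, 14015, 14019 and 14021 (tag lists and one alert list shortened); the reputation-tag regex accepts both the "malicious" spelling and the "mailcious" spelling the raw export uses.

```python
"""Extract and pivot indicators from rows of a ZeroCERT-style sandbox listing.
Added example for this page, not code from the listing site or its sandbox. The
row layout assumed (sample | URLs | hosts | alerts | flagged | score | flag | n |
source, list cells prefixed by an item count) is inferred from the entries above;
SAMPLE_ROWS is constructed from those entries with tag and alert lists shortened."""
import re
from collections import defaultdict

SAMPLE_ROWS = {
    "14011": (
        "vbc.exe f29e9e4fa36add92b5e974b87999acc1 Loki PWS LokiBot .NET EXE | "
        "2 http://secure01-redirect.net/ga20/fre.php - rule_id: 6926 "
        "http://secure01-redirect.net/ga20/fre.php | "
        "2 secure01-redirect.net(185.224.212.69) 185.224.212.69 | "
        "3 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin "
        "ET MALWARE LokiBot Fake 404 Response | "
        "1 http://secure01-redirect.net/ga20/fre.php | 13.0 | | 27 | ZeroCERT"
    ),
    "14015": (
        "reason me.exe 5dc1d41e2f9969d85896921f7b4ae261 Generic Malware .NET EXE DDNS | | "
        "2 newme122.3utilities.com(23.105.131.228) - malicious 23.105.131.228 - malicious | "
        "1 ET POLICY DNS Query to DynDNS Domain *.3utilities .com | | 13.6 | | 30 | ZeroCERT"
    ),
    "14019": (
        ".wininit.exe 0a05406ccbc442244398e953b278603e Loki PWS LokiBot .NET EXE | "
        "2 http://secure01-redirect.net/fd3/fre.php - rule_id: 6923 "
        "http://secure01-redirect.net/fd3/fre.php | "
        "2 secure01-redirect.net(185.224.212.69) 185.224.212.69 | "
        "2 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin | "
        "1 http://secure01-redirect.net/fd3/fre.php | 13.2 | | 33 | ZeroCERT"
    ),
    "14021": (
        "reason.xlsx 9adafeb992d82eba6e4c5d1e420a48ef MSOffice File Windows Exploit DDNS | "
        "1 http://itisalllove.servepics.com/georgia/city/reason.exe | "
        "4 newme122.3utilities.com(23.105.131.228) - malicious "
        "itisalllove.servepics.com(31.3.244.76) 23.105.131.228 - malicious 31.3.244.76 - malware | "
        "3 ET POLICY DNS Query to DynDNS Domain *.servepics .com "
        "ET POLICY PE EXE or DLL Windows file download HTTP "
        "ET POLICY DNS Query to DynDNS Domain *.3utilities .com | | 3.0 | | | ZeroCERT"
    ),
}

SAMPLE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<md5>[0-9a-f]{32})\s*(?P<tags>.*)$")
# A URL, optionally followed by the " - rule_id: N" the listing appends to flagged URLs.
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
# "hostname(ip)" or a bare IPv4, optionally followed by the sandbox's reputation tag
# (the raw export spells it both "malicious" and "mailcious").
HOST_RE = re.compile(
    r"(?:(?P<host>[A-Za-z0-9.-]+)\((?P<hip>\d{1,3}(?:\.\d{1,3}){3})\)|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<tag>malicious|mailcious|malware))?"
)
# Alert names run together in one cell; each starts with an ET category word or "SSLBL:".
ALERT_SPLIT_RE = re.compile(r"\s+(?=ET [A-Z_]+ |SSLBL: )")


def strip_count(cell):
    """Drop the item count the listing prints in front of every list cell."""
    return re.sub(r"^\d+\s*", "", cell)


def parse_row(row_id, row):
    """Split one pipe-joined listing row into sample, URLs, hosts, alerts and score."""
    cells = [c.strip() for c in row.split("|")]
    cells += [""] * (9 - len(cells))  # a row missing its trailing cell still indexes cleanly
    m = SAMPLE_RE.match(cells[0])
    if not m:
        raise ValueError(f"{row_id}: no MD5 in sample cell {cells[0]!r}")
    urls = [(u, rid or None) for u, rid in URL_RE.findall(strip_count(cells[1]))]
    hosts = [(h.group("host"), h.group("hip") or h.group("ip"), h.group("tag"))
             for h in HOST_RE.finditer(strip_count(cells[2]))]
    alerts = [a for a in ALERT_SPLIT_RE.split(strip_count(cells[3])) if a]
    return {"id": row_id, "name": m.group("name"), "md5": m.group("md5"),
            "tags": m.group("tags").split(), "urls": urls, "hosts": hosts,
            "alerts": alerts, "score": float(cells[5]) if cells[5] else None}


def defang(ioc):
    """Render a URL, hostname or IP so it is neither clickable nor resolvable by accident."""
    return re.sub(r"^http", "hxxp", ioc).replace(".", "[.]")


def iocs(record):
    """Flat, defanged indicator list for one record: hash, URLs, domains, IPs."""
    out = {"md5:" + record["md5"]}
    out.update("url:" + defang(u) for u, _ in record["urls"])
    for host, ip, _ in record["hosts"]:
        out.add("ip:" + defang(ip))
        if host:
            out.add("domain:" + defang(host))
    return sorted(out)


def pivot_infrastructure(records):
    """Hosts and IPs contacted by more than one sample: the infrastructure worth
    blocking and hunting on, as opposed to per-sample noise such as a CDN host."""
    seen = defaultdict(set)
    for r in records:
        for host, ip, _ in r["hosts"]:
            seen[ip].add(r["id"])
            if host:
                seen[host].add(r["id"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

parse_row raises on a sample cell without an MD5 rather than silently producing an empty record, and the pivot is where the export becomes actionable: the two LokiBot submissions (14011 and 14019) share secure01-redirect.net / 185.224.212.69, and reason.xlsx (14021) resolves the same newme122.3utilities.com DDNS host as reason me.exe (14015). The reputation tag is copied verbatim from the export; entry 14016 tags cdnjs.cloudflare.com, Cloudflare's public CDN, as malicious because the HTML sample fetched JSZip and FileSaver.js from it, so treat that tag as a hint and act on infrastructure that recurs across samples.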