14116 | 2021-10-27 13:39
vbc.exe c30565830025332db48b9f38ddb2ab3f
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://63.250.40.204/~wpdemo/file.php?search=475803 - rule_id: 6600
Hosts (1): 63.250.40.204 - mailcious
Alerts (6): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Additional URLs (1): http://63.250.40.204/~wpdemo/file.php
13.6 | M | 21 | guest

14117 | 2021-10-27 14:02
66890294103.pdf fc78d2cdb494fd18e3b59dbf2b5ded11
Tags: PDF Suspicious Link PDF VirusTotal Malware unpack itself Windows utilities Windows
2.0 | 15 | guest

14118 | 2021-10-27 14:20
chromedriver.exe 9e5141400fa79953543f744bac726cc8
Tags: Generic Malware Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 MSOffice File PDB unpack itself DNS
Hosts (4): 5.62.40.202; 13.230.135.153; 34.202.213.193; 14.0.113.209
1.8 | guest

14119 | 2021-10-27 14:33
https://mega.nz/file/SwZT3KDa#... 154e1d38545984d2ba0cef1e24f1e232
Tags: Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM MSOffice File Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (2): mega.nz(66.203.127.18); 66.203.127.18
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.8 | guest

14120 | 2021-10-27 14:47
GOMAUDIOKORSETUP_NEW.EXE 9f869aecfc2c65dc3a0c170ebcd4d429
Tags: Gen2 RAT Formbook Gen1 PWS .NET framework Emotet Eredel Stealer Extended njRAT backdoor North Korea NPKI Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer ASPack Antivirus Anti_VM Socket Escalate priviledges ScreenSh VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check Tofsee Windows Browser Advertising ComputerName Firmware crashed keylogger
URLs (59):
Hosts (52):
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP
18.4 | 7 | guest

14121 | 2021-10-27 14:59
LOIC.exe e6fa3028cd03318496852718143d256f
Tags: RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key
3.0 | M | 58 | JYC

14122 | 2021-10-27 15:40
Sample_20120351252_ISO_003729.... c1f5b864b5ccde85fc6f84e2429cf03b
Tags: RAT Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(216.146.43.70); 216.146.43.70 - suspicious; 172.67.188.154
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.4 | 44 | guest

14123 | 2021-10-27 17:15
inv_009000987.wbk 18dd40cd43c42c1fb35bea3f13b4056a
Tags: RTF File doc VirusTotal Malware buffers extracted RWX flags setting
2.4 | 28 | ZeroCERT

14124 | 2021-10-27 17:44
inv_009000987.wbk 18dd40cd43c42c1fb35bea3f13b4056a
Tags: RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2): http://secure01-redirect.net/ga21/fre.php; http://202.55.132.141/0091/vbc.exe
Hosts (3): secure01-redirect.net(193.38.51.112); 193.38.51.112; 202.55.132.141 - mailcious
Alerts (13): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | 28 | guest

14125 | 2021-10-27 17:51
inv_009000987.wbk 18dd40cd43c42c1fb35bea3f13b4056a
Tags: RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2): http://secure01-redirect.net/ga21/fre.php; http://202.55.132.141/0091/vbc.exe
Hosts (3): secure01-redirect.net(193.38.51.112); 193.38.51.112; 202.55.132.141 - mailcious
Alerts (13): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE LokiBot Fake 404 Response; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | 28 | guest

14126 | 2021-10-27 17:54
inv_009000987.wbk 18dd40cd43c42c1fb35bea3f13b4056a
Tags: RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2): http://secure01-redirect.net/ga21/fre.php; http://202.55.132.141/0091/vbc.exe
Hosts (3): secure01-redirect.net(193.38.51.112); 193.38.51.112; 202.55.132.141 - mailcious
Alerts (13): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | 28 | guest

14127 | 2021-10-27 18:05
vbc.exe 29700aaa1450d6b23716c12573ed0faa
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | 24 | ZeroCERT

14128 | 2021-10-27 18:05
GymManagementSystem.dll c3df5f1eadd40189c6519fa25addeab8
Tags: Generic Malware PE File PE32 .NET DLL DLL VirusTotal Malware PDB
1.0 | 8 | ZeroCERT

14129 | 2021-10-27 18:05
jb5wrmt56.rar f793cad74aae9dab113ac269b4aab998
Tags: Malicious Library UPX PE File OS Processor Check PE32 DLL PDB unpack itself crashed
0.8 | ZeroCERT

14130 | 2021-10-27 18:08
new_virus.exe 84ec08ab0bc4e88c3cbaa0d211044685
Tags: AgentTesla(IN) RAT Generic Malware Malicious Packer Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed
5.6 | 38 | ZeroCERT