14176 | 2023-03-29 10:44 | Gmeyad.exe | a8001f151c1ce13aac56097a2bf1f789
Tags: NPKI PWS .NET framework RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.0 | M | 30 | ZeroCERT
14177 | 2023-03-29 10:42 | 62................62............. | 1b91a9d902d2d5c7f9c094955a1537f4
Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://sempersim.su/ha25/fre.php - rule_id: 27980
  http://192.3.111.161/62/vbc.exe
Hosts (3):
  sempersim.su(46.148.39.36) - malicious
  192.3.111.161 - malware
  46.148.39.36 - malicious
Suricata alerts (16):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
  http://sempersim.su/ha25/fre.php
5.0 | M | 30 | ZeroCERT
14178 | 2023-03-29 10:41 | vbc.exe | fb4f4746d44d1ae472506334dacf6956
Tags: Loki UPX Malicious Library PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://sempersim.su/ha25/fre.php - rule_id: 27980
Hosts (2):
  sempersim.su(46.148.39.36) - malicious
  46.148.39.36 - malicious
Suricata alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://sempersim.su/ha25/fre.php
8.4 | M | 42 | ZeroCERT
14179 | 2023-03-29 10:41 | vbc.exe | 7c85964484c4e3471124dd4dd5ef34df
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself
URLs (3):
  http://www.1cweb.online/gn35/?_DKdKJa=GGTZroRoL1BXwM3MXiLpR9yEKm8KXFWUPJQo2rBdJCC/pgm2ifzqsBXvCGkh1lxdt+0GDl+4&QZ3=ehux_8Xh401XOrt
  http://www.hyrxo.win/gn35/?_DKdKJa=Px4xbTIrKwyUbcbV7Sa4MFdwj6MuY8cQxHdgLkOTvjLt2qFRB4E1b+Ud0Zeqp82x10XYRgaJ&QZ3=ehux_8Xh401XOrt
  http://www.reinifix.net/gn35/?_DKdKJa=/oLJKsvMxImT2IdLjwC7RXLGQP6Il4Qvv7Du59jzs3EP6cW1xcwdDxVo3LxxLXdrTKNn2jpT&QZ3=ehux_8Xh401XOrt
Hosts (8):
  www.hyrxo.win(103.24.53.30)
  www.ldkj9qq.vip()
  www.cortinasagave.store()
  www.1cweb.online(85.15.189.140)
  www.reinifix.net(81.169.145.82)
  81.169.145.82 - malicious
  85.15.189.140
  103.188.120.191
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
5.0 | | 41 | ZeroCERT
14180 | 2023-03-29 10:38 | 2023.03.28-000125689.exe | 147ca2fb0887fd3d38afae9c02b5ca11
Tags: UPX PE32 PE File VirusTotal Malware Buffer PE Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Detects VirtualBox Detects VMWare AppData folder sandbox evasion VMware anti-virtualization Windows Remote Code Execution crashed
9.0 | | 27 | ZeroCERT
14181 | 2023-03-29 10:15 | 99.exe | 3769516d37fcc4a870aee040c22dfc81
Tags: RedLine stealer[m] UPX Malicious Library AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed
URLs (1): (none listed)
8.0 | M | 46 | ZeroCERT
14182 | 2023-03-29 10:14 | vbc.exe | 3d5458f26b59708a5d0da5567189aa41
Tags: UPX Malicious Library PE32 PE File OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1):
  http://checkip.dyndns.org/
Hosts (2):
  checkip.dyndns.org(193.122.6.168)
  158.101.44.242
Suricata alerts (5):
  ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
9.4 | M | 42 | ZeroCERT
14183 | 2023-03-29 10:14 | 100.exe | 9039af66487c909b5c54343b065a7d48
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution
2.0 | M | 34 | ZeroCERT
14184 | 2023-03-29 10:13 | sgd.exe | e4a076e7e4ef7dda7760195ed7e69a63
Tags: PWS .NET framework RAT UPX OS Processor Check .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.0 | M | 33 | ZeroCERT
14185 | 2023-03-29 09:58 | unknown.exe | cd1bafd37e93fdee22767836f098caa2
Tags: RAT UPX Malicious Library .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Discord Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (2):
  https://discord.com/api/webhooks/1089956337733087274/uYNA_D8Ns1z9NZ3B1mGp0XXyGq-785KLGIfEAZsrz3TJd5fvOjXA927F7bUTTzbNT6Zk
  https://api.ipify.org/
Hosts (4):
  discord.com(162.159.136.232) - malicious
  api.ipify.org(104.237.62.211)
  173.231.16.76
  162.159.138.232 - malicious
Suricata alerts (3):
  ET INFO Observed Discord Domain in DNS Lookup (discord .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed Discord Domain (discord .com in TLS SNI)
7.6 | M | | ZeroCERT
14186 | 2023-03-29 09:57 | vbc.exe | 4f57c474b77a208ee4d212894b3512d2
Tags: PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (2):
  http://www.drandl.com/g2fg/?q6A=CWwfQMcOabB0OYvUL0KuV3yjiiJTTZBBzAVKPdJMLdwkoV04TnCmBs4eZSctpt7zb3Z0AbHn&rTFDm=GBLpaD_PA8odIr - rule_id: 18888
  http://www.usdp.trade/g2fg/?q6A=sSeyT3cu/Fh8IMYE4dkXfPG02cBaSDgP+UeXcTNSXack25VwISfgZcRXRsMt/2RRVYEm+imk&rTFDm=GBLpaD_PA8odIr - rule_id: 10296
Hosts (5):
  www.nexans.cloud()
  www.drandl.com(3.33.152.147) - malicious
  www.usdp.trade(3.64.163.50)
  3.64.163.50 - malicious
  15.197.142.173 - malicious
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO Observed DNS Query to .cloud TLD
Rule-matched URLs (2):
  http://www.drandl.com/g2fg/
  http://www.usdp.trade/g2fg/
11.8 | M | 37 | ZeroCERT
14187 | 2023-03-29 09:55 | atom.xml | bb3afc961cd9b132922db723407508e7
Tags: Hide_EXE PowerShell Script MZ Generic Malware Browser Info Stealer VirusTotal Malware MachineGuid Code Injection Checks debugger exploit crash unpack itself installed browsers check Exploit Browser crashed
URLs (2):
  https://backuphotelall.blogspot.com/atom.xml
  https://zevodayback.blogspot.com/atom.xml
4.0 | M | 2 | ZeroCERT
14188 | 2023-03-29 09:54 | Contract_02_21_Copy#32.exe | 6e4e21b15f5c27ca82b7934fa6544c5d
Tags: UPX Malicious Library OS Processor Check PE64 PE File VirusTotal Malware ICMP traffic unpack itself ComputerName DNS
Hosts (5):
  210.251.33.116
  197.170.198.152
  163.223.67.191
  40.193.27.226
  73.237.181.95
5.4 | | 43 | ZeroCERT
14189 | 2023-03-29 09:53 | vbc.exe | 9d2cb12118d3f3e4ff3d14c61ebab4e0
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself
2.0 | M | 38 | ZeroCERT
14190 | 2023-03-29 09:51 | unknown.exe | 56d15468fdb9bafcbcb155f50ac902b8
Tags: RAT UPX OS Processor Check .NET EXE PE32 PE File suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName keylogger
3.2 | | | ZeroCERT
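What a practitioner usually wants from a listing like the one above is the indicators in a form that can be run against their own telemetry. The Python below is an added example written for this page, not code from ZeroCERT or from the sandbox that produced the entries. It pulls the MD5, URLs, resolved hosts and IPs out of a free-text record (entry 14177, the LokiBot RTF dropper, is embedded as an excerpt copied from the listing), then checks constructed proxy/DNS log lines against them on whole-token matches and adds a `.su` TLD check that mirrors the `ET DNS Query for .su TLD` alert the sandbox raised. The log lines, the client addresses in them and every host other than the listed indicators are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# Excerpt of listing entry 14177 in the free-text shape the sandbox page uses;
# copied from the page above, not fetched live.
RECORD_14177 = """\
62................62............. 1b91a9d902d2d5c7f9c094955a1537f4 Loki LokiBot
http://sempersim.su/ha25/fre.php - rule_id: 27980
http://192.3.111.161/62/vbc.exe
sempersim.su(46.148.39.36) - malicious 192.3.111.161 - malware
46.148.39.36 - malicious
"""

# Constructed proxy/DNS log lines (timestamp, client, kind, target). The last
# one is a near-miss that a naive substring match on "sempersim.su" would flag.
SAMPLE_LOG = [
    "2023-03-29T10:42:01Z 10.0.0.5 dns  sempersim.su",
    "2023-03-29T10:42:02Z 10.0.0.5 http GET http://192.3.111.161/62/vbc.exe",
    "2023-03-29T10:42:09Z 10.0.0.5 http POST http://sempersim.su/ha25/fre.php",
    "2023-03-29T10:43:00Z 10.0.0.7 dns  update.example.com",
    "2023-03-29T10:43:05Z 10.0.0.8 dns  sempersim.su.example.com",
]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "name(ip)" pairs as the listing writes resolved hosts, e.g. sempersim.su(46.148.39.36)
HOST_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\([\d.]*\)", re.I)


def extract_iocs(text):
    """Pull hashes, URLs, domains and IPs out of one free-text sandbox record."""
    urls = set(URL_RE.findall(text))
    domains = {h.lower() for h in HOST_RE.findall(text)}
    ips = set(IPV4_RE.findall(text))
    for url in urls:  # URL hosts count as indicators too, split by type
        host = (urlsplit(url).hostname or "").lower()
        if IPV4_RE.fullmatch(host):
            ips.add(host)
        elif host:
            domains.add(host)
    return {"md5": set(MD5_RE.findall(text)), "urls": urls,
            "domains": domains, "ips": ips}


def line_tokens(line):
    """Whitespace tokens of a log line plus the hostname of any URL token, lowercased."""
    toks = set()
    for tok in line.split():
        tok = tok.lower().rstrip(".,;")
        if tok.startswith(("http://", "https://")):
            toks.add(urlsplit(tok).hostname or "")
        toks.add(tok)
    return toks


def match_log_line(line, iocs):
    """Return the set of indicator categories one log line hits.

    Matching is on whole tokens, not substrings, so sempersim.su.example.com
    is not reported as sempersim.su. The su_tld rule mirrors the Suricata
    alert "ET DNS Query for .su TLD" and fires even for names not yet listed.
    """
    hits = set()
    toks = line_tokens(line)
    if set(URL_RE.findall(line)) & iocs["urls"]:
        hits.add("c2_url")
    if toks & iocs["domains"]:
        hits.add("c2_domain")
    if toks & iocs["ips"]:
        hits.add("c2_ip")
    if any(t.endswith(".su") for t in toks):
        hits.add("su_tld")
    return hits


def scan(lines, iocs):
    """(index, hits) for every log line that matches at least one indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = match_log_line(line, iocs)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    iocs = extract_iocs(RECORD_14177)
    print("md5:", iocs["md5"], "domains:", iocs["domains"], "ips:", iocs["ips"])
    for i, hits in scan(SAMPLE_LOG, iocs):
        print(f"line {i}: {sorted(hits)} <- {SAMPLE_LOG[i]}")
```

Run stand-alone it reports the three lines from client 10.0.0.5 and nothing for the `update.example.com` lookup or the `sempersim.su.example.com` near-miss. The tokenizer is deliberately simple (it knows the constructed line layout); on real proxy or DNS logs, replace `line_tokens` with a parser for the actual fields and keep the whole-token comparison, which is what prevents the false positive on the last line.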