14236 | 2021-10-29 09:10
Mfile.exe | 674fb73b1fd08e6778e47debcb1c3a6c | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
3 | http://www.entyrcrypto.com/btn2/?Bh=ACPkNsXTo6dilfq45Lra3uW/+TPD4AUv4Am4UzDI5UY8j0ej46TPxke+wVsBoD1KjZrSje0k&SzulsJ=9rV872vP_0fDj http://www.greatdesigns.net/btn2/?Bh=ahXCd/GvrCToH6QNgUAz2eOIJc+aa9K5tSOdXWaZwg3Pe+PdCCKDxsMmVKTkbvQ4mmwbxnMF&SzulsJ=9rV872vP_0fDj http://www.fluttermixtures.com/btn2/?Bh=RbtSph0VL15EBLRPHmyYLGfYbVcQX3SOUU6PUyI4zaQw+Nl5dejQmqICrMIftnxcgscMpiXv&SzulsJ=9rV872vP_0fDj
6 | www.fluttermixtures.com(130.211.40.170) www.greatdesigns.net(198.54.117.210) www.entyrcrypto.com(64.68.200.44) 130.211.40.170 - mailcious 64.68.200.44 198.54.117.212 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
5.8 | 20 | ZeroCERT

14237 | 2021-10-29 09:11
.csrss.exe | 0a7a0226b591a93d521911b140c0ba11 | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | http://63.250.40.204/~wpdemo/file.php?search=9099522 - rule_id: 6600
1 | 63.250.40.204 - mailcious
6 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
1 | http://63.250.40.204/~wpdemo/file.php
14.2 | M | 20 | ZeroCERT

14238 | 2021-10-29 09:13
crocin.exe | db030d5044011041bfb6d1a919337459 | Themida Packer PE64 PE File VirusTotal Malware unpack itself Windows crashed
2.8 | 32 | ZeroCERT

14239 | 2021-10-29 09:13
maxi.exe | 1bcd242e21181da424e62eba71f13e1d | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder
3 | http://www.skinpromelaka.com/dyh6/?tXU=r1WEwJI6U+VJeP6bM+vVAjaf5cE+e2ck5sKejeK8Jz1UX1ZVwLVUK5qASeGYHxK/W/J+g9Ox&UlSp=GVgT1hY8x6yXQt http://www.klhcn.com/dyh6/?tXU=QJfkTbwg0uEmySK3KrbdDchdupippK/2Is82vyMjuQlTN9/UWGf/9z/norFUEOTmO+iBC3Fh&UlSp=GVgT1hY8x6yXQt http://www.4pxshop.com/dyh6/?tXU=ntm2ZTI4g5cQhbWRMk1O8xwmxYBvjw0fH58qVVLRtQQKF9nwB6i3bkwWoo+tGLEMnprQxBoF&UlSp=GVgT1hY8x6yXQt
7 | www.4pxshop.com(35.163.64.160) www.bonitacandle.com() www.klhcn.com(154.26.211.192) www.skinpromelaka.com(142.250.196.115) 35.163.64.160 172.217.31.243 154.26.211.192
1 | ET MALWARE FormBook CnC Checkin (GET)
5.8 | 23 | ZeroCERT

14240 | 2021-10-29 09:14
pub3.exe | dc0d13a11537c91ee0436e1cdaaef2ed | Generic Malware Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | 30 | ZeroCERT

14241 | 2021-10-29 09:17
dllhost.exe | fdebcac35105439faeecb9658e617a8c | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
1 | http://www.libertyquartermaster.com/kzk9/?1bxdAHD=lQWMBkwrhmWz63jtUzXLTMN6LJKSSp5MpzhCN2bai0hlUDGE91c1O/aLF41w75q/inmarkMn&LZa0=kJEXUjV
3 | www.forschungsraumtheater.com() www.libertyquartermaster.com(199.34.228.164) 199.34.228.164
1 | ET MALWARE FormBook CnC Checkin (GET)
8.0 | 21 | ZeroCERT

14242 | 2021-10-29 09:19
vbc.exe | 1d03eee90db5e3881e7111490bd0d76d | PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
1 | http://gridnetworks.xyz/five/fre.php
2 | gridnetworks.xyz(172.67.209.118) 104.21.16.10
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
12.4 | 16 | ZeroCERT

14243 | 2021-10-29 09:21
vbc.exe | 0c8a26b69495724a46d7299ed9a8dd69 | RAT PWS .NET framework Generic Malware DNS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
11.2 | 16 | ZeroCERT

14244 | 2021-10-29 09:24
pig.dll | 5adaaad9852f8358aeeb367f1cd26b76 | Emotet Gen1 Malicious Packer Malicious Library UPX PE File OS Processor Check PE32 DLL Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
1 | https://45.36.99.184/rob137/TEST22-PC_W617601.D16DDEB5BBD8D1502A3365011B6BB3B6/5/file/
5 | 128.201.76.252 - mailcious 46.99.175.149 - mailcious 216.166.148.187 - mailcious 45.36.99.184 - mailcious 185.56.175.122 - mailcious
4 | ET CNC Feodo Tracker Reported CnC Server group 10 ET CNC Feodo Tracker Reported CnC Server group 4 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
8.6 | 39 | ZeroCERT

14245 | 2021-10-29 09:27
ss.exe | b2ae544b04a0936cd1ac3ca6783cf134 | PWS Loki[b] Loki.m RAT .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
1 | http://lokich.xyz/icecobe/so/ui.php
3 | lokich.xyz(172.67.149.73) - mailcious 45.36.99.184 - mailcious 104.21.79.226 - mailcious
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
13.8 | 42 | ZeroCERT

14246 | 2021-10-29 09:27
vbc.exe | cb37241bc90fefcc0d61becffbe4d1ce | Loki NSIS Generic Malware Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php - rule_id: 5674
2 | 74f26d34ffff049368a6cff8812f86ee.gq() - mailcious 104.21.62.32 - mailcious
10 | ET INFO DNS Query for Suspicious .gq Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.gq domain ET INFO HTTP Request to a *.gq domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1 | http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
10.4 | M | 29 | ZeroCERT

14247 | 2021-10-29 09:29
trze3v.tar | 8c6258bd9f567fed899aeb3f68aaa861 | Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB unpack itself crashed
1.4 | 15 | ZeroCERT

14248 | 2021-10-29 09:31
ss.exe | be4f9863a63917e9e55cf5350c617363 | RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName
16 | http://www.lsurpriseremix.com/n8cr/ http://www.hotdog-dsk.com/n8cr/?MZkp=Z32XtU2gJD8QlYHCpGU25AoHfOj1Vai+ydW2dyi6BZYO/QaiHIKk0xLuZohE2ORJnmFcb6fb&U4kp=Ntx0ULGP4BTDMV0 http://www.darbodrum.com/n8cr/ http://www.dellmoor.com/n8cr/ http://www.dellmoor.com/n8cr/?MZkp=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&U4kp=Ntx0ULGP4BTDMV0 http://www.189montreal.com/n8cr/?MZkp=fudlFknPfRUBIPges38R/P7W6JXx2qm+9H/4l6uL9UhaDiAq0zFN72YOPos0aTmlI8/mdbxG&U4kp=Ntx0ULGP4BTDMV0 http://www.pharmasolutionspr.net/n8cr/?MZkp=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&U4kp=Ntx0ULGP4BTDMV0 http://www.faceandco.clinic/n8cr/?MZkp=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&U4kp=Ntx0ULGP4BTDMV0 http://www.189montreal.com/n8cr/ http://www.darbodrum.com/n8cr/?MZkp=T+43WvBYMdJLICdHER7Vh+npS79zyp/w75kxuBQaM8fxzFFFouNajkHoX08VqhRgIXT2st/E&U4kp=Ntx0ULGP4BTDMV0 http://www.karasevda-jor.com/n8cr/?MZkp=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&U4kp=Ntx0ULGP4BTDMV0 http://www.hotdog-dsk.com/n8cr/ http://www.lsurpriseremix.com/n8cr/?MZkp=XzOg4GGspAuq6nf8uDT5TwmLIGm0ISQBGrPKd4tivxqgqHyPi/4MDIH5AgR9gjZsPv1AGLX4&U4kp=Ntx0ULGP4BTDMV0 http://www.faceandco.clinic/n8cr/ http://www.pharmasolutionspr.net/n8cr/ http://www.karasevda-jor.com/n8cr/
21 | www.karasevda-jor.com(151.101.194.199) www.makeithappenshow.com() www.istesdesv.xyz() www.mistikistapp.xyz() www.faceandco.clinic(34.102.136.180) www.twdesignacreation.com() www.darbodrum.com(52.58.78.16) www.lbsp3.xyz() www.javcricket.com() www.dangkytrasauviettel360.club() www.hotdog-dsk.com(185.182.56.12) www.dellmoor.com(34.102.136.180) www.lsurpriseremix.com(3.64.163.50) www.pharmasolutionspr.net(34.102.136.180) www.189montreal.com(3.33.152.147) 52.58.78.16 - mailcious 15.197.142.173 34.102.136.180 - mailcious 151.101.66.199 3.64.163.50 - mailcious 185.182.56.12
1 | ET MALWARE FormBook CnC Checkin (GET)
8.6 | 23 | ZeroCERT

14249 | 2021-10-29 09:32
kon.exe | d013f086c852f0855b884b09d6273894 | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
9.8 | 23 | ZeroCERT

14250 | 2021-10-29 09:34
out.exe | 671eb2b7682de507f36f6d57ca812b1c | RAT Generic Malware UPX AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself ComputerName
18 | http://www.lsurpriseremix.com/n8cr/ http://www.darbodrum.com/n8cr/ http://www.faceandco.clinic/n8cr/?BRjh4D=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&J46Tz=ARm8z0bxQhIX40p0 http://www.karasevda-jor.com/n8cr/ http://www.dellmoor.com/n8cr/ http://www.dellmoor.com/n8cr/?BRjh4D=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&J46Tz=ARm8z0bxQhIX40p0 http://www.darbodrum.com/n8cr/?BRjh4D=T+43WvBYMdJLICdHER7Vh+npS79zyp/w75kxuBQaM8fxzFFFouNajkHoX08VqhRgIXT2st/E&J46Tz=ARm8z0bxQhIX40p0 http://www.karasevda-jor.com/n8cr/?BRjh4D=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&J46Tz=ARm8z0bxQhIX40p0 http://www.equityreleaseshelpukweb.com/n8cr/?BRjh4D=4bZxzaC+6Rb3KtW25UC3MyfmF9MiGl1RBuRXSALb6XsaDdV8S10uPqd/+3Q9Cm1C2PxTwzjc&J46Tz=ARm8z0bxQhIX40p0 http://www.isearchpartner.agency/n8cr/?BRjh4D=dcLZxWQ2Dmoyk8mqq6WD24qjgh46lJJJRLC+7rDi3CpeHO6n9MooORgZ9Lo+BmkGFEyIoRDx&J46Tz=ARm8z0bxQhIX40p0 http://www.godigitalwithpavitra.com/n8cr/?BRjh4D=a9TTiAQoSZyTC7GXXz2Ohzovp/Ry6CXzaHOI8WyuEjRkeLOQXnugV1U05qQEj2Q0jUP0bscA&J46Tz=ARm8z0bxQhIX40p0 http://www.lsurpriseremix.com/n8cr/?BRjh4D=XzOg4GGspAuq6nf8uDT5TwmLIGm0ISQBGrPKd4tivxqgqHyPi/4MDIH5AgR9gjZsPv1AGLX4&J46Tz=ARm8z0bxQhIX40p0 http://www.equityreleaseshelpukweb.com/n8cr/ http://www.isearchpartner.agency/n8cr/ http://www.faceandco.clinic/n8cr/ http://www.pharmasolutionspr.net/n8cr/ http://www.pharmasolutionspr.net/n8cr/?BRjh4D=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&J46Tz=ARm8z0bxQhIX40p0 http://www.godigitalwithpavitra.com/n8cr/
20 | www.isearchpartner.agency(34.102.136.180) www.darbodrum.com(52.58.78.16) www.equityreleaseshelpukweb.com(185.53.179.93) www.istesdesv.xyz() www.radiesn.store() www.mistikistapp.xyz() www.karasevda-jor.com(151.101.130.199) www.twdesignacreation.com() www.recifetopschoolteacher.com() www.faceandco.clinic(34.102.136.180) www.lbsp3.xyz() www.lsurpriseremix.com(3.64.163.50) www.godigitalwithpavitra.com(34.102.136.180) www.dellmoor.com(34.102.136.180) www.pharmasolutionspr.net(34.102.136.180) 185.53.179.93 52.58.78.16 - mailcious 34.102.136.180 - mailcious 3.64.163.50 - mailcious 151.101.130.199
1 | ET MALWARE FormBook CnC Checkin (GET)
10.8 | 40 | ZeroCERT