14281 | 2021-10-29 17:55 | awsa.exe d23ca1a68c0067ad0bd32dda2109c7db PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself | - | 2: www.foreverphotos0910.net(216.239.36.21) www.course2millions.com() | - | - | 7.8 | - | 18 | ZeroCERT
14282 | 2021-10-29 18:00 | awsa.exe d23ca1a68c0067ad0bd32dda2109c7db PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself | 4: http://www.bikingforbalance.com/pufi/ http://www.bikingforbalance.com/pufi/?lZB=UFQL6PspYVB8cBA&mfsl7bO=Fr21o2VXwBHdUIjOGFad3q3JfXi6eFqQm7z8TVFYWCMh3a0MtFC07bKzhrbkd9snJ3U+/qpR http://www.keepkalmm.com/pufi/ http://www.keepkalmm.com/pufi/?mfsl7bO=jpp0dRjJ7WPRoxr8J+a3vnsmVYkdai/17tP3ql/CPwKNulj4w8lUkhnoLA0Uff//tgaFGZrE&lZB=UFQL6PspYVB8cBA | 8: www.keepkalmm.com(75.2.48.238) www.visionaryking83.com() www.northfacemall.online() www.rescueandrestoreministries.net(51.210.64.36) www.bikingforbalance.com(185.201.10.135) 75.2.48.238 51.210.64.36 185.201.10.135 | 1: ET MALWARE FormBook CnC Checkin (GET) | - | 9.2 | - | 18 | ZeroCERT
14283 | 2021-10-29 18:02 | vbc.exe 8980a24aeb5d63283add48c1391ebc40 Malicious Library UPX PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Tofsee Windows DNS crashed | 15: http://www.joy1263.com/ht08/?wP9=5zTHw+cMQysQB01avDS62dEk0lc83/+ymY2tuhZYuDPhhCZOWQyRnsgLnjpjzHaWki+k6UdA&lZQ=7nbLpdZHS http://www.angyfoods.com/ht08/?wP9=i+WDIm9jHC82FUdEypgqNiotqHRMt1GHvUM0F97kEGeCHK0nEcPd7ey+L8ZvA9C8LXWvmksm&lZQ=7nbLpdZHS http://www.septemberstockevent200.com/ht08/?wP9=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP&lZQ=7nbLpdZHS - rule_id: 6848 http://www.septemberstockevent200.com/ht08/?wP9=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP&lZQ=7nbLpdZHS http://www.timothyschmallrealt.com/ht08/?wP9=67tCic8sYzV3es+kuEWGJwm1Ye4iZ5Z2e1jXvgEPi6twS6Q6g6gUEXBuqD/zm8ihdyV9/0Vz&lZQ=7nbLpdZHS http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS - rule_id: 6852 http://www.trashwasher.com/ht08/?wP9=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&lZQ=7nbLpdZHS http://www.centercodebase.com/ht08/?wP9=/+0I8Ix2qwnmm99cJTV+asIBU4YhAk3i42qpadk7iBPvfU/iuBCITxOCE2i7jfepiW74eJH1&lZQ=7nbLpdZHS http://www.progettogenesi.cloud/ht08/?wP9=GSCIKY2MiKJRQQFt3aZ/9xy11Q2rDBmxaZZvlmLuIp/PfjM3dG+vVKQyviZHcQzjsXYyybP/&lZQ=7nbLpdZHS http://www.kalaraskincare.com/ht08/?wP9=VdZobeFV+7zDZ4W6RO8SoxUhXPNifKLPEeijVGSeVjZRWgaL88Xeqi3CusAoM82Kcv2du8+8&lZQ=7nbLpdZHS http://www.coachingbywatson.com/ht08/?wP9=mAxcwESmkYSGCUCaLnGm/zT/JlgVo9zog7cKgoc53e0EkOLj0DO/YWNBWe36QgFLCczpzj83&lZQ=7nbLpdZHS http://www.huakf.com/ht08/?wP9=lRq/YKJ/q1c7pbxstH5R510zK5E/jMlHWkiKB6bNw1tOje7FFb/Ec3t87aIL9cVe6vCoPnf2&lZQ=7nbLpdZHS https://mpdtiw.am.files.1drv.com/y4mJYrNKi50QwA_4D2kFQ1obXvJGvka4_Aepi3gF9xIwvSduItdBQbjKsurMtjJwmEqon-FEWclF2tawlL_getvIRqrD7PGWwtpszBvM64c2z4g5jNuam15AXG5t-ks8HcXwers3rC2Zu_QeSB0SPd0zd-nV4osRn8fC9pvguJOqfWHgvaOaAgep8VT4XAuwS8PQL450gMztpxEvjWE6u4qZQ/Qorqwwjgxvvuezotsloiazwjlfrranh?download&psid=1 https://onedrive.live.com/download?cid=5495F48E1F7898E3&resid=5495F48E1F7898E3%21116&authkey=AP3RqWxF2H8Kmj4 https://mpdtiw.am.files.1drv.com/y4mJOoxPJribiJ-aSEneiHMYI3MTo8oKXFvAh3BnPfhB133CpfLraTAQRbykpPnKOfUF_ySNijPlCdzBXfAOry3_pYrx4iwYP6nhEhxFKVVZE5bw_4qWDRBV04siT86HHgf1OPGJdWjiojOeivhllaSWbkdCwZ4A7HQwioUSleEaX1FLAdv9h77_aB5Ma-13sYSNmZQxrVUN8qGhsSr-Exu7w/Qorqwwjgxvvuezotsloiazwjlfrranh?download&psid=1 | 26: www.coachingbywatson.com(35.204.59.57) www.istanbulemlakgalerisi.online() www.digipoint-entertainment.com() www.angyfoods.com(77.68.118.64) www.progettogenesi.cloud(34.80.190.141) www.centercodebase.com(137.184.99.236) www.huakf.com(154.208.173.82) mpdtiw.am.files.1drv.com(13.107.42.12) www.kalaraskincare.com(34.102.136.180) www.timothyschmallrealt.com(34.68.234.4) onedrive.live.com(13.107.42.13) - mailcious www.joy1263.com(45.116.161.174) www.septemberstockevent200.com(172.67.188.247) www.trashwasher.com(151.101.66.159) 35.204.59.57 34.68.234.4 13.107.42.13 - mailcious 13.107.42.12 - malware 34.102.136.180 - mailcious 61.4.115.183 172.67.188.247 77.68.118.64 34.80.190.141 - mailcious 154.208.173.82 137.184.99.236 151.101.66.159 - mailcious | 4: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain ET MALWARE FormBook CnC Checkin (GET) | 2: http://www.septemberstockevent200.com/ht08/ http://www.trashwasher.com/ht08/ | 8.0 | - | 6 | ZeroCERT
14284 | 2021-10-29 18:11 | .csrss.exe c2c509a61a1d811d29ade6067e54c011 PWS Loki[b] Loki.m RAT Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software | 1: http://secure01-redirect.net/ga14/fre.php | 2: secure01-redirect.net(94.142.141.221) 94.142.141.221 | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response | - | 14.4 | - | 14 | ZeroCERT
14285 | 2021-10-29 18:20 | PE.txt.ps1 964c031b3cca7673f0af28adf461f2b3 PowerShell MZ Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key | - | - | - | - | 1.6 | - | 17 | ZeroCERT
14286 | 2021-10-29 18:20 | rundll32.exe 5273a14914db4656593872056f2ced12 RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself | - | - | - | - | 5.2 | - | 16 | ZeroCERT
14287 | 2021-10-29 18:20 | adal.jar e83ec42ad9c282b28e4561dc5fec346d VirusTotal Malware Check memory heapspray unpack itself Java | - | - | - | - | 2.2 | - | 19 | ZeroCERT
14288 | 2021-10-29 18:22 | vbc.exe d031d354378993ddf3aca597f723b301 Loki NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software | 2: http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php - rule_id: 6875 http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php | 2: 74f26d34ffff049368a6cff8812f86ee.ml(104.21.22.146) 104.21.22.146 | 10: ET INFO DNS Query for Suspicious .ml Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ml Domain ET INFO HTTP Request to a *.ml domain ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response | 1: http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php | 10.0 | - | 26 | ZeroCERT
14289 | 2021-10-29 18:22 | vbc.exe cd848603273b1d0f6227a7ef17180cc9 Loki PWS Loki[b] Loki.m RAT Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software | 2: http://secure01-redirect.net/ga18/fre.php - rule_id: 6830 http://secure01-redirect.net/ga18/fre.php | 2: secure01-redirect.net(94.142.141.221) 94.142.141.221 | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response | 1: http://secure01-redirect.net/ga18/fre.php | 12.8 | - | 18 | ZeroCERT
14290 | 2021-10-29 18:25 | .csrss.exe c2c509a61a1d811d29ade6067e54c011 Loki PWS Loki[b] Loki.m RAT Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software | 2: http://secure01-redirect.net/ga14/fre.php - rule_id: 7227 http://secure01-redirect.net/ga14/fre.php | 2: secure01-redirect.net(94.142.141.221) 94.142.141.221 | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response | 1: http://secure01-redirect.net/ga14/fre.php | 14.4 | - | 14 | ZeroCERT
14291 | 2021-10-29 18:25 | ConsoleApp11.exe cc63cb7d19ca8cffa27530b760c81528 RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE DLL Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee Stealer Windows Browser Email ComputerName DNS Cryptographic key crashed | 3: http://136.144.41.229/public/sqlite3.dll https://bbuseruploads.s3.amazonaws.com/7cb2b9a6-8bc3-49fe-a2b6-8e9aea534518/downloads/650c9764-176a-49cd-aad7-61d972772227/File.png?Signature=r3Je48wVNO1bvdlgEcYkhQoEbrA%3D&Expires=1635501151&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=HkGYJi0mLzSso6bzzsGO9Vs_9MOZYip6&response-content-disposition=attachment%3B%20filename%3D%22File.png%22 https://bitbucket.org/terrywells9609/rz/downloads/File.png | 5: bbuseruploads.s3.amazonaws.com(52.216.152.68) - malware bitbucket.org(104.192.141.1) - malware 52.217.200.129 136.144.41.229 - mailcious 104.192.141.1 - mailcious | 5: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Vidar Variant Stealer CnC Exfil | - | 17.2 | M | 19 | ZeroCERT
14292 | 2021-10-29 18:27 | B86b0mDlYqpH2306105pdf.exe ff8d08be90a98bf46f8f359ee4cb35f7 RAT PWS .NET framework Generic Malware Malicious Packer Malicious Library UPX Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE GIF Format Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed | 2: http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 | 4: freegeoip.app(104.21.19.200) checkip.dyndns.org(193.122.6.168) 216.146.43.70 - suspicious 104.21.19.200 | 4: ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | - | 17.4 | - | 30 | ZeroCERT
14293 | 2021-10-29 18:29 | vbc.exe ca3406debaf00a3dda67a24153c4b2a8 NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Dridex TrickBot VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder Kovter | - | 2: ControllerFinallineballinglove33.webredirect.org(79.134.225.9) - mailcious 79.134.225.9 - mailcious | 1: ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | - | 5.4 | - | 32 | ZeroCERT
14294 | 2021-10-29 18:30 | test.exe 5dfe5aee3f22321fe7efbb310a79a235 Malicious Library PE64 PE File VirusTotal Malware MachineGuid RWX flags setting Tofsee ComputerName | 1: https://updata.microsoft-api.workers.dev/be.css | 2: updata.microsoft-api.workers.dev(172.67.159.138) 172.67.159.138 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | - | 3.2 | - | 51 | ZeroCERT
14295 | 2021-10-29 18:31 | .csrss.exe 4fb2f672e188592f43da7b4c6d64e80e PWS Loki[b] Loki.m RAT Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software | 1: http://63.250.40.204/~wpdemo/file.php?search=9099522 - rule_id: 6600 | 2: 79.134.225.9 - mailcious 63.250.40.204 - mailcious | 6: ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1: http://63.250.40.204/~wpdemo/file.php | 13.6 | M | 13 | ZeroCERT