14386 | 2023-03-30 18:58
Sample: vbc.exe 291a20fef6482b753cc6e9cc3d6bc292
Tags: UPX Malicious Library PE32 PE File VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself
URLs / Hosts / Alerts / Rule-matched URLs: none
Score 3.4 | M | 46 | guest

14387 | 2023-03-30 16:51
Sample: vbc.exe 92a24824d555bc8f4a947992d85027b0
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs (26):
  http://www.gritslab.com/u2kb/ - rule_id: 28002
  http://www.shapshit.xyz/u2kb/ - rule_id: 28008
  http://www.avisrezervee.com/u2kb/
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
  http://www.un-object.com/u2kb/ - rule_id: 28137
  http://www.un-object.com/u2kb/?VZnvbqyZ=pRDkJdNDOVoQCU+9NmsXxtV7Hl5B2fjCZpxzdvjpnmqfDHzh6n+FRjrKmvNay2X+ZHc+W0Q0dfC9yhNaGgRfmUucMWCv4S2l11PhWJ0=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28137
  http://www.energyservicestation.com/u2kb/ - rule_id: 28005
  http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
  http://www.white-hat.uk/u2kb/?VZnvbqyZ=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28001
  http://www.bitservicesltd.com/u2kb/?VZnvbqyZ=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28003
  http://www.222ambking.org/u2kb/ - rule_id: 28004
  http://www.222ambking.org/u2kb/
  http://www.thedivinerudraksha.com/u2kb/?VZnvbqyZ=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28009
  http://www.thedivinerudraksha.com/u2kb/?VZnvbqyZ=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&XM=Cm-BiUYxb1EmIVMU
  http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
  http://www.thedivinerudraksha.com/u2kb/
  http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
  http://www.bitservicesltd.com/u2kb/
  http://www.energyservicestation.com/u2kb/?VZnvbqyZ=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28005
  http://www.energyservicestation.com/u2kb/?VZnvbqyZ=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&XM=Cm-BiUYxb1EmIVMU
  http://www.222ambking.org/u2kb/?VZnvbqyZ=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28004
  http://www.shapshit.xyz/u2kb/?VZnvbqyZ=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28008
  http://www.thewildphotographer.co.uk/u2kb/?VZnvbqyZ=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28007
  http://www.younrock.com/u2kb/?VZnvbqyZ=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28006
  http://www.gritslab.com/u2kb/?VZnvbqyZ=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28002
  http://www.younrock.com/u2kb/ - rule_id: 28006
Hosts (24):
  www.thewildphotographer.co.uk(45.33.2.79) - malicious
  www.gritslab.com(78.141.192.145) - malicious
  www.fclaimrewardccpointq.shop() - malicious
  www.avisrezervee.com(31.186.11.254)
  www.shapshit.xyz(199.192.30.147) - malicious
  www.energyservicestation.com(213.145.228.111) - malicious
  www.un-object.com(192.185.17.12) - malicious
  www.222ambking.org(91.195.240.94) - malicious
  www.bitservicesltd.com(161.97.163.8) - malicious
  www.thedivinerudraksha.com(85.187.128.34) - malicious
  www.white-hat.uk(94.176.104.86) - malicious
  www.younrock.com(192.187.111.219) - malicious
  45.33.2.79 - malicious
  85.187.128.34 - malicious
  78.141.192.145 - malicious
  192.185.17.12 - malicious
  31.186.11.254 - malicious
  213.145.228.111 - malicious
  63.141.242.46
  94.176.104.86 - malicious
  161.97.163.8 - malicious
  45.33.6.223
  199.192.30.147 - malicious
  91.195.240.94 - phishing
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (19):
  http://www.gritslab.com/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.un-object.com/u2kb/
  http://www.un-object.com/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.white-hat.uk/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.younrock.com/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.younrock.com/u2kb/
Score 4.4 | M | 35 | ZeroCERT

14388 | 2023-03-30 16:51
Sample: vbc.exe 291a20fef6482b753cc6e9cc3d6bc292
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself DNS
URLs (21):
  http://www.white-hat.uk/u2kb/?4NVW=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&cpjP-=37DlWKi5SClC - rule_id: 28001
  http://www.gritslab.com/u2kb/ - rule_id: 28002
  http://www.shapshit.xyz/u2kb/ - rule_id: 28008
  http://www.energyservicestation.com/u2kb/?4NVW=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&cpjP-=37DlWKi5SClC - rule_id: 28005
  http://www.thedivinerudraksha.com/u2kb/?4NVW=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&cpjP-=37DlWKi5SClC - rule_id: 28009
  http://www.energyservicestation.com/u2kb/ - rule_id: 28005
  http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
  http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
  http://www.thewildphotographer.co.uk/u2kb/?4NVW=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&cpjP-=37DlWKi5SClC - rule_id: 28007
  http://www.gritslab.com/u2kb/?4NVW=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&cpjP-=37DlWKi5SClC - rule_id: 28002
  http://www.222ambking.org/u2kb/?4NVW=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&cpjP-=37DlWKi5SClC - rule_id: 28004
  http://www.bitservicesltd.com/u2kb/?4NVW=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&cpjP-=37DlWKi5SClC - rule_id: 28003
  http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
  http://www.younrock.com/u2kb/?4NVW=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&cpjP-=37DlWKi5SClC - rule_id: 28006
  http://www.younrock.com/u2kb/?4NVW=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&cpjP-=37DlWKi5SClC
  http://www.younrock.com/u2kb/ - rule_id: 28006
  http://www.shapshit.xyz/u2kb/?4NVW=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&cpjP-=37DlWKi5SClC - rule_id: 28008
  http://www.shapshit.xyz/u2kb/?4NVW=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&cpjP-=37DlWKi5SClC
  http://www.222ambking.org/u2kb/ - rule_id: 28004
  http://www.222ambking.org/u2kb/
  http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
Hosts (21):
  www.gritslab.com(78.141.192.145) - malicious
  www.thewildphotographer.co.uk(198.58.118.167) - malicious
  www.shapshit.xyz(199.192.30.147) - malicious
  www.energyservicestation.com(213.145.228.111) - malicious
  www.222ambking.org(91.195.240.94) - malicious
  www.bitservicesltd.com(161.97.163.8) - malicious
  www.thedivinerudraksha.com(85.187.128.34) - malicious
  www.white-hat.uk(94.176.104.86) - malicious
  www.younrock.com(192.187.111.219) - malicious
  193.233.20.36 - malware
  91.195.240.94 - phishing
  85.187.128.34 - malicious
  78.141.192.145 - malicious
  199.192.30.147 - malicious
  212.87.204.93 - malicious
  213.145.228.111 - malicious
  192.187.111.219 - malicious
  94.176.104.86 - malicious
  161.97.163.8 - malicious
  45.33.6.223
  173.255.194.134
Alerts (3):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (17):
  http://www.white-hat.uk/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.younrock.com/u2kb/
  http://www.younrock.com/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.222ambking.org/u2kb/
Score 6.0 | M | 46 | ZeroCERT

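Worked example (added here; not the sandbox's own tooling). The two FormBook-tagged vbc.exe runs above, 14387 and 14388, reach the same set of /u2kb/ hosts, and for a given host the long base64 query value is byte-for-byte the same in both runs while the parameter names differ (VZnvbqyZ and XM in 14387, 4NVW and cpjP- in 14388). Parameter names therefore make poor indicators, but (host, payload) pairs correlate runs. The script below parses listing entries of the form `URL - rule_id: N`, picks out the campaign path and the beacon payload, and groups by host across runs so that stable payloads stand out. The sample entries are a constructed subset copied from the two runs; the campaign-path heuristic (a single short alphanumeric directory such as /u2kb/), the choice of the longest query value as the payload, and treating the sqlite.org zip as a non-check-in download are this example's own assumptions, not documented FormBook behaviour.

```python
"""Correlate FormBook-style check-in URLs across two sandbox runs.

Added example, not part of the listing above.  Sample entries are a
constructed subset copied from runs 14387 and 14388; the campaign-path
and longest-value heuristics are this example's assumptions.
"""
import re
from urllib.parse import urlsplit

RUN_14387 = [
    "http://www.white-hat.uk/u2kb/?VZnvbqyZ=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28001",
    "http://www.gritslab.com/u2kb/ - rule_id: 28002",
    "http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip",
    "http://www.energyservicestation.com/u2kb/?VZnvbqyZ=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28005",
]
RUN_14388 = [
    "http://www.white-hat.uk/u2kb/?4NVW=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&cpjP-=37DlWKi5SClC - rule_id: 28001",
    "http://www.gritslab.com/u2kb/ - rule_id: 28002",
    "http://www.energyservicestation.com/u2kb/?4NVW=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&cpjP-=37DlWKi5SClC - rule_id: 28005",
    "http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip",
]

RULE_RE = re.compile(r"\s+-\s+rule_id:\s*(\d+)\s*$")
# Assumption: a check-in path is one short alphanumeric directory, e.g. /u2kb/.
CAMPAIGN_RE = re.compile(r"^/([A-Za-z0-9]{2,8})/$")


def parse_entry(line):
    """Split one listing entry into host, campaign path, beacon payload and rule id.

    The query is split by hand rather than with parse_qsl() so that '+' and
    '=' inside the base64 value survive untouched.
    """
    line = line.strip()
    m = RULE_RE.search(line)
    rule_id = int(m.group(1)) if m else None
    parts = urlsplit(RULE_RE.sub("", line))
    pm = CAMPAIGN_RE.match(parts.path)
    params = []
    for kv in (parts.query.split("&") if parts.query else []):
        k, _, v = kv.partition("=")
        params.append((k, v))
    # Assumption: the longest query value carries the beacon payload.
    name, payload = max(params, key=lambda kv: len(kv[1])) if params else (None, None)
    return {"host": parts.hostname, "campaign": pm.group(1) if pm else None,
            "param": name, "payload": payload, "rule_id": rule_id}


def correlate(runs):
    """Group campaign-path URLs by host across runs: {host: {runs, params, payloads, ...}}."""
    out = {}
    for run_id, lines in runs.items():
        for line in lines:
            e = parse_entry(line)
            if e["campaign"] is None:
                continue  # e.g. the sqlite.org zip: no campaign path, not a check-in
            h = out.setdefault(e["host"], {"campaign": set(), "runs": set(), "params": set(),
                                           "payloads": set(), "rule_ids": set()})
            h["runs"].add(run_id)
            h["campaign"].add(e["campaign"])
            if e["param"] is not None:
                h["params"].add(e["param"])
                h["payloads"].add(e["payload"])
            if e["rule_id"] is not None:
                h["rule_ids"].add(e["rule_id"])
    return out


def stable_beacons(runs):
    """Hosts seen in more than one run whose payload never changed."""
    return sorted(h for h, d in correlate(runs).items()
                  if len(d["runs"]) > 1 and len(d["payloads"]) == 1)


if __name__ == "__main__":
    runs = {"14387": RUN_14387, "14388": RUN_14388}
    for host, d in correlate(runs).items():
        print(host, sorted(d["campaign"]), sorted(d["params"]),
              sorted(d["rule_ids"]), "payloads:", len(d["payloads"]))
    print("stable across runs:", stable_beacons(runs))
```

Hosts that only ever appear as a bare `/u2kb/` fetch (gritslab.com in this subset) carry no payload and are reported with an empty parameter set; they still count as contacted infrastructure but cannot be correlated by payload.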
14389 | 2023-03-30 16:43
Sample: lega.exe 1a5f749669d8b3a12463fdf8b7cc3f83
Tags: RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT NPKI RedLine Stealer Generic Malware UPX Malicious Library Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Confuser .NET SMTP PWS[m] AntiDebug AntiVM CAB PE32 PE File OS Processor Check .N Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Browser Email ComputerName Remote Code Execution Trojan DNS Cryptographic key Software crashed Downloader
URLs (11):
  http://193.233.20.36/joomla/index.php
  http://193.233.20.36/lend/123dsss.exe
  http://193.233.20.36/lend/Tarlatan.exe
  http://193.233.20.36/lend/Gmeyad.exe
  http://185.246.221.126/bins/2023.exe.exe
  http://185.246.221.126/bins/w.exe
  http://193.233.20.36/lend/tmpBEB8.tmp.exe
  http://193.233.20.36/joomla/Plugins/cred64.dll
  http://193.233.20.36/joomla/Plugins/clip64.dll
  https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe
  https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe
Hosts (13):
  downloads.exodus.com(104.18.18.218)
  bitcoin.org(172.67.40.154)
  download.electrum.org(104.21.89.144)
  185.246.221.126 - malicious
  193.233.20.36 - malware
  176.113.115.145
  172.67.40.154
  212.87.204.93 - malicious
  199.115.193.116
  66.42.108.195 - malicious
  172.67.160.221
  45.33.6.223
  104.18.19.218
Alerts (10):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Rule-matched URLs: none
Score 24.6 | M | 36 | ZeroCERT

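Worked example (added here; not the sandbox's own tooling). Run 14389 mixes second-stage fetches from bare-IP hosts (193.233.20.36, 185.246.221.126, both tagged in the host list) with installer downloads from bitcoin.org and download.electrum.org, and the alerts fired for it are named after exactly the properties a triage script can check: executable from a dotted-quad host, single-character or terse executable name, DLL request to a dotted-quad host. The script below joins a run's URL list with its host list (entries of the form `name(ip) - tag`, `ip - tag`, or bare) and ranks each download by those properties plus the host's tag. The URL and host entries are a constructed subset copied from run 14389; the scoring weights, the three-character "terse" cut-off and the executable extension list are this example's own assumptions, chosen to mirror the alert names on the page, not an Emerging Threats rule.

```python
"""Rank a sandbox run's download URLs using its own host reputation list.

Added example, not part of the listing above.  Entries are a constructed
subset copied from run 14389; weights and cut-offs are assumptions.
"""
import re
from urllib.parse import urlsplit

URLS_14389 = [
    "http://193.233.20.36/joomla/index.php",
    "http://193.233.20.36/lend/123dsss.exe",
    "http://185.246.221.126/bins/2023.exe.exe",
    "http://185.246.221.126/bins/w.exe",
    "http://193.233.20.36/joomla/Plugins/cred64.dll",
    "https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe",
    "https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe",
]
HOSTS_14389 = [
    "bitcoin.org(172.67.40.154)",
    "download.electrum.org(104.21.89.144)",
    "185.246.221.126 - malicious",
    "193.233.20.36 - malware",
    "45.33.6.223",
]

HOST_RE = re.compile(r"^(?P<name>[^\s(]+)(?:\((?P<ip>[^)]*)\))?(?:\s+-\s+(?P<tag>\S+))?$")
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXEC_EXT = (".exe", ".dll", ".scr")   # assumption: what counts as a PE fetch


def parse_host_entry(line):
    """'name(ip) - tag' / 'ip - tag' / 'name' -> (name, ip or None, tag or None)."""
    m = HOST_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed host entry: {line!r}")
    return m.group("name"), m.group("ip") or None, m.group("tag")


def reputation_map(host_lines):
    """Map both names and resolved IPs to their tag so a URL host resolves either way."""
    rep = {}
    for line in host_lines:
        name, ip, tag = parse_host_entry(line)
        rep[name] = tag
        if ip:
            rep.setdefault(ip, tag)
    return rep


def classify_download(url, rep):
    """Flag the properties the ET alert names describe and sum an assumed score."""
    p = urlsplit(url)
    host = p.hostname or ""
    fname = p.path.rsplit("/", 1)[-1]
    stem = fname.split(".", 1)[0]
    flags = {
        "dotted_quad": bool(DOTTED_QUAD_RE.match(host)),
        "executable": fname.lower().endswith(EXEC_EXT),
        "terse_name": bool(re.fullmatch(r"[A-Za-z0-9]{1,3}", stem)),  # e.g. w.exe
        "double_ext": fname.lower().count(".exe") > 1,                # e.g. 2023.exe.exe
        "host_tag": rep.get(host),
    }
    score = 0
    if flags["executable"]:
        score += 1
        score += 2 if flags["dotted_quad"] else 0
        score += 1 if flags["terse_name"] else 0
        score += 1 if flags["double_ext"] else 0
    if flags["host_tag"] in ("malware", "malicious"):
        score += 2
    return {"url": url, "score": score, **flags}


def triage(urls, host_lines):
    """Classify every URL in a run and return them highest score first."""
    rep = reputation_map(host_lines)
    return sorted((classify_download(u, rep) for u in urls), key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in triage(URLS_14389, HOSTS_14389):
        print(row["score"], row["url"], row["host_tag"])
```

The wallet installers from bitcoin.org and download.electrum.org score lowest because their hosts carry no tag in the run's host list and nothing about the URL shape is suspicious; the shell-style `w.exe` and the double-extension `2023.exe.exe` from the tagged IP 185.246.221.126 score highest. The ranking is only as good as the host list it is joined with: a bare IP with no tag (45.33.6.223 here) contributes nothing.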
14390 | 2023-03-30 16:42
Sample: clip64.dll 6a4c2f2b6e1bbce94b4d00e91e690d0d
Tags: UPX Malicious Library Admin Tool (Sysinternals etc ...) OS Processor Check DLL PE32 PE File VirusTotal Malware PDB Checks debugger unpack itself
URLs / Hosts / Alerts / Rule-matched URLs: none
Score 2.0 | M | 42 | ZeroCERT

14391 | 2023-03-30 16:40
Sample: vbc.exe a3b0daf59ad3e6d2e465ea72ea83c4e0
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution DNS
URLs: none
Hosts (1):
  31.186.11.254 - malicious
Alerts / Rule-matched URLs: none
Score 2.6 | M | 36 | ZeroCERT

14392 | 2023-03-30 16:38
Sample: white.exe 89a133e7158e8bb6e2614a7c9bd7ff5d
Tags: NPKI Gen1 UPX Malicious Packer Malicious Library PE32 PE File OS Processor Check DLL Browser Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Windows Browser Email ComputerName DNS crashed
URLs (8):
  http://79.137.206.15/a472d2f653c1a1f6/vcruntime140.dll
  http://79.137.206.15/a472d2f653c1a1f6/sqlite3.dll
  http://79.137.206.15/385785d59336a866.php
  http://79.137.206.15/a472d2f653c1a1f6/nss3.dll
  http://79.137.206.15/a472d2f653c1a1f6/freebl3.dll
  http://79.137.206.15/a472d2f653c1a1f6/mozglue.dll
  http://79.137.206.15/a472d2f653c1a1f6/softokn3.dll
  http://79.137.206.15/a472d2f653c1a1f6/msvcp140.dll
Hosts (1): none listed
Alerts (3):
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Rule-matched URLs: none
Score 7.2 | | 7 | ZeroCERT

14393 | 2023-03-30 16:34
Sample: xme.exe 48efad145d5274859e353e1cf8018e45
Tags: Emotet RAT AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
URLs (10):
  http://www.88vqq.com/lf80/?1nk=MSiiOWab7QGE4OsGqNUf0CjYIOhimWiHfwxthaTSJ8ZN7v6H0tr9Kvwqa+LjvVHLJHijakkDSyn+6AhO4AX19nbBqGYAyzw2LVFYqB4=&2R8Y=VADnZM1Y
  http://www.fluttering.info/lf80/
  http://www.88vqq.com/lf80/
  http://www.fluttering.info/lf80/?1nk=vdUvd4KMcs02oJHOqazuyWeULNYj9ziXLbdaBklN4QZLswKe18yc7gBmli0SaeLYRqNWchuZuJZKel0zJd0sN+qba2pORzREmC/Malw=&2R8Y=VADnZM1Y
  http://www.toplegalserves.com/lf80/?1nk=iIHSWm9EKbE4LjX243veP2lmBJalZgZwOGqRYCYa0bxTcNU/qsqdO599/0gGzMbmPKZM4KeyGlGsFSkFvsSSZkNMG60YCeVz3NJjEjs=&2R8Y=VADnZM1Y
  http://www.carcosainvest.com/lf80/?1nk=U1AfX2eZFZv2hBCTqgPkcuANZ20kgeq2vS8gtcHKe8ZJSs3Oy12xCliJ0zonbRqHTLXay59VdXyZMRRK+Tu2D9w7yrgJnaEu4iBoGU0=&2R8Y=VADnZM1Y
  http://www.fantasticserver.yachts/lf80/
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
  http://www.toplegalserves.com/lf80/
  http://www.fantasticserver.yachts/lf80/?1nk=C+NRImNoToCD7C+RudibhX2FyNhV6QDK3DTVu5TP5j9xeLMXsFNWcyV4ZKkL/2WNJNyMWiJ/EMH3DJK+HE42s4WyueexzCKRcbRLZww=&2R8Y=VADnZM1Y
Hosts (12):
  www.fantasticserver.yachts(165.22.36.197)
  www.fluttering.info(198.177.124.57)
  www.toplegalserves.com(208.91.197.27)
  www.felco.online()
  www.88vqq.com(154.94.81.137)
  www.carcosainvest.com(206.54.190.30)
  165.22.36.197
  208.91.197.27 - malicious
  154.94.81.137
  206.54.190.30
  198.177.124.57 - malicious
  45.33.6.223
Alerts (2):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs: none
Score 9.4 | M | 44 | ZeroCERT

14394 | 2023-03-30 16:33
Sample: vbc.exe 921fba8af6c955c0fc7c8206e833bbe4
Tags: PWS .NET framework RAT Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  http://www.scotwork.us/g2fg/?Jfy=gMiLTpy0oYEUy47EDaZJ0YPIhSGoXFYVIqBfB3cGNY39N1b0aizH0s/A9IIAdCbpZx7zYbtr&ojq4dR=RVlPiv - rule_id: 23120
Hosts (4):
  www.programagubernamental.store()
  www.scotwork.us(104.21.75.84) - malicious
  www.majenta.info()
  172.67.217.149
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (1):
  http://www.scotwork.us/g2fg/
Score 10.4 | M | 21 | ZeroCERT

14395 | 2023-03-30 16:32
Sample: tmpBEB8.tmp.exe 5aa405d35131a36ce1647c6937d3e529
Tags: PWS .NET framework RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
URLs / Hosts / Alerts / Rule-matched URLs: none
Score 1.8 | M | 28 | ZeroCERT

14396 | 2023-03-30 16:29
Sample: 25.....25.............doc 2c5cf406f3e4cfa448b167751eaea73b
Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://171.22.30.164/china/five/fre.php - rule_id: 28197
  http://107.174.45.106/25/vbc.exe
Hosts (2):
  171.22.30.164 - malicious
  107.174.45.106 - malicious
Alerts (16):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (1):
  http://171.22.30.164/china/five/fre.php
Score 5.0 | M | 31 | ZeroCERT

14397 | 2023-03-30 16:17
Sample: Stork.vbs 8d4e3f96fb554ff1db02b999210126d6
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities suspicious process Windows ComputerName DNS Cryptographic key crashed
URLs (1):
  http://194.180.48.211/ryan/Anlae.xsn
Hosts (1):
  194.180.48.211 - malicious
Alerts / Rule-matched URLs: none
Score 9.0 | M | 4 | guest

14398 | 2023-03-30 16:03
Sample: Kionectomy1.vbs 305ec8dca6e74b54c808d4796374676c
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process Windows ComputerName Cryptographic key crashed
URLs / Hosts / Alerts / Rule-matched URLs: none
Score 7.0 | | 12 | guest

14399 | 2023-03-30 09:23
Sample: info.pdf a05bb251aa7a4b93f443023a6b8c8b67
Tags: PDF ZIP Format Windows utilities Windows DNS
URLs (5):
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
Hosts (1):
  185.246.220.130 - malware
Alerts / Rule-matched URLs: none
Score 2.0 | M | | ZeroCERT

14400 | 2023-03-30 09:22
Sample: run.vbs 530c052db1411cc1d2a9e37da4def497
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  https://dl.dropbox.com/s/9r6dz0xby0ha2o0/2_INSTALL.ps1?dl=0
Hosts / Alerts / Rule-matched URLs: none
Score 6.0 | | 15 | ZeroCERT
