14431 | 2023-03-29 11:09
RegSvcs.exe 004a919e31049dce0f9b96699cbbec5e PWS .NET framework RAT UPX Malicious Library Malicious Packer OS Processor Check .NET EXE PE32 PE File Malware download AsyncRAT NetWireRC Malware DNS DDNS
Hosts (4):
  4-hitler.publicvm.com(207.32.216.119)
  hitler5573.linkpc.net(142.202.240.126)
  207.32.216.119
  142.202.240.126
Alerts (4):
  ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  ET MALWARE Generic AsyncRAT Style SSL Cert
1.4 | ZeroCERT

14432 | 2023-03-29 10:52
RegSvcs.exe 7f47c9d043fcec52e995e98d21813482 PWS .NET framework RAT UPX Malicious Library Malicious Packer OS Processor Check .NET EXE PE32 PE File Malware download AsyncRAT NetWireRC Malware DNS DDNS
Hosts (3):
  pop12.linkpc.net(15.204.170.1)
  15.204.170.1
  45.80.158.108
Alerts (3):
  ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)
  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  ET MALWARE Generic AsyncRAT Style SSL Cert
2.4 | M | ZeroCERT

14433 | 2023-03-29 10:50
2.1.0ff.exe bc338e23e5411697561306eabb29bd9c PE32 PE File VirusTotal Malware Windows crashed
2.0 | M | 45 | ZeroCERT

14434 | 2023-03-29 10:48
Tarlatan.exe b26480dce772642635204619f30c35d6 RedLine stealer[m] PWS .NET framework RAT RedLine Stealer Confuser .NET SMTP PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts: 1 (none listed)
9.4 | M | 50 | ZeroCERT

14435 | 2023-03-29 10:47
Tarlatan.exe b26480dce772642635204619f30c35d6 RedLine stealer[m] PWS .NET framework RAT RedLine Stealer Confuser .NET SMTP PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts: 1 (none listed)
9.4 | M | 50 | ZeroCERT

14436 | 2023-03-29 10:46
65................65............. 20e82801d2b5b859faab91680dbcb903 MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://171.22.30.164/china/five/fre.php
  http://107.174.45.106/65/vbc.exe
Hosts (2):
  171.22.30.164 - malicious
  107.174.45.106
Alerts (15):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 30 | ZeroCERT

14437 | 2023-03-29 10:44
Gmeyad.exe a8001f151c1ce13aac56097a2bf1f789 NPKI PWS .NET framework RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.0 | M | 30 | ZeroCERT

14438 | 2023-03-29 10:42
62................62............. 1b91a9d902d2d5c7f9c094955a1537f4 Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://sempersim.su/ha25/fre.php - rule_id: 27980
  http://192.3.111.161/62/vbc.exe
Hosts (3):
  sempersim.su(46.148.39.36) - malicious
  192.3.111.161 - malware
  46.148.39.36 - malicious
Alerts (16):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
  http://sempersim.su/ha25/fre.php
5.0 | M | 30 | ZeroCERT

14439 | 2023-03-29 10:41
vbc.exe fb4f4746d44d1ae472506334dacf6956 Loki UPX Malicious Library PE32 PE File OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://sempersim.su/ha25/fre.php - rule_id: 27980
Hosts (2):
  sempersim.su(46.148.39.36) - malicious
  46.148.39.36 - malicious
Alerts (9):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://sempersim.su/ha25/fre.php
8.4 | M | 42 | ZeroCERT

14440 | 2023-03-29 10:41
vbc.exe 7c85964484c4e3471124dd4dd5ef34df UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself
URLs (3):
  http://www.1cweb.online/gn35/?_DKdKJa=GGTZroRoL1BXwM3MXiLpR9yEKm8KXFWUPJQo2rBdJCC/pgm2ifzqsBXvCGkh1lxdt+0GDl+4&QZ3=ehux_8Xh401XOrt
  http://www.hyrxo.win/gn35/?_DKdKJa=Px4xbTIrKwyUbcbV7Sa4MFdwj6MuY8cQxHdgLkOTvjLt2qFRB4E1b+Ud0Zeqp82x10XYRgaJ&QZ3=ehux_8Xh401XOrt
  http://www.reinifix.net/gn35/?_DKdKJa=/oLJKsvMxImT2IdLjwC7RXLGQP6Il4Qvv7Du59jzs3EP6cW1xcwdDxVo3LxxLXdrTKNn2jpT&QZ3=ehux_8Xh401XOrt
Hosts (8):
  www.hyrxo.win(103.24.53.30)
  www.ldkj9qq.vip()
  www.cortinasagave.store()
  www.1cweb.online(85.15.189.140)
  www.reinifix.net(81.169.145.82)
  81.169.145.82 - malicious
  85.15.189.140
  103.188.120.191
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
5.0 | 41 | ZeroCERT

14441 | 2023-03-29 10:38
2023.03.28-000125689.exe 147ca2fb0887fd3d38afae9c02b5ca11 UPX PE32 PE File VirusTotal Malware Buffer PE Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Detects VirtualBox Detects VMWare AppData folder sandbox evasion VMware anti-virtualization Windows Remote Code Execution crashed
9.0 | 27 | ZeroCERT

14442 | 2023-03-29 10:15
99.exe 3769516d37fcc4a870aee040c22dfc81 RedLine stealer[m] UPX Malicious Library AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed
Hosts: 1 (none listed)
8.0 | M | 46 | ZeroCERT

14443 | 2023-03-29 10:14
vbc.exe 3d5458f26b59708a5d0da5567189aa41 UPX Malicious Library PE32 PE File OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1):
  http://checkip.dyndns.org/
Hosts (2):
  checkip.dyndns.org(193.122.6.168)
  158.101.44.242
Alerts (5):
  ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
9.4 | M | 42 | ZeroCERT

14444 | 2023-03-29 10:14
100.exe 9039af66487c909b5c54343b065a7d48 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution
2.0 | M | 34 | ZeroCERT

14445 | 2023-03-29 10:13
sgd.exe e4a076e7e4ef7dda7760195ed7e69a63 PWS .NET framework RAT UPX OS Processor Check .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.0 | M | 33 | ZeroCERT