14446
2021-11-02 17:45
sqlservr.exe 0235dd2db63e1e5623f2ef0801f4fdf6
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
Hosts (1):
  63.250.40.204 - mailcious
12.8 | 14 | ZeroCERT

14447
2021-11-02 17:46
vbc.exe bd6966e21dcfc96431ea8480ca155210
Tags: Generic Malware Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P AntiDebug AntiVM PE File PE32 FormBook Emotet Malware download VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS crashed
URLs (11):
  http://www.monascake.xyz/n8rn/?Pxo=3fKP&vPk=N+dVDga5k5AlZARgxf0keIIR5PT09j6wREJ5P1Drd6FP6MHOFZZzURI1C8BfFN1cL/fZ3JG0
  http://www.bredaslo.com/n8rn/?vPk=YvkrLgX5v+gJLfYhZfQlVjOJ0OIl65oSsVBXHv1hYHJfNDyLkexHx42TzRiy/ukcmn+kwtcz&Pxo=3fKP
  http://www.phillystore.net/n8rn/?Pxo=3fKP&vPk=JB6wAuEkgy1Nk6Tu6zbqaEuGQElQy2wdDt9NUPdjCsR5tR3VwKW+HfPEGyIYiGiHHoiODDnN
  http://www.ff4c75x4e.xyz/n8rn/?vPk=CBFdZGnlCWVyMNbmcVQzF6AW/CZxn+KqjlORQ9hNsSK+4izEjtpZMhTv1QtxgyyzCztkLTJv&Pxo=3fKP
  http://www.falcongroupmanagement.com/n8rn/?vPk=3xlBHzuE5euLVvcsiNIMjPhb86iYLA9xdco2AA0J4ute1jO3RwK5T+IefUHbd6tmt5Iag9Cg&Pxo=3fKP
  http://www.gb2022-club.com/n8rn/?vPk=o1gu4PeDCGZ8O7/faZBmRhPW5GICwfPAiqrEmBPVxrkFFiNE1m4IuJhA1F+Bnq1vJSz8Ctqu&Pxo=3fKP
  http://www.nekomediphile.com/n8rn/?vPk=BeS87FozIjObfhQbb0qima65PDce7tJfTy+2W7jryaKe46jtR54eN2VVXZ5JDrAz5HefR4eS&Pxo=3fKP
  http://www.lab-design.online/n8rn/?Pxo=3fKP&vPk=LKMF4jNCARj2uzutzxP04GNkD95VZlHoB4lLHyNgq1q6DZlTHkNd4XvAyDE3Qjg/y/Gr5de9
  http://www.nomarcapital.com/n8rn/?Pxo=3fKP&vPk=5fudNtQb7QGDewQUcAnpca8CxpRsfIxl6oYL1821qyEnrOOlpvuIBk6+M0fG21gfpwODYZYC
  http://www.mgav26.xyz/n8rn/?vPk=YjHQL/lZ9lt15+1S7htBkoLP3cVg4raGTzPrL96VOT7wYXJUlMGIpKHQe9o+Px0XhwLbcxzF&Pxo=3fKP
  https://cdn.discordapp.com/attachments/902800096066928694/904612550010863636/Ouxdtsdanhfgbtopuikzukibwmuiitm
Hosts (25):
  www.islandresiliency.com()
  www.mgav26.xyz(45.128.51.66)
  www.jaynelsonphotog.com()
  www.nekomediphile.com(118.27.122.222)
  www.gb2022-club.com(185.49.20.101)
  www.prill.quest()
  www.bredaslo.com(182.50.132.242)
  www.nomarcapital.com(34.80.190.141)
  www.phillystore.net(192.200.108.3)
  cdn.discordapp.com(162.159.129.233) - malware
  www.ff4c75x4e.xyz(23.225.139.107)
  www.falcongroupmanagement.com(35.222.73.243)
  www.monascake.xyz(162.0.209.201)
  www.lab-design.online(182.50.132.242)
  162.0.209.201
  162.159.134.233 - malware
  35.222.73.243
  185.157.160.198
  45.128.51.66
  23.225.139.107
  182.50.132.242 - mailcious
  34.80.190.141 - mailcious
  192.200.108.3
  185.49.20.101 - mailcious
  118.27.122.222
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
12.0 | 21 | ZeroCERT

14448
2021-11-02 17:48
vbc.exe 4a785dbc6b09f17d9a1975b842a4d34a
Tags: PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
Hosts (1):
  63.250.40.204 - mailcious
13.4 | 14 | ZeroCERT

14449
2021-11-02 17:48
.csrss.exe 96a5e7556e6b7631e4e6655fdd5a757b
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/ga14/fre.php - rule_id: 7227
  http://secure01-redirect.net/ga14/fre.php
Hosts (2):
  secure01-redirect.net(94.142.140.223)
  94.142.140.223
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Additional URLs (1):
  http://secure01-redirect.net/ga14/fre.php
13.4 | 10 | ZeroCERT

14450
2021-11-02 17:50
ziyu.hta 098a6e795f1b51c28d9f82f90b2aad13
Tags: VirusTotal Malware DNS crashed
1
1.2 | 1 | ZeroCERT

14451
2021-11-02 17:50
isssch.exe 0587ab2b7897ebbdedb5d5e1289bd683
Tags: PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName crashed
10.6 | 13 | ZeroCERT

14452
2021-11-02 17:54
ziy.exe 656fa586fb11c81a8120231ed97b0d1a
Tags: RAT PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
URLs (7):
  http://www.favoriteofalltime.store/q36e/?p0D=4+EuI7NYMUg7fe5W8wpZ0FpDy8An1cTkjmFclP8Tq/CaEDyOpWOfSjDMWo3BRO1gAbhT+lDn&pPU=EFQDPF10qRF0
  http://www.onroadassistance.com/q36e/?p0D=vTFuE46AqSOkt4kNc+5hUkNkO95M27ysfuDb2vYJH6PS1Y/46xdm8ZXGH1kZV82/xVaXvlAM&pPU=EFQDPF10qRF0
  http://www.oneportalmegastore.online/q36e/?p0D=ckUaxNidQUL13/aCa+UGITI+iGM4C8eNU+lHoTvCPNr4tuxDmXJYujScDrBxX5pI/N3gJJUT&pPU=EFQDPF10qRF0
  http://www.mindfuljew.net/q36e/?p0D=OCW1/rvfDKjkpNaqeCUE3UAeDoFYz97IWMjE0gCX1bVVzjLz//OU5wlXZ7d7LD6dGUZQLisS&pPU=EFQDPF10qRF0
  http://www.lifeworkswap.com/q36e/?p0D=Q0cF2NUfPjSIXvAVUhwbscpYkb6g6sx01Eb/JVEmkOE6Br4IyYelssa5hFYxMF5lm7zxf54r&pPU=EFQDPF10qRF0
  http://www.france-assistance.info/q36e/?p0D=4EDJ72mcRaLHeSwKooh+GCGdZkL0TpYhqHLxruumwxQ+kKRyzjuHaeqXXCGWhcYzos4UlsmW&pPU=EFQDPF10qRF0
  http://www.doglawgic.com/q36e/?p0D=POO5H63zyns0GZC+m/FvycVDUig91PdZz1QMzbpv7XRsmk1cO4g0GGaYcub9KvUJJkx2k0nL&pPU=EFQDPF10qRF0
Hosts (17):
  www.cat2628.top(106.52.199.141)
  www.france-assistance.info(185.137.235.84)
  www.mindfuljew.net(103.231.30.44)
  www.salamsnuts.com(34.102.136.180)
  www.doglawgic.com(2.57.90.16)
  www.lifeworkswap.com(217.21.190.175)
  www.onroadassistance.com(46.17.175.32)
  www.favoriteofalltime.store(34.102.136.180)
  www.oneportalmegastore.online(169.239.216.61)
  103.231.30.44
  169.239.216.61
  217.21.190.175
  34.102.136.180 - mailcious
  2.57.90.16 - mailcious
  185.137.235.84 - mailcious
  46.17.175.32
  106.52.199.141
Alerts (2):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
11.0 | 20 | ZeroCERT

14453
2021-11-02 17:56
ziyu.hta 098a6e795f1b51c28d9f82f90b2aad13
Tags: Generic Malware Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key
Hosts (2):
  enoe.net(162.0.217.19)
  162.0.217.19
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.4 | 1 | ZeroCERT

14454
2021-11-02 18:36
ziy.hta 5c88bf7225ed953a328bf598abfd9ce6
Tags: Generic Malware Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key
Hosts (2):
  enoe.net(162.0.217.19)
  162.0.217.19
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.4 | 1 | ZeroCERT

14455
2021-11-02 22:14
Chiamando.exe.com 78ba0653a340bac5ff152b21a83626cc
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware Check memory Checks debugger Creates shortcut unpack itself human activity check ComputerName
2.2 | 3 | guest

14456
2021-11-02 22:17
Mainsetupv1.0.exe 689b7bfb1424aa69046653e635ecb9ac
Tags: Malicious Library UPX Create Service DGA Socket Steal credential DNS Internet API Hijack Network Code injection Sniff Audio HTTP KeyLogger FTP Escalate priviledges Downloader ScreenShot Http API P2P persistence AntiDebug AntiVM PE File PE32 OS Processor C VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check Windows
Hosts (1):
  iBFBxuLonchVeJiTrbJe.iBFBxuLonchVeJiTrbJe()
7.0 | 51 | guest

14457
2021-11-03 07:01
VirbelaSetup.exe ff260b18bacce2eafa35e1363bb005be
Tags: RAT Formbook Gen1 Gen2 Generic Malware Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE File OS Processor Check PE32 .NET DLL DLL GIF Format PE64 Malware Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check human activity check ComputerName
4.8 | | guest

14458
2021-11-03 07:50
vbc.exe bf5ad5ce60c095fd0e15435c7c7ab862
Tags: Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | 38 | ZeroCERT

14459
2021-11-03 08:02
invc_000002340003032030.wbk 4da8c38808017d5f01ba220a5e02944a
Tags: RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://secure01-redirect.net/fd11/fre.php
  http://202.55.135.190/77077/vbc.exe
Hosts (3):
  secure01-redirect.net(94.142.140.223)
  94.142.140.223
  202.55.135.190
Alerts (14):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE LokiBot Checkin
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET INFO Packed Executable Download
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | 30 | ZeroCERT

14460
2021-11-03 08:02
csrss.exe 58efcac56ff319990d2cc6d9110e981e
Tags: Loki PWS Loki[b] Loki.m .NET framework Generic Malware Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
URLs (2):
  http://secure01-redirect.net/fd4/fre.php - rule_id: 6874
  http://secure01-redirect.net/fd4/fre.php
Hosts (2):
  secure01-redirect.net(94.142.140.223)
  94.142.140.223
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Additional URLs (1):
  http://secure01-redirect.net/fd4/fre.php
14.2 | 28 | ZeroCERT
