14641 | 2023-03-14 09:30 | ii.js 1dc71c2cc5442d5aa65f23d8e5b86e95 crashed | | | | | 0.2 | | | ZeroCERT
14642 | 2023-03-14 09:29 | eatn.js 2673f27962ec3428d2a6a10c5f7df171 unpack itself crashed | | | | | 0.6 | | | ZeroCERT
14643 | 2023-03-14 07:44 | GG18.exe 46f4cfe6ef60deaa237d12e936905cd4 Loki Loki_b Loki_m PWS .NET framework RAT DNS PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software | 1: http://171.22.30.164/kung/five/fre.php - rule_id: 27159 | 1: 171.22.30.164 - mailcious | 7: ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response | 1: http://171.22.30.164/kung/five/fre.php | 12.4 | M | | ZeroCERT
14644 | 2023-03-13 17:56 | purelog1.exe 1fad42aeb237cb7c66f57a03a9689c0e PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key | | 1 | | | 3.2 | M | 44 | ZeroCERT
14645 | 2023-03-13 17:53 | vbc.exe 80e931736ae515aa4c63458e1bd9c7fb RAT Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed | 1: http://www.starfish.press/g2fg/?xVJtG4Th=lWcjeiBloi4EDbg7MN3rvx7EqhokJu38Iq2Oe6cWJqEYyMwYkHsTTSC60+FG1O/0m2FzwNNs&1bw=L6Adp0nXjfjLdR2p - rule_id: 27950 | 3: www.strlocal.com(); www.starfish.press(157.90.241.6) - mailcious; 157.90.241.6 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | 1: http://www.starfish.press/g2fg/ | 11.4 | M | 39 | ZeroCERT
14646 | 2023-03-13 17:50 | hm............................... a0fdf8e2944577e63827431a287559ea MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed Downloader | 1: http://143.42.136.20/2707/vbc.exe | 1 | 2: ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | | 5.0 | M | 33 | ZeroCERT
14647 | 2023-03-13 17:48 | vbc.exe 234310e8c8c038eb9e17fc11d97ec1d4 PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed | | | | | 13.0 | M | 47 | ZeroCERT
14648 | 2023-03-13 17:47 | vbc.exe 1fb0cd15b8150e5dfb87c8c78e679612 PWS .NET framework Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 1 | 2: api.ipify.org(64.185.227.155); 64.185.227.155 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 17.8 | M | 35 | ZeroCERT
14649 | 2023-03-13 12:22 | blueloader.exe bc81b04299cda5fd5785caf50260dd29 .NET EXE PE32 PE File suspicious privilege Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key crashed | | | | | 2.2 | | | ZeroCERT
14650 | 2023-03-13 10:01 | serv.exe 9162ab01ab22607f46d44291327aaf42 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution | | | | | 2.2 | M | 34 | ZeroCERT
14651 | 2023-03-13 09:59 | vokka.exe be63aa025274e205b98a190c40f918c7 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution | | | | | 1.8 | M | 29 | ZeroCERT
14652 | 2023-03-13 09:58 | qbittorrent.exe cb03a80bc17d2d81fd34aab4341e89eb Gen2 Gen1 UPX Malicious Library Anti_VM Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware PDB MachineGuid Check memory unpack itself Ransomware | | | | | 2.6 | | 1 | guest
14653 | 2023-03-13 09:58 | vbc.exe eb86a131d28521c31b5657a236514082 PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key | 2: http://www.starfish.press/g2fg/?mtxhs=lWcjeiBloi4EDbg7MN3rvx7EqhokJu38Iq2Oe6cWJqEYyMwYkHsTTSC60+FG1O/0m2FzwNNs&sPxL3H=mnRlt2QHpPdD; http://www.celimot.xyz/g2fg/?mtxhs=uSms+J8o1mIA6+wvZEfStnxeTJHxSsXMJcGf2ExRFCk7DrgbAjxC0fXMma/1S3JhdH+3q7pg&sPxL3H=mnRlt2QHpPdD - rule_id: 11159 | 4: www.celimot.xyz(162.0.222.121); www.starfish.press(157.90.241.6); 162.0.222.121; 157.90.241.6 | 2: ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers | 1: http://www.celimot.xyz/g2fg/ | 10.8 | M | 43 | ZeroCERT
14654 | 2023-03-13 09:55 | installation.exe f9b6aa6b0694cc878ed1cc0f7f4c9e63 UPX OS Processor Check PE32 PE File Browser Info Stealer VirusTotal Malware Check memory buffers extracted unpack itself Browser DNS | | 1: 94.142.138.10 - mailcious | 1: SURICATA Applayer Protocol detection skipped | | 3.0 | M | 37 | ZeroCERT
14655 | 2023-03-13 09:51 | lega.exe 5086db99de54fca268169a1c6cf26122 Generic Malware UPX Malicious Library Malicious Packer Antivirus Downloader Admin Tool (Sysinternals etc ...) OS Processor Check PE32 PE File MZP Format PE64 .NET EXE DLL Malware download Amadey VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS Cryptographic key crashed Downloader | 9: http://62.204.41.88/lend/blueloader.exe; http://62.204.41.87/joomla/index.php; http://62.204.41.87/joomla/Plugins/cred64.dll; http://62.204.41.87/joomla/Plugins/clip64.dll; http://apps.identrust.com/roots/dstrootcax3.p7c; http://downloads.buparts.store/views/download.php?shortURL=DgIz04; http://downloads.buparts.store/download.php?shortURL=DgIz04; http://62.204.41.88/lend/Installer.exe; http://179.43.155.247/cc.exe | 9: downloads.buparts.store(87.236.19.211); buparts.store(45.130.41.59); 62.204.41.88 - malware; 62.204.41.87 - malware; 121.254.136.27; 179.43.155.247 - malware; 103.114.163.134; 45.130.41.59; 87.236.19.211 | 12: ET DROP Dshield Block Listed Source group 1; ET MALWARE Amadey CnC Check-In; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging); ET INFO Dotted Quad Host DLL Request; ET INFO Packed Executable Download; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO EXE - Served Attached HTTP | | 11.4 | M | 48 | ZeroCERT