The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from June 13th, 2022 (Monday) to June 19th, 2022 (Sunday).
For the main category, info-stealer ranked top with 63.8%, followed by backdoor with 17.8%, downloader with 8.9%, banking malware with 7.5%, and ransomware with 1.9%.

Top 1 – AgentTesla
AgentTesla is an infostealer that ranked first place with 29.1%. It is an info-stealer that leaks user credentials saved in web browsers, emails, and FTP clients.
It uses e-mail to leak collected information, and there are samples that used FTP or Discord API. C&C information of recently collected samples is as follows.
- server : smtp.yandex[.]com
sender : frankneymars42@yandex[.]com
receiver : frankneymars42@yandex[.]com
user : frankneymars42@yandex[.]com
pw : jfxb********mone - server : mail.dyreco[.]com
sender : uniformidad@dyreco[.]com
receiver : salespcbcom@gmail[.]com
user : uniformidad@dyreco.com
pw : Dyr********
As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.
- Order Inquiry.exe
- DHL-AWB 1942022875.exe
- 09-06-22_PDF.exe
- RFQ_JUNE 2022_01112272253535.pdf.exe
- PO20060683385086_PDF.exe
- 106198202205012020531MES_S Quote.exe
- SHIPPING DOCUMENT.exe
- e96d46.exe
Top 2 – Formbook
Formbook ranked second place with 17.8%.
Like other info-stealer, it is mainly distributed through spam emails. The distributed file names are close to each other.
- PAYMENT COPY.exe
- INV13-06-2022_0835.exe
- WHMSHC22060125_SUR.exe
- Purchase Order #052240.exe
- Archnext Trading- First Contact Inquiry_#15062022.exe
- WHMSHC22060125_SUR.exe
- INV13-06-2022_0835.exe
- 6ZfDVH36DaKNCMr.exe
- XLoader_v2.8.exe
- QUOTE 17062022.exe
As Formbook is injected into two normal processes (one is explorer.exe and the other in system32 directory), the malicious behaviors are performed by the normal processes. Besides user credentials in the web browser, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.
Below is the list of confirmed C&C server URLs of Formbook.
- hxxp://www.range4tis[.]com/eaf6/
- hxxp://www.rabies36[.]com/n8m8/
- hxxp://www.fxivcama[.]com/be3s/
- hxxp://www.dambofegroup[.]xyz/fs92/
- hxxp://www.hertgoodusa[.]xyz/d94e/
- hxxp://www.keropy[.]xyz/s4s9/
- hxxp://www.buggy4t[.]com/itq4/
- hxxp://www.berendsit[.]com/a2es/
- hxxp://www.ginas4t[.]com/op53/
- hxxp://www.renaziv[.]online/mh76/
- hxxp://www.hertgoodusa[.]xyz/d94e/
Top 3 – Lokibot
Lokibot malware ranked third place with 8.0%. It is an info-stealer that leaks information about programs such as web browsers, email clients, and FTP clients.
Being a malware that is distributed through spam emails, it shares similar file names with other malware spam emails.
- NEW ORDER____XLS.exe
- vbc.exe
- 975268.exe
- COMMERCIAL INVOICE, BILL OF L……., BILL OF LADING, ETC DOC.exe
- DHL Receipt_AWB#2045829822.exe
- Payment Slip copy.exe
- bca3a0.exe
As shown below, most Lokibot C&C server URLs tend to end in fre.php.
- hxxp://sempersim[.]su/gh8/fre.php
- hxxp://sempersim[.]su/gh7/fre.php
- hxxp://198.187.30[.]47/p.php?id=19957150644816880
- hxxp://198.187.30[.]47/p.php?id=53483370875096238
- hxxp://sempersim[.]su/gh8/fre.php
- hxxp://45.133.1[.]45/perez1/five/fre.php
- hxxp://45.133.1[.]45/me/five/fre.php
- hxxp://45.133.1[.]45/perez1/five/fre.php
- hxxp://198.187.30[.]47/p.php?id=22583568731095518
- hxxp://178.128.244[.]245/search.php?key=8d66e77fc413068c4827bb206e1618f5
- hxxp://198.187.30[.]47/p.php?id=19957150644816880
- hxxp://secure01-redirect[.]net/gc19/fre.php
- hxxp://sempersim[.]su/gg23/fre.php
- hxxp://sempersim[.]su/gh5/fre.php
- hxxp://45.133.1[.]45/perez1/five/fre.php
- hxxp://198.187.30[.]47/p.php?id=38763503330434635
Top 4 – Emotet
Emotet malware ranked fourth place with 7.0%. Emotet is a banking malware that is being continuously distributed via spam mails.
In its basic form, it is a downloader without additional features, but once installed on a system, it can download additional modules or additional malware.
Additional modules include user info-stealing modules that steal information such as web browser and e-mail credentials, and propagation module that spreads via shared folders. Additional malware strains include other banking malware such as Qakbot and Trickbot.
Top 5 – SmokeLoader
Smoke Loader is an info-stealer / downloader malware that ranked fifth place with 6.6%. For analysis report related to Smoke Loader, refer to the ASEC Report below ([PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks).
https://global.ahnlab.com/site/securitycenter/asec/asecReportList.do
The confirmed C&C server URLs are as follows.
- host-file-host6[.]com
- host-host-file8[.]com
- monsutiur4[.]com
- nusurionuy5ff[.]at
- moroitomo4[.]net
- susuerulianita1[.]net
- cucumbetuturel4[.]com
- nunuslushau[.]com
- linislominyt11[.]at
- luxulixionus[.]net
- lilisjjoer44[.]com
- nikogminut88[.]at
- limo00ruling[.]org
- mini55tunul[.]com
- samnutu11nuli[.]com
- nikogkojam[.]org
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Statistics