| 17551 |
2023-05-30 17:14
|
 ready.exe 68a12439e64b2e4fd0733e2600153045
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself DNS |
|
1
194.50.153.131 - mailcious
|
|
|
2.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17552 |
2023-05-30 17:13
|
 sQdXMQIHJl75b1w.exe e7f043a52ed8bbd9dd37bec764801f7e
Suspicious_Script_Bin task schedule Admin Tool (Sysinternals etc ...) ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 Malware download NetWireRC VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check DCRat Windows ComputerName crashed |
4
http://vm654.loyal.sclad.network/Localcentral.php?lcM9Rlwz4r8y1usY2r3pk0JCzivB3d=Q15vnjyCemeZpp&7bUPIE3uWvSJKt0u=aSr668FzDpZCFadXUkUrnUUWHi9UZo&5625e97c4d8e9c3063c63b0955fdc835=8301e0bb6d69478ba19292bc151c321a&d8cddfd69873ce3642f4bcba78d2ff45=AN2gDM1MWZ2gjZyUTYkVmMxQWOiVWZwczNhZzNiNjZ0UDOzYDO0EWO&lcM9Rlwz4r8y1usY2r3pk0JCzivB3d=Q15vnjyCemeZpp&7bUPIE3uWvSJKt0u=aSr668FzDpZCFadXUkUrnUUWHi9UZo - rule_id: 33777
http://vm654.loyal.sclad.network/Localcentral.php?xXg4O6XL92ttIEp58nPrsQqYhS1z=yxc1v93Hoh1XY3CFsGxLpB&D4JgqIW6FheLEQ1WFwxUFYUTXnTyLDo=wx&76dac9c05f68f73a7ea391369b42615f=QZyUmZ0QWNmVTYxYjZ3MTYiBjYkdjMiRTZ5UWMwAjNzETM0gjMyMGMxczNxUDMxcjMzAzMzETN&d8cddfd69873ce3642f4bcba78d2ff45=gYyIjYygDMyQWNkFGN3QWZ5UGZzEDNkhTOzMmYzEDNkFmM0MzM3cDN&6ac09b49a2173238fb278404d63037d7=d1nIRZWaNhEZ3xWbjpmTGh1YOhkY2lzRWNGex4Ue0IjYvJFWlFFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJB3ZaV3cYFnbzRUeiBnUXRmQClmY2x2RkBXNXFWbWdkUndmMaBHaFt0Z3F2Z0RlYuNna0AncMl2Tp1EWaVXOHF2d502Yqx2VUl2dplUavpWS6FzVZpmSXpFWKNETpRzRYlHeW1kWGVEVR5kVTVEeGhVd3ZEWjhHbJZTS5NWdWdlW55kMVl2dplUM0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOikzYhVGNwAjN3gzMhVzNlJjM4ITN1UDZlhDOklDNmVWYiwiIllDMjZDOykjYxMGNxQGO1E2N5UDMmVzYhRWN4EWMiBjMklDM5Y2YzIiOiADO3cTNkNWZwImN4MWYlNTZ5Q2YycjZyIWO5QWYyQmYiwiIwY2MzkzNyYGZiNTZ4MDNzkjZwUzYwYWO4kDMjN2YiRmNllzNwAzM0IiOiIDMiVmYwkDZxMGOllTMzUjZ3IGZ3YWYzYzY1YjZyYTYis3W - rule_id: 33777
http://vm654.loyal.sclad.network/Localcentral.php?xXg4O6XL92ttIEp58nPrsQqYhS1z=yxc1v93Hoh1XY3CFsGxLpB&D4JgqIW6FheLEQ1WFwxUFYUTXnTyLDo=wx&76dac9c05f68f73a7ea391369b42615f=QZyUmZ0QWNmVTYxYjZ3MTYiBjYkdjMiRTZ5UWMwAjNzETM0gjMyMGMxczNxUDMxcjMzAzMzETN&d8cddfd69873ce3642f4bcba78d2ff45=gYyIjYygDMyQWNkFGN3QWZ5UGZzEDNkhTOzMmYzEDNkFmM0MzM3cDN&0f59c38e192e12ce220bdf8b59a895d7=d1nIzkDMlNzM3IWY4czNmdjZhFTZlRGZ1YGZiFmN2AzY5gzMiRTZlRDNwIiOiADO3cTNkNWZwImN4MWYlNTZ5Q2YycjZyIWO5QWYyQmYiwiIwY2MzkzNyYGZiNTZ4MDNzkjZwUzYwYWO4kDMjN2YiRmNllzNwAzM0IiOiIDMiVmYwkDZxMGOllTMzUjZ3IGZ3YWYzYzY1YjZyYTYis3W&952d38e09aadb53c0aa60f7607bf464e=0VfiIiOikzYhVGNwAjN3gzMhVzNlJjM4ITN1UDZlhDOklDNmVWYiwiIzkDMlNzM3IWY4czNmdjZhFTZlRGZ1YGZiFmN2AzY5gzMiRTZlRDNwIiOiADO3cTNkNWZwImN4MWYlNTZ5Q2YycjZyIWO5QWYyQmYiwiIwY2MzkzNyYGZiNTZ4MDNzkjZwUzYwYWO4kDMjN2YiRmNllzNwAzM0IiOiIDMiVmYwkDZxMGOllTMzUjZ3IGZ3YWYzYzY1YjZyYTYisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWSp9maJhkRFZVa3lWSwwWbRdWUq50Z0UUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNkYxkzVaRVOTlFcOhVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSTlFbKNjYMJ0QhBjVzIGVCNFTnF1VaBnWXFmaWd0Y6J0QkZXNrlkNJlnW5lTbJNXS55kMjRUT1NmaNh3dT9UMVpmT1NmeNl2bqlka5ckYpdXaJNFdrlkNJNVZ5JlbiFTOykVa3lWSzZ1MixmTslkNJlmY2xmMaxmSul0cJNFZuFTaiZHZzI2TKl2TptGSkBnTtl0cJlWTxUkaMBTTU1UdnRUT5RzUONTRqlkNJN0YwpUelZTS5JWb1c1U3x2aJNXSp1UeRNzYsJlbJZTSTpFdG1GV5ZlMjZlSDxUaNVUV0lkaNVlTWJVVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikzYhVGNwAjN3gzMhVzNlJjM4ITN1UDZlhDOklDNmVWYiwiImFmM0ADNyUDMyQ2YiFDNhZmYzEWM3kDOkFjNzYGZxgDZllTMyYWYxIiOiADO3cTNkNWZwImN4MWYlNTZ5Q2YycjZyIWO5QWYyQmYiwiIwY2MzkzNyYGZiNTZ4MDNzkjZwUzYwYWO4kDMjN2YiRmNllzNwAzM0IiOiIDMiVmYwkDZxMGOllTMzUjZ3IGZ3YWYzYzY1YjZyYTYis3W - rule_id: 33777
http://vm654.loyal.sclad.network/Localcentral.php?xXg4O6XL92ttIEp58nPrsQqYhS1z=yxc1v93Hoh1XY3CFsGxLpB&D4JgqIW6FheLEQ1WFwxUFYUTXnTyLDo=wx&76dac9c05f68f73a7ea391369b42615f=QZyUmZ0QWNmVTYxYjZ3MTYiBjYkdjMiRTZ5UWMwAjNzETM0gjMyMGMxczNxUDMxcjMzAzMzETN&d8cddfd69873ce3642f4bcba78d2ff45=gYyIjYygDMyQWNkFGN3QWZ5UGZzEDNkhTOzMmYzEDNkFmM0MzM3cDN&952d38e09aadb53c0aa60f7607bf464e=0VfiIiOikzYhVGNwAjN3gzMhVzNlJjM4ITN1UDZlhDOklDNmVWYiwiIllDMjZDOykjYxMGNxQGO1E2N5UDMmVzYhRWN4EWMiBjMklDM5Y2YzIiOiADO3cTNkNWZwImN4MWYlNTZ5Q2YycjZyIWO5QWYyQmYiwiIwY2MzkzNyYGZiNTZ4MDNzkjZwUzYwYWO4kDMjN2YiRmNllzNwAzM0IiOiIDMiVmYwkDZxMGOllTMzUjZ3IGZ3YWYzYzY1YjZyYTYis3W - rule_id: 33777
|
2
vm654.loyal.sclad.network(194.50.153.131) - mailcious
194.50.153.131 - mailcious
|
1
ET MALWARE DCRAT Activity (GET)
|
4
http://vm654.loyal.sclad.network/Localcentral.php
http://vm654.loyal.sclad.network/Localcentral.php
http://vm654.loyal.sclad.network/Localcentral.php
http://vm654.loyal.sclad.network/Localcentral.php
|
11.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17553 |
2023-05-30 17:12
|
 INET.exe 7f9f5628b1698378cecaff303fb4cf2d
PWS .NET framework Formbook SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
12.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17554 |
2023-05-30 17:11
|
index.ps1 d41d8cd98f00b204e9800998ecf8427e
Generic Malware Antivirus unpack itself |
|
|
|
|
0.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17555 |
2023-05-30 16:38
|
 QT367001.exe c72b6d0fa5da7249b6ddffe1b3d83363
Loki Loki_b Loki_m PWS .NET framework Formbook Hide_EXE Socket DNS PWS[m] Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed |
2
http://185.246.220.85/seth1/five/fre.php - rule_id: 33819
http://185.246.220.85/seth1/five/fre.php
|
1
185.246.220.85 - mailcious
|
4
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
|
1
http://185.246.220.85/seth1/five/fre.php
|
15.2 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17556 |
2023-05-30 16:36
|
 Signed Proposal pdf.exe 6cac87c1e2aa3e15837dcfff9d23cf0c
Loki NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software crashed |
2
http://171.22.30.147/lee/five/fre.php - rule_id: 33818
http://171.22.30.147/lee/five/fre.php
|
1
171.22.30.147 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://171.22.30.147/lee/five/fre.php
|
9.2 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17557 |
2023-05-30 16:33
|
 RV1-INV-2023090.exe e7eca1999e37695727ae022c0bc65d18
Loki NSIS UPX Malicious Library PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed |
2
http://185.246.220.60/project/five/fre.php - rule_id: 33817
http://185.246.220.60/project/five/fre.php
|
1
185.246.220.60 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://185.246.220.60/project/five/fre.php
|
9.6 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17558 |
2023-05-30 16:30
|
 DHL Receipt_AWB_20458290822.ex... e0bce4c29887875b2089b16fb21d4fad
Loki_b Loki_m PWS .NET framework Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
|
1
|
|
|
13.2 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17559 |
2023-05-30 16:28
|
 Shipping documents against Com... ffe9559fdba21527911e2c7a9536fc7e
Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software |
|
1
208.67.105.148 - mailcious
|
|
|
15.2 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17560 |
2023-05-30 16:27
|
 Request PDA_MT Tanker 1.exe a1d3e7d0ecb80b47259ac1222c821090
Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://185.246.220.60/seth2/five/fre.php - rule_id: 33814
|
1
185.246.220.60 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://185.246.220.60/seth2/five/fre.php
|
14.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17561 |
2023-05-30 16:25
|
 Kimball Electronics PO NO45032... 4d05c10b6ba4bf4e4db1c49232f2e144
Loki Loki_b Loki_m PWS .NET framework RAT Generic Malware Antivirus Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://194.180.48.58/blessedjay/five/fre.php - rule_id: 33813
http://194.180.48.58/blessedjay/five/fre.php
|
1
194.180.48.58 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://194.180.48.58/blessedjay/five/fre.php
|
16.8 |
|
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17562 |
2023-05-30 16:21
|
 MATERIAL AVT MEPZ FSL2022.ex... 81dfce6bac91a9a7bd90613995595aa3
Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed |
2
http://171.22.30.147/jungletwo/five/fre.php - rule_id: 33812
http://171.22.30.147/jungletwo/five/fre.php
|
1
171.22.30.147 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
1
http://171.22.30.147/jungletwo/five/fre.php
|
13.4 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17563 |
2023-05-30 16:16
|
 IMG-506402301.exe acd18f56751acb94768ff35aca47b1e1
Loki_b Loki_m PWS .NET framework UPX Socket DNS PWS[m] AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://94.131.105.161/geot/f/pin.php
|
1
94.131.105.161 - mailcious
|
|
|
14.8 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17564 |
2023-05-30 16:13
|
 270EA03E47CD4B98478524B51302E1... 270ea03e47cd4b98478524b51302e134
Loki Loki_b Loki_m Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
2
http://193.42.32.209/a/fre.php - rule_id: 33810
http://193.42.32.209/a/fre.php
|
1
|
5
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
|
1
http://193.42.32.209/a/fre.php
|
7.6 |
|
63 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17565 |
2023-05-30 15:15
|
 kds7uq5kknv.exe 433dbed8a7afbf15bfee967c63a50769
UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself Collect installed applications WriteConsoleW installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware DNS crashed |
1
http://185.99.133.246/c2sock - rule_id: 33485
|
1
185.99.133.246 - mailcious
|
2
ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
SURICATA HTTP unable to match response to request
|
1
http://185.99.133.246/c2sock
|
12.6 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|