12256 | 2023-06-14 09:39 | tr.exe | e30b956aebb229faaab4457ef95ffb91 | 5.0 | M | 56 | ZeroCERT
Tags: Ave Maria WARZONE RAT Generic Malware UPX Malicious Library Downloader Malicious Packer Antivirus OS Processor Check PE File PE32 VirusTotal Malware Check memory unpack itself Remote Code Execution DNS DDNS
Hosts (4):
  testing1212.ddns.net (58.65.223.25)
  backup1212.ddns.net (103.179.142.136)
  58.65.223.25
  103.179.142.136
ET signatures (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net

12257 | 2023-06-14 09:37 | patlak.exe | 46003a917927235059d68042c451a6ca | 3.4 | M | 38 | ZeroCERT
Tags: UPX PE File PE32 VirusTotal Malware Buffer PE buffers extracted RWX flags setting unpack itself crashed

12258 | 2023-06-14 09:37 | ok.exe | ed298d3727507724a544adec1a931f72 | 1.4 | M | 27 | ZeroCERT
Tags: UPX Antivirus PE File PE32 VirusTotal Malware RWX flags setting crashed

12259 | 2023-06-14 09:35 | rat2.exe | 79064eba32981da8c9491a8950fdb4ab | 1.8 | M | 26 | ZeroCERT
Tags: UPX Antivirus PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed

12260 | 2023-06-14 09:35 | ne.exe | 8dfcd4af0d57b29701526c0cbe5920d1 | 1.6 | M | 37 | ZeroCERT
Tags: UPX PE File PE32 VirusTotal Malware RWX flags setting crashed

12261 | 2023-06-14 09:33 | pat1.exe | 3cc8d342301cf9a933f00af6b09619e0 | 3.6 | M | 49 | ZeroCERT
Tags: Generic Malware UPX PE File PE32 VirusTotal Malware Buffer PE buffers extracted RWX flags setting unpack itself crashed

12262 | 2023-06-14 09:33 | no.exe | d2413f4409c6338ec819039b93c09630 | 1.8 | M | 50 | ZeroCERT
Tags: UPX Antivirus PE File PE32 VirusTotal Malware RWX flags setting crashed

12263 | 2023-06-14 08:57 | cleanmgr.exe | 27257bd3c7ab01e7625be4ce37c99efb | 1.0 | | | ZeroCERT
Tags: Malicious Library PE File PE32 PDB unpack itself

12264 | 2023-06-14 07:33 | rengad_new.exe | 02a9d3d1420152eb639a16d34ec2ebbf | 5.6 | | | ZeroCERT
Tags: RAT UPX OS Processor Check .NET EXE PE File MSOffice File PE32 Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Remote Code Execution Cryptographic key

12265 | 2023-06-13 23:33 | kali.exe | 84b1cbc52fa9a20124dda922f7fc24b7 | 1.8 | M | 52 | ZeroCERT
Tags: UPX PE File PE32 VirusTotal Malware RWX flags setting crashed

12266 | 2023-06-13 23:32 | iiiiiiiiiiiiiiiiiiiiiiiiiiiiii... | ae15e353edb611c651dc6b29ed9b73bc | 5.0 | M | 34 | ZeroCERT
Tags: MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (3):
  http://192.3.176.146/cv/OLegAaWDxBDtbdq144.bin
  http://194.180.48.58/black/five/fre.php
  http://192.3.176.146/278/cleanmgr.exe
IPs (2):
  194.180.48.58 - malicious
  192.3.176.146 - malicious
ET signatures (13):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE Generic .bin download from Dotted Quad
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response

12267 | 2023-06-13 23:31 | ilililililililililillilillilil... | 0191b68971c6f07c59ad7ca657247345 | 5.0 | M | 34 | ZeroCERT
Tags: MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (3):
  http://192.3.176.146/cv/ch/oMFMQiEty186.bin
  http://185.246.220.60/bis/five/fre.php
  http://192.3.176.146/279/cleanmgr.exe
IPs (2):
  185.246.220.60 - malicious
  192.3.176.146 - malicious
ET signatures (13):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Generic .bin download from Dotted Quad
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

12268 | 2023-06-13 23:30 | rerererererererererererererere... | 49bfcee9de8939af35318e912dce1a48 | 5.0 | M | 32 | ZeroCERT
Tags: MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (2):
  http://109.248.144.244/35/cleanmgr.exe
  http://194.180.48.58/morgan/five/fre.php
IPs (2):
  194.180.48.58 - malicious
  109.248.144.244 - malicious
ET signatures (10):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

12269 | 2023-06-13 23:29 | seseseseseseseessesesese%23%23... | 0cb711fdef6f0d33c61dcd0974bd64ce | 5.4 | M | 36 | ZeroCERT
Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (2):
  http://171.22.30.147/chang2/five/fre.php - rule_id: 33983
  http://45.81.39.192/232/cleanmgr.exe
IPs (2):
  45.81.39.192 - malicious
  171.22.30.147 - malicious
ET signatures (12):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
  http://171.22.30.147/chang2/five/fre.php

12270 | 2023-06-13 23:28 | imimimiimimimmiiimmimimimmiiim... | f0b5a393cccd0dad6fad80352a1f89b9 | 5.4 | M | 33 | ZeroCERT
Tags: MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed
URLs (3):
  http://192.3.176.146/cv/mi/wPMarLqzBwF93.bin
  http://171.22.30.164/cuit/five/fre.php
  http://192.3.176.146/280/cleanmgr.exe
IPs (2):
  171.22.30.164 - malicious
  192.3.176.146 - malicious
ET signatures (13):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Generic .bin download from Dotted Quad
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response

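The five RTF rows above share one pattern: a dotted-quad host serving cleanmgr.exe or a .bin, and a LokiBot gate at a path ending in /five/fre.php, while the WARZONE row resolves two *.ddns.net names. The following is an added example, not part of the ZeroCERT listing, that turns those rows into a small hunting script: it carries the URLs, IPs and domains from the records as exact-match indicators and adds the three behavioural checks the ET signature names describe (executable or .bin fetched from a dotted-quad host, POST to /fre.php, query to a *.ddns.net name). The log line format, the client IPs and the "Mozilla/4.08 (Charon; Inferno)" User-Agent string in the sample are constructed for the example; the listing only gives the signature name "LokiBot User-Agent (Charon/Inferno)", so the exact string is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the listing rows above (12256, 12266-12270).
LISTED_URLS = [
    "http://192.3.176.146/cv/OLegAaWDxBDtbdq144.bin",
    "http://194.180.48.58/black/five/fre.php",
    "http://192.3.176.146/278/cleanmgr.exe",
    "http://192.3.176.146/cv/ch/oMFMQiEty186.bin",
    "http://185.246.220.60/bis/five/fre.php",
    "http://192.3.176.146/279/cleanmgr.exe",
    "http://109.248.144.244/35/cleanmgr.exe",
    "http://194.180.48.58/morgan/five/fre.php",
    "http://171.22.30.147/chang2/five/fre.php",
    "http://45.81.39.192/232/cleanmgr.exe",
    "http://192.3.176.146/cv/mi/wPMarLqzBwF93.bin",
    "http://171.22.30.164/cuit/five/fre.php",
    "http://192.3.176.146/280/cleanmgr.exe",
]
LISTED_DOMAINS = {"testing1212.ddns.net", "backup1212.ddns.net"}
LISTED_IPS = {"58.65.223.25", "103.179.142.136"} | {urlsplit(u).hostname for u in LISTED_URLS}

# Constructed log format (assumption): "<ts> HTTP <client> <method> <url> "<user-agent>""
# and "<ts> DNS <client> <qname>". Adapt the two regexes to a real proxy/resolver log.
HTTP_RE = re.compile(r'^(\S+) HTTP (\S+) (GET|POST) (\S+) "([^"]*)"$')
DNS_RE = re.compile(r'^(\S+) DNS (\S+) (\S+)$')


@dataclass
class Hit:
    line: str
    reasons: list


def is_dotted_quad(host: str) -> bool:
    """True when the HTTP Host is a literal IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def check_http(method: str, url: str, user_agent: str) -> list:
    """Return the reasons (possibly none) an HTTP request matches the listing's tradecraft."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    if url in LISTED_URLS:
        reasons.append("exact match: URL listed above")
    elif host in LISTED_IPS:
        reasons.append("host listed above")
    # ET INFO Executable Download from dotted-quad Host / ET MALWARE Generic .bin download from Dotted Quad
    if is_dotted_quad(host) and path.lower().endswith((".exe", ".bin", ".dll")):
        reasons.append("executable/.bin fetched from dotted-quad host")
    # Every LokiBot row posts to <dir>/five/fre.php; the host changes, the gate path does not.
    if method == "POST" and path.endswith("/fre.php"):
        reasons.append("POST to /fre.php LokiBot gate path")
    # ET MALWARE LokiBot User-Agent (Charon/Inferno)
    if "Charon" in user_agent and "Inferno" in user_agent:
        reasons.append("LokiBot User-Agent (Charon/Inferno)")
    return reasons


def check_dns(qname: str) -> list:
    """Return the reasons (possibly none) a DNS query matches the WARZONE row's DDNS use."""
    reasons = []
    q = qname.lower().rstrip(".")
    if q in LISTED_DOMAINS:
        reasons.append("exact match: domain listed above")
    if q.endswith(".ddns.net"):  # ET POLICY DNS Query to DynDNS Domain *.ddns .net
        reasons.append("DynDNS query (*.ddns.net)")
    return reasons


def scan(lines) -> list:
    """Run both checks over log lines and keep the ones with at least one reason."""
    hits = []
    for line in lines:
        m = HTTP_RE.match(line)
        if m:
            reasons = check_http(m.group(3), m.group(4), m.group(5))
        else:
            m = DNS_RE.match(line)
            reasons = check_dns(m.group(3)) if m else []
        if reasons:
            hits.append(Hit(line, reasons))
    return hits


SAMPLE_LOG = [  # constructed sample; 203.0.113.9 is a documentation address standing in for an unseen C2
    '2023-06-14T09:40:01Z HTTP 10.0.0.5 GET http://192.3.176.146/280/cleanmgr.exe "Mozilla/4.0"',
    '2023-06-14T09:40:03Z HTTP 10.0.0.5 POST http://171.22.30.164/cuit/five/fre.php "Mozilla/4.08 (Charon; Inferno)"',
    '2023-06-14T09:40:05Z HTTP 10.0.0.5 POST http://203.0.113.9/new/five/fre.php "Mozilla/4.08 (Charon; Inferno)"',
    '2023-06-14T09:41:00Z DNS 10.0.0.7 testing1212.ddns.net',
    '2023-06-14T09:41:02Z DNS 10.0.0.7 other9999.ddns.net',
    '2023-06-14T09:42:00Z HTTP 10.0.0.8 GET https://www.example.com/index.html "Mozilla/5.0"',
    '2023-06-14T09:42:01Z DNS 10.0.0.8 www.example.com',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.line)
        for r in hit.reasons:
            print("   ->", r)
```

The third sample line is the one worth noticing: its host appears nowhere in the listing, yet it is flagged on the gate path and User-Agent alone. Exact URLs and IPs from a sandbox run go stale within days (192.3.176.146 already serves three different paths across these rows), so the behavioural checks are the part to keep. Treat the dotted-quad executable check and the *.ddns.net check as hunting leads rather than block rules; both also occur in legitimate traffic on some networks.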