12691 | 2023-05-31 22:22
Sample: photo430.exe | Hash: b6ed4cad3e59dbf00df04523cfc39466
Tags: Redline Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (5):
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/DSC01491/fotocr06.exe - rule_id: 33774
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
  http://77.91.68.62/DSC01491/foto148.exe - rule_id: 33773
Hosts (2):
  77.91.68.62 - malware
  83.97.73.127 - mailcious
IDS alerts (11):
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (5):
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/DSC01491/fotocr06.exe
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
  http://77.91.68.62/DSC01491/foto148.exe
13.8 | M | | ZeroCERT

12692 | 2023-05-31 18:06
Sample: gtgtgtgtggtgtgtgtg%23%23%23%23... | Hash: a75b82ea2020ba61e2679c2f09d589cc
Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (2):
  http://171.22.30.164/fred1/five/fre.php - rule_id: 33826
  http://103.133.104.112/113/INTERNET.exe
Hosts (2):
  171.22.30.164 - mailcious
  103.133.104.112 - mailcious
IDS alerts (12):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
  http://171.22.30.164/fred1/five/fre.php
5.4 | M | 30 | ZeroCERT

12693 | 2023-05-31 18:05
Sample: f5a15fe5b539876ed5696e5172a525... | Hash: 27eadcb9f04343ba902a7931f2405818
Tags: Gen2 Gen1 Generic Malware PhysicalDrive Downloader Malicious Library Antivirus UPX Malicious Packer Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenSh Malware download VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (2):
  http://hpsj.firewall-gateway.net:443/uddiexplorer
  http://hpsj.firewall-gateway.net:80/hpjs.php
Hosts (2):
  hpsj.firewall-gateway.net(194.26.192.234) - mailcious
  194.26.192.234
IDS alerts (1):
  ET MALWARE LazyScripter Related Domain in DNS Lookup (hpsj .firewall-gateway .net)
10.0 | | 16 | ZeroCERT

12694 | 2023-05-31 18:03
Sample: office_lic.exe | Hash: d7a9fc879fc9b5c6b5b189afb304dade
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself
1.6 | M | 34 | ZeroCERT

12695 | 2023-05-31 18:03
Sample: e1045b24baf8207aa06d8e7084cafe... | Hash: da77256e7b17c71c20d18fc43fef9147
Tags: Downloader Code injection PWS[m] Http API Create Service DGA Socket DNS HTTP Sniff Audio Steal credential P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM Browser Info Stealer VirusTotal Malware Code Injection Check memory Checks debugger unpack itself suspicious process malicious URLs WriteConsoleW installed browsers check Browser
4.6 | | 10 | ZeroCERT

12696 | 2023-05-31 18:01
Sample: Powerpnt.exe | Hash: c8b26a037fc23edbcb3bfed197656944
Tags: UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware unpack itself DNS
Hosts (1):
  45.159.189.105 - mailcious
3.0 | M | 41 | ZeroCERT

12697 | 2023-05-31 18:00
Sample: ead93a91b05cfc325f236397f6357b... | Hash: 554142645426b4e3b0d8594bff09b0f9
Tags: Generic Malware Downloader Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (3):
  https://www.mediafire.com/error.php?errno=320&origin=download
  https://www.mediafire.com/file/1ush0ujca5221mj/axorojeyi1.rar/file
  https://www.mediafire.com/file/l25w81fnaj63swq/bipicajuva2.rar/file
Hosts (2):
  www.mediafire.com(104.16.54.48) - mailcious
  104.16.53.48 - mailcious
IDS alerts (2):
  ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.0 | | 24 | ZeroCERT

12698 | 2023-05-31 17:59
Sample: INTERNET.exe | Hash: 6e201981b59dbed41004e8a0787ab06e
Tags: .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities Windows ComputerName Cryptographic key crashed
6.0 | M | 45 | ZeroCERT

12699 | 2023-05-31 17:59
Sample: aaa1.exe | Hash: ed1561c9851a479d7fe85248706a4cf9
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself
2.2 | M | 48 | ZeroCERT

12700 | 2023-05-31 17:58
Sample: jjjj.exe | Hash: 7338191364d7eb9a6f697f08833b7fe4
Tags: RAT Gen2 Gen1 PhysicalDrive Generic Malware Malicious Packer UPX Malicious Library Antivirus PWS[m] Anti_VM AntiDebug AntiVM PE File PE32 JPEG Format PE64 OS Processor Check .NET EXE Browser Info Stealer Malware download Amadey VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check SectopRAT Windows Browser Backdoor ComputerName DNS Cryptographic key crashed
URLs (6):
  http://45.159.189.105/bot/online?guid=TEST22-PC&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34 - rule_id: 26212
  http://78.47.9.120/so57Nst/index.php?scr=1
  http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34 - rule_id: 26211
  http://78.47.9.120/so57Nst/index.php
  http://162.55.212.236/unsecapp.exe
  http://162.55.212.236/tcpupdate.exe
Hosts (4):
  78.47.9.120
  162.55.188.246 - mailcious
  45.159.189.105 - mailcious
  162.55.212.236 - malware
IDS alerts (11):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET MALWARE Laplas Clipper - Regex CnC Request
  ET MALWARE Laplas Clipper - SetOnline CnC Checkin
  ET MALWARE Arechclient2 Backdoor CnC Init
  ET MALWARE Amadey Bot Activity (POST) M1
Rule-matched URLs (2):
  http://45.159.189.105/bot/online
  http://45.159.189.105/bot/regex
18.0 | M | 42 | ZeroCERT

12701 | 2023-05-31 17:58
Sample: 11c09291e70a558964dc467f22068a... | Hash: 6ada3fcf24ecc9e5a9e3fab7b77b8ed9
Tags: Generic Malware Downloader Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  https://transfer.sh/get/mcU8V5/Ta.zip
4.6 | | | ZeroCERT

12702 | 2023-05-31 17:57
Sample: ilililililili%23%23%23%23%23%2... | Hash: d9eca8a9237d39e32b892cacd27ac633
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed
URLs (2):
  http://45.66.230.128/110/IE_CACHE.exe
  http://45.66.230.128/il/MuviCIVc248.bin
Hosts (1):
  45.66.230.128 - mailcious
IDS alerts (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Generic .bin download from Dotted Quad
5.0 | M | 31 | ZeroCERT

12703 | 2023-05-31 17:55
Sample: browser_cache.exe | Hash: 524d20bd1245aa40eaafaa90992488e3
Tags: Loki_b Loki_m Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://185.246.220.85/chang1/five/fre.php
Hosts (1):
  185.246.220.85 - mailcious
IDS alerts (5):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Fake 404 Response
8.0 | M | 65 | ZeroCERT

12704 | 2023-05-31 17:55
Sample: gogw.exe | Hash: 486ce67349a1f31a1426600888d189a9
Tags: UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware
1.6 | M | 21 | ZeroCERT

12705 | 2023-05-31 17:54
Sample: tititiitititiiti%23%23%23%23%2... | Hash: 15d6c18e34ad68f0907981c8850ba29f
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted exploit crash Exploit crashed
3.2 | M | 35 | ZeroCERT