12751 | 2023-05-30 17:27 | mslink1.exe 2f41ab13ff3d31ff39b85a4ff6501a0f UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself | 1.8 | M | 29 | ZeroCERT
12752 | 2023-05-30 17:25 | kkraken.png 9ad05df0b2acb11c60556ad6c0cb0ec2 PWS .NET framework RAT SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed | 11.0 | M | 45 | ZeroCERT
12753 | 2023-05-30 17:25 | binn.exe 30a3926a8293094811d943a6b26fced2 PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself | 5.2 | M | 39 | ZeroCERT
12754 | 2023-05-30 17:23 | GIB.exe d4e2fa45feaaaae4012c30b47c9eb9cd Admin Tool (Sysinternals etc ...) KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1 |
2 | api.ipify.org(64.185.227.155) 173.231.16.76 |
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
11.0 | M | 25 | ZeroCERT
12755 | 2023-05-30 17:23 | uiuiuiuiuui%23%23%23%23%23%23%... 3152aef08e3025e3ce9efe5db513f5dd MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
2 | http://103.133.104.112/232/IE_BROWSER.exe http://171.22.30.164/fred1/five/fre.php |
2 | 171.22.30.164 - mailcious 103.133.104.112 - mailcious |
12 | ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response |
5.4 | M | 31 | ZeroCERT
12756 | 2023-05-30 17:21 | trust.exe 1f95b8c2dc09a84f6a9fe6f74dbf7d96 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself | 2.0 | M | 33 | ZeroCERT
12757 | 2023-05-30 17:21 | INET.exe c2d972a2b74ef5bd3db1f8a7c939e088 PWS .NET framework Formbook SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows Browser Email ComputerName Cryptographic key Software crashed | 11.2 | M | 28 | ZeroCERT
12758 | 2023-05-30 17:19 | 100.exe 022ffcaf0d05a9f02b4199f44c40d86a RAT Generic Malware UPX Malicious Library Antivirus Malicious Packer OS Processor Check PE File PE32 PE64 VirusTotal Malware powershell PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName Remote Code Execution Cryptographic key crashed | 7.2 | M | 41 | ZeroCERT
12759 | 2023-05-30 17:19 | serfew.exe c12e38b35a365aeb19e001bf4ca76ae9 Raccoon Stealer Generic Malware UPX Obsidium protector PE File PE32 VirusTotal Malware Remote Code Execution | 1.4 | M | 27 | ZeroCERT
12760 | 2023-05-30 17:16 | kakazx.doc d89bca5a30ab63889a8d2829dc6704a6 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit crashed | 3.0 | | 29 | ZeroCERT
12761 | 2023-05-30 17:16 | IE_NET.exe aa8062b0fe51ad7da061a51ca03f1ea0 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself DNS |
1 | 185.246.220.85 - mailcious |
2.2 | M | 33 | ZeroCERT
12762 | 2023-05-30 17:14 | IE_NET.exe 7f7fa32e062ebeb860b487840ea9c95f Loki Loki_b Loki_m Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities malicious URLs installed browsers check Windows Browser Email ComputerName DNS Software |
1 | http://185.246.220.85/fresh/five/fre.php - rule_id: 28273 |
1 | 185.246.220.85 - mailcious |
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response |
1 | http://185.246.220.85/fresh/five/fre.php |
13.8 | M | 25 | ZeroCERT
12763 | 2023-05-30 17:14 | ready.exe 68a12439e64b2e4fd0733e2600153045 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself DNS |
1 | 194.50.153.131 - mailcious |
2.6 | M | 34 | ZeroCERT
12764 | 2023-05-30 17:13 | sQdXMQIHJl75b1w.exe e7f043a52ed8bbd9dd37bec764801f7e Suspicious_Script_Bin task schedule Admin Tool (Sysinternals etc ...) ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 Malware download NetWireRC VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check DCRat Windows ComputerName crashed |
4 | rule_id: 33777 (full encoded request URLs omitted) |
2 | vm654.loyal.sclad.network(194.50.153.131) - mailcious 194.50.153.131 - mailcious |
1 | ET MALWARE DCRAT Activity (GET) |
4 | http://vm654.loyal.sclad.network/Localcentral.php http://vm654.loyal.sclad.network/Localcentral.php http://vm654.loyal.sclad.network/Localcentral.php http://vm654.loyal.sclad.network/Localcentral.php |
11.8 | M | 30 | ZeroCERT
12765 | 2023-05-30 17:12 | INET.exe 7f9f5628b1698378cecaff303fb4cf2d PWS .NET framework Formbook SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows Browser Email ComputerName Cryptographic key Software crashed | 12.4 | M | 37 | ZeroCERT