12766 | 2023-05-30 17:12 | INET.exe 7f9f5628b1698378cecaff303fb4cf2d
Tags: PWS .NET framework Formbook SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows Browser Email ComputerName Cryptographic key Software crashed
12.4 | M | 37 | ZeroCERT

12767 | 2023-05-30 17:11 | index.ps1 d41d8cd98f00b204e9800998ecf8427e
Tags: Generic Malware Antivirus unpack itself
0.4 | - | - | ZeroCERT

12768 | 2023-05-30 16:38 | QT367001.exe c72b6d0fa5da7249b6ddffe1b3d83363
Tags: Loki Loki_b Loki_m PWS .NET framework Formbook Hide_EXE Socket DNS PWS[m] Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (2):
  http://185.246.220.85/seth1/five/fre.php - rule_id: 33819
  http://185.246.220.85/seth1/five/fre.php
Hosts (1): 185.246.220.85 - mailcious
Signatures (4):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
Malicious URLs (1): http://185.246.220.85/seth1/five/fre.php
15.2 | - | 54 | ZeroCERT

12769 | 2023-05-30 16:36 | Signed Proposal pdf.exe 6cac87c1e2aa3e15837dcfff9d23cf0c
Tags: Loki NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software crashed
URLs (2):
  http://171.22.30.147/lee/five/fre.php - rule_id: 33818
  http://171.22.30.147/lee/five/fre.php
Hosts (1): 171.22.30.147 - mailcious
Signatures (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URLs (1): http://171.22.30.147/lee/five/fre.php
9.2 | - | 51 | ZeroCERT

12770 | 2023-05-30 16:33 | RV1-INV-2023090.exe e7eca1999e37695727ae022c0bc65d18
Tags: Loki NSIS UPX Malicious Library PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (2):
  http://185.246.220.60/project/five/fre.php - rule_id: 33817
  http://185.246.220.60/project/five/fre.php
Hosts (1): 185.246.220.60 - mailcious
Signatures (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URLs (1): http://185.246.220.60/project/five/fre.php
9.6 | - | 53 | ZeroCERT

12771 | 2023-05-30 16:30 | DHL Receipt_AWB_20458290822.ex... e0bce4c29887875b2089b16fb21d4fad
Tags: Loki_b Loki_m PWS .NET framework Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
Hosts (1):
13.2 | - | 51 | ZeroCERT

12772 | 2023-05-30 16:28 | Shipping documents against Com... ffe9559fdba21527911e2c7a9536fc7e
Tags: Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software
Hosts (1): 208.67.105.148 - mailcious
15.2 | - | 55 | ZeroCERT

12773 | 2023-05-30 16:27 | Request PDA_MT Tanker 1.exe a1d3e7d0ecb80b47259ac1222c821090
Tags: Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1): http://185.246.220.60/seth2/five/fre.php - rule_id: 33814
Hosts (1): 185.246.220.60 - mailcious
Signatures (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URLs (1): http://185.246.220.60/seth2/five/fre.php
14.0 | M | 47 | ZeroCERT

12774 | 2023-05-30 16:25 | Kimball Electronics PO NO45032... 4d05c10b6ba4bf4e4db1c49232f2e144
Tags: Loki Loki_b Loki_m PWS .NET framework RAT Generic Malware Antivirus Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://194.180.48.58/blessedjay/five/fre.php - rule_id: 33813
  http://194.180.48.58/blessedjay/five/fre.php
Hosts (1): 194.180.48.58 - mailcious
Signatures (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Malicious URLs (1): http://194.180.48.58/blessedjay/five/fre.php
16.8 | - | 45 | ZeroCERT

12775 | 2023-05-30 16:21 | MATERIAL AVT MEPZ FSL2022.ex... 81dfce6bac91a9a7bd90613995595aa3
Tags: Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software crashed
URLs (2):
  http://171.22.30.147/jungletwo/five/fre.php - rule_id: 33812
  http://171.22.30.147/jungletwo/five/fre.php
Hosts (1): 171.22.30.147 - mailcious
Signatures (6):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Malicious URLs (1): http://171.22.30.147/jungletwo/five/fre.php
13.4 | - | 49 | ZeroCERT

12776 | 2023-05-30 16:16 | IMG-506402301.exe acd18f56751acb94768ff35aca47b1e1
Tags: Loki_b Loki_m PWS .NET framework UPX Socket DNS PWS[m] AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://94.131.105.161/geot/f/pin.php
Hosts (1): 94.131.105.161 - mailcious
14.8 | - | 51 | ZeroCERT

12777 | 2023-05-30 16:13 | 270EA03E47CD4B98478524B51302E1... 270ea03e47cd4b98478524b51302e134
Tags: Loki Loki_b Loki_m Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (2):
  http://193.42.32.209/a/fre.php - rule_id: 33810
  http://193.42.32.209/a/fre.php
Hosts (1):
Signatures (5):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
Malicious URLs (1): http://193.42.32.209/a/fre.php
7.6 | - | 63 | guest

12778 | 2023-05-30 15:15 | kds7uq5kknv.exe 433dbed8a7afbf15bfee967c63a50769
Tags: UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE Code Injection Malicious Traffic Checks debugger buffers extracted unpack itself Collect installed applications WriteConsoleW installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware DNS crashed
URLs (1): http://185.99.133.246/c2sock - rule_id: 33485
Hosts (1): 185.99.133.246 - mailcious
Signatures (2):
  ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
  SURICATA HTTP unable to match response to request
Malicious URLs (1): http://185.99.133.246/c2sock
12.6 | M | 50 | ZeroCERT

12779 | 2023-05-30 13:41 | 06777499.exe 6392f9473488585adf633a7fde82f28b
Tags: Redline Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Confuser .NET SMTP Code injection HTTP PWS[m] Http API Internet API AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Ransomware Lumma Stealer Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
URLs (5):
  http://95.214.27.98/lend/kds7uq5kknv.exe
  http://95.214.27.98/cronus/Plugins/cred64.dll
  http://95.214.27.98/cronus/index.php - rule_id: 33802
  http://95.214.27.98/cronus/index.php
  http://185.99.133.246/c2sock - rule_id: 33485
Hosts (3):
  83.97.73.127 - mailcious
  95.214.27.98 - malware
  185.99.133.246 - mailcious
Signatures (14):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
  SURICATA HTTP unable to match response to request
Malicious URLs (2):
  http://95.214.27.98/cronus/index.php
  http://185.99.133.246/c2sock
22.8 | M | 39 | ZeroCERT

12780 | 2023-05-30 10:47 | File_pass1234.7z 0d6f6b6bd8f63cb7ea5854d7fb265cb4
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS
URLs (11):
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://85.208.136.10/api/firegate.php - rule_id: 32663
  http://45.63.40.48:3002/
  http://85.208.136.10/api/tracemap.php - rule_id: 32662
  http://www.maxmind.com/geoip/v2.1/city/me
  https://sun6-20.userapi.com/c237331/u791620691/docs/d11/350130cbb9c6/PMp123a.bmp?extra=tONVqElPo-mONv9H1N77dl5gnf0qx0RIDWhnQv0pfnggFyTSr0lcbBRhJPwYJlQIn69bcwZK5a77VAfW3irjaK0ObffcoXk5OiNOBL_6TNiZ1gJsMrCYqiluWsgsUZ703Jp5VOCRRBfq9vyf7w
  https://vk.com/doc791620691_664562355?hash=60bw0oeYE8Op2FAtVeNLN5ZQODckNwEGocYRxvow6eT&dl=JqisKfdCTOlrG5C2zMgxyjDbqMol1WVGsHKuMJ7KUEL&api=1&no_preview=1
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
  https://sun6-21.userapi.com/c237031/u791620691/docs/d10/1bb194217104/cosmic.bmp?extra=OzP24DVVNdJlAer6TrgAxQeVsgO593sZw5mfKKl8xTWXj7lwr_z097-pN9i5YcJ_4RF8zAGPCKGry1YMyyMfhUwODYfgzyVCvqJBZ4tscygTmOcjl43jai4gNPweG2FKerWXaLJ2Ntl6HPbakQ
  https://vk.com/doc791620691_664633016?hash=Kx9Lk64SiBei7Frzj0lSzmTRwDQUGuLRnag9eWB0Yvz&dl=7l27SR2LgFb34pTgCkFSsXiqFFhU6Hm1fHoJzcRRnP4&api=1&no_preview=1
Hosts (24):
  db-ip.com(104.26.5.15)
  hugersi.com(91.215.85.147) - malware
  ji.jahhaega2qq.com(104.21.18.146) - malware
  sun6-21.userapi.com(95.142.206.1)
  ipinfo.io(34.117.59.81)
  www.maxmind.com(104.17.214.67)
  sun6-20.userapi.com(95.142.206.0)
  vk.com(87.240.137.164) - mailcious
  api.db-ip.com(104.26.4.15)
  87.240.137.164 - mailcious
  45.12.253.74 - malware
  104.26.4.15
  45.63.40.48
  163.123.143.4 - mailcious
  95.142.206.1
  95.142.206.0
  91.215.85.147 - malware
  34.117.59.81
  85.208.136.10 - mailcious
  176.113.115.239 - malware
  104.26.5.15
  104.21.18.146
  104.17.214.67
  83.97.73.126 - malware
Signatures (9):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
Malicious URLs (3):
  http://hugersi.com/dl/6523.exe
  http://85.208.136.10/api/firegate.php
  http://85.208.136.10/api/tracemap.php
6.2 | M | 9 | ZeroCERT