Report 12781 | 2023-05-30 10:25
Sample: File_pass1234.7z (MD5 1a2c8653d23e5f54570f9600ea338ab4)
Tags: PWS[m], Escalate privileges, KeyLogger, AntiDebug, AntiVM, RedLine, Malware download, Amadey, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, IP Check, PrivateLoader, Tofsee, Stealer, Windows, DNS
URLs: 13
Hosts: 31
Alerts: 14
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET INFO Packed Executable Download
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO EXE - Served Attached HTTP
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
Rule-matched URLs: 4
  http://94.142.138.131/api/firegate.php
  http://hugersi.com/dl/6523.exe
  http://77.91.68.62/wings/game/index.php
  http://94.142.138.131/api/tracemap.php
5.8 | M | ZeroCERT

Report 12782 | 2023-05-30 10:20
Sample: File_pass1234.7z (MD5 1a2c8653d23e5f54570f9600ea338ab4)
Tags: PWS[m], Escalate privileges, KeyLogger, AntiDebug, AntiVM, suspicious privilege, Check memory, Checks debugger, unpack itself
1.6 | M | ZeroCERT

Report 12783 | 2023-05-30 09:56
Sample: foto148.exe (MD5 bd83774449462adfb38deec655db2d53)
Tags: Gen1, Emotet, UPX, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), CAB, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, RedLine, Malware download, Amadey, FTP Client Info Stealer, Malware, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Stealer, Windows, Browser, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software crashed
URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
Hosts: 2
  77.91.68.62 - malware
  83.97.73.127 - malicious
Alerts: 10
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
13.8 | M | ZeroCERT

Report 12784 | 2023-05-30 09:54
Sample: fotocr06.exe (MD5 990c304a94d6c1421a36461c0b6bee0d)
Tags: Gen1, Emotet, UPX, Malicious Library, Admin Tool (Sysinternals etc ...), Malicious Packer, CAB, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, RedLine, Malware download, Amadey, FTP Client Info Stealer, Malware, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Stealer, Windows, Browser, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software crashed
URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
Hosts: 2
  77.91.68.62 - malware
  83.97.73.127 - malicious
Alerts: 10
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
13.8 | M | ZeroCERT

Report 12785 | 2023-05-30 09:52
Sample: fotocr06.exe (MD5 990c304a94d6c1421a36461c0b6bee0d)
Tags: Gen1, Emotet, UPX, Malicious Library, Admin Tool (Sysinternals etc ...), Malicious Packer, CAB, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, RedLine, Malware download, Amadey, FTP Client Info Stealer, Malware, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Stealer, Windows, Browser, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software crashed
URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
Hosts: 2
  77.91.68.62 - malware
  83.97.73.127
Alerts: 9
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
13.8 | M | ZeroCERT

Report 12786 | 2023-05-30 09:52
Sample: foto148.exe (MD5 bd83774449462adfb38deec655db2d53)
Tags: Gen1, Emotet, UPX, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), CAB, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, RedLine, Malware download, Amadey, FTP Client Info Stealer, Malware, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Stealer, Windows, Browser, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software crashed
URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
Hosts: 2
  77.91.68.62 - malware
  83.97.73.127
Alerts: 9
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
13.8 | M | ZeroCERT

Report 12787 | 2023-05-30 09:45
Sample: ddd.xlsb (MD5 0e65c589e0c6edffb3b305e7595a271b)
Tags: ZIP Format, Excel Binary Workbook file format(xlsb), VirusTotal, Malware, exploit crash, unpack itself, Exploit, crashed
1.8 | M | 3 | ZeroCERT

Report 12788 | 2023-05-30 09:40
Sample: cc.exe (MD5 6752f0f596295d6281b9f48e291aa5e5)
Tags: UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, unpack itself, DNS
Hosts: 1
  185.206.215.165 - malicious
2.4 | M | 27 | ZeroCERT

Report 12789 | 2023-05-30 09:37
Sample: macrigan2.1.exe (MD5 c5f9705e5682c03412ec7ca32e22c17c)
Tags: NSIS, UPX, Malicious Library, PE File, PE32, DLL, Malware download, AveMaria, NetWireRC, VirusTotal, Malware, AutoRuns, MachineGuid, Check memory, Creates executable files, unpack itself, AppData folder, Windows, RAT, ComputerName, DNS, DDNS, keylogger
Hosts: 3
  cmark.duckdns.org(185.206.215.165) - malicious
  77.91.68.62 - malware
  185.206.215.165 - malicious
Alerts: 4
  ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
  ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
6.0 | M | 47 | ZeroCERT

Report 12790 | 2023-05-30 09:36
Sample: clp6.exe (MD5 d6c0b5e502d7816fa0eb105b10dfa481)
Tags: UPX, Malicious Library, OS Processor Check, PE64, PE File, DNS
Hosts: 1
2.2 | ZeroCERT

Report 12791 | 2023-05-30 09:36
Sample: p0aw25.exe (MD5 8a8c08155bce86d582d32eee9defcfcd)
Tags: Gen2, Gen1, Malicious Library, Malicious Packer, PE64, PE File, PDB, Remote Code Execution
0.8 | ZeroCERT

Report 12792 | 2023-05-30 09:35
Sample: foto148.exe (MD5 1917a7b5b899f2296d04aea2054e9b15)
Tags: Gen1, Emotet, UPX, Malicious Library, Admin Tool (Sysinternals etc ...), Malicious Packer, CAB, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, RedLine, Malware download, Amadey, FTP Client Info Stealer, Malware, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Stealer, Windows, Browser, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software crashed
URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
Hosts: 2
  77.91.68.62 - malware
  83.97.73.127
Alerts: 9
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
13.8 | M | ZeroCERT

Report 12793 | 2023-05-30 09:34
Sample: Zp1TK71j2PhbPpv.exe (MD5 b1fb36fc31e2e9e18b07abc77c833fe8)
Tags: Suspicious_Script_Bin, task schedule, Admin Tool (Sysinternals etc ...), ScreenShot, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Malware download, NetWireRC, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, AntiVM_Disk, VM Disk Size Check, DCRat, Windows, ComputerName, crashed
URLs: 4
Hosts: 2
  vm654.loyal.sclad.network(194.50.153.131)
  194.50.153.131
Alerts: 1
  ET MALWARE DCRAT Activity (GET)
9.8 | M | ZeroCERT

Report 12794 | 2023-05-30 09:34
Sample: fotocr06.exe (MD5 e9cdf6f42ec689a4f12eed551865668c)
Tags: Gen1, Emotet, UPX, Malicious Library, Admin Tool (Sysinternals etc ...), Malicious Packer, CAB, PE File, PE32, OS Processor Check, DLL, Browser Info Stealer, RedLine, Malware download, Amadey, FTP Client Info Stealer, Malware, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Stealer, Windows, Browser, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software crashed
URLs: 5
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/DSC01491/fotocr06.exe
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
  http://77.91.68.62/DSC01491/foto148.exe
Hosts: 2
  77.91.68.62 - malware
  83.97.73.127
Alerts: 11
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs: 3
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
13.8 | M | ZeroCERT

Report 12795 | 2023-05-30 00:37
Sample: Newtonsoft.Json.dll (MD5 715a1fbee4665e99e859eda667fe8034)
Tags: RAT, UPX, .NET DLL, DLL, PE File, PE32, PDB
0.2 | guest