| 1696 |
2020-09-10 09:37
|
Complaint_Letter_1163852919_09... e7d0adf42a8a7e72bdf8c7f3aa58234d
Malware Malicious Traffic Check memory Checks debugger unpack itself Windows DNS |
|
1
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
4.6 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1697 |
2020-09-10 10:18
|
Invoice.exe 176ec96505cf39b80719907bd8386058
VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files unpack itself malicious URLs sandbox evasion Tofsee Windows ComputerName DNS crashed keylogger |
1
https://myexternalip.com/raw
https://myexternalip.com/raw
|
2
185.165.153.231
216.239.36.21
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.4 |
|
34 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1698 |
2020-09-10 13:40
|
Search results.txt 4e1df12e5dfc38f9fc5e6776d6a908bc
Check memory unpack itself malicious URLs |
|
|
|
|
1.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1699 |
2020-09-10 15:10
|
UNTITLED-20200906-61199.doc e8c455b9d0a528d8e47a5fa5c949e368
VirusTotal Malware Malicious Traffic unpack itself Windows Browser DNS |
2
http://51.38.124.206/HGczKIEwm8rl5Hn/3xPqp3KOZ2pF/OB5O/VPpBdB8LrqYF/
http://xn--ruqumz1h0h.com/wp-content/zj/
|
3
159.138.11.3
185.215.227.107
51.38.124.206
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
|
5.0 |
M |
39 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1700 |
2020-09-10 15:28
|
ns8uyl3nawcgvej.msi 9bee85e261119758897496566570c781
VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs AntiVM_Disk VM Disk Size Check human activity check ComputerName |
|
|
|
|
3.8 |
M |
29 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1701 |
2020-09-10 15:29
|
Vicky.doc 14508d1afccdd5ea6987ea28e1c737e6
VirusTotal Malware buffers extracted exploit crash unpack itself malicious URLs Tofsee Exploit DNS crashed |
1
https://2mval.com/1/ns8uyl3nawcgvej.msi
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
34 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1702 |
2020-09-11 09:11
|
http://wangpaiedu.com/ 7adc92cbeb9b8ea95250edd38cfa81cc
Code Injection unpack itself Windows utilities malicious URLs Tofsee Windows Google DNS |
8
http://clkfeed.com/adServe/feed?pid=277439&cid=294967874220200911080847&ip=175.208.134.150&q=wangpaiedu.com&ref=http%3A%2F%2Fclick.com.cn&num=1&ua=Mozilla%2F4.0+%28compatible%3B+MSIE+8.0%3B+Windows+NT+6.1%3B+Trident%2F4.0%3B+SLCC2%3B+.NET+CLR+2.0.50727%3B+.NET+CLR+3.5.30729%3B+.NET+CLR+3.0.30729%3B+Media+Center+PC+6.0%3B+InfoPath.2%3B+.NET4.0C%3B+.NET4.0E%29&ar=sr&format=jsonp&callback=jCallBack
http://makemoneywithus.work/
http://makemoneywithus.work/selfclicks?utm_id=10893&utm_campaign=Worldwide+SDX&utm_source=422372689&utm_cost=0.0016
http://p277439.infopicked.com/adServe/domainClick?ai=QZA1Kz1Z7btlho2dXM3TbwcfticQWplya2HEcWq2mpGwzUj8CXdBg9XuZGHwNDnSCKDRxlSFy7FLueFlntN-D1NbbFPaH-VJdRePfirJtYMCozyvMhv4-LlU-hBqlV3wbM7TR-A6o2LnrG8E1DfQ9Q6HRvyXwtB8WKd9ALxRfmAtGDmB6E48Uglt7BALO2dZ9Q5yhu1oeOiXreINDQp2lZc9r3PL9gX2uVeQWWNuKrgiorEW5cQXei1p_uIUYwY5qUzaeYhSjwo4wze4caGpDvAdDxfNZOFVxWfBO_Pgkf9Lj9hxf0SJk0tVfUbfcXAU2dgRsl_cISdhzavJEfo6eseVq4GY9uFdESEy041wghMrAgV2R4ubIyh-8XWjYI5uvZ0tvrAyc11VkHRUwGVzse4_hxqmBidZ34_EUBB7T3W5HBHAGI8aSz1hqTgxc2azrd0OcIEX6rmPeOjcIg01sg&ui=Ilxxar-4JDjHYSZnQRV0rY-50-QI18VbLWXp3on882KiNKxwAofaTFsLZKL4p86ALR0U4xGThR3FwOjJcLmGzL0iFFrsJeWfLvTEwvL362OCWKPFwucsuHCCYbZnLnHd_5uMjGqlGjE&si=1&oref=d3c2837da0e02e3a4a67f0afabcb8712&rb=TqxNRUmuhLY&rr=1&isco=t
http://wangpaiedu.com/
http://infopicked.com/aS/feedclick?s=Ilxxar-4JDjHYSZnQRV0rUoLXZk8gkPQWEhgdNzDmljI6j6WA_S05lIUa0Wvr2aDrtKGeLDN2bDp6O7CY8H5ouesbwTUN9D1Q57WzBF2czkWE365F5gTS3p_DRrQ0jsCiUnMKG1xv31r6HPqc5_T5XfmENYXbWzNNl6RGTsBSknipUdQkBxwwvXUJLXEL5w2d8sOkaR9z5Sl-snI089o_kl4EY6ZHCmYrP9aB3BVULMl1BQU3BX0v099TsCiSWeeyTnvlHDIIbm3FH7cuB0ZlXYmdOrmH5DpUvSZqsTL6b4nM44mnAjLIuoj-HsUnhSzW9SSNU-oCJEk7-tFA2kJXc0qY9xeJzIdVMrynipz3hAKkCiv8Ww0dWeh1tupCjZL66KOCDZBVG0pNUdaJo8Vc5hI7WCHjQWpFGUFClm5VIHiyF34ondk0Lur38Oij7pN4exah3noPXt9ttBDinuePKKW8UFBtGeET6uzUu7BPw6PstcTKb3bZeSHOMpCuIMl7BG2-Nz-gq7AbAHEML8ResISecZGCDLOWRopVUjg18umG9Xgtyg9oWRV2iYh3gAmQa3i54wNYAb-DScVgVFATmf0gK6DZvOUhBfsNtpIEqg6qpGCO2u35rHTeC9xy5AHhuPXZARi-4udjFBVwC6keEVMZY8gLnPYz9lVIEfnyrkoxjcaJBJS16MnluCRIHPFp2xiDSsNpRd9eS9aQwJbVMdtxr6qJw60fNTqdiq1JRhYvzgSQzJgd1qd6g4yh9Qm2NSHLf7nkV5GpoasWGjiv9rRKPueLVnS05oewM7e-IaETrClojCGNTOQ3ulOftSTFeUUbd1VKyeGd8ISq8w5dGLba1BcZ4j5a7sk1oUypyTlG72KLefn6MUqoaL2TcNAmta4YR5UybeIY4_O8hLZH6OuyFLOt81QRO9knzqBUExaR9vyDzFQ9S6xkQhLiOrlh9MXNJt3VYcdrGZpm9pTUA2aEevDP6hxG7Ffxj-Ath_Zes5sMWJmUS43XbTYL3bLxSsABYJaIqd_xCNVhZlbnn7tQ5ixhcbdIwYh5RgTCbPcUD3KnM8Dd-uxnt0KKzYHQkMjt4YgYCEEn3pdnGSoQorn9i_PN5gouzPa8jv1G2rAQ85Br1mO7krRJhUw7clDbW1YByshVQc6v7Rcw1vRjR0kmx_hSWcdnpAWuhpxMpt2sFPFaye-wl58GALxbeAPMUtTyFSpO5AXpR1qLlXMteW9V0jD2MysWxp6fmCy6zWBykaoh87Ye8ZjFW49kpaSaPdn2DAPLxuhAh9cYmkvQ0xOwteg4fQdhS-0mWWKAtgLTNS385dE9-d05p2Em2wEThS_zYdsP04n6V3tloDw0uJScWxh4yqbC0VSTzbzjT41WrRNEvzzSQtyUB7eEzy9nP6HnTP1d7TFwOjJcLmGzL0iFFrsJeWfLvTEwvL362OCWKPFwucsuHCCYbZnLnHdWY0JBIAAqtU74of1Y1hh5QD4e3GvDgOmsxNa3zAkBwa0Z1WJPf135jh8phB2CXFzCBk-zXXZfyD1DnKG7Wh46Jet4g0NCnaVGh7r2i-9nTAnG00LmBllGXnaMzr4fK_SWzwPMWqk_rBUKs5kwgJm6w
https://google.com/
https://www.google.com/
|
6
172.217.26.132
172.217.31.238
173.192.101.21
173.192.101.24
188.225.75.54
8.209.245.234
|
4
ET INFO Observed DNS Query to .work TLD
ET INFO HTTP Request to Suspicious *.work Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Generic 302 Redirect to Google
|
|
3.2 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1703 |
2020-09-11 10:56
|
poward.php.exe b2337d287b503d8acf9cd7aefd54da5a |
|
|
|
|
0.8 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1704 |
2020-09-11 15:46
|
http://jizhonghua.com/ 5966fba3149a696609051604712b3816
Code Injection Creates executable files unpack itself Windows utilities malicious URLs Tofsee Windows DNS |
38
http://p277439.infopicked.com/adServe/domainClick?ai=8eMCpQlSsekmWbYiN0NBBzMfLeiJuihSNtFGgzKXZQOwzUj8CXdBg9XuZGHwNDnSCKDRxlSFy7FLueFlntN-D1xPg1o-Xk5odRePfirJtYMCozyvMhv4-LlU-hBqlV3wbM7TR-A6o2LnrG8E1DfQ9Q6HRvyXwtB8WKd9ALxRfmAtGDmB6E48Uglt7BALO2dZ6Mhp9GRTObjHX6-J19tL05c9r3PL9gX2sn_nvDF4GQ4t5zaXx1yBEEYhqc56eO97qUzaeYhSjwo4wze4caGpDvAdDxfNZOFVxWfBO_Pgkf9Lj9hxf0SJk0tVfUbfcXAU2dgRsl_cISdhzavJEfo6eseVq4GY9uFdESEy041wghMrAgV2R4ubIyh-8XWjYI5uvZ0tvrAyc11VkHRUwGVzse4_hxqmBidZ3QDOn6PxAaE&ui=Ilxxar-4JDjHYSZnQRV0rY-50-QI18VbLWXp3on882KiNKxwAofaTFFP6Xclv_YdUGaWpgfx9b425YqUR9Ck2sIy58B5IdscmKdjmrMs3Amw-wUj0UXAm_rrKhdWBnAaOGhDH7iZ_NA&si=1&oref=d3c2837da0e02e3a4a67f0afabcb8712&rb=J2LBa6WjUeY&rr=1&isco=t
http://clkfeed.com/adServe/feed?pid=277439&cid=294967874220200911144125&ip=175.208.134.150&q=jizhonghua.com&ref=http%3A%2F%2Fclick.com.cn&num=1&ua=Mozilla%2F4.0+%28compatible%3B+MSIE+8.0%3B+Windows+NT+6.1%3B+Trident%2F4.0%3B+SLCC2%3B+.NET+CLR+2.0.50727%3B+.NET+CLR+3.5.30729%3B+.NET+CLR+3.0.30729%3B+Media+Center+PC+6.0%3B+InfoPath.2%3B+.NET4.0C%3B+.NET4.0E%29&ar=sr&format=jsonp&callback=jCallBack
http://infopicked.com/aS/feedclick?s=Ilxxar-4JDjHYSZnQRV0rUoLXZk8gkPQx5FCAi3WVV3I6j6WA_S05vkTG2YMRQikrtKGeLDN2bDp6O7CY8H5ouesbwTUN9D1Q57WzBF2czkWE365F5gTS3p_DRrQ0jsCiUnMKG1xv31r6HPqc5_T5XfmENYXbWzNNl6RGTsBSkmXlMFIbkj4h8aP0N0xFih6RMJaghgFO-fYiVZbg3g_tzJvkUClWGz0ENjuu7QzUsUl1BQU3BX0v099TsCiSWeeyTnvlHDIIbm3FH7cuB0ZlXYmdOrmH5Dp8Zrge_i5fFw9SAp1cdSLP-oj-HsUnhSzW9SSNU-oCJEk7-tFA2kJXc0qY9xeJzIdVMrynipz3hAKkCiv8Ww0dWeh1tupCjZL66KOCDZBVG0pNUdaJo8Vc5hI7WCHjQWpFGUFClm5VIEW69oOQVbmIE94el943rXl9lDr_KGxuH8uK6TIkJ2d-U765EK_g1BzY5IwQfr1cg26ZYIa2i7lDntzQ63ETCwYTtkmpJLxcJ3AbAHEML8ResISecZGCDLOWRopVUjg18umG9Xgtyg9oWRV2iYh3gAmQa3i54wNYAb-DScVgVFATmf0gK6DZvOUhBfsNtpIEqg6qpGCO2u35rHTeC9xy5AHhuPXZARi-4udjFBVwC6keEVMZY8gLnPYz9lVIEfnyrkoxjcaJBJS16MnluCRIHPFp2xiDSsNpRd9eS9aQwJbVCx3AoKwmC8_fqYWXfQd04vA4MhFTZ3sq9mO09i9x6mJh4wG_iFebbxS532hviZRTbbgPp4mpypnNQNOZbxwW92liJCPllP-LdKpu1sJ-RLrSh_V-qFvdoSoPqb1SCCHa_gARoSRPCWc7R75KNwzYMm90-J_2ptxWnPmSO9DmdhGhv3n4DT_qVhwNo6GeDkMVQWOgIVMR_x4CKLaBPqNO0dQAYjesUJkyxcpkts0s5B-4fEd43ekEDgVlFdz_qhtAEYeEaMk87sZRGhk1FqmsHCpMYvhxvmQ0Dw2PGj0-dm6Lixz-smsmwVHQJpsyxV7mxsxoia2e8eCCGOjZw13dqnfDJyd6ykzK9468724rthkRa8Vv1y9IfWiW8yKyuTfRAx5x0mJqKD7Zey9f5p93aJcWAkKEK2bG_Og1ni2Qa-pBhHozS8BWG1leTdAGItm-tSnBodL8cZv5e_8hS45gi79muVAWtqrxGXr8H3YpYarbaE5HD1-s1FdaJtIx_CNvl9cwxB1taNEKPMaR4Mopx-f4kFFz2TmfrWkub3GAMKr3ncOQQVx8I0qjyI7UmiJb3K1ljmqCoaHDpa-p8iD3q-mW_HsSxEriqGlB4j1F-h2GiBxtfaYRl8WLhgvuigzZd9w7tAVLcS8HvwaNLH4Is3Ukn7AoaHZskha_ve_eM9dcSaJlwjrBZBcfx0th3Q4kfKnIW_0erMqJD400Vzgfaw2XiEazOcsvmZ0i1y4n2oNXnWo5OCnb2WwCMoixrppYjMfLeiJuihSvw49BJB-TH_mh6y2RNxf5w
http://jizhonghua.com/
https://log.videocampaign.co/Watch/V5/?campaign_id=SAFeU5c67W_T15&pubfeed=422386313&cc=KR&baej=1
https://log.videocampaign.co/Watch/Pixel/?campaign_id=SAFeU5c67W_T15&pubfeed=422386313&subid=&lv=4
https://log.videocampaign.co/Continue/?lv=4&rdtp=0&elog=0&bnvref=1&baat=0&cid=SAFeU5c67W_T15&pubfeed=422386313&subid=&jsl=1&btp=IE&ifr=0&plm=1&usm=0&nvm=1&ibv=0&pltf=Win32&sid=P_e8cf77b9-8cfe-4128-a508-b4b50cba58fe_1599806487&cc=KR&baej=1&atmp=1&v=3
https://log.videocampaign.co/Log/?log_V4=1
https://log.videocampaign.co/ContinueV/?vid=yyQZOVcDwjs&jid=4354733&cc=KR
https://youtu.be/yyQZOVcDwjs
https://www.youtube.com/watch?v=yyQZOVcDwjs&feature=youtu.be
https://www.youtube.com/s/desktop/34930df8/cssbin/www-main-desktop-player-skeleton.css
https://www.youtube.com/error_204?client.name=1&client.version=2.20200910.05.00&level=ERROR&t=jserror&msg=%EC%86%8D%EC%84%B1%20%EC%84%A4%EB%AA%85%EC%9E%90%EC%9D%98%20'enumerable'%20%ED%8A%B9%EC%84%B1%EC%9D%80%20%EC%9D%B4%20%EA%B0%9C%EC%B2%B4%EC%97%90%20%EB%8C%80%ED%95%B4%20'true'%EB%A1%9C%20%EC%84%A4%EC%A0%95%ED%95%A0%20%EC%88%98%20%EC%97%86%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DyyQZOVcDwjs%26feature%3Dyoutu.be&line=15
https://www.youtube.com/s/player/8c24a503/player_ias.vflset/ko_KR/base.js
https://www.youtube.com/s/desktop/34930df8/jsbin/scheduler.vflset/scheduler.js
https://www.youtube.com/s/desktop/34930df8/cssbin/www-main-desktop-watch-page-skeleton.css
https://www.youtube.com/s/player/8c24a503/www-player.css
https://i.ytimg.com/generate_204
https://www.youtube.com/error_204?client.name=1&client.version=2.20200910.05.00&level=ERROR&t=jserror&msg=%EA%B0%9C%EC%B2%B4%EB%8A%94%20%EC%9D%B4%20%EA%B8%B0%EB%8A%A5%EC%9D%84%20%EC%A7%80%EC%9B%90%ED%95%98%EC%A7%80%20%EC%95%8A%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DyyQZOVcDwjs%26feature%3Dyoutu.be&line=12
https://fonts.googleapis.com/css?family=YT%20Sans%3A300%2C500%2C700
https://www.youtube.com/error_204?client.name=1&client.version=2.20200910.05.00&level=ERROR&t=jserror&msg=%EA%B0%9C%EC%B2%B4%EA%B0%80%20%EC%9D%B4%20%EC%86%8D%EC%84%B1%20%EB%98%90%EB%8A%94%20%EB%A9%94%EC%84%9C%EB%93%9C%EB%A5%BC%20%EC%A7%80%EC%9B%90%ED%95%98%EC%A7%80%20%EC%95%8A%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fplayer%2F8c24a503%2Fplayer_ias.vflset%2Fko_KR%2Fbase.js&line=5141
https://www.youtube.com/s/desktop/34930df8/jsbin/spf.vflset/spf.js
https://www.youtube.com/s/desktop/34930df8/jsbin/network.vflset/network.js
https://www.youtube.com/s/desktop/34930df8/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js
https://www.youtube.com/s/desktop/34930df8/jsbin/webcomponents-lite-noPatch.vflset/webcomponents-lite-noPatch.js
https://www.youtube.com/s/desktop/34930df8/jsbin/fetch-polyfill.vflset/fetch-polyfill.js
https://r8---sn-3u-bh2ll.googlevideo.com/generate_204
https://r8---sn-3u-bh2ll.googlevideo.com/generate_204?conn2
https://www.youtube.com/s/desktop/34930df8/jsbin/www-i18n-constants-ko_KR.vflset/www-i18n-constants.js
https://www.youtube.com/error_204?client.name=1&client.version=2.20200910.05.00&level=ERROR&t=jserror&msg='%3A'%EA%B0%80%20%ED%95%84%EC%9A%94%ED%95%A9%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F34930df8%2Fjsbin%2Fweb-animations-next-lite.min.vflset%2Fweb-animations-next-lite.min.js&line=35
https://www.youtube.com/error_204?client.name=1&client.version=2.20200910.05.00&level=ERROR&t=jserror&msg=%EC%8B%9D%EB%B3%84%EC%9E%90%EA%B0%80%20%ED%95%84%EC%9A%94%ED%95%A9%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F34930df8%2Fjsbin%2Fwebcomponents-lite-noPatch.vflset%2Fwebcomponents-lite-noPatch.js&line=30
https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc8.eot
https://fonts.gstatic.com/s/roboto/v18/KFOjCnqEu92Fr1Mu51S7ACc6CsA.eot
https://fonts.gstatic.com/s/ytsans/v10/46kqlb3ta3zqoJU2dePmb0Jg1g.eot
https://fonts.gstatic.com/s/roboto/v18/KFOkCnqEu92Fr1Mu51xIIzY.eot
https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26feature%3Dpassive%26hl%3Dko%26next%3D%252Fsignin_passive&hl=ko&passive=true&service=youtube&uilel=3
https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxO.eot
https://www.youtube.com/opensearch?locale=ko_KR
|
11
138.128.241.162
172.217.161.138
172.217.161.142
172.217.161.163
172.217.174.206
172.217.26.141
173.192.101.21
173.192.101.24
216.58.200.86
59.18.45.83
8.209.245.234
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1705 |
2020-09-11 18:06
|
vbc.exe 05ebf344864ad1538637f6b95ba778f4
VirusTotal Malware RWX flags setting unpack itself malicious URLs Tofsee Interception DNS crashed |
|
2
162.159.130.233
23.212.13.232
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
35 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1706 |
2020-09-12 08:41
|
http://edunara.kr/ 62407ebce6acc76d32bd9289d92e1b9c
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
23
http://edunara.kr/px.js?ch=1
http://edunara.kr/?ga=awb8xz%2BA7ve6F88Cr3MGFN7q3rQQPbgaVbUr6GyMraaba9KJIo4dB4hvMl%2FfsJK8UH7OMVw9iT%2FUmcVJklRDVpBwWFCQdoFgEIWYMhIu7jNKBkawLh7uoY7xDJVlHGGO%2FRqmnGZaeVqn09KhDtm3Jq6mJ3hMtQdc19IdRn%2BDijs%3D&gerf=WLj5kOi7iirrE%2B%2BrvjP8w0ooZivZ8%2FpdBMyZJ8Vbeqo%3D&guro=tF8zehb1tSBa8XZN1Qqcx7nHMxicTt0JerFMRvXnnenlbfZRLdKBYZ0CvypSkf4j&
http://ww1.trhzc.com/adclk?&gm=bsI07IWUyIV2Ka8dw8djZ37PFPKcW2cndtJMXyW4%2FIckIeHV6ge6sksRiyp33bpu0lT1e70hwccmwmCg31VuvAbIqVRpbWCDIDStDeJr3Eu%2FH7XDQizXjup0umIOqhkXYZPYTGtCkNDeYXEhiHmlat%2BTRDqhzEVutnsSgqyzJNOlUIj0suxEGdC7FlSPx3OXhh0jtJUxWkKG9hhQthA9kxy98lrDXyVynOhGmYBo56%2FVt%2BjlvaK3jGyqihLnJlCP5vtm9c4pVM7W1rwwr7ctiNacICO5q9iOzKacj9%2Fecm1jUeauZzaztU%2BFFkCIUu982bxvfCKArzf15qI%2FrfQ%2BNc%2FXOCMvHyr2Uyp3rCq6OGspp2ju2ghpJG8vxb%2FAsJzOHQ74LYSB1MLzxgUE%2BYLWSvvpGzUaIH3Y7CY%2FuLJv3uq507ErqViMrlnH2GTpXlMclJCw3%2BXMYqN4Nb%2BORezvwQ5clqIQQkeScaLnEfN4xQi%2BjbUQJhBQPGVbUkucT6Wp7s9QGWaLQ1IVGeAGxHLWIEaGi6Gi%2B4HLomel4ST4HJksaXUqnw1JHfdbeZHfkZT1yQR1GX646lBj1fgRjXbD4dwxSx2tsVq2Mp8juePOYfmr1CU5s0yuEZG3kiCgBtWfsMPVfaaa%2BFg4ghFVI4QmfOh3Jxfd8JEewQ%2BEfGBHDvqDUy9L0gos48t7ANuN3%2Bbl%2BTSUST3kyWH7U%2BleqQJsIhFbrVR48pAbvft9ezMUEEPykJqqjLxT6YKluVb2m2%2FKwnFEZSC2YTyNmXRGnDiAsNmBhKy4t32w2Ofr2OM43ycwGtYfso3zCwWGHI%2FKdxPBOcRekGO0%2BZgNp5YxUmMWEEi%2BxDkWABAggNljFdsp%2B0xQJGYYNl1GdhVi9552%2FwQk2tZYeaR9iYZZ32I%2ButtpjomKSNRVCZJkZlZ%2FSvKp5QXs3NBQu%2FlJc4GAxKgpBx%2B7c2Ptz9a5q8h%2BY1EP8qP80muy8uD%2Fo7XJPZNDedWMfHfJDPpDlpmyOqTO4Z%2BNzgWzfGg3Prhb8yClCgP9l5YK9jZ9z7AhPNzuwvTJFfF0bfmHrSdiACIxqCIZYidHYzNRkfGFOXU7CerG%2FDHb14%2FQOw6CYjPWQUM8z3caLztJUyXUq5flK0gu%2FTNGZPYMDAkLThMCP8IbsvFcXRVqKq5pvKEpqhR0z17ZogKP%2FFKisvTStQDI%2B3P82bsk4Bw6VwseUInvrPKF1sk9t%2FRDcrMZ9%2BW3af6Ni5%2FAS%2FzSBCNVyoACn34xj2au%2F90pY0rwJWoCdqzxlgq319sI7729MaA65txB6FC%2BgYtlLThX%2Bcm%2F3FZBOO9D2UvJvocm0N2JIJkQfF%2Bi3RC%2B%2BluSmv6ZDImmirIppaWNKiUmp0yoOXtpRE4j%2BS8ZzBh4P5h2rWUTTmTG8zrII6snCqPLr9qjqFmecop2uVPk%2BB8mYi2GJM33akYiinc8WlnNpD1aiUXZlI5wGwsFZlO7sbzAk1zv8IWcUw%3D%3D&gc=11213474130636542908481&gi=0aXMkitdz%2FVvSWCmw%2Bh9FHIDpzPd1CG0laEBwdwnTl12%2BlSyWivTLA0AYZUggrSGJovBNr9p%2BTCIFr5b8VRK0u2dMjbAcp5XLoRjZBYL3fI%2F8d%2Ffeuo4oBdYWlCf5TLatMvR5xScSTNjnxCKzs78mxf84yU0nqlgOgStpjs7Qcu9f60yln%2F4TacJzc4b76WdtbwdWNHbHn6xh1p4V2yQgyDjC%2FUXuLW8SK1CdH%2Bmm2MnK7GwOabCNXqINfPkKztCIvXhusH8JfPWoTFelCZaeWOKEwNY0WWNp0huPx%2B1vBcyRHYBN4VSV80ja%2BeRgmV%2FSzP8g6jK99WoUdc5UZ7IXCLqI9bbTALHUgkcN6HCwdWRMRjGQQs%2Fj3BG%2BFZ7n7Ab9mOtbcIYeHITpFHtELUQS1RKiYDbtGNjVPjROVCdOaoty2mEQCcVvNlbn4YSQZ6Zp6QVpX2bTJy%2B0B%2FSPbBLfXSDXgMW03t5uL5guyAEdEmTGJesQUksoXPobChYTfowEd2Pc%2BYww2z%2BfMWKt4UXS9XyLQNRD%2FCOiG1L6vcgng2v%2FHyka9v%2FlfDDSrgybiE7&kgp=0&jccheck=1&jccheck=1
http://usd.caralla-ver.com/zcvisitor/c9deb705-f487-11ea-a476-120e0984743d?campaignid=082dbb60-c1ce-11ea-88e6-0a06ea97c507
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
http://b.rmgserving.com/rmgjsc/zcFilters.js?1
http://edunara.kr/px.js?ch=2
http://usd.caralla-ver.com/zcredirect?visitid=c9deb705-f487-11ea-a476-120e0984743d&type=js&browserWidth=1365&browserHeight=899&iframeDetected=false
http:///aS/feedclick?s=Ilxxar-4JDjHYSZnQRV0rUoLXZk8gkPQzJIFgMMJ7HGt3Q5wgRfquSe2OJdlX63PY_iD5bFykKi_84eTTfdYjvJhYB0lhN02w7bvw4bnd-XLCFIhen9oD9fl2ChBfAdzhQ0O0I9iZDweaVYoZmXEVYsDcmf9w760mHrvRQw28YDKSryssGQIWINIZuR0mzAZszK6E-LTBjMaErBWzlaW_MO8KmEjE3lCpNiSF15W_V7SUHgp2EbYUXv-BEgjbgjmkJv6Zqf22z24Nl70bRlTg9pYsL10OFCvIGFtwg0rXatySHfdF8Ma1uKkllkvm5AtBpmOml8fwMigngA9SL4TWj_LFKaQfdCIVYx2X8on_ZxYsVcZjpavJHkTi8lKZLSFZ3WnptWoEGfiYqdNQvLa1zYaJ_flDSUFZ8QWW7j6bn4-5zQAw_SMiBNyfJB76_soJBDnmy9KcrrzzNEUvxSkbKvOg46Va3f-_vFRJKq_srdbO70pAEgFy5tkmHo4aOOFl64NHR90YXLP6ik4j51C2CskUOQmg6TVg2Z7HmlPtZID-RtqD0DhJ2e8sxfilBLImZvlPsE8nObaUjqEiMDP7Mzo-iaQO9BUUYs87cSM6RfhHbGNGYChBs90fQ0LqcIwXCMRZlJi9gThm7g3FAcnetEHCCIE4pVjsIS5wOuL0xsUM1IP2kU-pvwRpXua_bU8-SNCwjFAvHg4QqBuvwihZInw4M-_rfhH_NoOs6KMZpxBdlpHwHwDjwRvNNXzh5JgmO0bfxTGXfX5I0LCMUC8eHoavf051Q4ODfhK9r4vWBr1DlBNI13BMQWdyZ4eTTIM0dvovJRNREzTrAProoQ5FyNi7QSB_c0dnqMgvMfNlSPZEKuFuMF-oID85zlRYY7saHxzwupDhsDCEP5V8JezGTjHVpE8R1nhB6PnMyDwljuxj0PwWlfnFVOP9ISHF0wYsAjKIsa6aWI8HAfv9d74HWIGglLC1obQTlG3YiOI3nfP7pBp4EP_YzSRcozgNlZs_D1fdtlVx5npDrNpO7UVd63dDnCBF-q5tkgEH90WUE65HBHAGI8aS8n2OHleMoJ61fx25-Gqo1lchtxrvhNiPZqZwZ7Q4zkYDu0MNRbfmqZlkkLEB146pQ
http://edunara.kr/
https://www.lovefiestaonline.club/?pazer&source=ochre-snail
https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js
https://assets.landingpages.gamigo.com/assets/fiesta/vid_fiestagf/css/reg.min.css
https://assets.landingpages.gamigo.com/assets/fiesta/vid_fiestagf/css/style.animated.css
https://assets.landingpages.gamigo.com/RegAPI/validation/jquery.validationEngine-en-c.min.js
https://assets.landingpages.gamigo.com/RegAPI/emailonly1.1.4.2.min.js?t=1535120453
https://assets.landingpages.gamigo.com/legal/meWantCookies1.8.js
https://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js
https://fonts.googleapis.com/css?family=Cinzel+Decorative:900%7CCinzel:900%7CLato:400,700&subset=latin
https://fonts.gstatic.com/s/cinzeldecorative/v9/daaHSScvJGqLYhG8nNt8KPPswUAPniZQa9lESTc.woff
https://fonts.gstatic.com/s/lato/v16/S6u9w4BMUTPHh6UVSwiPHw.woff
https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
https://fonts.gstatic.com/s/cinzel/v10/8vIU7ww63mVu7gtR-kwKxNvkNOjw-n_gfY3lCw.woff
|
11
117.18.232.200
141.8.224.25
172.217.24.202
172.217.24.42
172.67.216.63
173.192.101.24
182.162.106.16
208.73.211.177
216.58.197.99
54.225.132.253
69.16.175.10
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
SURICATA HTTP unable to match response to request
|
|
4.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1707 |
2020-09-12 08:48
|
newkon.exe bdf4d66a3488a185a2a2b5d9ff81e2b9
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
https://pastebin.com/raw/WjKr6ZD3
https://pastebin.com/raw/pd6dEQRh
|
2
104.23.98.190
54.225.66.103
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
21 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1708 |
2020-09-12 08:53
|
winlog.exe f9fc2f65baf1f6048cf18f04720fb5a9
VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed |
|
|
|
|
3.8 |
|
13 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1709 |
2020-09-12 08:53
|
invoice_241234.doc 0f12dbebb691cf51c4252d6399c00005
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed |
2
http://wsdychinese2onlyywalkaloneinlifev26mba.duckdns.org/chnsfrnd2/winlog.exe
http://joovy.ga/choolee/gate.php
http://joovy.ga/choolee/gate.php
|
2
103.140.251.164
80.249.144.226
|
15
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET INFO DNS Query for Suspicious .ga Domain
|
|
5.6 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1710 |
2020-09-12 08:54
|
invoice_241565.doc 83628b9dba41ccd7dc08cc4a6d989bca
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://remzclot.ga/etc/main/l09/ap0s/home.php
http://remzclot.ga/etc/main/l09/ap0s/home.php
http://coltec.ga/~zadmin/temp/0ap.exe
|
1
|
12
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
|
|
4.8 |
M |
23 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|