1756 | 2020-09-17 14:29 | k.exe 03ee1b3842ed89d04387ab0bca377f93 VirusTotal Malware PDB | 1.4 | | 43 | admin

1757 | 2020-09-17 14:30 | MicrosoftAgentService.exe 15922e839af98488c51f2bf6d42f8535 VirusTotal Malware PDB Check memory Checks debugger unpack itself | 1.8 | | 24 | admin

1758 | 2020-09-17 14:37 | Windows Desktop Service.exe 8493fad5457907ede406c7a4c3a062ca VirusTotal Malware | 1.8 | | 46 | admin

1759 | 2020-09-17 14:38 | MicrosoftAgentService.exe 15922e839af98488c51f2bf6d42f8535 PDB | 0.2 | | 24 | admin

1760 | 2020-09-17 14:39 | WindowsHostService.exe d5ebc9c528e0b12e46f6f86b35f20d2f PDB Check memory Checks debugger unpack itself | 1.0 | | 39 | admin

1761 | 2020-09-17 18:38 | Attachments-3370623.doc 80ed1babd3eb82afe06707e642356179 Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS | 6.8 | | 20 | admin
URLs (2): http://38.88.126.202:8080/MticMlegzsdrKOIyKAc/XxGbS/MGxeY2p6BFneM0U3/V6Rf7nWA5zS/jVyW6zlg/tcoNq0jCI/; http://localesfavoritos.com/wp-admin/c/
IPs (5): 174.113.69.136; 217.61.130.34; 38.88.126.202; 51.38.124.206; 82.196.15.205
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP

1762 | 2020-09-17 18:38 | invoice_233131.doc a91fa70c30ad0a8f44690103b7eae994 LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader | 4.8 | | 24 | admin
URLs (2): http://babaseoa.com/cartel/five/fre.php; http://babaseoa.com/cartel/five/fre.php; http://tsdyshgshgnationalobjindustrialat21mpq.duckdns.org/shengdoc/vbc.exe
IPs (2): 103.141.138.130; 185.209.1.124
Alerts (12): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET POLICY PE EXE or DLL Windows file download HTTP; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET MALWARE LokiBot Fake 404 Response

1763 | 2020-09-17 18:42 | vnCCABpwYPRX4baP.exe ce34c7cdcab98f7079871c93c60f5c52 VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key | 6.6 | | 22 | admin
URLs (1): http://74.219.172.26/63AF/J0jZ8vawc7jMRA/wSFU6dnZEeAgbeD0/
IPs (1)

1764 | 2020-09-18 08:02 | http://blog.penmman.com/wp-con... 6f34b1d69e321a9e7732d2c6f89cb9f5 VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed | 12.6 | | 9 | guest
URLs (3): http://134.209.36.254:8080/nQVwnK5kipQq3M/; http://blog.penmman.com/wp-content/uploads/1ECbn9K/; http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (4): 117.18.232.200; 13.235.119.142; 134.209.36.254; 71.72.196.159
Alerts (4): ET POLICY Terse Named Filename EXE Download - Possibly Hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

1765 | 2020-09-18 09:14 | 19796066164507054740687.doc f8473dc3fcda21407659420512f2f347 Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS | 5.2 | | 20 | admin
URLs (2): http://71.72.196.159/g8HwGzlJGmUJv2vA/ymTfP5sL/lrgXuwwDqDDVfVg0/uIwL5/oT0WeoB6dh7nR4EcS/; http://carolinacanullo.com/js/hllPT/
IPs (3): 203.195.224.199; 204.11.59.195; 71.72.196.159
Alerts (5): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

1766 | 2020-09-18 09:15 | DOC_QSU_090120_CCC_091820.doc f8473dc3fcda21407659420512f2f347 Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows DNS | 4.4 | | 20 | admin
URLs (2): http://carolinacanullo.com/js/hllPT/; http://71.72.196.159/G2bGreKGpkKf4R9vnbE/OXHPKAKL/VdGApd88fdIt/cxdYCgs/gAgKLoXGWvE5CyK7xo/kHRUq/
IPs (3): 203.195.224.199; 204.11.59.195; 71.72.196.159
Alerts (5): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

1767 | 2020-09-18 09:26 | Et9TKtRVeJOssH1zKCDX.exe 789178461b2d4a00b3cc78cab36c6669 Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key | 7.0 | | | admin
URLs (1): http://38.88.126.202:8080/bxWb/J7hS3/J284OPI00GuAjv3e/2l4MNRECeng/iJ0zHnIdXWWSlB0/
IPs (3): 38.88.126.202; 51.38.124.206; 91.105.94.200

1768 | 2020-09-18 09:43 | tel.exe 0b52424adb115b1336d084cf0cfbb73e Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces malicious URLs AntiVM_Disk VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed | 10.2 | M | 51 | admin
URLs (2): http://checkip.dyndns.org/; http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150; https://freegeoip.app/xml/175.208.134.150; https://freegeoip.app/xml/175.208.134.150
IPs (4): 104.28.4.151; 131.186.113.70; 149.154.167.220; 216.146.43.71
Alerts (5): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; ET INFO TLS Handshake Failure

1769 | 2020-09-18 09:43 | testest.exe a16782a5ea9ab3ad0e71e61db261f550 Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key crashed keylogger | 8.8 | M | 48 | admin
IPs (1)
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

1770 | 2020-09-18 10:00 | 22xVW0v.exe 36bc7cd40eb0d9563621bc3afc834dd8 Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key | 7.2 | | | admin
URLs (1): http://5.189.168.53:8080/UoBc0sXE7hvMKlY/XKnKe2SRr9ndMN/Sm9aKk/hmeghhelJOk1mRUqY/8qwsE5c7eF/UqxUkyfaKVrBRTp/
IPs (2): 190.192.39.136; 5.189.168.53