| 1756 |
2020-09-17 14:29
|
k.exe 03ee1b3842ed89d04387ab0bca377f93
VirusTotal Malware PDB |
|
|
|
|
1.4 |
|
43 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1757 |
2020-09-17 14:30
|
MicrosoftAgentService.exe 15922e839af98488c51f2bf6d42f8535
VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1758 |
2020-09-17 14:37
|
Windows Desktop Service.exe 8493fad5457907ede406c7a4c3a062ca
VirusTotal Malware |
|
|
|
|
1.8 |
|
46 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1759 |
2020-09-17 14:38
|
MicrosoftAgentService.exe 15922e839af98488c51f2bf6d42f8535
PDB |
|
|
|
|
0.2 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1760 |
2020-09-17 14:39
|
WindowsHostService.exe d5ebc9c528e0b12e46f6f86b35f20d2f
PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.0 |
|
39 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1761 |
2020-09-17 18:38
|
Attachments-3370623.doc 80ed1babd3eb82afe06707e642356179
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://38.88.126.202:8080/MticMlegzsdrKOIyKAc/XxGbS/MGxeY2p6BFneM0U3/V6Rf7nWA5zS/jVyW6zlg/tcoNq0jCI/
http://localesfavoritos.com/wp-admin/c/
|
5
174.113.69.136
217.61.130.34
38.88.126.202
51.38.124.206
82.196.15.205
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.8 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1762 |
2020-09-17 18:38
|
invoice_233131.doc a91fa70c30ad0a8f44690103b7eae994
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://babaseoa.com/cartel/five/fre.php
http://babaseoa.com/cartel/five/fre.php
http://tsdyshgshgnationalobjindustrialat21mpq.duckdns.org/shengdoc/vbc.exe
|
2
103.141.138.130
185.209.1.124
|
12
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE LokiBot Fake 404 Response
|
|
4.8 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1763 |
2020-09-17 18:42
|
vnCCABpwYPRX4baP.exe ce34c7cdcab98f7079871c93c60f5c52
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://74.219.172.26/63AF/J0jZ8vawc7jMRA/wSFU6dnZEeAgbeD0/
|
1
|
|
|
6.6 |
|
22 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1764 |
2020-09-18 08:02
|
http://blog.penmman.com/wp-con... 6f34b1d69e321a9e7732d2c6f89cb9f5
VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed |
3
http://134.209.36.254:8080/nQVwnK5kipQq3M/
http://blog.penmman.com/wp-content/uploads/1ECbn9K/
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
4
117.18.232.200
13.235.119.142
134.209.36.254
71.72.196.159
|
4
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
12.6 |
|
9 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1765 |
2020-09-18 09:14
|
19796066164507054740687.doc f8473dc3fcda21407659420512f2f347
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://71.72.196.159/g8HwGzlJGmUJv2vA/ymTfP5sL/lrgXuwwDqDDVfVg0/uIwL5/oT0WeoB6dh7nR4EcS/
http://carolinacanullo.com/js/hllPT/
|
3
203.195.224.199
204.11.59.195
71.72.196.159
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.2 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1766 |
2020-09-18 09:15
|
DOC_QSU_090120_CCC_091820.doc f8473dc3fcda21407659420512f2f347
Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows DNS |
2
http://carolinacanullo.com/js/hllPT/
http://71.72.196.159/G2bGreKGpkKf4R9vnbE/OXHPKAKL/VdGApd88fdIt/cxdYCgs/gAgKLoXGWvE5CyK7xo/kHRUq/
|
3
203.195.224.199
204.11.59.195
71.72.196.159
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
4.4 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1767 |
2020-09-18 09:26
|
Et9TKtRVeJOssH1zKCDX.exe 789178461b2d4a00b3cc78cab36c6669
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://38.88.126.202:8080/bxWb/J7hS3/J284OPI00GuAjv3e/2l4MNRECeng/iJ0zHnIdXWWSlB0/
|
3
38.88.126.202
51.38.124.206
91.105.94.200
|
|
|
7.0 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1768 |
2020-09-18 09:43
|
tel.exe 0b52424adb115b1336d084cf0cfbb73e
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces malicious URLs AntiVM_Disk VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://checkip.dyndns.org/
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://freegeoip.app/xml/175.208.134.150
https://freegeoip.app/xml/175.208.134.150
|
4
104.28.4.151
131.186.113.70
149.154.167.220
216.146.43.71
|
5
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO TLS Handshake Failure
|
|
10.2 |
M |
51 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1769 |
2020-09-18 09:43
|
testest.exe a16782a5ea9ab3ad0e71e61db261f550
Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key crashed keylogger |
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
48 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1770 |
2020-09-18 10:00
|
22xVW0v.exe 36bc7cd40eb0d9563621bc3afc834dd8
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://5.189.168.53:8080/UoBc0sXE7hvMKlY/XKnKe2SRr9ndMN/Sm9aKk/hmeghhelJOk1mRUqY/8qwsE5c7eF/UqxUkyfaKVrBRTp/
|
2
190.192.39.136
5.189.168.53
|
|
|
7.2 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|