Sandbox analysis listing, 2020-10-21, records 2221 to 2235. Each record gives: id and submission time; sample name (or the submitted URL, truncated in the source) and MD5; the signatures the run triggered; URLs, hosts and IDS (ET/SSLBL) alerts observed during the run, with the counts shown in the source; the score; two trailing cells the source leaves unlabeled; and the submitting user.

2221  2020-10-21 09:24  ref.exe  MD5 b4752ea9a091f525e65c620e11a21e91
  Signatures: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, Cryptographic key, Software crashed
  URLs: none
  Hosts (1): none listed
  IDS alerts: none
  Score: 11.0    Unlabeled cells: M, 26    Submitted by: admin

2222  2020-10-21 09:24  crun20.gif.exe  MD5 920851e8341b9c59d75fe0efd2c06e82
  Signatures: VirusTotal, Malware, unpack itself, malicious URLs, WriteConsoleW, ComputerName
  URLs: none
  Hosts (1): none listed
  IDS alerts: none
  Score: 3.6    Unlabeled cells: M, 33    Submitted by: admin

2223  2020-10-21 09:28  https://globaltechealthy.com/x... (URL submission, truncated in source)  MD5 230c5d72b8bfd4d14b4f9e55d2633345
  Signatures: Dridex, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
  URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
  Hosts (4): globaltechealthy.com (198.54.126.81) - malware; 117.18.232.200 - suspicious; 164.124.101.2; 198.54.126.81 - suspicious
  IDS alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  Score: 4.6    Unlabeled cells: none    Submitted by: admin

2224  2020-10-21 09:31  3415201.png.exe  MD5 07d5fa7649869e710ef336500cd6474a
  Signatures: unpack itself, malicious URLs, WriteConsoleW, ComputerName
  URLs: none
  Hosts (1): none listed
  IDS alerts: none
  Score: 2.6    Unlabeled cells: none    Submitted by: admin

2225  2020-10-21 09:32  CY5nqSSJtbnOQgY2.exe  MD5 6b02115591d461da500c43c531ef061e
  Signatures: VirusTotal, Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, Remote Code Execution, DNS, Cryptographic key
  URLs (1): http://59.148.253.194:8080/fgXUwXU/0Aq2zlnP4OTuAdND/ - malicious
  Hosts (3): 164.124.101.2; 173.68.199.157; 59.148.253.194 - suspicious
  IDS alerts: none
  Score: 7.0    Unlabeled cells: M, 8    Submitted by: admin

2226  2020-10-21 09:38  xADus3db3.exe  MD5 07ba84898b8694b57af73fac693f467e
  Signatures: VirusTotal, Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, Remote Code Execution, DNS, Cryptographic key
  URLs (1): http://75.188.96.231/TuyUqyv5/M31okGeXTuoP4a/HBqeBSTDQdb1uDU/kPvZ/kzvWwAo/ - malicious
  Hosts (2): 164.124.101.2; 75.188.96.231 - suspicious
  IDS alerts: none
  Score: 6.0    Unlabeled cells: M, 8    Submitted by: admin

2227  2020-10-21 09:40  IncomeTax-Payment-Receipt.exe  MD5 b6c7d6070550125b8afc5e885497584a
  Signatures: AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, human activity check, Windows
  URLs: none
  Hosts (1): none listed
  IDS alerts: none
  Score: 9.0    Unlabeled cells: (blank), 42    Submitted by: admin

2228  2020-10-21 09:42  INV_54907087.doc  MD5 7b57c2e543a5c68eb97c2c3814f753e9
  Signatures: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Windows, DNS
  URLs (2): http://75.188.96.231/ofPdu0LE/ - malicious; http://nursefreedomsystem.com/cgi-bin/eYae/ - malware
  Hosts (4): nursefreedomsystem.com (148.72.3.169) - malware; 148.72.3.169 - suspicious; 164.124.101.2; 75.188.96.231 - suspicious
  IDS alerts (4): ET POLICY Terse Named Filename EXE Download - Possibly Hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
  Score: 5.2    Unlabeled cells: M, 21    Submitted by: admin

2229  2020-10-21 09:44  IncomeTax-Payment-Receipt.exe (resubmission of the sample in 2227)  MD5 b6c7d6070550125b8afc5e885497584a
  Signatures: AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, human activity check, Windows
  URLs: none
  Hosts (1): none listed
  IDS alerts: none
  Score: 9.0    Unlabeled cells: (blank), 42    Submitted by: admin

2230  2020-10-21 09:50  560120.jpg.exe  MD5 0ad85c29dbce9562804072147e7edf0f
  Signatures: VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, malicious URLs, Ransomware, Windows, Tor, ComputerName, Cryptographic key, crashed
  URLs: none
  Hosts (1): none listed
  IDS alerts: none
  Score: 13.2    Unlabeled cells: (blank), 20    Submitted by: admin

2231  2020-10-21 09:55  035708552.doc  MD5 9bc89e09c2f9d3532490809a26ff2126
  Signatures: Vulnerability, VirusTotal, Malware, Malicious Traffic, ICMP traffic, unpack itself, malicious URLs, Tofsee, DNS
  URLs (2): http://188.226.165.170:8080/sUMLSLn5QPY86TXZUlU/tt66ph/moPEwTi/74gIsQHK/Nnq4b/MsmOT9UTSVXPf4/ - malicious; https://luofox.com/wp-admin/fpTWdJzQR/ - malicious
  Hosts (7): luofox.com (106.54.225.198) - malicious; 104.131.144.215 - suspicious; 106.54.225.198 - suspicious; 164.124.101.2; 188.226.165.170 - suspicious; 5.2.246.108 - suspicious; 91.121.87.90 - suspicious
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 7.6    Unlabeled cells: M, 22    Submitted by: admin

2232  2020-10-21 10:00  word.pif  MD5 794c1b3f3a58594f247487bcb0690e8f
  Signatures: VirusTotal, Malware, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, IP Check, Windows, ComputerName, DNS, Cryptographic key, DDNS
  URLs (1): none listed
  Hosts (5): waynegriffin.publicvm.com (104.244.74.228); ip-api.com (208.95.112.1); 104.244.74.228; 164.124.101.2; 208.95.112.1
  IDS alerts (1): ET POLICY External IP Lookup ip-api.com
  Score: 12.6    Unlabeled cells: M, 55    Submitted by: admin

2233  2020-10-21 10:37  doument_f.doc  MD5 66ceeaa89b207eceac70097eb38a7a64
  Signatures: LokiBot, Malware download, VirusTotal, Malware, c&c, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed, Downloader
  URLs (2): http://crestmart.ga/main/l09/US/mode.php; http://kregmartlime.ga/main/mode/vbc.exe; http://crestmart.ga/main/l09/US/mode.php
  Hosts (4): crestmart.ga (46.173.218.219); kregmartlime.ga (46.173.218.219); 164.124.101.2; 46.173.218.219
  IDS alerts (11): ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET POLICY PE EXE or DLL Windows file download HTTP
  Score: 5.0    Unlabeled cells: (blank), 26    Submitted by: admin

2234  2020-10-21 10:37  https://itravel.co.tz/Img/docu... (URL submission, truncated in source)  MD5 28fbc92abd52bd871cfa322673390621
  Signatures: Dridex, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
  URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
  Hosts (4): itravel.co.tz (160.153.133.172); 117.18.232.200 - suspicious; 160.153.133.172; 164.124.101.2
  IDS alerts (3): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  Score: 4.6    Unlabeled cells: none    Submitted by: admin

2235  2020-10-21 10:38  https://itravel.co.tz/Img/VKO.... (URL submission, truncated in source)  MD5 09cebe17b568ad619a95aa0d868db2b9
  Signatures: Dridex, Malware, Code Injection, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows
  URLs: none
  Hosts (3): itravel.co.tz (160.153.133.172); 160.153.133.172; 164.124.101.2
  IDS alerts (3): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  Score: 2.2    Unlabeled cells: none    Submitted by: admin
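Turning a listing like the one above into a usable IOC set takes more than copying the host column: the same resolver address (164.124.101.2) is contacted in every run, so it is the sandbox's own infrastructure rather than a sample indicator, and the IE9CompatViewList.xml fetch in the Dridex URL submissions is Internet Explorer's compatibility-view list download, not the malware's traffic. The script below is an added example and not the sandbox's code; it works on a subset of the records above hand-copied into Python dictionaries (a constructed input), derives shared infrastructure by frequency across records, applies a small allowlist that is an assumption of this example (ie9cvlist.ie.microsoft.com, ip-api.com), and emits a defanged list of hashes, URLs, domains and IPs.

```python
"""Extract actionable IOCs from sandbox records (added example, not the sandbox's own code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: rows 2223, 2228, 2232 and 2233 of the listing above, hand-copied.
RECORDS = [
    {"id": 2223, "md5": "230c5d72b8bfd4d14b4f9e55d2633345",
     "urls": ["http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml"],
     "hosts": ["globaltechealthy.com(198.54.126.81) - malware", "117.18.232.200 - suspicious",
               "164.124.101.2", "198.54.126.81 - suspicious"]},
    {"id": 2228, "md5": "7b57c2e543a5c68eb97c2c3814f753e9",
     "urls": ["http://75.188.96.231/ofPdu0LE/", "http://nursefreedomsystem.com/cgi-bin/eYae/"],
     "hosts": ["nursefreedomsystem.com(148.72.3.169) - malware", "148.72.3.169 - suspicious",
               "164.124.101.2", "75.188.96.231 - suspicious"]},
    {"id": 2232, "md5": "794c1b3f3a58594f247487bcb0690e8f", "urls": [],
     "hosts": ["waynegriffin.publicvm.com(104.244.74.228)", "ip-api.com(208.95.112.1)",
               "104.244.74.228", "164.124.101.2", "208.95.112.1"]},
    {"id": 2233, "md5": "66ceeaa89b207eceac70097eb38a7a64",
     "urls": ["http://crestmart.ga/main/l09/US/mode.php", "http://kregmartlime.ga/main/mode/vbc.exe"],
     "hosts": ["crestmart.ga(46.173.218.219)", "kregmartlime.ga(46.173.218.219)",
               "164.124.101.2", "46.173.218.219"]},
]

# Assumed allowlist for this example: traffic caused by the analysis environment or by a
# public service the sample merely queries (ip-api.com is an external-IP lookup, a behaviour
# worth recording but not a C2 host). ie9cvlist.ie.microsoft.com is fetched by IE itself.
BENIGN_HOSTS = {"ie9cvlist.ie.microsoft.com", "ip-api.com"}

HOST_RE = re.compile(r"^(?P<name>[^\s(]+)(?:\((?P<ip>[\d.]+)\))?(?:\s+-\s+(?P<verdict>\w+))?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_host(cell):
    """Parse a host cell of the form 'name(ip) - verdict' into (name_or_None, ip, verdict_or_None)."""
    m = HOST_RE.match(cell.strip())
    if not m:
        raise ValueError(f"unparseable host cell: {cell!r}")
    name, ip, verdict = m.group("name"), m.group("ip"), m.group("verdict")
    if ip is None and IPV4_RE.match(name):   # bare IP cell: no hostname
        return None, name, verdict
    return name, ip, verdict


def find_shared_infrastructure(records, threshold=1.0):
    """IPs contacted in at least `threshold` of all records are treated as sandbox infrastructure
    (the resolver, for instance) rather than as indicators of any one sample."""
    seen = Counter()
    for rec in records:
        seen.update({parse_host(h)[1] for h in rec["hosts"]})
    return {ip for ip, n in seen.items() if ip and n >= threshold * len(records)}


def defang(value):
    """Make URLs/domains safe to paste into tickets and chat."""
    return value.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


def extract_iocs(records):
    infra = find_shared_infrastructure(records)
    iocs = {"md5": set(), "url": set(), "domain": set(), "ip": set()}
    for rec in records:
        iocs["md5"].add(rec["md5"])
        parsed = [parse_host(h) for h in rec["hosts"]]
        # IPs that belong to allowlisted names are dropped even when they recur as bare cells.
        benign_ips = {ip for name, ip, _ in parsed if name in BENIGN_HOSTS}
        for url in rec["urls"]:
            host = urlsplit(url).hostname
            if host in BENIGN_HOSTS:
                continue
            iocs["url"].add(url)
            iocs["ip" if IPV4_RE.match(host) else "domain"].add(host)
        for name, ip, _ in parsed:
            if name in BENIGN_HOSTS or ip in infra or ip in benign_ips:
                continue
            if name:
                iocs["domain"].add(name)
            if ip:
                iocs["ip"].add(ip)
    return {kind: sorted(values) for kind, values in iocs.items()}


def report(records):
    """Defanged, one-indicator-per-line text suitable for a blocklist review."""
    lines = []
    for kind, values in extract_iocs(records).items():
        for v in values:
            lines.append(f"{kind}\t{v if kind == 'md5' else defang(v)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RECORDS)))
```

The frequency heuristic is deliberately strict (an address must appear in every record) so that a C2 shared by two samples is not mistaken for infrastructure; on a larger export, lower the threshold and check the result by hand. Addresses the sandbox marks "suspicious" are kept as-is, so CDN or hosting-provider IPs in that column still need vetting before they go into a blocklist.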