2236 | 2020-10-21 10:45
File: Bsa0EU8qz4h.exe | MD5: 5ff52ab6d0ea008d5863ac2ebe443f66
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
URLs (1):
  http://59.148.253.194:8080/RgpXGY1vrrEKcRP/ciDkjur/diWefO1oWfpWLv0/vpusga4zLG/gDRvQLY/pEoR0CpyXrsqh2hh/ - malicious
Hosts (3):
  164.124.101.2
  173.68.199.157 - suspicious
  59.148.253.194 - suspicious
6.6 | M | | admin
2237 | 2020-10-21 11:30
File: vbc.exe | MD5: ed3e155b736c7f072cd1358938e9c046
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
3.8 | M | 18 | admin
2238 | 2020-10-21 11:41
File: doument_f.doc | MD5: 66ceeaa89b207eceac70097eb38a7a64
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (2):
  http://kregmartlime.ga/main/mode/vbc.exe - malware
  http://crestmart.ga/main/l09/US/mode.php - malicious
Hosts (4):
  crestmart.ga(46.173.218.219) - malicious
  kregmartlime.ga(46.173.218.219) - malware
  164.124.101.2
  46.173.218.219 - suspicious
Signatures (11):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
5.0 | M | 26 | admin
2239 | 2020-10-21 13:23
File: vbc.exe | MD5: ed3e155b736c7f072cd1358938e9c046
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
URLs (1): [not listed]
3.8 | M | 18 | admin
2240 | 2020-10-21 13:25
File: document.doc | MD5: cc6c4031b59d182755ae188c7f66ad7e
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed
URLs (2):
  http://asdfghjklzxcvbnmmnbvcxzlkjhgfdsapoiuytre.ydns.eu/chang.exe
  http://magicview.ga/chang/gate.php - malicious
Hosts (5):
  magicview.ga(46.173.218.219) - malicious
  asdfghjklzxcvbnmmnbvcxzlkjhgfdsapoiuytre.ydns.eu(103.133.108.6)
  164.124.101.2
  46.173.218.219 - suspicious
  103.133.108.6 - suspicious
Signatures (11):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
5.0 | M | 24 | admin
2241 | 2020-10-21 13:33
File: tar7ce.exe | MD5: 9d79b08deadcde5b3b913ee75d3fff8d
Tags: VirusTotal Malware Check memory RWX flags setting unpack itself
URLs (1): [not listed]
3.0 | | 21 | admin
2242 | 2020-10-21 13:38
File: f3.exe | MD5: c9917fd15fed108ad9d6ee548dd2e4c1
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName Software
URLs (1):
  http://api.ipify.org/?format=xml
Hosts (5):
  functionalrejh.com(5.63.155.126)
  api.ipify.org(174.129.214.20)
  164.124.101.2
  50.17.193.91
  5.63.155.126
Signatures (1):
  ET POLICY External IP Lookup (ipify .org)
9.0 | | 26 | admin
2243 | 2020-10-21 14:13
File: chang.exe | MD5: eff92670eb22b10ea6e2b458805e5b91
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
URLs (1): [not listed]
3.8 | M | 13 | admin
2244 | 2020-10-21 14:18
File: chang.exe | MD5: eff92670eb22b10ea6e2b458805e5b91
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder crashed
URLs (1): [not listed]
3.0 | M | 13 | admin
2245 | 2020-10-21 14:20
File: vbc.exe | MD5: ed3e155b736c7f072cd1358938e9c046
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
URLs (1): [not listed]
3.8 | M | 18 | admin
2246 | 2020-10-21 14:27
File: document.doc | MD5: cc6c4031b59d182755ae188c7f66ad7e
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed
URLs (2):
  http://asdfghjklzxcvbnmmnbvcxzlkjhgfdsapoiuytre.ydns.eu/chang.exe - malware
  http://magicview.ga/chang/gate.php - malicious
Hosts (5):
  magicview.ga(46.173.218.219) - malicious
  asdfghjklzxcvbnmmnbvcxzlkjhgfdsapoiuytre.ydns.eu(103.133.108.6) - malicious
  164.124.101.2
  46.173.218.219 - suspicious
  103.133.108.6 - suspicious
Signatures (11):
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET INFO DNS Query for Suspicious .ga Domain
  ET POLICY PE EXE or DLL Windows file download HTTP
5.0 | M | 24 | admin
2247 | 2020-10-21 14:51
File: test.html | MD5: b72ffe471af70ddc123de0722008442d
Tags: Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (8):
  https://ssl.pstatic.net/sstatic/search/pc/css/api_atcmp_200709.css
  https://ssl.pstatic.net/tveta/libs/assets/js/pc/main/min/pc.veta.core.min.js
  https://www.naver.com/
  https://pm.pstatic.net/dist/lib/search.jindo.20200326.js?o=www
  https://pm.pstatic.net/dist/js/nmain.ie.4cb9b44e.js?o=www
  https://pm.pstatic.net/dist/css/nmain.20201020.css
  https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
  https://static-whale.pstatic.net/main/img_darkmode@2x.png
Hosts (13):
  www.google.com(216.58.220.132)
  google.com(216.58.220.110)
  static-whale.pstatic.net(101.79.137.172)
  pm.pstatic.net(104.109.240.206)
  ssl.pstatic.net(104.109.240.195)
  www.naver.com(23.46.23.18)
  101.79.137.169
  125.209.222.142 - suspicious
  125.209.254.182
  172.217.25.14 - suspicious
  101.79.137.173
  172.217.161.132
  117.18.232.200 - suspicious
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.6 | | | admin
2248 | 2020-10-21 15:07
File: W4O1NAY.exe | MD5: 1fbffee16a716bc28add2eb40a33c6e0
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
Hosts (2):
  59.148.253.194 - suspicious
  173.68.199.157 - suspicious
6.6 | | | admin
2249 | 2020-10-21 15:19
File: 3cn1KY5.exe | MD5: 38d5017ef64f05d01bb8d9b088f53b76
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
Hosts (3):
  59.148.253.194 - suspicious
  173.68.199.157 - suspicious
  173.212.197.71 - suspicious
6.6 | | | admin
2250 | 2020-10-21 15:52
File: Payment status.doc | MD5: 37460b69ee0ed3d349f47106a4717c63
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
Hosts (3):
  luofox.com(106.54.225.198) - malicious
  106.54.225.198 - suspicious
  5.2.246.108 - suspicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | | 27 | admin