2281 | 2020-10-22 17:44 | vbc.exe | c996760f664ce16cb93116e4325c8dbe
Tags: PDB Check memory Checks debugger unpack itself malicious URLs Windows Cryptographic key
2.0 | | | admin
2282 | 2020-10-22 17:50 | BAL_JHP_100120_OOI_102220.doc | fc5c2e307bbfe9488674c0e149d39736
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (3):
  http://24.178.90.49/h9KbPK1gLEI/XXlZTim7tH/EzXDn/36caQbGNEEY7ZG/ - mailcious
  http://eubanks7.com/administrator/ubdDbB/ - malware
  http://96.126.101.6:8080/YDl07q2mBXY/901iVTaPm2iAZmfD/ - mailcious
Hosts (4):
  eubanks7.com(69.65.3.162) - mailcious
  24.178.90.49 - suspicious
  96.126.101.6 - suspicious
  69.65.3.162 - suspicious
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
5.2 | M | 28 | admin
2283 | 2020-10-22 18:13 | Chrome.exe | 74222e2523e271c551f8c0e50af1ae19
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Checks debugger buffers extracted exploit crash unpack itself malicious URLs IP Check Tofsee Ransomware Windows Exploit Browser Tor Email Cryptographic key Software crashed keylogger
URLs (2):
  http://crt.comodoca.com/COMODORSAAddTrustCA.crt
  https://api.ipify.org/
Hosts (4):
  api.ipify.org(54.225.169.28)
  crt.comodoca.com(91.199.212.52)
  91.199.212.52
  50.17.193.91
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | M | 20 | admin
2284 | 2020-10-22 19:35 | message.vbs | 06466e239d3389ff30cfeddb71624bed
Tags: Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS keylogger
URLs (1):
  http://185.172.110.201/dkhh/hades.jpg - malware
Hosts (5):
  google.com(172.217.175.78)
  jollymorgan.myq-see.com(198.23.192.204)
  185.172.110.201 - suspicious
  172.217.24.78
  198.23.192.204
Alerts (3):
  ET INFO Observed DNS Query to .myq-see .com DDNS Domain
  ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
  ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
17.0 | M | | admin
2285 | 2020-10-22 19:37 | tl.exe | cad70078636cc2bc01019e66c90c8144
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
3.8 | M | 13 | admin
2286 | 2020-10-22 23:24 | Mssz6xtWX5orm7o1nlYg.exe | ff2ce8b5a2e8f56035f0fd2741e9d45e
Tags: VirusTotal Malware PDB Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
URLs (1):
  http://167.114.153.111:8080/gtG28g/ynMKzV9XZyPmE/O5cAFtAz9y5UkFddW5U/xxPbLWGI0rztF/Faf9AW0b/ - mailcious
Hosts (2):
  208.180.207.205 - suspicious
  167.114.153.111 - suspicious
8.0 | M | 54 | guest
2287 | 2020-10-23 10:34 | 0488939.doc | 3f0d1297b898cc4b868d373bd3b1f38d
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (5):
  http://allcannabismeds.com/unraid-map/xcGN/
  http://stopinfo.vhostgo.com/info3.html?data=jiafunongye.com%2Fapplication%2FNJ3Ta&note=%E7%97%85%E6%AF%92%E9%93%BE%E6%8E%A5%E6%9C%AA%E5%88%A0%E9%99%A4&type=1
  http://amarteargentina.com.ar/wp-admin/GOAvrV/
  http://jiafunongye.com/application/NJ3Ta/
  https://acheterdrogues.com/wp-admin/m/
Hosts (13):
  hcareconcepts.com(51.81.109.122)
  amarteargentina.com.ar(66.97.40.114) - mailcious
  jiafunongye.com(211.149.252.72) - mailcious
  allcannabismeds.com(35.208.69.64) - malware
  acheterdrogues.com(104.18.49.158)
  stopinfo.vhostgo.com(211.149.246.250)
  35.208.69.64 - suspicious
  78.90.78.210
  211.149.246.250
  66.97.40.114 - suspicious
  172.67.186.189
  211.149.252.72 - suspicious
  51.81.109.122
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
6.8 | | 30 | admin
2288 | 2020-10-23 10:35 | photos.exe | 7fe46c0cd8eb73f3d51c17eeda16bdf9
Tags: VirusTotal Malware
1.2 | M | 23 | admin
2289 | 2020-10-23 10:45 | uu1hTTn1h.exe | 10ac7570e15e05eeeda62fcafca1cb9f
Tags: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
URLs (1):
  http://188.226.165.170:8080/DsKr19C9vITeWAXHSZ/ - mailcious
Hosts (2):
  188.226.165.170 - suspicious
  78.90.78.210
7.4 | M | 14 | admin
2290 | 2020-10-23 10:46 | t.exe | c7d0c34935ed91bda9d99688b4cd1fe3
Tags: VirusTotal Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
URLs (1):
  http://96.126.101.6:8080/d8HFt/Wi9QIuN1Noi0x0/ - mailcious
Hosts (2):
  96.126.101.6 - suspicious
  200.116.145.225 - suspicious
Alerts (1):
  ET CNC Feodo Tracker Reported CnC Server group 13
7.4 | M | 14 | admin
2291 | 2020-10-23 10:57 | X_22195069.doc | d61a47be392a0a7af4b6777057503911
Tags: Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (3):
  http://www.chapelknollestates.com/cgi-bin/Xr9RkLq/ - malware
  http://96.126.101.6:8080/eTYkX/5Fl9s5owHWh9BD6sP6/ - mailcious
  https://rallyemas.com/wp-content/x51/
Hosts (8):
  www.chapelknollestates.com(131.153.44.4) - malware
  rallyemas.com(88.99.145.163)
  swiftbusinesspay.com(68.66.248.54) - malware
  96.126.101.6 - suspicious
  88.99.145.163
  200.116.145.225 - suspicious
  131.153.44.4 - suspicious
  68.66.248.54 - suspicious
Alerts (7):
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET CNC Feodo Tracker Reported CnC Server group 13
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
6.2 | M | 21 | admin
2292 | 2020-10-23 11:10 | inf-2020_10_23-EJ505.doc | 1d5be9c83557b664dc292323fc4ec573
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (5):
  http://autodidactai.com/wp-content/5SF/
  http://primaage.com/wp-admin/is/
  http://uvibrands.com/QIG/
  http://177.107.79.214:8080/xnoNI2qo11i3D/3aNkn/XcAA7MF7AWKL4LMEiEf/9NYV9VrLE/Mb8iWJuY/sncmOVN9EXFxv/
  https://cs.vitalero.com/wp-includes/Vf/
Hosts (11):
  cs.vitalero.com(89.221.212.63)
  morrobaydrugandgift.com(46.17.175.19)
  primaage.com(103.8.25.135)
  uvibrands.com(172.67.155.28)
  autodidactai.com(104.31.77.164)
  177.107.79.214
  103.8.25.135 - suspicious
  46.17.175.19 - suspicious
  104.31.77.164
  104.18.48.233
  89.221.212.63
Alerts (3):
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | M | 27 | admin
2293 | 2020-10-23 20:00 | presh.exe | 0a9d84384de463aabdecb558364b7fb8
Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
10.4 | M | 32 | admin
2294 | 2020-10-23 20:02 | uzo.exe | 48520b30c57caafbf360c5e71920b82a
Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
8.8 | M | 9 | admin
2295 | 2020-10-23 20:24 | vbc.exe | fcba8b1c5716461bba1273bfb0c2b825
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed
13.2 | M | 29 | admin