2311 | 2020-10-26 10:47
64.exe | fcbb520e5c66b1f024440e4eea650686 | VirusTotal Malware Buffer PE AutoRuns PDB buffers extracted Creates executable files unpack itself Disables Windows Security suspicious process AppData folder malicious URLs Firewall state off IP Check Windows
URLs (71):
http://okdoekeoehghaoer.ws/4 http://faugzeazdezgzgfr.ws/1 http://api.wipmania.com/ http://feuhdeuhduhuehdr.ws/1 http://feuhdeuhduhuehdr.ws/2 http://feuhdeuhduhuehdr.ws/3 http://feuhdeuhduhuehdr.ws/4 http://feuhdeuhduhuehdr.ws/5 http://seuufhehfueugher.ws/4 http://eafueudzefverrgr.ws/1 http://seuufhehfueugher.ws/1 http://eafueudzefverrgr.ws/3 http://efeuafubeubaefur.ws/4 http://efeuafubeubaefur.ws/3 http://efeuafubeubaefur.ws/2 http://efeuafubeubaefur.ws/1 http://worm.ws/corp/20.txt http://seuufhehfueugher.ws/3 http://eafueudzefverrgr.ws/2 http://worm.ws/sexesss/n.txt http://eafueudzefverrgr.ws/5 http://worm.ws/4 http://worm.ws/5 http://worm.ws/2 http://worm.ws/3 http://worm.ws/1 http://efuheruhdehduhgr.ws/2 http://efuheruhdehduhgr.ws/3 http://icanhazip.com/ http://efuheruhdehduhgr.ws/1 http://efuheruhdehduhgr.ws/4 http://efuheruhdehduhgr.ws/5 http://feauhueudughuurr.ws/4 http://wduufbaueeubffgr.ws/2 http://wduufbaueeubffgr.ws/3 http://wduufbaueeubffgr.ws/1 http://feauhueudughuurr.ws/3 http://wduufbaueeubffgr.ws/4 http://wduufbaueeubffgr.ws/5 http://fheuhdwdzwgzdggr.ws/4 http://fheuhdwdzwgzdggr.ws/5 http://faugzeazdezgzgfr.ws/3 http://faugzeazdezgzgfr.ws/2 http://faugzeazdezgzgfr.ws/5 http://faugzeazdezgzgfr.ws/4 http://worm.ws/corp/n.txt http://fheuhdwdzwgzdggr.ws/1 http://eafueudzefverrgr.ws/4 http://fheuhdwdzwgzdggr.ws/2 http://gaueudbuwdbuguur.ws/2 http://gaueudbuwdbuguur.ws/3 http://gaueudbuwdbuguur.ws/1 http://gaueudbuwdbuguur.ws/4 http://gaueudbuwdbuguur.ws/5 http://deauduafzgezzfgr.ws/1 http://deauduafzgezzfgr.ws/3 http://deauduafzgezzfgr.ws/2 http://deauduafzgezzfgr.ws/5 http://deauduafzgezzfgr.ws/4 http://fheuhdwdzwgzdggr.ws/3 http://okdoekeoehghaoer.ws/5 http://worm.ws/sexesss/129.txt http://okdoekeoehghaoer.ws/3 http://okdoekeoehghaoer.ws/2 http://okdoekeoehghaoer.ws/1 http://feauhueudughuurr.ws/5 http://seuufhehfueugher.ws/2 http://efeuafubeubaefur.ws/5 http://feauhueudughuurr.ws/1 http://seuufhehfueugher.ws/5 http://feauhueudughuurr.ws/2
Hosts (23):
yahoo.com(74.6.231.21) seuufhehfueugher.ws(64.70.19.203) wduufbaueeubffgr.ws(64.70.19.203) feuhdeuhduhuehdr.ws(64.70.19.203) api.wipmania.com(212.83.168.196) gaueudbuwdbuguur.ws(64.70.19.203) fheuhdwdzwgzdggr.ws(64.70.19.203) worm.ws(217.8.117.10) - malware efeuafubeubaefur.ws(64.70.19.203) faugzeazdezgzgfr.ws(64.70.19.203) efuheruhdehduhgr.ws(64.70.19.203) deauduafzgezzfgr.ws(64.70.19.203) okdoekeoehghaoer.ws(64.70.19.203) icanhazip.com(147.75.47.199) mta5.am0.yahoodns.net(67.195.204.79) feauhueudughuurr.ws(64.70.19.203) eafuebdbedbedggr.ws(64.70.19.203) eafueudzefverrgr.ws(64.70.19.203) 136.144.56.255 64.70.19.203 - suspicious 212.83.168.196 217.8.117.10 - suspicious 67.195.228.106
Signatures (3):
ET DROP Spamhaus DROP Listed Traffic Inbound group 38 ET POLICY IP Check Domain (icanhazip. com in HTTP Host) ET POLICY External IP Lookup Attempt To Wipmania
12.8 | M | 54 | admin
2312 | 2020-10-26 10:47
officeorning.exe | 656c7d3ebfbda0f059b3d4d87fe1eb01 | VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key
10.4 | M | 27 | admin
2313 | 2020-10-26 11:00
p.exe | e879df3fc1421ae6fddb927b080a8544 | VirusTotal Malware Buffer PE AutoRuns PDB buffers extracted Creates executable files Disables Windows Security suspicious process AppData folder malicious URLs Firewall state off IP Check Windows
URLs (163):
http://feuhdeuhduhuehdr.ws/2 http://worm.ws/2 http://efuheruhdehduhgu.ws/3 http://efuheruhdehduhgu.ws/2 http://efuheruhdehduhgu.ws/1 http://efeuafubeubaefur.ws/4 http://efeuafubeubaefur.ws/3 http://efeuafubeubaefur.ws/2 http://efeuafubeubaefur.ws/1 http://efuheruhdehduhgu.ws/4 http://efaeduvedvzfufuu.ws/1 http://wdkowdohwodhfhfu.ws/5 http://wdkowdohwodhfhfu.ws/4 http://wdkowdohwodhfhfu.ws/1 http://wdkowdohwodhfhfu.ws/3 http://wdkowdohwodhfhfu.ws/2 http://edhuaudhuedugufr.ws/1 http://edhuaudhuedugufr.ws/2 http://edhuaudhuedugufr.ws/3 http://edhuaudhuedugufr.ws/4 http://edhuaudhuedugufr.ws/5 http://eafuebdbedbedggr.ws/4 http://feuhdeuhduhuehdr.ws/4 http://worm.ws/tldr.php?inf=1 http://feuhdeuhduhuehdr.ws/5 http://deauduafzgezzfgu.ws/5 http://gaueudbuwdbuguur.ws/2 http://gaueudbuwdbuguur.ws/3 http://gaueudbuwdbuguur.ws/1 http://gaueudbuwdbuguur.ws/4 http://gaueudbuwdbuguur.ws/5 http://okdoekeoehghaoer.ws/5 http://okdoekeoehghaoer.ws/4 http://okdoekeoehghaoer.ws/3 http://okdoekeoehghaoer.ws/2 http://okdoekeoehghaoer.ws/1 http://deauduafzgezzfgu.ws/1 http://worm.ws/1 http://worm.ws/corp/118.txt http://worm.ws/sexesss/934.txt http://efaeduvedvzfufur.ws/1 http://efaeduvedvzfufur.ws/2 http://efaeduvedvzfufur.ws/3 http://efaeduvedvzfufur.ws/4 http://efaeduvedvzfufur.ws/5 http://eafueudzefverrgr.ws/1 http://eafueudzefverrgr.ws/3 http://eafueudzefverrgr.ws/2 http://eafueudzefverrgr.ws/5 http://efeuafubeubaefur.ws/5 http://eafuebdbedbedggu.ws/5 http://efuheruhdehduhgr.ws/2 http://efuheruhdehduhgr.ws/3 http://efuheruhdehduhgr.ws/1 http://efuheruhdehduhgu.ws/5 http://efuheruhdehduhgr.ws/4 http://efuheruhdehduhgr.ws/5 http://deauduafzgezzfgu.ws/4 http://wdkowdohwodhfhfr.ws/1 http://wdkowdohwodhfhfr.ws/2 http://wdkowdohwodhfhfr.ws/3 http://wdkowdohwodhfhfr.ws/4 http://wdkowdohwodhfhfr.ws/5 http://deauduafzgezzfgu.ws/2 http://deauduafzgezzfgu.ws/3 http://deauduafzgezzfgr.ws/1 http://deauduafzgezzfgr.ws/3 http://deauduafzgezzfgr.ws/2 http://deauduafzgezzfgr.ws/5 
http://deauduafzgezzfgr.ws/4 http://seuufhehfueugher.ws/3 http://seuufhehfueugher.ws/2 http://seuufhehfueugher.ws/1 http://seuufhehfueugher.ws/5 http://seuufhehfueugher.ws/4 http://feauhueudughuuru.ws/1 http://feauhueudughuuru.ws/2 http://feauhueudughuuru.ws/3 http://feauhueudughuuru.ws/4 http://efeuafubeubaefuu.ws/4 http://worm.ws/5 http://feuhdeuhduhuehdr.ws/1 http://eafuebdbedbedggr.ws/5 http://feuhdeuhduhuehdr.ws/3 http://eafuebdbedbedggr.ws/3 http://eafuebdbedbedggr.ws/2 http://eafuebdbedbedggr.ws/1 http://efeuafubeubaefuu.ws/3 http://eafuebdbedbedggu.ws/4 http://wduufbaueeubffgu.ws/4 http://eafuebdbedbedggu.ws/2 http://eafuebdbedbedggu.ws/3 http://eafuebdbedbedggu.ws/1 http://worm.ws/sexesss/n.txt http://wduufbaueeubffgu.ws/3 http://wduufbaueeubffgu.ws/2 http://wduufbaueeubffgu.ws/1 http://efeuafubeubaefuu.ws/5 http://efeuafubeubaefuu.ws/2 http://worm.ws/3 http://wduufbaueeubffgu.ws/5 http://efeuafubeubaefuu.ws/1 http://eafueudzefverrgu.ws/4 http://eafueudzefverrgu.ws/5 http://icanhazip.com/ http://eafueudzefverrgu.ws/1 http://eafueudzefverrgu.ws/2 http://eafueudzefverrgu.ws/3 http://wduufbaueeubffgr.ws/2 http://wduufbaueeubffgr.ws/3 http://wduufbaueeubffgr.ws/1 http://wduufbaueeubffgr.ws/4 http://wduufbaueeubffgr.ws/5 http://fheuhdwdzwgzdggr.ws/4 http://fheuhdwdzwgzdggr.ws/5 http://fheuhdwdzwgzdggr.ws/1 http://fheuhdwdzwgzdggr.ws/2 http://fheuhdwdzwgzdggr.ws/3 http://faugzeazdezgzgfu.ws/4 http://faugzeazdezgzgfu.ws/5 http://faugzeazdezgzgfu.ws/1 http://faugzeazdezgzgfu.ws/2 http://faugzeazdezgzgfu.ws/3 http://feauhueudughuurr.ws/5 http://feauhueudughuurr.ws/4 http://feauhueudughuurr.ws/1 http://feauhueudughuurr.ws/3 http://feauhueudughuurr.ws/2 http://okdoekeoehghaoeu.ws/4 http://okdoekeoehghaoeu.ws/5 http://okdoekeoehghaoeu.ws/2 http://okdoekeoehghaoeu.ws/3 http://okdoekeoehghaoeu.ws/1 http://api.wipmania.com/ http://seuufhehfueugheu.ws/5 http://eafueudzefverrgr.ws/4 http://feuhdeuhduhuehdu.ws/5 http://feuhdeuhduhuehdu.ws/4 http://feuhdeuhduhuehdu.ws/1 
http://feuhdeuhduhuehdu.ws/3 http://feuhdeuhduhuehdu.ws/2 http://faugzeazdezgzgfr.ws/1 http://faugzeazdezgzgfr.ws/3 http://faugzeazdezgzgfr.ws/2 http://faugzeazdezgzgfr.ws/5 http://faugzeazdezgzgfr.ws/4 http://worm.ws/corp/n.txt http://worm.ws/4 http://gaueudbuwdbuguuu.ws/3 http://gaueudbuwdbuguuu.ws/2 http://gaueudbuwdbuguuu.ws/1 http://gaueudbuwdbuguuu.ws/5 http://gaueudbuwdbuguuu.ws/4 http://seuufhehfueugheu.ws/2 http://seuufhehfueugheu.ws/3 http://seuufhehfueugheu.ws/1 http://seuufhehfueugheu.ws/4 http://feauhueudughuuru.ws/5 http://fheuhdwdzwgzdggu.ws/1 http://fheuhdwdzwgzdggu.ws/3 http://fheuhdwdzwgzdggu.ws/2 http://fheuhdwdzwgzdggu.ws/5 http://fheuhdwdzwgzdggu.ws/4
Hosts (42):
feuhdeuhduhuehdr.ws(64.70.19.203) gaueudbuwdbuguuu.ws(64.70.19.203) gaueudbuwdbuguur.ws(64.70.19.203) eafuebdbedbedggu.ws(64.70.19.203) fheuhdwdzwgzdggr.ws(64.70.19.203) edhuaudhuedugufr.ws(64.70.19.203) fheuhdwdzwgzdggu.ws(64.70.19.203) efuheruhdehduhgr.ws(64.70.19.203) icanhazip.com(136.144.56.255) eafuebdbedbedggr.ws(64.70.19.203) wduufbaueeubffgr.ws(64.70.19.203) wduufbaueeubffgu.ws(64.70.19.203) worm.ws(217.8.117.10) - malware feauhueudughuuru.ws(64.70.19.203) seuufhehfueugheu.ws(64.70.19.203) feuhdeuhduhuehdu.ws(64.70.19.203) efeuafubeubaefuu.ws(64.70.19.203) deauduafzgezzfgr.ws(64.70.19.203) seuufhehfueugher.ws(64.70.19.203) efuheruhdehduhgu.ws(64.70.19.203) faugzeazdezgzgfu.ws(64.70.19.203) efaeduvedvzfufur.ws(64.70.19.203) faugzeazdezgzgfr.ws(64.70.19.203) mta7.am0.yahoodns.net(67.195.228.110) eafueudzefverrgr.ws(64.70.19.203) feauhueudughuurr.ws(64.70.19.203) deauduafzgezzfgu.ws(64.70.19.203) yahoo.com(74.6.143.26) api.wipmania.com(212.83.168.196) wdkowdohwodhfhfu.ws(64.70.19.203) okdoekeoehghaoer.ws(64.70.19.203) efeuafubeubaefur.ws(64.70.19.203) eaffuebudbeudbbr.ws(64.70.19.203) okdoekeoehghaoeu.ws(64.70.19.203) wdkowdohwodhfhfr.ws(64.70.19.203) eafueudzefverrgu.ws(64.70.19.203) efaeduvedvzfufuu.ws(64.70.19.203) 136.144.56.255 64.70.19.203 - suspicious 212.83.168.196 217.8.117.10 - suspicious 67.195.228.111
Signatures (3):
ET DROP Spamhaus DROP Listed Traffic Inbound group 38 ET POLICY External IP Lookup Attempt To Wipmania ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
12.8 | M | 60 | admin
2314 | 2020-10-26 11:42
officeorning.exe | 656c7d3ebfbda0f059b3d4d87fe1eb01 | VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key
URLs (2):
http://www.semedio.com/acq/?Mvdl=NqLlTwXUsj5Kzjnlt237G4f7ej0Sp48euzhCLuvYMzh7siJr7hc7s3fxGk1tQDQ3AGqQVSRa&VPXhs=wBWDJtyPg http://www.devillalembang.com/acq/?Mvdl=s0iazL2unxriaJ/Cm260e8xh7qyEaf+jXZDkCXj1+1FzNPXMZd3/kROTlT1k/5614n0MzMYn&VPXhs=wBWDJtyPg
Hosts (4):
www.semedio.com(96.62.31.227) www.devillalembang.com(159.89.205.63) 96.62.31.227 159.89.205.63
11.2 | M | 27 | admin
2315 | 2020-10-26 13:23
FARA_3VJQAXBD0.doc | d61a47be392a0a7af4b6777057503911 | Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (6):
http://www.chapelknollestates.com/cgi-bin/Xr9RkLq/ - malware http://akdparivar.com/css/J/ - malware http://ffbutik.com/wp-includes/tb/ http://200.116.145.225:443/fCjnth4T60/kJmvtvAcq6/h49QjWAMJg8SLp2/ - malicious https://inspiresint.com/wp-admin/4qNS8hW/ https://rallyemas.com/wp-content/x51/ - malicious
Hosts (15):
www.chapelknollestates.com(131.153.44.4) - malware akdparivar.com(13.234.68.224) - malware ffbutik.com(109.232.217.183) inspiresint.com(172.67.136.156) swiftbusinesspay.com(68.66.248.54) - malware www.sc2gym.com(145.239.84.108) - malware rallyemas.com(88.99.145.163) - malicious 88.99.145.163 - suspicious 13.234.68.224 - suspicious 131.153.44.4 - suspicious 104.27.162.9 200.116.145.225 - suspicious 109.232.217.183 - suspicious 68.66.248.54 - suspicious 145.239.84.108 - suspicious
Signatures (8):
ET CNC Feodo Tracker Reported CnC Server group 13 ET POLICY HTTP traffic on port 443 (POST) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP
6.4 | M | 37 | guest
2316 | 2020-10-26 14:40
vbc.exe | e71652ac1d472828524b5a43962b3348 | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed
10.0 | | 32 | guest
2317 | 2020-10-26 18:53
FJfhy2V8.exe | d2d2e7674d84b1585a53317135e34ea4 | VirusTotal Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1):
http://94.23.62.116:8080/xosojc/
Hosts (2):
94.23.62.116 81.214.253.80 - suspicious
Signatures (1):
ET CNC Feodo Tracker Reported CnC Server group 22
7.4 | | 13 | guest
2318 | 2020-10-26 18:58
DAT 20201026 027.doc | e1f273a4b0fd69772722315d5085d45d | Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (2):
http://inbichngoc.com/wp-admin/S/ http://94.23.62.116:8080/yXAAUMUR9cRwoGWUoxe/hLBP3cOoW/2CNAcOoQj5yhU3IrHC/PdP79d4wroFIpaFqz/fgWv9hljOCV4U/9fROOUoZ/
Hosts (4):
inbichngoc.com(104.18.63.160) 94.23.62.116 104.18.63.160 81.214.253.80 - suspicious
Signatures (4):
ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP ET CNC Feodo Tracker Reported CnC Server group 22
6.4 | | 17 | guest
2319 | 2020-10-26 19:04
C6X.exe | 3ebb229c5f6cd3f52d20579656542e79 | RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1):
http://118.7.227.42:443/iZaEaqmEhFglix3zMxO/aX4Fl5NFJ2kRA/ok02/pvqgXkq2t2/
Hosts (1):
Signatures (1):
ET POLICY HTTP traffic on port 443 (POST)
4.2 | | | guest
2320 | 2020-10-26 19:12
zzf.exe | 729345ea251d77b62ce4651faea91c84 | PDB malicious URLs
1.4 | | | guest
2321 | 2020-10-26 22:12
October Invoice.doc | d02aacd9c1bce2fa523b6a45342a5a74 | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
http://heankan.bio/js/T8oCHm/ - malware http://118.7.227.42:443/bOyrBq1ayfNcOnxFFpx/uF47a/ - malicious
Hosts (5):
heankan.bio(81.68.185.94) - malware madrushdigital.com(148.72.196.10) - malicious 148.72.196.10 - suspicious 118.7.227.42 - suspicious 81.68.185.94 - suspicious
Signatures (5):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY HTTP traffic on port 443 (POST) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP
4.6 | M | 19 | guest
2322 | 2020-10-26 22:23
OSW.exe | 0212c8d940b054a6213a15685124f471 | VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check Windows
URLs (1):
Hosts (2):
api.ipify.org(184.73.247.141) 54.235.98.120
Signatures (1):
ET POLICY External IP Lookup api.ipify.org
9.6 | M | 25 | guest
2323 | 2020-10-26 22:24
ABU.exe | 974acc695d86bd5417dab90eba289404 | VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check Windows
URLs (1):
Hosts (2):
api.ipify.org(54.204.14.42) 54.235.98.120
Signatures (1):
ET POLICY External IP Lookup api.ipify.org
9.6 | M | 21 | guest
2324 | 2020-10-26 22:25
priscabby.exe | d9c2a3e11415e630a160e7a474e30bcf | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed
7.6 | M | 20 | guest
2325 | 2020-10-26 22:27
NUl1riRhXoQYQ.exe | a895ac0dd9f7ce54053c8933f59b721a | Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1):
http://94.23.62.116:8080/Pbag0h/mvUd62SsNH8/4DYYXhPm/ - malicious
Hosts (2):
94.23.62.116 - suspicious 81.214.253.80 - suspicious
Signatures (1):
ET CNC Feodo Tracker Reported CnC Server group 22
7.2 | M | | guest