2341 | 2020-10-27 14:15 | F62BowAeOHaWkJ.exe | MD5 42e2d1d77e7b06eeefeb06a779b8dd75
  Tags: VirusTotal, Malware, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
  URLs (1): http://154.91.33.137:443/kbjM3Fxq6/Rqvh0muenJLyWpBlja/b3UlyWbtoGMYy7r/OAeG8e/ - mailcious
  Hosts (1): 154.91.33.137 - suspicious
  IDS alerts (1): ET POLICY HTTP traffic on port 443 (POST)
  5.0 | M | 5 | admin
2342 | 2020-10-27 14:19 | ZROO26A9.exe | MD5 52a32baeffe4eeaf585965700d174832
  Tags: VirusTotal, Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
  URLs (1): http://61.118.67.173/1nUT/wRmpHv/UUgQPiqQLluBThrD4/TTgIjadHETlbQp/RflYdpG86/
  Hosts (1): (not listed)
  IDS alerts: (none)
  6.6 | | 21 | admin
2343 | 2020-10-27 14:23 | October Invoice.doc | MD5 6417e13118cf88c3a42ed070cae0e8ce
  Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, DNS
  URLs (2):
    http://61.118.67.173/crbyOZ4qgH8lU9f9/WP5Um4j/sZ9b6WRDmnWJJFgvb/DDSkxjWLp9abnuf/hzkTOA/
    https://cardandev.com/balancedteens/N2aAqwmfux/
  Hosts (3): cardandev.com(67.43.4.115), 61.118.67.173, 67.43.4.115
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  4.4 | | | admin
2344 | 2020-10-27 14:30 | Pu.exe | MD5 67b15c0cca8d63bc909cc6d9a97ff36b
  Tags: Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
  URLs (1): http://61.118.67.173/kkGGN/eVWONrKSMxXKDwiXoI/
  Hosts (1): (not listed)
  IDS alerts: (none)
  5.4 | | | admin
2345 | 2020-10-27 17:33 | Pu.exe | MD5 67b15c0cca8d63bc909cc6d9a97ff36b
  Tags: VirusTotal, Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
  URLs (1): http://61.118.67.173/rx1kpHQz6AyHyLdYTa/
  Hosts (1): (not listed)
  IDS alerts: (none)
  5.8 | | 6 | admin
2346 | 2020-10-27 17:33 | udi.exe | MD5 6c928c0bb16fbe2a4b655cbbdd08c226
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Ransomware, Windows, Browser, Tor, Email, ComputerName, Cryptographic key, Software, crashed, keylogger
  URLs (2):
    http://crt.comodoca.com/COMODORSAAddTrustCA.crt
    https://api.ipify.org/
  Hosts (4): api.ipify.org(184.73.247.141), crt.comodoca.com(91.199.212.52), 91.199.212.52, 54.235.83.248
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  15.2 | M | 22 | guest
2347 | 2020-10-27 17:34 | joj.exe | MD5 75c4f2a3e9f895a4d684e41edbc665b6
  Tags: VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Ransomware, Windows, Tor, ComputerName, crashed
  URLs (2):
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
  Hosts (2): api.ipify.org(184.73.247.141), 54.225.169.28
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  12.0 | M | 39 | guest
2348 | 2020-10-27 17:41 | joj.exe | MD5 75c4f2a3e9f895a4d684e41edbc665b6
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Ransomware, Windows, Browser, Tor, Email, ComputerName, Cryptographic key, Software, crashed, keylogger
  URLs (2):
    http://crt.comodoca.com/COMODORSAAddTrustCA.crt
    https://api.ipify.org/
  Hosts (4): api.ipify.org(50.19.252.36), crt.comodoca.com(91.199.212.52), 91.199.212.52, 54.235.83.248
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  15.4 | M | 39 | admin
2349 | 2020-10-27 17:42 | Fsl2uw.exe | MD5 f8e613f97dfaad6b5e4f25aa9c9a52e5
  Tags: VirusTotal, Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
  URLs (1): http://61.118.67.173/X00DApi56EqexN/IE9i13knJe/BHOOP9/
  Hosts (1): (not listed)
  IDS alerts: (none)
  5.8 | | 6 | admin
2350 | 2020-10-27 17:57 | U86GkXRRov.exe | MD5 b86e39e2efa1d7739534e74d194d06eb
  Tags: Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
  URLs (1): http://61.118.67.173/4Es8r3qc8nTFF/o8D8eq/
  Hosts (1): (not listed)
  IDS alerts: (none)
  5.4 | | | guest
2351 | 2020-10-27 17:57 | zzf.exe | MD5 db6c083fb31ee45ab0dcfb438d15e411
  Tags: PDB
  URLs: (none)
  Hosts: (none)
  IDS alerts: (none)
  0.6 | | | guest
2352 | 2020-10-27 17:59 | muo4guvow.jpg.exe | MD5 a84721e4044bb7cef292b2e46393dc24
  Tags: VirusTotal, Malware, unpack itself, malicious URLs, crashed
  URLs: (none)
  Hosts: (none)
  IDS alerts: (none)
  2.2 | | 11 | guest
2353 | 2020-10-27 18:14 | kung.exe | MD5 45bfc424046b617fe8d016e34e047c0a
  Tags: Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, Trojan, DNS, Software
  URLs (1): http://magicview.ga/chang/gate.php - mailcious
  Hosts (2): magicview.ga(91.203.192.84) - mailcious, 91.203.192.84 - suspicious
  IDS alerts (10):
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  12.8 | M | 31 | guest
2354 | 2020-10-27 18:17 | mT2cge6ejFx20w3Hu.exe | MD5 f583ada80565e37b45785f7e35e2bec2
  Tags: Malware, Report, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
  URLs (1): http://104.131.92.244:8080/UpnPUowtfqf8qspt1/Qqwr1NrLzr3LzL/
  Hosts (2): 45.16.226.117 - suspicious, 104.131.92.244
  IDS alerts (1): ET CNC Feodo Tracker Reported CnC Server group 18
  6.4 | | | guest
2355 | 2020-10-27 18:19 | FILE-2020_10_27-YE455729.doc | MD5 e6df4c6ce89b90689352e5f18778cd5d
  Tags: Vulnerability, VirusTotal, Malware, Report, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
  URLs (3):
    http://104.131.92.244:8080/RGc8Ihma897MD9Up/x4JW/F9mrfCWszepi3o/
    http://kbppp.ilmci.com/wp-includes/z/
    http://www.royalempresshair.com/wp-content/upgrade/Ete/
  Hosts (6): www.royalempresshair.com(45.79.219.198) - mailcious, kbppp.ilmci.com(103.241.24.165) - mailcious, 45.79.219.198 - suspicious, 103.241.24.165 - suspicious, 45.16.226.117 - suspicious, 104.131.92.244
  IDS alerts (5):
    ET CNC Feodo Tracker Reported CnC Server group 18
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO EXE - Served Attached HTTP
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  6.0 | | 19 | guest