| 2341 |
2020-10-27 14:15
|
F62BowAeOHaWkJ.exe 42e2d1d77e7b06eeefeb06a779b8dd75
VirusTotal Malware RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://154.91.33.137:443/kbjM3Fxq6/Rqvh0muenJLyWpBlja/b3UlyWbtoGMYy7r/OAeG8e/ - mailcious
|
1
154.91.33.137 - suspicious
|
1
ET POLICY HTTP traffic on port 443 (POST)
|
|
5.0 |
M |
5 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2342 |
2020-10-27 14:19
|
ZROO26A9.exe 52a32baeffe4eeaf585965700d174832
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/1nUT/wRmpHv/UUgQPiqQLluBThrD4/TTgIjadHETlbQp/RflYdpG86/
|
1
|
|
|
6.6 |
|
21 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2343 |
2020-10-27 14:23
|
October Invoice.doc 6417e13118cf88c3a42ed070cae0e8ce
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://61.118.67.173/crbyOZ4qgH8lU9f9/WP5Um4j/sZ9b6WRDmnWJJFgvb/DDSkxjWLp9abnuf/hzkTOA/
https://cardandev.com/balancedteens/N2aAqwmfux/
|
3
cardandev.com(67.43.4.115)
61.118.67.173
67.43.4.115
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2344 |
2020-10-27 14:30
|
Pu.exe 67b15c0cca8d63bc909cc6d9a97ff36b
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/kkGGN/eVWONrKSMxXKDwiXoI/
|
1
|
|
|
5.4 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2345 |
2020-10-27 17:33
|
Pu.exe 67b15c0cca8d63bc909cc6d9a97ff36b
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/rx1kpHQz6AyHyLdYTa/
|
1
|
|
|
5.8 |
|
6 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2346 |
2020-10-27 17:33
|
udi.exe 6c928c0bb16fbe2a4b655cbbdd08c226
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed keylogger |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
4
api.ipify.org(184.73.247.141)
crt.comodoca.com(91.199.212.52)
91.199.212.52
54.235.83.248
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.2 |
M |
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2347 |
2020-10-27 17:34
|
joj.exe 75c4f2a3e9f895a4d684e41edbc665b6
VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Tor ComputerName crashed |
2
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
2
api.ipify.org(184.73.247.141)
54.225.169.28
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
39 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2348 |
2020-10-27 17:41
|
joj.exe 75c4f2a3e9f895a4d684e41edbc665b6
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed keylogger |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
4
api.ipify.org(50.19.252.36)
crt.comodoca.com(91.199.212.52)
91.199.212.52
54.235.83.248
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
39 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2349 |
2020-10-27 17:42
|
Fsl2uw.exe f8e613f97dfaad6b5e4f25aa9c9a52e5
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/X00DApi56EqexN/IE9i13knJe/BHOOP9/
|
1
|
|
|
5.8 |
|
6 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2350 |
2020-10-27 17:57
|
U86GkXRRov.exe b86e39e2efa1d7739534e74d194d06eb
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/4Es8r3qc8nTFF/o8D8eq/
|
1
|
|
|
5.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2351 |
2020-10-27 17:57
|
zzf.exe db6c083fb31ee45ab0dcfb438d15e411
PDB |
|
|
|
|
0.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2352 |
2020-10-27 17:59
|
muo4guvow.jpg.exe a84721e4044bb7cef292b2e46393dc24
VirusTotal Malware unpack itself malicious URLs crashed |
|
|
|
|
2.2 |
|
11 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2353 |
2020-10-27 18:14
|
kung.exe 45bfc424046b617fe8d016e34e047c0a
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software |
1
http://magicview.ga/chang/gate.php - mailcious
|
2
magicview.ga(91.203.192.84) - mailcious
91.203.192.84 - suspicious
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
12.8 |
M |
31 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2354 |
2020-10-27 18:17
|
mT2cge6ejFx20w3Hu.exe f583ada80565e37b45785f7e35e2bec2
Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://104.131.92.244:8080/UpnPUowtfqf8qspt1/Qqwr1NrLzr3LzL/
|
2
45.16.226.117 - suspicious
104.131.92.244
|
1
ET CNC Feodo Tracker Reported CnC Server group 18
|
|
6.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2355 |
2020-10-27 18:19
|
FILE-2020_10_27-YE455729.doc e6df4c6ce89b90689352e5f18778cd5d
Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
3
http://104.131.92.244:8080/RGc8Ihma897MD9Up/x4JW/F9mrfCWszepi3o/
http://kbppp.ilmci.com/wp-includes/z/
http://www.royalempresshair.com/wp-content/upgrade/Ete/
|
6
www.royalempresshair.com(45.79.219.198) - mailcious
kbppp.ilmci.com(103.241.24.165) - mailcious
45.79.219.198 - suspicious
103.241.24.165 - suspicious
45.16.226.117 - suspicious
104.131.92.244
|
5
ET CNC Feodo Tracker Reported CnC Server group 18
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
|
19 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|