2371 | 2020-10-28 10:02 | gfers.exe 8d330917b4d7220eb231327236f93c95 VirusTotal Malware unpack itself | | | | | 2.0 | | 25 | admin
2372 | 2020-10-28 10:11 | 16.exe db02751a702b316fe074381f82f04965 VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs anti-virtualization Ransomware Windows Tor ComputerName DNS crashed keylogger | | 5: 46.166.182.20; 185.100.85.61; 217.182.196.70; 37.187.102.108; 95.217.183.21 | 6: ET TOR Known Tor Exit Node Traffic group 31; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 31; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 579; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 617 | | 11.6 | M | 51 | admin
2373 | 2020-10-28 10:12 | 2.scr f0d8f5b7a0e01207efc16af30462944c Malware download Amadey Malware AutoRuns MachineGuid Malicious Traffic Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS | 3: http://searchtool.space/oOjgox/index.php; http://tradingsignals.club/oOjgox/index.php; http://cpaglobal.cloud/oOjgox/index.php | 6: searchtool.space(161.117.255.56); tradingsignals.club(162.255.119.106); cpaglobal.cloud(192.64.119.152); 162.255.119.106; 161.117.255.56; 192.64.119.152 | 3: ET INFO Observed DNS Query to .cloud TLD; ET MALWARE Amadey CnC Check-In; ET INFO HTTP Request to Suspicious *.cloud Domain | | 6.4 | M | | admin
2374 | 2020-10-28 10:15 | nono.exe d5e700f8d120095ecfc77edc1476c844 VirusTotal Malware Check memory Checks debugger unpack itself Checks Bios Detects VirtualBox malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName Cryptographic key Software | | | | | 7.6 | M | 46 | admin
2375 | 2020-10-28 10:16 | 9.scr f0d8f5b7a0e01207efc16af30462944c Malware download Amadey VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows Tor ComputerName DNS | 3: http://searchtool.space/oOjgox/index.php; http://tradingsignals.club/oOjgox/index.php; http://cpaglobal.cloud/oOjgox/index.php | 7: searchtool.space(161.117.255.56); tradingsignals.club(162.255.119.106); cpaglobal.cloud(192.64.119.152); 162.255.119.106; 161.117.255.56; 192.64.119.152; 217.182.196.70 | 4: ET MALWARE Amadey CnC Check-In; ET INFO Observed DNS Query to .cloud TLD; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447; ET INFO HTTP Request to Suspicious *.cloud Domain | | 8.2 | M | 56 | admin
2376 | 2020-10-28 10:17 | https://valenciaexpresslaundry... 09ecf62b70523317e0631ad7d50b669b Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | | 3: valenciaexpresslaundry.com(181.214.142.131) - malware; 181.214.142.131 - suspicious; 117.18.232.200 - suspicious | 3: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | | 4.8 | | | admin
2377 | 2020-10-28 10:21 | tyuew.exe 4fc3c6a6fc4711ad9907fdf45810829c VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows DNS Cryptographic key crashed | 4: https://ahgwqrq.xyz/getrandombase64.php?get=330F8E490A8A44EFA30583C338272735; https://ahgwqrq.xyz/getrandombase64.php?get=2546F095A204453AA8FD8516FFDCA892; https://ahgwqrq.xyz/getrandombase64.php?get=97D7C843E8234D4687C41F0958409F28; https://ahgwqrq.xyz/getrandombase64.php?get=99DA4645D7AD484294E084764E693136 | 5: www.google.it(172.217.174.99); ahgwqrq.xyz(104.27.180.69); 104.27.180.69; 216.58.200.3; 185.165.153.249 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 12.4 | | 17 | admin
2378 | 2020-10-28 10:21 | crypwarzne.exe 11462f772298d022d297e311c9c4410d VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows Browser Email Cryptographic key | | | | | 9.4 | | 22 | admin
2379 | 2020-10-28 10:22 | Inv_RM55024.exe 3983beae3cd93351990cb562fd901ae7 Malware download VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check Windows Tor ComputerName DNS Software crashed keylogger | 1: http://3ple.farm/16.exe - malware | 8: 3ple.farm(181.214.142.131) - malware; 81.7.14.253; 178.254.45.64; 217.182.196.68 - suspicious; 181.214.142.131 - suspicious; 80.127.137.19; 78.82.243.187; 31.185.104.20 | 8: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01; ET MALWARE Possible Malicious Macro DL EXE Feb 2016; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE JS/Nemucod.M.gen downloading EXE payload; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 742; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 725 | | 21.2 | M | 21 | admin
2380 | 2020-10-28 10:30 | https://valenciaexpresslaundry... 09ecf62b70523317e0631ad7d50b669b Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed | | 3: valenciaexpresslaundry.com(181.214.142.131) - malware; 181.214.142.131 - suspicious; 117.18.232.200 - suspicious | 3: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | | 4.4 | | | admin
2381 | 2020-10-28 10:34 | DOC_96439691.doc 56a98d4ac1377142220a9cfc737a13b3 Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS | 2: http://tangshizhi.com/wp-admin/pcFD/; http://107.170.146.252:8080/x1M3/oedgL4bl1Sxsa/vi44ggjQKWaE/ohU9Y8R8JN/QP7G8wd6RNEPGKnq2/ - mailcious | 6: tangshizhi.com(202.95.11.52); cuutrolulut.info(208.113.172.110); 107.170.146.252 - suspicious; 88.153.35.32 - suspicious; 208.113.172.110; 202.95.11.52 - suspicious | 5: ET POLICY Terse Named Filename EXE Download - Possibly Hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 5.4 | M | | admin
2382 | 2020-10-28 10:34 | fem76rrOZaV1Rmecl.exe 52d43e04889f414a4822214ea6385746 VirusTotal Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key | 1: http://70.39.251.94:8080/zhKsdlEc6/bbweYIbi0il/watuUvIP7uh/PdWOatw60/ | 3: 70.39.251.94; 45.16.226.117 - suspicious; 104.131.92.244 - suspicious | 1: ET CNC Feodo Tracker Reported CnC Server group 18 | | 8.2 | | 13 | admin
2383 | 2020-10-28 10:35 | https://achremittanceservices.... d32109224e04cbdb24ca32fb320f89a1 Dridex Malware Code Injection unpack itself Windows utilities malicious URLs Tofsee Windows Tor DNS | | 3: achremittanceservices.com(68.65.123.61); 68.65.123.61; 178.254.45.64 | 4: ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | | 2.8 | | | admin
2384 | 2020-10-28 11:33 | 99.exe e2cd3596bdec815d580dfeadec5209bb ENERGETIC BEAR VirusTotal Malware suspicious privilege Check memory buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs anti-virtualization Ransomware Windows Tor ComputerName DNS crashed keylogger | | 6: 163.172.149.155; 5.135.65.145; 45.66.33.45; 78.129.193.54; 108.53.208.157; 51.15.77.244 | 6: ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 166; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 246; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 642; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 652; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 717 | | 12.0 | M | 51 | admin
2385 | 2020-10-28 11:36 | oJHstwpndf.exe 0eec3e7a4adb97d3262da05499627f11 Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check human activity check installed browsers check OskiStealer Stealer Windows Browser Tor Email ComputerName DNS | 9: http://morasergiov.ac.ug/; http://morasergiov.ac.ug/vcruntime140.dll; http://morasergiov.ac.ug/nss3.dll; http://morasergiov.ac.ug/sqlite3.dll; http://morasergiov.ac.ug/freebl3.dll; http://morasergiov.ac.ug/mozglue.dll; http://morasergiov.ac.ug/main.php; http://morasergiov.ac.ug/msvcp140.dll; http://morasergiov.ac.ug/softokn3.dll | 4: morasergiov.ac.ug(217.8.117.77); 78.129.193.54; 51.15.77.244; 217.8.117.77 - suspicious | 6: ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 717; ET DROP Spamhaus DROP Listed Traffic Inbound group 38; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 642; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2; ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil | | 18.8 | M | 25 | admin