| 2386 |
2020-10-28 11:38
|
aPfjegjaF.exe 6d8eb085d7dfcfdd55f26262e51fbfdc
Browser Info Stealer Emotet Malware download FTP Client Info Stealer Vidar Azorult Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Interception Zeus OskiStealer Stealer Windows Browser Email ComputerName Cryptographic key Software crashed Downloader |
16
http://morasergiov.ac.ug/
http://217.8.117.77/oJHstwpndf.exe - malware
http://morasergiov.ac.ug/vcruntime140.dll
http://jamesrlongacre.ug/rc.exe
http://morasergiov.ac.ug/nss3.dll
http://morasergiov.ac.ug/sqlite3.dll
http://jamesrlongacre.ug/ds2.exe
http://jamesrlongacre.ug/index.php
http://morasergiov.ac.ug/freebl3.dll
http://morasergiov.ac.ug/mozglue.dll
http://jamesrlongacre.ug/ac.exe
http://jamesrlongacre.ug/ds1.exe
http://morasergiov.ac.ug/main.php
http://morasergiov.ac.ug/msvcp140.dll
http://morasergiov.ac.ug/softokn3.dll
https://cdn.discordapp.com/attachments/752128569169281083/770252881495326780/Uvop123
|
9
morasergiov.ac.ug(217.8.117.77)
discord.com(162.159.136.232)
taenaia.ac.ug(79.134.225.121)
jamesrlongacre.ug(217.8.117.77)
cdn.discordapp.com(162.159.130.233) - malware
79.134.225.121 - suspicious
162.159.136.232
162.159.129.233 - suspicious
217.8.117.77 - suspicious
|
11
ET DROP Spamhaus DROP Listed Traffic Inbound group 38
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE AZORult v3.3 Server Response M3
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
|
|
27.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2387 |
2020-10-28 12:18
|
dat-730044.doc 86383b38ce26730817e15b0ae7191437
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://www.josejuanarroyo.com/antithetical-bulblet/l/ - malware
http://78.206.229.130/uKGfHwmnTEnY6/wjVGkGYqbNm/OpCtHvEIGdQVlYOcem/fDtBX5jksao28y/dxopC8I/MURSzK4WAPeY/ - mailcious
|
3
www.josejuanarroyo.com(65.254.227.224) - mailcious
78.206.229.130 - suspicious
65.254.227.224 - suspicious
|
4
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
4.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2388 |
2020-10-28 12:26
|
reqrm.exe cc219392a073e3c644174607af417b93
Malware download Azorult VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Windows Browser ComputerName Cryptographic key |
1
http://workwithjoshuaking.com/ssq/cow/index.php
|
2
workwithjoshuaking.com(162.0.231.127)
162.0.231.127
|
1
ET MALWARE AZORult Variant.4 Checkin M2
|
|
14.4 |
|
38 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2389 |
2020-10-28 12:26
|
Electronic form.doc eb6a6943bf8db6a0c7003c1c869b3323
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
3
http://91.121.200.35:8080/oQduEUzyuXYOG1/iosXbeze6L0YK93Z/r3qIMIMkoLSL/NEUB/oa9411o42Xd/ - mailcious
https://agenciainfluenciar.com.br/indexing/X/ - malware
https://e-spaic.pt/hacks_list/LK/ - mailcious
|
6
agenciainfluenciar.com.br(107.180.71.232) - malware
e-spaic.pt(161.97.75.68) - mailcious
179.15.102.2 - suspicious
107.180.71.232 - suspicious
161.97.75.68 - suspicious
91.121.200.35 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
14 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2390 |
2020-10-28 18:06
|
link.exe a9cbc59987ec442437ffea45aade05ba
Dridex VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows ComputerName Cryptographic key |
1
http://bprbalidananiaga.co.id:443/linkbaba/PL341/index.php
|
2
bprbalidananiaga.co.id(103.253.212.238)
103.253.212.238
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET POLICY HTTP traffic on port 443 (POST)
|
|
9.4 |
M |
40 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2391 |
2020-10-28 18:14
|
5j03vVHmJpg.exe 0dd348f4aa94c0be2e84561dda14eac0
Malware Malicious Traffic Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://88.153.35.32/xVkFvi0xr0OKrwmZRS/IkvcNT3Xm/fJ2IMGEt7DTjKU00/ - mailcious
|
1
88.153.35.32 - suspicious
|
|
|
6.0 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2392 |
2020-10-28 18:15
|
pinac33fb.exe d204e66e0d2ca29b4c382818fa44e710
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key |
|
|
|
|
10.4 |
|
23 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2393 |
2020-10-28 18:15
|
office99fb.exe 5bc7fe05cc6777e298f4af807926dfe6
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key |
|
|
|
|
10.4 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2394 |
2020-10-28 18:28
|
office99fb.exe 5bc7fe05cc6777e298f4af807926dfe6
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key |
1
http://www.hamptonsgeneralcontractors.com/acq/?wh=0QAhRrP8y1RAj5XU33Cusl4oZQrV0aSnFtY2d6l9bccmMffCxyrW75SYWrN9oI13N2c7yo3H&YBZ0=cxlL6
|
3
www.hamptonsgeneralcontractors.com(147.154.3.56)
www.exo365.ltd()
147.154.3.56
|
|
|
11.2 |
M |
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2395 |
2020-10-28 18:29
|
pinac33fb.exe d204e66e0d2ca29b4c382818fa44e710
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key |
2
http://www.qrealstate.com/v5e/?hBZ=U8uYJGSxoLyhT5pbzaQ9qctLbacRs+moGSuQsXfqB1aF5sMBe8L8sBVSRbRvl3A+E3BaxDnm&or=3f2pdRAXg
http://www.ikonnfood.com/v5e/?hBZ=W6KdrNObcxIjnvFa/ckLxHjNsYQo6VSzkwlNO041eL/2JEugRfg9ANiOZrYvupe42yLeExKi&or=3f2pdRAXg
|
4
www.qrealstate.com(68.66.224.8)
www.ikonnfood.com(217.160.0.167)
217.160.0.167 - suspicious
68.66.224.8 - suspicious
|
|
|
11.2 |
M |
23 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2396 |
2020-10-28 18:38
|
form.doc 77153b25765b8f500ec3b9199fde031a
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://91.121.200.35:8080/5p26GFubm/9pfmBu06/m4RahRb8CPnsVM1/Idbok7gct/Qtl4m6AYI4LTtYWO/bymnR/ - mailcious
http://www.meshzs.com/wp-includes/E/
|
4
www.meshzs.com(188.166.149.118)
179.15.102.2 - suspicious
188.166.149.118
91.121.200.35 - suspicious
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.0 |
M |
10 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2397 |
2020-10-28 18:45
|
antidami32kl.exe a6b913ac4445753786c8e62a08df5449
VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs Ransomware Windows Tor ComputerName Cryptographic key crashed |
|
|
|
|
13.8 |
M |
22 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2398 |
2020-10-28 18:46
|
FD-6507.jpg.exe db8548d27da86c27809420b5ef7143b0
AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs Ransomware Windows Tor ComputerName Cryptographic key crashed |
|
|
|
|
12.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2399 |
2020-10-28 18:50
|
invoice.doc 373cb701b632ae6397bf97b0b3f6336b
Vulnerability VirusTotal Malware exploit crash unpack itself malicious URLs Windows Exploit crashed |
1
http://bvcxzlkjhgfdsapoiuytrewqwertyuiopasdfghj.ydns.eu/akin.exe - malware
|
2
bvcxzlkjhgfdsapoiuytrewqwertyuiopasdfghj.ydns.eu(103.140.251.164) - malware
103.140.251.164 - suspicious
|
1
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
4.8 |
M |
25 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2400 |
2020-10-28 18:53
|
INV_6347.doc b78a1fa8b1dfc94a57d1a35c3953e1fa
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://www.meshzs.com/wp-includes/E/ - malware
http://91.121.200.35:8080/BKhHW3pyD/wVLE4VHOlIwgK1NBL/0FPEf/xVxOqWB2k/bFKzPnusSsEuWnLHG/v202jrsDZIbG/ - mailcious
|
4
www.meshzs.com(188.166.149.118) - malware
179.15.102.2 - suspicious
188.166.149.118 - suspicious
91.121.200.35 - suspicious
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.0 |
M |
10 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|