2416 | 2020-10-29 07:57
Sample: https://aabeds.com/wordpress/O... | MD5: da3bc612bb90dce6e68becd3ff56f5d8
Signatures: AutoRuns Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Windows Exploit Advertising ComputerName DNS Cryptographic key crashed
URLs (2): http://192.198.91.138:443/dwRyq/B1dGEB3/ ; https://aabeds.com/wordpress/O/
Hosts (4): aabeds.com(104.31.89.220) ; 117.18.232.200 - suspicious ; 192.198.91.138 ; 104.31.89.220
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET POLICY HTTP traffic on port 443 (POST)
10.4 | | | guest

2417 | 2020-10-29 09:13
Sample: Attachments-Y369.doc | MD5: 710a61a57907e8f67cc0776ed93be98c
Signatures: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2): http://192.198.91.138:443/NT3PzTRU/p1Ml6/zqk7dIQB8/ - malicious ; https://demo.giaoduckidsup.com/wp-includes/P/ - malware
Hosts (11): cacomixtle.net(138.197.1.150) - malware ; ayur-herbal.com(160.153.137.210) - malware ; enyaxsi.com(45.84.191.215) - malware ; demo.giaoduckidsup.com(104.27.160.57) - malware ; filmfest.jewishfilm.org(208.113.172.122) - malicious ; 138.197.1.150 - suspicious ; 192.198.91.138 - suspicious ; 45.84.191.215 - suspicious ; 104.27.161.57 ; 160.153.137.210 - suspicious ; 208.113.172.122 - suspicious
IDS alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; SURICATA TLS invalid record type ; SURICATA TLS invalid record/traffic ; ET POLICY HTTP traffic on port 443 (POST)
4.6 | M | 16 | admin

2418 | 2020-10-29 09:29
Sample: D.exe | MD5: 0f005763d29a9c1276e5b28d6660f7a4
Signatures: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://91.121.200.35:8080/x3YJv/4VGLv8i3cqYFcpQqj2/gqyR3Wn/50FCBqlDcJF/MvDOieWpqdYFzA/GvMszxXpG/ - malicious
Hosts (2): 152.32.75.74 ; 91.121.200.35 - suspicious
7.4 | M | 16 | admin

2419 | 2020-10-29 09:30
Sample: httUAcNMH.exe | MD5: f989edb0552c0972871f92004df28aa1
Signatures: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://91.121.200.35:8080/aAZwuDxm/ - malicious
Hosts (2): 152.32.75.74 ; 91.121.200.35 - suspicious
7.4 | M | 16 | admin

2420 | 2020-10-29 09:30
Sample: k.png.exe | MD5: 28e9316fb298d2e7a3d9fd71c662b3ec
Signatures: VirusTotal Malware AutoRuns Malicious Traffic buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName
URLs (2): http://api.ipify.org/ ; http://epperhaptem.com/7/forum.php
Hosts (4): epperhaptem.com(95.216.151.81) ; api.ipify.org(54.204.14.42) ; 95.216.151.81 - suspicious ; 174.129.214.20
IDS alerts (1): ET POLICY External IP Lookup api.ipify.org
8.0 | M | 32 | admin

2421 | 2020-10-29 09:36
Sample: 0k0T8JlNG3cBImu.exe | MD5: 6e71622e15fd0f1862778f091d26bfa4
Signatures: RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://192.198.91.138:443/dO7GPe/LFLEb/cdz2fkO/ - malicious
Hosts (1): 192.198.91.138 - suspicious
IDS alerts (1): ET POLICY HTTP traffic on port 443 (POST)
4.2 | M | | admin

2422 | 2020-10-29 09:37
Sample: arc 20201029 1690.doc | MD5: cff8e0945303bb73e63281b98a613ef1
Signatures: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2): http://192.198.91.138:443/EIYYGmOp/7iyOy1IxHB/HU7itbYSbLMe/ - malicious ; https://demo.giaoduckidsup.com/wp-includes/P/ - malware
Hosts (11): cacomixtle.net(138.197.1.150) - malware ; ayur-herbal.com(160.153.137.210) - malware ; enyaxsi.com(45.84.191.215) - malware ; demo.giaoduckidsup.com(172.67.140.232) - malware ; filmfest.jewishfilm.org(208.113.172.122) - malicious ; 138.197.1.150 - suspicious ; 192.198.91.138 - suspicious ; 45.84.191.215 - suspicious ; 160.153.137.210 - suspicious ; 104.27.160.57 ; 208.113.172.122 - suspicious
IDS alerts (4): SURICATA TLS invalid record type ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; SURICATA TLS invalid record/traffic ; ET POLICY HTTP traffic on port 443 (POST)
4.0 | M | | admin

2423 | 2020-10-29 09:39
Sample: document.doc | MD5: c71813d096c329c4cc6f447b02d33668
Signatures: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (1): http://78.128.92.94/win/vbc.exe
Hosts (1):
IDS alerts (6): ET INFO Executable Download from dotted-quad Host ; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ; ET POLICY PE EXE or DLL Windows file download HTTP ; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | | 24 | admin

2424 | 2020-10-29 09:46
Sample: AutoVLM Clone.exe | MD5: 1eeb0ed06b17538b62b3bf0859c5f496
Signatures: VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
3.6 | | 20 | admin

2425 | 2020-10-29 09:49
Sample: file_41974312.doc | MD5: 6b85477e763034dc0989adb4411c117e
Signatures: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (4): http://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - malicious ; http://80.227.52.78/WyEu/V0DLlmLJ6b6J/knDpht6D438w/ ; http://nanettecook.org/wp-admin/x/ - malicious ; https://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - malware
Hosts (5): scalarmonitoring.com(85.50.100.181) - malware ; nanettecook.org(74.80.58.254) - malicious ; 85.50.100.181 - suspicious ; 80.227.52.78 ; 74.80.58.254 - suspicious
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | 30 | admin

2426 | 2020-10-29 09:55
Sample: B_OKT_100120_QMJ_102820.doc | MD5: 3d52fc5a050f184b6b5831c070c18631
Signatures: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (3): http://80.227.52.78/5LsR1nkgomX3l/ZjPBKZ4x4Zvvn/ ; https://weparditestaa.fi/wp-admin/72uPk/ - malware ; https://gayatrienterprise.org/wp-admin/DPBsj/
Hosts (7): www.saintmarcel.com(51.38.224.182) ; weparditestaa.fi(192.130.146.156) - malware ; gayatrienterprise.org(104.27.153.75) ; 192.130.146.156 - suspicious ; 80.227.52.78 ; 104.27.152.75 ; 51.38.224.182
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 15 | admin

2427 | 2020-10-29 10:04
Sample: vbc.exe | MD5: 981e5205357b236c348d4f43f01e4936
Signatures: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName crashed
11.2 | | 19 | admin

2428 | 2020-10-29 10:05
Sample: KQGM9kR.exe | MD5: 8e1906f95a563aca2fed0dc278eb67ea
Signatures: Malware Malicious Traffic ICMP traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://91.121.200.35:8080/YkXasmCh3TPZqmM/RguI9g0SOMojbpzJd61/gKpYfLbHX5m/hHaFiW6z0sL9SgMb/TecMluoGIoG/A2AcQhB6VekGEBw8FIN/ - malicious
Hosts (2): 152.32.75.74 ; 91.121.200.35 - suspicious
7.8 | M | | admin

2429 | 2020-10-29 10:07
Sample: n1.exe | MD5: 8aad8fa5cd8e6a9742079b7d579aadf4
Signatures: VirusTotal Malware unpack itself
2.2 | M | 39 | admin

2430 | 2020-10-29 10:09
Sample: vbc.exe | MD5: 981e5205357b236c348d4f43f01e4936
Signatures: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed
9.4 | | 19 | admin