| 2416 |
2020-10-29 07:57
|
https://aabeds.com/wordpress/O... da3bc612bb90dce6e68becd3ff56f5d8
AutoRuns Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Windows Exploit Advertising ComputerName DNS Cryptographic key crashed |
2
http://192.198.91.138:443/dwRyq/B1dGEB3/
https://aabeds.com/wordpress/O/
|
4
aabeds.com(104.31.89.220)
117.18.232.200 - suspicious
192.198.91.138
104.31.89.220
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY HTTP traffic on port 443 (POST)
|
|
10.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2417 |
2020-10-29 09:13
|
Attachments-Y369.doc 710a61a57907e8f67cc0776ed93be98c
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://192.198.91.138:443/NT3PzTRU/p1Ml6/zqk7dIQB8/ - mailcious
https://demo.giaoduckidsup.com/wp-includes/P/ - malware
|
11
cacomixtle.net(138.197.1.150) - malware
ayur-herbal.com(160.153.137.210) - malware
enyaxsi.com(45.84.191.215) - malware
demo.giaoduckidsup.com(104.27.160.57) - malware
filmfest.jewishfilm.org(208.113.172.122) - mailcious
138.197.1.150 - suspicious
192.198.91.138 - suspicious
45.84.191.215 - suspicious
104.27.161.57
160.153.137.210 - suspicious
208.113.172.122 - suspicious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.6 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2418 |
2020-10-29 09:29
|
D.exe 0f005763d29a9c1276e5b28d6660f7a4
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://91.121.200.35:8080/x3YJv/4VGLv8i3cqYFcpQqj2/gqyR3Wn/50FCBqlDcJF/MvDOieWpqdYFzA/GvMszxXpG/ - mailcious
|
2
152.32.75.74
91.121.200.35 - suspicious
|
|
|
7.4 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2419 |
2020-10-29 09:30
|
httUAcNMH.exe f989edb0552c0972871f92004df28aa1
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://91.121.200.35:8080/aAZwuDxm/ - mailcious
|
2
152.32.75.74
91.121.200.35 - suspicious
|
|
|
7.4 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2420 |
2020-10-29 09:30
|
k.png.exe 28e9316fb298d2e7a3d9fd71c662b3ec
VirusTotal Malware AutoRuns Malicious Traffic buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName |
2
http://api.ipify.org/
http://epperhaptem.com/7/forum.php
|
4
epperhaptem.com(95.216.151.81)
api.ipify.org(54.204.14.42)
95.216.151.81 - suspicious
174.129.214.20
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
8.0 |
M |
32 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2421 |
2020-10-29 09:36
|
0k0T8JlNG3cBImu.exe 6e71622e15fd0f1862778f091d26bfa4
RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://192.198.91.138:443/dO7GPe/LFLEb/cdz2fkO/ - mailcious
|
1
192.198.91.138 - suspicious
|
1
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.2 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2422 |
2020-10-29 09:37
|
arc 20201029 1690.doc cff8e0945303bb73e63281b98a613ef1
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://192.198.91.138:443/EIYYGmOp/7iyOy1IxHB/HU7itbYSbLMe/ - mailcious
https://demo.giaoduckidsup.com/wp-includes/P/ - malware
|
11
cacomixtle.net(138.197.1.150) - malware
ayur-herbal.com(160.153.137.210) - malware
enyaxsi.com(45.84.191.215) - malware
demo.giaoduckidsup.com(172.67.140.232) - malware
filmfest.jewishfilm.org(208.113.172.122) - mailcious
138.197.1.150 - suspicious
192.198.91.138 - suspicious
45.84.191.215 - suspicious
160.153.137.210 - suspicious
104.27.160.57
208.113.172.122 - suspicious
|
4
SURICATA TLS invalid record type
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record/traffic
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.0 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2423 |
2020-10-29 09:39
|
document.doc c71813d096c329c4cc6f447b02d33668
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
1
http://78.128.92.94/win/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2424 |
2020-10-29 09:46
|
AutoVLM Clone.exe 1eeb0ed06b17538b62b3bf0859c5f496
VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
3.6 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2425 |
2020-10-29 09:49
|
file_41974312.doc 6b85477e763034dc0989adb4411c117e
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
4
http://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - mailcious
http://80.227.52.78/WyEu/V0DLlmLJ6b6J/knDpht6D438w/
http://nanettecook.org/wp-admin/x/ - mailcious
https://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - malware
|
5
scalarmonitoring.com(85.50.100.181) - malware
nanettecook.org(74.80.58.254) - mailcious
85.50.100.181 - suspicious
80.227.52.78
74.80.58.254 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
30 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2426 |
2020-10-29 09:55
|
B_OKT_100120_QMJ_102820.doc 3d52fc5a050f184b6b5831c070c18631
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
3
http://80.227.52.78/5LsR1nkgomX3l/ZjPBKZ4x4Zvvn/
https://weparditestaa.fi/wp-admin/72uPk/ - malware
https://gayatrienterprise.org/wp-admin/DPBsj/
|
7
www.saintmarcel.com(51.38.224.182)
weparditestaa.fi(192.130.146.156) - malware
gayatrienterprise.org(104.27.153.75)
192.130.146.156 - suspicious
80.227.52.78
104.27.152.75
51.38.224.182
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
15 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2427 |
2020-10-29 10:04
|
vbc.exe 981e5205357b236c348d4f43f01e4936
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName crashed |
|
|
|
|
11.2 |
|
19 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2428 |
2020-10-29 10:05
|
KQGM9kR.exe 8e1906f95a563aca2fed0dc278eb67ea
Malware Malicious Traffic ICMP traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://91.121.200.35:8080/YkXasmCh3TPZqmM/RguI9g0SOMojbpzJd61/gKpYfLbHX5m/hHaFiW6z0sL9SgMb/TecMluoGIoG/A2AcQhB6VekGEBw8FIN/ - mailcious
|
2
152.32.75.74
91.121.200.35 - suspicious
|
|
|
7.8 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2429 |
2020-10-29 10:07
|
n1.exe 8aad8fa5cd8e6a9742079b7d579aadf4
VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
39 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2430 |
2020-10-29 10:09
|
vbc.exe 981e5205357b236c348d4f43f01e4936
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed |
|
|
|
|
9.4 |
|
19 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|