2476 | 2020-10-30 21:21
FAS_100120_OBW_103020.doc | 26e46a86e1386111f4c7790bab599869
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/ - malware
  http://173.173.254.105/az1L5Cssv/lIkSns7VdaFih7TC/FZy7YuB4/5EWdgSxwTpnJFO/ - mailcious
Hosts (6):
  pipesplumbingltd.com(35.208.159.220) - mailcious
  annabphotography.co.uk(35.214.15.47) - mailcious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | admin

2477 | 2020-10-30 21:50
invoice_771275.doc | 2fabe873166b42d734a12c918f792764
Tags: Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs IP Check Tofsee Windows Exploit DNS DDNS crashed
URLs (3):
  http://wsdybsskillemmulatorsdevelovercommwsity.ydns.eu/bssdoc/win32.exe - malware
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (8):
  mail.salujaford.in(199.101.134.84)
  wsdybsskillemmulatorsdevelovercommwsity.ydns.eu(212.162.149.27) - malware
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(131.186.161.70)
  162.88.193.70
  104.28.5.151
  212.162.149.27 - suspicious
  199.101.134.84 - suspicious
Alerts (8):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  ET POLICY PE EXE or DLL Windows file download HTTP
  SURICATA Applayer Detect protocol only one direction
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
5.4 | M | 22 | admin

2478 | 2020-10-30 21:59
POP.exe | 8cf74500bb24624b63930bf263aafcb0
Tags: AutoRuns suspicious privilege Code Injection Check memory Checks debugger unpack itself malicious URLs Windows
5.2 | M | admin

2479 | 2020-10-30 22:39
win32.exe | 7c0ec544d981d901c7819996d90dacc8
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (6):
  mail.salujaford.in(199.101.134.84)
  freegeoip.app(104.28.5.151)
  checkip.dyndns.org(216.146.43.71)
  104.28.4.151
  131.186.161.70
  199.101.134.84 - suspicious
Alerts (5):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SURICATA Applayer Detect protocol only one direction
17.6 | M | 22 | admin

2480 | 2020-10-31 09:09
FILE_PO_10312020EX.doc | b864ecba7b8fee96b95159cb9f4d30b2
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/ - malware
  http://173.173.254.105/BHsFILw0Hais/ - mailcious
Hosts (6):
  pipesplumbingltd.com(35.208.159.220) - mailcious
  annabphotography.co.uk(35.214.15.47) - mailcious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | 18 | admin

2481 | 2020-10-31 09:13
8.exe | 56564e2f274ac21803580be8a236518d
Tags: AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check Windows ComputerName DNS DDNS crashed
Hosts (2):
  kingshakes.linkpc.net(79.134.225.52) - mailcious
  79.134.225.52 - suspicious
14.6 | admin

2482 | 2020-10-31 09:14
donpyx.exe | 319a790ffd7c286a2ed494469ddd1357
Tags: Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Ransomware Browser Email ComputerName Software
URLs (1):
  http://ciuj.ir/donpy/index.php
Hosts (2):
  ciuj.ir(104.237.252.41)
  104.237.252.41
Alerts (1):
  ET MALWARE AZORult v3.3 Server Response M3
15.6 | 27 | admin

2483 | 2020-10-31 09:15
83iUuVObiSnKzI9WfkpU.exe | cc0b69abe8dd0a2cf87ffe7e1a1e1d2f
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1):
  http://70.39.251.94:8080/rTd1BLeci/ION6jVntQcFEnskr/nVplv25C/H9DfHq1WUDUpB/ - mailcious
Hosts (3):
  118.69.11.81 - suspicious
  70.39.251.94 - suspicious
  190.202.229.74 - suspicious
7.2 | M | admin

2484 | 2020-10-31 09:31
Inf_EDV_100120_URP_103120.doc | 11b0ade6c38d27ba741294173f088621
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/ - malware
  http://173.173.254.105/r0Om/KGFKgY7MZosFT/3slxGj56vbMpFwujRh/gkj9Bgn0R27BQVoW/GJLHbjjXki/ - mailcious
Hosts (6):
  pipesplumbingltd.com(35.208.159.220) - mailcious
  annabphotography.co.uk(35.214.15.47) - mailcious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
6.0 | M | 17 | admin

2485 | 2020-10-31 09:36
mBhuyP.exe | 2acfebc586eac54f79cc41fd78e897ce
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1):
  http://70.39.251.94:8080/upYJrV/ - mailcious
Hosts (3):
  118.69.11.81 - suspicious
  70.39.251.94 - suspicious
  190.202.229.74 - suspicious
7.2 | M | admin

2486 | 2020-10-31 09:41
ePh0eJZNL1NJpMw.exe | d3c3cff0bfce9f34418da4cf2fdfb027
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Ransomware Windows Tor ComputerName crashed
13.6 | 40 | admin

2487 | 2020-10-31 09:42
ike.exe | 5b938ccc78b8b6af082c85f969d188f7
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed
11.0 | 25 | admin

2488 | 2020-10-31 09:46
https://bitbucket.org/soyag/la... | 9ada122303e6dee1c0f0171bf2e59253
Tags: Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (3):
  bitbucket.org(104.192.141.1) - malware
  18.205.93.2 - suspicious
  117.18.232.200 - suspicious
Alerts (3):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.2 | admin

2489 | 2020-10-31 09:47
regasm.exe | 355e70c00a060f1e2a0680676227d7ce
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Software
URLs (1):
  http://magicview.ga/rojas/gate.php
Hosts (2):
  magicview.ga(91.203.193.242) - mailcious
  91.203.193.242
Alerts (10):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
14.0 | 38 | admin

2490 | 2020-10-31 09:50
UNTITLED_FY4695778951OT.doc | dfa215f2b84d0df40c221d76309acb13
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/ - malware
  http://173.173.254.105/hcVx/OgLyOkmDwCTmM/p2pkqLA15Sm/MDkzk/EN8kGI/ - mailcious
Hosts (6):
  pipesplumbingltd.com(35.208.159.220) - mailcious
  annabphotography.co.uk(35.214.15.47) - mailcious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
6.0 | M | 16 | admin