2521 | 2020-11-03 12:50 | KF29794499E_COVID-19_SARS-CoV-... | 4d2fad1fb87c821b1ab823ccaf06c38d | Vulnerability unpack itself DNS
DNS (14): aus.thunderbird.net(54.230.62.91); aus5.mozilla.org(35.244.181.201); d2js2viceajwla.cloudfront.net(54.230.62.91); prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201); 99.86.144.61; 59.18.45.76; 59.18.31.17; 172.217.161.174 - suspicious; 99.86.144.100; 35.244.181.201; 172.217.25.14 - suspicious; 99.86.144.82; 172.217.24.67; 99.86.144.46
3.4 | | 42 | admin
2522 | 2020-11-03 13:06 | noNnzwxW3a0IOoZ.exe | 113c6291efcb16880ef982fe221902a7 | VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key DDNS
DNS (2): vikingo1928.duckdns.org(46.246.6.71) - mailcious; 46.246.6.71 - suspicious
Alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
9.8 | M | 57 | admin
2523 | 2020-11-03 13:07 | raz.exe | 52c7166b6bf6b32f30a20b21ed902afc | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed
10.8 | M | 48 | admin
2524 | 2020-11-03 13:34 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer Checks debugger unpack itself malicious URLs Ransomware Email DNS
DNS (2): 35.244.181.201; 99.86.144.82
3.2 | | | admin
2525 | 2020-11-03 13:37 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer Checks debugger unpack itself malicious URLs Ransomware Email
2.6 | | | admin
2526 | 2020-11-03 13:44 | document.doc | 594b812a9529aa440b10bc94bdff567e | LokiBot Malware download Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed
URLs (2): http://antoinesauvagesqcomcomantoinesauvagesqcomcom.ydns.eu/svchost.exe; http://1filesharing.ga/kayo/gate.php
DNS (4): antoinesauvagesqcomcomantoinesauvagesqcomcom.ydns.eu(103.125.191.69); 1filesharing.ga(91.203.193.242) - mailcious; 91.203.193.242 - suspicious; 103.125.191.69 - suspicious
Alerts (12): ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE Possible Malicious Macro DL EXE Feb 2016; ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download; ET POLICY PE EXE or DLL Windows file download HTTP
4.2 | | | admin
2527 | 2020-11-03 13:45 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer Checks debugger unpack itself malicious URLs Ransomware Email DNS
URLs (1): http://175.208.134.150:8282/test/test.eml
DNS (14): translate.googleapis.com(172.217.175.106); www.google.com(172.217.26.36); p5-z7rtggxvgfm4u-innojjmgqysspheu-320178-i2.stbcast2-stb.metric.gstatic.com(216.239.32.62); p5-z7rtggxvgfm4u-innojjmgqysspheu-320178-i1.anycast-stb.metric.gstatic.com(216.239.32.65); _googlecast._tcp.local(); p5-z7rtggxvgfm4u-innojjmgqysspheu-320178-s1-v6exp3-v4.metric.gstatic.com(216.58.220.99); clientservices.googleapis.com(172.217.174.99); 216.239.32.62; 175.208.134.150; 172.217.31.227; 172.217.174.196; 216.239.32.65; 216.58.220.202; 172.217.161.131
Alerts (2): ET JA3 Hash - [Abuse.ch] Possible Adware; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Adware)
3.2 | | | admin
2528 | 2020-11-03 13:56 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer Checks debugger unpack itself malicious URLs Ransomware Email DNS
URLs (2): http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=65; http://175.208.134.150:8282/test/test.eml
DNS (17): p5-ozk5sado3pbmu-btobzjf363c3ehek-891628-i2-v6exp3.v4.metric.gstatic.com(172.217.174.114); translate.googleapis.com(172.217.175.106); www.google.com(172.217.26.36); sb-ssl.google.com(172.217.161.78); p5-ozk5sado3pbmu-btobzjf363c3ehek-891628-s1-v6exp3-v4.metric.gstatic.com(172.217.25.99); sb-ssl.l.google.com(172.217.161.78); p5-ozk5sado3pbmu-btobzjf363c3ehek-891628-i1-v6exp3.ds.metric.gstatic.com(172.217.175.114); _googlecast._tcp.local(); clientservices.googleapis.com(216.58.197.227); 175.208.134.150; 216.58.221.228 - suspicious; 172.217.161.146; 172.217.25.3; 172.217.26.142; 216.58.220.210; 172.217.24.78; 172.217.161.131
3.6 | | | admin
2529 | 2020-11-03 14:23 | takercry.exe | bdb4967fc8da80d11cc90285815b7546 | VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization
2.4 | M | 29 | admin
2530 | 2020-11-03 14:37 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer Checks debugger RWX flags setting unpack itself malicious URLs Ransomware Email DNS
DNS (4): sb-ssl.l.google.com(172.217.161.78); sb-ssl.google.com(172.217.161.78); 216.58.199.14 - suspicious; 59.18.30.79
4.6 | | | admin
2531 | 2020-11-03 14:39 | vbc.exe | 7a66c7a386932ce26f9e2a4975800d41 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Software
URLs (1): http://magicview.ga/kung/gate.php - mailcious
DNS (2): magicview.ga(91.203.193.242) - mailcious; 91.203.193.242 - suspicious
Alerts (10): ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
14.8 | M | 28 | admin
2532 | 2020-11-03 14:46 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer Checks debugger unpack itself malicious URLs Ransomware Email
2.6 | | | admin
2533 | 2020-11-03 14:49 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself malicious URLs installed browsers check Browser Email ComputerName
3.8 | | | admin
2534 | 2020-11-03 14:50 | test.eml | 5c8e2fed189e7b7f7f1d9e756fd072f8 | Email Client Info Stealer Checks debugger unpack itself malicious URLs Ransomware Email
DNS (3): sb-ssl.l.google.com(172.217.161.78); sb-ssl.google.com(172.217.161.78); 172.217.31.238 - suspicious
2.6 | | | admin
2535 | 2020-11-03 15:47 | test_zip_doc.eml | 01f1f0ec6e5dc25b2c1e8215d75f51d9 | Email Client Info Stealer Checks debugger unpack itself malicious URLs Ransomware Email
2.6 | | | admin