2626 |
2020-11-05 11:11
|
Client.exe 1e5f3d37e050d773f8798da41b372984 malicious URLs WriteConsoleW |
|
|
|
|
2.2 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2627 |
2020-11-05 11:22
|
온라인+학술대회+한시적+지원+관련+Q&A.hwp... 257a81471a001af1fa0d82069c92993c VirusTotal Malware Checks debugger Creates shortcut Creates executable files unpack itself malicious URLs DNS |
|
1
172.217.25.14 - suspicious
|
|
|
3.8 |
M |
30 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2628 |
2020-11-05 11:43
|
FILE_336.zip 47c75f290ec56d8450f333a4deed2494 Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed |
|
2
172.217.25.14 - suspicious 117.18.232.200 - suspicious
|
|
|
3.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2629 |
2020-11-05 12:21
|
c7e640e2617d5fdaa6fc4d50d98ca3... 6400bca5e8d52210b733f79370449e3b VirusTotal Email Client Info Stealer Malware Malicious Traffic Checks debugger unpack itself malicious URLs suspicious TLD Tofsee Ransomware Email DNS |
6
http://superbetprediction.com/js/Qo/ - malware http://nguyenlieuphachehanoi.com/wp-admin/kL/ - malware http://pattanitkpark.com/gipe2h/iqt/ - malware http://huaibangchina.com/kic3kc/c/ - malware http://superbetprediction.com/js/Qo http://notesever.com/cgi-bin/Cfs/ - malware
|
14
pattanitkpark.com(122.154.56.109) - malware notesever.com(208.109.9.44) - malware www.xxdaytoy.top(8.210.23.28) - malware babyshop.webdungsan.com() - malware huaibangchina.com(39.100.15.2) - malware superbetprediction.com(185.210.145.110) - malware nguyenlieuphachehanoi.com(103.101.161.23) - malware 8.210.23.28 - suspicious 39.100.15.2 - suspicious 208.109.9.44 - suspicious 185.210.145.110 122.154.56.109 - suspicious 172.217.25.14 - suspicious 103.101.161.23 - suspicious
|
2
ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.2 |
M |
29 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2630 |
2020-11-05 12:44
|
abc.doc 9c4bc837af9308a9a4a89220ed106145 VirusTotal Malware buffers extracted exploit crash unpack itself malicious URLs Tofsee Exploit DNS crashed |
3
http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092 https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.327.342.0/x86/mpas-fe.exe https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
|
5
definitionupdates.microsoft.com(104.109.240.114) www.microsoft.com(23.212.13.232) 23.53.224.34 104.76.88.63 23.212.13.232
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
31 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2631 |
2020-11-05 13:43
|
bob.exe 97cb8ea6cb97811e07cf485bf4187e2f Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself malicious URLs Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
9.2 |
M |
41 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2632 |
2020-11-05 13:45
|
peace.exe c74a4de1af2ca02c62ab19625eb98b8b Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
|
|
|
|
9.8 |
M |
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2633 |
2020-11-05 13:53
|
lvs7kabg6ouix3r.exe d32acba23526d5c591027df645884b39 Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName DNS |
|
2
172.217.25.14 - suspicious 84.38.134.114 - suspicious
|
1
ET MALWARE Possible NanoCore C2 60B
|
|
14.8 |
M |
53 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2634 |
2020-11-05 18:08
|
peace.exe c74a4de1af2ca02c62ab19625eb98b8b Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
|
|
|
|
9.8 |
M |
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2635 |
2020-11-05 18:08
|
f4n.exe 1db6bd4d13cb9966e8875b3812aef71d Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName Software |
1
http://api.ipify.org/?format=xml
|
4
cussoricti.com(62.76.40.132) api.ipify.org(184.73.247.141) 50.19.252.36 62.76.40.132
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
8.6 |
|
32 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2636 |
2020-11-05 18:11
|
vbc.exe b95a2c81ccdad3a6515190121cdf4e90 VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder DNS crashed |
|
1
172.217.25.14 - suspicious
|
|
|
3.6 |
|
14 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2637 |
2020-11-05 18:13
|
invoice_141144.doc 4c084f9a7c1a961a35768108ca70e1f5 LokiBot Malware download Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed Downloader |
2
http://unitedfrtsdykesokoriorimistreetsmtsfma.ydns.eu/chnsfrnd1/vbc.exe http://magicview.ga/akin/gate.php
|
4
magicview.ga(91.203.193.242) - mailcious unitedfrtsdykesokoriorimistreetsmtsfma.ydns.eu(103.141.138.122) 91.203.193.242 - suspicious 103.141.138.122 - suspicious
|
12
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET INFO DNS Query for Suspicious .ga Domain ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET POLICY PE EXE or DLL Windows file download HTTP
|
|
4.2 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2638 |
2020-11-05 18:21
|
26848.exe 8bac2dfe38653583440ca35fffb5180e Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Browser Email ComputerName Remote Code Execution DNS Software crashed |
1
http://185.208.182.54/mmc/index.php
|
1
|
1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
|
16.8 |
M |
37 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2639 |
2020-11-05 18:22
|
info.exe e2ec666e8f1c920dbdf54816e2350fac VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.6 |
M |
58 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2640 |
2020-11-05 18:23
|
document.doc 01a61f8646cf09a907c9876b2a3f0227 LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
2
http://kregmartlime.ga/main/ex/ap1/vbc.exe - malware http://crestmart.ga/main/config/emma/temp.php
|
3
crestmart.ga(91.203.193.242) - mailcious kregmartlime.ga(91.203.193.242) - malware 91.203.193.242 - suspicious
|
11
ET INFO DNS Query for Suspicious .ga Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP
|
|
4.8 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|