Sandbox submission listing. Each entry below is laid out as: entry ID, submission date/time and submitting user; sample name and MD5; behaviour and signature tags; contacted URLs, hosts (with the sandbox's verdict suffix where it gave one: suspicious, malicious or malware) and Suricata/ET alerts, each with the count from the original listing; and the score line, which keeps the two unlabelled columns between the score and the user, where present, exactly as they appear on the original page. JA3-based alerts (SSLBL, ET JA3 Hash) fingerprint the TLS client stack rather than the payload, so the family named in such an alert is an attribution hint, not a verdict; the same Tofsee fingerprint fires on the Dridex-tagged entries below.

Entry 2641 | 2020-11-05 18:25 | user: admin
  Sample: tt.exe  MD5: fc63e8813cca45e82fdde362a2836794
  Tags: VirusTotal, Malware, unpack itself
  URLs: none
  Hosts: none
  Alerts: none
  Score: 2.0 | M | 25
Entry 2642 | 2020-11-05 18:26 | user: admin
  Sample: main.file.rtf  MD5: 55e166bdfb914283278f0f7d9dcc9f65
  Tags: Malware, Malicious Traffic, buffers extracted, exploit crash, unpack itself, malicious URLs, Tofsee, Exploit, crashed
  URLs (1):
    https://cdn-sop.net/202/8f8rO7e7zsx35Mmi38pAVx5cmQLe5IkBed85bmMn/-1/13897/171a9d16
  Hosts (2):
    cdn-sop.net(172.93.188.161)
    172.93.188.161
  Alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 4.2
Entry 2643 | 2020-11-06 07:38 | user: guest
  Sample: https://ultimatenutritiononlin... (name truncated on the original page)  MD5: c58dd175c569b8713620bcefa5635753
  Tags: Dridex, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
  URLs: none
  Hosts (3):
    ultimatenutritiononline.com(108.167.158.215)
    108.167.158.215
    117.18.232.200 - suspicious
  Alerts (3):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  Score: 4.8
Entry 2644 | 2020-11-06 07:44 | user: admin
  Sample: https://ultimatenutritiononlin... (name truncated on the original page)  MD5: c58dd175c569b8713620bcefa5635753
  Tags: Dridex, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
  URLs: none
  Hosts (3):
    ultimatenutritiononline.com(108.167.158.215) - malware
    108.167.158.215 - suspicious
    117.18.232.200 - suspicious
  Alerts (3):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  Score: 4.4
Entry 2645 | 2020-11-06 07:57 | user: admin
  Sample: http://216.170.114.73/chous.do... (name truncated on the original page)  MD5: 644c300e72c2a2eb7dea039dcf95af8a
  Tags: Dridex, VirusTotal, Malware, Code Injection, Malicious Traffic, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
  URLs (1):
    http://216.170.114.73/chous.doc
  Hosts (2):
    216.170.114.73 - suspicious
    117.18.232.200 - suspicious
  Alerts (5):
    ET INFO TLS Handshake Failure
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
    ET INFO Dotted Quad Host DOC Request
    ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
  Score: 5.8 | | 27
Entry 2646 | 2020-11-06 08:15 | user: admin
  Sample: http://movies3002.online/1.zip  MD5: d58abe50000351513990c86213e824bb
  Tags: none recorded
  URLs: none
  Hosts: none
  Alerts: none
  Score: not recorded
Entry 2647 | 2020-11-06 09:50 | user: admin
  Sample: http://175.208.134.150:8282/te... (name truncated on the original page)  MD5: 5c8e2fed189e7b7f7f1d9e756fd072f8
  Tags: Code Injection, RWX flags setting, unpack itself, Windows utilities, Windows, DNS
  URLs (2):
    http://175.208.134.150:8282/test/test.eml
    http://175.208.134.150:8282/favicon.ico
  Hosts (2):
    172.217.25.14 - suspicious
    175.208.134.150
  Alerts: none
  Score: 2.8
Entry 2648 | 2020-11-06 09:58 | user: guest
  Sample: ajhtredfga.exe  MD5: 5516ba90dc9a6978aaec99276ba4383c
  Tags: Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, WriteConsoleW, anti-virtualization, installed browsers check, OskiStealer, Stealer, Windows, Browser, Email, ComputerName
  URLs (11):
    http://217.8.117.77/ohtredfga.exe
    http://morasergiov.ac.ug/ - malicious
    http://morasergiov.ac.ug/vcruntime140.dll
    http://morasergiov.ac.ug/nss3.dll
    http://morasergiov.ac.ug/sqlite3.dll
    http://jamesrlongacre.ug/index.php - malicious
    http://morasergiov.ac.ug/freebl3.dll
    http://morasergiov.ac.ug/mozglue.dll
    http://morasergiov.ac.ug/main.php - malicious
    http://morasergiov.ac.ug/msvcp140.dll
    http://morasergiov.ac.ug/softokn3.dll
  Hosts (3):
    morasergiov.ac.ug(217.8.117.77) - malicious
    jamesrlongacre.ug(217.8.117.77) - malware
    217.8.117.77 - suspicious
  Alerts (7):
    ET DROP Spamhaus DROP Listed Traffic Inbound group 38
    ET INFO Executable Download from dotted-quad Host
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
    ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  Score: 18.0 | M | 51
Entry 2649 | 2020-11-06 10:06 | user: admin
  Sample: http://175.208.134.150:8282/te... (name truncated on the original page)  MD5: 5c8e2fed189e7b7f7f1d9e756fd072f8
  Tags: Code Injection, RWX flags setting, unpack itself, Windows utilities, Windows, DNS
  URLs (2):
    http://175.208.134.150:8282/test/test.eml
    http://175.208.134.150:8282/favicon.ico
  Hosts (2):
    172.217.25.14 - suspicious
    175.208.134.150
  Alerts: none
  Score: 2.8
Entry 2650 | 2020-11-06 10:19 | user: admin
  Sample: 7123854.xlsb  MD5: c55b3057e78df922252a6e2cec03cbd1
  Tags: VirusTotal, Malware, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, malicious URLs, WriteConsoleW, ComputerName, crashed
  URLs: none
  Hosts: none
  Alerts: none
  Score: 4.8 | | 4
Entry 2651 | 2020-11-06 10:20 | user: admin
  Sample: Clhwv8.exe  MD5: bea248598c663d948e0acacc45520392
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, DNS, Cryptographic key, Software, crashed
  URLs: none
  Hosts (1):
    172.217.25.14 - suspicious
  Alerts: none
  Score: 14.4 | M | 26
Entry 2652 | 2020-11-06 10:23 | user: admin
  Sample: document.doc  MD5: 79448c02d4b2b2e220122144474ee234
  Tags: LokiBot, Malware download, VirusTotal, Malware, c&c, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed, Downloader
  URLs (2):
    http://kregmartlime.ga/main/ex/us8/vbc.exe
    http://crestmart.ga/main/config/US/temp.php
  Hosts (3):
    crestmart.ga(46.173.214.75) - malicious
    kregmartlime.ga(46.173.214.75) - malware
    46.173.214.75 - suspicious
  Alerts (11):
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
    ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
    ET POLICY PE EXE or DLL Windows file download HTTP
  Score: 5.0 | M | 28
Entry 2653 | 2020-11-06 10:25 | user: admin
  Sample: document2.doc  MD5: 7fbbd3038fcb18fba29a100ed36821ad
  Tags: VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, DNS, crashed, Downloader
  URLs (3):
    http://www.abcsolucion.com/vdi/?-Z=XmqBrgm/s7sJaqHdKZUQX45I0MCw0sdqQpbMI0R4giA4jEtnVtacsT7YFth3uMROrJSEaG0d&rZ=X48HMfqP
    http://www.westermann-shop.com/vdi/?rZ=X48HMfqP&-Z=w6PY0/hsT1sd2nqyQp0d8BtC9NhnAFKUrNmR4SZhU1/BEmJAGkOSsP6FVKbEb6p0EWKD4LTW
    http://qdrenfa.com/~zadmin/ban2/ban2.exe
  Hosts (7):
    www.abcsolucion.com(162.241.61.243)
    www.westermann-shop.com(134.119.234.55)
    qdrenfa.com(46.173.214.75) - malicious
    134.119.234.55
    46.173.214.75 - suspicious
    162.241.61.243
    172.217.25.14 - suspicious
  Alerts (2):
    ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
    ET POLICY PE EXE or DLL Windows file download HTTP
  Score: 5.2 | M | 24
Entry 2654 | 2020-11-06 10:28 | user: admin
  Sample: document3.doc  MD5: d5c72a79881e7245bcb3fe135d4143f5
  Tags: LokiBot, Malware download, VirusTotal, Malware, c&c, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, Trojan, DNS, crashed
  URLs (2):
    http://magicview.ga/webxpo/gate.php
    http://duracom.ga/SD3/win32.exe
  Hosts (3):
    magicview.ga(46.173.214.75) - malicious
    duracom.ga(46.173.214.75) - malware
    46.173.214.75 - suspicious
  Alerts (13):
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE Possible Malicious Macro DL EXE Feb 2016
    ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET POLICY PE EXE or DLL Windows file download HTTP
  Score: 5.2 | M | 36
Entry 2655 | 2020-11-06 10:28 | user: admin
  Sample: f4n.exe  MD5: 1db6bd4d13cb9966e8875b3812aef71d
  Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, MachineGuid, Check memory, Collect installed applications, malicious URLs, sandbox evasion, anti-virtualization, IP Check, installed browsers check, Ransomware, Browser, ComputerName, Software
  URLs (1):
    http://api.ipify.org/?format=xml
  Hosts (4):
    cussoricti.com() (no resolved address recorded)
    api.ipify.org(184.73.247.141)
    54.225.153.147
    185.18.52.47
  Alerts (1):
    ET POLICY External IP Lookup (ipify .org)
  Score: 9.4 | M | 51
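Entries 2652, 2653 and 2654 all resolve their download and check-in domains to 46.173.214.75, and 117.18.232.200 appears under both Dridex-tagged entries 2643 and 2645; that kind of overlap is the first thing worth pulling out of a listing like this. The Python script below is an added example, not part of the original listing or of the sandbox that produced it. It parses the host field in the form printed above (domain(IP) with an optional " - verdict" suffix, and empty parentheses for a name that did not resolve) and pivots on the resolved IP across entries. The entry IDs and host strings are copied from the listing; the dict layout, function names and the "strong pivot" versus "enrich before use" labelling are the example's own. An IP shared across entries but never tied to a domain (172.217.25.14 here) is weaker evidence than one carrying several throwaway domains, and should be checked against known shared infrastructure before it is used as an indicator.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Host fields copied from entries in the listing above (entry ID -> raw host
# field). The strings are the page's own data; this dict is constructed for
# the example and covers only the entries that list hosts.
HOST_FIELDS = {
    2643: "ultimatenutritiononline.com(108.167.158.215) 108.167.158.215 117.18.232.200 - suspicious",
    2645: "216.170.114.73 - suspicious 117.18.232.200 - suspicious",
    2647: "172.217.25.14 - suspicious 175.208.134.150",
    2651: "172.217.25.14 - suspicious",
    2652: "crestmart.ga(46.173.214.75) - malicious kregmartlime.ga(46.173.214.75) - malware 46.173.214.75 - suspicious",
    2653: "www.abcsolucion.com(162.241.61.243) www.westermann-shop.com(134.119.234.55) qdrenfa.com(46.173.214.75) - malicious 134.119.234.55 46.173.214.75 - suspicious 162.241.61.243 172.217.25.14 - suspicious",
    2654: "magicview.ga(46.173.214.75) - malicious duracom.ga(46.173.214.75) - malware 46.173.214.75 - suspicious",
    2655: "cussoricti.com() api.ipify.org(184.73.247.141) 54.225.153.147 185.18.52.47",
}

# One host token: a domain or bare IP, an optional "(resolved IP)" suffix
# (empty parentheses mean the name did not resolve), and an optional
# " - verdict" suffix as the sandbox prints it.
HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9][A-Za-z0-9.-]*)"
    r"(?:\((?P<ip>[0-9.]*)\))?"
    r"(?:\s+-\s+(?P<verdict>[a-z]+))?"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class Host(NamedTuple):
    name: str
    ip: Optional[str]       # None when the domain did not resolve
    verdict: Optional[str]  # sandbox suffix, e.g. "suspicious", or None


def parse_hosts(field: str) -> List[Host]:
    """Split one raw host field into Host records, in listing order."""
    hosts = []
    for m in HOST_RE.finditer(field):
        name = m.group("name")
        if IPV4_RE.match(name):
            ip = name                      # bare IP entry
        else:
            ip = m.group("ip") or None     # domain: resolved IP, or None
        hosts.append(Host(name, ip, m.group("verdict")))
    return hosts


def shared_infrastructure(host_fields: Dict[int, str], min_samples: int = 2) -> Dict[str, dict]:
    """Pivot on resolved IPs: which entries touched each IP, under which
    domain names, and with which sandbox verdicts. Only IPs seen in at
    least `min_samples` distinct entries are returned."""
    by_ip: Dict[str, dict] = defaultdict(
        lambda: {"samples": set(), "domains": set(), "verdicts": set()}
    )
    for sample_id, field in host_fields.items():
        for h in parse_hosts(field):
            if h.ip is None:
                continue                   # unresolved name: nothing to pivot on
            rec = by_ip[h.ip]
            rec["samples"].add(sample_id)
            if h.name != h.ip:
                rec["domains"].add(h.name)
            if h.verdict:
                rec["verdicts"].add(h.verdict)
    return {ip: rec for ip, rec in by_ip.items() if len(rec["samples"]) >= min_samples}


if __name__ == "__main__":
    for ip, rec in sorted(shared_infrastructure(HOST_FIELDS).items()):
        # An IP that several throwaway domains point at is a stronger pivot
        # than one that only ever appears bare; the latter needs enrichment.
        strength = "strong pivot" if rec["domains"] else "enrich before use"
        print(f"{ip:16} entries={sorted(rec['samples'])} "
              f"domains={sorted(rec['domains'])} verdicts={sorted(rec['verdicts'])} -> {strength}")
```

Run as-is it reports 46.173.214.75 (five domains across three LokiBot-related entries), 117.18.232.200 (two Dridex entries, no domain) and 172.217.25.14 (three entries, no domain). The verdict suffixes are kept per IP rather than collapsed to a single label, since the sandbox gives the same address different verdicts depending on whether it is seen bare or behind a domain.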