| 3061 |
2020-11-16 18:30
|
sendhookfile.exe 7555e7e8511af8c51837674d79f6e391
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName |
|
|
|
|
3.0 |
M |
58 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3062 |
2020-11-16 23:19
|
10674100.jpg.exe a8d086952534df0b84fbd100e0b39f7d
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check human activity check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
5
freegeoip.app(172.67.188.154)
checkip.dyndns.org(162.88.193.70)
104.28.5.151
131.186.161.70
167.88.170.103
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SURICATA Applayer Detect protocol only one direction
|
|
10.2 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3063 |
2020-11-16 23:28
|
BOQ8600.txt.exe 5f3d7585543a71950085cb925730494e
VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName Cryptographic key |
1
|
2
api.ipify.org(23.21.42.25)
54.225.169.28
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
12.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3064 |
2020-11-16 23:28
|
invoice_141147.doc c11c7bd737d1dcf126e3cea347737ae6
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed Downloader |
1
http://magicview.ga/akin/gate.php - rule_id: 96
|
5
magicview.ga(8.208.99.216) - mailcious
unitedstdyfrkesokoriorimistreetsmstgpd.ydns.eu(103.141.138.122) - malware
8.208.99.216
103.141.138.122 - suspicious
172.217.25.14 - suspicious
|
12
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET INFO DNS Query for Suspicious .ga Domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://magicview.ga/akin/gate.php
|
5.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3065 |
2020-11-16 23:37
|
vbc.exe ffdeea6205f5911f3e7d7b103308c3e2
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software |
1
http://magicview.ga/akin/gate.php - rule_id: 96
|
2
magicview.ga(8.208.99.216) - mailcious
8.208.99.216
|
10
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO DNS Query for Suspicious .ga Domain
|
1
http://magicview.ga/akin/gate.php
|
7.8 |
M |
67 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3066 |
2020-11-16 23:41
|
BOQ8600.txt.exe 5f3d7585543a71950085cb925730494e
VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName Cryptographic key |
1
|
2
api.ipify.org(50.19.252.36)
54.235.83.248
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
12.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3067 |
2020-11-16 23:43
|
web ori2.exe 3b7b6e39851547b367a5f4e398cea7bd
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
5
aarque.co(45.155.36.57) - mailcious
pastebin.com(104.23.98.190) - mailcious
45.155.36.57 - suspicious
104.23.99.190 - suspicious
172.217.25.14 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
19.0 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3068 |
2020-11-16 23:47
|
Setup.exe 142a8356420248e2ccbfa977b576279c
VirusTotal Malware Check memory Checks debugger WMI unpack itself ComputerName |
|
|
|
|
2.8 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3069 |
2020-11-16 23:51
|
svchost.exe 9044b597dc455f00b922491411426ef6
VirusTotal Malware PDB Malicious Traffic RWX flags setting unpack itself malicious URLs ComputerName DNS |
2
http://45.63.58.134/WGTcpDEjfJlnd9IASbPhArlczzzhLNQC
http://45.63.58.134/g.pixel
|
1
45.63.58.134 - suspicious
|
|
|
6.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3070 |
2020-11-16 23:53
|
arch64.exe 62993bb7deb866e9d52ac4221d266468
VirusTotal Malware RWX flags setting unpack itself Windows utilities suspicious process malicious URLs Windows ComputerName DNS |
2
http://45.134.21.8:61/SDuQ
http://45.134.21.8:61/fwlink
|
2
45.134.21.8
172.217.25.14 - suspicious
|
|
|
5.8 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3071 |
2020-11-17 07:21
|
http://download.logins.online/... 9f566a164a5c6ae046c24d0e911dc577
Dridex VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://download.logins.online/exe/LinK13112020.msi
|
3
download.logins.online(172.67.136.62)
172.67.136.62
117.18.232.200 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
6 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3072 |
2020-11-17 07:30
|
http://stoplyingme.com/pdf/nas... d9e4ff69934ce995feaa9e54e0d5ad07
VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities malicious URLs Windows Exploit DNS crashed |
1
http://stoplyingme.com/pdf/nass.exe
|
3
stoplyingme.com(37.72.175.148)
172.217.25.14 - suspicious
37.72.175.148
|
1
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3073 |
2020-11-17 09:03
|
document-1559797301.xlsb b716cc176fe7a6c664ee428bcda1704e
unpack itself malicious URLs |
|
|
|
|
1.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3074 |
2020-11-17 09:08
|
161120.gif.exe 62796a07ec927fa798d39dbcaa16a967
unpack itself Remote Code Execution |
|
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3075 |
2020-11-17 09:09
|
document-1559797301.xlsb b716cc176fe7a6c664ee428bcda1704e
unpack itself malicious URLs |
|
|
|
|
2.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|