| 3871 |
2020-12-22 14:31
|
X00KP2W7CTZ.doc c58f6dbd86dd09e812f520b2f72fa2af
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
1
http://50.116.111.59:8080/np8osc7cezebsbzl/gniv579yd875/ufd81we87xk5vib/ - rule_id: 193
|
9
musickidsprogram.com(107.180.20.91) - malware
schooldz.co(70.32.23.73) - malware
amartaka.net(104.18.54.1) - mailcious
107.180.20.91 - malware
197.87.160.216 - mailcious
78.188.225.105 - mailcious
104.18.54.1 - mailcious
70.32.23.73 - malware
50.116.111.59 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
28 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3872 |
2020-12-22 15:11
|
Update.exe 808e1ade2dea30a742f120a5a26d6a32
VirusTotal Malware malicious URLs WriteConsoleW |
|
2
gore.p-e.kr(125.185.111.249)
125.185.111.249
|
|
|
3.2 |
|
59 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3873 |
2020-12-22 16:10
|
reg.exe c62b1e8e806ff0d93d1579721f2b2052
VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VMWare suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows Cryptographic key crashed |
|
|
|
|
11.2 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3874 |
2020-12-22 16:22
|
Paradox.exe 18db4025efcafb1584789e0fbdd3db2a
VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
3.0 |
|
33 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3875 |
2020-12-22 16:24
|
Paradox.exe 18db4025efcafb1584789e0fbdd3db2a
VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
3.0 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3876 |
2020-12-22 16:28
|
reg.exe c62b1e8e806ff0d93d1579721f2b2052
VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VMWare suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows Cryptographic key crashed |
|
|
|
|
11.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3877 |
2020-12-22 16:40
|
Paradox.exe 18db4025efcafb1584789e0fbdd3db2a
VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself malicious URLs Windows DNS Cryptographic key |
|
|
|
|
3.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3878 |
2020-12-22 16:40
|
reg.exe c62b1e8e806ff0d93d1579721f2b2052
VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VMWare suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows Cryptographic key crashed |
|
|
|
|
11.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3879 |
2020-12-22 18:25
|
4.5.jpg.exe 11acdd3bc366b04cbca2b5727d836ceb
VirusTotal Cryptocurrency Miner Malware Cryptocurrency PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Auto service Check virtual network interfaces suspicious process malicious URLs Tofsee Windows ComputerName DNS |
3
http://185.81.157.186/files/ex/551x64.png
https://pastebin.com/raw/g9Nyq98E
https://pastebin.com/raw/NkK1HH5V
|
3
pastebin.com(104.23.98.190) - mailcious
104.23.99.190 - mailcious
185.81.157.186 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Cryptocurrency Miner Checkin
|
|
12.4 |
M |
29 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3880 |
2020-12-22 18:28
|
4.5.exe e00c93a8d92089c7c76fbe9494756767
VirusTotal Cryptocurrency Miner Malware Cryptocurrency PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Auto service Check virtual network interfaces malicious URLs Tofsee Windows ComputerName DNS |
2
http://185.81.157.186/testmin/5.11x64.png
https://pastebin.com/raw/g9Nyq98E
|
3
pastebin.com(104.23.98.190) - mailcious
104.23.99.190 - mailcious
185.81.157.186 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Cryptocurrency Miner Checkin
|
|
11.8 |
M |
49 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3881 |
2020-12-22 18:35
|
45.exe c2c24dbead6a0c0e3028869440216664
VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself malicious URLs |
|
|
|
|
3.2 |
M |
50 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3882 |
2020-12-22 18:35
|
19932.0.exe a990743dc1d517be8fdbd9c16c32919e
VirusTotal Malware PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee ComputerName DNS |
1
https://pastebin.com/raw/tYFULNB5
|
3
pastebin.com(104.23.99.190) - mailcious
185.81.157.186 - malware
104.23.99.190 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
M |
45 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3883 |
2020-12-23 08:01
|
http://jomorder.co/wp-admin/l9... 46212534ccb9c29480ac03b9d9b61f45
Dridex VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://jomorder.co/wp-admin/l995meuTde1MTpf/
|
2
jomorder.co(103.27.74.190)
103.27.74.190
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3884 |
2020-12-23 09:06
|
19934.5.exe 63166f4636e5156006b25b214f8708ca
VirusTotal Malware PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee ComputerName DNS |
1
https://pastebin.com/raw/tYFULNB5
|
3
pastebin.com(104.23.99.190) - mailcious
185.81.157.186 - malware
104.23.98.190 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
M |
60 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3885 |
2020-12-23 09:07
|
datos.exe 5a67e5c4236e16b4ed8cf12576946eb0
Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns Malicious Traffic Check memory buffers extracted Creates shortcut Creates executable files unpack itself malicious URLs AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check Tofsee Ransomware Kovter Windows Tor ComputerName Remote Code Execution DNS keylogger |
7
http://139.162.210.252/tor/server/fp/0ac4c4d8bca8da7bae6be3fea87442e724353cbf
http://176.123.5.193/tor/server/fp/ccf38c8682e5936852f6f33a0a333aff30ca453f
http://23.129.64.192/tor/server/fp/a29d2a78a8a954819e220cefbebce95d2fcfa54d
http://91.250.242.12/tor/server/fp/951307ba74e44a9c9c208b2f134cda2409944075
http://91.234.19.55/tor/server/fp/204dfd2a2c6a0dc1fa0eacb495218e0b661704fd
http://89.35.34.33/tor/server/fp/2aba1345fc9975152372f42d06a1a7dcc870c2f5
https://api.ipify.org/
|
14
api.ipify.org(54.225.220.115)
time-a.nist.gov(129.6.15.28)
91.234.19.55
100.15.249.55
193.23.244.244 - mailcious
23.129.64.192
178.164.158.82
139.162.210.252
176.123.5.193
89.35.34.33
129.6.15.28
94.16.116.137
23.21.252.4
91.250.242.12
|
18
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 359
SURICATA HTTP Request abnormal Content-Encoding header
ET POLICY TOR Consensus Data Requested
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 205
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 154
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET P2P Tor Get Server Request
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 824
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Exit Node Traffic group 23
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 23
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 804
ET TOR Known Tor Exit Node Traffic group 150
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 150
ET TOR Known Tor Exit Node Traffic group 90
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 91
ET COMPROMISED Known Compromised or Hostile Host Traffic group 24
|
|
10.6 |
M |
53 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|