| 44446 |
2020-12-22 16:24
|
Paradox.exe 18db4025efcafb1584789e0fbdd3db2a
VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
3.0 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44447 |
2020-12-22 16:22
|
Paradox.exe 18db4025efcafb1584789e0fbdd3db2a
VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
3.0 |
|
33 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44448 |
2020-12-22 16:10
|
reg.exe c62b1e8e806ff0d93d1579721f2b2052
VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VMWare suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows Cryptographic key crashed |
|
|
|
|
11.2 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44449 |
2020-12-22 15:11
|
Update.exe 808e1ade2dea30a742f120a5a26d6a32
VirusTotal Malware malicious URLs WriteConsoleW |
|
2
gore.p-e.kr(125.185.111.249)
125.185.111.249
|
|
|
3.2 |
|
59 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44450 |
2020-12-22 14:31
|
X00KP2W7CTZ.doc c58f6dbd86dd09e812f520b2f72fa2af
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
1
http://50.116.111.59:8080/np8osc7cezebsbzl/gniv579yd875/ufd81we87xk5vib/ - rule_id: 193
|
9
musickidsprogram.com(107.180.20.91) - malware
schooldz.co(70.32.23.73) - malware
amartaka.net(104.18.54.1) - mailcious
107.180.20.91 - malware
197.87.160.216 - mailcious
78.188.225.105 - mailcious
104.18.54.1 - mailcious
70.32.23.73 - malware
50.116.111.59 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
28 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44451 |
2020-12-22 14:31
|
XZ30IV23MGAC.doc 95f5812b150c3ddf46908e4d65efa830
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://50.116.111.59:8080/b9kcyola7sbskse2/lwiehhm3ps08of/io22rg2ehwdh7s7nhz/f9uarwk51l5wl22uj/iki45m25lmdch9/ - rule_id: 193
|
5
palladium.tdmcdev.co.za(197.242.155.144) - malware
197.87.160.216 - mailcious
197.242.155.144 - malware
50.116.111.59 - mailcious
78.188.225.105 - mailcious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
28 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44452 |
2020-12-22 13:30
|
L8MICS8W8.doc ab0df6e0ad74541979d7eeaf71f88c74
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://50.116.111.59:8080/lkbgvh2j/3hkkiis/k3dz5b15z/ - rule_id: 193
|
5
schooldz.co(70.32.23.73) - malware
197.87.160.216 - mailcious
78.188.225.105 - mailcious
70.32.23.73 - malware
50.116.111.59 - mailcious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44453 |
2020-12-22 13:30
|
OXZ5JY.doc 4f0f77186bc4b10b8f897f0313c6cda5
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://50.116.111.59:8080/au1q53vri3b5bgwn/i9ctnnaupsppu1/y4msoks89pdgoaff6d/37efkvoe55gygohun/t3f0lb516v51y6/ - rule_id: 193
|
7
enableinfosolutions.com(166.62.45.30) - malware
nguyenphuchn.com(45.32.124.178) - malware
197.87.160.216 - mailcious
166.62.45.30 - malware
78.188.225.105 - mailcious
45.32.124.178 - malware
50.116.111.59 - mailcious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
28 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44454 |
2020-12-22 12:24
|
HM68DCU.doc 4f0f77186bc4b10b8f897f0313c6cda5
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://50.116.111.59:8080/27chhoguocutamup/5imql7bgzmxb27gdx5w/u9fj1w7wwkbo8bxsv/ - rule_id: 193
|
9
enableinfosolutions.com(166.62.45.30) - malware
amartaka.net(104.18.55.1) - mailcious
nguyenphuchn.com(45.32.124.178) - malware
197.87.160.216 - mailcious
166.62.45.30 - malware
78.188.225.105 - mailcious
104.18.55.1
45.32.124.178 - malware
50.116.111.59 - mailcious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44455 |
2020-12-22 12:22
|
DE4GKQWD8CA.doc a6e82e49f8fac750dea41d36e926f4d9
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://50.116.111.59:8080/bz7nnk/ - rule_id: 193
https://update.googleapis.com/service/update2?cup2key=10:308671038&cup2hreq=3e3441fd0f40a06388e518ef6b977f6a1da78bd764227383e475bc0c5cb30b88
|
7
palladium.tdmcdev.co.za(197.242.155.144) - malware
musickidsprogram.com(107.180.20.91) - malware
107.180.20.91 - malware
197.87.160.216 - mailcious
78.188.225.105 - mailcious
50.116.111.59 - mailcious
197.242.155.144 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44456 |
2020-12-22 12:20
|
file.exe 6d048030d31349665bb357ad55cd79b1
VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.6 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44457 |
2020-12-22 11:40
|
ANC1QRIZ0X.doc 989c3a50ecfe2a54f97e739eee3154bf
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
1
http://50.116.111.59:8080/l5a5l1op6fchimox/ - rule_id: 193
|
7
palladium.tdmcdev.co.za(197.242.155.144) - malware
musickidsprogram.com(107.180.20.91) - malware
107.180.20.91 - malware
197.87.160.216 - mailcious
78.188.225.105 - mailcious
50.116.111.59 - mailcious
197.242.155.144 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://50.116.111.59:8080/
|
6.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44458 |
2020-12-22 11:39
|
config2.json.exe 062f86194f7d3281a7eac6238c635237
VirusTotal Malware unpack itself malicious URLs DNS crashed |
|
|
|
|
3.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44459 |
2020-12-22 11:21
|
78983-4.xlsm e8fecc39968a9add2d38560e88d3c07a
Malware download Dridex TrickBot VirusTotal Malware suspicious privilege Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces malicious URLs Kovter Windows ComputerName DNS crashed Downloader |
1
http://www.orthogen.com.tr/properties.png
|
7
www.orthogen.com.tr(5.180.184.204)
5.180.184.204
196.45.140.146
103.87.25.220
103.126.185.7
41.243.29.182
103.65.196.44
|
7
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
SURICATA Applayer Mismatch protocol both directions
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M4
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
10.0 |
|
2 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44460 |
2020-12-22 11:12
|
1WMZPO6LD84.doc c4a740227ca940d4bd157716f2c9f0e0
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
1
http://50.116.111.59:8080/up2bvtk2k3m5i88p/8xb0u79bai58/1robzvbdpq7sbc2/
|
5
swallow.tdmcdev.co.za(197.242.155.144) - malware
197.87.160.216
78.188.225.105
50.116.111.59
197.242.155.144 - malware
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
6.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|