44521 | 2020-12-17 16:19
vbn.exe 74e570ba5f6106f6e93121660da4f462 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key
1 | http://www.excellentsunshop.com/cgc/?v2=SU0xek3BHwTUkYY7nlKXQ7zeI8h4mxTMtb12zbJJxjrhGHWatOaRJA5AnYPvMNX+zCUTF0rO&oX=TxohN6vpNVWDF
2 | www.excellentsunshop.com(161.117.47.123) 161.117.47.123
13.2 | M | 43 | ZeroCERT
44522 | 2020-12-17 15:17
vbc.exe ae8d9001b6fc7686c84fb7cd58d95894 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself DNS
3.4 | M | 18 | ZeroCERT
44523 | 2020-12-17 15:15
suf.hta 3bc3c371d30b1a8633a3dbb3069e86ad VirusTotal Malware suspicious privilege Check memory WMI unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName
2 | www.hahae.co.kr(211.233.50.229) - mailcious 211.233.50.229 - malware
5.0 | M | 4 | guest
44524 | 2020-12-17 15:08
suf.hta 3bc3c371d30b1a8633a3dbb3069e86ad VirusTotal Malware crashed
1.0 | | 4 | guest
44525 | 2020-12-17 10:05
document.doc 01c8f989db53ea3a342cc16ede71e06f VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
1 | 54.169.136.76 - mailcious
6 | ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 27 | ZeroCERT
44526 | 2020-12-17 10:04
http://www.hahae.co.kr/new3/IS... 06cfdaf0990fcd6ace527e1ae005e36f Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
2 | http://www.hahae.co.kr/new3/ISAF/Libs/php/cross.php?op=1&dt=1214&uid=01 http://www.hahae.co.kr/favicon.ico
2 | www.hahae.co.kr(211.233.50.229) - mailcious 211.233.50.229 - malware
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.6 | | | ZeroCERT
44527 | 2020-12-17 09:50
winlog.exe 926682b2da9a8406bcb427da6a9e00ac Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Software
1 | http://webtex.ga/akin/gate.php
2 | webtex.ga(176.118.165.175) - mailcious 176.118.165.175
8 | ET MALWARE Trojan Generic - POST To gate.php with no referer ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.ga Domain ET INFO DNS Query for Suspicious .ga Domain ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
14.4 | M | 46 | ZeroCERT
44528 | 2020-12-17 09:49
diego.png.exe d8a449d9a8aa11d58db91e3dc2387595 VirusTotal Malware unpack itself DNS
2.4 | M | 17 | ZeroCERT
44529 | 2020-12-17 09:37
svchost.exe d543a59ba12985acaf4134c3ff427b86 NetWireRC VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process malicious URLs VMware anti-virtualization Windows ComputerName DNS Cryptographic key DDNS Software
2 | rnnfibi.hopto.org(194.5.98.33) - mailcious 194.5.98.33
1 | ET POLICY DNS Query to DynDNS Domain *.hopto .org
16.8 | M | 43 | ZeroCERT
44530 | 2020-12-17 09:36
prosperx.scr 9c13e16c165b2a914fd342729e7e919c VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key
1
9.0 | M | 23 | ZeroCERT
44531 | 2020-12-17 09:18
prosperx.scr 9c13e16c165b2a914fd342729e7e919c VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key
1
9.0 | M | 23 | ZeroCERT
44532 | 2020-12-17 09:16
OSW.exe f0e54257937a0cce319faf635a3e1f98 VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName
2.4 | M | 15 | ZeroCERT
44533 | 2020-12-17 09:01
Lab15-03-pr.exe cf30e80afa4570f94a066d0264c5a3da VirusTotal Malware malicious URLs sandbox evasion WriteConsoleW crashed
2 | http://rarcesearch.fun/funny.html http://rarcesearch.fun/1
2 | rarcesearch.fun(35.205.61.67) 35.205.61.67 - mailcious
3.4 | M | 45 | ZeroCERT
44534 | 2020-12-17 08:59
Lab16-01.exe 7faafc7e4a5c736ebfee6abbbc812d80 VirusTotal Malware Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows
4.6 | M | 40 | ZeroCERT
44535 | 2020-12-16 18:23
Lab15-03.exe bfadb08f07304b6b293707e4f9c9f1a9 VirusTotal Malware Malicious Traffic buffers extracted malicious URLs sandbox evasion WriteConsoleW Tofsee Windows DNS crashed
6 | http://redirector.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe http://www.practicalmalwareanalysis.com/tt.html http://r7---sn-3u-bh2lz.gvt1.com/edgedl/release2/update2/cvA_S5Xpe1gieHmJ_saL_Q_1.3.36.52/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Sd&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lz&ms=nvh&mt=1608110186&mv=m&mvi=7&pl=18&shardbypass=yes https://update.googleapis.com/service/update2 https://practicalmalwareanalysis.com/tt.html https://update.googleapis.com/service/update2?cup2key=10:177881428&cup2hreq=016457274a4079e7110e64f6d35cb10690bff0ad17ff457e6357bf2cfadfac2e
4 | www.practicalmalwareanalysis.com(192.0.78.25) r7---sn-3u-bh2lz.gvt1.com(59.18.45.210) 192.0.78.24 - mailcious 59.18.45.210
4 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
5.8 | M | 45 | ZeroCERT