| 44641 |
2020-12-10 23:29
|
zonetor.exe 6bc7aa419dc5a3cbfc520f22a59c2b8b
VirusTotal Malware suspicious privilege Check memory buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs IP Check Tofsee Ransomware Interception Windows Tor ComputerName DNS keylogger |
1
https://myexternalip.com/raw
|
8
myexternalip.com(216.239.32.21)
94.130.171.63
31.185.104.19
147.135.6.69
176.9.40.131
216.239.36.21 - suspicious
108.53.208.157
37.120.174.249 - mailcious
|
5
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 577
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 222
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 287
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 166
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44642 |
2020-12-10 23:28
|
X2.exe 78b9c1744de7f8ddef1680319bfd354c
Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44643 |
2020-12-10 23:21
|
win32.exe 8d5bd34794ba7ea25340f86a02a541c8
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName Trojan DNS Software |
|
2
begadi.ga(93.189.42.91) - mailcious
93.189.42.91
|
10
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
15.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44644 |
2020-12-10 23:21
|
win.doc f0380e5176d3bc9ca533dbe45d171e49
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Exploit DNS crashed |
|
1
|
1
ET INFO Executable Download from dotted-quad Host
|
|
5.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44645 |
2020-12-10 23:15
|
svchost.exe cf38f6f8b3eeb914316d54174854dd36
VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder DNS crashed |
|
|
|
|
3.8 |
M |
26 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44646 |
2020-12-10 23:15
|
svchost2.exe d3da2b742449333f758de33b3506409b
VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself malicious URLs |
|
|
|
|
2.8 |
M |
28 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44647 |
2020-12-10 22:57
|
Reycmtl_Signed_.xlsx dfba505056fd8177dca4e19a2b18aae1
unpack itself malicious URLs |
|
|
|
|
2.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44648 |
2020-12-10 22:56
|
rot.exe fb382afd515c00e6347893d2f416ed19
VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://hastebin.com/raw/eyegajehok
https://hastebin.com/raw/lulekuropu
|
2
hastebin.com(104.24.127.89) - mailcious
172.67.143.180 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
M |
41 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44649 |
2020-12-10 22:36
|
output.xls f7af5da0b8a984e944868d021d136295
VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
https://tinyurl.com/yyzsq9nf
|
2
tinyurl.com(172.67.1.225) - mailcious
104.20.138.65 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
M |
12 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44650 |
2020-12-10 22:36
|
PJAS#104256.xls 2c37e2b780112b33d40af28f91291e09
VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://tinyurl.com/y6m5spjf
|
2
tinyurl.com(104.20.138.65) - mailcious
104.20.139.65 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44651 |
2020-12-10 19:22
|
op.exe 7e67efbba22afde4bcabfb39000f726f
VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee ComputerName crashed |
38
https://hastebin.com/raw/fexibifivu
https://hastebin.com/raw/cokemuzuyi
https://hastebin.com/raw/awujoqayit
https://hastebin.com/raw/ocawixetex
https://hastebin.com/raw/yuqudiwufu
https://hastebin.com/raw/puqusopolo
https://hastebin.com/raw/saqejutede
https://hastebin.com/raw/alihufozub
https://hastebin.com/raw/rumiqatafu
https://hastebin.com/raw/iwuwemijez
https://hastebin.com/raw/nuforicudi
https://hastebin.com/raw/ronoxeqiru
https://hastebin.com/raw/uyedokuhiz
https://hastebin.com/raw/zobocayuyi
https://hastebin.com/raw/hugujupizo
https://hastebin.com/raw/isexowapak
https://hastebin.com/raw/exowagoxih
https://hastebin.com/raw/siworufuye
https://hastebin.com/raw/nubojiloro
https://hastebin.com/raw/gibeyurefe
https://hastebin.com/raw/oropugagub
https://hastebin.com/raw/ayapezafal
https://hastebin.com/raw/riditusuvi
https://hastebin.com/raw/afojoviyak
https://hastebin.com/raw/uzulonuqeh
https://hastebin.com/raw/ayoyatased
https://hastebin.com/raw/olacuyazec
https://hastebin.com/raw/tesilawedo
https://hastebin.com/raw/hiyevukuti
https://hastebin.com/raw/ukiqagasil
https://hastebin.com/raw/ukonudufax
https://hastebin.com/raw/eduqomezib
https://hastebin.com/raw/ihiseceteg
https://hastebin.com/raw/enecegazok
https://hastebin.com/raw/ecayaxuwij
https://hastebin.com/raw/jaqefopoxe
https://hastebin.com/raw/exahererax
https://hastebin.com/raw/lidopeminu
|
2
hastebin.com(172.67.143.180) - mailcious
104.24.126.89 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
M |
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44652 |
2020-12-10 19:21
|
OOhms.exe 0a1251ea53849db102c5a07c0deb63b2
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs Windows ComputerName DNS Cryptographic key |
|
|
|
|
3.8 |
M |
45 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44653 |
2020-12-10 19:00
|
OG.exe 52c1c0a68da545fd829d2b5ed7c2b4f4
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Ransomware Windows Tor ComputerName DNS Cryptographic key crashed |
|
|
|
|
13.4 |
M |
16 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44654 |
2020-12-10 19:00
|
oat.exe 3c9f99f80db4eda2078a8564afe7185f
Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key crashed keylogger |
4
https://hastebin.com/raw/owevufadiv
https://hastebin.com/raw/boxulixina
https://hastebin.com/raw/egocozidab
https://hastebin.com/raw/vezufanayu
|
2
hastebin.com(104.24.127.89) - mailcious
104.24.126.89 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.6 |
M |
35 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44655 |
2020-12-10 18:52
|
nd.exe d2143133b45d9a684c06edb3b9b2c81c
VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Checks Bios Detects VirtualBox Check virtual network interfaces suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Tofsee Windows ComputerName DNS Cryptographic key Software crashed |
38
https://hastebin.com/raw/ejoxacutog
https://hastebin.com/raw/ajizaneqep
https://hastebin.com/raw/ahixebawov
https://hastebin.com/raw/uyiticizex
https://hastebin.com/raw/atudamanev
https://hastebin.com/raw/iveqiqaqid
https://hastebin.com/raw/kagaxarira
https://hastebin.com/raw/mafoxibuti
https://hastebin.com/raw/vikimuhiri
https://hastebin.com/raw/uxusacikib
https://hastebin.com/raw/ijudugigeg
https://hastebin.com/raw/joricagove
https://hastebin.com/raw/ameyidipiq
https://hastebin.com/raw/utaciqadey
https://hastebin.com/raw/acafanakac
https://hastebin.com/raw/ikuqifiyak
https://hastebin.com/raw/ahasoticug
https://hastebin.com/raw/nonilabigu
https://hastebin.com/raw/ujopeqevon
https://hastebin.com/raw/ubikuqitik
https://hastebin.com/raw/raziqizoda
https://hastebin.com/raw/vokilacemu
https://hastebin.com/raw/uxiyavisev
https://hastebin.com/raw/iyovujiqef
https://hastebin.com/raw/evolazezun
https://hastebin.com/raw/iwalovetog
https://hastebin.com/raw/izekayenem
https://hastebin.com/raw/efiyoyirol
https://hastebin.com/raw/kufacucavo
https://hastebin.com/raw/igilobalir
https://hastebin.com/raw/epijepujey
https://hastebin.com/raw/mivaciguti
https://hastebin.com/raw/gutiqetoni
https://hastebin.com/raw/xuquzovoyu
https://hastebin.com/raw/zegemunowu
https://hastebin.com/raw/ugojehazuj
https://hastebin.com/raw/yopotelube
https://hastebin.com/raw/caqesedilu
|
2
hastebin.com(104.24.126.89) - mailcious
104.24.127.89 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.4 |
M |
38 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|