| 44971 |
2020-11-26 10:31
|
document.doc 57672c47c193f3a557553cab8126f356
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed |
|
3
www.media-cruise.com()
www.thelittleredcraftshack.com()
54.179.174.132 - suspicious
|
5
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44972 |
2020-11-26 10:24
|
config2.json.exe db50f0059022bc9532961ea296494f03
VirusTotal Malware unpack itself malicious URLs crashed |
|
|
|
|
2.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44973 |
2020-11-26 10:17
|
chrome.exe eefab6a739efad4b904ee832f9179985
VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files Windows utilities malicious URLs WriteConsoleW Windows DNS keylogger |
|
2
sandshoe.myfirewall.org(79.134.225.105)
79.134.225.105 - suspicious
|
|
|
9.8 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44974 |
2020-11-26 10:16
|
CFILEE.exe 018460c9c7fba779d2c0b79c824ad5d4
VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName |
|
|
|
|
7.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44975 |
2020-11-26 10:03
|
CFILEE.exe 018460c9c7fba779d2c0b79c824ad5d4
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS |
|
|
|
|
9.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44976 |
2020-11-26 10:01
|
Bbyzuwhvoljsm1.exe 883025ad08af47c1efac400822932857
VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName DNS |
1
|
3
www.google.com(172.217.25.196)
216.58.220.196
20.43.94.199
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44977 |
2020-11-26 09:31
|
ach.vbs 7eb75ac29bcdb9b04ffd7be21be218c0
Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut ICMP traffic unpack itself powershell.exe wrote Check virtual network interfaces malicious URLs WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS |
|
6
google.com(172.217.26.46)
creditcollectionglobal.co(68.65.120.230) - mailcious
daemontime.myq-see.com(79.134.225.120)
79.134.225.120 - suspicious
216.58.199.14 - suspicious
68.65.120.230 - suspicious
|
3
ET INFO Observed DNS Query to .myq-see .com DDNS Domain
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
|
|
14.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44978 |
2020-11-26 09:31
|
a14.exe 3eafc3e74deeffaccc2a203154265a30
Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows Email ComputerName DNS Software |
3
http://217.8.117.62/b2bsk4ddW/index.php
http://217.8.117.62//b2bsk4ddW/index.php
http://217.8.117.62//b2bsk4ddW/index.php?scr=up
|
1
217.8.117.62 - suspicious
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 38
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Amadey CnC Check-In
|
|
11.8 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44979 |
2020-11-26 07:54
|
http://195.3.146.180/cia.exe a7d58a3a9f2ff3e1fefd69ed12cceeb1
Dridex VirusTotal Malware Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader |
|
1
195.3.146.180 - suspicious
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
6.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44980 |
2020-11-25 18:36
|
winlog2.exe 953183f2f75bd5550052ec78c16f1f28
VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows |
5
http://www.theplatinumworld.com/ogg/?EzrxUr=z4WWY2NGDQA3TT970o2t6UJYrBZlOTp5t0HWRFWiJXrZveQAnQBDb/Q+hz+Oh6TLV9U4RDLY&anM=TXFDw2SpHTH0S
http://www.moneybusinessclub.com/ogg/?EzrxUr=PD+A/uZZjHqP2DE+br7tala8gkAXPgZdBw4uif/jhwXtpQmdgbjHM7L4nfrDT9H/G3/GJr0I&anM=TXFDw2SpHTH0S
http://www.mybuildingneeds.com/ogg/?EzrxUr=FSuMtK+4cIF2dgg9R8/Am8atNYEqepqwKIxzNRd2vmoZjUi8YNUHcO9eylnwG8TASaDp3Fc2&anM=TXFDw2SpHTH0S
http://www.zdysks.com/ogg/?EzrxUr=h9fUdnKRQufkCbej0B2zDKYyE5dQPtw7ynwbYbfWK2SXogl5VJXj7+ljaUQejbnu0ocEcl3d&anM=TXFDw2SpHTH0S
http://www.blog-cybersecurite.net/ogg/?EzrxUr=uyIbKDCrypeXPZ6yI4wWJtRQLd3qsroUFyMxRi5llJsKcNcLyiSZfqtWNsDNHLipxP26HmJh&anM=TXFDw2SpHTH0S
|
10
www.theplatinumworld.com(35.213.172.3)
www.mybuildingneeds.com(162.241.85.210)
www.moneybusinessclub.com(23.227.38.74)
www.zdysks.com(172.120.175.60)
www.blog-cybersecurite.net(213.186.33.5)
172.120.175.60
35.213.172.3
213.186.33.5 - suspicious
162.241.85.210
23.227.38.74
|
|
|
9.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44981 |
2020-11-25 18:32
|
winlog.exe a3369a332aebbd578c291cc27ccb354b
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName Software |
1
http://quehenbergar.com/coke/five/fre.php - rule_id: 110
|
2
quehenbergar.com() - mailcious
193.106.175.41
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://quehenbergar.com/coke/five/fre.php
|
17.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44982 |
2020-11-25 18:31
|
winlog2.exe 953183f2f75bd5550052ec78c16f1f28
VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows |
|
|
|
|
9.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44983 |
2020-11-25 18:28
|
whe.exe 095e1574fea1e95a9ed568d2e679fb77
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed |
|
|
|
|
8.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44984 |
2020-11-25 18:28
|
vbc2.exe ec26b497c9a213858ee08585ff4b3f10
Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software |
1
http://quehenbergar.com/coast/five/fre.php
|
2
quehenbergar.com(193.106.175.41) - mailcious
193.106.175.41
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
14.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44985 |
2020-11-25 18:22
|
vbc.exe f3d05ab1f7e10173609506ba7f343cd6
VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
https://hastebin.com/raw/tedeqozodo
|
2
hastebin.com(104.24.127.89) - mailcious
172.67.143.180 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|