44971 | 2020-11-26 10:31
document.doc 57672c47c193f3a557553cab8126f356 VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed |
3
www.media-cruise.com() www.thelittleredcraftshack.com() 54.179.174.132 - suspicious
5
ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 27 | ZeroCERT
44972 | 2020-11-26 10:24
config2.json.exe db50f0059022bc9532961ea296494f03 VirusTotal Malware unpack itself malicious URLs crashed |
2.4 | M | 22 | ZeroCERT
44973 | 2020-11-26 10:17
chrome.exe eefab6a739efad4b904ee832f9179985 VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files Windows utilities malicious URLs WriteConsoleW Windows DNS keylogger |
2
sandshoe.myfirewall.org(79.134.225.105) 79.134.225.105 - suspicious
9.8 | M | 63 | ZeroCERT
44974 | 2020-11-26 10:16
CFILEE.exe 018460c9c7fba779d2c0b79c824ad5d4 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName |
7.8 | M | 41 | ZeroCERT
44975 | 2020-11-26 10:03
CFILEE.exe 018460c9c7fba779d2c0b79c824ad5d4 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName DNS |
9.8 | M | 41 | ZeroCERT
44976 | 2020-11-26 10:01
Bbyzuwhvoljsm1.exe 883025ad08af47c1efac400822932857 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName DNS |
1
3
www.google.com(172.217.25.196) 216.58.220.196 20.43.94.199
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 | M | 21 | ZeroCERT
44977 | 2020-11-26 09:31
ach.vbs 7eb75ac29bcdb9b04ffd7be21be218c0 Malware powershell Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut ICMP traffic unpack itself powershell.exe wrote Check virtual network interfaces malicious URLs WriteConsoleW Windows Java ComputerName DNS Cryptographic key DDNS |
6
google.com(172.217.26.46) creditcollectionglobal.co(68.65.120.230) - mailcious daemontime.myq-see.com(79.134.225.120) 79.134.225.120 - suspicious 216.58.199.14 - suspicious 68.65.120.230 - suspicious
3
ET INFO Observed DNS Query to .myq-see .com DDNS Domain ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
14.4 | M | | ZeroCERT
44978 | 2020-11-26 09:31
a14.exe 3eafc3e74deeffaccc2a203154265a30 Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows Email ComputerName DNS Software |
3
http://217.8.117.62/b2bsk4ddW/index.php http://217.8.117.62//b2bsk4ddW/index.php http://217.8.117.62//b2bsk4ddW/index.php?scr=up
1
217.8.117.62 - suspicious
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 38 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Amadey CnC Check-In
11.8 | M | 34 | ZeroCERT
44979 | 2020-11-26 07:54
http://195.3.146.180/cia.exe a7d58a3a9f2ff3e1fefd69ed12cceeb1 Dridex VirusTotal Malware Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader |
1
195.3.146.180 - suspicious
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO TLS Handshake Failure ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
6.6 | M | 49 | ZeroCERT
44980 | 2020-11-25 18:36
winlog2.exe 953183f2f75bd5550052ec78c16f1f28 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows |
5
http://www.theplatinumworld.com/ogg/?EzrxUr=z4WWY2NGDQA3TT970o2t6UJYrBZlOTp5t0HWRFWiJXrZveQAnQBDb/Q+hz+Oh6TLV9U4RDLY&anM=TXFDw2SpHTH0S http://www.moneybusinessclub.com/ogg/?EzrxUr=PD+A/uZZjHqP2DE+br7tala8gkAXPgZdBw4uif/jhwXtpQmdgbjHM7L4nfrDT9H/G3/GJr0I&anM=TXFDw2SpHTH0S http://www.mybuildingneeds.com/ogg/?EzrxUr=FSuMtK+4cIF2dgg9R8/Am8atNYEqepqwKIxzNRd2vmoZjUi8YNUHcO9eylnwG8TASaDp3Fc2&anM=TXFDw2SpHTH0S http://www.zdysks.com/ogg/?EzrxUr=h9fUdnKRQufkCbej0B2zDKYyE5dQPtw7ynwbYbfWK2SXogl5VJXj7+ljaUQejbnu0ocEcl3d&anM=TXFDw2SpHTH0S http://www.blog-cybersecurite.net/ogg/?EzrxUr=uyIbKDCrypeXPZ6yI4wWJtRQLd3qsroUFyMxRi5llJsKcNcLyiSZfqtWNsDNHLipxP26HmJh&anM=TXFDw2SpHTH0S
10
www.theplatinumworld.com(35.213.172.3) www.mybuildingneeds.com(162.241.85.210) www.moneybusinessclub.com(23.227.38.74) www.zdysks.com(172.120.175.60) www.blog-cybersecurite.net(213.186.33.5) 172.120.175.60 35.213.172.3 213.186.33.5 - suspicious 162.241.85.210 23.227.38.74
9.0 | M | 24 | ZeroCERT
44981 | 2020-11-25 18:32
winlog.exe a3369a332aebbd578c291cc27ccb354b Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName Software |
1
http://quehenbergar.com/coke/five/fre.php - rule_id: 110
2
quehenbergar.com() - mailcious 193.106.175.41
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://quehenbergar.com/coke/five/fre.php
17.0 | M | 44 | ZeroCERT
44982 | 2020-11-25 18:31
winlog2.exe 953183f2f75bd5550052ec78c16f1f28 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows |
9.2 | M | 24 | ZeroCERT
44983 | 2020-11-25 18:28
whe.exe 095e1574fea1e95a9ed568d2e679fb77 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed |
8.4 | M | 52 | ZeroCERT
44984 | 2020-11-25 18:28
vbc2.exe ec26b497c9a213858ee08585ff4b3f10 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software |
1
http://quehenbergar.com/coast/five/fre.php
2
quehenbergar.com(193.106.175.41) - mailcious 193.106.175.41
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
14.0 | M | 30 | ZeroCERT
44985 | 2020-11-25 18:22
vbc.exe f3d05ab1f7e10173609506ba7f343cd6 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
https://hastebin.com/raw/tedeqozodo
2
hastebin.com(104.24.127.89) - mailcious 172.67.143.180 - suspicious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 11 | ZeroCERT