| 45376 |
2020-11-12 18:16
|
koba.exe 9353d01ebee0c3e51ab99756ed0d5858
VirusTotal Malware AutoRuns PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Remote Code Execution |
1
https://Uw0soheevahjahsaifae.glowtrow.fun/image/urJ9gdmL_i2gc5upFXcESEVfA4beeau49U7C6_Vgoe7MeIl553cZMwp5CvusQLYK8H_VfaCynGlclkQK5ooEHlcSqlHDZOg9esW8MNl2Dxy0fGAXSsY_iyrbKCpSiqR9JxINxCrquiVekqKSQAbEe6Wuvw-TrFt5X2dqAHOhdlPK_e20/kitten.gif
|
4
GdrsqPZruMdDbqG.GdrsqPZruMdDbqG()
uw0soheevahjahsaifae.glowtrow.fun(172.67.207.117)
uTnvWjDVD.uTnvWjDVD()
172.67.207.117
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
|
38 |
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45377 |
2020-11-12 18:13
|
frankf.exe 15020601e34aba5ba33327768bfea90f
VirusTotal Malware Check memory Checks debugger unpack itself DNS crashed |
|
1
172.217.25.14 - suspicious
|
|
|
3.2 |
M |
20 |
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45378 |
2020-11-12 18:11
|
lm.exe 7963405aa32d8133136158a9797e05c4
AutoRuns PDB Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution |
|
2
YizvumLsWcW.YizvumLsWcW()
LRuZxZd.LRuZxZd()
|
|
|
7.0 |
|
|
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45379 |
2020-11-12 18:06
|
cash.exe 1d7b9d853d71cc41bf2e401070a8efb5
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName |
|
|
|
|
3.0 |
M |
21 |
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45380 |
2020-11-12 18:04
|
xyy.exe 9c6fb8746b6cccb65cee1d12cfe9dd67
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
|
|
|
|
10.8 |
M |
18 |
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45381 |
2020-11-12 17:55
|
ohms.exe 9fb233f62041871884ea5a8235a8b6c2
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
4
api.ipify.org(184.73.247.141)
crt.comodoca.com(91.199.212.52)
91.199.212.52
54.225.66.103
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
40 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45382 |
2020-11-12 17:51
|
b.exe 268f6a197a208cca3d28c81059a0267d
Code Injection Checks debugger buffers extracted RWX flags setting unpack itself malicious URLs ComputerName Remote Code Execution DNS |
|
2
172.217.25.14 - suspicious
194.113.34.49
|
|
|
9.0 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45383 |
2020-11-12 17:50
|
oscjgfhwvvas.exe 9c4dae36c101af2a1bf1b1de16ee5868
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself malicious URLs Windows |
|
|
|
|
7.4 |
M |
45 |
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45384 |
2020-11-12 17:23
|
b.exe 268f6a197a208cca3d28c81059a0267d
Code Injection Checks debugger buffers extracted RWX flags setting unpack itself malicious URLs ComputerName Remote Code Execution DNS |
|
2
172.217.25.14 - suspicious
194.113.34.49
|
|
|
9.0 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45385 |
2020-11-12 17:22
|
b.exe 268f6a197a208cca3d28c81059a0267d
Code Injection Checks debugger buffers extracted RWX flags setting unpack itself malicious URLs ComputerName Remote Code Execution DNS |
|
1
|
|
|
9.0 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45386 |
2020-11-12 16:50
|
ohms.exe 9fb233f62041871884ea5a8235a8b6c2
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
4
api.ipify.org(54.235.142.93)
crt.comodoca.com(91.199.212.52)
54.243.161.145
91.199.212.52
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.6 |
M |
40 |
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45387 |
2020-11-12 16:39
|
document3.doc d5c72a79881e7245bcb3fe135d4143f5
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed |
1
http://magicview.ga/webxpo/gate.php - rule_id: 94
|
3
magicview.ga(77.223.96.18) - mailcious
duracom.ga(77.223.96.18) - malware
77.223.96.18
|
13
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
|
1
http://magicview.ga/webxpo/gate.php
|
5.2 |
M |
33 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45388 |
2020-11-12 16:32
|
new.exe c0bd12ba651f8b291161a4e1886a6081
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed |
1
http://192.210.214.146/webpanel-majorboy2/inc/3321836fba4ddd.php
|
1
192.210.214.146 - suspicious
|
|
|
10.0 |
|
24 |
SFPark
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45389 |
2020-11-12 16:29
|
document3.doc d5c72a79881e7245bcb3fe135d4143f5
Malware download VirusTotal Malware exploit crash unpack itself Windows Exploit DNS crashed |
|
2
duracom.ga(77.223.96.18) - malware
77.223.96.18
|
4
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
3.6 |
M |
33 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45390 |
2020-11-12 15:52
|
document3.doc d5c72a79881e7245bcb3fe135d4143f5
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit Trojan DNS crashed |
2
http://magicview.ga/webxpo/gate.php - mailcious
http://duracom.ga/SD3/win32.exe - malware
|
3
magicview.ga(77.223.96.18) - mailcious
duracom.ga(77.223.96.18) - malware
77.223.96.18
|
13
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET POLICY PE EXE or DLL Windows file download HTTP
|
1
http://magicview.ga/webxpo/gate.php
|
4.4 |
M |
33 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|