| 45571 |
2020-11-09 09:25
|
http://148.163.12.101/WMndFrdk... d41d8cd98f00b204e9800998ecf8427e
Dridex Malware MachineGuid Code Injection Malicious Traffic buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Detects VMWare malicious URLs VMware anti-virtualization Tofsee Windows Exploit ComputerName Remote Code Execution DNS crashed |
32
http://213.159.203.207/favicon.ico
http://213.159.203.207/views/rdpb3udnofc8etf0l3a1jdiqek.swf
http://213.159.203.207/views/s4jjqqptbg5tbnp5q1a70vbp30.wav
http://213.159.203.207/views/6bb1568jo2ek0hrc9htdnbtugc.html
http://213.159.203.207/js/75igt458lmif5le9cg5aic3bq8.js
http://213.159.203.207/static/tinyjs.min.js
http://213.159.203.207/logo.swf
http://213.159.203.207/static/encrypt.min.js
http://213.159.203.207/images/captcha.png?mod=attachment&u=c4e997449a0304b8f0e86ed9b1a02893
http://213.159.203.207/views/lu0ie4nlb1a683q0rgedljr0ps.html
http://213.159.203.207/pubs/servlet.php?fp=7879ddce894732bc87601131d5c45cb1&lang=ko&token=&id=49602&sign=504a15b3c39c531bb490d070e90a54ad&validate=d29086bebf2daf64bc641279855a3c07
http://213.159.203.207/views/vnpbqti1fm79cvu6clf2psjop0.wav
http://148.163.12.101/WMndFrdk?keyword=Other&cost=0.00100&ad_campaign_id=262704&source=145866
http://213.159.203.207/index.php?ad_campaign_id=262704&browser=Internet+Explorer&browser_version=9.0&country=KR&id=698&os=Windows&os_version=7
http://213.159.203.207/pubs/article.php?id=7c9dfe57676505f24a0d11649c36f69f
http://213.159.203.207/js/bh95n09106uh4hsmnhar2nnb5o.js
http://213.159.203.207/pubs/wiki.php?id=7db44cc8397c202185532cf3ee87917f
http://213.159.203.207/views/b9t3mbu486appfvh8lica7t544.html
https://www.huobi.fm/topic/invited/?invite_code=quyq3
https://www.huobi.fm/favicon.ico
https://file.hbfile.net/global/image/invited-bg.7561a62.png
https://file.hbfile.net/global/script/topic/invited.16cb1a640694cf25be36.js
https://file.hbfile.net/global/image/share_logo.32d525d.jpg
https://file.hbfile.net/global/script/runtime.7300d7561df0519d0eef.js
https://file.hbfile.net/global/image/dialogs-close.4f01033.svg
https://file.hbfile.net/global/script/commons.6f744463ff1d4e4fab85.js
https://file.hbfile.net/global/image/tips_gold_bg.7eabc9b.png
https://file.hbfile.net/global/image/tips_diamond_bg.f36ec40.png
https://file.hbfile.net/global/image/icon-inmail.1da2242.svg
https://file.hbfile.net/global/styles/topic/invited.da976d944a65d2f85e45c26b6c1e5bb3.css
https://file.hbfile.net/global/font/fedui-icon.8f4a69b.ttf
https://file.hbfile.net/global/image/footer-logo.460e857.png
|
9
file.hbfile.net(104.18.29.151)
www.huobi.fm(104.18.9.216)
www.lookupdns.club(213.159.203.205)
148.163.12.101
104.18.29.151
104.18.9.216
213.159.203.207
213.159.203.205
117.18.232.200 - suspicious
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Outdated Flash Version M1
ET EXPLOIT_KIT Underminer EK Resource File Download M1
ET EXPLOIT_KIT Underminer EK SWF Request
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET EXPLOIT_KIT Underminer EK Resource File Download M2
|
|
11.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45572 |
2020-11-08 23:02
|
Runtime.exe ff5f3f329d995edc248fd3a5ee17ed37
VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AppData folder malicious URLs |
|
|
|
|
4.4 |
M |
53 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45573 |
2020-11-08 22:16
|
Runtime.exe ff5f3f329d995edc248fd3a5ee17ed37
VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AppData folder malicious URLs |
|
|
|
|
4.4 |
M |
53 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45574 |
2020-11-08 22:11
|
Scan copy.exe 2e3783f9a6d09de8e60564c7a8c9370a
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Software |
|
2
sieqwarteg.com(185.147.80.211) - mailcious
178.250.157.171
|
|
|
14.4 |
M |
47 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45575 |
2020-11-08 22:10
|
svchost.jpg.exe 5c21ea2caa5fa83d2f91a97da6702cee
VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself Windows utilities suspicious process malicious URLs Windows ComputerName |
|
|
|
|
4.8 |
M |
57 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45576 |
2020-11-08 22:09
|
VSP2091.exe 7abcfd428e72ce9cc2bdeef462e31523
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
172.217.25.14 - suspicious
|
|
|
11.6 |
M |
44 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45577 |
2020-11-08 22:07
|
scan00002346_Doc.exe 94e005d8a11e1bcc17b6fdae777e5b62
VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
2.8 |
M |
56 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45578 |
2020-11-06 14:18
|
reservation.exe 59d5f66f4cd5889b1e825239097a5974
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs Tofsee Ransomware Windows Tor ComputerName Cryptographic key crashed |
1
https://456345746g546646.gb.net//inc/040b73a6c5b6ac.php - mailcious
|
2
456345746g546646.gb.net() - mailcious
103.153.182.50
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.0 |
M |
53 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45579 |
2020-11-06 13:25
|
7123853.xlsb ff10e6466f4031b5d873be6efea559b6
VirusTotal Malware Check memory Checks debugger Creates shortcut Creates executable files unpack itself malicious URLs WriteConsoleW ComputerName crashed |
|
|
|
|
4.8 |
M |
5 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45580 |
2020-11-06 13:20
|
https://sunspalato.com/wp-cont... 289d3afec6ddf67f84277c0bacac2d1f
Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
4
sunspalato.com(18.159.119.57) - malware
172.217.25.14 - suspicious
18.159.119.57 - suspicious
117.18.232.200 - suspicious
|
3
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45581 |
2020-11-06 11:26
|
document3.doc d5c72a79881e7245bcb3fe135d4143f5
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed |
2
http://magicview.ga/webxpo/gate.php - mailcious
http://duracom.ga/SD3/win32.exe - malware
|
4
magicview.ga(46.173.214.75) - mailcious
duracom.ga(46.173.214.75) - malware
46.173.214.75 - suspicious
172.217.25.14 - suspicious
|
13
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.8 |
M |
36 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45582 |
2020-11-06 11:10
|
tyx.exe 32e7a6c613f21394c0f89b8b948e4f01
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
|
|
|
|
13.0 |
M |
36 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45583 |
2020-11-06 11:06
|
reservation.exe 59d5f66f4cd5889b1e825239097a5974
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs Tofsee Ransomware Windows Tor ComputerName DNS Cryptographic key crashed |
1
https://456345746g546646.gb.net//inc/040b73a6c5b6ac.php
|
3
456345746g546646.gb.net()
103.153.182.50
117.18.232.200 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
M |
53 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45584 |
2020-11-06 11:03
|
http://ps.popcash.net/go/27536... a954a876386a7bb1541498370036cb31
Dridex VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://ps.popcash.net/go/275368/567202 - mailcious
http://ps.popcash.net/ad/ad?p=275368&w=567202&t=6e236c90efedc53e&r=&vw=0&vh=0 - mailcious
https://simplegrg.shop/favicon.ico
https://simplegrg.shop/home/base64.min.js
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/aes.min.js
https://simplegrg.shop/home/image.php
https://shachibato-anime.shop/
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
https://cdnjs.cloudflare.com/ajax/libs/zepto/1.2.0/zepto.min.js
https://simplegrg.shop/home/?key=8BCE03840BE4E829
https://simplegrg.shop/home?key=8BCE03840BE4E829
|
9
ps.popcash.net(52.201.162.15) - mailcious
cdnjs.cloudflare.com(104.16.19.94) - mailcious
simplegrg.shop(185.178.208.137)
shachibato-anime.shop(185.178.208.164)
185.178.208.164 - suspicious
104.16.18.94
52.203.234.71
185.178.208.137
117.18.232.200 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
5.6 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45585 |
2020-11-06 10:52
|
document3.doc d5c72a79881e7245bcb3fe135d4143f5
LokiBot Malware download Vulnerability VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed |
2
http://magicview.ga/webxpo/gate.php - mailcious
http://duracom.ga/SD3/win32.exe - malware
|
3
magicview.ga(46.173.214.75) - mailcious
duracom.ga(46.173.214.75) - malware
46.173.214.75 - suspicious
|
13
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.8 |
M |
36 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|