Task 45706 | 2020-11-03 13:44
File: document.doc
MD5: 594b812a9529aa440b10bc94bdff567e
Tags: LokiBot, Malware download, Malware c&c, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, Trojan, DNS, crashed
URLs (2):
  http://antoinesauvagesqcomcomantoinesauvagesqcomcom.ydns.eu/svchost.exe
  http://1filesharing.ga/kayo/gate.php
Hosts (4):
  antoinesauvagesqcomcomantoinesauvagesqcomcom.ydns.eu (103.125.191.69)
  1filesharing.ga (91.203.193.242) - malicious
  91.203.193.242 - suspicious
  103.125.191.69 - suspicious
Alerts (12):
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download
  ET POLICY PE EXE or DLL Windows file download HTTP
Score: 4.2 | admin

Task 45707 | 2020-11-03 13:37
File: test.eml
MD5: 5c8e2fed189e7b7f7f1d9e756fd072f8
Tags: Email Client Info Stealer, Checks debugger, unpack itself, malicious URLs, Ransomware, Email
Score: 2.6 | admin

Task 45708 | 2020-11-03 13:34
File: test.eml
MD5: 5c8e2fed189e7b7f7f1d9e756fd072f8
Tags: Email Client Info Stealer, Checks debugger, unpack itself, malicious URLs, Ransomware, Email, DNS
Hosts (2):
  35.244.181.201
  99.86.144.82
Score: 3.2 | admin

Task 45709 | 2020-11-03 13:07
File: raz.exe
MD5: 52c7166b6bf6b32f30a20b21ed902afc
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, Cryptographic key, Software, crashed
Score: 10.8 | M | 48 | admin

Task 45710 | 2020-11-03 13:06
File: noNnzwxW3a0IOoZ.exe
MD5: 113c6291efcb16880ef982fe221902a7
Tags: VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, DNS, Cryptographic key, DDNS
Hosts (2):
  vikingo1928.duckdns.org (46.246.6.71) - malicious
  46.246.6.71 - suspicious
Alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 9.8 | M | 57 | admin

Task 45711 | 2020-11-03 12:50
File: KF29794499E_COVID-19_SARS-CoV-...
MD5: 4d2fad1fb87c821b1ab823ccaf06c38d
Tags: Vulnerability, unpack itself, DNS
Hosts (14):
  aus.thunderbird.net (54.230.62.91)
  aus5.mozilla.org (35.244.181.201)
  d2js2viceajwla.cloudfront.net (54.230.62.91)
  prod.balrog.prod.cloudops.mozgcp.net (35.244.181.201)
  99.86.144.61
  59.18.45.76
  59.18.31.17
  172.217.161.174 - suspicious
  99.86.144.100
  35.244.181.201
  172.217.25.14 - suspicious
  99.86.144.82
  172.217.24.67
  99.86.144.46
Score: 3.4 | 42 | admin

Task 45712 | 2020-11-03 12:47
File: test3.eml
MD5: 8506416b94e6ba322c3d066104237df5
Tags: VirusTotal, Email Client Info Stealer, Malware, Checks debugger, RWX flags setting, unpack itself, malicious URLs, Ransomware, Email, DNS
Hosts (6):
  59.18.44.80
  59.18.46.76
  99.86.144.82
  59.18.34.83
  35.244.181.201
  59.18.45.146
Score: 5.8 | 26 | admin

Task 45713 | 2020-11-03 12:43
File: test.eml
MD5: 5c8e2fed189e7b7f7f1d9e756fd072f8
Tags: Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName
Score: 3.8 | admin

Task 45714 | 2020-11-03 10:28
File: raz.exe
MD5: 52c7166b6bf6b32f30a20b21ed902afc
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, DNS, Cryptographic key, Software, crashed
Hosts (11):
  aus.thunderbird.net (54.230.62.19)
  aus5.mozilla.org (35.244.181.201)
  d2js2viceajwla.cloudfront.net (54.230.62.19)
  prod.balrog.prod.cloudops.mozgcp.net (35.244.181.201)
  99.86.144.61
  99.86.144.38
  99.86.144.25
  99.86.144.100
  35.244.181.201
  99.86.144.82
  99.86.144.46
Score: 12.4 | M | 48 | admin

Task 45715 | 2020-11-03 10:27
File: noNnzwxW3a0IOoZ.exe
MD5: 113c6291efcb16880ef982fe221902a7
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, DNS, Cryptographic key, DDNS
Hosts (2):
  vikingo1928.duckdns.org (46.246.6.71)
  46.246.6.71 - suspicious
Alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 10.6 | M | 57 | admin

Task 45716 | 2020-11-03 10:24
File: golden.exe
MD5: 18c010f78d01952fb527691da4f01940
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Check memory, Checks debugger, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, DNS, Cryptographic key, Software, crashed
Hosts (10):
  aus.thunderbird.net (54.230.62.91)
  aus5.mozilla.org (35.244.181.201)
  d2js2viceajwla.cloudfront.net (54.230.62.91)
  prod.balrog.prod.cloudops.mozgcp.net (35.244.181.201)
  99.86.144.61
  99.86.144.25
  99.86.144.100
  35.244.181.201
  99.86.144.82
  99.86.144.46
Score: 12.0 | M | 42 | admin

Task 45717 | 2020-11-03 10:23
File: invoice_555664.doc
MD5: 5d3f07cc44fe9defb5b6a95b652b3dde
Tags: VirusTotal, Malware, exploit crash, unpack itself, malicious URLs, Exploit, crashed
URLs (1):
  http://stdygreenkegheedahatakankeadeshnaastfaw.ydns.eu/office360/regasm.exe
Hosts (2):
  stdygreenkegheedahatakankeadeshnaastfaw.ydns.eu (103.125.191.229) - malicious
  103.125.191.229 - suspicious
Score: 4.2 | M | 26 | admin

Task 45718 | 2020-11-03 10:16
File: mr.exe
MD5: f4dc1e3e9f8addd3f26b12416c33a5eb
Tags: VirusTotal, Malware, Buffer PE, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, DNS, DDNS, keylogger
Hosts (2):
  demoledor.duckdns.org (46.246.6.71)
  46.246.6.71
Alerts (1):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 14.8 | M | 53 | admin

Task 45719 | 2020-11-03 10:15
File: n1c9hq9ps.jpg.exe
MD5: fd3da0ce820ee753901011f520ecd2b1
Tags: VirusTotal, Malware, PDB, unpack itself, DNS, crashed
Hosts (9):
  aus.thunderbird.net (54.230.62.78)
  aus5.mozilla.org (35.244.181.201)
  d2js2viceajwla.cloudfront.net (54.230.62.78)
  prod.balrog.prod.cloudops.mozgcp.net (35.244.181.201)
  99.86.144.61
  99.86.144.115
  99.86.144.82
  35.244.181.201
  99.86.144.46
Score: 2.4 | M | 13 | admin

Task 45720 | 2020-11-03 09:36
File: invoice_141143.doc
MD5: 8853970adc71fa21d4706d67327d5a27
Tags: LokiBot, Malware download, VirusTotal, Malware c&c, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows, Exploit, Trojan, DNS, crashed, Downloader
URLs (2):
  http://magicview.ga/kung/gate.php
  http://stdyunitedfrkesokoriorimistreetsmsttyr.ydns.eu/chnsfrnd1/vbc.exe - malware
Hosts (14):
  aus.thunderbird.net (54.230.62.78)
  aus5.mozilla.org (35.244.181.201)
  d2js2viceajwla.cloudfront.net (54.230.62.78)
  prod.balrog.prod.cloudops.mozgcp.net (35.244.181.201)
  magicview.ga (91.203.193.242) - malicious
  stdyunitedfrkesokoriorimistreetsmsttyr.ydns.eu (103.141.138.122) - malicious
  91.203.193.242 - suspicious
  99.86.144.38
  99.86.144.61
  99.86.144.100
  35.244.181.201
  99.86.144.82
  103.141.138.122 - suspicious
  99.86.144.46
Alerts (12):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 5.6 | M | 23 | admin

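The LokiBot reports above (tasks 45706 and 45720) and the duckdns reports (45710, 45715, 45718) share a small set of network patterns that the Emerging Threats alert titles spell out: a POST to gate.php with no Referer header, the Charon/Inferno User-Agent, a PE file fetched over plain HTTP, a system-binary name (svchost.exe) in a download URI, and queries to dynamic-DNS and .ga hosts. The following is an added example, not code from the sandbox or from the Emerging Threats ruleset: it re-implements the intent of those rule titles as plain Python over constructed traffic records so the matching can be exercised offline. The rule bodies are not reproduced. Hostnames and paths come from the reports; the User-Agent string "Mozilla/4.08 (Charon; Inferno)", the request headers, the response bytes, the benign update-host list, and the extension of the dynamic-DNS check from *.duckdns.org to the *.ydns.eu hosts seen above are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Dynamic-DNS suffixes and the TLD named in the alert titles on this page.
# ydns.eu is added by analogy to the duckdns rule (assumption).
DDNS_SUFFIXES = (".duckdns.org", ".ydns.eu")
SUSPICIOUS_TLDS = (".ga",)

# Mozilla/Thunderbird update hosts that appear in nearly every report above
# regardless of sample; treated here as sandbox background noise (assumption).
BENIGN_UPDATE_HOSTS = {
    "aus.thunderbird.net",
    "aus5.mozilla.org",
    "prod.balrog.prod.cloudops.mozgcp.net",
    "d2js2viceajwla.cloudfront.net",
}

@dataclass
class HttpTransaction:
    """One request/response pair as a sensor would log it."""
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    response_body: bytes = b""  # leading bytes of the response are enough

def _header(headers: Dict[str, str], name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def http_findings(tx: HttpTransaction) -> List[str]:
    """Alert-style labels that apply to one HTTP transaction."""
    found = []
    method = tx.method.upper()
    host = tx.host.lower().rstrip(".")
    path = tx.path.lower()
    ua = (_header(tx.headers, "User-Agent") or "").lower()
    # LokiBot check-in: POST to gate.php with no Referer header at all.
    if method == "POST" and path.endswith("gate.php") and _header(tx.headers, "Referer") is None:
        found.append("POST To gate.php with no referer")
    # LokiBot's hard-coded User-Agent names both Charon and Inferno.
    if "charon" in ua and "inferno" in ua:
        found.append("LokiBot User-Agent (Charon/Inferno)")
    if method == "POST" and host.endswith(SUSPICIOUS_TLDS):
        found.append("HTTP POST Request to Suspicious *.ga Domain")
    # A Windows system binary name in a download URI is a hunting lead.
    if path.endswith("/svchost.exe"):
        found.append("Suspicious svchost.exe in URI")
    # PE files start with the 'MZ' DOS header.
    if tx.response_body[:2] == b"MZ":
        found.append("PE EXE or DLL Windows file download HTTP")
    return found

def dns_findings(qname: str) -> List[str]:
    """Alert-style labels for one DNS query name."""
    name = qname.lower().rstrip(".")
    found = []
    if name.endswith(DDNS_SUFFIXES):
        found.append("DYNAMIC_DNS Query")
    if name.endswith(SUSPICIOUS_TLDS):
        found.append("DNS Query for Suspicious .ga Domain")
    return found

def summarize(transactions: Iterable[HttpTransaction], queries: Iterable[str]) -> Dict[str, List[str]]:
    """Per-host, sorted and de-duplicated findings, with update-noise hosts dropped."""
    per_host: Dict[str, set] = {}
    for tx in transactions:
        host = tx.host.lower().rstrip(".")
        if host not in BENIGN_UPDATE_HOSTS:
            per_host.setdefault(host, set()).update(http_findings(tx))
    for qname in queries:
        name = qname.lower().rstrip(".")
        if name not in BENIGN_UPDATE_HOSTS:
            per_host.setdefault(name, set()).update(dns_findings(qname))
    return {h: sorted(f) for h, f in per_host.items() if f}

# Constructed sample traffic modelled on tasks 45706/45720 (LokiBot) and
# 45710/45715 (duckdns). Hostnames and paths are from the page; the headers
# and response bytes are assumed for illustration.
SAMPLE_TRANSACTIONS = [
    HttpTransaction("GET", "antoinesauvagesqcomcomantoinesauvagesqcomcom.ydns.eu", "/svchost.exe",
                    {"User-Agent": "Microsoft Office/16.0"}, b"MZ\x90\x00\x03"),
    HttpTransaction("POST", "1filesharing.ga", "/kayo/gate.php",
                    {"User-Agent": "Mozilla/4.08 (Charon; Inferno)",
                     "Content-Type": "application/octet-stream"}, b"<html>404"),
    HttpTransaction("GET", "aus5.mozilla.org", "/update/3/SystemAddons/",
                    {"User-Agent": "Thunderbird/78.4.0"}, b"<?xml"),
]
SAMPLE_QUERIES = [
    "antoinesauvagesqcomcomantoinesauvagesqcomcom.ydns.eu",
    "1filesharing.ga",
    "vikingo1928.duckdns.org",
    "aus.thunderbird.net",
]

if __name__ == "__main__":
    for host, labels in summarize(SAMPLE_TRANSACTIONS, SAMPLE_QUERIES).items():
        print(host)
        for label in labels:
            print("  " + label)
```

Run as a script it prints the per-host summary for the constructed traffic. The Mozilla/Thunderbird update hosts recur in nearly every report on this page regardless of sample (they are present for the 2.4-score n1c9hq9ps.jpg.exe run as well as the 12.4-score raz.exe run), which is why the example drops them rather than counting them as indicators; when triaging these reports, the ydns.eu, duckdns.org and .ga entries marked malicious or suspicious are the lines worth pivoting on.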