45736 | 2020-11-01 10:45
Sample: Order_23333342.exe (MD5 9844ecd457d193dd641d0500188314d3)
Tags: Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Ransomware Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://skilldrivinget.com/ojman/PL341/index.php - malicious
Hosts (3): skilldrivinget.com(81.19.215.2) - malicious; 81.19.215.2 - suspicious; 104.75.32.111
Alerts (1): ET MALWARE AZORult v3.3 Server Response M1
17.2 | M | 22 | SFPark
45737 | 2020-11-01 10:01
Sample: FTCQ42XSHcWQqUPmaMv.exe (MD5 510cdcda8721b82b2b0b7fd878798352)
Tags: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://70.39.251.94:8080/EBVQYhBbK8U/ys83dclAmS5XK/ - malicious
Hosts (3): 118.69.11.81 - suspicious; 70.39.251.94 - suspicious; 190.202.229.74 - suspicious
8.4 | M | 40 | SFPark
45738 | 2020-11-01 09:53
Sample: https://fullelectronica.com.ar... (MD5 9844ecd457d193dd641d0500188314d3)
Tags: Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (7): fullelectronica.com.ar(209.133.222.158) - malware; 209.133.222.158 - suspicious; 172.217.25.3; 172.217.24.74; 211.46.92.199; 211.46.93.10; 117.18.232.200 - suspicious
Alerts (3): ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | | SFPark
45739 | 2020-10-31 17:50
Sample: rep_37770137.doc (MD5 e8677d06460f14ebd67f1a46a19f6749)
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself Windows DNS
URLs (3): http://da-industrial.com/js/9IdLP/ - malware; http://173.173.254.105/6gutBCvN9/Il0Z/ - malicious; http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
Hosts (4): da-industrial.com(181.88.192.21) - malware; 181.88.192.21 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious
Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
5.6 | M | 39 | SFPark
45740 | 2020-10-31 12:57
Sample: 4YS0I.exe (MD5 cb43cc7511fb5c08435ea41106247c8f)
Tags: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://70.39.251.94:8080/C7UranzjC/Z0owDwHf/Ok6tMt3BbF5FUkZ78c6/HJyqzWox9oFTgUn0qn/fJfs3I1N3i8nVyrDgA/MJyxAQrjLIbvjQt5/ - malicious
Hosts (3): 118.69.11.81 - suspicious; 70.39.251.94 - suspicious; 190.202.229.74 - suspicious
8.2 | M | 31 | admin
45741 | 2020-10-31 10:29
Sample: ARC_TH1940084283ZO.doc (MD5 55d79fbe07c3d17f618890bd72c4efc3)
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2): http://annabphotography.co.uk/wp-includes/WdHO/ - malware; http://173.173.254.105/5qGiDTQbt2M3E/pmKaKqFNIpPJ2slYB/sik1lN7jWaLd/CJA4Obiy3/ - malicious
Hosts (6): pipesplumbingltd.com(35.208.159.220) - malicious; annabphotography.co.uk(35.214.15.47) - malicious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious; 35.208.159.220 - suspicious
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
6.4 | M | 35 | admin
45742 | 2020-10-31 09:50
Sample: UNTITLED_FY4695778951OT.doc (MD5 dfa215f2b84d0df40c221d76309acb13)
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2): http://annabphotography.co.uk/wp-includes/WdHO/ - malware; http://173.173.254.105/hcVx/OgLyOkmDwCTmM/p2pkqLA15Sm/MDkzk/EN8kGI/ - malicious
Hosts (6): pipesplumbingltd.com(35.208.159.220) - malicious; annabphotography.co.uk(35.214.15.47) - malicious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious; 35.208.159.220 - suspicious
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
6.0 | M | 16 | admin
45743 | 2020-10-31 09:47
Sample: regasm.exe (MD5 355e70c00a060f1e2a0680676227d7ce)
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Software
URLs (1): http://magicview.ga/rojas/gate.php
Hosts (2): magicview.ga(91.203.193.242) - malicious; 91.203.193.242
Alerts (10): ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
14.0 | | 38 | admin
45744 | 2020-10-31 09:46
Sample: https://bitbucket.org/soyag/la... (MD5 9ada122303e6dee1c0f0171bf2e59253)
Tags: Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (3): bitbucket.org(104.192.141.1) - malware; 18.205.93.2 - suspicious; 117.18.232.200 - suspicious
Alerts (3): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.2 | | | admin
45745 | 2020-10-31 09:42
Sample: ike.exe (MD5 5b938ccc78b8b6af082c85f969d188f7)
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed
11.0 | | 25 | admin
45746 | 2020-10-31 09:41
Sample: ePh0eJZNL1NJpMw.exe (MD5 d3c3cff0bfce9f34418da4cf2fdfb027)
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Ransomware Windows Tor ComputerName crashed
13.6 | | 40 | admin
45747 | 2020-10-31 09:36
Sample: mBhuyP.exe (MD5 2acfebc586eac54f79cc41fd78e897ce)
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://70.39.251.94:8080/upYJrV/ - malicious
Hosts (3): 118.69.11.81 - suspicious; 70.39.251.94 - suspicious; 190.202.229.74 - suspicious
7.2 | M | | admin
45748 | 2020-10-31 09:31
Sample: Inf_EDV_100120_URP_103120.doc (MD5 11b0ade6c38d27ba741294173f088621)
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2): http://annabphotography.co.uk/wp-includes/WdHO/ - malware; http://173.173.254.105/r0Om/KGFKgY7MZosFT/3slxGj56vbMpFwujRh/gkj9Bgn0R27BQVoW/GJLHbjjXki/ - malicious
Hosts (6): pipesplumbingltd.com(35.208.159.220) - malicious; annabphotography.co.uk(35.214.15.47) - malicious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious; 35.208.159.220 - suspicious
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
6.0 | M | 17 | admin
45749 | 2020-10-31 09:15
Sample: 83iUuVObiSnKzI9WfkpU.exe (MD5 cc0b69abe8dd0a2cf87ffe7e1a1e1d2f)
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://70.39.251.94:8080/rTd1BLeci/ION6jVntQcFEnskr/nVplv25C/H9DfHq1WUDUpB/ - malicious
Hosts (3): 118.69.11.81 - suspicious; 70.39.251.94 - suspicious; 190.202.229.74 - suspicious
7.2 | M | | admin
45750 | 2020-10-31 09:14
Sample: donpyx.exe (MD5 319a790ffd7c286a2ed494469ddd1357)
Tags: Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Ransomware Browser Email ComputerName Software
URLs (1): http://ciuj.ir/donpy/index.php
Hosts (2): ciuj.ir(104.237.252.41); 104.237.252.41
Alerts (1): ET MALWARE AZORult v3.3 Server Response M3
15.6 | | 27 | admin