45751 | 2020-10-31 09:13 | 8.exe | 56564e2f274ac21803580be8a236518d
Tags: AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check Windows ComputerName DNS DDNS crashed
Hosts (2): kingshakes.linkpc.net(79.134.225.52) - mailcious; 79.134.225.52 - suspicious
14.6 | admin
45752 | 2020-10-31 09:09 | FILE_PO_10312020EX.doc | b864ecba7b8fee96b95159cb9f4d30b2
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2): http://annabphotography.co.uk/wp-includes/WdHO/ - malware; http://173.173.254.105/BHsFILw0Hais/ - mailcious
Hosts (6): pipesplumbingltd.com(35.208.159.220) - mailcious; annabphotography.co.uk(35.214.15.47) - mailcious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious; 35.208.159.220 - suspicious
IDS alerts (4): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | 18 | admin
45753 | 2020-10-30 22:39 | win32.exe | 7c0ec544d981d901c7819996d90dacc8
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (6): mail.salujaford.in(199.101.134.84); freegeoip.app(104.28.5.151); checkip.dyndns.org(216.146.43.71); 104.28.4.151; 131.186.161.70; 199.101.134.84 - suspicious
IDS alerts (5): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SURICATA Applayer Detect protocol only one direction
17.6 | M | 22 | admin
45754 | 2020-10-30 21:59 | POP.exe | 8cf74500bb24624b63930bf263aafcb0
Tags: AutoRuns suspicious privilege Code Injection Check memory Checks debugger unpack itself malicious URLs Windows
5.2 | M | admin
45755 | 2020-10-30 21:50 | invoice_771275.doc | 2fabe873166b42d734a12c918f792764
Tags: Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs IP Check Tofsee Windows Exploit DNS DDNS crashed
URLs (3): http://wsdybsskillemmulatorsdevelovercommwsity.ydns.eu/bssdoc/win32.exe - malware; http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
Hosts (8): mail.salujaford.in(199.101.134.84); wsdybsskillemmulatorsdevelovercommwsity.ydns.eu(212.162.149.27) - malware; freegeoip.app(172.67.188.154); checkip.dyndns.org(131.186.161.70); 162.88.193.70; 104.28.5.151; 212.162.149.27 - suspicious; 199.101.134.84 - suspicious
IDS alerts (8): ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; ET MALWARE Possible Malicious Macro DL EXE Feb 2016; ET MALWARE Possible Malicious Macro EXE DL AlphaNumL; ET POLICY PE EXE or DLL Windows file download HTTP; SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
5.4 | M | 22 | admin
45756 | 2020-10-30 21:21 | FAS_100120_OBW_103020.doc | 26e46a86e1386111f4c7790bab599869
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2): http://annabphotography.co.uk/wp-includes/WdHO/ - malware; http://173.173.254.105/az1L5Cssv/lIkSns7VdaFih7TC/FZy7YuB4/5EWdgSxwTpnJFO/ - mailcious
Hosts (6): pipesplumbingltd.com(35.208.159.220) - mailcious; annabphotography.co.uk(35.214.15.47) - mailcious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious; 35.208.159.220 - suspicious
IDS alerts (4): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | admin
45757 | 2020-10-30 21:21 | DL-13306.jpg.exe | c2491d6299805883f79bdd9b4fc3d8ea
Tags: VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows ComputerName Cryptographic key crashed
12.0 | 22 | admin
45758 | 2020-10-30 18:24 | Arc_SV7257602192KT.doc | 410eee98c357147776c0e926c6336db2
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2): http://annabphotography.co.uk/wp-includes/WdHO/; http://173.173.254.105/VUE9aVj4BJR/14tp40nWJQcBF/ - mailcious
Hosts (6): pipesplumbingltd.com(35.208.159.220) - mailcious; annabphotography.co.uk(35.214.15.47) - mailcious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious; 35.208.159.220 - suspicious
IDS alerts (5): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Terse Named Filename EXE Download - Possibly Hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
5.4 | M | admin
45759 | 2020-10-30 18:22 | http://shivakunwar.com.np/swif... | 509bad3e7b3d5770ff5a7d173c65010e
Tags: VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (3): http://annabphotography.co.uk/wp-includes/WdHO/; http://shivakunwar.com.np/swift/ZenW4gwhknqJ1/; http://173.173.254.105/O6x6F5c8/ - mailcious
Hosts (9): pipesplumbingltd.com(35.208.159.220) - mailcious; annabphotography.co.uk(35.214.15.47) - mailcious; shivakunwar.com.np(72.29.65.177) - mailcious; 35.208.159.220 - suspicious; 35.214.15.47 - suspicious; 72.29.65.177 - suspicious; 173.173.254.105 - suspicious; 102.182.145.130 - suspicious; 117.18.232.200 - suspicious
IDS alerts (5): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Terse Named Filename EXE Download - Possibly Hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
8.6 | M | admin
45760 | 2020-10-30 18:19 | https://manweikeji.com/wp-cont... | 18933749e6ba858f74cfae5a1a480d14
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (3): manweikeji.com(103.82.52.25); 103.82.52.25; 117.18.232.200 - suspicious
IDS alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.6 | admin
45761 | 2020-10-30 18:18 | H1ZZIwcmmLvZZEwj.exe | ea9881ed00071a29a1138d1cb5f96f92
Tags: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://173.173.254.105/QyzclKTk/vs6VYXdD/us3PJya/ - mailcious
Hosts (2): 173.173.254.105 - suspicious; 102.182.145.130 - suspicious
6.4 | M | 9 | admin
45762 | 2020-10-30 17:01 | http://legalempowermentindia.c... | b6581a528bf2bb5b7abac91ac8a0a6f3
Tags: VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed
URLs (2): http://70.39.251.94:8080/YENeL7EW77ATz/FS7SCljrP5OI3f/A9SCSlrLLNjEjV/LrdtVxqzvuOTmlAgZXX/llW8KgyVCl7z7LY/SLNACzxafIl9/ - mailcious; http://legalempowermentindia.com/cgi-bin/Qs/ - malware
Hosts (6): legalempowermentindia.com(202.66.172.245) - malware; 70.39.251.94 - suspicious; 190.202.229.74 - suspicious; 118.69.11.81 - suspicious; 202.66.172.245 - suspicious; 117.18.232.200 - suspicious
IDS alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP
14.6 | M | 32 | admin
45763 | 2020-10-30 16:24 | DL-13335.jpg.exe | 110cfaeff8c4f45dddbe061750084a32
Tags: VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows ComputerName Cryptographic key crashed
12.0 | M | 20 | admin
45764 | 2020-10-30 16:19 | 재판기록 열람복사 신청서.hwp | 0b7d1b42a30f4aa4060a1f8dc4cc8f83
Tags: Checks debugger Creates shortcut Creates executable files unpack itself malicious URLs
2.2 | admin
45765 | 2020-10-30 16:19 | http://uxnew.com/old/89i/ | df2f73942120a6d530a6eff7796d41ba
Tags: VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed
URLs (2): http://70.39.251.94:8080/kAisbuN/3zlv3KqUXyayyXG9sr/mG7c1ziXcJYd/o28eWh/ - mailcious; http://uxnew.com/old/89i/ - malware
Hosts (6): uxnew.com(156.247.12.150) - malware; 70.39.251.94 - suspicious; 190.202.229.74 - suspicious; 156.247.12.150 - suspicious; 118.69.11.81 - suspicious; 117.18.232.200 - suspicious
IDS alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP
14.0 | M | admin