| 45781 |
2020-10-30 09:57
|
o.exe 5cb0213d1dafb33f3ed1255e836572a0
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://91.121.200.35:8080/MNsmN4Gc/ - mailcious
|
2
152.32.75.74 - suspicious
91.121.200.35 - suspicious
|
|
|
7.2 |
M |
26 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45782 |
2020-10-30 09:56
|
PDF220039000003.msi c4214412ef3bbb32f1732e41e9703d83
VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself malicious URLs AntiVM_Disk VM Disk Size Check ComputerName DNS |
1
http://54.94.2.167/aj32.php
|
1
|
|
|
5.0 |
|
13 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45783 |
2020-10-30 09:54
|
faco.exe ae975e9d679eeb792b89b7e2d19f9d43
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
|
|
|
|
9.8 |
M |
29 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45784 |
2020-10-30 09:54
|
lvs7kabg6ouix3r.exe d32acba23526d5c591027df645884b39
VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
12.4 |
M |
25 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45785 |
2020-10-30 09:51
|
p.png.exe d860b8a46bdf5f113c36ecc32760daf8
VirusTotal Malware AutoRuns Malicious Traffic buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName |
2
http://eventlarva.com/7/forum.php - mailcious
http://api.ipify.org/
|
4
eventlarva.com(95.216.151.81) - mailcious
api.ipify.org(54.235.182.194)
95.216.151.81 - suspicious
50.19.98.74
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
8.4 |
M |
21 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45786 |
2020-10-30 09:49
|
lvs7kabg6ouix3r.exe d32acba23526d5c591027df645884b39
Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName DNS |
|
1
84.38.134.114 - suspicious
|
1
ET MALWARE Possible NanoCore C2 60B
|
|
14.0 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45787 |
2020-10-30 09:30
|
inf 2020_10_30 E0604.doc d4595a5f1f04dfd12460d298347780e5
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
5
http://70.39.251.94:8080/FDnR/9ABEJRvc1oHHm/5UwDOB/mJSOpac1L7AZEx/Su6F0zTtJtUy1iYE/ - mailcious
http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
http://acredales.com/thank_you/d/ - mailcious
http://supportessays.com/wp-admin/iuz/ - mailcious
http://www.royalempresshair.com/wp-content/upgrade/Fj/
|
11
mail.bursaevdenevenakliyat.link(159.89.19.237) - mailcious
www.royalempresshair.com(45.79.219.198) - mailcious
supportessays.com(104.31.65.87) - mailcious
acredales.com(104.24.113.218) - mailcious
70.39.251.94 - suspicious
190.202.229.74
159.89.19.237 - suspicious
118.69.11.81
104.24.113.218
104.31.65.87 - suspicious
45.79.219.198 - suspicious
|
5
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45788 |
2020-10-30 09:14
|
T5T5PsgV73kgezHAG.exe 77a8d929966839fa83576eff59446669
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://70.39.251.94:8080/1DAgg9zTWmTy03/IFg4HXfST/0aXb57oEWFgqheXqd6I/ - mailcious
|
3
118.69.11.81
70.39.251.94 - suspicious
190.202.229.74
|
|
|
7.8 |
M |
18 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45789 |
2020-10-30 09:08
|
EB00575 invoicing.doc add2a3411a95dd6e3189600db8b2599c
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee |
5
http://goodherbwebmart.com/
https://seramporemunicipality.org/replacement-vin/Ql4R/
https://mayxaycafe.net/wp-includes/UxdWFzYQj/
https://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/
https://homewatchamelia.com/wp-admin/qmK/
|
15
420extracts.ca()
seramporemunicipality.org(104.28.19.90) - mailcious
goodherbwebmart.com(79.172.193.70)
imperfectdream.com(35.213.176.43) - mailcious
casinopalacett.com(148.72.93.189)
homewatchamelia.com(104.28.23.149) - mailcious
mayxaycafe.net(104.28.6.70) - mailcious
enjoymylifecheryl.com(172.67.180.161)
148.72.93.189 - suspicious
172.67.133.164
79.172.193.70
35.213.176.43 - suspicious
104.28.23.149 - suspicious
172.67.132.92 - suspicious
104.18.63.171
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45790 |
2020-10-30 09:04
|
http://46.183.222.25/lvs7kabg6... d32acba23526d5c591027df645884b39
Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows Exploit ComputerName DNS crashed |
1
http://46.183.222.25/lvs7kabg6ouix3r.exe - malware
|
3
46.183.222.25 - suspicious
84.38.134.114 - suspicious
117.18.232.200 - suspicious
|
4
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Possible NanoCore C2 60B
|
|
15.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45791 |
2020-10-30 08:25
|
http://mail.bursaevdenevenakli... 65219b413cc8678537ffaa48f268491a
VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed |
2
http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
http://70.39.251.94:8080/cSg3zfWn9Cem4o6Q/tmWosD/rrm0BQmFqyOTVl/ - mailcious
|
6
mail.bursaevdenevenakliyat.link(159.89.19.237) - mailcious
70.39.251.94 - suspicious
190.202.229.74
159.89.19.237 - suspicious
118.69.11.81
117.18.232.200 - suspicious
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
|
|
14.0 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45792 |
2020-10-30 08:11
|
http://capellaevents.com/val-i... e88a8f48e0299941837f7db0680de66d
VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed keylogger |
2
http://102.182.145.130/fwiJGuFtxytx0wnPe/dzjiNrvfmmnduxJP/ - mailcious
http://capellaevents.com/val-images/mD2zBip/
|
4
capellaevents.com(31.186.241.7) - mailcious
31.186.241.7 - suspicious
102.182.145.130 - suspicious
117.18.232.200 - suspicious
|
2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
|
|
12.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45793 |
2020-10-29 18:26
|
document.doc 838f19684f9acf6932514d2ce2037b8f
Malware download VirusTotal Malware exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed |
1
http://ehdjhgesydfgsswertdfehkshkslrnjlwneoedss.ydns.eu/svchost.exe - malware
|
3
ehdjhgesydfgsswertdfehkshkslrnjlwneoedss.ydns.eu(103.125.191.69) - malware
20.43.94.199
103.125.191.69 - suspicious
|
3
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
4.8 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45794 |
2020-10-29 18:18
|
rep_OUX_100120_UDR_102920.doc 9cacd26495c3a84a37794522678a5b0f
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://80.227.52.78/sUH0AfORZCFYqsQlJks/lICeEiUYWsK7Q3Y/ - mailcious
https://jtech.com.vn/wp-includes/IhSNuI/
|
11
eclatcollection.com(160.153.138.219) - mailcious
www.corsiwebonline.it(5.39.64.201)
jtech.com.vn(178.128.116.205)
ismlm.xyz(103.129.97.81)
conclassdigital.com(69.46.26.202)
80.227.52.78 - suspicious
5.39.64.201
178.128.116.205
160.153.138.219 - suspicious
103.129.97.81 - suspicious
69.46.26.202
|
3
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45795 |
2020-10-29 15:54
|
k.png.exe 28e9316fb298d2e7a3d9fd71c662b3ec
VirusTotal Malware AutoRuns Malicious Traffic buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName |
2
http://api.ipify.org/
http://epperhaptem.com/7/forum.php - mailcious
|
4
epperhaptem.com(95.216.151.81) - mailcious
api.ipify.org(23.21.252.4)
95.216.151.81 - suspicious
23.21.252.4
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
8.0 |
M |
32 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|