45796 | 2020-10-29 14:13
Invoice 003344656.doc 2dd0c550b545686341a97e367f184105
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2): http://152.32.75.74:443/yxMyBCvRPV0/RVcKAsBr2t0Yo/ - mailcious http://xinhecun.cn/wp-content/VCNbWWDK/ - malware
Hosts (5): xinhecun.cn(8.210.173.81) - malware getpranaveda.xyz(103.129.97.141) - malware 152.32.75.74 - suspicious 103.129.97.141 - suspicious 8.210.173.81 - suspicious
Signatures (7): SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP ET POLICY HTTP traffic on port 443 (POST)
4.8 | M | 27 | guest

45797 | 2020-10-29 11:01
ernb3qw6s9.exe 5e38580cb8baf1b6e75698bdbe3642b4
Tags: VirusTotal Malware Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://173.212.214.235:7080/U0TCYZFaPHtp5qwjM2/ - mailcious
Hosts (3): 107.170.146.252 - suspicious 88.153.35.32 - suspicious 173.212.214.235 - suspicious
7.2 | M | 31 | admin

45798 | 2020-10-29 10:51
document2.doc cb56b7c3074ca0082f757295644d5e57
Tags: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (1): http://23.249.162.110/hkcmd/vbc.exe
Hosts (1):
Signatures (6): ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | | 24 | admin

45799 | 2020-10-29 10:44
Ym4nLhD.exe 20d546782a89689cb3143102855b30b9
Tags: VirusTotal Malware Malicious Traffic Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://70.39.251.94:8080/eZiPw8ZrwOZNOep/9TbfXvLBvABMiyppA/ - mailcious
Hosts (2): 70.39.251.94 - suspicious 78.206.229.130 - suspicious
7.4 | M | 8 | admin

45800 | 2020-10-29 10:38
vbc.exe 981e5205357b236c348d4f43f01e4936
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed
9.4 | M | 19 | admin

45801 | 2020-10-29 10:28
f3.exe b2c96a156e4346838ca812b4eeb319fe
Tags: Browser Info Stealer FTP Client Info Stealer Cryptocurrency wallets Cryptocurrency MachineGuid Check memory unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName Software
URLs (1): http://api.ipify.org/?format=xml
Hosts (4): functionalrejh.com(5.63.155.126) - mailcious api.ipify.org(54.235.83.248) 5.63.155.126 - suspicious 54.235.83.248
Signatures (1): ET POLICY External IP Lookup (ipify .org)
8.2 | | | admin

45802 | 2020-10-29 10:09
vbc.exe 981e5205357b236c348d4f43f01e4936
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed
9.4 | | 19 | admin

45803 | 2020-10-29 10:07
n1.exe 8aad8fa5cd8e6a9742079b7d579aadf4
Tags: VirusTotal Malware unpack itself
2.2 | M | 39 | admin

45804 | 2020-10-29 10:05
KQGM9kR.exe 8e1906f95a563aca2fed0dc278eb67ea
Tags: Malware Malicious Traffic ICMP traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://91.121.200.35:8080/YkXasmCh3TPZqmM/RguI9g0SOMojbpzJd61/gKpYfLbHX5m/hHaFiW6z0sL9SgMb/TecMluoGIoG/A2AcQhB6VekGEBw8FIN/ - mailcious
Hosts (2): 152.32.75.74 91.121.200.35 - suspicious
7.8 | M | | admin

45805 | 2020-10-29 10:04
vbc.exe 981e5205357b236c348d4f43f01e4936
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName crashed
11.2 | | 19 | admin

45806 | 2020-10-29 09:55
B_OKT_100120_QMJ_102820.doc 3d52fc5a050f184b6b5831c070c18631
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (3): http://80.227.52.78/5LsR1nkgomX3l/ZjPBKZ4x4Zvvn/ https://weparditestaa.fi/wp-admin/72uPk/ - malware https://gayatrienterprise.org/wp-admin/DPBsj/
Hosts (7): www.saintmarcel.com(51.38.224.182) weparditestaa.fi(192.130.146.156) - malware gayatrienterprise.org(104.27.153.75) 192.130.146.156 - suspicious 80.227.52.78 104.27.152.75 51.38.224.182
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 15 | admin

45807 | 2020-10-29 09:49
file_41974312.doc 6b85477e763034dc0989adb4411c117e
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (4): http://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - mailcious http://80.227.52.78/WyEu/V0DLlmLJ6b6J/knDpht6D438w/ http://nanettecook.org/wp-admin/x/ - mailcious https://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - malware
Hosts (5): scalarmonitoring.com(85.50.100.181) - malware nanettecook.org(74.80.58.254) - mailcious 85.50.100.181 - suspicious 80.227.52.78 74.80.58.254 - suspicious
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | 30 | admin

45808 | 2020-10-29 09:46
AutoVLM Clone.exe 1eeb0ed06b17538b62b3bf0859c5f496
Tags: VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
3.6 | | 20 | admin

45809 | 2020-10-29 09:39
document.doc c71813d096c329c4cc6f447b02d33668
Tags: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (1): http://78.128.92.94/win/vbc.exe
Hosts (1):
Signatures (6): ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | | 24 | admin

45810 | 2020-10-29 09:37
arc 20201029 1690.doc cff8e0945303bb73e63281b98a613ef1
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2): http://192.198.91.138:443/EIYYGmOp/7iyOy1IxHB/HU7itbYSbLMe/ - mailcious https://demo.giaoduckidsup.com/wp-includes/P/ - malware
Hosts (11): cacomixtle.net(138.197.1.150) - malware ayur-herbal.com(160.153.137.210) - malware enyaxsi.com(45.84.191.215) - malware demo.giaoduckidsup.com(172.67.140.232) - malware filmfest.jewishfilm.org(208.113.172.122) - mailcious 138.197.1.150 - suspicious 192.198.91.138 - suspicious 45.84.191.215 - suspicious 160.153.137.210 - suspicious 104.27.160.57 208.113.172.122 - suspicious
Signatures (4): SURICATA TLS invalid record type SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record/traffic ET POLICY HTTP traffic on port 443 (POST)
4.0 | M | | admin