| 45796 |
2020-10-29 14:13
|
Invoice 003344656.doc 2dd0c550b545686341a97e367f184105
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://152.32.75.74:443/yxMyBCvRPV0/RVcKAsBr2t0Yo/ - mailcious
http://xinhecun.cn/wp-content/VCNbWWDK/ - malware
|
5
xinhecun.cn(8.210.173.81) - malware
getpranaveda.xyz(103.129.97.141) - malware
152.32.75.74 - suspicious
103.129.97.141 - suspicious
8.210.173.81 - suspicious
|
7
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.8 |
M |
27 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45797 |
2020-10-29 11:01
|
ernb3qw6s9.exe 5e38580cb8baf1b6e75698bdbe3642b4
VirusTotal Malware Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://173.212.214.235:7080/U0TCYZFaPHtp5qwjM2/ - mailcious
|
3
107.170.146.252 - suspicious
88.153.35.32 - suspicious
173.212.214.235 - suspicious
|
|
|
7.2 |
M |
31 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45798 |
2020-10-29 10:51
|
document2.doc cb56b7c3074ca0082f757295644d5e57
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
1
http://23.249.162.110/hkcmd/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45799 |
2020-10-29 10:44
|
Ym4nLhD.exe 20d546782a89689cb3143102855b30b9
VirusTotal Malware Malicious Traffic Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://70.39.251.94:8080/eZiPw8ZrwOZNOep/9TbfXvLBvABMiyppA/ - mailcious
|
2
70.39.251.94 - suspicious
78.206.229.130 - suspicious
|
|
|
7.4 |
M |
8 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45800 |
2020-10-29 10:38
|
vbc.exe 981e5205357b236c348d4f43f01e4936
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed |
|
|
|
|
9.4 |
M |
19 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45801 |
2020-10-29 10:28
|
f3.exe b2c96a156e4346838ca812b4eeb319fe
Browser Info Stealer FTP Client Info Stealer Cryptocurrency wallets Cryptocurrency MachineGuid Check memory unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName Software |
1
http://api.ipify.org/?format=xml
|
4
functionalrejh.com(5.63.155.126) - mailcious
api.ipify.org(54.235.83.248)
5.63.155.126 - suspicious
54.235.83.248
|
1
ET POLICY External IP Lookup (ipify .org)
|
|
8.2 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45802 |
2020-10-29 10:09
|
vbc.exe 981e5205357b236c348d4f43f01e4936
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed |
|
|
|
|
9.4 |
|
19 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45803 |
2020-10-29 10:07
|
n1.exe 8aad8fa5cd8e6a9742079b7d579aadf4
VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
39 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45804 |
2020-10-29 10:05
|
KQGM9kR.exe 8e1906f95a563aca2fed0dc278eb67ea
Malware Malicious Traffic ICMP traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://91.121.200.35:8080/YkXasmCh3TPZqmM/RguI9g0SOMojbpzJd61/gKpYfLbHX5m/hHaFiW6z0sL9SgMb/TecMluoGIoG/A2AcQhB6VekGEBw8FIN/ - mailcious
|
2
152.32.75.74
91.121.200.35 - suspicious
|
|
|
7.8 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45805 |
2020-10-29 10:04
|
vbc.exe 981e5205357b236c348d4f43f01e4936
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName crashed |
|
|
|
|
11.2 |
|
19 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45806 |
2020-10-29 09:55
|
B_OKT_100120_QMJ_102820.doc 3d52fc5a050f184b6b5831c070c18631
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
3
http://80.227.52.78/5LsR1nkgomX3l/ZjPBKZ4x4Zvvn/
https://weparditestaa.fi/wp-admin/72uPk/ - malware
https://gayatrienterprise.org/wp-admin/DPBsj/
|
7
www.saintmarcel.com(51.38.224.182)
weparditestaa.fi(192.130.146.156) - malware
gayatrienterprise.org(104.27.153.75)
192.130.146.156 - suspicious
80.227.52.78
104.27.152.75
51.38.224.182
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
15 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45807 |
2020-10-29 09:49
|
file_41974312.doc 6b85477e763034dc0989adb4411c117e
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
4
http://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - mailcious
http://80.227.52.78/WyEu/V0DLlmLJ6b6J/knDpht6D438w/
http://nanettecook.org/wp-admin/x/ - mailcious
https://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - malware
|
5
scalarmonitoring.com(85.50.100.181) - malware
nanettecook.org(74.80.58.254) - mailcious
85.50.100.181 - suspicious
80.227.52.78
74.80.58.254 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
30 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45808 |
2020-10-29 09:46
|
AutoVLM Clone.exe 1eeb0ed06b17538b62b3bf0859c5f496
VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key |
|
|
|
|
3.6 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45809 |
2020-10-29 09:39
|
document.doc c71813d096c329c4cc6f447b02d33668
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
1
http://78.128.92.94/win/vbc.exe
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45810 |
2020-10-29 09:37
|
arc 20201029 1690.doc cff8e0945303bb73e63281b98a613ef1
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://192.198.91.138:443/EIYYGmOp/7iyOy1IxHB/HU7itbYSbLMe/ - mailcious
https://demo.giaoduckidsup.com/wp-includes/P/ - malware
|
11
cacomixtle.net(138.197.1.150) - malware
ayur-herbal.com(160.153.137.210) - malware
enyaxsi.com(45.84.191.215) - malware
demo.giaoduckidsup.com(172.67.140.232) - malware
filmfest.jewishfilm.org(208.113.172.122) - mailcious
138.197.1.150 - suspicious
192.198.91.138 - suspicious
45.84.191.215 - suspicious
160.153.137.210 - suspicious
104.27.160.57
208.113.172.122 - suspicious
|
4
SURICATA TLS invalid record type
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record/traffic
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.0 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|