45811 | 2020-10-29 09:36
0k0T8JlNG3cBImu.exe 6e71622e15fd0f1862778f091d26bfa4
RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://192.198.91.138:443/dO7GPe/LFLEb/cdz2fkO/ - mailcious
Hosts (1): 192.198.91.138 - suspicious
Alerts (1): ET POLICY HTTP traffic on port 443 (POST)
4.2 | M | | admin

45812 | 2020-10-29 09:30
k.png.exe 28e9316fb298d2e7a3d9fd71c662b3ec
VirusTotal Malware AutoRuns Malicious Traffic buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName
URLs (2): http://api.ipify.org/ http://epperhaptem.com/7/forum.php
Hosts (4): epperhaptem.com(95.216.151.81) api.ipify.org(54.204.14.42) 95.216.151.81 - suspicious 174.129.214.20
Alerts (1): ET POLICY External IP Lookup api.ipify.org
8.0 | M | 32 | admin

45813 | 2020-10-29 09:30
httUAcNMH.exe f989edb0552c0972871f92004df28aa1
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://91.121.200.35:8080/aAZwuDxm/ - mailcious
Hosts (2): 152.32.75.74 91.121.200.35 - suspicious
7.4 | M | 16 | admin

45814 | 2020-10-29 09:29
D.exe 0f005763d29a9c1276e5b28d6660f7a4
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://91.121.200.35:8080/x3YJv/4VGLv8i3cqYFcpQqj2/gqyR3Wn/50FCBqlDcJF/MvDOieWpqdYFzA/GvMszxXpG/ - mailcious
Hosts (2): 152.32.75.74 91.121.200.35 - suspicious
7.4 | M | 16 | admin

45815 | 2020-10-29 09:13
Attachments-Y369.doc 710a61a57907e8f67cc0776ed93be98c
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2): http://192.198.91.138:443/NT3PzTRU/p1Ml6/zqk7dIQB8/ - mailcious https://demo.giaoduckidsup.com/wp-includes/P/ - malware
Hosts (11): cacomixtle.net(138.197.1.150) - malware ayur-herbal.com(160.153.137.210) - malware enyaxsi.com(45.84.191.215) - malware demo.giaoduckidsup.com(104.27.160.57) - malware filmfest.jewishfilm.org(208.113.172.122) - mailcious 138.197.1.150 - suspicious 192.198.91.138 - suspicious 45.84.191.215 - suspicious 104.27.161.57 160.153.137.210 - suspicious 208.113.172.122 - suspicious
Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET POLICY HTTP traffic on port 443 (POST)
4.6 | M | 16 | admin

45816 | 2020-10-29 07:57
https://aabeds.com/wordpress/O... da3bc612bb90dce6e68becd3ff56f5d8
AutoRuns Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Windows Exploit Advertising ComputerName DNS Cryptographic key crashed
URLs (2): http://192.198.91.138:443/dwRyq/B1dGEB3/ https://aabeds.com/wordpress/O/
Hosts (4): aabeds.com(104.31.89.220) 117.18.232.200 - suspicious 192.198.91.138 104.31.89.220
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY HTTP traffic on port 443 (POST)
10.4 | | | guest

45817 | 2020-10-29 07:52
https://cacomixtle.net/wp-admi... d31c81b34cabc36bd0089c0651769552
Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (3): cacomixtle.net(138.197.1.150) 138.197.1.150 117.18.232.200 - suspicious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.2 | | | guest

45818 | 2020-10-28 22:56
locker.exe 3265b2b0afc6d2ad0bdd55af8edb9b37
Dridex TrickBot VirusTotal Malware AutoRuns Malicious Traffic Checks debugger WMI ICMP traffic unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW shadowcopy delete IP Check VM Disk Size Check human activity check Ransomware Kovter Windows Tor ComputerName Remote Code Execution DNS crashed
URLs (9): http://89.233.43.74/tor/server/fp/39ba70b6aa85830f56e57d7a9441c96b77ee4a6c http://178.17.174.68/tor/server/fp/eedc92c8e4f14efb6200fb4c92d4f957b98652b4 http://104.218.63.72/tor/server/fp/7ca53c34d8c70376a1638ee7a934a7cb03996be2 http://167.88.7.134/tor/server/fp/7292ef58742cc793f7ab3846d87001178328f9a2 http://api.ipify.org/ http://78.46.104.112/tor/server/fp/4c8b019e2b132fdd831419e13f59e7b7fa80476a http://31.220.2.132/tor/server/fp/044e647f34eda4ac975edad628c4e9bcfff1fb08 http://45.66.33.45/tor/status-vote/current/consensus http://49.50.107.221/tor/server/fp/72b2b12a3f60408bdbc98c6df53988d3a0b3f0ee
Hosts (12): api.ipify.org(54.235.182.194) 104.218.63.72 167.88.7.134 178.17.174.68 45.154.35.220 54.235.83.248 89.233.43.74 45.66.33.45 78.46.104.112 31.220.2.132 185.100.84.251 49.50.107.221
Alerts (20): ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603 ET POLICY External IP Lookup api.ipify.org SURICATA HTTP Request abnormal Content-Encoding header ET POLICY TOR Consensus Data Requested ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 304 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET TOR Known Tor Exit Node Traffic group 94 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 94 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 719 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 790 ET P2P Tor Get Server Request ET TOR Known Tor Exit Node Traffic group 106 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106 ET TOR Known Tor Exit Node Traffic group 21 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 21 ET TOR Known Tor Exit Node Traffic group 101 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 101 ET TOR Known Tor Exit Node Traffic group 27 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 27 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 159
14.2 | | 45 | admin

45819 | 2020-10-28 22:44
twt.exe 00cee56c0dcea46c71f28780aa7e4eb9
Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed
9.0 | | | admin

45820 | 2020-10-28 22:37
document.doc 00678e8494a9637cad37bc87d534e34f
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (1): http://107.173.219.115/twt.exe
Hosts (1): 107.173.219.115 - suspicious
Alerts (6): ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 25 | admin

45821 | 2020-10-28 22:20
foAMCEMvyjYP.exe 5a306f6d45337d0bb7565f1056039760
Malware Malicious Traffic Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://88.153.35.32/LW69ahuO/ - mailcious
Hosts (1): 88.153.35.32 - suspicious
6.0 | M | | admin

45822 | 2020-10-28 22:20
October invoice.doc e574350d6acb364b547cea6490bb16a4
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows
URLs (3): http://www.enolil-loo.com/agillawood/CZafm/ http://www.394509.com/biogenesis/ab/ http://www.panoramafe.com/slabbing/bBkdFoF96m/
Hosts (6): www.panoramafe.com(173.236.153.249) www.enolil-loo.com(75.119.201.1) www.394509.com(211.159.217.42) 211.159.217.42 75.119.201.1 173.236.153.249
Alerts (4): ET POLICY Terse Named Filename EXE Download - Possibly Hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP
4.0 | | 11 | admin

45823 | 2020-10-28 22:11
pcazzp.jpg.exe 84048d4a704ca3ed43cf15d44dceeb39
VirusTotal Malware
0.8 | | 28 | admin

45824 | 2020-10-28 22:10
qq.exe cc098e505724ea82572a19a4857840fe
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs
2.8 | | 51 | admin

45825 | 2020-10-28 22:08
ernb3qw6s9.exe 5e38580cb8baf1b6e75698bdbe3642b4
VirusTotal Malware Malicious Traffic Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://88.153.35.32/Qt9YFX/nstSYjZaFjZ7kljdCtz/LYPq2UXP/ - mailcious
Hosts (1): 88.153.35.32 - suspicious
6.0 | M | 9 | admin