| 45811 |
2020-10-29 09:36
|
0k0T8JlNG3cBImu.exe 6e71622e15fd0f1862778f091d26bfa4
RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://192.198.91.138:443/dO7GPe/LFLEb/cdz2fkO/ - mailcious
|
1
192.198.91.138 - suspicious
|
1
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.2 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45812 |
2020-10-29 09:30
|
k.png.exe 28e9316fb298d2e7a3d9fd71c662b3ec
VirusTotal Malware AutoRuns Malicious Traffic buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName |
2
http://api.ipify.org/
http://epperhaptem.com/7/forum.php
|
4
epperhaptem.com(95.216.151.81)
api.ipify.org(54.204.14.42)
95.216.151.81 - suspicious
174.129.214.20
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
8.0 |
M |
32 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45813 |
2020-10-29 09:30
|
httUAcNMH.exe f989edb0552c0972871f92004df28aa1
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://91.121.200.35:8080/aAZwuDxm/ - mailcious
|
2
152.32.75.74
91.121.200.35 - suspicious
|
|
|
7.4 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45814 |
2020-10-29 09:29
|
D.exe 0f005763d29a9c1276e5b28d6660f7a4
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://91.121.200.35:8080/x3YJv/4VGLv8i3cqYFcpQqj2/gqyR3Wn/50FCBqlDcJF/MvDOieWpqdYFzA/GvMszxXpG/ - mailcious
|
2
152.32.75.74
91.121.200.35 - suspicious
|
|
|
7.4 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45815 |
2020-10-29 09:13
|
Attachments-Y369.doc 710a61a57907e8f67cc0776ed93be98c
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://192.198.91.138:443/NT3PzTRU/p1Ml6/zqk7dIQB8/ - mailcious
https://demo.giaoduckidsup.com/wp-includes/P/ - malware
|
11
cacomixtle.net(138.197.1.150) - malware
ayur-herbal.com(160.153.137.210) - malware
enyaxsi.com(45.84.191.215) - malware
demo.giaoduckidsup.com(104.27.160.57) - malware
filmfest.jewishfilm.org(208.113.172.122) - mailcious
138.197.1.150 - suspicious
192.198.91.138 - suspicious
45.84.191.215 - suspicious
104.27.161.57
160.153.137.210 - suspicious
208.113.172.122 - suspicious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.6 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45816 |
2020-10-29 07:57
|
https://aabeds.com/wordpress/O... da3bc612bb90dce6e68becd3ff56f5d8
AutoRuns Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Windows Exploit Advertising ComputerName DNS Cryptographic key crashed |
2
http://192.198.91.138:443/dwRyq/B1dGEB3/
https://aabeds.com/wordpress/O/
|
4
aabeds.com(104.31.89.220)
117.18.232.200 - suspicious
192.198.91.138
104.31.89.220
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY HTTP traffic on port 443 (POST)
|
|
10.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45817 |
2020-10-29 07:52
|
https://cacomixtle.net/wp-admi... d31c81b34cabc36bd0089c0651769552
Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
3
cacomixtle.net(138.197.1.150)
138.197.1.150
117.18.232.200 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45818 |
2020-10-28 22:56
|
locker.exe 3265b2b0afc6d2ad0bdd55af8edb9b37
Dridex TrickBot VirusTotal Malware AutoRuns Malicious Traffic Checks debugger WMI ICMP traffic unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW shadowcopy delete IP Check VM Disk Size Check human activity check Ransomware Kovter Windows Tor ComputerName Remote Code Execution DNS crashed |
9
http://89.233.43.74/tor/server/fp/39ba70b6aa85830f56e57d7a9441c96b77ee4a6c
http://178.17.174.68/tor/server/fp/eedc92c8e4f14efb6200fb4c92d4f957b98652b4
http://104.218.63.72/tor/server/fp/7ca53c34d8c70376a1638ee7a934a7cb03996be2
http://167.88.7.134/tor/server/fp/7292ef58742cc793f7ab3846d87001178328f9a2
http://api.ipify.org/
http://78.46.104.112/tor/server/fp/4c8b019e2b132fdd831419e13f59e7b7fa80476a
http://31.220.2.132/tor/server/fp/044e647f34eda4ac975edad628c4e9bcfff1fb08
http://45.66.33.45/tor/status-vote/current/consensus
http://49.50.107.221/tor/server/fp/72b2b12a3f60408bdbc98c6df53988d3a0b3f0ee
|
12
api.ipify.org(54.235.182.194)
104.218.63.72
167.88.7.134
178.17.174.68
45.154.35.220
54.235.83.248
89.233.43.74
45.66.33.45
78.46.104.112
31.220.2.132
185.100.84.251
49.50.107.221
|
20
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603
ET POLICY External IP Lookup api.ipify.org
SURICATA HTTP Request abnormal Content-Encoding header
ET POLICY TOR Consensus Data Requested
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 304
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET TOR Known Tor Exit Node Traffic group 94
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 94
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 719
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 790
ET P2P Tor Get Server Request
ET TOR Known Tor Exit Node Traffic group 106
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106
ET TOR Known Tor Exit Node Traffic group 21
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 21
ET TOR Known Tor Exit Node Traffic group 101
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 101
ET TOR Known Tor Exit Node Traffic group 27
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 27
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 159
|
|
14.2 |
|
45 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45819 |
2020-10-28 22:44
|
twt.exe 00cee56c0dcea46c71f28780aa7e4eb9
Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
|
|
|
|
9.0 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45820 |
2020-10-28 22:37
|
document.doc 00678e8494a9637cad37bc87d534e34f
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
1
http://107.173.219.115/twt.exe
|
1
107.173.219.115 - suspicious
|
6
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
25 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45821 |
2020-10-28 22:20
|
foAMCEMvyjYP.exe 5a306f6d45337d0bb7565f1056039760
Malware Malicious Traffic Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://88.153.35.32/LW69ahuO/ - mailcious
|
1
88.153.35.32 - suspicious
|
|
|
6.0 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45822 |
2020-10-28 22:20
|
October invoice.doc e574350d6acb364b547cea6490bb16a4
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows |
3
http://www.enolil-loo.com/agillawood/CZafm/
http://www.394509.com/biogenesis/ab/
http://www.panoramafe.com/slabbing/bBkdFoF96m/
|
6
www.panoramafe.com(173.236.153.249)
www.enolil-loo.com(75.119.201.1)
www.394509.com(211.159.217.42)
211.159.217.42
75.119.201.1
173.236.153.249
|
4
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
4.0 |
|
11 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45823 |
2020-10-28 22:11
|
pcazzp.jpg.exe 84048d4a704ca3ed43cf15d44dceeb39
VirusTotal Malware |
|
|
|
|
0.8 |
|
28 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45824 |
2020-10-28 22:10
|
qq.exe cc098e505724ea82572a19a4857840fe
VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs |
|
|
|
|
2.8 |
|
51 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45825 |
2020-10-28 22:08
|
ernb3qw6s9.exe 5e38580cb8baf1b6e75698bdbe3642b4
VirusTotal Malware Malicious Traffic Check memory RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://88.153.35.32/Qt9YFX/nstSYjZaFjZ7kljdCtz/LYPq2UXP/ - mailcious
|
1
88.153.35.32 - suspicious
|
|
|
6.0 |
M |
9 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|