45841 | 2020-10-28 18:14
File: 5j03vVHmJpg.exe
MD5: 0dd348f4aa94c0be2e84561dda14eac0
Tags: Malware, Malicious Traffic, Check memory, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
URLs (1):
  http://88.153.35.32/xVkFvi0xr0OKrwmZRS/IkvcNT3Xm/fJ2IMGEt7DTjKU00/ - malicious
Hosts (1):
  88.153.35.32 - suspicious
Alerts (0): -
Score: 6.0 | M | - | admin

45842 | 2020-10-28 18:06
File: link.exe
MD5: a9cbc59987ec442437ffea45aade05ba
Tags: Dridex, VirusTotal, Malware, Buffer PE, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Tofsee, Windows, ComputerName, Cryptographic key
URLs (1):
  http://bprbalidananiaga.co.id:443/linkbaba/PL341/index.php
Hosts (2):
  bprbalidananiaga.co.id(103.253.212.238)
  103.253.212.238
Alerts (4):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  ET POLICY HTTP traffic on port 443 (POST)
Score: 9.4 | M | 40 | admin

45843 | 2020-10-28 12:26
File: Electronic form.doc
MD5: eb6a6943bf8db6a0c7003c1c869b3323
Tags: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, DNS
URLs (3):
  http://91.121.200.35:8080/oQduEUzyuXYOG1/iosXbeze6L0YK93Z/r3qIMIMkoLSL/NEUB/oa9411o42Xd/ - malicious
  https://agenciainfluenciar.com.br/indexing/X/ - malware
  https://e-spaic.pt/hacks_list/LK/ - malicious
Hosts (6):
  agenciainfluenciar.com.br(107.180.71.232) - malware
  e-spaic.pt(161.97.75.68) - malicious
  179.15.102.2 - suspicious
  107.180.71.232 - suspicious
  161.97.75.68 - suspicious
  91.121.200.35 - suspicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.0 | M | 14 | admin

45844 | 2020-10-28 12:26
File: reqrm.exe
MD5: cc219392a073e3c644174607af417b93
Tags: Malware download, Azorult, VirusTotal, Malware, Buffer PE, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Collect installed applications, AppData folder, malicious URLs, sandbox evasion, anti-virtualization, installed browsers check, Windows, Browser, ComputerName, Cryptographic key
URLs (1):
  http://workwithjoshuaking.com/ssq/cow/index.php
Hosts (2):
  workwithjoshuaking.com(162.0.231.127)
  162.0.231.127
Alerts (1):
  ET MALWARE AZORult Variant.4 Checkin M2
Score: 14.4 | - | 38 | admin

45845 | 2020-10-28 12:18
File: dat-730044.doc
MD5: 86383b38ce26730817e15b0ae7191437
Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Windows, DNS
URLs (2):
  http://www.josejuanarroyo.com/antithetical-bulblet/l/ - malware
  http://78.206.229.130/uKGfHwmnTEnY6/wjVGkGYqbNm/OpCtHvEIGdQVlYOcem/fDtBX5jksao28y/dxopC8I/MURSzK4WAPeY/ - malicious
Hosts (3):
  www.josejuanarroyo.com(65.254.227.224) - malicious
  78.206.229.130 - suspicious
  65.254.227.224 - suspicious
Alerts (4):
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
Score: 4.4 | M | - | admin

45846 | 2020-10-28 11:38
File: aPfjegjaF.exe
MD5: 6d8eb085d7dfcfdd55f26262e51fbfdc
Tags: Browser Info Stealer, Emotet, Malware download, FTP Client Info Stealer, Vidar, Azorult, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, powershell, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, Windows utilities, Disables Windows Security, Collect installed applications, powershell.exe wrote, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, sandbox evasion, WriteConsoleW, anti-virtualization, installed browsers check, Tofsee, Ransomware, Interception, Zeus, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, Cryptographic key, Software crashed, Downloader
URLs (16):
  http://morasergiov.ac.ug/
  http://217.8.117.77/oJHstwpndf.exe - malware
  http://morasergiov.ac.ug/vcruntime140.dll
  http://jamesrlongacre.ug/rc.exe
  http://morasergiov.ac.ug/nss3.dll
  http://morasergiov.ac.ug/sqlite3.dll
  http://jamesrlongacre.ug/ds2.exe
  http://jamesrlongacre.ug/index.php
  http://morasergiov.ac.ug/freebl3.dll
  http://morasergiov.ac.ug/mozglue.dll
  http://jamesrlongacre.ug/ac.exe
  http://jamesrlongacre.ug/ds1.exe
  http://morasergiov.ac.ug/main.php
  http://morasergiov.ac.ug/msvcp140.dll
  http://morasergiov.ac.ug/softokn3.dll
  https://cdn.discordapp.com/attachments/752128569169281083/770252881495326780/Uvop123
Hosts (9):
  morasergiov.ac.ug(217.8.117.77)
  discord.com(162.159.136.232)
  taenaia.ac.ug(79.134.225.121)
  jamesrlongacre.ug(217.8.117.77)
  cdn.discordapp.com(162.159.130.233) - malware
  79.134.225.121 - suspicious
  162.159.136.232
  162.159.129.233 - suspicious
  217.8.117.77 - suspicious
Alerts (11):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 38
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE AZORult v3.3 Server Response M3
  ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Score: 27.4 | M | - | admin

45847 | 2020-10-28 11:36
File: oJHstwpndf.exe
MD5: 0eec3e7a4adb97d3262da05499627f11
Tags: Browser Info Stealer, Malware download, Vidar, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, ICMP traffic, unpack itself, Windows utilities, Collect installed applications, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, anti-virtualization, VM Disk Size Check, human activity check, installed browsers check, OskiStealer, Stealer, Windows, Browser, Tor, Email, ComputerName, DNS
URLs (9):
  http://morasergiov.ac.ug/
  http://morasergiov.ac.ug/vcruntime140.dll
  http://morasergiov.ac.ug/nss3.dll
  http://morasergiov.ac.ug/sqlite3.dll
  http://morasergiov.ac.ug/freebl3.dll
  http://morasergiov.ac.ug/mozglue.dll
  http://morasergiov.ac.ug/main.php
  http://morasergiov.ac.ug/msvcp140.dll
  http://morasergiov.ac.ug/softokn3.dll
Hosts (4):
  morasergiov.ac.ug(217.8.117.77)
  78.129.193.54
  51.15.77.244
  217.8.117.77 - suspicious
Alerts (6):
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 717
  ET DROP Spamhaus DROP Listed Traffic Inbound group 38
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 642
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Score: 18.8 | M | 25 | admin

45848 | 2020-10-28 11:33
File: 99.exe
MD5: e2cd3596bdec815d580dfeadec5209bb
Tags: ENERGETIC BEAR, VirusTotal, Malware, suspicious privilege, Check memory, buffers extracted, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, malicious URLs, anti-virtualization, Ransomware, Windows, Tor, ComputerName, DNS, crashed, keylogger
URLs (0): -
Hosts (6):
  163.172.149.155
  5.135.65.145
  45.66.33.45
  78.129.193.54
  108.53.208.157
  51.15.77.244
Alerts (6):
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 166
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 246
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 642
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 652
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 717
Score: 12.0 | M | 51 | admin

45849 | 2020-10-28 10:35
File: https://achremittanceservices....
MD5: d32109224e04cbdb24ca32fb320f89a1
Tags: Dridex, Malware, Code Injection, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Tor, DNS
URLs (0): -
Hosts (3):
  achremittanceservices.com(68.65.123.61)
  68.65.123.61
  178.254.45.64
Alerts (4):
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
Score: 2.8 | - | - | admin

45850 | 2020-10-28 10:34
File: fem76rrOZaV1Rmecl.exe
MD5: 52d43e04889f414a4822214ea6385746
Tags: VirusTotal, Malware, Report, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
URLs (1):
  http://70.39.251.94:8080/zhKsdlEc6/bbweYIbi0il/watuUvIP7uh/PdWOatw60/
Hosts (3):
  70.39.251.94
  45.16.226.117 - suspicious
  104.131.92.244 - suspicious
Alerts (1):
  ET CNC Feodo Tracker Reported CnC Server group 18
Score: 8.2 | - | 13 | admin

45851 | 2020-10-28 10:34
File: DOC_96439691.doc
MD5: 56a98d4ac1377142220a9cfc737a13b3
Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (2):
  http://tangshizhi.com/wp-admin/pcFD/
  http://107.170.146.252:8080/x1M3/oedgL4bl1Sxsa/vi44ggjQKWaE/ohU9Y8R8JN/QP7G8wd6RNEPGKnq2/ - malicious
Hosts (6):
  tangshizhi.com(202.95.11.52)
  cuutrolulut.info(208.113.172.110)
  107.170.146.252 - suspicious
  88.153.35.32 - suspicious
  208.113.172.110
  202.95.11.52 - suspicious
Alerts (5):
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.4 | M | - | admin

45852 | 2020-10-28 10:30
File: https://valenciaexpresslaundry...
MD5: 09ecf62b70523317e0631ad7d50b669b
Tags: Dridex, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
URLs (0): -
Hosts (3):
  valenciaexpresslaundry.com(181.214.142.131) - malware
  181.214.142.131 - suspicious
  117.18.232.200 - suspicious
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
Score: 4.4 | - | - | admin

45853 | 2020-10-28 10:22
File: Inv_RM55024.exe
MD5: 3983beae3cd93351990cb562fd901ae7
Tags: Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, Checks Bios, Detects VirtualBox, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, VMware, anti-virtualization, VM Disk Size Check, Windows, Tor, ComputerName, DNS, Software crashed, keylogger
URLs (1):
  http://3ple.farm/16.exe - malware
Hosts (8):
  3ple.farm(181.214.142.131) - malware
  81.7.14.253
  178.254.45.64
  217.182.196.68 - suspicious
  181.214.142.131 - suspicious
  80.127.137.19
  78.82.243.187
  31.185.104.20
Alerts (8):
  ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE JS/Nemucod.M.gen downloading EXE payload
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 742
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 725
Score: 21.2 | M | 21 | admin

45854 | 2020-10-28 10:21
File: crypwarzne.exe
MD5: 11462f772298d022d297e311c9c4410d
Tags: VirusTotal, Email Client Info Stealer, Malware, Buffer PE, AutoRuns, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, malicious URLs, Windows, Browser, Email, Cryptographic key
URLs (0): -
Hosts (0): -
Alerts (0): -
Score: 9.4 | - | 22 | admin

45855 | 2020-10-28 10:21
File: tyuew.exe
MD5: 4fc3c6a6fc4711ad9907fdf45810829c
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, Check virtual network interfaces, malicious URLs, WriteConsoleW, Tofsee, Windows, DNS, Cryptographic key, crashed
URLs (4):
  https://ahgwqrq.xyz/getrandombase64.php?get=330F8E490A8A44EFA30583C338272735
  https://ahgwqrq.xyz/getrandombase64.php?get=2546F095A204453AA8FD8516FFDCA892
  https://ahgwqrq.xyz/getrandombase64.php?get=97D7C843E8234D4687C41F0958409F28
  https://ahgwqrq.xyz/getrandombase64.php?get=99DA4645D7AD484294E084764E693136
Hosts (5):
  www.google.it(172.217.174.99)
  ahgwqrq.xyz(104.27.180.69)
  104.27.180.69
  216.58.200.3
  185.165.153.249
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.4 | - | 17 | admin

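The host and URL columns of these reports arrive as a single whitespace-joined string per report, in which `name(ip)` is a resolved hostname, a bare dotted quad is an IP, and `- <verdict>` attaches a verdict to whatever indicator precedes it. The raw export also spells one verdict "mailcious". The parser below is an added example written for this page, not code from the sandbox site that produced the listing; the token grammar is inferred from the rows above, and the alias table that folds "mailcious" into "malicious" is an assumption about that label's intent. The sample input is the host and URL columns of report 45843, copied verbatim.

```python
"""Parse the flattened indicator columns of a sandbox report listing into
structured records.  Added example for this page, not the sandbox site's
own code; the column format is inferred from the rows shown above."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Token shapes that occur in the host and URL columns:
#   name(1.2.3.4)   hostname with the address it resolved to
#   1.2.3.4         bare IPv4 address
#   http(s)://...   URL (never contains whitespace in the listing)
#   - <word>        verdict label attached to the preceding indicator
_HOST_WITH_IP = re.compile(r"^(?P<host>[^()\s]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)$")
_URL = re.compile(r"^https?://\S+$")

# The raw export spells one verdict "mailcious".  Assumption: it is the same
# verdict as "malicious", so normalise it to one spelling.
_LABEL_ALIASES = {"mailcious": "malicious"}


@dataclass(frozen=True)
class Indicator:
    kind: str                    # "domain", "ip" or "url"
    value: str
    resolved_ip: Optional[str] = None
    label: Optional[str] = None  # "malware", "malicious", "suspicious" or None


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
    except ValueError:
        return False
    return True


def parse_column(text: str) -> list[Indicator]:
    """Split one flattened column into indicators, attaching '- label' tokens
    to the indicator that precedes them.  Unknown tokens raise, so a format
    change upstream cannot silently drop indicators."""
    out: list[Indicator] = []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-":
            if not out or i + 1 >= len(tokens):
                raise ValueError("label separator with nothing to attach to")
            label = tokens[i + 1].lower()
            last = out.pop()
            out.append(Indicator(last.kind, last.value, last.resolved_ip,
                                 _LABEL_ALIASES.get(label, label)))
            i += 2
            continue
        m = _HOST_WITH_IP.match(tok)
        if m:
            out.append(Indicator("domain", m.group("host"), m.group("ip")))
        elif _is_ipv4(tok):
            out.append(Indicator("ip", tok))
        elif _URL.match(tok):
            out.append(Indicator("url", tok))
        else:
            raise ValueError(f"unrecognised token {tok!r}")
        i += 1
    return out


def blocklist(*columns: str) -> dict[str, set[str]]:
    """Collapse any number of host/URL columns into the unique IPs and
    hostnames they reference, including the IP each domain resolved to and
    the host part of every URL."""
    ips: set[str] = set()
    domains: set[str] = set()
    for column in columns:
        for ind in parse_column(column):
            if ind.kind == "ip":
                ips.add(ind.value)
            elif ind.kind == "domain":
                domains.add(ind.value)
                ips.add(ind.resolved_ip)
            else:
                host = urlsplit(ind.value).hostname
                if host is not None:
                    (ips if _is_ipv4(host) else domains).add(host)
    return {"ips": ips, "domains": domains}


# Host and URL columns of report 45843 above, copied verbatim as sample input.
HOSTS_45843 = ("agenciainfluenciar.com.br(107.180.71.232) - malware "
               "e-spaic.pt(161.97.75.68) - mailcious 179.15.102.2 - suspicious "
               "107.180.71.232 - suspicious 161.97.75.68 - suspicious "
               "91.121.200.35 - suspicious")
URLS_45843 = ("http://91.121.200.35:8080/oQduEUzyuXYOG1/iosXbeze6L0YK93Z/r3qIMIMkoLSL/NEUB/oa9411o42Xd/ - mailcious "
              "https://agenciainfluenciar.com.br/indexing/X/ - malware "
              "https://e-spaic.pt/hacks_list/LK/ - mailcious")

if __name__ == "__main__":
    for ind in parse_column(HOSTS_45843) + parse_column(URLS_45843):
        print(ind)
    print(blocklist(HOSTS_45843, URLS_45843))
```

Unlabelled hosts (for example `discord.com(162.159.136.232)` in report 45846) are kept in the blocklist output on purpose; filter on `Indicator.label` before feeding the result to a firewall or DNS sinkhole, since a CDN or search-engine resolution recorded during detonation is not itself an indicator of compromise.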